Date: Sun, 23 Aug 2020 12:59:57 +0200
From: Patrick Steinhardt
To: grub-devel@gnu.org
Cc: Denis 'GNUtoo' Carikli, Glenn Washburn, Daniel Kiper
Subject: [PATCH 2/9] luks: Fix out-of-bounds copy of UUID
Message-ID: <8668b265f6b1f51c04b0528a287abaf2daaf8d79.1598179677.git.ps@pks.im>

When configuring a LUKS disk, we copy over the UUID from the LUKS header into the new `grub_cryptodisk_t` structure via `grub_memcpy ()`. As size we mistakenly use the size of the `grub_cryptodisk_t` UUID field, which is guaranteed to be strictly bigger than the LUKS UUID field we're copying. As a result, the copy always goes out-of-bounds and copies some garbage from other surrounding fields. During runtime, this isn't noticed due to the fact that we always NUL-terminate the UUID and thus never hit the trailing garbage.

Fix the issue by using the size of the local stripped UUID field.

Signed-off-by: Patrick Steinhardt
--- grub-core/disk/luks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index 6ae162601..76f89dd29 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -125,7 +125,7 @@ configure_ciphers (grub_disk_t disk, const char *check_= uuid, newdev->source_disk =3D NULL; newdev->log_sector_size =3D 9; newdev->total_length =3D grub_disk_get_size (disk) - newdev->offset; - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); + grub_memcpy (newdev->uuid, uuid, sizeof (uuid)); newdev->modname =3D "luks"; =20 /* Configure the hash used for the AF splitter and HMAC. */ --=20 2.28.0
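
Review bot: The new `sizeof (uuid)` on the `grub_memcpy ()` line is only safe while `uuid` is a local array in `configure_ciphers ()` and is no larger than `newdev->uuid`; neither property is visible in this hunk or enforced by the code. Consider placing a compile-time assertion that `sizeof (newdev->uuid) >= sizeof (uuid)` next to the copy, so that a later change to either buffer (or turning `uuid` into a pointer) fails the build instead of silently bringing back an out-of-bounds access. Since the copy no longer fills the whole destination field, it is also worth stating in a comment that the NUL terminator mentioned in the commit message lies within the `sizeof (uuid)` bytes being copied.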