diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch new file mode 100644 index 0000000000..d55709406b --- /dev/null +++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001 | ||
2 | From: Darren Kenny <darren.kenny@oracle.com> | ||
3 | Date: Fri, 11 Dec 2020 15:03:13 +0000 | ||
4 | Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference | ||
5 | |||
6 | The model of grub_efi_get_memory_map() is that if memory_map is NULL, | ||
7 | then the purpose is to discover how much memory should be allocated to | ||
8 | it for the subsequent call. | ||
9 | |||
10 | The problem here is that with grub_efi_is_finished set to 1, there is no | ||
11 | check at all that the function is being called with a non-NULL memory_map. | ||
12 | |||
13 | While this MAY be true, we shouldn't assume it. | ||
14 | |||
15 | The solution to this is to behave as expected, and if memory_map is NULL, | ||
16 | then don't try to use it and allow memory_map_size to be filled in, and | ||
17 | return 0 as is done later in the code if the buffer is too small (or NULL). | ||
18 | |||
19 | Additionally, drop unneeded ret = 1. | ||
20 | |||
21 | Fixes: CID 96632 | ||
22 | |||
23 | Signed-off-by: Darren Kenny <darren.kenny@oracle.com> | ||
24 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
25 | |||
26 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1] | ||
27 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
28 | --- | ||
29 | grub-core/kern/efi/mm.c | 19 ++++++++++++++----- | ||
30 | 1 file changed, 14 insertions(+), 5 deletions(-) | ||
31 | |||
32 | diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c | ||
33 | index b02fab1..5afcef7 100644 | ||
34 | --- a/grub-core/kern/efi/mm.c | ||
35 | +++ b/grub-core/kern/efi/mm.c | ||
36 | @@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size, | ||
37 | if (grub_efi_is_finished) | ||
38 | { | ||
39 | int ret = 1; | ||
40 | - if (*memory_map_size < finish_mmap_size) | ||
41 | + | ||
42 | + if (memory_map != NULL) | ||
43 | { | ||
44 | - grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size); | ||
45 | - ret = 0; | ||
46 | + if (*memory_map_size < finish_mmap_size) | ||
47 | + { | ||
48 | + grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size); | ||
49 | + ret = 0; | ||
50 | + } | ||
51 | + else | ||
52 | + grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size); | ||
53 | } | ||
54 | else | ||
55 | { | ||
56 | - grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size); | ||
57 | - ret = 1; | ||
58 | + /* | ||
59 | + * Incomplete, no buffer to copy into, same as | ||
60 | + * GRUB_EFI_BUFFER_TOO_SMALL below. | ||
61 | + */ | ||
62 | + ret = 0; | ||
63 | } | ||
64 | *memory_map_size = finish_mmap_size; | ||
65 | if (map_key) | ||