diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch new file mode 100644 index 0000000000..fedfc5d203 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Coulson <chris.coulson@canonical.com> | ||
3 | Date: Fri, 10 Jul 2020 14:41:45 +0100 | ||
4 | Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function | ||
5 | during execution | ||
6 | |||
7 | Defining a new function with the same name as a previously defined | ||
8 | function causes the grub_script and associated resources for the | ||
9 | previous function to be freed. If the previous function is currently | ||
10 | executing when a function with the same name is defined, this results | ||
11 | in use-after-frees when processing subsequent commands in the original | ||
12 | function. | ||
13 | |||
14 | Instead, reject a new function definition if it has the same name as | ||
15 | a previously defined function, and that function is currently being | ||
16 | executed. Although a behavioural change, this should be backwards | ||
17 | compatible with existing configurations because they can't be | ||
18 | dependent on the current behaviour without being broken. | ||
19 | |||
20 | Fixes: CVE-2020-15706 | ||
21 | |||
22 | Upstream-Status: Backport [commit 426f57383d647406ae9c628c472059c27cd6e040 | ||
23 | from https://git.savannah.gnu.org/git/grub.git] | ||
24 | |||
25 | Signed-off-by: Chris Coulson <chris.coulson@canonical.com> | ||
26 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
27 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
28 | --- | ||
29 | grub-core/script/execute.c | 2 ++ | ||
30 | grub-core/script/function.c | 16 +++++++++++++--- | ||
31 | grub-core/script/parser.y | 3 ++- | ||
32 | include/grub/script_sh.h | 2 ++ | ||
33 | 4 files changed, 19 insertions(+), 4 deletions(-) | ||
34 | |||
35 | diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c | ||
36 | index c8d6806..7e028e1 100644 | ||
37 | --- a/grub-core/script/execute.c | ||
38 | +++ b/grub-core/script/execute.c | ||
39 | @@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args) | ||
40 | old_scope = scope; | ||
41 | scope = &new_scope; | ||
42 | |||
43 | + func->executing++; | ||
44 | ret = grub_script_execute (func->func); | ||
45 | + func->executing--; | ||
46 | |||
47 | function_return = 0; | ||
48 | active_loops = loops; | ||
49 | diff --git a/grub-core/script/function.c b/grub-core/script/function.c | ||
50 | index d36655e..3aad04b 100644 | ||
51 | --- a/grub-core/script/function.c | ||
52 | +++ b/grub-core/script/function.c | ||
53 | @@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, | ||
54 | func = (grub_script_function_t) grub_malloc (sizeof (*func)); | ||
55 | if (! func) | ||
56 | return 0; | ||
57 | + func->executing = 0; | ||
58 | |||
59 | func->name = grub_strdup (functionname_arg->str); | ||
60 | if (! func->name) | ||
61 | @@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, | ||
62 | grub_script_function_t q; | ||
63 | |||
64 | q = *p; | ||
65 | - grub_script_free (q->func); | ||
66 | - q->func = cmd; | ||
67 | grub_free (func); | ||
68 | - func = q; | ||
69 | + if (q->executing > 0) | ||
70 | + { | ||
71 | + grub_error (GRUB_ERR_BAD_ARGUMENT, | ||
72 | + N_("attempt to redefine a function being executed")); | ||
73 | + func = NULL; | ||
74 | + } | ||
75 | + else | ||
76 | + { | ||
77 | + grub_script_free (q->func); | ||
78 | + q->func = cmd; | ||
79 | + func = q; | ||
80 | + } | ||
81 | } | ||
82 | else | ||
83 | { | ||
84 | diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y | ||
85 | index 4f0ab83..f80b86b 100644 | ||
86 | --- a/grub-core/script/parser.y | ||
87 | +++ b/grub-core/script/parser.y | ||
88 | @@ -289,7 +289,8 @@ function: "function" "name" | ||
89 | grub_script_mem_free (state->func_mem); | ||
90 | else { | ||
91 | script->children = state->scripts; | ||
92 | - grub_script_function_create ($2, script); | ||
93 | + if (!grub_script_function_create ($2, script)) | ||
94 | + grub_script_free (script); | ||
95 | } | ||
96 | |||
97 | state->scripts = $<scripts>3; | ||
98 | diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h | ||
99 | index b382bcf..6c48e07 100644 | ||
100 | --- a/include/grub/script_sh.h | ||
101 | +++ b/include/grub/script_sh.h | ||
102 | @@ -361,6 +361,8 @@ struct grub_script_function | ||
103 | |||
104 | /* The next element. */ | ||
105 | struct grub_script_function *next; | ||
106 | + | ||
107 | + unsigned executing; | ||
108 | }; | ||
109 | typedef struct grub_script_function *grub_script_function_t; | ||
110 | |||
111 | -- | ||
112 | 2.14.4 | ||
113 | |||