List: grub-devel
Subject: [PATCH 1/4] luks: fix out-of-bounds copy of UUID
From: Patrick Steinhardt <ps () pks ! im>
Date: 2020-05-30 12:25:06
Message-ID: f90a0fa3a4d75f0b091d8853de046fab57148d40.1590840835.git.ps () pks ! im
When configuring a LUKS disk, we copy over the UUID from the LUKS header
into the new `grub_cryptodisk_t` structure via `grub_memcpy ()`. As size
we mistakenly use the size of the `grub_cryptodisk_t` UUID field, which
is guaranteed to be strictly bigger than the LUKS UUID field we're
copying. As a result, the copy always goes out-of-bounds and copies some
garbage from other surrounding fields. During runtime, this isn't
noticed due to the fact that we always NUL-terminate the UUID and thus
never hit the trailing garbage.
Fix the issue by using the size of the local stripped UUID field.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
grub-core/disk/luks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 410cd6f84..2c730d072 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -125,7 +125,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
newdev->source_disk = NULL;
newdev->log_sector_size = 9;
newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
+ grub_memcpy (newdev->uuid, uuid, sizeof (uuid));
newdev->modname = "luks";
/* Configure the hash used for the AF splitter and HMAC. */
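Review bot: on the `+` line, `sizeof (uuid)` is only the correct length while `uuid` is an array declared inside `configure_ciphers`, and that declaration is outside the context shown here; if it is ever turned into a pointer or a parameter, the copy silently shrinks to the size of a pointer with no compiler diagnostic. A compile-time check next to the copy that `sizeof (uuid) <= sizeof (newdev->uuid)` would pin down both that assumption and the destination bound. Since the bytes of `newdev->uuid` beyond `sizeof (uuid)` are no longer written by this line, it is also worth stating in the commit message or a comment that `newdev` is zero-initialised when allocated, if that is the case.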
--
2.26.2