|
|
@@ -0,0 +1,39 @@
|
|
|
+From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001
|
|
|
+From: Lidong Chen <lidong.chen@oracle.com>
|
|
|
+Date: Fri, 22 Nov 2024 06:27:56 +0000
|
|
|
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read
|
|
|
+
|
|
|
+Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
|
|
|
+overflow leading to subsequent OOB write or read. This patch fixes the
|
|
|
+issue by replacing grub_zalloc() and explicit multiplication with
|
|
|
+grub_calloc() which does the same thing in safe manner.
|
|
|
+
|
|
|
+Fixes: CVE-2024-45776
|
|
|
+
|
|
|
+Reported-by: Nils Langius <nils@langius.de>
|
|
|
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
|
|
|
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
|
|
|
+
|
|
|
+CVE: CVE-2024-45776
|
|
|
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91]
|
|
|
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
|
|
+---
|
|
|
+ grub-core/gettext/gettext.c | 4 ++--
|
|
|
+ 1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
+
|
|
|
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
|
|
|
+index e4f4f8ee6..63bb1ab73 100644
|
|
|
+--- a/grub-core/gettext/gettext.c
|
|
|
++++ b/grub-core/gettext/gettext.c
|
|
|
+@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
|
|
|
+ for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
|
|
|
+ ctx->grub_gettext_max_log++);
|
|
|
+
|
|
|
+- ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
|
|
|
+- * sizeof (ctx->grub_gettext_msg_list[0]));
|
|
|
++ ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
|
|
|
++ sizeof (ctx->grub_gettext_msg_list[0]));
|
|
|
+ if (!ctx->grub_gettext_msg_list)
|
|
|
+ {
|
|
|
+ grub_file_close (fd);
|
Peter Marko