[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 02/13] font: Fix size overflow in grub_font_get_glyph_in
|
From: |
Daniel Kiper |
|
Subject: |
[SECURITY PATCH 02/13] font: Fix size overflow in grub_font_get_glyph_internal() |
|
Date: |
Tue, 15 Nov 2022 19:00:59 +0100 |
From: Zhang Boyang <zhangboyang.id@gmail.com>
The length of memory allocation and file read may overflow. This patch
fixes the problem by using safemath macros.
There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
It is safe replacement for such code. It has safemath-like prototype.
This patch also introduces grub_cast(value, pointer), it casts value to
typeof(*pointer) then store the value to *pointer. It returns true when
overflow occurs or false if there is no overflow. The semantics of arguments
and return value are designed to be consistent with other safemath macros.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/font/font.c | 17 +++++++++++++----
include/grub/bitmap.h | 18 ++++++++++++++++++
include/grub/safemath.h | 2 ++
3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 756ca0abf..e781521a7 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font,
grub_uint32_t code)
grub_int16_t xoff;
grub_int16_t yoff;
grub_int16_t dwidth;
- int len;
+ grub_ssize_t len;
+ grub_size_t sz;
if (index_entry->glyph)
/* Return cached glyph. */
@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font,
grub_uint32_t code)
return 0;
}
- len = (width * height + 7) / 8;
- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
- if (!glyph)
+ /* Calculate real struct size of current glyph. */
+ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
+ grub_add (sizeof (struct grub_font_glyph), len, &sz))
+ {
+ remove_font (font);
+ return 0;
+ }
+
+ /* Allocate and initialize the glyph struct. */
+ glyph = grub_malloc (sz);
+ if (glyph == NULL)
{
remove_font (font);
return 0;
diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
index 149d37bfe..431048936 100644
--- a/include/grub/bitmap.h
+++ b/include/grub/bitmap.h
@@ -23,6 +23,7 @@
#include <grub/symbol.h>
#include <grub/types.h>
#include <grub/video.h>
+#include <grub/safemath.h>
#define IMAGE_HW_MAX_PX 16384
@@ -81,6 +82,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap
*bitmap)
return bitmap->mode_info.height;
}
+/*
+ * Calculate and store the size of data buffer of 1bit bitmap in result.
+ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
+ * Return true when overflow occurs or false if there is no overflow.
+ * This function is intentionally implemented as a macro instead of
+ * an inline function. Although a bit awkward, it preserves data types for
+ * safemath macros and reduces macro side effects as much as possible.
+ *
+ * XXX: Will report false overflow if width * height > UINT64_MAX.
+ */
+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
+({ \
+ grub_uint64_t _bitmap_pixels; \
+ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
+ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels %
GRUB_CHAR_BIT), (result)); \
+})
+
void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap
*bitmap,
struct grub_video_mode_info
*mode_info);
diff --git a/include/grub/safemath.h b/include/grub/safemath.h
index 51290d355..fbd9b5925 100644
--- a/include/grub/safemath.h
+++ b/include/grub/safemath.h
@@ -30,6 +30,8 @@
#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+#define grub_cast(a, res) grub_add ((a), 0, (res))
+
#else
#error gcc 5.1 or newer or clang 8.0 or newer is required
#endif
--
2.11.0
- [SECURITY PATCH 00/13] Multiple GRUB2 vulnerabilities - 2022/11/15, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 01/13] font: Reject glyphs exceeds font->max_glyph_width or font->max_glyph_height, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 02/13] font: Fix size overflow in grub_font_get_glyph_internal(),
Daniel Kiper <=
- [SECURITY PATCH 03/13] font: Fix several integer overflows in grub_font_construct_glyph(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 04/13] font: Remove grub_font_dup_glyph(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 10/13] font: Fix an integer underflow in blit_comb(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 05/13] font: Fix integer overflow in ensure_comb_space(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 07/13] font: Fix integer underflow in binary search of char index, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 08/13] kern/efi/sb: Enforce verification of font files, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 09/13] fbutil: Fix integer overflow, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 11/13] font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 12/13] font: Assign null_font to glyphs in ascii_font_glyph[], Daniel Kiper, 2022/11/15
- [SECURITY PATCH 06/13] font: Fix integer overflow in BMP index, Daniel Kiper, 2022/11/15