On Tue, May 12, 2020 at 02:32:25PM +0200, Javier Martinez Canillas wrote:
> If an existing variable is set with a value whose length is smaller than
> the current value, a memory corruption can happen due to copying padding '#'
> characters outside of the environment block buffer.
>
> This is caused by a wrong calculation of the previous free space position
> after moving backward the characters that followed the old variable value.
>
> That position is calculated to fill the remainder of the buffer with the
> padding '#' characters. But since it isn't calculated correctly, it can lead
> to copies outside of the buffer.
>
> The issue can be reproduced by creating a variable with a large value and
> then trying to set a new value that is much smaller:
>
> $ grub2-editenv --version
> grub2-editenv (GRUB) 2.04
>
> $ grub2-editenv env create
>
> $ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
>
> $ wc -c env
> 1024 grubenv
>
> $ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
> malloc(): corrupted top size
> Aborted (core dumped)
>
> $ wc -c env
> 0 grubenv
>
> Reported-by: Renaud Métrich <rmetr...@redhat.com>
> Signed-off-by: Javier Martinez Canillas <javi...@redhat.com>

Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

Daniel
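
As an added example (not code from the patch or from GRUB itself), a simplified C model of the environment block's set operation: it shows that in the shrink case described above the padding start must be computed from the end of the 1024-byte block, and runs the report's 500-byte/50-byte reproduction against a guard byte placed just past the block. The model assumes only the signature line, "name=value\n" lines and '#' padding, and omits GRUB's backslash escaping.

```c
#include <string.h>

#define ENVBLK_SIZE 1024
#define ENVBLK_SIG "# GRUB Environment Block\n"
/* Simplified model of a GRUB environment block, written for this example (not GRUB's
 * code, no backslash escaping): signature, "name=value\n" lines, '#' padding to 1024. */
size_t envblk_free(const char *buf) {               /* trailing '#' bytes = free space */
    size_t n = 0;
    while (n < ENVBLK_SIZE && buf[ENVBLK_SIZE - 1 - n] == '#') n++;
    return n;
}

/* Set NAME to VALUE; returns 1 on success, 0 if the block cannot hold it. */
int envblk_set(char *buf, const char *name, const char *value) {
    char *pend = buf + ENVBLK_SIZE, *p = buf + strlen(ENVBLK_SIG); /* pend: one past end */
    size_t nlen = strlen(name), vlen = strlen(value);
    while (p < pend && *p != '#') {                 /* walk the existing lines */
        char *nl = memchr(p, '\n', (size_t)(pend - p));
        if (!nl) return 0;                          /* malformed block */
        if ((size_t)(nl - p) > nlen && memcmp(p, name, nlen) == 0 && p[nlen] == '=') {
            char *old = p + nlen + 1;               /* old value occupies [old, nl) */
            size_t olen = (size_t)(nl - old), tail = (size_t)(pend - nl);
            if (vlen > olen) {                      /* growing consumes padding */
                if (vlen - olen > envblk_free(buf)) return 0;
                tail -= vlen - olen;
            }
            memmove(old + vlen, nl, tail);          /* shift '\n' and later lines */
            /* Shrinking frees (olen - vlen) bytes that must be re-padded at the END
             * of the block; a padding start computed elsewhere runs past pend. */
            if (vlen < olen) memset(pend - (olen - vlen), '#', olen - vlen);
            memcpy(old, value, vlen);
            return 1;
        }
        p = nl + 1;
    }
    if (nlen + 1 + vlen + 1 > (size_t)(pend - p)) return 0;   /* append a new line */
    memcpy(p, name, nlen); p[nlen] = '=';
    memcpy(p + nlen + 1, value, vlen); p[nlen + 1 + vlen] = '\n';
    return 1;
}

/* The report's reproduction (a=500*'b', then a=50*'b') with a guard byte just past
 * the block. Returns the free bytes afterwards, or -1 on failure or an overrun. */
int shrink_demo(void) {
    char blk[ENVBLK_SIZE + 1], big[501], small[51];
    memset(big, 'b', 500); big[500] = '\0'; memset(small, 'b', 50); small[50] = '\0';
    memset(blk, '#', ENVBLK_SIZE); memcpy(blk, ENVBLK_SIG, strlen(ENVBLK_SIG));
    blk[ENVBLK_SIZE] = 'G';                         /* guard byte outside the block */
    if (!envblk_set(blk, "a", big) || !envblk_set(blk, "a", small)) return -1;
    if (blk[ENVBLK_SIZE] != 'G' || blk[strlen(ENVBLK_SIG) + 2 + 50] != '\n') return -1;
    return (int)envblk_free(blk);
}
```

After the shrink the block is still exactly 1024 bytes: 25 signature bytes, the 53-byte "a=" line, and 946 padding bytes, with the guard byte untouched.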

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel