On Tue, May 12, 2020 at 02:32:25PM +0200, Javier Martinez Canillas wrote:
> If an existing variable is set with a value whose length is smaller than
> the current value, a memory corruption can happen due to copying padding '#'
> characters outside of the environment block buffer.
>
> This is caused by a wrong calculation of the previous free space position
> after moving backward the characters that followed the old variable value.
>
> That position is calculated to fill the remainder of the buffer with the
> padding '#' characters. But since it isn't calculated correctly, it can lead
> to copies outside of the buffer.
>
> The issue can be reproduced by creating a variable with a large value and
> then trying to set a new value that is much smaller:
>
> $ grub2-editenv --version
> grub2-editenv (GRUB) 2.04
>
> $ grub2-editenv env create
>
> $ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo
> $var)"
>
> $ wc -c env
> 1024 grubenv
>
> $ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo
> $var)"
> malloc(): corrupted top size
> Aborted (core dumped)
>
> $ wc -c env
> 0 grubenv
>
> Reported-by: Renaud Métrich <rmetr...@redhat.com>
> Signed-off-by: Javier Martinez Canillas <javi...@redhat.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
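The quoted commit message describes the failure mode in words: after the records following the old value are shifted backward, the free-space position used to lay down the '#' padding is computed wrongly, so the padding memset runs past the end of the fixed-size block. The following C program is an added illustration of the invariant a correct implementation has to maintain; it is not GRUB's own envblk code and assumes a simplified, hypothetical block layout (a header line, "name=value\n" records, '#' padding to the end, and a 1024-byte block as in the report). The free position is derived only from the bytes actually in use, the capacity check happens before any mutation, and `envblk_padding_ok` checks the invariant after each operation.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size environment block (added example, not GRUB code):
 * header line, then "name=value\n" records, then '#' padding to the end. */
#define ENVBLK_SIZE   1024
#define ENVBLK_HEADER "# GRUB Environment Block\n"

struct envblk {
    char   buf[ENVBLK_SIZE];
    size_t used;   /* header + records; every byte from used onward is '#' */
};

void envblk_init(struct envblk *e)
{
    e->used = sizeof(ENVBLK_HEADER) - 1;
    memcpy(e->buf, ENVBLK_HEADER, e->used);
    memset(e->buf + e->used, '#', ENVBLK_SIZE - e->used);
}

/* Locate the record "name=...\n"; on success store its offset and length. */
static int envblk_find(const struct envblk *e, const char *name,
                       size_t *start, size_t *len)
{
    size_t nlen = strlen(name);
    size_t i = sizeof(ENVBLK_HEADER) - 1;

    while (i < e->used) {
        const char *nl = memchr(e->buf + i, '\n', e->used - i);
        size_t rec = nl ? (size_t)(nl - (e->buf + i)) + 1 : e->used - i;

        if (rec > nlen + 1 && memcmp(e->buf + i, name, nlen) == 0 &&
            e->buf[i + nlen] == '=') {
            *start = i;
            *len = rec;
            return 1;
        }
        i += rec;
    }
    return 0;
}

/* Set or replace a variable. Returns 0, or -1 (block unchanged) if the new
 * record would not fit. */
int envblk_set(struct envblk *e, const char *name, const char *value)
{
    size_t start = 0, len = 0, nlen = strlen(name), vlen = strlen(value);
    size_t need = nlen + 1 + vlen + 1;            /* "name=value\n" */
    int found = envblk_find(e, name, &start, &len);

    /* Capacity check before mutating, so a failed set cannot lose the old record. */
    if (need > ENVBLK_SIZE - (e->used - (found ? len : 0)))
        return -1;

    if (found) {
        /* Shift the records that followed the old value backward over it. */
        memmove(e->buf + start, e->buf + start + len, e->used - (start + len));
        /* New free position = old one minus exactly the removed record.
         * Getting this wrong is what lets the padding memset below overrun buf. */
        e->used -= len;
    }

    memcpy(e->buf + e->used, name, nlen);  e->used += nlen;
    e->buf[e->used++] = '=';
    memcpy(e->buf + e->used, value, vlen); e->used += vlen;
    e->buf[e->used++] = '\n';

    /* Pad exactly the bytes that remain, never more. */
    memset(e->buf + e->used, '#', ENVBLK_SIZE - e->used);
    return 0;
}

/* Copy the value of name into out (NUL-terminated). Returns 0, or -1 if the
 * variable is absent or out is too small. */
int envblk_get(const struct envblk *e, const char *name, char *out, size_t outsz)
{
    size_t start, len, nlen = strlen(name), vlen;

    if (!envblk_find(e, name, &start, &len))
        return -1;
    vlen = len - nlen - 1;                        /* drop "name=" */
    if (vlen && e->buf[start + len - 1] == '\n')
        vlen--;                                   /* drop the record terminator */
    if (vlen + 1 > outsz)
        return -1;
    memcpy(out, e->buf + start + nlen + 1, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Invariant: used fits the block and every byte past it is '#' padding. */
int envblk_padding_ok(const struct envblk *e)
{
    size_t i;
    if (e->used > ENVBLK_SIZE)
        return 0;
    for (i = e->used; i < ENVBLK_SIZE; i++)
        if (e->buf[i] != '#')
            return 0;
    return 1;
}
```

Replaying the reported sequence against this model (a 500-byte value for `a`, then a 5-byte one) leaves `used` at the header length plus the 8 bytes of `a=bbbbb\n` and every trailing byte as '#'; a value that would not fit is rejected up front instead of being partially applied.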