The potential overflow issue arises at "size += ret;" because 'size' is of type ssize_t (signed) while 'len' is size_t (unsigned). Repeatedly adding read sizes ('ret') to 'size' can potentially exceed the maximum value of ssize_t, causing it to overflow into a negative or incorrect value. The fix is to ensure 'len' is within the range of GRUB_SSIZE_MAX.
Fixes: CID 473850 Fixes: CID 473863 Signed-off-by: Lidong Chen <lidong.c...@oracle.com> --- grub-core/osdep/unix/hostdisk.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/grub-core/osdep/unix/hostdisk.c b/grub-core/osdep/unix/hostdisk.c index 3a00d7451..613406770 100644 --- a/grub-core/osdep/unix/hostdisk.c +++ b/grub-core/osdep/unix/hostdisk.c @@ -101,6 +101,9 @@ grub_util_fd_read (grub_util_fd_t fd, char *buf, size_t len) { ssize_t size = 0; + if (len > GRUB_SSIZE_MAX) + return -1; + while (len) { ssize_t ret = read (fd, buf, len); @@ -131,6 +134,9 @@ grub_util_fd_write (grub_util_fd_t fd, const char *buf, size_t len) { ssize_t size = 0; + if (len > GRUB_SSIZE_MAX) + return -1; + while (len) { ssize_t ret = write (fd, buf, len); -- 2.34.1
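Review bot: in the grub_util_fd_read hunk, the new `if (len > GRUB_SSIZE_MAX)` guard returns a bare -1 with no errno set and no comment, so a caller that sees -1 cannot learn that the request was rejected for its size, and a reader has to go to the commit message to find out that the bound exists to keep `size += ret` within ssize_t. Suggest setting errno (EINVAL would fit) before `return -1;` and adding a one-line comment above the check that states the invariant it protects.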
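Review bot: the guard added to grub_util_fd_write is a verbatim copy of the one added to grub_util_fd_read, so the two checks can drift apart if only one is changed later. Consider a small shared helper or macro for the length check, used by both functions, with the reason for the GRUB_SSIZE_MAX bound documented once at that definition. It would also help to state in the function comment that an oversized len is rejected outright before any write () call rather than written in chunks.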