./grub-core/fs/squash4.c : There may be data format mismatches between grub2 and the linux kernel's idea of squashfs:

These are the structures from grub2 for file and long_file: grub_uint32_t block_size[0];

These are the structures from the linux kernel for squashfs_reg_inode and squashfs_lreg_inode: __le16 block_list[0];

squash_mount() checks grub_errno immediately after calling grub_disk_read(), before checking the return code. C idiom is to check "errno"-style variables only if an error is returned -- and also to set "errno"-style variables to 0 immediately before an operation if there's no error-return mechanism in place, to avoid letting errors from previous operations mistakenly linger. This is probably not a security issue.

There are many calls to grub_malloc() with an arithmetic expression; normally these are better replaced with calloc(3)-alike wrappers which can check for integer wraparounds. I don't think any here are exploitable but I could have made a mistake.

grub_squash_iterate_dir() has extensive memory leaks in the reading or memory allocation error cases -- probably there's no recovery possible if the system is out of memory when running grub2, but I figured I'd mention it all the same. This is probably not a security issue.

./grub-core/disk/loopback.c : grub_loopback_open() looks like it might handle gigantic sparse files poorly; a file that's within GRUB_DISK_SECTOR_SIZE bytes of 2^64 may set disk->total_sectors to a too-small value. This is probably not a security issue.

Now that grub is part of a security boundary the grub_malloc() calls with expressions should probably all be converted to using calloc(3)-style wrappers. It probably isn't worth blocking this specific change on this conversion though.

Thanks

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1604499

Title: include loopback and squash4 modules in EFI binary

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
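Added example, not GRUB's own code, illustrating two of the arithmetic hazards the comment above raises: the round-up sector count wrapping for a file size within a sector of 2^64, and a calloc(3)-style wrapper that rejects a wrapping nmemb * size product instead of allocating a short buffer. SECTOR_SIZE, sectors_naive, sectors_safe and checked_calloc are names chosen for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Stand-in for GRUB_DISK_SECTOR_SIZE (512 bytes); constructed for this example. */
#define SECTOR_SIZE 512ULL

/* Naive round-up: (size + 511) / 512. When size is within SECTOR_SIZE - 1
   bytes of 2^64 the addition wraps and the result is far too small. */
uint64_t sectors_naive(uint64_t size)
{
  return (size + SECTOR_SIZE - 1) / SECTOR_SIZE;
}

/* Safe round-up: divide first, then add one if a partial sector remains.
   No intermediate value can exceed size, so nothing wraps. */
uint64_t sectors_safe(uint64_t size)
{
  return size / SECTOR_SIZE + (size % SECTOR_SIZE != 0);
}

/* Returns 1 when the naive computation underestimates the sector count. */
int naive_underestimates(uint64_t size)
{
  return sectors_naive(size) < sectors_safe(size);
}

/* calloc-style wrapper (hypothetical, not grub_calloc): refuses the request
   when nmemb * size would wrap, which a bare malloc(nmemb * size) cannot detect. */
void *checked_calloc(size_t nmemb, size_t size)
{
  if (size != 0 && nmemb > SIZE_MAX / size)
    return NULL;
  return calloc(nmemb, size);
}

/* Convenience for self-checking: 1 if the allocation was accepted, 0 if refused. */
int checked_calloc_accepts(size_t nmemb, size_t size)
{
  void *p = checked_calloc(nmemb, size);
  if (p == NULL)
    return 0;
  free(p);
  return 1;
}
```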
