diff options
Diffstat (limited to 'poky/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch')
-rw-r--r-- | poky/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/poky/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch deleted file mode 100644 index 329e554a6..000000000 --- a/poky/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch +++ /dev/null @@ -1,117 +0,0 @@ -From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001 -From: Chris Coulson <chris.coulson@canonical.com> -Date: Fri, 10 Jul 2020 14:41:45 +0100 -Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function - during execution - -Defining a new function with the same name as a previously defined -function causes the grub_script and associated resources for the -previous function to be freed. If the previous function is currently -executing when a function with the same name is defined, this results -in use-after-frees when processing subsequent commands in the original -function. - -Instead, reject a new function definition if it has the same name as -a previously defined function, and that function is currently being -executed. Although a behavioural change, this should be backwards -compatible with existing configurations because they can't be -dependent on the current behaviour without being broken. - -Fixes: CVE-2020-15706 - -Signed-off-by: Chris Coulson <chris.coulson@canonical.com> -Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> - -Upstream-Status: Backport -CVE: CVE-2020-15706 - -Reference to upstream patch: -https://git.savannah.gnu.org/cgit/grub.git/commit/?id=426f57383d647406ae9c628c472059c27cd6e040 - -Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> ---- - grub-core/script/execute.c | 2 ++ - grub-core/script/function.c | 16 +++++++++++++--- - grub-core/script/parser.y | 3 ++- - include/grub/script_sh.h | 2 ++ - 4 files changed, 19 insertions(+), 4 deletions(-) - -diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c -index c8d6806..7e028e1 100644 ---- a/grub-core/script/execute.c -+++ b/grub-core/script/execute.c -@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args) - old_scope = scope; - scope = &new_scope; - -+ func->executing++; - ret = grub_script_execute (func->func); -+ func->executing--; - - function_return = 0; - active_loops = loops; -diff --git a/grub-core/script/function.c b/grub-core/script/function.c -index d36655e..3aad04b 100644 ---- a/grub-core/script/function.c -+++ b/grub-core/script/function.c -@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, - func = (grub_script_function_t) grub_malloc (sizeof (*func)); - if (! func) - return 0; -+ func->executing = 0; - - func->name = grub_strdup (functionname_arg->str); - if (! func->name) -@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, - grub_script_function_t q; - - q = *p; -- grub_script_free (q->func); -- q->func = cmd; - grub_free (func); -- func = q; -+ if (q->executing > 0) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, -+ N_("attempt to redefine a function being executed")); -+ func = NULL; -+ } -+ else -+ { -+ grub_script_free (q->func); -+ q->func = cmd; -+ func = q; -+ } - } - else - { -diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y -index 4f0ab83..f80b86b 100644 ---- a/grub-core/script/parser.y -+++ b/grub-core/script/parser.y -@@ -289,7 +289,8 @@ function: "function" "name" - grub_script_mem_free (state->func_mem); - else { - script->children = state->scripts; -- grub_script_function_create ($2, script); -+ if (!grub_script_function_create ($2, script)) -+ grub_script_free (script); - } - - state->scripts = $<scripts>3; -diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h -index b382bcf..6c48e07 100644 ---- a/include/grub/script_sh.h -+++ b/include/grub/script_sh.h -@@ -361,6 +361,8 @@ struct grub_script_function - - /* The next element. */ - struct grub_script_function *next; -+ -+ unsigned executing; - }; - typedef struct grub_script_function *grub_script_function_t; - --- -2.14.4 - |