
Fix ext2 buffer overflow in r2_sbu_grub_memmove

radare committed Jun 5, 2017
1 parent 9991ac1 commit 796dd28aaa6b9fa76d99c42c4d5ff8b257cc2191
Showing with 30 additions and 13 deletions.
  1. +2 −2 shlr/Makefile
  2. +1 −0 shlr/gdb/src/gdbserver/core.c
  3. +17 −11 shlr/grub/fs/ext2.c
  4. +4 −0 shlr/grub/fs/fshelp.c
  5. +6 −0 sys/rebuild.sh
@@ -23,9 +23,9 @@ CS_PATCHES=0
else
CS_TAR=
CS_URL=$(GIT_PREFIX)github.com/aquynh/capstone.git
CS_UPD=20170529
CS_UPD=20170605
CS_BRA=next
CS_TIP=7982670984222e2d3bb8117da6225e06d119f56f
CS_TIP=1910fd563539fba8498f07a36a0e74cfbdf42a7f
# REVERT THIS COMMIT BECAUSE ITS WRONG
CS_REV=
CS_PATCHES=1
@@ -182,6 +182,7 @@ static int _server_handle_vCont(libgdbr_t *g, int (*cmd_cb) (void*, const char*,
return send_msg (g, "E01");
}
}
return -1;
}
static int _server_handle_qAttached(libgdbr_t *g, int (*cmd_cb) (void*, const char*, char*, size_t), void *core_ptr) {
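Review bot: The trailing `return -1;` in `_server_handle_vCont` (presumably the one added line, since the rendered hunk carries no markers) hands an error back to the caller without sending any reply packet, whereas the branch just above it answers the client with `send_msg (g, "E01")`. If the caller is expected to report the failure to the client, a one-line comment such as `/* no matching vCont action: caller reports the failure */` would make that contract visible; if it is not, the fall-through should answer with an error packet like the other branches. The function's body begins outside the hunk, so the actions handled above are not visible here.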
@@ -432,10 +432,10 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
}
}
/* Direct blocks. */
if (fileblock < INDIRECT_BLOCKS)
if (fileblock < INDIRECT_BLOCKS) {
blknr = grub_le_to_cpu32 (inode->blocks.dir_blocks[fileblock]);
/* Indirect. */
else if (fileblock < INDIRECT_BLOCKS + blksz / 4)
} else if (fileblock < INDIRECT_BLOCKS + blksz / 4)
{
grub_uint32_t *indir;
@@ -679,23 +679,26 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
if (dirent.namelen != 0)
{
#ifndef _MSC_VER
char filename[dirent.namelen + 1];
#else
char * filename = grub_malloc (dirent.namelen + 1);
#endif
struct grub_fshelp_node *fdiro;
enum grub_fshelp_filetype type = GRUB_FSHELP_UNKNOWN;
if (!filename) {
break;
}
grub_ext2_read_file (diro, 0, 0, 0,
fpos + sizeof (struct ext2_dirent),
dirent.namelen, filename);
if (grub_errno)
if (grub_errno) {
free (filename);
return 0;
}
fdiro = grub_malloc (sizeof (struct grub_fshelp_node));
if (! fdiro)
if (! fdiro) {
free (filename);
return 0;
}
fdiro->data = diro->data;
fdiro->ino = grub_le_to_cpu32 (dirent.inode);
@@ -720,8 +723,8 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
grub_ext2_read_inode (diro->data,
grub_le_to_cpu32 (dirent.inode),
&fdiro->inode);
if (grub_errno)
{
if (grub_errno) {
free (filename);
grub_free (fdiro);
return 0;
}
@@ -739,8 +742,11 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
type = GRUB_FSHELP_REG;
}
if (hook (filename, type, fdiro, closure))
if (hook (filename, type, fdiro, closure)) {
free (filename);
return 1;
}
free (filename);
}
fpos += grub_le_to_cpu16 (dirent.direntlen);
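Review bot: On the non-MSVC path `filename` is still the VLA `char filename[dirent.namelen + 1];`, so every `free (filename)` introduced in this section (the `grub_errno` check, the `! fdiro` check, the `grub_ext2_read_inode` error path, and both exits around the `hook` call) passes a stack address to `free`, which is undefined behaviour, and the new `if (!filename) { break; }` is always false for an array. The simplest fix is to drop the `#ifndef _MSC_VER` split and allocate on both platforms, `char *filename = grub_malloc (dirent.namelen + 1);`, then release it with `grub_free (filename)` on each exit so it matches the `grub_free (fdiro)` already used in the inode error path. This assumes `free` here is the libc function rather than a project macro aliased to `grub_free`. The enclosing `grub_ext2_iterate_dir` starts and ends outside these hunks, so the terminating `filename[dirent.namelen] = '\0'` and the loop exit are not visible here.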
@@ -287,6 +287,10 @@ grub_fshelp_read_file (grub_disk_t disk, grub_fshelp_node_t node,
if (pos + len > filesize)
len = filesize - pos;
if (len < 1 || len == 0xffffffff) {
return -1;
}
blockcnt = ((len + pos) + blocksize - 1) >>
(log2blocksize + GRUB_DISK_SECTOR_BITS);
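Review bot: The new `if (len < 1 || len == 0xffffffff)` guard only catches the underflow of `len = filesize - pos` when the size type is 32 bits wide; on a 64-bit build a `pos` past `filesize` yields a value near `SIZE_MAX` that passes the check and still reaches the `blockcnt` computation below. Checking the precondition directly is portable and self-explanatory: `if (pos > filesize) return -1;` placed before the `len = filesize - pos;` clamp, after which the magic constant can go and `len == 0` can be tested on its own. The earlier `pos + len > filesize` comparison can also wrap before the clamp runs; this is hedged, since the declared types of `pos`, `len` and `filesize` are outside the hunk. `grub_fshelp_read_file` starts and ends outside the hunk.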
@@ -55,6 +55,11 @@ RebuildSdb() {
Rebuild libr/util
}
RebuildFs() {
Rebuild shlr/grub
Rebuild libr/fs
}
RebuildBin() {
Rebuild libr/bin
Rebuild libr/core
@@ -67,6 +72,7 @@ RebuildGdb() {
}
case "$1" in
fs) RebuildFs; ;;
bin) RebuildBin ; ;;
gdb) RebuildGdb ; ;;
sdb) RebuildSdb ; ;;
