Bug #3027

installgrub can segfault when encountering bogus data on disk

Added by Hans Rosenfeld about 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: High
Category: cmd - userland programs
Start date: 2012-07-23
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Description

Installgrub tries to read possibly existing grub stages from the disk before installing the new stages.

For some part of the data read from disk, it will try to compute and verify a checksum and then check the presence of a magic value. For the checksum calculation part, it relies on size information read from the disk. If that "size" happens to be some random large value, installgrub will read over the end of the buffer and segfault.

Verifying the magic values before attempting the checksum calculation helps here. It is very unlikely that the magic values are correct but the size is still bogus. While it would be possible to maliciously put such a combination on the disk, this should have no security impact besides crashing installgrub.

History

#2

Updated by Hans Rosenfeld about 8 years ago

New webrev: http://grumpf.hope-2000.org/illumos-3027-webrev-2/

Changes:
  • calculate maximum size of extra data and use that in find_einfo()

#3

Updated by Rich Lowe about 8 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
  • Tags deleted (needs-triage)

Resolved in r13836 commit:37bf491c434c
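
The validation order from the description (magic before checksum), combined with the size cap noted in update #2, as an added example. This is not the illumos installgrub code: the record layout, the magic value and every `ex_` name are hypothetical, and the sample sector is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical on-disk record: header followed by `size` payload bytes.
 * Layout, names and magic are assumptions, not installgrub's format. */
#define EX_MAGIC 0x45584931u
typedef struct {
	uint32_t magic;
	uint32_t size;     /* payload length as claimed by the disk: untrusted */
	uint32_t checksum; /* additive checksum over the payload */
} ex_hdr_t;

static uint32_t ex_sum(const uint8_t *p, size_t n)
{
	uint32_t s = 0;
	while (n-- > 0)
		s += *p++;
	return s;
}

/* Returns the payload pointer if the record is valid, NULL otherwise. */
const uint8_t *ex_find_info(const uint8_t *buf, size_t buflen)
{
	ex_hdr_t h;
	if (buf == NULL || buflen < sizeof (h))
		return NULL;
	memcpy(&h, buf, sizeof (h));          /* avoid unaligned access */
	if (h.magic != EX_MAGIC)              /* 1: cheap magic check first */
		return NULL;
	if (h.size > buflen - sizeof (h))     /* 2: cap size by what was read */
		return NULL;
	if (ex_sum(buf + sizeof (h), h.size) != h.checksum) /* 3: in bounds now */
		return NULL;
	return buf + sizeof (h);
}

/* Constructed sample: a 64-byte "sector" holding a 52-byte payload; the
 * caller picks the magic and the claimed size. Returns 1 if accepted. */
int ex_check_sample(uint32_t magic, uint32_t claimed_size)
{
	uint8_t buf[64];
	ex_hdr_t h = { magic, claimed_size, 0 };
	for (size_t i = sizeof (h); i < sizeof (buf); i++)
		buf[i] = (uint8_t)(i + 1);
	h.checksum = ex_sum(buf + sizeof (h), sizeof (buf) - sizeof (h));
	memcpy(buf, &h, sizeof (h));
	return ex_find_info(buf, sizeof (buf)) != NULL;
}
int main(void) { return ex_check_sample(EX_MAGIC, 52) ? 0 : 1; }
```

Step 2 is what makes the combination of correct magic and bogus size harmless: the checksum loop never runs with a length larger than the buffer that was actually read.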
