Message-Id: <20251118180021.2890-2-daniel.kiper@oracle.com>
Date: Tue, 18 Nov 2025 19:00:14 +0100
From: Daniel Kiper <daniel.kiper@...cle.com>
To: grub-devel@....org, oss-security@...ts.openwall.com
Cc: alec.r.brown@...cle.com, glin@...e.com, mbenatto@...hat.com,
        mchang@...e.com, meissner@...e.com, tf@...ay.de, volticks@...il.com
Subject: [SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation

From: Thomas Frauendorfer | Miray Software <tf@...ay.de>

The commit c68b7d236 (commands/test: Stack overflow due to unlimited
recursion depth) added recursion depth tests to the test command. But in
the error case it decrements the pointer to the depth value instead of
the value itself. Fix it.

Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth)

Signed-off-by: Thomas Frauendorfer | Miray Software <tf@...ay.de>
Reviewed-by: Daniel Kiper <daniel.kiper@...cle.com>
---
 grub-core/commands/test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/commands/test.c b/grub-core/commands/test.c
index b585c3d70..ee47ab264 100644
--- a/grub-core/commands/test.c
+++ b/grub-core/commands/test.c
@@ -403,7 +403,7 @@ test_parse (char **args, int *argn, int argc, int *depth)
 	  if (++(*depth) > MAX_TEST_RECURSION_DEPTH)
 	    {
 	      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("max recursion depth exceeded"));
-	      depth--;
+	      (*depth)--;
 	      return ctx.or || ctx.and;
 	    }
 
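Review bot: the error branch in test_parse still relies on a hand-written undo of the `++(*depth)` in the condition, which is the pattern that let the original `depth--` slip through (it is valid C on the local pointer copy, so the compiler has nothing to flag). Consider checking the limit before incrementing, e.g. `if (*depth >= MAX_TEST_RECURSION_DEPTH)` followed by the error return, with `(*depth)++` only after the check passes, so the error path has nothing to roll back. The diffstat also shows only grub-core/commands/test.c changed; a regression test that nests an expression past MAX_TEST_RECURSION_DEPTH and checks for the "max recursion depth exceeded" error would cover this branch.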
-- 
2.11.0
