Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20251118180021.2890-8-daniel.kiper@oracle.com>
Date: Tue, 18 Nov 2025 19:00:20 +0100
From: Daniel Kiper <daniel.kiper@...cle.com>
To: grub-devel@....org, oss-security@...ts.openwall.com
Cc: alec.r.brown@...cle.com, glin@...e.com, mbenatto@...hat.com,
        mchang@...e.com, meissner@...e.com, tf@...ay.de, volticks@...il.com
Subject: [SECURITY PATCH 7/8] commands/usbtest: Use correct string length field

From: Jamie <volticks@...il.com>

An incorrect length field is used for buffer allocation. This leads to
grub_utf16_to_utf8() receiving an incorrect/different length and possibly
causing OOB write. This makes sure to use the correct length.

Fixes: CVE-2025-61661

Reported-by: Jamie <volticks@...il.com>
Signed-off-by: Jamie <volticks@...il.com>
Reviewed-by: Daniel Kiper <daniel.kiper@...cle.com>
---
 grub-core/commands/usbtest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
index 2c6d93fe6..8ef187a9a 100644
--- a/grub-core/commands/usbtest.c
+++ b/grub-core/commands/usbtest.c
@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
       return GRUB_USB_ERR_NONE;
     }
 
-  *string = grub_malloc (descstr.length * 2 + 1);
+  *string = grub_malloc (descstrp->length * 2 + 1);
   if (! *string)
     {
       grub_free (descstrp);
-- 
2.11.0

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.