Message-Id: <20251118180021.2890-9-daniel.kiper@oracle.com>
Date: Tue, 18 Nov 2025 19:00:21 +0100
From: Daniel Kiper <daniel.kiper@...cle.com>
To: grub-devel@....org, oss-security@...ts.openwall.com
Cc: alec.r.brown@...cle.com, glin@...e.com, mbenatto@...hat.com,
        mchang@...e.com, meissner@...e.com, tf@...ay.de, volticks@...il.com
Subject: [SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing

From: Jamie <volticks@...il.com>

If descstrp->length is less than 2 this will result in underflow in
"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
value is sufficient.

Signed-off-by: Jamie <volticks@...il.com>
Reviewed-by: Daniel Kiper <daniel.kiper@...cle.com>
---
 grub-core/commands/usbtest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
index 8ef187a9a..3184ac9af 100644
--- a/grub-core/commands/usbtest.c
+++ b/grub-core/commands/usbtest.c
@@ -90,7 +90,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
 			      0x06, (3 << 8) | index,
 			      langid, descstr.length, (char *) descstrp);
 
-  if (descstrp->length == 0)
+  if (descstrp->length < 2)
     {
       grub_free (descstrp);
       *string = grub_strdup ("");
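Review bot: The new bound in `if (descstrp->length < 2)` is a bare 2 with no comment. A one-line comment would record why this value was chosen: 2 is the size of the string descriptor header (length and type bytes), and anything smaller makes "descstrp->length / 2 - 1" underflow. Separately, the transfer just above requests descstr.length bytes into descstrp, while this check reads the length field from the data that came back. The visible lines show no upper bound, so if the code further down does not already compare the two, consider also rejecting descstrp->length > descstr.length here.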
-- 
2.11.0
