Re: GRUB has a problem with a big grub.cfg
From: Bean
Subject: Re: GRUB has a problem with a big grub.cfg
Date: Tue, 29 Jul 2008 19:48:35 +0800
On Mon, Jul 28, 2008 at 6:12 PM, Felix Zielcke <address@hidden> wrote:
> GRUB 2 has a problem with many kernel entries in grub.cfg
> This works fine for me with grub-emu but not real GRUB
>
> I reproduced this now in qemu 0.9.1-5 from debian unstable
> Attached is the floppy image I used and the kernel entries I added to the
> insmod lines generated by grub-mkrescue
>
> Welcome to GRUB!
>
> free magic is broken at 0x7f17a00: 0x3d616776
>
> I tried to find out how big grub.cfg exactly must be for it to fail, but
> I couldn't
> I deleted the entries in little chunks and then after GRUB loaded the
> menu fine I added some again, but it kept displaying the menu fine with
> the new entries added.
> So something in GRUB's memory management seems to be a bit broken with a
> big grub.cfg
>
> But I still wonder why you need that many kernels, and now with testing
> in qemu I noticed that the reporter has the exact same menuentries more
> than once in grub.cfg
Hi,
I have found the bug, it's caused by a buffer overflow. In get_line
(normal/main.c), if the string length is a multiple of 64, the ending \0
will overflow the buffer. This patch fixes the problem:
diff --git a/normal/main.c b/normal/main.c
index e5458fc..70f2f1d 100644
--- a/normal/main.c
+++ b/normal/main.c
@@ -97,9 +97,6 @@ get_line (grub_file_t file)
}
else
{
- if (c == '\n')
- break;
-
if (pos >= max_len)
{
char *old_cmdline = cmdline;
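Review bot: removing the early `if (c == '\n') break;` here means the `if (pos >= max_len)` growth check below is now reached for the newline character as well, which is what lets a line of exactly max_len bytes get its buffer grown before the loop exits; on its own, though, this hunk would store the '\n' into cmdline, so it is only correct together with the second hunk that reinstates the break after the growth block, and the two must land as a single commit.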
@@ -112,6 +109,9 @@ get_line (grub_file_t file)
}
}
+ if (c == '\n')
+ break;
+
cmdline[pos++] = c;
}
}
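Review bot: the relocated break only covers the newline path. If the loop can also end at end-of-file (its header is outside this hunk), a final line of exactly 64*n bytes with no trailing newline still leaves pos == max_len for the terminator write after the loop, so either that write should itself check `pos >= max_len` and grow first, or the growth condition should become `pos + 1 >= max_len` so that a byte for the '\0' is always reserved. Also add a one-line comment at the moved `if (c == '\n') break;` saying it must stay after the growth block, since the ordering looks accidental otherwise and is easy to "tidy" back.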
--
Bean
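To make the off-by-one Bean describes concrete, here is an added example (not GRUB's code) that models the get_line() loop in both orderings, reading from an in-memory string rather than a grub_file_t, and generalises from the single 64-byte case to any multiple of 64 and to a last line with no trailing newline. The 64-byte growth step and the way end of input leaves the loop are assumptions.

```c
/* Added example, not GRUB's code: a model of the get_line() loop from the
 * patch, reading from an in-memory string instead of a grub_file_t.  The
 * 64-byte growth step is from the mail.  Buffers get +1 slack so the model
 * never writes out of bounds; it reports where the NUL landed instead. */
#include <stdlib.h>
#include <string.h>
#define CHUNK 64

/* ORDER_ORIGINAL: newline check before the growth check (the bug).
 * ORDER_PATCHED:  newline check after the growth check (Bean's patch). */
enum order { ORDER_ORIGINAL, ORDER_PATCHED };

/* max_len: buffer size the real code would have; nul_index: where the
 * terminating NUL was written.  nul_index >= max_len means overflow. */
struct line_result { size_t max_len; size_t nul_index; };

static struct line_result model_get_line(const char *input, enum order ord)
{
    size_t max_len = CHUNK, pos = 0;
    char *cmdline = malloc(max_len + 1);

    for (const char *p = input; *p != '\0'; p++) {
        if (ord == ORDER_ORIGINAL && *p == '\n') break;
        if (pos >= max_len) {            /* grow by one chunk when full */
            max_len += CHUNK;
            cmdline = realloc(cmdline, max_len + 1);
        }
        if (ord == ORDER_PATCHED && *p == '\n') break;
        cmdline[pos++] = *p;
    }
    /* Assumption: end of input leaves the loop without reaching the growth
     * check, like EOF on a grub_file_t.  This write overflows when pos == max_len. */
    cmdline[pos] = '\0';
    free(cmdline);
    return (struct line_result){ max_len, pos };
}

/* Builds a line of `len` 'x' bytes (plus '\n' if with_newline) and returns 1
 * if reading it under the given ordering would put the NUL past the buffer. */
static int overflow_for(size_t len, int with_newline, enum order ord)
{
    char *input = malloc(len + 2);
    memset(input, 'x', len);
    input[len] = with_newline ? '\n' : '\0';
    input[len + 1] = '\0';
    struct line_result r = model_get_line(input, ord);
    free(input);
    return r.nul_index >= r.max_len;
}
```

Under these assumptions the patched ordering stops the overflow for every newline-terminated line, while a final unterminated line whose length is a multiple of 64 still lands the NUL at index max_len.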