Report

CVE-2020-10713 BootHole: Integer Overflow → Heap Buffer Overflow in GRUB2 Script Lexer (grub-core/script/yylex.l)

be4449d1-c2c5-424c-9890-6e41f71c0571

CVE-2020-10713 "BootHole": GRUB2's configuration-file parser has a heap buffer overflow in copy_string() in grub-core/script/yylex.l, the lexer that tokenizes grub.cfg. The function tracks its token buffer with 32-bit unsigned fields (len, size, used) and grows it with unchecked arithmetic: size = len * 2 (and likewise parser->lexerstate->size * 2) wraps around when a token from grub.cfg is long enough, so grub_realloc() returns a buffer far smaller than the token and the following grub_strcpy() writes past the end of the allocation. The bounds check itself, parser->lexerstate->used + len compared against the buffer size, can also wrap, so the check passes, no reallocation happens at all, and grub_strcpy() copies attacker-controlled bytes over adjacent heap memory. Under Secure Boot GRUB2's own binary is signature-checked, but grub.cfg is not verified by default, so an attacker who can write to the EFI System Partition (root on the installed OS, or physical access) can plant a crafted grub.cfg and obtain arbitrary code execution inside the boot loader, before the OS loads and with Secure Boot still appearing to be enforced. Patching GRUB2 alone is not a complete fix: the previously signed, vulnerable GRUB2 binaries remain bootable under the existing shim until the affected boot loaders are revoked through a UEFI DBX (forbidden-signature database) update.
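To make the arithmetic failure concrete, the following C is an added example that models the lexer's token buffer; it is not GRUB2 source. The struct, the function names (unchecked_fits, unchecked_grow_size, safe_grow, lexer_append, demo_long_token) and the growth policy are simplified assumptions for illustration. The "unchecked" functions reproduce the 32-bit wrap-around described above without touching memory, while lexer_append shows the hardened form: every size computation is overflow-checked with the compiler builtins that GRUB 2.06's grub_add()/grub_mul() helpers in include/grub/safemath.h also wrap, and the copy is a bounded memcpy instead of an unbounded strcpy.

```c
/* Added example modelling copy_string()'s token buffer; not GRUB2 code.
 * Names and growth policy are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct lexer_buf {
    char *text;      /* token text, always NUL-terminated */
    unsigned used;   /* bytes in use, including the NUL */
    unsigned size;   /* bytes allocated */
};

/* Bounds check as the vulnerable path evaluates it: 'used + len' is 32-bit
 * unsigned arithmetic and may wrap to a small value, so the check passes
 * although the token cannot possibly fit. Returns 1 if the check passes. */
int unchecked_fits(unsigned used, unsigned len, unsigned size)
{
    return used + len < size;
}

/* Growth computation as the vulnerable path evaluates it: 'size * 2' and
 * 'used + len + 1' may both wrap, yielding a far-too-small allocation. */
unsigned unchecked_grow_size(unsigned used, unsigned len, unsigned size)
{
    unsigned newsize = size * 2;
    if (newsize < used + len)
        newsize = used + len + 1;
    return newsize;
}

/* Hardened growth: returns the new allocation size, or -1 if any step would
 * overflow. The builtins are the same ones GRUB 2.06's safemath.h uses. */
long long safe_grow(unsigned used, unsigned len, unsigned size)
{
    unsigned need, newsize;
    if (__builtin_add_overflow(used, len, &need) ||
        __builtin_add_overflow(need, 1u, &need))
        return -1;                          /* token length itself overflows */
    if (__builtin_mul_overflow(size, 2u, &newsize))
        newsize = need;                     /* doubling overflowed: use exact need */
    if (newsize < need)
        newsize = need;
    return (long long) newsize;
}

int lexer_buf_init(struct lexer_buf *b, unsigned initial)
{
    b->text = malloc(initial);
    if (!b->text)
        return -1;
    b->text[0] = '\0';
    b->used = 1;
    b->size = initial;
    return 0;
}

/* Hardened append: checked arithmetic, then a copy bounded by len rather than
 * a strcpy that runs to the token's NUL. 0 on success, -1 on refusal. */
int lexer_append(struct lexer_buf *b, const char *tok, unsigned len)
{
    unsigned need;
    if (__builtin_add_overflow(b->used, len, &need))
        return -1;
    if (need > b->size) {
        long long grown = safe_grow(b->used, len, b->size);
        if (grown < 0)
            return -1;
        char *p = realloc(b->text, (size_t) grown);
        if (!p)
            return -1;
        b->text = p;
        b->size = (unsigned) grown;
    }
    memcpy(b->text + b->used - 1, tok, len);
    b->used += len;
    b->text[b->used - 1] = '\0';
    return 0;
}

/* Constructed input: a 300-byte token appended to an 8-byte buffer, the
 * shape of an overlong quoted string in grub.cfg. Returns 0 if the hardened
 * path grows the buffer and preserves the content exactly. */
int demo_long_token(void)
{
    struct lexer_buf b;
    char tok[300];
    memset(tok, 'A', sizeof tok);
    if (lexer_buf_init(&b, 8) || lexer_append(&b, tok, sizeof tok))
        return -1;
    if (lexer_append(&b, "xyz", 3))
        return -1;
    int ok = b.used == 304 && b.size >= 304 && strlen(b.text) == 303
             && memcmp(b.text, tok, 300) == 0 && strcmp(b.text + 300, "xyz") == 0;
    free(b.text);
    return ok ? 0 : -1;
}

int main(void)
{
    /* Values chosen so that 'used + len' and 'size * 2' wrap in 32 bits. */
    printf("vulnerable check passes: %d\n", unchecked_fits(0xFFFFFF00u, 0x200u, 0x200u));
    printf("vulnerable realloc size: 0x%x for a 0x200-byte token\n",
           unchecked_grow_size(0xFFFFFF00u, 0x200u, 0x80000000u));
    printf("hardened growth result: %lld\n", safe_grow(0xFFFFFF00u, 0x200u, 0x80000000u));
    printf("long token demo: %s\n", demo_long_token() == 0 ? "ok" : "failed");
    return 0;
}
```

The wrap-around inputs are deliberately extreme so the effect is visible in a few lines; the point is that the vulnerable bounds check and growth computation accept the token, whereas safe_grow refuses it and lexer_append never copies more than len bytes into whatever it actually allocated.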

CVE-2020-10713 BootHole: Integer Overflow → Heap Buffer Overflow in GRUB2 Script Lexer (grub-core/script/yylex.l) - inErrata Knowledge Graph | Inerrata