d10d6fb187
Porting patches from grub2_2.06-3~deb11u4 to fix CVE-2022-2601/CVE-2022-3775. The source code of grub2_2.06-3~deb11u4 is from: https://snapshot.debian.org/archive/debian/20221124T030451Z/ pool/main/g/grub2/grub2_2.06-3~deb11u4.debian.tar.xz Refer to above source code and this link for the fix: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html The 1st patch in the list is for making proper context for the 14 patches of the 2 CVEs. No content changes for all the patches from debian release. We do this because grub2/grub-efi is ported from wrlinux for secure boot bringing up. Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. Closes-bug: 2020730 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia6c58a2021a786ef92f760b3cfe035fbccedacf7
92 lines
3.9 KiB
Diff
92 lines
3.9 KiB
Diff
From 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4 Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Mon, 24 Oct 2022 08:05:35 +0800
|
|
Subject: [PATCH 11/14] font: Fix an integer underflow in blit_comb()
|
|
|
|
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
|
|
evaluate to a very big invalid value even if both ctx.bounds.height and
|
|
combining_glyphs[i]->height are small integers. For example, if
|
|
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
|
|
expression evaluates to 2147483647 (expected -1). This is because
|
|
coordinates are allowed to be negative but ctx.bounds.height is an
|
|
unsigned int. So, the subtraction operates on unsigned ints and
|
|
underflows to a very big value. The division makes things even worse.
|
|
The quotient is still an invalid value even if converted back to int.
|
|
|
|
This patch fixes the problem by casting ctx.bounds.height to int. As
|
|
a result the subtraction will operate on int and grub_uint16_t which
|
|
will be promoted to an int. So, the underflow will no longer happen. Other
|
|
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
|
|
to ensure coordinates are always calculated on signed integers.
|
|
|
|
Fixes: CVE-2022-3775
|
|
|
|
Reported-by: Daniel Axtens <dja@axtens.net>
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/font/font.c | 16 ++++++++--------
|
|
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
|
index abd412a5e..3d3d803e8 100644
|
|
--- a/grub-core/font/font.c
|
|
+++ b/grub-core/font/font.c
|
|
@@ -1203,12 +1203,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
ctx.bounds.height = main_glyph->height;
|
|
|
|
above_rightx = main_glyph->offset_x + main_glyph->width;
|
|
- above_righty = ctx.bounds.y + ctx.bounds.height;
|
|
+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
|
|
|
|
above_leftx = main_glyph->offset_x;
|
|
- above_lefty = ctx.bounds.y + ctx.bounds.height;
|
|
+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
|
|
|
|
- below_rightx = ctx.bounds.x + ctx.bounds.width;
|
|
+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
|
|
below_righty = ctx.bounds.y;
|
|
|
|
comb = grub_unicode_get_comb (glyph_id);
|
|
@@ -1221,7 +1221,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
|
|
if (!combining_glyphs[i])
|
|
continue;
|
|
- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
|
+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
|
/* CGJ is to avoid diacritics reordering. */
|
|
if (comb[i].code
|
|
== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
|
|
@@ -1231,8 +1231,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
case GRUB_UNICODE_COMB_OVERLAY:
|
|
do_blit (combining_glyphs[i],
|
|
targetx,
|
|
- (ctx.bounds.height - combining_glyphs[i]->height) / 2
|
|
- - (ctx.bounds.height + ctx.bounds.y), &ctx);
|
|
+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
|
|
+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
|
|
if (min_devwidth < combining_glyphs[i]->width)
|
|
min_devwidth = combining_glyphs[i]->width;
|
|
break;
|
|
@@ -1305,7 +1305,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
/* Fallthrough. */
|
|
case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
|
|
do_blit (combining_glyphs[i], targetx,
|
|
- -(ctx.bounds.height + ctx.bounds.y + space
|
|
+ -((int) ctx.bounds.height + ctx.bounds.y + space
|
|
+ combining_glyphs[i]->height), &ctx);
|
|
if (min_devwidth < combining_glyphs[i]->width)
|
|
min_devwidth = combining_glyphs[i]->width;
|
|
@@ -1313,7 +1313,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
|
|
case GRUB_UNICODE_COMB_HEBREW_DAGESH:
|
|
do_blit (combining_glyphs[i], targetx,
|
|
- -(ctx.bounds.height / 2 + ctx.bounds.y
|
|
+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
|
|
+ combining_glyphs[i]->height / 2), &ctx);
|
|
if (min_devwidth < combining_glyphs[i]->width)
|
|
min_devwidth = combining_glyphs[i]->width;
|
|
--
|
|
2.30.2
|
|
|