d10d6fb187
Porting patches from grub2_2.06-3~deb11u4 to fix CVE-2022-2601/CVE-2022-3775. The source code of grub2_2.06-3~deb11u4 is from: https://snapshot.debian.org/archive/debian/20221124T030451Z/ pool/main/g/grub2/grub2_2.06-3~deb11u4.debian.tar.xz Refer to above source code and this link for the fix: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html The 1st patch in the list is for making proper context for the 14 patches of the 2 CVEs. No content changes for all the patches from debian release. We do this because grub2/grub-efi is ported from wrlinux for secure boot bringing up. Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. Closes-bug: 2020730 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia6c58a2021a786ef92f760b3cfe035fbccedacf7
66 lines
2.3 KiB
Diff
66 lines
2.3 KiB
Diff
From afda8b60ba0712abe01ae1e64c5f7a067a0e6492 Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Mon, 15 Aug 2022 02:04:58 +0800
|
|
Subject: [PATCH 07/14] font: Fix integer overflow in BMP index
|
|
|
|
The BMP index (font->bmp_idx) is designed as a reverse lookup table of
|
|
char entries (font->char_index), in order to speed up lookups for BMP
|
|
chars (i.e. code < 0x10000). The values in BMP index are the subscripts
|
|
of the corresponding char entries, stored in grub_uint16_t, while 0xffff
|
|
means not found.
|
|
|
|
This patch fixes the problem of large subscript truncated to grub_uint16_t,
|
|
leading BMP index to return wrong char entry or report false miss. The
|
|
code now checks for bounds and uses BMP index as a hint, and fallbacks
|
|
to binary-search if necessary.
|
|
|
|
On the occasion add a comment about BMP index is initialized to 0xffff.
|
|
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/font/font.c | 13 +++++++++----
|
|
1 file changed, 9 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
|
index 9e3e0a94e..e4cb0d867 100644
|
|
--- a/grub-core/font/font.c
|
|
+++ b/grub-core/font/font.c
|
|
@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
|
|
font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
|
|
if (!font->bmp_idx)
|
|
return 1;
|
|
+
|
|
+ /* Init the BMP index array to 0xffff. */
|
|
grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
|
|
|
|
|
|
@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
|
|
return 1;
|
|
}
|
|
|
|
- if (entry->code < 0x10000)
|
|
+ if (entry->code < 0x10000 && i < 0xffff)
|
|
font->bmp_idx[entry->code] = i;
|
|
|
|
last_code = entry->code;
|
|
@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
|
|
/* Use BMP index if possible. */
|
|
if (code < 0x10000 && font->bmp_idx)
|
|
{
|
|
- if (font->bmp_idx[code] == 0xffff)
|
|
- return 0;
|
|
- return &table[font->bmp_idx[code]];
|
|
+ if (font->bmp_idx[code] < 0xffff)
|
|
+ return &table[font->bmp_idx[code]];
|
|
+ /*
|
|
+ * When we are here then lookup in BMP index result in miss,
|
|
+ * fallthough to binary-search.
|
|
+ */
|
|
}
|
|
|
|
/* Do a binary search in `char_index', which is ordered by code point. */
|
|
--
|
|
2.30.2
|
|
|