44f318a38d
Porting patches from grub2_2.06-3~deb11u1 to fix below CVEs: CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2022-28733 CVE-2022-28734 The source code of grub2_2.06-3~deb11u1 is from: https://snapshot.debian.org/archive/debian/20220807T030023Z/pool /main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz The relationship between commits and CVEs is as below: (1)CVE-2021-3695 commit <video/readers/png: Drop greyscale support to fix heap out-of-bounds write> (2)CVE-2021-3696 commit <video/readers/png: Avoid heap OOB R/W inserting huff table items> (3)CVE-2021-3697 commit <video/readers/jpeg: Block int underflow -> wild pointer write> (4)CVE-2022-28733 commit <net/ip: Do IP fragment maths safely> (5)CVE-2022-28734 commit <net/http: Fix OOB write for split http headers> commit <net/http: Error out on headers with LF without CR> Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. Partial-Bug: #2034119 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb
47 lines
1.3 KiB
Diff
47 lines
1.3 KiB
Diff
From 5d2f1e350e39677938a70c17a163f1a9cde36a18 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Mon, 20 Dec 2021 19:41:21 +1100
|
|
Subject: [PATCH 4/6] net/ip: Do IP fragment maths safely
|
|
|
|
This avoids an underflow and subsequent unpleasantness.
|
|
|
|
Fixes: CVE-2022-28733
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/net/ip.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
|
|
index ea5edf8..74e4e8b 100644
|
|
--- a/grub-core/net/ip.c
|
|
+++ b/grub-core/net/ip.c
|
|
@@ -25,6 +25,7 @@
|
|
#include <grub/net/netbuff.h>
|
|
#include <grub/mm.h>
|
|
#include <grub/priority_queue.h>
|
|
+#include <grub/safemath.h>
|
|
#include <grub/time.h>
|
|
|
|
struct iphdr {
|
|
@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
|
|
{
|
|
rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
|
|
+ (nb->tail - nb->data));
|
|
- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
|
|
+
|
|
+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
|
|
+ &rsm->total_len))
|
|
+ {
|
|
+ grub_dprintf ("net", "IP reassembly size underflow\n");
|
|
+ return GRUB_ERR_NONE;
|
|
+ }
|
|
+
|
|
rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
|
|
if (!rsm->asm_netbuff)
|
|
{
|
|
--
|
|
2.17.1
|
|
|