44f318a38d
Porting patches from grub2_2.06-3~deb11u1 to fix below CVEs: CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2022-28733 CVE-2022-28734 The source code of grub2_2.06-3~deb11u1 is from: https://snapshot.debian.org/archive/debian/20220807T030023Z/pool /main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz The relationship between commits and CVEs is as below: (1)CVE-2021-3695 commit <video/readers/png: Drop greyscale support to fix heap out-of-bounds write> (2)CVE-2021-3696 commit <video/readers/png: Avoid heap OOB R/W inserting huff table items> (3)CVE-2021-3697 commit <video/readers/jpeg: Block int underflow -> wild pointer write> (4)CVE-2022-28733 commit <net/ip: Do IP fragment maths safely> (5)CVE-2022-28734 commit <net/http: Fix OOB write for split http headers> commit <net/http: Error out on headers with LF without CR> Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. Partial-Bug: #2034119 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb
49 lines
1.6 KiB
Diff
49 lines
1.6 KiB
Diff
From f37943427c5bf16a0003d3049221da698006f6f3 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Tue, 8 Mar 2022 18:17:03 +1100
|
|
Subject: [PATCH 5/6] net/http: Fix OOB write for split http headers
|
|
|
|
GRUB has special code for handling an http header that is split
|
|
across two packets.
|
|
|
|
The code tracks the end of line by looking for a "\n" byte. The
|
|
code for split headers has always advanced the pointer just past the
|
|
end of the line, whereas the code that handles unsplit headers does
|
|
not advance the pointer. This extra advance causes the length to be
|
|
one greater, which breaks an assumption in parse_line(), leading to
|
|
it writing a NUL byte one byte past the end of the buffer where we
|
|
reconstruct the line from the two packets.
|
|
|
|
It's conceivable that an attacker controlled set of packets could
|
|
cause this to zero out the first byte of the "next" pointer of the
|
|
grub_mm_region structure following the current_line buffer.
|
|
|
|
Do not advance the pointer in the split header case.
|
|
|
|
Fixes: CVE-2022-28734
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/net/http.c | 4 +---
|
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
|
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
|
|
index b616cf4..a19b0a2 100644
|
|
--- a/grub-core/net/http.c
|
|
+++ b/grub-core/net/http.c
|
|
@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
|
|
int have_line = 1;
|
|
char *t;
|
|
ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
|
|
- if (ptr)
|
|
- ptr++;
|
|
- else
|
|
+ if (ptr == NULL)
|
|
{
|
|
have_line = 0;
|
|
ptr = (char *) nb->tail;
|
|
--
|
|
2.17.1
|
|
|