d10d6fb187
Porting patches from grub2_2.06-3~deb11u4 to fix CVE-2022-2601/CVE-2022-3775. The source code of grub2_2.06-3~deb11u4 is from: https://snapshot.debian.org/archive/debian/20221124T030451Z/ pool/main/g/grub2/grub2_2.06-3~deb11u4.debian.tar.xz Refer to above source code and this link for the fix: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html The 1st patch in the list is for making proper context for the 14 patches of the 2 CVEs. No content changes for all the patches from debian release. We do this because grub2/grub-efi is ported from wrlinux for secure boot bringing up. Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. Closes-bug: 2020730 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia6c58a2021a786ef92f760b3cfe035fbccedacf7
82 lines
2.9 KiB
Diff
82 lines
2.9 KiB
Diff
From b1805f251b31a9d3cfae5c3572ddfa630145dbbf Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Fri, 5 Aug 2022 01:58:27 +0800
|
|
Subject: [PATCH 04/14] font: Fix several integer overflows in
|
|
grub_font_construct_glyph()
|
|
|
|
This patch fixes several integer overflows in grub_font_construct_glyph().
|
|
Glyphs of invalid size, zero or leading to an overflow, are rejected.
|
|
The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
|
|
returns NULL is fixed too.
|
|
|
|
Fixes: CVE-2022-2601
|
|
|
|
Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/font/font.c | 29 +++++++++++++++++------------
|
|
1 file changed, 17 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
|
index e781521a7..e6548892f 100644
|
|
--- a/grub-core/font/font.c
|
|
+++ b/grub-core/font/font.c
|
|
@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
|
|
struct grub_video_signed_rect bounds;
|
|
static struct grub_font_glyph *glyph = 0;
|
|
static grub_size_t max_glyph_size = 0;
|
|
+ grub_size_t cur_glyph_size;
|
|
|
|
ensure_comb_space (glyph_id);
|
|
|
|
@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
|
|
if (!glyph_id->ncomb && !glyph_id->attributes)
|
|
return main_glyph;
|
|
|
|
- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
|
|
+ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
|
|
+ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
|
|
+ return main_glyph;
|
|
+
|
|
+ if (max_glyph_size < cur_glyph_size)
|
|
{
|
|
grub_free (glyph);
|
|
- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
|
|
- if (max_glyph_size < 8)
|
|
- max_glyph_size = 8;
|
|
- glyph = grub_malloc (max_glyph_size);
|
|
+ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
|
|
+ max_glyph_size = 0;
|
|
+ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
|
|
}
|
|
if (!glyph)
|
|
{
|
|
+ max_glyph_size = 0;
|
|
grub_errno = GRUB_ERR_NONE;
|
|
return main_glyph;
|
|
}
|
|
|
|
- grub_memset (glyph, 0, sizeof (*glyph)
|
|
- + (bounds.width * bounds.height
|
|
- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
|
|
+ grub_memset (glyph, 0, cur_glyph_size);
|
|
|
|
glyph->font = main_glyph->font;
|
|
- glyph->width = bounds.width;
|
|
- glyph->height = bounds.height;
|
|
- glyph->offset_x = bounds.x;
|
|
- glyph->offset_y = bounds.y;
|
|
+ if (bounds.width == 0 || bounds.height == 0 ||
|
|
+ grub_cast (bounds.width, &glyph->width) ||
|
|
+ grub_cast (bounds.height, &glyph->height) ||
|
|
+ grub_cast (bounds.x, &glyph->offset_x) ||
|
|
+ grub_cast (bounds.y, &glyph->offset_y))
|
|
+ return main_glyph;
|
|
|
|
if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
|
|
grub_font_blit_glyph_mirror (glyph, main_glyph,
|
|
--
|
|
2.30.2
|
|
|