diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-07-26 12:34:02 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-08-08 16:23:34 +0100 |
commit | 9e7f4a7db257a865100e135f076cc31c14a71bd3 (patch) | |
tree | b97a502f6edc132b55a6a16bc1605ed65a330e54 | |
parent | e4946bd39eed9f4127e55c369bdbd9f35d832d9d (diff) | |
download | poky-9e7f4a7db257a865100e135f076cc31c14a71bd3.tar.gz |
grub2: Fix buffer underflow write in the heap
Source: https://git.savannah.gnu.org/gitweb/?p=grub.git
MR: 119719, 119733, 119689
Type: Security Fix
Disposition: Backport from https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08 && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042 && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6
ChangeID: 97605970cd42776fa449fd8318f2762e32bbd177
Description:
Fixed CVEs :
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
Affects "grub2 < 2.06"
(From OE-Core rev: 191db3c58b52fa7c8530d82f7e3e3b24075fdeb4)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3695.patch | 178 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3696.patch | 46 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3697.patch | 82 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 5 |
4 files changed, 310 insertions, 1 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch new file mode 100644 index 0000000000..7d6e805725 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch | |||
@@ -0,0 +1,178 @@ | |||
1 | From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Wed, 20 Jul 2022 10:01:35 +0530 | ||
4 | Subject: [PATCH] CVE-2021-3695 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08] | ||
7 | CVE: CVE-2021-3695 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | |||
10 | video/readers/png: Drop greyscale support to fix heap out-of-bounds write | ||
11 | |||
12 | A 16-bit greyscale PNG without alpha is processed in the following loop: | ||
13 | |||
14 | for (i = 0; i < (data->image_width * data->image_height); | ||
15 | i++, d1 += 4, d2 += 2) | ||
16 | { | ||
17 | d1[R3] = d2[1]; | ||
18 | d1[G3] = d2[1]; | ||
19 | d1[B3] = d2[1]; | ||
20 | } | ||
21 | |||
22 | The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, | ||
23 | but there are only 3 bytes allocated for storage. This means that image | ||
24 | data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes | ||
25 | out of every 4 following the end of the image. | ||
26 | |||
27 | This has existed since greyscale support was added in 2013 in commit | ||
28 | 3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). | ||
29 | |||
30 | Saving starfield.png as a 16-bit greyscale image without alpha in the gimp | ||
31 | and attempting to load it causes grub-emu to crash - I don't think this code | ||
32 | has ever worked. | ||
33 | |||
34 | Delete all PNG greyscale support. | ||
35 | |||
36 | Fixes: CVE-2021-3695 | ||
37 | |||
38 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
39 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
40 | --- | ||
41 | grub-core/video/readers/png.c | 89 ++++------------------------------- | ||
42 | 1 file changed, 8 insertions(+), 81 deletions(-) | ||
43 | |||
44 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
45 | index 0157ff7..db4a9d4 100644 | ||
46 | --- a/grub-core/video/readers/png.c | ||
47 | +++ b/grub-core/video/readers/png.c | ||
48 | @@ -100,7 +100,7 @@ struct grub_png_data | ||
49 | |||
50 | unsigned image_width, image_height; | ||
51 | int bpp, is_16bit; | ||
52 | - int raw_bytes, is_gray, is_alpha, is_palette; | ||
53 | + int raw_bytes, is_alpha, is_palette; | ||
54 | int row_bytes, color_bits; | ||
55 | grub_uint8_t *image_data; | ||
56 | |||
57 | @@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
58 | data->bpp = 3; | ||
59 | else | ||
60 | { | ||
61 | - data->is_gray = 1; | ||
62 | - data->bpp = 1; | ||
63 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
64 | + "png: color type not supported"); | ||
65 | } | ||
66 | |||
67 | if ((color_bits != 8) && (color_bits != 16) | ||
68 | && (color_bits != 4 | ||
69 | - || !(data->is_gray || data->is_palette))) | ||
70 | + || !data->is_palette)) | ||
71 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
72 | "png: bit depth must be 8 or 16"); | ||
73 | |||
74 | @@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
75 | } | ||
76 | |||
77 | #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||
78 | - if (data->is_16bit || data->is_gray || data->is_palette) | ||
79 | + if (data->is_16bit || data->is_palette) | ||
80 | #endif | ||
81 | { | ||
82 | data->image_data = grub_calloc (data->image_height, data->row_bytes); | ||
83 | @@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data) | ||
84 | int shift; | ||
85 | int mask = (1 << data->color_bits) - 1; | ||
86 | unsigned j; | ||
87 | - if (data->is_gray) | ||
88 | - { | ||
89 | - /* Generic formula is | ||
90 | - (0xff * i) / ((1U << data->color_bits) - 1) | ||
91 | - but for allowed bit depth of 1, 2 and for it's | ||
92 | - equivalent to | ||
93 | - (0xff / ((1U << data->color_bits) - 1)) * i | ||
94 | - Precompute the multipliers to avoid division. | ||
95 | - */ | ||
96 | - | ||
97 | - const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 }; | ||
98 | - for (i = 0; i < (1U << data->color_bits); i++) | ||
99 | - { | ||
100 | - grub_uint8_t col = multipliers[data->color_bits] * i; | ||
101 | - palette[i][0] = col; | ||
102 | - palette[i][1] = col; | ||
103 | - palette[i][2] = col; | ||
104 | - } | ||
105 | - } | ||
106 | - else | ||
107 | - grub_memcpy (palette, data->palette, 3 << data->color_bits); | ||
108 | + | ||
109 | + grub_memcpy (palette, data->palette, 3 << data->color_bits); | ||
110 | d1c = d1; | ||
111 | d2c = d2; | ||
112 | for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3, | ||
113 | @@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data) | ||
114 | return; | ||
115 | } | ||
116 | |||
117 | - if (data->is_gray) | ||
118 | - { | ||
119 | - switch (data->bpp) | ||
120 | - { | ||
121 | - case 4: | ||
122 | - /* 16-bit gray with alpha. */ | ||
123 | - for (i = 0; i < (data->image_width * data->image_height); | ||
124 | - i++, d1 += 4, d2 += 4) | ||
125 | - { | ||
126 | - d1[R4] = d2[3]; | ||
127 | - d1[G4] = d2[3]; | ||
128 | - d1[B4] = d2[3]; | ||
129 | - d1[A4] = d2[1]; | ||
130 | - } | ||
131 | - break; | ||
132 | - case 2: | ||
133 | - if (data->is_16bit) | ||
134 | - /* 16-bit gray without alpha. */ | ||
135 | - { | ||
136 | - for (i = 0; i < (data->image_width * data->image_height); | ||
137 | - i++, d1 += 4, d2 += 2) | ||
138 | - { | ||
139 | - d1[R3] = d2[1]; | ||
140 | - d1[G3] = d2[1]; | ||
141 | - d1[B3] = d2[1]; | ||
142 | - } | ||
143 | - } | ||
144 | - else | ||
145 | - /* 8-bit gray with alpha. */ | ||
146 | - { | ||
147 | - for (i = 0; i < (data->image_width * data->image_height); | ||
148 | - i++, d1 += 4, d2 += 2) | ||
149 | - { | ||
150 | - d1[R4] = d2[1]; | ||
151 | - d1[G4] = d2[1]; | ||
152 | - d1[B4] = d2[1]; | ||
153 | - d1[A4] = d2[0]; | ||
154 | - } | ||
155 | - } | ||
156 | - break; | ||
157 | - /* 8-bit gray without alpha. */ | ||
158 | - case 1: | ||
159 | - for (i = 0; i < (data->image_width * data->image_height); | ||
160 | - i++, d1 += 3, d2++) | ||
161 | - { | ||
162 | - d1[R3] = d2[0]; | ||
163 | - d1[G3] = d2[0]; | ||
164 | - d1[B3] = d2[0]; | ||
165 | - } | ||
166 | - break; | ||
167 | - } | ||
168 | - return; | ||
169 | - } | ||
170 | - | ||
171 | - { | ||
172 | + { | ||
173 | /* Only copy the upper 8 bit. */ | ||
174 | #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||
175 | for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1); | ||
176 | -- | ||
177 | 2.25.1 | ||
178 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch new file mode 100644 index 0000000000..ef6da945c4 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Wed, 20 Jul 2022 10:05:42 +0530 | ||
4 | Subject: [PATCH] CVE-2021-3696 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042] | ||
7 | CVE: CVE-2021-3696 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | |||
10 | video/readers/png: Avoid heap OOB R/W inserting huff table items | ||
11 | |||
12 | In fuzzing we observed crashes where a code would attempt to be inserted | ||
13 | into a huffman table before the start, leading to a set of heap OOB reads | ||
14 | and writes as table entries with negative indices were shifted around and | ||
15 | the new code written in. | ||
16 | |||
17 | Catch the case where we would underflow the array and bail. | ||
18 | |||
19 | Fixes: CVE-2021-3696 | ||
20 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
21 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
22 | --- | ||
23 | grub-core/video/readers/png.c | 7 +++++++ | ||
24 | 1 file changed, 7 insertions(+) | ||
25 | |||
26 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
27 | index 36b3f10..3c05951 100644 | ||
28 | --- a/grub-core/video/readers/png.c | ||
29 | +++ b/grub-core/video/readers/png.c | ||
30 | @@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) | ||
31 | for (i = len; i < ht->max_length; i++) | ||
32 | n += ht->maxval[i]; | ||
33 | |||
34 | + if (n > ht->num_values) | ||
35 | + { | ||
36 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
37 | + "png: out of range inserting huffman table item"); | ||
38 | + return; | ||
39 | + } | ||
40 | + | ||
41 | for (i = 0; i < n; i++) | ||
42 | ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; | ||
43 | |||
44 | -- | ||
45 | 2.25.1 | ||
46 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch new file mode 100644 index 0000000000..be15e7d1f2 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch | |||
@@ -0,0 +1,82 @@ | |||
1 | From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Tue, 19 Jul 2022 11:13:02 +0530 | ||
4 | Subject: [PATCH] CVE-2021-3697 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6] | ||
7 | CVE: CVE-2021-3697 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | |||
10 | video/readers/jpeg: Block int underflow -> wild pointer write | ||
11 | |||
12 | Certain 1 px wide images caused a wild pointer write in | ||
13 | grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), | ||
14 | we have the following loop: | ||
15 | |||
16 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
17 | data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
18 | |||
19 | We did not check if vb * width >= hb * nc1. | ||
20 | |||
21 | On a 64-bit platform, if that turns out to be negative, it will underflow, | ||
22 | be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so | ||
23 | we see data->bitmap_ptr jump, e.g.: | ||
24 | |||
25 | 0x6180_0000_0480 to | ||
26 | 0x6181_0000_0498 | ||
27 | ^ | ||
28 | ~--- carry has occurred and this pointer is now far away from | ||
29 | any object. | ||
30 | |||
31 | On a 32-bit platform, it will decrement the pointer, creating a pointer | ||
32 | that won't crash but will overwrite random data. | ||
33 | |||
34 | Catch the underflow and error out. | ||
35 | |||
36 | Fixes: CVE-2021-3697 | ||
37 | |||
38 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
39 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
40 | --- | ||
41 | grub-core/video/readers/jpeg.c | 10 +++++++++- | ||
42 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
43 | |||
44 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
45 | index 31359a4..545a60b 100644 | ||
46 | --- a/grub-core/video/readers/jpeg.c | ||
47 | +++ b/grub-core/video/readers/jpeg.c | ||
48 | @@ -23,6 +23,7 @@ | ||
49 | #include <grub/mm.h> | ||
50 | #include <grub/misc.h> | ||
51 | #include <grub/bufio.h> | ||
52 | +#include <grub/safemath.h> | ||
53 | |||
54 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
55 | |||
56 | @@ -617,6 +618,7 @@ static grub_err_t | ||
57 | grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
58 | { | ||
59 | unsigned c1, vb, hb, nr1, nc1; | ||
60 | + unsigned stride_a, stride_b, stride; | ||
61 | int rst = data->dri; | ||
62 | |||
63 | vb = 8 << data->log_vs; | ||
64 | @@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
65 | nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs); | ||
66 | nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs); | ||
67 | |||
68 | + if (grub_mul(vb, data->image_width, &stride_a) || | ||
69 | + grub_mul(hb, nc1, &stride_b) || | ||
70 | + grub_sub(stride_a, stride_b, &stride)) | ||
71 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
72 | + "jpeg: cannot decode image with these dimensions"); | ||
73 | + | ||
74 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
75 | - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
76 | + data->r1++, data->bitmap_ptr += stride * 3) | ||
77 | for (c1 = 0; c1 < nc1 && (!data->dri || rst); | ||
78 | c1++, rst--, data->bitmap_ptr += hb * 3) | ||
79 | { | ||
80 | -- | ||
81 | 2.25.1 | ||
82 | |||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 9e98d8249d..0b7ca6d3d6 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -95,7 +95,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
95 | file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \ | 95 | file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \ |
96 | file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \ | 96 | file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \ |
97 | file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \ | 97 | file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \ |
98 | file://CVE-2021-3981.patch\ | 98 | file://CVE-2021-3981.patch \ |
99 | file://CVE-2021-3695.patch \ | ||
100 | file://CVE-2021-3696.patch \ | ||
101 | file://CVE-2021-3697.patch \ | ||
99 | " | 102 | " |
100 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 103 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
101 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 104 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |