diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-11-28 10:29:52 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-12-01 04:14:19 -1000 |
commit | c64835823aa57e2adfd6937171333880476857f7 (patch) | |
tree | 9b6cdd9724a9b44d01b7b2eda529f62eb56c4dc6 | |
parent | 716693ccccb82ad398ff7470c360d047baeaec07 (diff) | |
download | poky-c64835823aa57e2adfd6937171333880476857f7.tar.gz |
grub: fix CVE-2023-4692 & CVE-2023-4693
Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94
(From OE-Core rev: f461056d88db0eae5573a0c0ad23c408cff80bd8)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2023-4692.patch | 97 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2023-4693.patch | 62 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 2 |
3 files changed, 161 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch new file mode 100644 index 0000000000..0e74870ebf --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch | |||
@@ -0,0 +1,97 @@ | |||
1 | From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001 | ||
2 | From: Maxim Suhanov <dfirblog@gmail.com> | ||
3 | Date: Mon, 28 Aug 2023 16:31:57 +0300 | ||
4 | Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST | ||
5 | attribute for the $MFT file | ||
6 | |||
7 | When parsing an extremely fragmented $MFT file, i.e., the file described | ||
8 | using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer | ||
9 | containing bytes read from the underlying drive to store sector numbers, | ||
10 | which are consumed later to read data from these sectors into another buffer. | ||
11 | |||
12 | These sectors numbers, two 32-bit integers, are always stored at predefined | ||
13 | offsets, 0x10 and 0x14, relative to first byte of the selected entry within | ||
14 | the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. | ||
15 | |||
16 | However, when parsing a specially-crafted file system image, this may cause | ||
17 | the NTFS code to write these integers beyond the buffer boundary, likely | ||
18 | causing the GRUB memory allocator to misbehave or fail. These integers contain | ||
19 | values which are controlled by on-disk structures of the NTFS file system. | ||
20 | |||
21 | Such modification and resulting misbehavior may touch a memory range not | ||
22 | assigned to the GRUB and owned by firmware or another EFI application/driver. | ||
23 | |||
24 | This fix introduces checks to ensure that these sector numbers are never | ||
25 | written beyond the boundary. | ||
26 | |||
27 | Fixes: CVE-2023-4692 | ||
28 | |||
29 | Reported-by: Maxim Suhanov <dfirblog@gmail.com> | ||
30 | Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> | ||
31 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
32 | |||
33 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] | ||
34 | CVE: CVE-2023-4692 | ||
35 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
36 | --- | ||
37 | grub-core/fs/ntfs.c | 18 +++++++++++++++++- | ||
38 | 1 file changed, 17 insertions(+), 1 deletion(-) | ||
39 | |||
40 | diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c | ||
41 | index 2f34f76..c8d3683 100644 | ||
42 | --- a/grub-core/fs/ntfs.c | ||
43 | +++ b/grub-core/fs/ntfs.c | ||
44 | @@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
45 | } | ||
46 | if (at->attr_end) | ||
47 | { | ||
48 | - grub_uint8_t *pa; | ||
49 | + grub_uint8_t *pa, *pa_end; | ||
50 | |||
51 | at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); | ||
52 | if (at->emft_buf == NULL) | ||
53 | @@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
54 | } | ||
55 | at->attr_nxt = at->edat_buf; | ||
56 | at->attr_end = at->edat_buf + u32at (pa, 0x30); | ||
57 | + pa_end = at->edat_buf + n; | ||
58 | } | ||
59 | else | ||
60 | { | ||
61 | at->attr_nxt = at->attr_end + u16at (pa, 0x14); | ||
62 | at->attr_end = at->attr_end + u32at (pa, 4); | ||
63 | + pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); | ||
64 | } | ||
65 | at->flags |= GRUB_NTFS_AF_ALST; | ||
66 | while (at->attr_nxt < at->attr_end) | ||
67 | @@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
68 | at->flags |= GRUB_NTFS_AF_GPOS; | ||
69 | at->attr_cur = at->attr_nxt; | ||
70 | pa = at->attr_cur; | ||
71 | + | ||
72 | + if ((pa >= pa_end) || (pa_end - pa < 0x18)) | ||
73 | + { | ||
74 | + grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); | ||
75 | + return NULL; | ||
76 | + } | ||
77 | + | ||
78 | grub_set_unaligned32 ((char *) pa + 0x10, | ||
79 | grub_cpu_to_le32 (at->mft->data->mft_start)); | ||
80 | grub_set_unaligned32 ((char *) pa + 0x14, | ||
81 | @@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
82 | { | ||
83 | if (*pa != attr) | ||
84 | break; | ||
85 | + | ||
86 | + if ((pa >= pa_end) || (pa_end - pa < 0x18)) | ||
87 | + { | ||
88 | + grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); | ||
89 | + return NULL; | ||
90 | + } | ||
91 | + | ||
92 | if (read_attr | ||
93 | (at, pa + 0x10, | ||
94 | u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), | ||
95 | -- | ||
96 | 2.25.1 | ||
97 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch new file mode 100644 index 0000000000..1e6b6efdec --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001 | ||
2 | From: Maxim Suhanov <dfirblog@gmail.com> | ||
3 | Date: Mon, 28 Aug 2023 16:32:33 +0300 | ||
4 | Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident | ||
5 | $DATA attribute | ||
6 | |||
7 | When reading a file containing resident data, i.e., the file data is stored in | ||
8 | the $DATA attribute within the NTFS file record, not in external clusters, | ||
9 | there are no checks that this resident data actually fits the corresponding | ||
10 | file record segment. | ||
11 | |||
12 | When parsing a specially-crafted file system image, the current NTFS code will | ||
13 | read the file data from an arbitrary, attacker-chosen memory offset and of | ||
14 | arbitrary, attacker-chosen length. | ||
15 | |||
16 | This allows an attacker to display arbitrary chunks of memory, which could | ||
17 | contain sensitive information like password hashes or even plain-text, | ||
18 | obfuscated passwords from BS EFI variables. | ||
19 | |||
20 | This fix implements a check to ensure that resident data is read from the | ||
21 | corresponding file record segment only. | ||
22 | |||
23 | Fixes: CVE-2023-4693 | ||
24 | |||
25 | Reported-by: Maxim Suhanov <dfirblog@gmail.com> | ||
26 | Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> | ||
27 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
28 | |||
29 | Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94] | ||
30 | CVE: CVE-2023-4693 | ||
31 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
32 | --- | ||
33 | grub-core/fs/ntfs.c | 13 ++++++++++++- | ||
34 | 1 file changed, 12 insertions(+), 1 deletion(-) | ||
35 | |||
36 | diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c | ||
37 | index c8d3683..4d1fe42 100644 | ||
38 | --- a/grub-core/fs/ntfs.c | ||
39 | +++ b/grub-core/fs/ntfs.c | ||
40 | @@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, | ||
41 | { | ||
42 | if (ofs + len > u32at (pa, 0x10)) | ||
43 | return grub_error (GRUB_ERR_BAD_FS, "read out of range"); | ||
44 | - grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len); | ||
45 | + | ||
46 | + if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) | ||
47 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); | ||
48 | + | ||
49 | + if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) | ||
50 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); | ||
51 | + | ||
52 | + if (u16at (pa, 0x14) + u32at (pa, 0x10) > | ||
53 | + (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) | ||
54 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); | ||
55 | + | ||
56 | + grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); | ||
57 | return 0; | ||
58 | } | ||
59 | |||
60 | -- | ||
61 | 2.25.1 | ||
62 | |||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bfcda76c24..bea03f4fc1 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -109,6 +109,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
109 | file://CVE-2020-27749.patch \ | 109 | file://CVE-2020-27749.patch \ |
110 | file://CVE-2021-20225.patch \ | 110 | file://CVE-2021-20225.patch \ |
111 | file://CVE-2021-20233.patch \ | 111 | file://CVE-2021-20233.patch \ |
112 | file://CVE-2023-4692.patch \ | ||
113 | file://CVE-2023-4693.patch \ | ||
112 | " | 114 | " |
113 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 115 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
114 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 116 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |