authorAnuj Mittal <anuj.mittal@intel.com>2024-01-23 16:47:34 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2024-01-24 15:46:19 +0000
commitfa809fd07390a2983695bd63270d05690fa854b9 (patch)
treec7cb2ec991e3b29e205a723466b68cac3c4a0b4b /meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
parent0a010ac1b46651aaaf57008fb9e6db656822b2e4 (diff)
grub2: upgrade 2.06 -> 2.12
Drop patches that have been upstreamed. Refresh others. This version dropped extra_deps.lst from the tarball [1] and that leads to build failures. Restore it in do_configure for now. [1] https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b835601c7639ed1890f2d3db91900a8506011a8e (From OE-Core rev: 7c8e1e48075f7f54aec9d295605c982f440be5d5) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch')
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch63
1 files changed, 0 insertions, 63 deletions
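diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
deleted file mode 100644
index 8bf9090f94..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens <dja@axtens.net>
-Date: Mon, 20 Dec 2021 19:41:21 +1100
-Subject: [PATCH] net/ip: Do IP fragment maths safely
-
-We can receive packets with invalid IP fragmentation information. This
-can lead to rsm->total_len underflowing and becoming very large.
-
-Then, in grub_netbuff_alloc(), we add to this very large number, which can
-cause it to overflow and wrap back around to a small positive number.
-The allocation then succeeds, but the resulting buffer is too small and
-subsequent operations can write past the end of the buffer.
-
-Catch the underflow here.
-
-Fixes: CVE-2022-28733
-
-Signed-off-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport
-CVE: CVE-2022-28733
-
-Reference to upstream patch:
-https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287
-
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
-
----
- grub-core/net/ip.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
-index e3d62e97f..3c3d0be0e 100644
---- a/grub-core/net/ip.c
-+++ b/grub-core/net/ip.c
-@@ -25,6 +25,7 @@
- #include <grub/net/netbuff.h>
- #include <grub/mm.h>
- #include <grub/priority_queue.h>
-+#include <grub/safemath.h>
- #include <grub/time.h>
-
- struct iphdr {
-@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
- {
- rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
- + (nb->tail - nb->data));
-- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
-+
-+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
-+ &rsm->total_len))
-+ {
-+ grub_dprintf ("net", "IP reassembly size underflow\n");
-+ return GRUB_ERR_NONE;
-+ }
-+
- rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
- if (!rsm->asm_netbuff)
- {
---
-2.34.1
-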