diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2024-01-23 16:47:34 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-01-24 15:46:19 +0000 |
commit | fa809fd07390a2983695bd63270d05690fa854b9 (patch) | |
tree | c7cb2ec991e3b29e205a723466b68cac3c4a0b4b /meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch | |
parent | 0a010ac1b46651aaaf57008fb9e6db656822b2e4 (diff) | |
download | poky-fa809fd07390a2983695bd63270d05690fa854b9.tar.gz |
grub2: upgrade 2.06 -> 2.12
Drop patches that have been upstreamed. Refresh others.
This version dropped extra_deps.lst from the tarball [1] and that leads
to build failures. Restore it in do_configure for now.
[1] https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b835601c7639ed1890f2d3db91900a8506011a8e
(From OE-Core rev: 7c8e1e48075f7f54aec9d295605c982f440be5d5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch deleted file mode 100644 index 8bf9090f94..0000000000 --- a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Axtens <dja@axtens.net> | ||
3 | Date: Mon, 20 Dec 2021 19:41:21 +1100 | ||
4 | Subject: [PATCH] net/ip: Do IP fragment maths safely | ||
5 | |||
6 | We can receive packets with invalid IP fragmentation information. This | ||
7 | can lead to rsm->total_len underflowing and becoming very large. | ||
8 | |||
9 | Then, in grub_netbuff_alloc(), we add to this very large number, which can | ||
10 | cause it to overflow and wrap back around to a small positive number. | ||
11 | The allocation then succeeds, but the resulting buffer is too small and | ||
12 | subsequent operations can write past the end of the buffer. | ||
13 | |||
14 | Catch the underflow here. | ||
15 | |||
16 | Fixes: CVE-2022-28733 | ||
17 | |||
18 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
19 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
20 | |||
21 | Upstream-Status: Backport | ||
22 | CVE: CVE-2022-28733 | ||
23 | |||
24 | Reference to upstream patch: | ||
25 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287 | ||
26 | |||
27 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
28 | |||
29 | --- | ||
30 | grub-core/net/ip.c | 10 +++++++++- | ||
31 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
32 | |||
33 | diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c | ||
34 | index e3d62e97f..3c3d0be0e 100644 | ||
35 | --- a/grub-core/net/ip.c | ||
36 | +++ b/grub-core/net/ip.c | ||
37 | @@ -25,6 +25,7 @@ | ||
38 | #include <grub/net/netbuff.h> | ||
39 | #include <grub/mm.h> | ||
40 | #include <grub/priority_queue.h> | ||
41 | +#include <grub/safemath.h> | ||
42 | #include <grub/time.h> | ||
43 | |||
44 | struct iphdr { | ||
45 | @@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, | ||
46 | { | ||
47 | rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) | ||
48 | + (nb->tail - nb->data)); | ||
49 | - rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); | ||
50 | + | ||
51 | + if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), | ||
52 | + &rsm->total_len)) | ||
53 | + { | ||
54 | + grub_dprintf ("net", "IP reassembly size underflow\n"); | ||
55 | + return GRUB_ERR_NONE; | ||
56 | + } | ||
57 | + | ||
58 | rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); | ||
59 | if (!rsm->asm_netbuff) | ||
60 | { | ||
61 | -- | ||
62 | 2.34.1 | ||
63 | |||