grub: fix CVE-2023-4692 & CVE-2023-4693

Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94 (From OE-Core rev: f461056d88db0eae5573a0c0ad23c408cff80bd8) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-11-28 10:29:52 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-12-01 04:14:19 -1000
commit: c64835823aa57e2adfd6937171333880476857f7 (patch)
tree: 9b6cdd9724a9b44d01b7b2eda529f62eb56c4dc6 /meta/recipes-bsp/grub/files/CVE-2023-4693.patch
parent: 716693ccccb82ad398ff7470c360d047baeaec07 (diff)
download: poky-c64835823aa57e2adfd6937171333880476857f7.tar.gz
1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..1e6b6efdec
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+ $DATA attribute
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+Fixes: CVE-2023-4693
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c8d3683..4d1fe42 100644
+--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+        return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
+
+      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
+
+      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
+         (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 
+-- 
+2.25.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-11-28 10:29:52 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-12-01 04:14:19 -1000
commit	c64835823aa57e2adfd6937171333880476857f7 (patch)
tree	9b6cdd9724a9b44d01b7b2eda529f62eb56c4dc6 /meta/recipes-bsp/grub/files/CVE-2023-4693.patch
parent	716693ccccb82ad398ff7470c360d047baeaec07 (diff)
download	poky-c64835823aa57e2adfd6937171333880476857f7.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch new file mode 100644 index 0000000000..1e6b6efdec --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
	1	From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
	2	From: Maxim Suhanov <dfirblog@gmail.com>
	3	Date: Mon, 28 Aug 2023 16:32:33 +0300
	4	Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
	5	$DATA attribute
	6
	7	When reading a file containing resident data, i.e., the file data is stored in
	8	the $DATA attribute within the NTFS file record, not in external clusters,
	9	there are no checks that this resident data actually fits the corresponding
	10	file record segment.
	11
	12	When parsing a specially-crafted file system image, the current NTFS code will
	13	read the file data from an arbitrary, attacker-chosen memory offset and of
	14	arbitrary, attacker-chosen length.
	15
	16	This allows an attacker to display arbitrary chunks of memory, which could
	17	contain sensitive information like password hashes or even plain-text,
	18	obfuscated passwords from BS EFI variables.
	19
	20	This fix implements a check to ensure that resident data is read from the
	21	corresponding file record segment only.
	22
	23	Fixes: CVE-2023-4693
	24
	25	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
	26	Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
	27	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	28
	29	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
	30	CVE: CVE-2023-4693
	31	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	32	---
	33	grub-core/fs/ntfs.c \| 13 ++++++++++++-
	34	1 file changed, 12 insertions(+), 1 deletion(-)
	35
	36	diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
	37	index c8d3683..4d1fe42 100644
	38	--- a/grub-core/fs/ntfs.c
	39	+++ b/grub-core/fs/ntfs.c
	40	@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr at, grub_uint8_t pa, grub_uint8_t *dest,
	41	{
	42	if (ofs + len > u32at (pa, 0x10))
	43	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
	44	- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
	45	+
	46	+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
	47	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
	48	+
	49	+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
	50	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
	51	+
	52	+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
	53	+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
	54	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
	55	+
	56	+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
	57	return 0;
	58	}
	59
	60	--
	61	2.25.1
	62