grub2: fix CVE-2020-10713

(From OE-Core rev: ec6a2258ca27d5709df4fe18d94841332395bcb2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-10-19 20:42:14 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-10-20 11:11:46 +0100
commit: bd56c17ba5ec344463875e2712a42fc067969ec0 (patch)
tree: b340222f0740e6d7a4bdffdeb2e634d240d670e5 /meta/recipes-bsp/grub/files
parent: 92e46629b06ff7ef8b4bca38343ca9a2f5dca7ee (diff)
download: poky-bd56c17ba5ec344463875e2712a42fc067969ec0.tar.gz
1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
new file mode 100644
index 0000000000..c507ed3ea8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
@@ -0,0 +1,73 @@
+From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 15 Apr 2020 15:45:02 -0400
+Subject: yylex: Make lexer fatal errors actually be fatal
+When presented with a command that can't be tokenized to anything
+smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
+expecting that will stop further processing, as such:
+  #define YY_DO_BEFORE_ACTION \
+        yyg->yytext_ptr = yy_bp; \
+        yyleng = (int) (yy_cp - yy_bp); \
+        yyg->yy_hold_char = *yy_cp; \
+        *yy_cp = '\0'; \
+        if ( yyleng >= YYLMAX ) \
+                YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
+        yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
+        yyg->yy_c_buf_p = yy_cp;
+The code flex generates expects that YY_FATAL_ERROR() will either return
+for it or do some form of longjmp(), or handle the error in some way at
+least, and so the strncpy() call isn't in an "else" clause, and thus if
+YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
+questionable limit, and predictable results ensue.
+Unfortunately, our implementation of YY_FATAL_ERROR() is:
+   #define YY_FATAL_ERROR(msg)                     \
+     do {                                          \
+       grub_printf (_("fatal error: %s\n"), _(msg));     \
+     } while (0)
+The same pattern exists in yyless(), and similar problems exist in users
+of YY_INPUT(), several places in the main parsing loop,
+yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
+yy_scan_buffer(), etc.
+All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
+the things they do if it returns after calling it are wildly unsafe.
+Fixes: CVE-2020-10713
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
+CVE: CVE-2020-10713
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ grub-core/script/yylex.l | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
+index 7b44c37b7..b7203c823 100644
+--- a/grub-core/script/yylex.l
+++ b/grub-core/script/yylex.l
+@@ -37,11 +37,11 @@
+ 
+ /* 
+  * As we don't have access to yyscanner, we cannot do much except to
+- * print the fatal error.
+ * print the fatal error and exit.
+  */
+ #define YY_FATAL_ERROR(msg)                     \
+   do {                                          \
+-    grub_printf (_("fatal error: %s\n"), _(msg));     \
+    grub_fatal (_("fatal error: %s\n"), _(msg));\
+   } while (0)
+ 
+ #define COPY(str, hint)                         \
+-- 
+cgit v1.2.1
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-10-19 20:42:14 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-10-20 11:11:46 +0100
commit	bd56c17ba5ec344463875e2712a42fc067969ec0 (patch)
tree	b340222f0740e6d7a4bdffdeb2e634d240d670e5 /meta/recipes-bsp/grub/files
parent	92e46629b06ff7ef8b4bca38343ca9a2f5dca7ee (diff)
download	poky-bd56c17ba5ec344463875e2712a42fc067969ec0.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch new file mode 100644 index 0000000000..c507ed3ea8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
@@ -0,0 +1,73 @@
	1	From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
	2	From: Peter Jones <pjones@redhat.com>
	3	Date: Wed, 15 Apr 2020 15:45:02 -0400
	4	Subject: yylex: Make lexer fatal errors actually be fatal
	5
	6	When presented with a command that can't be tokenized to anything
	7	smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
	8	expecting that will stop further processing, as such:
	9
	10	#define YY_DO_BEFORE_ACTION \
	11	yyg->yytext_ptr = yy_bp; \
	12	yyleng = (int) (yy_cp - yy_bp); \
	13	yyg->yy_hold_char = *yy_cp; \
	14	*yy_cp = '\0'; \
	15	if ( yyleng >= YYLMAX ) \
	16	YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
	17	yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
	18	yyg->yy_c_buf_p = yy_cp;
	19
	20	The code flex generates expects that YY_FATAL_ERROR() will either return
	21	for it or do some form of longjmp(), or handle the error in some way at
	22	least, and so the strncpy() call isn't in an "else" clause, and thus if
	23	YY_FATAL_ERROR() is not actually fatal, it does the call with the
	24	questionable limit, and predictable results ensue.
	25
	26	Unfortunately, our implementation of YY_FATAL_ERROR() is:
	27
	28	#define YY_FATAL_ERROR(msg) \
	29	do { \
	30	grub_printf (_("fatal error: %s\n"), _(msg)); \
	31	} while (0)
	32
	33	The same pattern exists in yyless(), and similar problems exist in users
	34	of YY_INPUT(), several places in the main parsing loop,
	35	yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
	36	yy_scan_buffer(), etc.
	37
	38	All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
	39	the things they do if it returns after calling it are wildly unsafe.
	40
	41	Fixes: CVE-2020-10713
	42
	43	Signed-off-by: Peter Jones <pjones@redhat.com>
	44	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	45
	46	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
	47	CVE: CVE-2020-10713
	48	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	49	---
	50	grub-core/script/yylex.l \| 4 ++--
	51	1 file changed, 2 insertions(+), 2 deletions(-)
	52
	53	diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
	54	index 7b44c37b7..b7203c823 100644
	55	--- a/grub-core/script/yylex.l
	56	+++ b/grub-core/script/yylex.l
	57	@@ -37,11 +37,11 @@
	58
	59	/*
	60	* As we don't have access to yyscanner, we cannot do much except to
	61	- * print the fatal error.
	62	+ * print the fatal error and exit.
	63	*/
	64	#define YY_FATAL_ERROR(msg) \
	65	do { \
	66	- grub_printf (_("fatal error: %s\n"), _(msg)); \
	67	+ grub_fatal (_("fatal error: %s\n"), _(msg));\
	68	} while (0)
	69
	70	#define COPY(str, hint) \
	71	--
	72	cgit v1.2.1
	73