diff options
| author | Peter Marko <peter.marko@siemens.com> | 2025-03-11 19:14:24 +0100 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-03-15 06:44:47 -0700 |
| commit | d5bb46337dd362ba82df3677b2f5db1791a6685b (patch) | |
| tree | 2d985794916a8926e2a3166130d3d141acf34a66 /meta/recipes-bsp/grub/files | |
| parent | 373e83b89cb21fc6c875bd9133f2b392a743c48d (diff) | |
| download | poky-d5bb46337dd362ba82df3677b2f5db1791a6685b.tar.gz | |
grub: patch CVE-2025-0678 and CVE-2025-1125
Cherry-pick patch mentioning these CVEs.
(From OE-Core rev: d0283e421e41b6775f40a51de6018c2c5cfda61f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-bsp/grub/files')
| -rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch new file mode 100644 index 0000000000..14e67cf35b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch | |||
| @@ -0,0 +1,87 @@ | |||
| 1 | From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lidong Chen <lidong.chen@oracle.com> | ||
| 3 | Date: Tue, 21 Jan 2025 19:02:37 +0000 | ||
| 4 | Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays | ||
| 5 | |||
| 6 | Use grub_calloc() when allocating memory for arrays to ensure proper | ||
| 7 | overflow checks are in place. | ||
| 8 | |||
| 9 | The HFS+ and squash4 security vulnerabilities were reported by | ||
| 10 | Jonathan Bar Or <jonathanbaror@gmail.com>. | ||
| 11 | |||
| 12 | Fixes: CVE-2025-0678 | ||
| 13 | Fixes: CVE-2025-1125 | ||
| 14 | |||
| 15 | Signed-off-by: Lidong Chen <lidong.chen@oracle.com> | ||
| 16 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 17 | |||
| 18 | CVE: CVE-2025-0678 | ||
| 19 | CVE: CVE-2025-1125 | ||
| 20 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e] | ||
| 21 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 22 | --- | ||
| 23 | grub-core/fs/btrfs.c | 4 ++-- | ||
| 24 | grub-core/fs/hfspluscomp.c | 9 +++++++-- | ||
| 25 | grub-core/fs/squash4.c | 8 ++++---- | ||
| 26 | 3 files changed, 13 insertions(+), 8 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c | ||
| 29 | index 0625b1166..9c1e925c9 100644 | ||
| 30 | --- a/grub-core/fs/btrfs.c | ||
| 31 | +++ b/grub-core/fs/btrfs.c | ||
| 32 | @@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev) | ||
| 33 | } | ||
| 34 | |||
| 35 | data->n_devices_allocated = 16; | ||
| 36 | - data->devices_attached = grub_malloc (sizeof (data->devices_attached[0]) | ||
| 37 | - * data->n_devices_allocated); | ||
| 38 | + data->devices_attached = grub_calloc (data->n_devices_allocated, | ||
| 39 | + sizeof (data->devices_attached[0])); | ||
| 40 | if (!data->devices_attached) | ||
| 41 | { | ||
| 42 | grub_free (data); | ||
| 43 | diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c | ||
| 44 | index 48ae438d8..a80954ee6 100644 | ||
| 45 | --- a/grub-core/fs/hfspluscomp.c | ||
| 46 | +++ b/grub-core/fs/hfspluscomp.c | ||
| 47 | @@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node) | ||
| 48 | return 0; | ||
| 49 | } | ||
| 50 | node->compress_index_size = grub_le_to_cpu32 (index_size); | ||
| 51 | - node->compress_index = grub_malloc (node->compress_index_size | ||
| 52 | - * sizeof (node->compress_index[0])); | ||
| 53 | + node->compress_index = grub_calloc (node->compress_index_size, | ||
| 54 | + sizeof (node->compress_index[0])); | ||
| 55 | if (!node->compress_index) | ||
| 56 | { | ||
| 57 | node->compressed = 0; | ||
| 58 | grub_free (attr_node); | ||
| 59 | return grub_errno; | ||
| 60 | } | ||
| 61 | + | ||
| 62 | + /* | ||
| 63 | + * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here | ||
| 64 | + * due to relevant checks done in grub_calloc() above. | ||
| 65 | + */ | ||
| 66 | if (grub_hfsplus_read_file (node, 0, 0, | ||
| 67 | 0x104 + sizeof (index_size), | ||
| 68 | node->compress_index_size | ||
| 69 | diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c | ||
| 70 | index f91ff3bfa..cf2bca822 100644 | ||
| 71 | --- a/grub-core/fs/squash4.c | ||
| 72 | +++ b/grub-core/fs/squash4.c | ||
| 73 | @@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data, | ||
| 74 | break; | ||
| 75 | } | ||
| 76 | total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz); | ||
| 77 | - ino->block_sizes = grub_malloc (total_blocks | ||
| 78 | - * sizeof (ino->block_sizes[0])); | ||
| 79 | - ino->cumulated_block_sizes = grub_malloc (total_blocks | ||
| 80 | - * sizeof (ino->cumulated_block_sizes[0])); | ||
| 81 | + ino->block_sizes = grub_calloc (total_blocks, | ||
| 82 | + sizeof (ino->block_sizes[0])); | ||
| 83 | + ino->cumulated_block_sizes = grub_calloc (total_blocks, | ||
| 84 | + sizeof (ino->cumulated_block_sizes[0])); | ||
| 85 | if (!ino->block_sizes || !ino->cumulated_block_sizes) | ||
| 86 | { | ||
| 87 | grub_free (ino->block_sizes); | ||