diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-10-19 20:42:14 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-10-20 11:11:46 +0100 |
commit | bd56c17ba5ec344463875e2712a42fc067969ec0 (patch) | |
tree | b340222f0740e6d7a4bdffdeb2e634d240d670e5 /meta/recipes-bsp/grub | |
parent | 92e46629b06ff7ef8b4bca38343ca9a2f5dca7ee (diff) | |
download | poky-bd56c17ba5ec344463875e2712a42fc067969ec0.tar.gz |
grub2: fix CVE-2020-10713
(From OE-Core rev: ec6a2258ca27d5709df4fe18d94841332395bcb2)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp/grub')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-10713.patch | 73 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch new file mode 100644 index 0000000000..c507ed3ea8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Jones <pjones@redhat.com> | ||
3 | Date: Wed, 15 Apr 2020 15:45:02 -0400 | ||
4 | Subject: yylex: Make lexer fatal errors actually be fatal | ||
5 | |||
6 | When presented with a command that can't be tokenized to anything | ||
7 | smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), | ||
8 | expecting that will stop further processing, as such: | ||
9 | |||
10 | #define YY_DO_BEFORE_ACTION \ | ||
11 | yyg->yytext_ptr = yy_bp; \ | ||
12 | yyleng = (int) (yy_cp - yy_bp); \ | ||
13 | yyg->yy_hold_char = *yy_cp; \ | ||
14 | *yy_cp = '\0'; \ | ||
15 | if ( yyleng >= YYLMAX ) \ | ||
16 | YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ | ||
17 | yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ | ||
18 | yyg->yy_c_buf_p = yy_cp; | ||
19 | |||
20 | The code flex generates expects that YY_FATAL_ERROR() will either return | ||
21 | for it or do some form of longjmp(), or handle the error in some way at | ||
22 | least, and so the strncpy() call isn't in an "else" clause, and thus if | ||
23 | YY_FATAL_ERROR() is *not* actually fatal, it does the call with the | ||
24 | questionable limit, and predictable results ensue. | ||
25 | |||
26 | Unfortunately, our implementation of YY_FATAL_ERROR() is: | ||
27 | |||
28 | #define YY_FATAL_ERROR(msg) \ | ||
29 | do { \ | ||
30 | grub_printf (_("fatal error: %s\n"), _(msg)); \ | ||
31 | } while (0) | ||
32 | |||
33 | The same pattern exists in yyless(), and similar problems exist in users | ||
34 | of YY_INPUT(), several places in the main parsing loop, | ||
35 | yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, | ||
36 | yy_scan_buffer(), etc. | ||
37 | |||
38 | All of these callers expect YY_FATAL_ERROR() to actually be fatal, and | ||
39 | the things they do if it returns after calling it are wildly unsafe. | ||
40 | |||
41 | Fixes: CVE-2020-10713 | ||
42 | |||
43 | Signed-off-by: Peter Jones <pjones@redhat.com> | ||
44 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
45 | |||
46 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e] | ||
47 | CVE: CVE-2020-10713 | ||
48 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
49 | --- | ||
50 | grub-core/script/yylex.l | 4 ++-- | ||
51 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
52 | |||
53 | diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l | ||
54 | index 7b44c37b7..b7203c823 100644 | ||
55 | --- a/grub-core/script/yylex.l | ||
56 | +++ b/grub-core/script/yylex.l | ||
57 | @@ -37,11 +37,11 @@ | ||
58 | |||
59 | /* | ||
60 | * As we don't have access to yyscanner, we cannot do much except to | ||
61 | - * print the fatal error. | ||
62 | + * print the fatal error and exit. | ||
63 | */ | ||
64 | #define YY_FATAL_ERROR(msg) \ | ||
65 | do { \ | ||
66 | - grub_printf (_("fatal error: %s\n"), _(msg)); \ | ||
67 | + grub_fatal (_("fatal error: %s\n"), _(msg));\ | ||
68 | } while (0) | ||
69 | |||
70 | #define COPY(str, hint) \ | ||
71 | -- | ||
72 | cgit v1.2.1 | ||
73 | |||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 628ca64926..345554e7af 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
18 | file://autogen.sh-exclude-pc.patch \ | 18 | file://autogen.sh-exclude-pc.patch \ |
19 | file://grub-module-explicitly-keeps-symbole-.module_license.patch \ | 19 | file://grub-module-explicitly-keeps-symbole-.module_license.patch \ |
20 | file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ | 20 | file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ |
21 | file://CVE-2020-10713.patch \ | ||
21 | " | 22 | " |
22 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 23 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
23 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 24 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |