summaryrefslogtreecommitdiffstats
path: root/meta/recipes-bsp/grub
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-10-19 20:42:14 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-10-20 11:11:46 +0100
commitbd56c17ba5ec344463875e2712a42fc067969ec0 (patch)
treeb340222f0740e6d7a4bdffdeb2e634d240d670e5 /meta/recipes-bsp/grub
parent92e46629b06ff7ef8b4bca38343ca9a2f5dca7ee (diff)
downloadpoky-bd56c17ba5ec344463875e2712a42fc067969ec0.tar.gz
grub2: fix CVE-2020-10713
(From OE-Core rev: ec6a2258ca27d5709df4fe18d94841332395bcb2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp/grub')
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-10713.patch73
-rw-r--r--meta/recipes-bsp/grub/grub2.inc1
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
new file mode 100644
index 0000000000..c507ed3ea8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
@@ -0,0 +1,73 @@
1From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Wed, 15 Apr 2020 15:45:02 -0400
4Subject: yylex: Make lexer fatal errors actually be fatal
5
6When presented with a command that can't be tokenized to anything
7smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
8expecting that will stop further processing, as such:
9
10 #define YY_DO_BEFORE_ACTION \
11 yyg->yytext_ptr = yy_bp; \
12 yyleng = (int) (yy_cp - yy_bp); \
13 yyg->yy_hold_char = *yy_cp; \
14 *yy_cp = '\0'; \
15 if ( yyleng >= YYLMAX ) \
16 YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
17 yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
18 yyg->yy_c_buf_p = yy_cp;
19
20The code flex generates expects that YY_FATAL_ERROR() will either return
21for it or do some form of longjmp(), or handle the error in some way at
22least, and so the strncpy() call isn't in an "else" clause, and thus if
23YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
24questionable limit, and predictable results ensue.
25
26Unfortunately, our implementation of YY_FATAL_ERROR() is:
27
28 #define YY_FATAL_ERROR(msg) \
29 do { \
30 grub_printf (_("fatal error: %s\n"), _(msg)); \
31 } while (0)
32
33The same pattern exists in yyless(), and similar problems exist in users
34of YY_INPUT(), several places in the main parsing loop,
35yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
36yy_scan_buffer(), etc.
37
38All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
39the things they do if it returns after calling it are wildly unsafe.
40
41Fixes: CVE-2020-10713
42
43Signed-off-by: Peter Jones <pjones@redhat.com>
44Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
45
46Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
47CVE: CVE-2020-10713
48Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
49---
50 grub-core/script/yylex.l | 4 ++--
51 1 file changed, 2 insertions(+), 2 deletions(-)
52
53diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
54index 7b44c37b7..b7203c823 100644
55--- a/grub-core/script/yylex.l
56+++ b/grub-core/script/yylex.l
57@@ -37,11 +37,11 @@
58
59 /*
60 * As we don't have access to yyscanner, we cannot do much except to
61- * print the fatal error.
62+ * print the fatal error and exit.
63 */
64 #define YY_FATAL_ERROR(msg) \
65 do { \
66- grub_printf (_("fatal error: %s\n"), _(msg)); \
67+ grub_fatal (_("fatal error: %s\n"), _(msg));\
68 } while (0)
69
70 #define COPY(str, hint) \
71--
72cgit v1.2.1
73
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 628ca64926..345554e7af 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
18 file://autogen.sh-exclude-pc.patch \ 18 file://autogen.sh-exclude-pc.patch \
19 file://grub-module-explicitly-keeps-symbole-.module_license.patch \ 19 file://grub-module-explicitly-keeps-symbole-.module_license.patch \
20 file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ 20 file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
21 file://CVE-2020-10713.patch \
21" 22"
22SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" 23SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
23SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" 24SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"