grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775

Backport patch from upstream to solve CVE-2022-2601 CVE-2022-3775 dependency: font: Fix size overflow in grub_font_get_glyph_internal() (https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532) Backport patch from upstream to fix following CVEs: CVE-2022-2601: font: Fix several integer overflows in grub_font_construct_glyph() (https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e) CVE-2022-3775: font: Fix an integer underflow in blit_comb() (https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af) (From OE-Core rev: 0fc6693ab4f2f4b231b80c9675acea4e54b973f0) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Xiangyu Chen <xiangyu.chen@eng.windriver.com> 2022-11-27 22:29:08 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-07 15:02:45 +0000
commit: 69908c22b37afdf0209f31482231b0bb2c00d7ca (patch)
tree: abb82edddf4f87afbd47f1aebf22a7112bdc4980 /meta/recipes-bsp
parent: 2b2b8af7c03a903b2721cbc80487f9d09a54b7b2 (diff)
download: poky-69908c22b37afdf0209f31482231b0bb2c00d7ca.tar.gz
4 files changed, 298 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..efa00a3c6c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,115 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ grub-core/font/font.c   | 17 +++++++++++++----
+ include/grub/bitmap.h   | 18 ++++++++++++++++++
+ include/grub/safemath.h |  2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index d09bb38..876b5b6 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+       grub_int16_t xoff;
+       grub_int16_t yoff;
+       grub_int16_t dwidth;
+-      int len;
+      grub_ssize_t len;
+      grub_size_t sz;
+ 
+       if (index_entry->glyph)
+        /* Return cached glyph.  */
+@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+          return 0;
+        }
+ 
+-      len = (width * height + 7) / 8;
+-      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+-      if (!glyph)
+      /* Calculate real struct size of current glyph. */
+      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
+         grub_add (sizeof (struct grub_font_glyph), len, &sz))
+       {
+         remove_font (font);
+         return 0;
+       }
+
+      /* Allocate and initialize the glyph struct. */
+      glyph = grub_malloc (sz);
+      if (glyph == NULL)
+        {
+          remove_font (font);
+          return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
+++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
+#include <grub/safemath.h>
+ 
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+   return bitmap->mode_info.height;
+ }
+ 
+/*
+ * Calculate and store the size of data buffer of 1bit bitmap in result.
+ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
+ * Return true when overflow occurs or false if there is no overflow.
+ * This function is intentionally implemented as a macro instead of
+ * an inline function. Although a bit awkward, it preserves data types for
+ * safemath macros and reduces macro side effects as much as possible.
+ *
+ * XXX: Will report false overflow if width * height > UINT64_MAX.
+ */
+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
+({ \
+  grub_uint64_t _bitmap_pixels; \
+  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
+    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
+})
+
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+                                                    struct grub_video_mode_info *mode_info);
+ 
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
+++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res)    __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res)    __builtin_mul_overflow(a, b, res)
+ 
+#define grub_cast(a, res)      grub_add ((a), 0, (res))
+
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
new file mode 100644
index 0000000000..727c509694
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,85 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+Fixes: CVE-2022-2601
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 876b5b6..0ff5525 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   struct grub_video_signed_rect bounds;
+   static struct grub_font_glyph *glyph = 0;
+   static grub_size_t max_glyph_size = 0;
+  grub_size_t cur_glyph_size;
+ 
+   ensure_comb_space (glyph_id);
+ 
+@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   if (!glyph_id->ncomb && !glyph_id->attributes)
+     return main_glyph;
+ 
+-  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
+  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
+      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
+    return main_glyph;
+
+  if (max_glyph_size < cur_glyph_size)
+     {
+       grub_free (glyph);
+-      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+-      if (max_glyph_size < 8)
+-       max_glyph_size = 8;
+-      glyph = grub_malloc (max_glyph_size);
+      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
+       max_glyph_size = 0;
+      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+     }
+   if (!glyph)
+     {
+      max_glyph_size = 0;
+       grub_errno = GRUB_ERR_NONE;
+       return main_glyph;
+     }
+ 
+-  grub_memset (glyph, 0, sizeof (*glyph)
+-              + (bounds.width * bounds.height
+-                 + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
+  grub_memset (glyph, 0, cur_glyph_size);
+ 
+   glyph->font = main_glyph->font;
+-  glyph->width = bounds.width;
+-  glyph->height = bounds.height;
+-  glyph->offset_x = bounds.x;
+-  glyph->offset_y = bounds.y;
+  if (bounds.width == 0 || bounds.height == 0 ||
+      grub_cast (bounds.width, &glyph->width) ||
+      grub_cast (bounds.height, &glyph->height) ||
+      grub_cast (bounds.x, &glyph->offset_x) ||
+      grub_cast (bounds.y, &glyph->offset_y))
+    return main_glyph;
+ 
+   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+     grub_font_blit_glyph_mirror (glyph, main_glyph,
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
new file mode 100644
index 0000000000..853efd0486
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,95 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+Fixes: CVE-2022-3775
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 0ff5525..7b1cbde 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -1206,12 +1206,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+   ctx.bounds.height = main_glyph->height;
+ 
+   above_rightx = main_glyph->offset_x + main_glyph->width;
+-  above_righty = ctx.bounds.y + ctx.bounds.height;
+  above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+   above_leftx = main_glyph->offset_x;
+-  above_lefty = ctx.bounds.y + ctx.bounds.height;
+  above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+-  below_rightx = ctx.bounds.x + ctx.bounds.width;
+  below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+   below_righty = ctx.bounds.y;
+ 
+   comb = grub_unicode_get_comb (glyph_id);
+@@ -1224,7 +1224,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+       if (!combining_glyphs[i])
+        continue;
+-      targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+      targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+       /* CGJ is to avoid diacritics reordering. */
+       if (comb[i].code
+          == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1234,8 +1234,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+        case GRUB_UNICODE_COMB_OVERLAY:
+          do_blit (combining_glyphs[i],
+                   targetx,
+-                  (ctx.bounds.height - combining_glyphs[i]->height) / 2
+-                  - (ctx.bounds.height + ctx.bounds.y), &ctx);
+                  ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
+                  - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+          break;
+@@ -1308,7 +1308,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+          /* Fallthrough.  */
+        case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+          do_blit (combining_glyphs[i], targetx,
+-                  -(ctx.bounds.height + ctx.bounds.y + space
+                  -((int) ctx.bounds.height + ctx.bounds.y + space
+                     + combining_glyphs[i]->height), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+@@ -1316,7 +1316,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+        case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+          do_blit (combining_glyphs[i], targetx,
+-                  -(ctx.bounds.height / 2 + ctx.bounds.y
+                  -((int) ctx.bounds.height / 2 + ctx.bounds.y
+                     + combining_glyphs[i]->height / 2), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 47ea561002..270efd30ef 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -32,6 +32,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch \
           file://CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch \
           file://CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch \
+           file://0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
+           file://CVE-2022-2601.patch \
+           file://CVE-2022-3775.patch \
 "
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
author	Xiangyu Chen <xiangyu.chen@eng.windriver.com>	2022-11-27 22:29:08 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-07 15:02:45 +0000
commit	69908c22b37afdf0209f31482231b0bb2c00d7ca (patch)
tree	abb82edddf4f87afbd47f1aebf22a7112bdc4980 /meta/recipes-bsp
parent	2b2b8af7c03a903b2721cbc80487f9d09a54b7b2 (diff)
download	poky-69908c22b37afdf0209f31482231b0bb2c00d7ca.tar.gz

diff --git a/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch new file mode 100644 index 0000000000..efa00a3c6c --- /dev/null +++ b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,115 @@
		1	From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
		2	From: Zhang Boyang <zhangboyang.id@gmail.com>
		3	Date: Fri, 5 Aug 2022 00:51:20 +0800
		4	Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
		5
		6	The length of memory allocation and file read may overflow. This patch
		7	fixes the problem by using safemath macros.
		8
		9	There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
		10	if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
		11	It is safe replacement for such code. It has safemath-like prototype.
		12
		13	This patch also introduces grub_cast(value, pointer), it casts value to
		14	typeof(pointer) then store the value to pointer. It returns true when
		15	overflow occurs or false if there is no overflow. The semantics of arguments
		16	and return value are designed to be consistent with other safemath macros.
		17
		18	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
		19	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		20
		21	Upstream-Status: Backport from
		22	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
		23
		24	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		25
		26	---
		27	grub-core/font/font.c \| 17 +++++++++++++----
		28	include/grub/bitmap.h \| 18 ++++++++++++++++++
		29	include/grub/safemath.h \| 2 ++
		30	3 files changed, 33 insertions(+), 4 deletions(-)
		31
		32	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
		33	index d09bb38..876b5b6 100644
		34	--- a/grub-core/font/font.c
		35	+++ b/grub-core/font/font.c
		36	@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
		37	grub_int16_t xoff;
		38	grub_int16_t yoff;
		39	grub_int16_t dwidth;
		40	- int len;
		41	+ grub_ssize_t len;
		42	+ grub_size_t sz;
		43
		44	if (index_entry->glyph)
		45	/* Return cached glyph. */
		46	@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
		47	return 0;
		48	}
		49
		50	- len = (width * height + 7) / 8;
		51	- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
		52	- if (!glyph)
		53	+ /* Calculate real struct size of current glyph. */
		54	+ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) \|\|
		55	+ grub_add (sizeof (struct grub_font_glyph), len, &sz))
		56	+ {
		57	+ remove_font (font);
		58	+ return 0;
		59	+ }
		60	+
		61	+ /* Allocate and initialize the glyph struct. */
		62	+ glyph = grub_malloc (sz);
		63	+ if (glyph == NULL)
		64	{
		65	remove_font (font);
		66	return 0;
		67	diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
		68	index 5728f8c..0d9603f 100644
		69	--- a/include/grub/bitmap.h
		70	+++ b/include/grub/bitmap.h
		71	@@ -23,6 +23,7 @@
		72	#include <grub/symbol.h>
		73	#include <grub/types.h>
		74	#include <grub/video.h>
		75	+#include <grub/safemath.h>
		76
		77	struct grub_video_bitmap
		78	{
		79	@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
		80	return bitmap->mode_info.height;
		81	}
		82
		83	+/*
		84	+ * Calculate and store the size of data buffer of 1bit bitmap in result.
		85	+ * Equivalent to "result = (width height + 7) / 8" if no overflow occurs.
		86	+ * Return true when overflow occurs or false if there is no overflow.
		87	+ * This function is intentionally implemented as a macro instead of
		88	+ * an inline function. Although a bit awkward, it preserves data types for
		89	+ * safemath macros and reduces macro side effects as much as possible.
		90	+ *
		91	+ * XXX: Will report false overflow if width * height > UINT64_MAX.
		92	+ */
		93	+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
		94	+({ \
		95	+ grub_uint64_t _bitmap_pixels; \
		96	+ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
		97	+ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
		98	+})
		99	+
		100	void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
		101	struct grub_video_mode_info *mode_info);
		102
		103	diff --git a/include/grub/safemath.h b/include/grub/safemath.h
		104	index c17b89b..bb0f826 100644
		105	--- a/include/grub/safemath.h
		106	+++ b/include/grub/safemath.h
		107	@@ -30,6 +30,8 @@
		108	#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
		109	#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
		110
		111	+#define grub_cast(a, res) grub_add ((a), 0, (res))
		112	+
		113	#else
		114	#error gcc 5.1 or newer or clang 3.8 or newer is required
		115	#endif


diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch new file mode 100644 index 0000000000..727c509694 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,85 @@
		1	From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
		2	From: Zhang Boyang <zhangboyang.id@gmail.com>
		3	Date: Fri, 5 Aug 2022 01:58:27 +0800
		4	Subject: [PATCH] font: Fix several integer overflows in
		5	grub_font_construct_glyph()
		6
		7	This patch fixes several integer overflows in grub_font_construct_glyph().
		8	Glyphs of invalid size, zero or leading to an overflow, are rejected.
		9	The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
		10	returns NULL is fixed too.
		11
		12	Fixes: CVE-2022-2601
		13
		14	Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
		15	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
		16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		17
		18	Upstream-Status: Backport from
		19	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
		20	CVE: CVE-2022-2601
		21
		22	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		23
		24	---
		25	grub-core/font/font.c \| 29 +++++++++++++++++------------
		26	1 file changed, 17 insertions(+), 12 deletions(-)
		27
		28	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
		29	index 876b5b6..0ff5525 100644
		30	--- a/grub-core/font/font.c
		31	+++ b/grub-core/font/font.c
		32	@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
		33	struct grub_video_signed_rect bounds;
		34	static struct grub_font_glyph *glyph = 0;
		35	static grub_size_t max_glyph_size = 0;
		36	+ grub_size_t cur_glyph_size;
		37
		38	ensure_comb_space (glyph_id);
		39
		40	@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
		41	if (!glyph_id->ncomb && !glyph_id->attributes)
		42	return main_glyph;
		43
		44	- if (max_glyph_size < sizeof (glyph) + (bounds.width bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
		45	+ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) \|\|
		46	+ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
		47	+ return main_glyph;
		48	+
		49	+ if (max_glyph_size < cur_glyph_size)
		50	{
		51	grub_free (glyph);
		52	- max_glyph_size = (sizeof (glyph) + (bounds.width bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
		53	- if (max_glyph_size < 8)
		54	- max_glyph_size = 8;
		55	- glyph = grub_malloc (max_glyph_size);
		56	+ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
		57	+ max_glyph_size = 0;
		58	+ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
		59	}
		60	if (!glyph)
		61	{
		62	+ max_glyph_size = 0;
		63	grub_errno = GRUB_ERR_NONE;
		64	return main_glyph;
		65	}
		66
		67	- grub_memset (glyph, 0, sizeof (*glyph)
		68	- + (bounds.width * bounds.height
		69	- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
		70	+ grub_memset (glyph, 0, cur_glyph_size);
		71
		72	glyph->font = main_glyph->font;
		73	- glyph->width = bounds.width;
		74	- glyph->height = bounds.height;
		75	- glyph->offset_x = bounds.x;
		76	- glyph->offset_y = bounds.y;
		77	+ if (bounds.width == 0 \|\| bounds.height == 0 \|\|
		78	+ grub_cast (bounds.width, &glyph->width) \|\|
		79	+ grub_cast (bounds.height, &glyph->height) \|\|
		80	+ grub_cast (bounds.x, &glyph->offset_x) \|\|
		81	+ grub_cast (bounds.y, &glyph->offset_y))
		82	+ return main_glyph;
		83
		84	if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
		85	grub_font_blit_glyph_mirror (glyph, main_glyph,


diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch new file mode 100644 index 0000000000..853efd0486 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,95 @@
		1	From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
		2	From: Zhang Boyang <zhangboyang.id@gmail.com>
		3	Date: Mon, 24 Oct 2022 08:05:35 +0800
		4	Subject: [PATCH] font: Fix an integer underflow in blit_comb()
		5
		6	The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
		7	evaluate to a very big invalid value even if both ctx.bounds.height and
		8	combining_glyphs[i]->height are small integers. For example, if
		9	ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
		10	expression evaluates to 2147483647 (expected -1). This is because
		11	coordinates are allowed to be negative but ctx.bounds.height is an
		12	unsigned int. So, the subtraction operates on unsigned ints and
		13	underflows to a very big value. The division makes things even worse.
		14	The quotient is still an invalid value even if converted back to int.
		15
		16	This patch fixes the problem by casting ctx.bounds.height to int. As
		17	a result the subtraction will operate on int and grub_uint16_t which
		18	will be promoted to an int. So, the underflow will no longer happen. Other
		19	uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
		20	to ensure coordinates are always calculated on signed integers.
		21
		22	Fixes: CVE-2022-3775
		23
		24	Reported-by: Daniel Axtens <dja@axtens.net>
		25	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
		26	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		27
		28	Upstream-Status: Backport from
		29	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
		30	CVE: CVE-2022-3775
		31
		32	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		33
		34	---
		35	grub-core/font/font.c \| 16 ++++++++--------
		36	1 file changed, 8 insertions(+), 8 deletions(-)
		37
		38	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
		39	index 0ff5525..7b1cbde 100644
		40	--- a/grub-core/font/font.c
		41	+++ b/grub-core/font/font.c
		42	@@ -1206,12 +1206,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		43	ctx.bounds.height = main_glyph->height;
		44
		45	above_rightx = main_glyph->offset_x + main_glyph->width;
		46	- above_righty = ctx.bounds.y + ctx.bounds.height;
		47	+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
		48
		49	above_leftx = main_glyph->offset_x;
		50	- above_lefty = ctx.bounds.y + ctx.bounds.height;
		51	+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
		52
		53	- below_rightx = ctx.bounds.x + ctx.bounds.width;
		54	+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
		55	below_righty = ctx.bounds.y;
		56
		57	comb = grub_unicode_get_comb (glyph_id);
		58	@@ -1224,7 +1224,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		59
		60	if (!combining_glyphs[i])
		61	continue;
		62	- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
		63	+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
		64	/* CGJ is to avoid diacritics reordering. */
		65	if (comb[i].code
		66	== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
		67	@@ -1234,8 +1234,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		68	case GRUB_UNICODE_COMB_OVERLAY:
		69	do_blit (combining_glyphs[i],
		70	targetx,
		71	- (ctx.bounds.height - combining_glyphs[i]->height) / 2
		72	- - (ctx.bounds.height + ctx.bounds.y), &ctx);
		73	+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
		74	+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
		75	if (min_devwidth < combining_glyphs[i]->width)
		76	min_devwidth = combining_glyphs[i]->width;
		77	break;
		78	@@ -1308,7 +1308,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		79	/* Fallthrough. */
		80	case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
		81	do_blit (combining_glyphs[i], targetx,
		82	- -(ctx.bounds.height + ctx.bounds.y + space
		83	+ -((int) ctx.bounds.height + ctx.bounds.y + space
		84	+ combining_glyphs[i]->height), &ctx);
		85	if (min_devwidth < combining_glyphs[i]->width)
		86	min_devwidth = combining_glyphs[i]->width;
		87	@@ -1316,7 +1316,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		88
		89	case GRUB_UNICODE_COMB_HEBREW_DAGESH:
		90	do_blit (combining_glyphs[i], targetx,
		91	- -(ctx.bounds.height / 2 + ctx.bounds.y
		92	+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
		93	+ combining_glyphs[i]->height / 2), &ctx);
		94	if (min_devwidth < combining_glyphs[i]->width)
		95	min_devwidth = combining_glyphs[i]->width;


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 47ea561002..270efd30ef 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -32,6 +32,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
32	file://CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch \	32	file://CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch \
33	file://CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch \	33	file://CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch \
34	file://CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch \	34	file://CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch \
		35	file://0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
		36	file://CVE-2022-2601.patch \
		37	file://CVE-2022-3775.patch \
35	"	38	"
36		39
37	SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"	40	SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"