grub: fix an integer overflow

This patch adds a fix for a potential integer overflow in grub's video/fb/fbfill. It is a part of a security series [1]. [1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html (From OE-Core rev: fbf3260bd196a5d252ad5ccf2a5fe719d3bd9c7f) Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Marta Rybczynska <rybczynska@gmail.com> 2022-02-18 11:05:40 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-02 00:21:37 +0000
commit: 7e7b8e38dc03f6abae7e0496c42441dce3049c40 (patch)
tree: 38d6f090fdba4919160cc6635ef0a9023c9dfa86 /meta/recipes-bsp
parent: b5eaa833ba00a13c4f7dd3d2c057c4976bfae22e (diff)
download: poky-7e7b8e38dc03f6abae7e0496c42441dce3049c40.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..8165ea3f71
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,78 @@
+From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 15:10:51 +0000
+Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
+The multiplication of 2 unsigned 32-bit integers may overflow before
+promotion to unsigned 64-bit. We should ensure that the multiplication
+is done with overflow detection. Additionally, use grub_sub() for
+subtraction.
+Fixes: CID 73640, CID 73697, CID 73702, CID 73823
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/fbfill.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
+index 11816d0..a37acd1 100644
+--- a/grub-core/video/fb/fbfill.c
+++ b/grub-core/video/fb/fbfill.c
+@@ -31,6 +31,7 @@
+ #include <grub/fbfill.h>
+ #include <grub/fbutil.h>
+ #include <grub/types.h>
+#include <grub/safemath.h>
+ #include <grub/video.h>
+ 
+ /* Generic filler that works for every supported mode.  */
+@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
+ 
+   /* Calculate the number of bytes to advance from the end of one line
+      to the beginning of the next line.  */
+-  rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
+ 
+   /* Get the start address.  */
+   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
+ #endif
+   /* Calculate the number of bytes to advance from the end of one line
+      to the beginning of the next line.  */
+-  rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
+ 
+   /* Get the start address.  */
+   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
+ 
+   /* Calculate the number of bytes to advance from the end of one line
+      to the beginning of the next line.  */
+-  rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
+ 
+   /* Get the start address.  */
+   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
+ 
+   /* Calculate the number of bytes to advance from the end of one line
+      to the beginning of the next line.  */
+-  rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
+ 
+   /* Get the start address.  */
+   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 24a269d90d..710ab5e361 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -78,6 +78,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
           file://0030-commands-hashsum-Fix-a-memory-leak.patch \
           file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
+           file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
           "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
author	Marta Rybczynska <rybczynska@gmail.com>	2022-02-18 11:05:40 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-02 00:21:37 +0000
commit	7e7b8e38dc03f6abae7e0496c42441dce3049c40 (patch)
tree	38d6f090fdba4919160cc6635ef0a9023c9dfa86 /meta/recipes-bsp
parent	b5eaa833ba00a13c4f7dd3d2c057c4976bfae22e (diff)
download	poky-7e7b8e38dc03f6abae7e0496c42441dce3049c40.tar.gz

diff --git a/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch new file mode 100644 index 0000000000..8165ea3f71 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,78 @@
		1	From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
		2	From: Darren Kenny <darren.kenny@oracle.com>
		3	Date: Wed, 4 Nov 2020 15:10:51 +0000
		4	Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
		5
		6	The multiplication of 2 unsigned 32-bit integers may overflow before
		7	promotion to unsigned 64-bit. We should ensure that the multiplication
		8	is done with overflow detection. Additionally, use grub_sub() for
		9	subtraction.
		10
		11	Fixes: CID 73640, CID 73697, CID 73702, CID 73823
		12
		13	Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
		14	Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
		15	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		16
		17	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
		18	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
		19	---
		20	grub-core/video/fb/fbfill.c \| 17 +++++++++++++----
		21	1 file changed, 13 insertions(+), 4 deletions(-)
		22
		23	diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
		24	index 11816d0..a37acd1 100644
		25	--- a/grub-core/video/fb/fbfill.c
		26	+++ b/grub-core/video/fb/fbfill.c
		27	@@ -31,6 +31,7 @@
		28	#include <grub/fbfill.h>
		29	#include <grub/fbutil.h>
		30	#include <grub/types.h>
		31	+#include <grub/safemath.h>
		32	#include <grub/video.h>
		33
		34	/* Generic filler that works for every supported mode. */
		35	@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
		36
		37	/* Calculate the number of bytes to advance from the end of one line
		38	to the beginning of the next line. */
		39	- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
		40	+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) \|\|
		41	+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
		42	+ return;
		43
		44	/* Get the start address. */
		45	dstptr = grub_video_fb_get_video_ptr (dst, x, y);
		46	@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
		47	#endif
		48	/* Calculate the number of bytes to advance from the end of one line
		49	to the beginning of the next line. */
		50	- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
		51	+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) \|\|
		52	+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
		53	+ return;
		54
		55	/* Get the start address. */
		56	dstptr = grub_video_fb_get_video_ptr (dst, x, y);
		57	@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
		58
		59	/* Calculate the number of bytes to advance from the end of one line
		60	to the beginning of the next line. */
		61	- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
		62	+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) \|\|
		63	+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
		64	+ return;
		65
		66	/* Get the start address. */
		67	dstptr = grub_video_fb_get_video_ptr (dst, x, y);
		68	@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
		69
		70	/* Calculate the number of bytes to advance from the end of one line
		71	to the beginning of the next line. */
		72	- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
		73	+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) \|\|
		74	+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
		75	+ return;
		76
		77	/* Get the start address. */
		78	dstptr = grub_video_fb_get_video_ptr (dst, x, y);


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 24a269d90d..710ab5e361 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -78,6 +78,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
78	file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \	78	file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
79	file://0030-commands-hashsum-Fix-a-memory-leak.patch \	79	file://0030-commands-hashsum-Fix-a-memory-leak.patch \
80	file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \	80	file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
		81	file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
81	"	82	"
82	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"	83	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
83	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"	84	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"