grub2: Fix CVE-2022-2601 & CVE-2022-3775

Backport patch from upstream to solve CVE-2022-2601 CVE-2022-3775 dependency: font: Fix size overflow in grub_font_get_glyph_internal() Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532 CVE-2022-2601: font: Fix several integer overflows in grub_font_construct_glyph() Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e CVE-2022-3775: font: Fix an integer underflow in blit_comb() Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af (From OE-Core rev: 6149febd53b32406dc4b07b1721b3dfbae70723e) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-01-05 11:55:25 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-13 18:11:19 +0000
commit: 95649c2878940535a355972d5e899282d54f733a (patch)
tree: 896abbae73a719c916566ff7c4001411be90beea /meta/recipes-bsp
parent: fcaac4852d849692c4500a32d75df3aba984859b (diff)
download: poky-95649c2878940535a355972d5e899282d54f733a.tar.gz
4 files changed, 304 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
new file mode 100644
index 0000000000..090f693be3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+Fixes: CVE-2022-2601
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index df17dba..f110db9 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   struct grub_video_signed_rect bounds;
+   static struct grub_font_glyph *glyph = 0;
+   static grub_size_t max_glyph_size = 0;
+  grub_size_t cur_glyph_size;
+ 
+   ensure_comb_space (glyph_id);
+ 
+@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   if (!glyph_id->ncomb && !glyph_id->attributes)
+     return main_glyph;
+ 
+-  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
+  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
+      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
+    return main_glyph;
+
+  if (max_glyph_size < cur_glyph_size)
+     {
+       grub_free (glyph);
+-      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+-      if (max_glyph_size < 8)
+-       max_glyph_size = 8;
+-      glyph = grub_malloc (max_glyph_size);
+      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
+       max_glyph_size = 0;
+      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+     }
+   if (!glyph)
+     {
+      max_glyph_size = 0;
+       grub_errno = GRUB_ERR_NONE;
+       return main_glyph;
+     }
+ 
+-  grub_memset (glyph, 0, sizeof (*glyph)
+-              + (bounds.width * bounds.height
+-                 + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
+  grub_memset (glyph, 0, cur_glyph_size);
+ 
+   glyph->font = main_glyph->font;
+-  glyph->width = bounds.width;
+-  glyph->height = bounds.height;
+-  glyph->offset_x = bounds.x;
+-  glyph->offset_y = bounds.y;
+  if (bounds.width == 0 || bounds.height == 0 ||
+      grub_cast (bounds.width, &glyph->width) ||
+      grub_cast (bounds.height, &glyph->height) ||
+      grub_cast (bounds.x, &glyph->offset_x) ||
+      grub_cast (bounds.y, &glyph->offset_y))
+    return main_glyph;
+ 
+   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+     grub_font_blit_glyph_mirror (glyph, main_glyph,
+-- 
+2.25.1
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
new file mode 100644
index 0000000000..e2e3f35584
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+Fixes: CVE-2022-3775
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index f110db9..3b76b22 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+   ctx.bounds.height = main_glyph->height;
+ 
+   above_rightx = main_glyph->offset_x + main_glyph->width;
+-  above_righty = ctx.bounds.y + ctx.bounds.height;
+  above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+   above_leftx = main_glyph->offset_x;
+-  above_lefty = ctx.bounds.y + ctx.bounds.height;
+  above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+-  below_rightx = ctx.bounds.x + ctx.bounds.width;
+  below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+   below_righty = ctx.bounds.y;
+ 
+   comb = grub_unicode_get_comb (glyph_id);
+@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+       if (!combining_glyphs[i])
+        continue;
+-      targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+      targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+       /* CGJ is to avoid diacritics reordering. */
+       if (comb[i].code
+          == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+        case GRUB_UNICODE_COMB_OVERLAY:
+          do_blit (combining_glyphs[i],
+                   targetx,
+-                  (ctx.bounds.height - combining_glyphs[i]->height) / 2
+-                  - (ctx.bounds.height + ctx.bounds.y), &ctx);
+                  ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
+                  - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+          break;
+@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+          /* Fallthrough.  */
+        case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+          do_blit (combining_glyphs[i], targetx,
+-                  -(ctx.bounds.height + ctx.bounds.y + space
+                  -((int) ctx.bounds.height + ctx.bounds.y + space
+                     + combining_glyphs[i]->height), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+        case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+          do_blit (combining_glyphs[i], targetx,
+-                  -(ctx.bounds.height / 2 + ctx.bounds.y
+                  -((int) ctx.bounds.height / 2 + ctx.bounds.y
+                     + combining_glyphs[i]->height / 2), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+-- 
+2.25.1
diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..d4ba3cafc5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c   | 17 +++++++++++++----
+ include/grub/bitmap.h   | 18 ++++++++++++++++++
+ include/grub/safemath.h |  2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477..df17dba 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+       grub_int16_t xoff;
+       grub_int16_t yoff;
+       grub_int16_t dwidth;
+-      int len;
+      grub_ssize_t len;
+      grub_size_t sz;
+ 
+       if (index_entry->glyph)
+        /* Return cached glyph.  */
+@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+          return 0;
+        }
+ 
+-      len = (width * height + 7) / 8;
+-      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+-      if (!glyph)
+      /* Calculate real struct size of current glyph. */
+      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
+         grub_add (sizeof (struct grub_font_glyph), len, &sz))
+       {
+         remove_font (font);
+         return 0;
+       }
+
+      /* Allocate and initialize the glyph struct. */
+      glyph = grub_malloc (sz);
+      if (glyph == NULL)
+        {
+          remove_font (font);
+          return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
+++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
+#include <grub/safemath.h>
+ 
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+   return bitmap->mode_info.height;
+ }
+ 
+/*
+ * Calculate and store the size of data buffer of 1bit bitmap in result.
+ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
+ * Return true when overflow occurs or false if there is no overflow.
+ * This function is intentionally implemented as a macro instead of
+ * an inline function. Although a bit awkward, it preserves data types for
+ * safemath macros and reduces macro side effects as much as possible.
+ *
+ * XXX: Will report false overflow if width * height > UINT64_MAX.
+ */
+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
+({ \
+  grub_uint64_t _bitmap_pixels; \
+  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
+    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
+})
+
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+                                                    struct grub_video_mode_info *mode_info);
+ 
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
+++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res)    __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res)    __builtin_mul_overflow(a, b, res)
+ 
+#define grub_cast(a, res)      grub_add ((a), 0, (res))
+
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
+-- 
+2.25.1
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 777839d0b6..d09eecd8ac 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -103,6 +103,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2022-28734.patch \
           file://CVE-2022-28736.patch \
           file://CVE-2022-28735.patch \
+           file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
+           file://CVE-2022-2601.patch \
+           file://CVE-2022-3775.patch \
           "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-01-05 11:55:25 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-13 18:11:19 +0000
commit	95649c2878940535a355972d5e899282d54f733a (patch)
tree	896abbae73a719c916566ff7c4001411be90beea /meta/recipes-bsp
parent	fcaac4852d849692c4500a32d75df3aba984859b (diff)
download	poky-95649c2878940535a355972d5e899282d54f733a.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch new file mode 100644 index 0000000000..090f693be3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
		1	From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
		2	From: Zhang Boyang <zhangboyang.id@gmail.com>
		3	Date: Fri, 5 Aug 2022 01:58:27 +0800
		4	Subject: [PATCH] font: Fix several integer overflows in
		5	grub_font_construct_glyph()
		6
		7	This patch fixes several integer overflows in grub_font_construct_glyph().
		8	Glyphs of invalid size, zero or leading to an overflow, are rejected.
		9	The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
		10	returns NULL is fixed too.
		11
		12	Fixes: CVE-2022-2601
		13
		14	Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
		15	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
		16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		17
		18	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		19
		20	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
		21	CVE: CVE-2022-2601
		22	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		23	---
		24	grub-core/font/font.c \| 29 +++++++++++++++++------------
		25	1 file changed, 17 insertions(+), 12 deletions(-)
		26
		27	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
		28	index df17dba..f110db9 100644
		29	--- a/grub-core/font/font.c
		30	+++ b/grub-core/font/font.c
		31	@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
		32	struct grub_video_signed_rect bounds;
		33	static struct grub_font_glyph *glyph = 0;
		34	static grub_size_t max_glyph_size = 0;
		35	+ grub_size_t cur_glyph_size;
		36
		37	ensure_comb_space (glyph_id);
		38
		39	@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
		40	if (!glyph_id->ncomb && !glyph_id->attributes)
		41	return main_glyph;
		42
		43	- if (max_glyph_size < sizeof (glyph) + (bounds.width bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
		44	+ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) \|\|
		45	+ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
		46	+ return main_glyph;
		47	+
		48	+ if (max_glyph_size < cur_glyph_size)
		49	{
		50	grub_free (glyph);
		51	- max_glyph_size = (sizeof (glyph) + (bounds.width bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
		52	- if (max_glyph_size < 8)
		53	- max_glyph_size = 8;
		54	- glyph = grub_malloc (max_glyph_size);
		55	+ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
		56	+ max_glyph_size = 0;
		57	+ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
		58	}
		59	if (!glyph)
		60	{
		61	+ max_glyph_size = 0;
		62	grub_errno = GRUB_ERR_NONE;
		63	return main_glyph;
		64	}
		65
		66	- grub_memset (glyph, 0, sizeof (*glyph)
		67	- + (bounds.width * bounds.height
		68	- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
		69	+ grub_memset (glyph, 0, cur_glyph_size);
		70
		71	glyph->font = main_glyph->font;
		72	- glyph->width = bounds.width;
		73	- glyph->height = bounds.height;
		74	- glyph->offset_x = bounds.x;
		75	- glyph->offset_y = bounds.y;
		76	+ if (bounds.width == 0 \|\| bounds.height == 0 \|\|
		77	+ grub_cast (bounds.width, &glyph->width) \|\|
		78	+ grub_cast (bounds.height, &glyph->height) \|\|
		79	+ grub_cast (bounds.x, &glyph->offset_x) \|\|
		80	+ grub_cast (bounds.y, &glyph->offset_y))
		81	+ return main_glyph;
		82
		83	if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
		84	grub_font_blit_glyph_mirror (glyph, main_glyph,
		85	--
		86	2.25.1
		87


diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch new file mode 100644 index 0000000000..e2e3f35584 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
		1	From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
		2	From: Zhang Boyang <zhangboyang.id@gmail.com>
		3	Date: Mon, 24 Oct 2022 08:05:35 +0800
		4	Subject: [PATCH] font: Fix an integer underflow in blit_comb()
		5
		6	The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
		7	evaluate to a very big invalid value even if both ctx.bounds.height and
		8	combining_glyphs[i]->height are small integers. For example, if
		9	ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
		10	expression evaluates to 2147483647 (expected -1). This is because
		11	coordinates are allowed to be negative but ctx.bounds.height is an
		12	unsigned int. So, the subtraction operates on unsigned ints and
		13	underflows to a very big value. The division makes things even worse.
		14	The quotient is still an invalid value even if converted back to int.
		15
		16	This patch fixes the problem by casting ctx.bounds.height to int. As
		17	a result the subtraction will operate on int and grub_uint16_t which
		18	will be promoted to an int. So, the underflow will no longer happen. Other
		19	uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
		20	to ensure coordinates are always calculated on signed integers.
		21
		22	Fixes: CVE-2022-3775
		23
		24	Reported-by: Daniel Axtens <dja@axtens.net>
		25	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
		26	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		27
		28	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		29
		30	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
		31	CVE: CVE-2022-3775
		32	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		33	---
		34	grub-core/font/font.c \| 16 ++++++++--------
		35	1 file changed, 8 insertions(+), 8 deletions(-)
		36
		37	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
		38	index f110db9..3b76b22 100644
		39	--- a/grub-core/font/font.c
		40	+++ b/grub-core/font/font.c
		41	@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		42	ctx.bounds.height = main_glyph->height;
		43
		44	above_rightx = main_glyph->offset_x + main_glyph->width;
		45	- above_righty = ctx.bounds.y + ctx.bounds.height;
		46	+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
		47
		48	above_leftx = main_glyph->offset_x;
		49	- above_lefty = ctx.bounds.y + ctx.bounds.height;
		50	+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
		51
		52	- below_rightx = ctx.bounds.x + ctx.bounds.width;
		53	+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
		54	below_righty = ctx.bounds.y;
		55
		56	comb = grub_unicode_get_comb (glyph_id);
		57	@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		58
		59	if (!combining_glyphs[i])
		60	continue;
		61	- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
		62	+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
		63	/* CGJ is to avoid diacritics reordering. */
		64	if (comb[i].code
		65	== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
		66	@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		67	case GRUB_UNICODE_COMB_OVERLAY:
		68	do_blit (combining_glyphs[i],
		69	targetx,
		70	- (ctx.bounds.height - combining_glyphs[i]->height) / 2
		71	- - (ctx.bounds.height + ctx.bounds.y), &ctx);
		72	+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
		73	+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
		74	if (min_devwidth < combining_glyphs[i]->width)
		75	min_devwidth = combining_glyphs[i]->width;
		76	break;
		77	@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		78	/* Fallthrough. */
		79	case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
		80	do_blit (combining_glyphs[i], targetx,
		81	- -(ctx.bounds.height + ctx.bounds.y + space
		82	+ -((int) ctx.bounds.height + ctx.bounds.y + space
		83	+ combining_glyphs[i]->height), &ctx);
		84	if (min_devwidth < combining_glyphs[i]->width)
		85	min_devwidth = combining_glyphs[i]->width;
		86	@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
		87
		88	case GRUB_UNICODE_COMB_HEBREW_DAGESH:
		89	do_blit (combining_glyphs[i], targetx,
		90	- -(ctx.bounds.height / 2 + ctx.bounds.y
		91	+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
		92	+ combining_glyphs[i]->height / 2), &ctx);
		93	if (min_devwidth < combining_glyphs[i]->width)
		94	min_devwidth = combining_glyphs[i]->width;
		95	--
		96	2.25.1
		97


diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch new file mode 100644 index 0000000000..d4ba3cafc5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
		1	From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
		2	From: Zhang Boyang <zhangboyang.id@gmail.com>
		3	Date: Fri, 5 Aug 2022 00:51:20 +0800
		4	Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
		5
		6	The length of memory allocation and file read may overflow. This patch
		7	fixes the problem by using safemath macros.
		8
		9	There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
		10	if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
		11	It is safe replacement for such code. It has safemath-like prototype.
		12
		13	This patch also introduces grub_cast(value, pointer), it casts value to
		14	typeof(pointer) then store the value to pointer. It returns true when
		15	overflow occurs or false if there is no overflow. The semantics of arguments
		16	and return value are designed to be consistent with other safemath macros.
		17
		18	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
		19	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		20
		21	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
		22
		23	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		24	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		25	---
		26	grub-core/font/font.c \| 17 +++++++++++++----
		27	include/grub/bitmap.h \| 18 ++++++++++++++++++
		28	include/grub/safemath.h \| 2 ++
		29	3 files changed, 33 insertions(+), 4 deletions(-)
		30
		31	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
		32	index 5edb477..df17dba 100644
		33	--- a/grub-core/font/font.c
		34	+++ b/grub-core/font/font.c
		35	@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
		36	grub_int16_t xoff;
		37	grub_int16_t yoff;
		38	grub_int16_t dwidth;
		39	- int len;
		40	+ grub_ssize_t len;
		41	+ grub_size_t sz;
		42
		43	if (index_entry->glyph)
		44	/* Return cached glyph. */
		45	@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
		46	return 0;
		47	}
		48
		49	- len = (width * height + 7) / 8;
		50	- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
		51	- if (!glyph)
		52	+ /* Calculate real struct size of current glyph. */
		53	+ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) \|\|
		54	+ grub_add (sizeof (struct grub_font_glyph), len, &sz))
		55	+ {
		56	+ remove_font (font);
		57	+ return 0;
		58	+ }
		59	+
		60	+ /* Allocate and initialize the glyph struct. */
		61	+ glyph = grub_malloc (sz);
		62	+ if (glyph == NULL)
		63	{
		64	remove_font (font);
		65	return 0;
		66	diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
		67	index 5728f8c..0d9603f 100644
		68	--- a/include/grub/bitmap.h
		69	+++ b/include/grub/bitmap.h
		70	@@ -23,6 +23,7 @@
		71	#include <grub/symbol.h>
		72	#include <grub/types.h>
		73	#include <grub/video.h>
		74	+#include <grub/safemath.h>
		75
		76	struct grub_video_bitmap
		77	{
		78	@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
		79	return bitmap->mode_info.height;
		80	}
		81
		82	+/*
		83	+ * Calculate and store the size of data buffer of 1bit bitmap in result.
		84	+ * Equivalent to "result = (width height + 7) / 8" if no overflow occurs.
		85	+ * Return true when overflow occurs or false if there is no overflow.
		86	+ * This function is intentionally implemented as a macro instead of
		87	+ * an inline function. Although a bit awkward, it preserves data types for
		88	+ * safemath macros and reduces macro side effects as much as possible.
		89	+ *
		90	+ * XXX: Will report false overflow if width * height > UINT64_MAX.
		91	+ */
		92	+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
		93	+({ \
		94	+ grub_uint64_t _bitmap_pixels; \
		95	+ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
		96	+ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
		97	+})
		98	+
		99	void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
		100	struct grub_video_mode_info *mode_info);
		101
		102	diff --git a/include/grub/safemath.h b/include/grub/safemath.h
		103	index c17b89b..bb0f826 100644
		104	--- a/include/grub/safemath.h
		105	+++ b/include/grub/safemath.h
		106	@@ -30,6 +30,8 @@
		107	#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
		108	#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
		109
		110	+#define grub_cast(a, res) grub_add ((a), 0, (res))
		111	+
		112	#else
		113	#error gcc 5.1 or newer or clang 3.8 or newer is required
		114	#endif
		115	--
		116	2.25.1
		117


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 777839d0b6..d09eecd8ac 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -103,6 +103,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
103	file://CVE-2022-28734.patch \	103	file://CVE-2022-28734.patch \
104	file://CVE-2022-28736.patch \	104	file://CVE-2022-28736.patch \
105	file://CVE-2022-28735.patch \	105	file://CVE-2022-28735.patch \
		106	file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
		107	file://CVE-2022-2601.patch \
		108	file://CVE-2022-3775.patch \
106	"	109	"
107	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"	110	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
108	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"	111	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"