grub2: Fix buffer underflow write in the heap

Source: https://git.savannah.gnu.org/gitweb/?p=grub.git MR: 119719, 119733, 119689 Type: Security Fix Disposition: Backport from https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08 && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042 && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 ChangeID: 97605970cd42776fa449fd8318f2762e32bbd177 Description: Fixed CVEs : CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 Affects "grub2 < 2.06" (From OE-Core rev: 191db3c58b52fa7c8530d82f7e3e3b24075fdeb4) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-07-26 12:34:02 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-08-08 16:23:34 +0100
commit: 9e7f4a7db257a865100e135f076cc31c14a71bd3 (patch)
tree: b97a502f6edc132b55a6a16bc1605ed65a330e54 /meta/recipes-bsp
parent: e4946bd39eed9f4127e55c369bdbd9f35d832d9d (diff)
download: poky-9e7f4a7db257a865100e135f076cc31c14a71bd3.tar.gz
4 files changed, 310 insertions, 1 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
new file mode 100644
index 0000000000..7d6e805725
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
+From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:01:35 +0530
+Subject: [PATCH] CVE-2021-3695
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
+CVE: CVE-2021-3695
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+ video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+      for (i = 0; i < (data->image_width * data->image_height);
+   i++, d1 += 4, d2 += 2)
+{
+  d1[R3] = d2[1];
+  d1[G3] = d2[1];
+  d1[B3] = d2[1];
+}
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+Delete all PNG greyscale support.
+Fixes: CVE-2021-3695
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 89 ++++-------------------------------
+ 1 file changed, 8 insertions(+), 81 deletions(-)
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff7..db4a9d4 100644
+--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+ 
+   unsigned image_width, image_height;
+   int bpp, is_16bit;
+-  int raw_bytes, is_gray, is_alpha, is_palette;
+  int raw_bytes, is_alpha, is_palette;
+   int row_bytes, color_bits;
+   grub_uint8_t *image_data;
+ 
+@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     data->bpp = 3;
+   else
+     {
+-      data->is_gray = 1;
+-      data->bpp = 1;
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                        "png: color type not supported");
+     }
+ 
+   if ((color_bits != 8) && (color_bits != 16)
+       && (color_bits != 4
+-         || !(data->is_gray || data->is_palette)))
+         || !data->is_palette))
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                        "png: bit depth must be 8 or 16");
+ 
+@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     }
+ 
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+-  if (data->is_16bit || data->is_gray || data->is_palette)
+  if (data->is_16bit || data->is_palette)
+ #endif
+     {
+       data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
+       int shift;
+       int mask = (1 << data->color_bits) - 1;
+       unsigned j;
+-      if (data->is_gray)
+-       {
+-         /* Generic formula is
+-            (0xff * i) / ((1U << data->color_bits) - 1)
+-            but for allowed bit depth of 1, 2 and for it's
+-            equivalent to
+-            (0xff / ((1U << data->color_bits) - 1)) * i
+-            Precompute the multipliers to avoid division.
+-         */
+-
+-         const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+-         for (i = 0; i < (1U << data->color_bits); i++)
+-           {
+-             grub_uint8_t col = multipliers[data->color_bits] * i;
+-             palette[i][0] = col;
+-             palette[i][1] = col;
+-             palette[i][2] = col;
+-           }
+-       }
+-      else
+-       grub_memcpy (palette, data->palette, 3 << data->color_bits);
+
+      grub_memcpy (palette, data->palette, 3 << data->color_bits);
+       d1c = d1;
+       d2c = d2;
+       for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
+       return;
+     }
+   
+-  if (data->is_gray)
+-    {
+-      switch (data->bpp)
+-       {
+-       case 4:
+-         /* 16-bit gray with alpha.  */
+-         for (i = 0; i < (data->image_width * data->image_height);
+-              i++, d1 += 4, d2 += 4)
+-           {
+-             d1[R4] = d2[3];
+-             d1[G4] = d2[3];
+-             d1[B4] = d2[3];
+-             d1[A4] = d2[1];
+-           }
+-         break;
+-       case 2:
+-         if (data->is_16bit)
+-           /* 16-bit gray without alpha.  */
+-           {
+-             for (i = 0; i < (data->image_width * data->image_height);
+-                  i++, d1 += 4, d2 += 2)
+-               {
+-                 d1[R3] = d2[1];
+-                 d1[G3] = d2[1];
+-                 d1[B3] = d2[1];
+-               }
+-           }
+-         else
+-           /* 8-bit gray with alpha.  */
+-           {
+-             for (i = 0; i < (data->image_width * data->image_height);
+-                  i++, d1 += 4, d2 += 2)
+-               {
+-                 d1[R4] = d2[1];
+-                 d1[G4] = d2[1];
+-                 d1[B4] = d2[1];
+-                 d1[A4] = d2[0];
+-               }
+-           }
+-         break;
+-         /* 8-bit gray without alpha.  */
+-       case 1:
+-         for (i = 0; i < (data->image_width * data->image_height);
+-              i++, d1 += 3, d2++)
+-           {
+-             d1[R3] = d2[0];
+-             d1[G3] = d2[0];
+-             d1[B3] = d2[0];
+-           }
+-         break;
+-       }
+-      return;
+-    }
+-
+-    {
+  {
+   /* Only copy the upper 8 bit.  */
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+       for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
+-- 
+2.25.1
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
new file mode 100644
index 0000000000..ef6da945c4
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
@@ -0,0 +1,46 @@
+From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:05:42 +0530
+Subject: [PATCH] CVE-2021-3696
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042]
+CVE: CVE-2021-3696
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+video/readers/png: Avoid heap OOB R/W inserting huff table items
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+Catch the case where we would underflow the array and bail.
+Fixes: CVE-2021-3696
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 36b3f10..3c05951 100644
+--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
+@@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+   for (i = len; i < ht->max_length; i++)
+     n += ht->maxval[i];
+ 
+  if (n > ht->num_values)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                 "png: out of range inserting huffman table item");
+      return;
+    }
+
+   for (i = 0; i < n; i++)
+     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
new file mode 100644
index 0000000000..be15e7d1f2
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
@@ -0,0 +1,82 @@
+From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 19 Jul 2022 11:13:02 +0530
+Subject: [PATCH] CVE-2021-3697
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6]
+CVE: CVE-2021-3697
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+video/readers/jpeg: Block int underflow -> wild pointer write
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+for (; data->r1 < nr1 && (!data->dri || rst);
+     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+We did not check if vb * width >= hb * nc1.
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+0x6180_0000_0480 to
+0x6181_0000_0498
+     ^
+     ~--- carry has occurred and this pointer is now far away from
+          any object.
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+Catch the underflow and error out.
+Fixes: CVE-2021-3697
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..545a60b 100644
+--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -617,6 +618,7 @@ static grub_err_t
+ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+   unsigned c1, vb, hb, nr1, nc1;
+  unsigned stride_a, stride_b, stride;
+   int rst = data->dri;
+ 
+   vb = 8 << data->log_vs;
+@@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+   nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
+   nc1 = (data->image_width + hb - 1)  >> (3 + data->log_hs);
+ 
+  if (grub_mul(vb, data->image_width, &stride_a) ||
+      grub_mul(hb, nc1, &stride_b) ||
+      grub_sub(stride_a, stride_b, &stride))
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                      "jpeg: cannot decode image with these dimensions");
+
+   for (; data->r1 < nr1 && (!data->dri || rst);
+-       data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+       data->r1++, data->bitmap_ptr += stride * 3)
+     for (c1 = 0;  c1 < nc1 && (!data->dri || rst);
+        c1++, rst--, data->bitmap_ptr += hb * 3)
+       {
+-- 
+2.25.1
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 9e98d8249d..0b7ca6d3d6 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -95,7 +95,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \
           file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \
           file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \
-           file://CVE-2021-3981.patch\
+           file://CVE-2021-3981.patch \
+           file://CVE-2021-3695.patch \
+           file://CVE-2021-3696.patch \
+           file://CVE-2021-3697.patch \
           "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-07-26 12:34:02 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-08-08 16:23:34 +0100
commit	9e7f4a7db257a865100e135f076cc31c14a71bd3 (patch)
tree	b97a502f6edc132b55a6a16bc1605ed65a330e54 /meta/recipes-bsp
parent	e4946bd39eed9f4127e55c369bdbd9f35d832d9d (diff)
download	poky-9e7f4a7db257a865100e135f076cc31c14a71bd3.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch new file mode 100644 index 0000000000..7d6e805725 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
		1	From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Wed, 20 Jul 2022 10:01:35 +0530
		4	Subject: [PATCH] CVE-2021-3695
		5
		6	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
		7	CVE: CVE-2021-3695
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	video/readers/png: Drop greyscale support to fix heap out-of-bounds write
		11
		12	A 16-bit greyscale PNG without alpha is processed in the following loop:
		13
		14	for (i = 0; i < (data->image_width * data->image_height);
		15	i++, d1 += 4, d2 += 2)
		16	{
		17	d1[R3] = d2[1];
		18	d1[G3] = d2[1];
		19	d1[B3] = d2[1];
		20	}
		21
		22	The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
		23	but there are only 3 bytes allocated for storage. This means that image
		24	data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
		25	out of every 4 following the end of the image.
		26
		27	This has existed since greyscale support was added in 2013 in commit
		28	3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
		29
		30	Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
		31	and attempting to load it causes grub-emu to crash - I don't think this code
		32	has ever worked.
		33
		34	Delete all PNG greyscale support.
		35
		36	Fixes: CVE-2021-3695
		37
		38	Signed-off-by: Daniel Axtens <dja@axtens.net>
		39	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		40	---
		41	grub-core/video/readers/png.c \| 89 ++++-------------------------------
		42	1 file changed, 8 insertions(+), 81 deletions(-)
		43
		44	diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
		45	index 0157ff7..db4a9d4 100644
		46	--- a/grub-core/video/readers/png.c
		47	+++ b/grub-core/video/readers/png.c
		48	@@ -100,7 +100,7 @@ struct grub_png_data
		49
		50	unsigned image_width, image_height;
		51	int bpp, is_16bit;
		52	- int raw_bytes, is_gray, is_alpha, is_palette;
		53	+ int raw_bytes, is_alpha, is_palette;
		54	int row_bytes, color_bits;
		55	grub_uint8_t *image_data;
		56
		57	@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
		58	data->bpp = 3;
		59	else
		60	{
		61	- data->is_gray = 1;
		62	- data->bpp = 1;
		63	+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
		64	+ "png: color type not supported");
		65	}
		66
		67	if ((color_bits != 8) && (color_bits != 16)
		68	&& (color_bits != 4
		69	- \|\| !(data->is_gray \|\| data->is_palette)))
		70	+ \|\| !data->is_palette))
		71	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
		72	"png: bit depth must be 8 or 16");
		73
		74	@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
		75	}
		76
		77	#ifndef GRUB_CPU_WORDS_BIGENDIAN
		78	- if (data->is_16bit \|\| data->is_gray \|\| data->is_palette)
		79	+ if (data->is_16bit \|\| data->is_palette)
		80	#endif
		81	{
		82	data->image_data = grub_calloc (data->image_height, data->row_bytes);
		83	@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
		84	int shift;
		85	int mask = (1 << data->color_bits) - 1;
		86	unsigned j;
		87	- if (data->is_gray)
		88	- {
		89	- /* Generic formula is
		90	- (0xff * i) / ((1U << data->color_bits) - 1)
		91	- but for allowed bit depth of 1, 2 and for it's
		92	- equivalent to
		93	- (0xff / ((1U << data->color_bits) - 1)) * i
		94	- Precompute the multipliers to avoid division.
		95	- */
		96	-
		97	- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
		98	- for (i = 0; i < (1U << data->color_bits); i++)
		99	- {
		100	- grub_uint8_t col = multipliers[data->color_bits] * i;
		101	- palette[i][0] = col;
		102	- palette[i][1] = col;
		103	- palette[i][2] = col;
		104	- }
		105	- }
		106	- else
		107	- grub_memcpy (palette, data->palette, 3 << data->color_bits);
		108	+
		109	+ grub_memcpy (palette, data->palette, 3 << data->color_bits);
		110	d1c = d1;
		111	d2c = d2;
		112	for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
		113	@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
		114	return;
		115	}
		116
		117	- if (data->is_gray)
		118	- {
		119	- switch (data->bpp)
		120	- {
		121	- case 4:
		122	- /* 16-bit gray with alpha. */
		123	- for (i = 0; i < (data->image_width * data->image_height);
		124	- i++, d1 += 4, d2 += 4)
		125	- {
		126	- d1[R4] = d2[3];
		127	- d1[G4] = d2[3];
		128	- d1[B4] = d2[3];
		129	- d1[A4] = d2[1];
		130	- }
		131	- break;
		132	- case 2:
		133	- if (data->is_16bit)
		134	- /* 16-bit gray without alpha. */
		135	- {
		136	- for (i = 0; i < (data->image_width * data->image_height);
		137	- i++, d1 += 4, d2 += 2)
		138	- {
		139	- d1[R3] = d2[1];
		140	- d1[G3] = d2[1];
		141	- d1[B3] = d2[1];
		142	- }
		143	- }
		144	- else
		145	- /* 8-bit gray with alpha. */
		146	- {
		147	- for (i = 0; i < (data->image_width * data->image_height);
		148	- i++, d1 += 4, d2 += 2)
		149	- {
		150	- d1[R4] = d2[1];
		151	- d1[G4] = d2[1];
		152	- d1[B4] = d2[1];
		153	- d1[A4] = d2[0];
		154	- }
		155	- }
		156	- break;
		157	- /* 8-bit gray without alpha. */
		158	- case 1:
		159	- for (i = 0; i < (data->image_width * data->image_height);
		160	- i++, d1 += 3, d2++)
		161	- {
		162	- d1[R3] = d2[0];
		163	- d1[G3] = d2[0];
		164	- d1[B3] = d2[0];
		165	- }
		166	- break;
		167	- }
		168	- return;
		169	- }
		170	-
		171	- {
		172	+ {
		173	/* Only copy the upper 8 bit. */
		174	#ifndef GRUB_CPU_WORDS_BIGENDIAN
		175	for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
		176	--
		177	2.25.1
		178


diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch new file mode 100644 index 0000000000..ef6da945c4 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
@@ -0,0 +1,46 @@
		1	From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Wed, 20 Jul 2022 10:05:42 +0530
		4	Subject: [PATCH] CVE-2021-3696
		5
		6	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042]
		7	CVE: CVE-2021-3696
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	video/readers/png: Avoid heap OOB R/W inserting huff table items
		11
		12	In fuzzing we observed crashes where a code would attempt to be inserted
		13	into a huffman table before the start, leading to a set of heap OOB reads
		14	and writes as table entries with negative indices were shifted around and
		15	the new code written in.
		16
		17	Catch the case where we would underflow the array and bail.
		18
		19	Fixes: CVE-2021-3696
		20	Signed-off-by: Daniel Axtens <dja@axtens.net>
		21	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		22	---
		23	grub-core/video/readers/png.c \| 7 +++++++
		24	1 file changed, 7 insertions(+)
		25
		26	diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
		27	index 36b3f10..3c05951 100644
		28	--- a/grub-core/video/readers/png.c
		29	+++ b/grub-core/video/readers/png.c
		30	@@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
		31	for (i = len; i < ht->max_length; i++)
		32	n += ht->maxval[i];
		33
		34	+ if (n > ht->num_values)
		35	+ {
		36	+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
		37	+ "png: out of range inserting huffman table item");
		38	+ return;
		39	+ }
		40	+
		41	for (i = 0; i < n; i++)
		42	ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
		43
		44	--
		45	2.25.1
		46


diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch new file mode 100644 index 0000000000..be15e7d1f2 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
@@ -0,0 +1,82 @@
		1	From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Tue, 19 Jul 2022 11:13:02 +0530
		4	Subject: [PATCH] CVE-2021-3697
		5
		6	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6]
		7	CVE: CVE-2021-3697
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	video/readers/jpeg: Block int underflow -> wild pointer write
		11
		12	Certain 1 px wide images caused a wild pointer write in
		13	grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
		14	we have the following loop:
		15
		16	for (; data->r1 < nr1 && (!data->dri \|\| rst);
		17	data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
		18
		19	We did not check if vb * width >= hb * nc1.
		20
		21	On a 64-bit platform, if that turns out to be negative, it will underflow,
		22	be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
		23	we see data->bitmap_ptr jump, e.g.:
		24
		25	0x6180_0000_0480 to
		26	0x6181_0000_0498
		27	^
		28	~--- carry has occurred and this pointer is now far away from
		29	any object.
		30
		31	On a 32-bit platform, it will decrement the pointer, creating a pointer
		32	that won't crash but will overwrite random data.
		33
		34	Catch the underflow and error out.
		35
		36	Fixes: CVE-2021-3697
		37
		38	Signed-off-by: Daniel Axtens <dja@axtens.net>
		39	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		40	---
		41	grub-core/video/readers/jpeg.c \| 10 +++++++++-
		42	1 file changed, 9 insertions(+), 1 deletion(-)
		43
		44	diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
		45	index 31359a4..545a60b 100644
		46	--- a/grub-core/video/readers/jpeg.c
		47	+++ b/grub-core/video/readers/jpeg.c
		48	@@ -23,6 +23,7 @@
		49	#include <grub/mm.h>
		50	#include <grub/misc.h>
		51	#include <grub/bufio.h>
		52	+#include <grub/safemath.h>
		53
		54	GRUB_MOD_LICENSE ("GPLv3+");
		55
		56	@@ -617,6 +618,7 @@ static grub_err_t
		57	grub_jpeg_decode_data (struct grub_jpeg_data *data)
		58	{
		59	unsigned c1, vb, hb, nr1, nc1;
		60	+ unsigned stride_a, stride_b, stride;
		61	int rst = data->dri;
		62
		63	vb = 8 << data->log_vs;
		64	@@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
		65	nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
		66	nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
		67
		68	+ if (grub_mul(vb, data->image_width, &stride_a) \|\|
		69	+ grub_mul(hb, nc1, &stride_b) \|\|
		70	+ grub_sub(stride_a, stride_b, &stride))
		71	+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
		72	+ "jpeg: cannot decode image with these dimensions");
		73	+
		74	for (; data->r1 < nr1 && (!data->dri \|\| rst);
		75	- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
		76	+ data->r1++, data->bitmap_ptr += stride * 3)
		77	for (c1 = 0; c1 < nc1 && (!data->dri \|\| rst);
		78	c1++, rst--, data->bitmap_ptr += hb * 3)
		79	{
		80	--
		81	2.25.1
		82


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 9e98d8249d..0b7ca6d3d6 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -95,7 +95,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
95	file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \	95	file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \
96	file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \	96	file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \
97	file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \	97	file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \
98	file://CVE-2021-3981.patch\	98	file://CVE-2021-3981.patch \
		99	file://CVE-2021-3695.patch \
		100	file://CVE-2021-3696.patch \
		101	file://CVE-2021-3697.patch \
99	"	102	"
100	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"	103	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
101	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"	104	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"