diff options
author | Marta Rybczynska <rybczynska@gmail.com> | 2022-02-18 11:05:15 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-02 00:21:36 +0000 |
commit | c4ca12868c22221751516ab981d802d908bf2962 (patch) | |
tree | d221d72aeef745fafa5609055de5e177579b057f /meta/recipes-bsp | |
parent | 4a5a4dbcf618b0ba550c91136b5740c8f6f69bb8 (diff) | |
download | poky-c4ca12868c22221751516ab981d802d908bf2962.tar.gz |
grub: add a fix for a possible NULL pointer dereference
This change fixes a possible NULL pointer dereference in grub's
EFI support. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
(From OE-Core rev: a49ffdd81e020224ea3e94a266e49d40ebb7198a)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r-- | meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch | 65 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch new file mode 100644 index 0000000000..d55709406b --- /dev/null +++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001 | ||
2 | From: Darren Kenny <darren.kenny@oracle.com> | ||
3 | Date: Fri, 11 Dec 2020 15:03:13 +0000 | ||
4 | Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference | ||
5 | |||
6 | The model of grub_efi_get_memory_map() is that if memory_map is NULL, | ||
7 | then the purpose is to discover how much memory should be allocated to | ||
8 | it for the subsequent call. | ||
9 | |||
10 | The problem here is that with grub_efi_is_finished set to 1, there is no | ||
11 | check at all that the function is being called with a non-NULL memory_map. | ||
12 | |||
13 | While this MAY be true, we shouldn't assume it. | ||
14 | |||
15 | The solution to this is to behave as expected, and if memory_map is NULL, | ||
16 | then don't try to use it and allow memory_map_size to be filled in, and | ||
17 | return 0 as is done later in the code if the buffer is too small (or NULL). | ||
18 | |||
19 | Additionally, drop unneeded ret = 1. | ||
20 | |||
21 | Fixes: CID 96632 | ||
22 | |||
23 | Signed-off-by: Darren Kenny <darren.kenny@oracle.com> | ||
24 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
25 | |||
26 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1] | ||
27 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
28 | --- | ||
29 | grub-core/kern/efi/mm.c | 19 ++++++++++++++----- | ||
30 | 1 file changed, 14 insertions(+), 5 deletions(-) | ||
31 | |||
32 | diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c | ||
33 | index b02fab1..5afcef7 100644 | ||
34 | --- a/grub-core/kern/efi/mm.c | ||
35 | +++ b/grub-core/kern/efi/mm.c | ||
36 | @@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size, | ||
37 | if (grub_efi_is_finished) | ||
38 | { | ||
39 | int ret = 1; | ||
40 | - if (*memory_map_size < finish_mmap_size) | ||
41 | + | ||
42 | + if (memory_map != NULL) | ||
43 | { | ||
44 | - grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size); | ||
45 | - ret = 0; | ||
46 | + if (*memory_map_size < finish_mmap_size) | ||
47 | + { | ||
48 | + grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size); | ||
49 | + ret = 0; | ||
50 | + } | ||
51 | + else | ||
52 | + grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size); | ||
53 | } | ||
54 | else | ||
55 | { | ||
56 | - grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size); | ||
57 | - ret = 1; | ||
58 | + /* | ||
59 | + * Incomplete, no buffer to copy into, same as | ||
60 | + * GRUB_EFI_BUFFER_TOO_SMALL below. | ||
61 | + */ | ||
62 | + ret = 0; | ||
63 | } | ||
64 | *memory_map_size = finish_mmap_size; | ||
65 | if (map_key) | ||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 04ed8b7b23..46d65d8609 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -53,6 +53,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
53 | file://0004-kern-parser-Fix-resource-leak-if-argc-0.patch \ | 53 | file://0004-kern-parser-Fix-resource-leak-if-argc-0.patch \ |
54 | file://0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch \ | 54 | file://0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch \ |
55 | file://0006-kern-efi-Fix-memory-leak-on-failure.patch \ | 55 | file://0006-kern-efi-Fix-memory-leak-on-failure.patch \ |
56 | file://0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch \ | ||
56 | " | 57 | " |
57 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 58 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
58 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 59 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |