diff options
author | Marta Rybczynska <rybczynska@gmail.com> | 2022-02-18 11:05:40 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-02 00:21:37 +0000 |
commit | 7e7b8e38dc03f6abae7e0496c42441dce3049c40 (patch) | |
tree | 38d6f090fdba4919160cc6635ef0a9023c9dfa86 /meta | |
parent | b5eaa833ba00a13c4f7dd3d2c057c4976bfae22e (diff) | |
download | poky-7e7b8e38dc03f6abae7e0496c42441dce3049c40.tar.gz |
grub: fix an integer overflow
This patch adds a fix for a potential integer overflow in grub's
video/fb/fbfill. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
(From OE-Core rev: fbf3260bd196a5d252ad5ccf2a5fe719d3bd9c7f)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch | 78 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch new file mode 100644 index 0000000000..8165ea3f71 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch | |||
@@ -0,0 +1,78 @@ | |||
1 | From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001 | ||
2 | From: Darren Kenny <darren.kenny@oracle.com> | ||
3 | Date: Wed, 4 Nov 2020 15:10:51 +0000 | ||
4 | Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow | ||
5 | |||
6 | The multiplication of 2 unsigned 32-bit integers may overflow before | ||
7 | promotion to unsigned 64-bit. We should ensure that the multiplication | ||
8 | is done with overflow detection. Additionally, use grub_sub() for | ||
9 | subtraction. | ||
10 | |||
11 | Fixes: CID 73640, CID 73697, CID 73702, CID 73823 | ||
12 | |||
13 | Signed-off-by: Darren Kenny <darren.kenny@oracle.com> | ||
14 | Signed-off-by: Marco A Benatto <mbenatto@redhat.com> | ||
15 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
16 | |||
17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6] | ||
18 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
19 | --- | ||
20 | grub-core/video/fb/fbfill.c | 17 +++++++++++++---- | ||
21 | 1 file changed, 13 insertions(+), 4 deletions(-) | ||
22 | |||
23 | diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c | ||
24 | index 11816d0..a37acd1 100644 | ||
25 | --- a/grub-core/video/fb/fbfill.c | ||
26 | +++ b/grub-core/video/fb/fbfill.c | ||
27 | @@ -31,6 +31,7 @@ | ||
28 | #include <grub/fbfill.h> | ||
29 | #include <grub/fbutil.h> | ||
30 | #include <grub/types.h> | ||
31 | +#include <grub/safemath.h> | ||
32 | #include <grub/video.h> | ||
33 | |||
34 | /* Generic filler that works for every supported mode. */ | ||
35 | @@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst, | ||
36 | |||
37 | /* Calculate the number of bytes to advance from the end of one line | ||
38 | to the beginning of the next line. */ | ||
39 | - rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width; | ||
40 | + if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || | ||
41 | + grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) | ||
42 | + return; | ||
43 | |||
44 | /* Get the start address. */ | ||
45 | dstptr = grub_video_fb_get_video_ptr (dst, x, y); | ||
46 | @@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst, | ||
47 | #endif | ||
48 | /* Calculate the number of bytes to advance from the end of one line | ||
49 | to the beginning of the next line. */ | ||
50 | - rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width; | ||
51 | + if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || | ||
52 | + grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) | ||
53 | + return; | ||
54 | |||
55 | /* Get the start address. */ | ||
56 | dstptr = grub_video_fb_get_video_ptr (dst, x, y); | ||
57 | @@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst, | ||
58 | |||
59 | /* Calculate the number of bytes to advance from the end of one line | ||
60 | to the beginning of the next line. */ | ||
61 | - rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width); | ||
62 | + if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || | ||
63 | + grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) | ||
64 | + return; | ||
65 | |||
66 | /* Get the start address. */ | ||
67 | dstptr = grub_video_fb_get_video_ptr (dst, x, y); | ||
68 | @@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst, | ||
69 | |||
70 | /* Calculate the number of bytes to advance from the end of one line | ||
71 | to the beginning of the next line. */ | ||
72 | - rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width; | ||
73 | + if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || | ||
74 | + grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) | ||
75 | + return; | ||
76 | |||
77 | /* Get the start address. */ | ||
78 | dstptr = grub_video_fb_get_video_ptr (dst, x, y); | ||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 24a269d90d..710ab5e361 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -78,6 +78,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
78 | file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \ | 78 | file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \ |
79 | file://0030-commands-hashsum-Fix-a-memory-leak.patch \ | 79 | file://0030-commands-hashsum-Fix-a-memory-leak.patch \ |
80 | file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \ | 80 | file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \ |
81 | file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \ | ||
81 | " | 82 | " |
82 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 83 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
83 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 84 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |