-rw-r--r-- | meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch | 104 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 105 insertions, 0 deletions
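--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,104 @@
+From 69b91f7466a5ad5fb85039a5b4118efb77ad6347 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08e098b1dbf01e96376f594b337491bc4cfa48dd]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++-----------
+1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8..1c9a138 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+#include <grub/fbutil.h>
+#include <grub/bitmap.h>
+#include <grub/dl.h>
++#include <grub/safemath.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+{
+if (framebuffer.current_dirty.first_line
+<= framebuffer.current_dirty.last_line)
+- grub_memcpy ((char *) framebuffer.pages[0]
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (framebuffer.current_dirty.last_line
+- - framebuffer.current_dirty.first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (framebuffer.current_dirty.last_line,
++ framebuffer.current_dirty.first_line, ©_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
+framebuffer.current_dirty.first_line
+= framebuffer.back_target->mode_info.height;
+framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+volatile void *framebuf)
+{
+grub_err_t err;
+- grub_size_t page_size = mode_info.pitch * mode_info.height;
++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+
+framebuffer.offscreen_buffer = grub_zalloc (page_size);
+if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+last_line = framebuffer.previous_dirty.last_line;
+
+if (first_line <= last_line)
+- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (last_line - first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (last_line, first_line, ©_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
++
+framebuffer.previous_dirty = framebuffer.current_dirty;
+framebuffer.current_dirty.first_line
+= framebuffer.back_target->mode_info.height;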
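Review bot: The cast added in grub_video_fb_doublebuf_blit_init, `(grub_size_t) mode_info.pitch * mode_info.height`, only widens the product where grub_size_t is wider than 32 bits; on 32-bit GRUB targets it can presumably still wrap before `grub_zalloc (page_size)`, which would leave the offscreen buffer smaller than the mode needs. Declaring `grub_size_t page_size;` and guarding it with `if (grub_mul (mode_info.pitch, mode_info.height, &page_size)) return GRUB_ERR_BUG;` would use the safemath helper this patch already pulls in, the way the two update_screen hunks do for `&copy_size` (shown on this page as `©_size`). Those two hunks also still pass `first_line * ...mode_info.pitch` as unchecked offsets to grub_memcpy, so only the length, not the start of the copy, is validated. All three functions begin or end outside their hunks, so the operand types are inferred from the commit message rather than seen; as this is a backport, the change would belong upstream first.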
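--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -79,6 +79,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 file://0030-commands-hashsum-Fix-a-memory-leak.patch \
 file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
 file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
+file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
 "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"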