diff options
4 files changed, 304 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch new file mode 100644 index 0000000000..090f693be3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Zhang Boyang <zhangboyang.id@gmail.com> | ||
3 | Date: Fri, 5 Aug 2022 01:58:27 +0800 | ||
4 | Subject: [PATCH] font: Fix several integer overflows in | ||
5 | grub_font_construct_glyph() | ||
6 | |||
7 | This patch fixes several integer overflows in grub_font_construct_glyph(). | ||
8 | Glyphs of invalid size, zero or leading to an overflow, are rejected. | ||
9 | The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() | ||
10 | returns NULL is fixed too. | ||
11 | |||
12 | Fixes: CVE-2022-2601 | ||
13 | |||
14 | Reported-by: Zhang Boyang <zhangboyang.id@gmail.com> | ||
15 | Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> | ||
16 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
17 | |||
18 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> | ||
19 | |||
20 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e] | ||
21 | CVE: CVE-2022-2601 | ||
22 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
23 | --- | ||
24 | grub-core/font/font.c | 29 +++++++++++++++++------------ | ||
25 | 1 file changed, 17 insertions(+), 12 deletions(-) | ||
26 | |||
27 | diff --git a/grub-core/font/font.c b/grub-core/font/font.c | ||
28 | index df17dba..f110db9 100644 | ||
29 | --- a/grub-core/font/font.c | ||
30 | +++ b/grub-core/font/font.c | ||
31 | @@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font, | ||
32 | struct grub_video_signed_rect bounds; | ||
33 | static struct grub_font_glyph *glyph = 0; | ||
34 | static grub_size_t max_glyph_size = 0; | ||
35 | + grub_size_t cur_glyph_size; | ||
36 | |||
37 | ensure_comb_space (glyph_id); | ||
38 | |||
39 | @@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font, | ||
40 | if (!glyph_id->ncomb && !glyph_id->attributes) | ||
41 | return main_glyph; | ||
42 | |||
43 | - if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) | ||
44 | + if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) || | ||
45 | + grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size)) | ||
46 | + return main_glyph; | ||
47 | + | ||
48 | + if (max_glyph_size < cur_glyph_size) | ||
49 | { | ||
50 | grub_free (glyph); | ||
51 | - max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2; | ||
52 | - if (max_glyph_size < 8) | ||
53 | - max_glyph_size = 8; | ||
54 | - glyph = grub_malloc (max_glyph_size); | ||
55 | + if (grub_mul (cur_glyph_size, 2, &max_glyph_size)) | ||
56 | + max_glyph_size = 0; | ||
57 | + glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL; | ||
58 | } | ||
59 | if (!glyph) | ||
60 | { | ||
61 | + max_glyph_size = 0; | ||
62 | grub_errno = GRUB_ERR_NONE; | ||
63 | return main_glyph; | ||
64 | } | ||
65 | |||
66 | - grub_memset (glyph, 0, sizeof (*glyph) | ||
67 | - + (bounds.width * bounds.height | ||
68 | - + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT); | ||
69 | + grub_memset (glyph, 0, cur_glyph_size); | ||
70 | |||
71 | glyph->font = main_glyph->font; | ||
72 | - glyph->width = bounds.width; | ||
73 | - glyph->height = bounds.height; | ||
74 | - glyph->offset_x = bounds.x; | ||
75 | - glyph->offset_y = bounds.y; | ||
76 | + if (bounds.width == 0 || bounds.height == 0 || | ||
77 | + grub_cast (bounds.width, &glyph->width) || | ||
78 | + grub_cast (bounds.height, &glyph->height) || | ||
79 | + grub_cast (bounds.x, &glyph->offset_x) || | ||
80 | + grub_cast (bounds.y, &glyph->offset_y)) | ||
81 | + return main_glyph; | ||
82 | |||
83 | if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR) | ||
84 | grub_font_blit_glyph_mirror (glyph, main_glyph, | ||
85 | -- | ||
86 | 2.25.1 | ||
87 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch new file mode 100644 index 0000000000..e2e3f35584 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch | |||
@@ -0,0 +1,97 @@ | |||
1 | From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Zhang Boyang <zhangboyang.id@gmail.com> | ||
3 | Date: Mon, 24 Oct 2022 08:05:35 +0800 | ||
4 | Subject: [PATCH] font: Fix an integer underflow in blit_comb() | ||
5 | |||
6 | The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may | ||
7 | evaluate to a very big invalid value even if both ctx.bounds.height and | ||
8 | combining_glyphs[i]->height are small integers. For example, if | ||
9 | ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this | ||
10 | expression evaluates to 2147483647 (expected -1). This is because | ||
11 | coordinates are allowed to be negative but ctx.bounds.height is an | ||
12 | unsigned int. So, the subtraction operates on unsigned ints and | ||
13 | underflows to a very big value. The division makes things even worse. | ||
14 | The quotient is still an invalid value even if converted back to int. | ||
15 | |||
16 | This patch fixes the problem by casting ctx.bounds.height to int. As | ||
17 | a result the subtraction will operate on int and grub_uint16_t which | ||
18 | will be promoted to an int. So, the underflow will no longer happen. Other | ||
19 | uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, | ||
20 | to ensure coordinates are always calculated on signed integers. | ||
21 | |||
22 | Fixes: CVE-2022-3775 | ||
23 | |||
24 | Reported-by: Daniel Axtens <dja@axtens.net> | ||
25 | Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> | ||
26 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
27 | |||
28 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> | ||
29 | |||
30 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af] | ||
31 | CVE: CVE-2022-3775 | ||
32 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
33 | --- | ||
34 | grub-core/font/font.c | 16 ++++++++-------- | ||
35 | 1 file changed, 8 insertions(+), 8 deletions(-) | ||
36 | |||
37 | diff --git a/grub-core/font/font.c b/grub-core/font/font.c | ||
38 | index f110db9..3b76b22 100644 | ||
39 | --- a/grub-core/font/font.c | ||
40 | +++ b/grub-core/font/font.c | ||
41 | @@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, | ||
42 | ctx.bounds.height = main_glyph->height; | ||
43 | |||
44 | above_rightx = main_glyph->offset_x + main_glyph->width; | ||
45 | - above_righty = ctx.bounds.y + ctx.bounds.height; | ||
46 | + above_righty = ctx.bounds.y + (int) ctx.bounds.height; | ||
47 | |||
48 | above_leftx = main_glyph->offset_x; | ||
49 | - above_lefty = ctx.bounds.y + ctx.bounds.height; | ||
50 | + above_lefty = ctx.bounds.y + (int) ctx.bounds.height; | ||
51 | |||
52 | - below_rightx = ctx.bounds.x + ctx.bounds.width; | ||
53 | + below_rightx = ctx.bounds.x + (int) ctx.bounds.width; | ||
54 | below_righty = ctx.bounds.y; | ||
55 | |||
56 | comb = grub_unicode_get_comb (glyph_id); | ||
57 | @@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, | ||
58 | |||
59 | if (!combining_glyphs[i]) | ||
60 | continue; | ||
61 | - targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; | ||
62 | + targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; | ||
63 | /* CGJ is to avoid diacritics reordering. */ | ||
64 | if (comb[i].code | ||
65 | == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER) | ||
66 | @@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, | ||
67 | case GRUB_UNICODE_COMB_OVERLAY: | ||
68 | do_blit (combining_glyphs[i], | ||
69 | targetx, | ||
70 | - (ctx.bounds.height - combining_glyphs[i]->height) / 2 | ||
71 | - - (ctx.bounds.height + ctx.bounds.y), &ctx); | ||
72 | + ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2 | ||
73 | + - ((int) ctx.bounds.height + ctx.bounds.y), &ctx); | ||
74 | if (min_devwidth < combining_glyphs[i]->width) | ||
75 | min_devwidth = combining_glyphs[i]->width; | ||
76 | break; | ||
77 | @@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, | ||
78 | /* Fallthrough. */ | ||
79 | case GRUB_UNICODE_STACK_ATTACHED_ABOVE: | ||
80 | do_blit (combining_glyphs[i], targetx, | ||
81 | - -(ctx.bounds.height + ctx.bounds.y + space | ||
82 | + -((int) ctx.bounds.height + ctx.bounds.y + space | ||
83 | + combining_glyphs[i]->height), &ctx); | ||
84 | if (min_devwidth < combining_glyphs[i]->width) | ||
85 | min_devwidth = combining_glyphs[i]->width; | ||
86 | @@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, | ||
87 | |||
88 | case GRUB_UNICODE_COMB_HEBREW_DAGESH: | ||
89 | do_blit (combining_glyphs[i], targetx, | ||
90 | - -(ctx.bounds.height / 2 + ctx.bounds.y | ||
91 | + -((int) ctx.bounds.height / 2 + ctx.bounds.y | ||
92 | + combining_glyphs[i]->height / 2), &ctx); | ||
93 | if (min_devwidth < combining_glyphs[i]->width) | ||
94 | min_devwidth = combining_glyphs[i]->width; | ||
95 | -- | ||
96 | 2.25.1 | ||
97 | |||
diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch new file mode 100644 index 0000000000..d4ba3cafc5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch | |||
@@ -0,0 +1,117 @@ | |||
1 | From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001 | ||
2 | From: Zhang Boyang <zhangboyang.id@gmail.com> | ||
3 | Date: Fri, 5 Aug 2022 00:51:20 +0800 | ||
4 | Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal() | ||
5 | |||
6 | The length of memory allocation and file read may overflow. This patch | ||
7 | fixes the problem by using safemath macros. | ||
8 | |||
9 | There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe | ||
10 | if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz(). | ||
11 | It is safe replacement for such code. It has safemath-like prototype. | ||
12 | |||
13 | This patch also introduces grub_cast(value, pointer), it casts value to | ||
14 | typeof(*pointer) then store the value to *pointer. It returns true when | ||
15 | overflow occurs or false if there is no overflow. The semantics of arguments | ||
16 | and return value are designed to be consistent with other safemath macros. | ||
17 | |||
18 | Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> | ||
19 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
20 | |||
21 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532] | ||
22 | |||
23 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> | ||
24 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
25 | --- | ||
26 | grub-core/font/font.c | 17 +++++++++++++---- | ||
27 | include/grub/bitmap.h | 18 ++++++++++++++++++ | ||
28 | include/grub/safemath.h | 2 ++ | ||
29 | 3 files changed, 33 insertions(+), 4 deletions(-) | ||
30 | |||
31 | diff --git a/grub-core/font/font.c b/grub-core/font/font.c | ||
32 | index 5edb477..df17dba 100644 | ||
33 | --- a/grub-core/font/font.c | ||
34 | +++ b/grub-core/font/font.c | ||
35 | @@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) | ||
36 | grub_int16_t xoff; | ||
37 | grub_int16_t yoff; | ||
38 | grub_int16_t dwidth; | ||
39 | - int len; | ||
40 | + grub_ssize_t len; | ||
41 | + grub_size_t sz; | ||
42 | |||
43 | if (index_entry->glyph) | ||
44 | /* Return cached glyph. */ | ||
45 | @@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) | ||
46 | return 0; | ||
47 | } | ||
48 | |||
49 | - len = (width * height + 7) / 8; | ||
50 | - glyph = grub_malloc (sizeof (struct grub_font_glyph) + len); | ||
51 | - if (!glyph) | ||
52 | + /* Calculate real struct size of current glyph. */ | ||
53 | + if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) || | ||
54 | + grub_add (sizeof (struct grub_font_glyph), len, &sz)) | ||
55 | + { | ||
56 | + remove_font (font); | ||
57 | + return 0; | ||
58 | + } | ||
59 | + | ||
60 | + /* Allocate and initialize the glyph struct. */ | ||
61 | + glyph = grub_malloc (sz); | ||
62 | + if (glyph == NULL) | ||
63 | { | ||
64 | remove_font (font); | ||
65 | return 0; | ||
66 | diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h | ||
67 | index 5728f8c..0d9603f 100644 | ||
68 | --- a/include/grub/bitmap.h | ||
69 | +++ b/include/grub/bitmap.h | ||
70 | @@ -23,6 +23,7 @@ | ||
71 | #include <grub/symbol.h> | ||
72 | #include <grub/types.h> | ||
73 | #include <grub/video.h> | ||
74 | +#include <grub/safemath.h> | ||
75 | |||
76 | struct grub_video_bitmap | ||
77 | { | ||
78 | @@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap) | ||
79 | return bitmap->mode_info.height; | ||
80 | } | ||
81 | |||
82 | +/* | ||
83 | + * Calculate and store the size of data buffer of 1bit bitmap in result. | ||
84 | + * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs. | ||
85 | + * Return true when overflow occurs or false if there is no overflow. | ||
86 | + * This function is intentionally implemented as a macro instead of | ||
87 | + * an inline function. Although a bit awkward, it preserves data types for | ||
88 | + * safemath macros and reduces macro side effects as much as possible. | ||
89 | + * | ||
90 | + * XXX: Will report false overflow if width * height > UINT64_MAX. | ||
91 | + */ | ||
92 | +#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \ | ||
93 | +({ \ | ||
94 | + grub_uint64_t _bitmap_pixels; \ | ||
95 | + grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \ | ||
96 | + grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \ | ||
97 | +}) | ||
98 | + | ||
99 | void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap, | ||
100 | struct grub_video_mode_info *mode_info); | ||
101 | |||
102 | diff --git a/include/grub/safemath.h b/include/grub/safemath.h | ||
103 | index c17b89b..bb0f826 100644 | ||
104 | --- a/include/grub/safemath.h | ||
105 | +++ b/include/grub/safemath.h | ||
106 | @@ -30,6 +30,8 @@ | ||
107 | #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) | ||
108 | #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) | ||
109 | |||
110 | +#define grub_cast(a, res) grub_add ((a), 0, (res)) | ||
111 | + | ||
112 | #else | ||
113 | #error gcc 5.1 or newer or clang 3.8 or newer is required | ||
114 | #endif | ||
115 | -- | ||
116 | 2.25.1 | ||
117 | |||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 777839d0b6..d09eecd8ac 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -103,6 +103,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
103 | file://CVE-2022-28734.patch \ | 103 | file://CVE-2022-28734.patch \ |
104 | file://CVE-2022-28736.patch \ | 104 | file://CVE-2022-28736.patch \ |
105 | file://CVE-2022-28735.patch \ | 105 | file://CVE-2022-28735.patch \ |
106 | file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \ | ||
107 | file://CVE-2022-2601.patch \ | ||
108 | file://CVE-2022-3775.patch \ | ||
106 | " | 109 | " |
107 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 110 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
108 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 111 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |