diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-25647.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-25647.patch | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25647.patch b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch new file mode 100644 index 0000000000..cb77fd4772 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch | |||
@@ -0,0 +1,119 @@ | |||
1 | From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Fri, 11 Dec 2020 19:19:21 +0100 | ||
4 | Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious | ||
5 | devices | ||
6 | |||
7 | The maximum number of configurations and interfaces are fixed but there is | ||
8 | no out-of-bound checking to prevent a malicious USB device to report large | ||
9 | values for these and cause accesses outside the arrays' memory. | ||
10 | |||
11 | Fixes: CVE-2020-25647 | ||
12 | |||
13 | Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com> | ||
14 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | ||
15 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
16 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
17 | |||
18 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=128c16a682034263eb519c89bc0934eeb6fa8cfa] | ||
19 | CVE: CVE-2020-25647 | ||
20 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
21 | --- | ||
22 | grub-core/bus/usb/usb.c | 15 ++++++++++++--- | ||
23 | include/grub/usb.h | 10 +++++++--- | ||
24 | 2 files changed, 19 insertions(+), 6 deletions(-) | ||
25 | |||
26 | diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c | ||
27 | index 8da5e4c74..7cb3cc230 100644 | ||
28 | --- a/grub-core/bus/usb/usb.c | ||
29 | +++ b/grub-core/bus/usb/usb.c | ||
30 | @@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook, | ||
31 | grub_usb_err_t | ||
32 | grub_usb_clear_halt (grub_usb_device_t dev, int endpoint) | ||
33 | { | ||
34 | + if (endpoint >= GRUB_USB_MAX_TOGGLE) | ||
35 | + return GRUB_USB_ERR_BADDEVICE; | ||
36 | + | ||
37 | dev->toggle[endpoint] = 0; | ||
38 | return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT | ||
39 | | GRUB_USB_REQTYPE_STANDARD | ||
40 | @@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev) | ||
41 | return err; | ||
42 | descdev = &dev->descdev; | ||
43 | |||
44 | - for (i = 0; i < 8; i++) | ||
45 | + for (i = 0; i < GRUB_USB_MAX_CONF; i++) | ||
46 | dev->config[i].descconf = NULL; | ||
47 | |||
48 | - if (descdev->configcnt == 0) | ||
49 | + if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF) | ||
50 | { | ||
51 | err = GRUB_USB_ERR_BADDEVICE; | ||
52 | goto fail; | ||
53 | @@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev) | ||
54 | /* Skip the configuration descriptor. */ | ||
55 | pos = dev->config[i].descconf->length; | ||
56 | |||
57 | + if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF) | ||
58 | + { | ||
59 | + err = GRUB_USB_ERR_BADDEVICE; | ||
60 | + goto fail; | ||
61 | + } | ||
62 | + | ||
63 | /* Read all interfaces. */ | ||
64 | for (currif = 0; currif < dev->config[i].descconf->numif; currif++) | ||
65 | { | ||
66 | @@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev) | ||
67 | |||
68 | fail: | ||
69 | |||
70 | - for (i = 0; i < 8; i++) | ||
71 | + for (i = 0; i < GRUB_USB_MAX_CONF; i++) | ||
72 | grub_free (dev->config[i].descconf); | ||
73 | |||
74 | return err; | ||
75 | diff --git a/include/grub/usb.h b/include/grub/usb.h | ||
76 | index 512ae1dd0..6475c552f 100644 | ||
77 | --- a/include/grub/usb.h | ||
78 | +++ b/include/grub/usb.h | ||
79 | @@ -23,6 +23,10 @@ | ||
80 | #include <grub/usbdesc.h> | ||
81 | #include <grub/usbtrans.h> | ||
82 | |||
83 | +#define GRUB_USB_MAX_CONF 8 | ||
84 | +#define GRUB_USB_MAX_IF 32 | ||
85 | +#define GRUB_USB_MAX_TOGGLE 256 | ||
86 | + | ||
87 | typedef struct grub_usb_device *grub_usb_device_t; | ||
88 | typedef struct grub_usb_controller *grub_usb_controller_t; | ||
89 | typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t; | ||
90 | @@ -167,7 +171,7 @@ struct grub_usb_configuration | ||
91 | struct grub_usb_desc_config *descconf; | ||
92 | |||
93 | /* Interfaces associated to this configuration. */ | ||
94 | - struct grub_usb_interface interf[32]; | ||
95 | + struct grub_usb_interface interf[GRUB_USB_MAX_IF]; | ||
96 | }; | ||
97 | |||
98 | struct grub_usb_hub_port | ||
99 | @@ -191,7 +195,7 @@ struct grub_usb_device | ||
100 | struct grub_usb_controller controller; | ||
101 | |||
102 | /* Device configurations (after opening the device). */ | ||
103 | - struct grub_usb_configuration config[8]; | ||
104 | + struct grub_usb_configuration config[GRUB_USB_MAX_CONF]; | ||
105 | |||
106 | /* Device address. */ | ||
107 | int addr; | ||
108 | @@ -203,7 +207,7 @@ struct grub_usb_device | ||
109 | int initialized; | ||
110 | |||
111 | /* Data toggle values (used for bulk transfers only). */ | ||
112 | - int toggle[256]; | ||
113 | + int toggle[GRUB_USB_MAX_TOGGLE]; | ||
114 | |||
115 | /* Used by libusb wrapper. Schedulded for removal. */ | ||
116 | void *data; | ||
117 | -- | ||
118 | 2.33.0 | ||
119 | |||