1 files changed, 119 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25647.patch b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
new file mode 100644
index 0000000000..cb77fd4772
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
@@ -0,0 +1,119 @@
+From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 11 Dec 2020 19:19:21 +0100
+Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
+ devices
+The maximum number of configurations and interfaces are fixed but there is
+no out-of-bound checking to prevent a malicious USB device to report large
+values for these and cause accesses outside the arrays' memory.
+Fixes: CVE-2020-25647
+Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=128c16a682034263eb519c89bc0934eeb6fa8cfa]
+CVE: CVE-2020-25647
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/bus/usb/usb.c | 15 ++++++++++++---
+ include/grub/usb.h      | 10 +++++++---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
+index 8da5e4c74..7cb3cc230 100644
+--- a/grub-core/bus/usb/usb.c
+++ b/grub-core/bus/usb/usb.c
+@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
+ grub_usb_err_t
+ grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
+ {
+  if (endpoint >= GRUB_USB_MAX_TOGGLE)
+    return GRUB_USB_ERR_BADDEVICE;
+
+   dev->toggle[endpoint] = 0;
+   return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
+                                     | GRUB_USB_REQTYPE_STANDARD
+@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+     return err;
+   descdev = &dev->descdev;
+ 
+-  for (i = 0; i < 8; i++)
+  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+     dev->config[i].descconf = NULL;
+ 
+-  if (descdev->configcnt == 0)
+  if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
+     {
+       err = GRUB_USB_ERR_BADDEVICE;
+       goto fail;
+@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+       /* Skip the configuration descriptor.  */
+       pos = dev->config[i].descconf->length;
+ 
+      if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
+        {
+          err = GRUB_USB_ERR_BADDEVICE;
+          goto fail;
+        }
+
+       /* Read all interfaces.  */
+       for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
+        {
+@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ 
+  fail:
+ 
+-  for (i = 0; i < 8; i++)
+  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+     grub_free (dev->config[i].descconf);
+ 
+   return err;
+diff --git a/include/grub/usb.h b/include/grub/usb.h
+index 512ae1dd0..6475c552f 100644
+--- a/include/grub/usb.h
+++ b/include/grub/usb.h
+@@ -23,6 +23,10 @@
+ #include <grub/usbdesc.h>
+ #include <grub/usbtrans.h>
+ 
+#define GRUB_USB_MAX_CONF    8
+#define GRUB_USB_MAX_IF      32
+#define GRUB_USB_MAX_TOGGLE  256
+
+ typedef struct grub_usb_device *grub_usb_device_t;
+ typedef struct grub_usb_controller *grub_usb_controller_t;
+ typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
+@@ -167,7 +171,7 @@ struct grub_usb_configuration
+   struct grub_usb_desc_config *descconf;
+ 
+   /* Interfaces associated to this configuration.  */
+-  struct grub_usb_interface interf[32];
+  struct grub_usb_interface interf[GRUB_USB_MAX_IF];
+ };
+ 
+ struct grub_usb_hub_port
+@@ -191,7 +195,7 @@ struct grub_usb_device
+   struct grub_usb_controller controller;
+ 
+   /* Device configurations (after opening the device).  */
+-  struct grub_usb_configuration config[8];
+  struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
+ 
+   /* Device address.  */
+   int addr;
+@@ -203,7 +207,7 @@ struct grub_usb_device
+   int initialized;
+ 
+   /* Data toggle values (used for bulk transfers only).  */
+-  int toggle[256];
+  int toggle[GRUB_USB_MAX_TOGGLE];
+ 
+   /* Used by libusb wrapper.  Schedulded for removal. */
+   void *data;
+-- 
+2.33.0

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25647.patch b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch new file mode 100644 index 0000000000..cb77fd4772 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
@@ -0,0 +1,119 @@
	1	From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Fri, 11 Dec 2020 19:19:21 +0100
	4	Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
	5	devices
	6
	7	The maximum number of configurations and interfaces are fixed but there is
	8	no out-of-bound checking to prevent a malicious USB device to report large
	9	values for these and cause accesses outside the arrays' memory.
	10
	11	Fixes: CVE-2020-25647
	12
	13	Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
	14	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	15	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	17
	18	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=128c16a682034263eb519c89bc0934eeb6fa8cfa]
	19	CVE: CVE-2020-25647
	20	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	21	---
	22	grub-core/bus/usb/usb.c \| 15 ++++++++++++---
	23	include/grub/usb.h \| 10 +++++++---
	24	2 files changed, 19 insertions(+), 6 deletions(-)
	25
	26	diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
	27	index 8da5e4c74..7cb3cc230 100644
	28	--- a/grub-core/bus/usb/usb.c
	29	+++ b/grub-core/bus/usb/usb.c
	30	@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
	31	grub_usb_err_t
	32	grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
	33	{
	34	+ if (endpoint >= GRUB_USB_MAX_TOGGLE)
	35	+ return GRUB_USB_ERR_BADDEVICE;
	36	+
	37	dev->toggle[endpoint] = 0;
	38	return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
	39	\| GRUB_USB_REQTYPE_STANDARD
	40	@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
	41	return err;
	42	descdev = &dev->descdev;
	43
	44	- for (i = 0; i < 8; i++)
	45	+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
	46	dev->config[i].descconf = NULL;
	47
	48	- if (descdev->configcnt == 0)
	49	+ if (descdev->configcnt == 0 \|\| descdev->configcnt > GRUB_USB_MAX_CONF)
	50	{
	51	err = GRUB_USB_ERR_BADDEVICE;
	52	goto fail;
	53	@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
	54	/* Skip the configuration descriptor. */
	55	pos = dev->config[i].descconf->length;
	56
	57	+ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
	58	+ {
	59	+ err = GRUB_USB_ERR_BADDEVICE;
	60	+ goto fail;
	61	+ }
	62	+
	63	/* Read all interfaces. */
	64	for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
	65	{
	66	@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
	67
	68	fail:
	69
	70	- for (i = 0; i < 8; i++)
	71	+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
	72	grub_free (dev->config[i].descconf);
	73
	74	return err;
	75	diff --git a/include/grub/usb.h b/include/grub/usb.h
	76	index 512ae1dd0..6475c552f 100644
	77	--- a/include/grub/usb.h
	78	+++ b/include/grub/usb.h
	79	@@ -23,6 +23,10 @@
	80	#include <grub/usbdesc.h>
	81	#include <grub/usbtrans.h>
	82
	83	+#define GRUB_USB_MAX_CONF 8
	84	+#define GRUB_USB_MAX_IF 32
	85	+#define GRUB_USB_MAX_TOGGLE 256
	86	+
	87	typedef struct grub_usb_device *grub_usb_device_t;
	88	typedef struct grub_usb_controller *grub_usb_controller_t;
	89	typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
	90	@@ -167,7 +171,7 @@ struct grub_usb_configuration
	91	struct grub_usb_desc_config *descconf;
	92
	93	/* Interfaces associated to this configuration. */
	94	- struct grub_usb_interface interf[32];
	95	+ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
	96	};
	97
	98	struct grub_usb_hub_port
	99	@@ -191,7 +195,7 @@ struct grub_usb_device
	100	struct grub_usb_controller controller;
	101
	102	/* Device configurations (after opening the device). */
	103	- struct grub_usb_configuration config[8];
	104	+ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
	105
	106	/* Device address. */
	107	int addr;
	108	@@ -203,7 +207,7 @@ struct grub_usb_device
	109	int initialized;
	110
	111	/* Data toggle values (used for bulk transfers only). */
	112	- int toggle[256];
	113	+ int toggle[GRUB_USB_MAX_TOGGLE];
	114
	115	/* Used by libusb wrapper. Schedulded for removal. */
	116	void *data;
	117	--
	118	2.33.0
	119