diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-20225.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-20225.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20225.patch b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch new file mode 100644 index 0000000000..b864febe62 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Axtens <dja@axtens.net> | ||
3 | Date: Fri, 22 Jan 2021 16:07:29 +1100 | ||
4 | Subject: lib/arg: Block repeated short options that require an argument | ||
5 | |||
6 | Fuzzing found the following crash: | ||
7 | |||
8 | search -hhhhhhhhhhhhhf | ||
9 | |||
10 | We didn't allocate enough option space for 13 hints because the | ||
11 | allocation code counts the number of discrete arguments (i.e. argc). | ||
12 | However, the shortopt parsing code will happily keep processing | ||
13 | a combination of short options without checking if those short | ||
14 | options require an argument. This means you can easily end writing | ||
15 | past the allocated option space. | ||
16 | |||
17 | This fixes a OOB write which can cause heap corruption. | ||
18 | |||
19 | Fixes: CVE-2021-20225 | ||
20 | |||
21 | Reported-by: Daniel Axtens <dja@axtens.net> | ||
22 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
23 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
24 | |||
25 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6] | ||
26 | CVE: CVE-2021-20225 | ||
27 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
28 | --- | ||
29 | grub-core/lib/arg.c | 13 +++++++++++++ | ||
30 | 1 file changed, 13 insertions(+) | ||
31 | |||
32 | diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c | ||
33 | index 3288609..537c5e9 100644 | ||
34 | --- a/grub-core/lib/arg.c | ||
35 | +++ b/grub-core/lib/arg.c | ||
36 | @@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv, | ||
37 | it can have an argument value. */ | ||
38 | if (*curshort) | ||
39 | { | ||
40 | + /* | ||
41 | + * Only permit further short opts if this one doesn't | ||
42 | + * require a value. | ||
43 | + */ | ||
44 | + if (opt->type != ARG_TYPE_NONE && | ||
45 | + !(opt->flags & GRUB_ARG_OPTION_OPTIONAL)) | ||
46 | + { | ||
47 | + grub_error (GRUB_ERR_BAD_ARGUMENT, | ||
48 | + N_("missing mandatory option for `%s'"), | ||
49 | + opt->longarg); | ||
50 | + goto fail; | ||
51 | + } | ||
52 | + | ||
53 | if (parse_option (cmd, opt, 0, usr) || grub_errno) | ||
54 | goto fail; | ||
55 | } | ||
56 | -- | ||
57 | 2.25.1 | ||
58 | |||