1 files changed, 178 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
new file mode 100644
index 0000000000..7d6e805725
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
+From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:01:35 +0530
+Subject: [PATCH] CVE-2021-3695
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
+CVE: CVE-2021-3695
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+ video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+      for (i = 0; i < (data->image_width * data->image_height);
+   i++, d1 += 4, d2 += 2)
+{
+  d1[R3] = d2[1];
+  d1[G3] = d2[1];
+  d1[B3] = d2[1];
+}
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+Delete all PNG greyscale support.
+Fixes: CVE-2021-3695
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 89 ++++-------------------------------
+ 1 file changed, 8 insertions(+), 81 deletions(-)
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff7..db4a9d4 100644
+--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+ 
+   unsigned image_width, image_height;
+   int bpp, is_16bit;
+-  int raw_bytes, is_gray, is_alpha, is_palette;
+  int raw_bytes, is_alpha, is_palette;
+   int row_bytes, color_bits;
+   grub_uint8_t *image_data;
+ 
+@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     data->bpp = 3;
+   else
+     {
+-      data->is_gray = 1;
+-      data->bpp = 1;
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                        "png: color type not supported");
+     }
+ 
+   if ((color_bits != 8) && (color_bits != 16)
+       && (color_bits != 4
+-         || !(data->is_gray || data->is_palette)))
+         || !data->is_palette))
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                        "png: bit depth must be 8 or 16");
+ 
+@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     }
+ 
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+-  if (data->is_16bit || data->is_gray || data->is_palette)
+  if (data->is_16bit || data->is_palette)
+ #endif
+     {
+       data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
+       int shift;
+       int mask = (1 << data->color_bits) - 1;
+       unsigned j;
+-      if (data->is_gray)
+-       {
+-         /* Generic formula is
+-            (0xff * i) / ((1U << data->color_bits) - 1)
+-            but for allowed bit depth of 1, 2 and for it's
+-            equivalent to
+-            (0xff / ((1U << data->color_bits) - 1)) * i
+-            Precompute the multipliers to avoid division.
+-         */
+-
+-         const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+-         for (i = 0; i < (1U << data->color_bits); i++)
+-           {
+-             grub_uint8_t col = multipliers[data->color_bits] * i;
+-             palette[i][0] = col;
+-             palette[i][1] = col;
+-             palette[i][2] = col;
+-           }
+-       }
+-      else
+-       grub_memcpy (palette, data->palette, 3 << data->color_bits);
+
+      grub_memcpy (palette, data->palette, 3 << data->color_bits);
+       d1c = d1;
+       d2c = d2;
+       for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
+       return;
+     }
+   
+-  if (data->is_gray)
+-    {
+-      switch (data->bpp)
+-       {
+-       case 4:
+-         /* 16-bit gray with alpha.  */
+-         for (i = 0; i < (data->image_width * data->image_height);
+-              i++, d1 += 4, d2 += 4)
+-           {
+-             d1[R4] = d2[3];
+-             d1[G4] = d2[3];
+-             d1[B4] = d2[3];
+-             d1[A4] = d2[1];
+-           }
+-         break;
+-       case 2:
+-         if (data->is_16bit)
+-           /* 16-bit gray without alpha.  */
+-           {
+-             for (i = 0; i < (data->image_width * data->image_height);
+-                  i++, d1 += 4, d2 += 2)
+-               {
+-                 d1[R3] = d2[1];
+-                 d1[G3] = d2[1];
+-                 d1[B3] = d2[1];
+-               }
+-           }
+-         else
+-           /* 8-bit gray with alpha.  */
+-           {
+-             for (i = 0; i < (data->image_width * data->image_height);
+-                  i++, d1 += 4, d2 += 2)
+-               {
+-                 d1[R4] = d2[1];
+-                 d1[G4] = d2[1];
+-                 d1[B4] = d2[1];
+-                 d1[A4] = d2[0];
+-               }
+-           }
+-         break;
+-         /* 8-bit gray without alpha.  */
+-       case 1:
+-         for (i = 0; i < (data->image_width * data->image_height);
+-              i++, d1 += 3, d2++)
+-           {
+-             d1[R3] = d2[0];
+-             d1[G3] = d2[0];
+-             d1[B3] = d2[0];
+-           }
+-         break;
+-       }
+-      return;
+-    }
+-
+-    {
+  {
+   /* Only copy the upper 8 bit.  */
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+       for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch new file mode 100644 index 0000000000..7d6e805725 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
	1	From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Wed, 20 Jul 2022 10:01:35 +0530
	4	Subject: [PATCH] CVE-2021-3695
	5
	6	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
	7	CVE: CVE-2021-3695
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9
	10	video/readers/png: Drop greyscale support to fix heap out-of-bounds write
	11
	12	A 16-bit greyscale PNG without alpha is processed in the following loop:
	13
	14	for (i = 0; i < (data->image_width * data->image_height);
	15	i++, d1 += 4, d2 += 2)
	16	{
	17	d1[R3] = d2[1];
	18	d1[G3] = d2[1];
	19	d1[B3] = d2[1];
	20	}
	21
	22	The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
	23	but there are only 3 bytes allocated for storage. This means that image
	24	data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
	25	out of every 4 following the end of the image.
	26
	27	This has existed since greyscale support was added in 2013 in commit
	28	3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
	29
	30	Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
	31	and attempting to load it causes grub-emu to crash - I don't think this code
	32	has ever worked.
	33
	34	Delete all PNG greyscale support.
	35
	36	Fixes: CVE-2021-3695
	37
	38	Signed-off-by: Daniel Axtens <dja@axtens.net>
	39	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	40	---
	41	grub-core/video/readers/png.c \| 89 ++++-------------------------------
	42	1 file changed, 8 insertions(+), 81 deletions(-)
	43
	44	diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
	45	index 0157ff7..db4a9d4 100644
	46	--- a/grub-core/video/readers/png.c
	47	+++ b/grub-core/video/readers/png.c
	48	@@ -100,7 +100,7 @@ struct grub_png_data
	49
	50	unsigned image_width, image_height;
	51	int bpp, is_16bit;
	52	- int raw_bytes, is_gray, is_alpha, is_palette;
	53	+ int raw_bytes, is_alpha, is_palette;
	54	int row_bytes, color_bits;
	55	grub_uint8_t *image_data;
	56
	57	@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
	58	data->bpp = 3;
	59	else
	60	{
	61	- data->is_gray = 1;
	62	- data->bpp = 1;
	63	+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
	64	+ "png: color type not supported");
	65	}
	66
	67	if ((color_bits != 8) && (color_bits != 16)
	68	&& (color_bits != 4
	69	- \|\| !(data->is_gray \|\| data->is_palette)))
	70	+ \|\| !data->is_palette))
	71	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
	72	"png: bit depth must be 8 or 16");
	73
	74	@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
	75	}
	76
	77	#ifndef GRUB_CPU_WORDS_BIGENDIAN
	78	- if (data->is_16bit \|\| data->is_gray \|\| data->is_palette)
	79	+ if (data->is_16bit \|\| data->is_palette)
	80	#endif
	81	{
	82	data->image_data = grub_calloc (data->image_height, data->row_bytes);
	83	@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
	84	int shift;
	85	int mask = (1 << data->color_bits) - 1;
	86	unsigned j;
	87	- if (data->is_gray)
	88	- {
	89	- /* Generic formula is
	90	- (0xff * i) / ((1U << data->color_bits) - 1)
	91	- but for allowed bit depth of 1, 2 and for it's
	92	- equivalent to
	93	- (0xff / ((1U << data->color_bits) - 1)) * i
	94	- Precompute the multipliers to avoid division.
	95	- */
	96	-
	97	- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
	98	- for (i = 0; i < (1U << data->color_bits); i++)
	99	- {
	100	- grub_uint8_t col = multipliers[data->color_bits] * i;
	101	- palette[i][0] = col;
	102	- palette[i][1] = col;
	103	- palette[i][2] = col;
	104	- }
	105	- }
	106	- else
	107	- grub_memcpy (palette, data->palette, 3 << data->color_bits);
	108	+
	109	+ grub_memcpy (palette, data->palette, 3 << data->color_bits);
	110	d1c = d1;
	111	d2c = d2;
	112	for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
	113	@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
	114	return;
	115	}
	116
	117	- if (data->is_gray)
	118	- {
	119	- switch (data->bpp)
	120	- {
	121	- case 4:
	122	- /* 16-bit gray with alpha. */
	123	- for (i = 0; i < (data->image_width * data->image_height);
	124	- i++, d1 += 4, d2 += 4)
	125	- {
	126	- d1[R4] = d2[3];
	127	- d1[G4] = d2[3];
	128	- d1[B4] = d2[3];
	129	- d1[A4] = d2[1];
	130	- }
	131	- break;
	132	- case 2:
	133	- if (data->is_16bit)
	134	- /* 16-bit gray without alpha. */
	135	- {
	136	- for (i = 0; i < (data->image_width * data->image_height);
	137	- i++, d1 += 4, d2 += 2)
	138	- {
	139	- d1[R3] = d2[1];
	140	- d1[G3] = d2[1];
	141	- d1[B3] = d2[1];
	142	- }
	143	- }
	144	- else
	145	- /* 8-bit gray with alpha. */
	146	- {
	147	- for (i = 0; i < (data->image_width * data->image_height);
	148	- i++, d1 += 4, d2 += 2)
	149	- {
	150	- d1[R4] = d2[1];
	151	- d1[G4] = d2[1];
	152	- d1[B4] = d2[1];
	153	- d1[A4] = d2[0];
	154	- }
	155	- }
	156	- break;
	157	- /* 8-bit gray without alpha. */
	158	- case 1:
	159	- for (i = 0; i < (data->image_width * data->image_height);
	160	- i++, d1 += 3, d2++)
	161	- {
	162	- d1[R3] = d2[0];
	163	- d1[G3] = d2[0];
	164	- d1[B3] = d2[0];
	165	- }
	166	- break;
	167	- }
	168	- return;
	169	- }
	170	-
	171	- {
	172	+ {
	173	/* Only copy the upper 8 bit. */
	174	#ifndef GRUB_CPU_WORDS_BIGENDIAN
	175	for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
	176	--
	177	2.25.1
	178