Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-3695.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3695.patch | 178 |
1 files changed, 178 insertions, 0 deletions
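--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
+From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:01:35 +0530
+Subject: [PATCH] CVE-2021-3695
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
+CVE: CVE-2021-3695
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+for (i = 0; i < (data->image_width * data->image_height);
+i++, d1 += 4, d2 += 2)
+{
+d1[R3] = d2[1];
+d1[G3] = d2[1];
+d1[B3] = d2[1];
+}
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+grub-core/video/readers/png.c | 89 ++++-------------------------------
+1 file changed, 8 insertions(+), 81 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff7..db4a9d4 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+
+unsigned image_width, image_height;
+int bpp, is_16bit;
+- int raw_bytes, is_gray, is_alpha, is_palette;
++ int raw_bytes, is_alpha, is_palette;
+int row_bytes, color_bits;
+grub_uint8_t *image_data;
+
+@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+data->bpp = 3;
+else
+{
+- data->is_gray = 1;
+- data->bpp = 1;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: color type not supported");
+}
+
+if ((color_bits != 8) && (color_bits != 16)
+&& (color_bits != 4
+- || !(data->is_gray || data->is_palette)))
++ || !data->is_palette))
+return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+"png: bit depth must be 8 or 16");
+
+@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+}
+
+#ifndef GRUB_CPU_WORDS_BIGENDIAN
+- if (data->is_16bit || data->is_gray || data->is_palette)
++ if (data->is_16bit || data->is_palette)
+#endif
+{
+data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
+int shift;
+int mask = (1 << data->color_bits) - 1;
+unsigned j;
+- if (data->is_gray)
+- {
+- /* Generic formula is
+- (0xff * i) / ((1U << data->color_bits) - 1)
+- but for allowed bit depth of 1, 2 and for it's
+- equivalent to
+- (0xff / ((1U << data->color_bits) - 1)) * i
+- Precompute the multipliers to avoid division.
+- */
+-
+- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = multipliers[data->color_bits] * i;
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
+- }
+- else
+- grub_memcpy (palette, data->palette, 3 << data->color_bits);
++
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+d1c = d1;
+d2c = d2;
+for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
+return;
+}
+
+- if (data->is_gray)
+- {
+- switch (data->bpp)
+- {
+- case 4:
+- /* 16-bit gray with alpha. */
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 4)
+- {
+- d1[R4] = d2[3];
+- d1[G4] = d2[3];
+- d1[B4] = d2[3];
+- d1[A4] = d2[1];
+- }
+- break;
+- case 2:
+- if (data->is_16bit)
+- /* 16-bit gray without alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R3] = d2[1];
+- d1[G3] = d2[1];
+- d1[B3] = d2[1];
+- }
+- }
+- else
+- /* 8-bit gray with alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R4] = d2[1];
+- d1[G4] = d2[1];
+- d1[B4] = d2[1];
+- d1[A4] = d2[0];
+- }
+- }
+- break;
+- /* 8-bit gray without alpha. */
+- case 1:
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 3, d2++)
+- {
+- d1[R3] = d2[0];
+- d1[G3] = d2[0];
+- d1[B3] = d2[0];
+- }
+- break;
+- }
+- return;
+- }
+-
+- {
++ {
+/* Only copy the upper 8 bit. */
+#ifndef GRUB_CPU_WORDS_BIGENDIAN
+for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
+--
+2.25.1
+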
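Review bot: The mail header of the added patch (file lines 2-8) loses the upstream provenance: `From:` names the backporter and `Subject:` is only `[PATCH] CVE-2021-3695`, while the upstream subject sits in the body at line 10 and the upstream author appears only in the `Signed-off-by` at line 38. Keeping `From: Daniel Axtens <dja@axtens.net>` and `Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap out-of-bounds write`, with the `Upstream-Status`, `CVE` and backporter `Signed-off-by` tags placed after the upstream trailers, would let an auditor match this file directly against upstream commit e623866d9286. Separately, the fix makes `grub_png_decode_image_header` return `GRUB_ERR_BAD_FILE_TYPE` in the branch that previously set `is_gray`, so greyscale PNGs are now rejected outright, and the recipe commit message should say that themes shipping such images will stop loading. The diffstat is limited to this one file, so whether the patch is also listed in the recipe's `SRC_URI` cannot be confirmed from this view.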