diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch new file mode 100644 index 0000000000..e9fc52df86 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch | |||
@@ -0,0 +1,84 @@ | |||
1 | From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Axtens <dja@axtens.net> | ||
3 | Date: Wed, 7 Jul 2021 15:38:19 +1000 | ||
4 | Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write | ||
5 | |||
6 | Certain 1 px wide images caused a wild pointer write in | ||
7 | grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), | ||
8 | we have the following loop: | ||
9 | |||
10 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
11 | data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
12 | |||
13 | We did not check if vb * width >= hb * nc1. | ||
14 | |||
15 | On a 64-bit platform, if that turns out to be negative, it will underflow, | ||
16 | be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so | ||
17 | we see data->bitmap_ptr jump, e.g.: | ||
18 | |||
19 | 0x6180_0000_0480 to | ||
20 | 0x6181_0000_0498 | ||
21 | ^ | ||
22 | ~--- carry has occurred and this pointer is now far away from | ||
23 | any object. | ||
24 | |||
25 | On a 32-bit platform, it will decrement the pointer, creating a pointer | ||
26 | that won't crash but will overwrite random data. | ||
27 | |||
28 | Catch the underflow and error out. | ||
29 | |||
30 | Fixes: CVE-2021-3697 | ||
31 | |||
32 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
33 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
34 | |||
35 | Upstream-Status: Backport | ||
36 | CVE: CVE-2021-3697 | ||
37 | |||
38 | Reference to upstream patch: | ||
39 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 | ||
40 | |||
41 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
42 | --- | ||
43 | grub-core/video/readers/jpeg.c | 10 +++++++++- | ||
44 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
45 | |||
46 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
47 | index 579bbe8a4..09596fbf5 100644 | ||
48 | --- a/grub-core/video/readers/jpeg.c | ||
49 | +++ b/grub-core/video/readers/jpeg.c | ||
50 | @@ -23,6 +23,7 @@ | ||
51 | #include <grub/mm.h> | ||
52 | #include <grub/misc.h> | ||
53 | #include <grub/bufio.h> | ||
54 | +#include <grub/safemath.h> | ||
55 | |||
56 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
57 | |||
58 | @@ -699,6 +700,7 @@ static grub_err_t | ||
59 | grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
60 | { | ||
61 | unsigned c1, vb, hb, nr1, nc1; | ||
62 | + unsigned stride_a, stride_b, stride; | ||
63 | int rst = data->dri; | ||
64 | grub_err_t err = GRUB_ERR_NONE; | ||
65 | |||
66 | @@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
67 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
68 | "jpeg: attempted to decode data before start of stream"); | ||
69 | |||
70 | + if (grub_mul(vb, data->image_width, &stride_a) || | ||
71 | + grub_mul(hb, nc1, &stride_b) || | ||
72 | + grub_sub(stride_a, stride_b, &stride)) | ||
73 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
74 | + "jpeg: cannot decode image with these dimensions"); | ||
75 | + | ||
76 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
77 | - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
78 | + data->r1++, data->bitmap_ptr += stride * 3) | ||
79 | for (c1 = 0; c1 < nc1 && (!data->dri || rst); | ||
80 | c1++, rst--, data->bitmap_ptr += hb * 3) | ||
81 | { | ||
82 | -- | ||
83 | 2.34.1 | ||
84 | |||