diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-3697.patch')
| -rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3697.patch | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch new file mode 100644 index 0000000000..be15e7d1f2 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch | |||
| @@ -0,0 +1,82 @@ | |||
| 1 | From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 3 | Date: Tue, 19 Jul 2022 11:13:02 +0530 | ||
| 4 | Subject: [PATCH] CVE-2021-3697 | ||
| 5 | |||
| 6 | Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6] | ||
| 7 | CVE: CVE-2021-3697 | ||
| 8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 9 | |||
| 10 | video/readers/jpeg: Block int underflow -> wild pointer write | ||
| 11 | |||
| 12 | Certain 1 px wide images caused a wild pointer write in | ||
| 13 | grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), | ||
| 14 | we have the following loop: | ||
| 15 | |||
| 16 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
| 17 | data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
| 18 | |||
| 19 | We did not check if vb * width >= hb * nc1. | ||
| 20 | |||
| 21 | On a 64-bit platform, if that turns out to be negative, it will underflow, | ||
| 22 | be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so | ||
| 23 | we see data->bitmap_ptr jump, e.g.: | ||
| 24 | |||
| 25 | 0x6180_0000_0480 to | ||
| 26 | 0x6181_0000_0498 | ||
| 27 | ^ | ||
| 28 | ~--- carry has occurred and this pointer is now far away from | ||
| 29 | any object. | ||
| 30 | |||
| 31 | On a 32-bit platform, it will decrement the pointer, creating a pointer | ||
| 32 | that won't crash but will overwrite random data. | ||
| 33 | |||
| 34 | Catch the underflow and error out. | ||
| 35 | |||
| 36 | Fixes: CVE-2021-3697 | ||
| 37 | |||
| 38 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 39 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 40 | --- | ||
| 41 | grub-core/video/readers/jpeg.c | 10 +++++++++- | ||
| 42 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
| 43 | |||
| 44 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
| 45 | index 31359a4..545a60b 100644 | ||
| 46 | --- a/grub-core/video/readers/jpeg.c | ||
| 47 | +++ b/grub-core/video/readers/jpeg.c | ||
| 48 | @@ -23,6 +23,7 @@ | ||
| 49 | #include <grub/mm.h> | ||
| 50 | #include <grub/misc.h> | ||
| 51 | #include <grub/bufio.h> | ||
| 52 | +#include <grub/safemath.h> | ||
| 53 | |||
| 54 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
| 55 | |||
| 56 | @@ -617,6 +618,7 @@ static grub_err_t | ||
| 57 | grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| 58 | { | ||
| 59 | unsigned c1, vb, hb, nr1, nc1; | ||
| 60 | + unsigned stride_a, stride_b, stride; | ||
| 61 | int rst = data->dri; | ||
| 62 | |||
| 63 | vb = 8 << data->log_vs; | ||
| 64 | @@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| 65 | nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs); | ||
| 66 | nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs); | ||
| 67 | |||
| 68 | + if (grub_mul(vb, data->image_width, &stride_a) || | ||
| 69 | + grub_mul(hb, nc1, &stride_b) || | ||
| 70 | + grub_sub(stride_a, stride_b, &stride)) | ||
| 71 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 72 | + "jpeg: cannot decode image with these dimensions"); | ||
| 73 | + | ||
| 74 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
| 75 | - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
| 76 | + data->r1++, data->bitmap_ptr += stride * 3) | ||
| 77 | for (c1 = 0; c1 < nc1 && (!data->dri || rst); | ||
| 78 | c1++, rst--, data->bitmap_ptr += hb * 3) | ||
| 79 | { | ||
| 80 | -- | ||
| 81 | 2.25.1 | ||
| 82 | |||