1 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
new file mode 100644
index 0000000000..090f693be3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+Fixes: CVE-2022-2601
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index df17dba..f110db9 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   struct grub_video_signed_rect bounds;
+   static struct grub_font_glyph *glyph = 0;
+   static grub_size_t max_glyph_size = 0;
+  grub_size_t cur_glyph_size;
+ 
+   ensure_comb_space (glyph_id);
+ 
+@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   if (!glyph_id->ncomb && !glyph_id->attributes)
+     return main_glyph;
+ 
+-  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
+  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
+      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
+    return main_glyph;
+
+  if (max_glyph_size < cur_glyph_size)
+     {
+       grub_free (glyph);
+-      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+-      if (max_glyph_size < 8)
+-       max_glyph_size = 8;
+-      glyph = grub_malloc (max_glyph_size);
+      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
+       max_glyph_size = 0;
+      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+     }
+   if (!glyph)
+     {
+      max_glyph_size = 0;
+       grub_errno = GRUB_ERR_NONE;
+       return main_glyph;
+     }
+ 
+-  grub_memset (glyph, 0, sizeof (*glyph)
+-              + (bounds.width * bounds.height
+-                 + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
+  grub_memset (glyph, 0, cur_glyph_size);
+ 
+   glyph->font = main_glyph->font;
+-  glyph->width = bounds.width;
+-  glyph->height = bounds.height;
+-  glyph->offset_x = bounds.x;
+-  glyph->offset_y = bounds.y;
+  if (bounds.width == 0 || bounds.height == 0 ||
+      grub_cast (bounds.width, &glyph->width) ||
+      grub_cast (bounds.height, &glyph->height) ||
+      grub_cast (bounds.x, &glyph->offset_x) ||
+      grub_cast (bounds.y, &glyph->offset_y))
+    return main_glyph;
+ 
+   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+     grub_font_blit_glyph_mirror (glyph, main_glyph,
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch new file mode 100644 index 0000000000..090f693be3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
	1	From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
	2	From: Zhang Boyang <zhangboyang.id@gmail.com>
	3	Date: Fri, 5 Aug 2022 01:58:27 +0800
	4	Subject: [PATCH] font: Fix several integer overflows in
	5	grub_font_construct_glyph()
	6
	7	This patch fixes several integer overflows in grub_font_construct_glyph().
	8	Glyphs of invalid size, zero or leading to an overflow, are rejected.
	9	The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
	10	returns NULL is fixed too.
	11
	12	Fixes: CVE-2022-2601
	13
	14	Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
	15	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
	16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	17
	18	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
	19
	20	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
	21	CVE: CVE-2022-2601
	22	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	23	---
	24	grub-core/font/font.c \| 29 +++++++++++++++++------------
	25	1 file changed, 17 insertions(+), 12 deletions(-)
	26
	27	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
	28	index df17dba..f110db9 100644
	29	--- a/grub-core/font/font.c
	30	+++ b/grub-core/font/font.c
	31	@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
	32	struct grub_video_signed_rect bounds;
	33	static struct grub_font_glyph *glyph = 0;
	34	static grub_size_t max_glyph_size = 0;
	35	+ grub_size_t cur_glyph_size;
	36
	37	ensure_comb_space (glyph_id);
	38
	39	@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
	40	if (!glyph_id->ncomb && !glyph_id->attributes)
	41	return main_glyph;
	42
	43	- if (max_glyph_size < sizeof (glyph) + (bounds.width bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
	44	+ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) \|\|
	45	+ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
	46	+ return main_glyph;
	47	+
	48	+ if (max_glyph_size < cur_glyph_size)
	49	{
	50	grub_free (glyph);
	51	- max_glyph_size = (sizeof (glyph) + (bounds.width bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
	52	- if (max_glyph_size < 8)
	53	- max_glyph_size = 8;
	54	- glyph = grub_malloc (max_glyph_size);
	55	+ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
	56	+ max_glyph_size = 0;
	57	+ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
	58	}
	59	if (!glyph)
	60	{
	61	+ max_glyph_size = 0;
	62	grub_errno = GRUB_ERR_NONE;
	63	return main_glyph;
	64	}
	65
	66	- grub_memset (glyph, 0, sizeof (*glyph)
	67	- + (bounds.width * bounds.height
	68	- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
	69	+ grub_memset (glyph, 0, cur_glyph_size);
	70
	71	glyph->font = main_glyph->font;
	72	- glyph->width = bounds.width;
	73	- glyph->height = bounds.height;
	74	- glyph->offset_x = bounds.x;
	75	- glyph->offset_y = bounds.y;
	76	+ if (bounds.width == 0 \|\| bounds.height == 0 \|\|
	77	+ grub_cast (bounds.width, &glyph->width) \|\|
	78	+ grub_cast (bounds.height, &glyph->height) \|\|
	79	+ grub_cast (bounds.x, &glyph->offset_x) \|\|
	80	+ grub_cast (bounds.y, &glyph->offset_y))
	81	+ return main_glyph;
	82
	83	if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
	84	grub_font_blit_glyph_mirror (glyph, main_glyph,
	85	--
	86	2.25.1
	87