diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2022-28733.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2022-28733.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch new file mode 100644 index 0000000000..6cfdf20e2d --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 415fb5eb83cbd3b5cfc25ac1290f2de4fe3d231c Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Mon, 1 Aug 2022 10:48:34 +0530 | ||
4 | Subject: [PATCH] CVE-2022-28733 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e4817538de828319ba6d59ced2fbb9b5ca13287] | ||
7 | CVE: CVE-2022-28733 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | |||
10 | net/ip: Do IP fragment maths safely | ||
11 | |||
12 | We can receive packets with invalid IP fragmentation information. This | ||
13 | can lead to rsm->total_len underflowing and becoming very large. | ||
14 | |||
15 | Then, in grub_netbuff_alloc(), we add to this very large number, which can | ||
16 | cause it to overflow and wrap back around to a small positive number. | ||
17 | The allocation then succeeds, but the resulting buffer is too small and | ||
18 | subsequent operations can write past the end of the buffer. | ||
19 | |||
20 | Catch the underflow here. | ||
21 | |||
22 | Fixes: CVE-2022-28733 | ||
23 | |||
24 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
25 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
26 | --- | ||
27 | grub-core/net/ip.c | 10 +++++++++- | ||
28 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
29 | |||
30 | diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c | ||
31 | index ea5edf8..74e4e8b 100644 | ||
32 | --- a/grub-core/net/ip.c | ||
33 | +++ b/grub-core/net/ip.c | ||
34 | @@ -25,6 +25,7 @@ | ||
35 | #include <grub/net/netbuff.h> | ||
36 | #include <grub/mm.h> | ||
37 | #include <grub/priority_queue.h> | ||
38 | +#include <grub/safemath.h> | ||
39 | #include <grub/time.h> | ||
40 | |||
41 | struct iphdr { | ||
42 | @@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, | ||
43 | { | ||
44 | rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) | ||
45 | + (nb->tail - nb->data)); | ||
46 | - rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); | ||
47 | + | ||
48 | + if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), | ||
49 | + &rsm->total_len)) | ||
50 | + { | ||
51 | + grub_dprintf ("net", "IP reassembly size underflow\n"); | ||
52 | + return GRUB_ERR_NONE; | ||
53 | + } | ||
54 | + | ||
55 | rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); | ||
56 | if (!rsm->asm_netbuff) | ||
57 | { | ||
58 | -- | ||
59 | 2.25.1 | ||
60 | |||