1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
new file mode 100644
index 0000000000..6cfdf20e2d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
@@ -0,0 +1,60 @@
+From 415fb5eb83cbd3b5cfc25ac1290f2de4fe3d231c Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:48:34 +0530
+Subject: [PATCH] CVE-2022-28733
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e4817538de828319ba6d59ced2fbb9b5ca13287]
+CVE: CVE-2022-28733
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+net/ip: Do IP fragment maths safely
+We can receive packets with invalid IP fragmentation information. This
+can lead to rsm->total_len underflowing and becoming very large.
+Then, in grub_netbuff_alloc(), we add to this very large number, which can
+cause it to overflow and wrap back around to a small positive number.
+The allocation then succeeds, but the resulting buffer is too small and
+subsequent operations can write past the end of the buffer.
+Catch the underflow here.
+Fixes: CVE-2022-28733
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index ea5edf8..74e4e8b 100644
+--- a/grub-core/net/ip.c
+++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
+#include <grub/safemath.h>
+ #include <grub/time.h>
+ 
+ struct iphdr {
+@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+     {
+       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+                        + (nb->tail - nb->data));
+-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
+
+      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
+                   &rsm->total_len))
+       {
+         grub_dprintf ("net", "IP reassembly size underflow\n");
+         return GRUB_ERR_NONE;
+       }
+
+       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+       if (!rsm->asm_netbuff)
+        {
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch new file mode 100644 index 0000000000..6cfdf20e2d --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
@@ -0,0 +1,60 @@
	1	From 415fb5eb83cbd3b5cfc25ac1290f2de4fe3d231c Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Mon, 1 Aug 2022 10:48:34 +0530
	4	Subject: [PATCH] CVE-2022-28733
	5
	6	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e4817538de828319ba6d59ced2fbb9b5ca13287]
	7	CVE: CVE-2022-28733
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9
	10	net/ip: Do IP fragment maths safely
	11
	12	We can receive packets with invalid IP fragmentation information. This
	13	can lead to rsm->total_len underflowing and becoming very large.
	14
	15	Then, in grub_netbuff_alloc(), we add to this very large number, which can
	16	cause it to overflow and wrap back around to a small positive number.
	17	The allocation then succeeds, but the resulting buffer is too small and
	18	subsequent operations can write past the end of the buffer.
	19
	20	Catch the underflow here.
	21
	22	Fixes: CVE-2022-28733
	23
	24	Signed-off-by: Daniel Axtens <dja@axtens.net>
	25	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	26	---
	27	grub-core/net/ip.c \| 10 +++++++++-
	28	1 file changed, 9 insertions(+), 1 deletion(-)
	29
	30	diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
	31	index ea5edf8..74e4e8b 100644
	32	--- a/grub-core/net/ip.c
	33	+++ b/grub-core/net/ip.c
	34	@@ -25,6 +25,7 @@
	35	#include <grub/net/netbuff.h>
	36	#include <grub/mm.h>
	37	#include <grub/priority_queue.h>
	38	+#include <grub/safemath.h>
	39	#include <grub/time.h>
	40
	41	struct iphdr {
	42	@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
	43	{
	44	rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
	45	+ (nb->tail - nb->data));
	46	- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
	47	+
	48	+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
	49	+ &rsm->total_len))
	50	+ {
	51	+ grub_dprintf ("net", "IP reassembly size underflow\n");
	52	+ return GRUB_ERR_NONE;
	53	+ }
	54	+
	55	rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
	56	if (!rsm->asm_netbuff)
	57	{
	58	--
	59	2.25.1
	60