1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
new file mode 100644
index 0000000000..577ec10bea
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
@@ -0,0 +1,67 @@
+From f03f09c2a07eae7f3a4646e33a406ae2689afb9e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:59:41 +0530
+Subject: [PATCH] CVE-2022-28734
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4]
+CVE: CVE-2022-28734
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+net/http: Fix OOB write for split http headers
+GRUB has special code for handling an http header that is split
+across two packets.
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+Do not advance the pointer in the split header case.
+Fixes: CVE-2022-28734
+---
+ grub-core/net/http.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 5aa4ad3..a220d21 100644
+--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+   char *end = ptr + len;
+   while (end > ptr && *(end - 1) == '\r')
+     end--;
+
+  /* LF without CR. */
+  if (end == ptr + len)
+    {
+      data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
+      return GRUB_ERR_NONE;
+    }
+   *end = 0;
+
+   /* Trailing CRLF.  */
+   if (data->in_chunk_len == 1)
+     {
+@@ -190,9 +198,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+          int have_line = 1;
+          char *t;
+          ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+-         if (ptr)
+-           ptr++;
+-         else
+         if (ptr == NULL)
+            {
+              have_line = 0;
+              ptr = (char *) nb->tail;
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch new file mode 100644 index 0000000000..577ec10bea --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
@@ -0,0 +1,67 @@
	1	From f03f09c2a07eae7f3a4646e33a406ae2689afb9e Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Mon, 1 Aug 2022 10:59:41 +0530
	4	Subject: [PATCH] CVE-2022-28734
	5
	6	Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4]
	7	CVE: CVE-2022-28734
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9
	10	net/http: Fix OOB write for split http headers
	11
	12	GRUB has special code for handling an http header that is split
	13	across two packets.
	14
	15	The code tracks the end of line by looking for a "\n" byte. The
	16	code for split headers has always advanced the pointer just past the
	17	end of the line, whereas the code that handles unsplit headers does
	18	not advance the pointer. This extra advance causes the length to be
	19	one greater, which breaks an assumption in parse_line(), leading to
	20	it writing a NUL byte one byte past the end of the buffer where we
	21	reconstruct the line from the two packets.
	22
	23	It's conceivable that an attacker controlled set of packets could
	24	cause this to zero out the first byte of the "next" pointer of the
	25	grub_mm_region structure following the current_line buffer.
	26
	27	Do not advance the pointer in the split header case.
	28
	29	Fixes: CVE-2022-28734
	30	---
	31	grub-core/net/http.c \| 12 +++++++++---
	32	1 file changed, 9 insertions(+), 3 deletions(-)
	33
	34	diff --git a/grub-core/net/http.c b/grub-core/net/http.c
	35	index 5aa4ad3..a220d21 100644
	36	--- a/grub-core/net/http.c
	37	+++ b/grub-core/net/http.c
	38	@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
	39	char *end = ptr + len;
	40	while (end > ptr && *(end - 1) == '\r')
	41	end--;
	42	+
	43	+ /* LF without CR. */
	44	+ if (end == ptr + len)
	45	+ {
	46	+ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
	47	+ return GRUB_ERR_NONE;
	48	+ }
	49	*end = 0;
	50	+
	51	/* Trailing CRLF. */
	52	if (data->in_chunk_len == 1)
	53	{
	54	@@ -190,9 +198,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
	55	int have_line = 1;
	56	char *t;
	57	ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
	58	- if (ptr)
	59	- ptr++;
	60	- else
	61	+ if (ptr == NULL)
	62	{
	63	have_line = 0;
	64	ptr = (char *) nb->tail;
	65	--
	66	2.25.1
	67