Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2022-28734.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2022-28734.patch | 67 |
1 files changed, 67 insertions, 0 deletions
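--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
@@ -0,0 +1,67 @@
+From f03f09c2a07eae7f3a4646e33a406ae2689afb9e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:59:41 +0530
+Subject: [PATCH] CVE-2022-28734
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4]
+CVE: CVE-2022-28734
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+---
+grub-core/net/http.c | 12 +++++++++---
+1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 5aa4ad3..a220d21 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+char *end = ptr + len;
+while (end > ptr && *(end - 1) == '\r')
+end--;
++
++ /* LF without CR. */
++ if (end == ptr + len)
++ {
++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++ return GRUB_ERR_NONE;
++ }
+*end = 0;
++
+/* Trailing CRLF. */
+if (data->in_chunk_len == 1)
+{
+@@ -190,9 +198,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+int have_line = 1;
+char *t;
+ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+- if (ptr)
+- ptr++;
+- else
++ if (ptr == NULL)
+{
+have_line = 0;
+ptr = (char *) nb->tail;
+--
+2.25.1
+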
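Review bot: In the new `LF without CR` branch of parse_line the result of `grub_strdup` is not checked, and the branch returns `GRUB_ERR_NONE`, so the rejection is carried only by `data->errmsg`. If the allocation fails, `errmsg` stays NULL and the malformed header may go unreported; parse_line and its callers continue outside the hunk, so how `errmsg` is consumed needs confirming there. A guard such as `if (data->errmsg == NULL) return grub_errno;` after the assignment would close that gap, and because this file is a backport it is best raised upstream rather than changed locally. The comment could also state why the check matters: without a trailing CR `end` stays at `ptr + len`, and the following `*end = 0` would write one byte past the line data.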