1 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
new file mode 100644
index 0000000000..e2e3f35584
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+Fixes: CVE-2022-3775
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index f110db9..3b76b22 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+   ctx.bounds.height = main_glyph->height;
+ 
+   above_rightx = main_glyph->offset_x + main_glyph->width;
+-  above_righty = ctx.bounds.y + ctx.bounds.height;
+  above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+   above_leftx = main_glyph->offset_x;
+-  above_lefty = ctx.bounds.y + ctx.bounds.height;
+  above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+-  below_rightx = ctx.bounds.x + ctx.bounds.width;
+  below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+   below_righty = ctx.bounds.y;
+ 
+   comb = grub_unicode_get_comb (glyph_id);
+@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+       if (!combining_glyphs[i])
+        continue;
+-      targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+      targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+       /* CGJ is to avoid diacritics reordering. */
+       if (comb[i].code
+          == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+        case GRUB_UNICODE_COMB_OVERLAY:
+          do_blit (combining_glyphs[i],
+                   targetx,
+-                  (ctx.bounds.height - combining_glyphs[i]->height) / 2
+-                  - (ctx.bounds.height + ctx.bounds.y), &ctx);
+                  ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
+                  - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+          break;
+@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+          /* Fallthrough.  */
+        case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+          do_blit (combining_glyphs[i], targetx,
+-                  -(ctx.bounds.height + ctx.bounds.y + space
+                  -((int) ctx.bounds.height + ctx.bounds.y + space
+                     + combining_glyphs[i]->height), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+        case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+          do_blit (combining_glyphs[i], targetx,
+-                  -(ctx.bounds.height / 2 + ctx.bounds.y
+                  -((int) ctx.bounds.height / 2 + ctx.bounds.y
+                     + combining_glyphs[i]->height / 2), &ctx);
+          if (min_devwidth < combining_glyphs[i]->width)
+            min_devwidth = combining_glyphs[i]->width;
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch new file mode 100644 index 0000000000..e2e3f35584 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
	1	From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
	2	From: Zhang Boyang <zhangboyang.id@gmail.com>
	3	Date: Mon, 24 Oct 2022 08:05:35 +0800
	4	Subject: [PATCH] font: Fix an integer underflow in blit_comb()
	5
	6	The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
	7	evaluate to a very big invalid value even if both ctx.bounds.height and
	8	combining_glyphs[i]->height are small integers. For example, if
	9	ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
	10	expression evaluates to 2147483647 (expected -1). This is because
	11	coordinates are allowed to be negative but ctx.bounds.height is an
	12	unsigned int. So, the subtraction operates on unsigned ints and
	13	underflows to a very big value. The division makes things even worse.
	14	The quotient is still an invalid value even if converted back to int.
	15
	16	This patch fixes the problem by casting ctx.bounds.height to int. As
	17	a result the subtraction will operate on int and grub_uint16_t which
	18	will be promoted to an int. So, the underflow will no longer happen. Other
	19	uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
	20	to ensure coordinates are always calculated on signed integers.
	21
	22	Fixes: CVE-2022-3775
	23
	24	Reported-by: Daniel Axtens <dja@axtens.net>
	25	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
	26	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	27
	28	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
	29
	30	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
	31	CVE: CVE-2022-3775
	32	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	33	---
	34	grub-core/font/font.c \| 16 ++++++++--------
	35	1 file changed, 8 insertions(+), 8 deletions(-)
	36
	37	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
	38	index f110db9..3b76b22 100644
	39	--- a/grub-core/font/font.c
	40	+++ b/grub-core/font/font.c
	41	@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
	42	ctx.bounds.height = main_glyph->height;
	43
	44	above_rightx = main_glyph->offset_x + main_glyph->width;
	45	- above_righty = ctx.bounds.y + ctx.bounds.height;
	46	+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
	47
	48	above_leftx = main_glyph->offset_x;
	49	- above_lefty = ctx.bounds.y + ctx.bounds.height;
	50	+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
	51
	52	- below_rightx = ctx.bounds.x + ctx.bounds.width;
	53	+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
	54	below_righty = ctx.bounds.y;
	55
	56	comb = grub_unicode_get_comb (glyph_id);
	57	@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
	58
	59	if (!combining_glyphs[i])
	60	continue;
	61	- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
	62	+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
	63	/* CGJ is to avoid diacritics reordering. */
	64	if (comb[i].code
	65	== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
	66	@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
	67	case GRUB_UNICODE_COMB_OVERLAY:
	68	do_blit (combining_glyphs[i],
	69	targetx,
	70	- (ctx.bounds.height - combining_glyphs[i]->height) / 2
	71	- - (ctx.bounds.height + ctx.bounds.y), &ctx);
	72	+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
	73	+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
	74	if (min_devwidth < combining_glyphs[i]->width)
	75	min_devwidth = combining_glyphs[i]->width;
	76	break;
	77	@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
	78	/* Fallthrough. */
	79	case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
	80	do_blit (combining_glyphs[i], targetx,
	81	- -(ctx.bounds.height + ctx.bounds.y + space
	82	+ -((int) ctx.bounds.height + ctx.bounds.y + space
	83	+ combining_glyphs[i]->height), &ctx);
	84	if (min_devwidth < combining_glyphs[i]->width)
	85	min_devwidth = combining_glyphs[i]->width;
	86	@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
	87
	88	case GRUB_UNICODE_COMB_HEBREW_DAGESH:
	89	do_blit (combining_glyphs[i], targetx,
	90	- -(ctx.bounds.height / 2 + ctx.bounds.y
	91	+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
	92	+ combining_glyphs[i]->height / 2), &ctx);
	93	if (min_devwidth < combining_glyphs[i]->width)
	94	min_devwidth = combining_glyphs[i]->width;
	95	--
	96	2.25.1
	97