1 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 0000000000..0e74870ebf
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
+ attribute for the $MFT file
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+Fixes: CVE-2023-4692
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+CVE: CVE-2023-4692
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..c8d3683 100644
+--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+     }
+   if (at->attr_end)
+     {
+-      grub_uint8_t *pa;
+      grub_uint8_t *pa, *pa_end;
+ 
+       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+       if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+            }
+          at->attr_nxt = at->edat_buf;
+          at->attr_end = at->edat_buf + u32at (pa, 0x30);
+         pa_end = at->edat_buf + n;
+        }
+       else
+        {
+          at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+          at->attr_end = at->attr_end + u32at (pa, 4);
+         pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+        }
+       at->flags |= GRUB_NTFS_AF_ALST;
+       while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+          at->flags |= GRUB_NTFS_AF_GPOS;
+          at->attr_cur = at->attr_nxt;
+          pa = at->attr_cur;
+
+         if ((pa >= pa_end) || (pa_end - pa < 0x18))
+           {
+             grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
+             return NULL;
+           }
+
+          grub_set_unaligned32 ((char *) pa + 0x10,
+                                grub_cpu_to_le32 (at->mft->data->mft_start));
+          grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+            {
+              if (*pa != attr)
+                break;
+
+              if ((pa >= pa_end) || (pa_end - pa < 0x18))
+                {
+                 grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
+                 return NULL;
+               }
+
+              if (read_attr
+                  (at, pa + 0x10,
+                   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch new file mode 100644 index 0000000000..0e74870ebf --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
	1	From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
	2	From: Maxim Suhanov <dfirblog@gmail.com>
	3	Date: Mon, 28 Aug 2023 16:31:57 +0300
	4	Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
	5	attribute for the $MFT file
	6
	7	When parsing an extremely fragmented $MFT file, i.e., the file described
	8	using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
	9	containing bytes read from the underlying drive to store sector numbers,
	10	which are consumed later to read data from these sectors into another buffer.
	11
	12	These sectors numbers, two 32-bit integers, are always stored at predefined
	13	offsets, 0x10 and 0x14, relative to first byte of the selected entry within
	14	the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
	15
	16	However, when parsing a specially-crafted file system image, this may cause
	17	the NTFS code to write these integers beyond the buffer boundary, likely
	18	causing the GRUB memory allocator to misbehave or fail. These integers contain
	19	values which are controlled by on-disk structures of the NTFS file system.
	20
	21	Such modification and resulting misbehavior may touch a memory range not
	22	assigned to the GRUB and owned by firmware or another EFI application/driver.
	23
	24	This fix introduces checks to ensure that these sector numbers are never
	25	written beyond the boundary.
	26
	27	Fixes: CVE-2023-4692
	28
	29	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
	30	Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
	31	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	32
	33	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
	34	CVE: CVE-2023-4692
	35	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	36	---
	37	grub-core/fs/ntfs.c \| 18 +++++++++++++++++-
	38	1 file changed, 17 insertions(+), 1 deletion(-)
	39
	40	diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
	41	index 2f34f76..c8d3683 100644
	42	--- a/grub-core/fs/ntfs.c
	43	+++ b/grub-core/fs/ntfs.c
	44	@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
	45	}
	46	if (at->attr_end)
	47	{
	48	- grub_uint8_t *pa;
	49	+ grub_uint8_t pa, pa_end;
	50
	51	at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
	52	if (at->emft_buf == NULL)
	53	@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
	54	}
	55	at->attr_nxt = at->edat_buf;
	56	at->attr_end = at->edat_buf + u32at (pa, 0x30);
	57	+ pa_end = at->edat_buf + n;
	58	}
	59	else
	60	{
	61	at->attr_nxt = at->attr_end + u16at (pa, 0x14);
	62	at->attr_end = at->attr_end + u32at (pa, 4);
	63	+ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
	64	}
	65	at->flags \|= GRUB_NTFS_AF_ALST;
	66	while (at->attr_nxt < at->attr_end)
	67	@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
	68	at->flags \|= GRUB_NTFS_AF_GPOS;
	69	at->attr_cur = at->attr_nxt;
	70	pa = at->attr_cur;
	71	+
	72	+ if ((pa >= pa_end) \|\| (pa_end - pa < 0x18))
	73	+ {
	74	+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
	75	+ return NULL;
	76	+ }
	77	+
	78	grub_set_unaligned32 ((char *) pa + 0x10,
	79	grub_cpu_to_le32 (at->mft->data->mft_start));
	80	grub_set_unaligned32 ((char *) pa + 0x14,
	81	@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
	82	{
	83	if (*pa != attr)
	84	break;
	85	+
	86	+ if ((pa >= pa_end) \|\| (pa_end - pa < 0x18))
	87	+ {
	88	+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
	89	+ return NULL;
	90	+ }
	91	+
	92	if (read_attr
	93	(at, pa + 0x10,
	94	u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
	95	--
	96	2.25.1
	97