diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2023-4692.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2023-4692.patch | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch deleted file mode 100644 index 305fcc93d8..0000000000 --- a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch +++ /dev/null | |||
@@ -1,98 +0,0 @@ | |||
1 | From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001 | ||
2 | From: Maxim Suhanov <dfirblog@gmail.com> | ||
3 | Date: Mon, 28 Aug 2023 16:31:57 +0300 | ||
4 | Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute | ||
5 | for the $MFT file | ||
6 | |||
7 | When parsing an extremely fragmented $MFT file, i.e., the file described | ||
8 | using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer | ||
9 | containing bytes read from the underlying drive to store sector numbers, | ||
10 | which are consumed later to read data from these sectors into another buffer. | ||
11 | |||
12 | These sectors numbers, two 32-bit integers, are always stored at predefined | ||
13 | offsets, 0x10 and 0x14, relative to first byte of the selected entry within | ||
14 | the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. | ||
15 | |||
16 | However, when parsing a specially-crafted file system image, this may cause | ||
17 | the NTFS code to write these integers beyond the buffer boundary, likely | ||
18 | causing the GRUB memory allocator to misbehave or fail. These integers contain | ||
19 | values which are controlled by on-disk structures of the NTFS file system. | ||
20 | |||
21 | Such modification and resulting misbehavior may touch a memory range not | ||
22 | assigned to the GRUB and owned by firmware or another EFI application/driver. | ||
23 | |||
24 | This fix introduces checks to ensure that these sector numbers are never | ||
25 | written beyond the boundary. | ||
26 | |||
27 | Fixes: CVE-2023-4692 | ||
28 | |||
29 | Upstream-Status: Backport from | ||
30 | [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] | ||
31 | CVE: CVE-2023-4692 | ||
32 | |||
33 | Reported-by: Maxim Suhanov <dfirblog@gmail.com> | ||
34 | Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> | ||
35 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
36 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> | ||
37 | --- | ||
38 | grub-core/fs/ntfs.c | 18 +++++++++++++++++- | ||
39 | 1 file changed, 17 insertions(+), 1 deletion(-) | ||
40 | |||
41 | diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c | ||
42 | index bbdbe24..c3c4db1 100644 | ||
43 | --- a/grub-core/fs/ntfs.c | ||
44 | +++ b/grub-core/fs/ntfs.c | ||
45 | @@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
46 | } | ||
47 | if (at->attr_end) | ||
48 | { | ||
49 | - grub_uint8_t *pa; | ||
50 | + grub_uint8_t *pa, *pa_end; | ||
51 | |||
52 | at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); | ||
53 | if (at->emft_buf == NULL) | ||
54 | @@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
55 | } | ||
56 | at->attr_nxt = at->edat_buf; | ||
57 | at->attr_end = at->edat_buf + u32at (pa, 0x30); | ||
58 | + pa_end = at->edat_buf + n; | ||
59 | } | ||
60 | else | ||
61 | { | ||
62 | at->attr_nxt = at->attr_end + u16at (pa, 0x14); | ||
63 | at->attr_end = at->attr_end + u32at (pa, 4); | ||
64 | + pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); | ||
65 | } | ||
66 | at->flags |= GRUB_NTFS_AF_ALST; | ||
67 | while (at->attr_nxt < at->attr_end) | ||
68 | @@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
69 | at->flags |= GRUB_NTFS_AF_GPOS; | ||
70 | at->attr_cur = at->attr_nxt; | ||
71 | pa = at->attr_cur; | ||
72 | + | ||
73 | + if ((pa >= pa_end) || (pa_end - pa < 0x18)) | ||
74 | + { | ||
75 | + grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); | ||
76 | + return NULL; | ||
77 | + } | ||
78 | + | ||
79 | grub_set_unaligned32 ((char *) pa + 0x10, | ||
80 | grub_cpu_to_le32 (at->mft->data->mft_start)); | ||
81 | grub_set_unaligned32 ((char *) pa + 0x14, | ||
82 | @@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
83 | { | ||
84 | if (*pa != attr) | ||
85 | break; | ||
86 | + | ||
87 | + if ((pa >= pa_end) || (pa_end - pa < 0x18)) | ||
88 | + { | ||
89 | + grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); | ||
90 | + return NULL; | ||
91 | + } | ||
92 | + | ||
93 | if (read_attr | ||
94 | (at, pa + 0x10, | ||
95 | u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), | ||
96 | -- | ||
97 | cgit v1.1 | ||
98 | |||