Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2023-4693.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2023-4693.patch | 63 |
1 files changed, 0 insertions, 63 deletions
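diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
deleted file mode 100644
index 420fe92ac3..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
-From: Maxim Suhanov <dfirblog@...>
-Date: Mon, 28 Aug 2023 16:32:33 +0300
-Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
-attribute
-
-When reading a file containing resident data, i.e., the file data is stored in
-the $DATA attribute within the NTFS file record, not in external clusters,
-there are no checks that this resident data actually fits the corresponding
-file record segment.
-
-When parsing a specially-crafted file system image, the current NTFS code will
-read the file data from an arbitrary, attacker-chosen memory offset and of
-arbitrary, attacker-chosen length.
-
-This allows an attacker to display arbitrary chunks of memory, which could
-contain sensitive information like password hashes or even plain-text,
-obfuscated passwords from BS EFI variables.
-
-This fix implements a check to ensure that resident data is read from the
-corresponding file record segment only.
-
-Fixes: CVE-2023-4693
-
-Upstream-Status: Backport from
-[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
-CVE: CVE-2023-4693
-
-Reported-by: Maxim Suhanov <dfirblog@...>
-Signed-off-by: Maxim Suhanov <dfirblog@...>
-Reviewed-by: Daniel Kiper <daniel.kiper@...>
-Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
----
-grub-core/fs/ntfs.c | 13 ++++++++++++-
-1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
-index c3c4db1..a68e173 100644
---- a/grub-core/fs/ntfs.c
-+++ b/grub-core/fs/ntfs.c
-@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
-{
-if (ofs + len > u32at (pa, 0x10))
-return grub_error (GRUB_ERR_BAD_FS, "read out of range");
-- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
-+
-+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
-+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
-+
-+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
-+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
-+
-+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
-(grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
-+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
-+
-+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
-return 0;
-}
-
---
-cgit v1.1
-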