1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..420fe92ac3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,63 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@...>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
+ attribute
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+Fixes: CVE-2023-4693
+Upstream-Status: Backport from 
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Reported-by: Maxim Suhanov <dfirblog@...>
+Signed-off-by: Maxim Suhanov <dfirblog@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c3c4db1..a68e173 100644
+--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+        return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
+
+      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
+
+      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
+         (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 
+-- 
+cgit v1.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch new file mode 100644 index 0000000000..420fe92ac3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,63 @@
	1	From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
	2	From: Maxim Suhanov <dfirblog@...>
	3	Date: Mon, 28 Aug 2023 16:32:33 +0300
	4	Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
	5	attribute
	6
	7	When reading a file containing resident data, i.e., the file data is stored in
	8	the $DATA attribute within the NTFS file record, not in external clusters,
	9	there are no checks that this resident data actually fits the corresponding
	10	file record segment.
	11
	12	When parsing a specially-crafted file system image, the current NTFS code will
	13	read the file data from an arbitrary, attacker-chosen memory offset and of
	14	arbitrary, attacker-chosen length.
	15
	16	This allows an attacker to display arbitrary chunks of memory, which could
	17	contain sensitive information like password hashes or even plain-text,
	18	obfuscated passwords from BS EFI variables.
	19
	20	This fix implements a check to ensure that resident data is read from the
	21	corresponding file record segment only.
	22
	23	Fixes: CVE-2023-4693
	24
	25	Upstream-Status: Backport from
	26	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
	27	CVE: CVE-2023-4693
	28
	29	Reported-by: Maxim Suhanov <dfirblog@...>
	30	Signed-off-by: Maxim Suhanov <dfirblog@...>
	31	Reviewed-by: Daniel Kiper <daniel.kiper@...>
	32	Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
	33	---
	34	grub-core/fs/ntfs.c \| 13 ++++++++++++-
	35	1 file changed, 12 insertions(+), 1 deletion(-)
	36
	37	diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
	38	index c3c4db1..a68e173 100644
	39	--- a/grub-core/fs/ntfs.c
	40	+++ b/grub-core/fs/ntfs.c
	41	@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr at, grub_uint8_t pa, grub_uint8_t *dest,
	42	{
	43	if (ofs + len > u32at (pa, 0x10))
	44	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
	45	- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
	46	+
	47	+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
	48	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
	49	+
	50	+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
	51	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
	52	+
	53	+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
	54	+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
	55	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
	56	+
	57	+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
	58	return 0;
	59	}
	60
	61	--
	62	cgit v1.1
	63