1 files changed, 117 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..d4ba3cafc5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c   | 17 +++++++++++++----
+ include/grub/bitmap.h   | 18 ++++++++++++++++++
+ include/grub/safemath.h |  2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477..df17dba 100644
+--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
+@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+       grub_int16_t xoff;
+       grub_int16_t yoff;
+       grub_int16_t dwidth;
+-      int len;
+      grub_ssize_t len;
+      grub_size_t sz;
+ 
+       if (index_entry->glyph)
+        /* Return cached glyph.  */
+@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+          return 0;
+        }
+ 
+-      len = (width * height + 7) / 8;
+-      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+-      if (!glyph)
+      /* Calculate real struct size of current glyph. */
+      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
+         grub_add (sizeof (struct grub_font_glyph), len, &sz))
+       {
+         remove_font (font);
+         return 0;
+       }
+
+      /* Allocate and initialize the glyph struct. */
+      glyph = grub_malloc (sz);
+      if (glyph == NULL)
+        {
+          remove_font (font);
+          return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
+++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
+#include <grub/safemath.h>
+ 
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+   return bitmap->mode_info.height;
+ }
+ 
+/*
+ * Calculate and store the size of data buffer of 1bit bitmap in result.
+ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
+ * Return true when overflow occurs or false if there is no overflow.
+ * This function is intentionally implemented as a macro instead of
+ * an inline function. Although a bit awkward, it preserves data types for
+ * safemath macros and reduces macro side effects as much as possible.
+ *
+ * XXX: Will report false overflow if width * height > UINT64_MAX.
+ */
+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
+({ \
+  grub_uint64_t _bitmap_pixels; \
+  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
+    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
+})
+
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+                                                    struct grub_video_mode_info *mode_info);
+ 
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
+++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res)    __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res)    __builtin_mul_overflow(a, b, res)
+ 
+#define grub_cast(a, res)      grub_add ((a), 0, (res))
+
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch new file mode 100644 index 0000000000..d4ba3cafc5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
	1	From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
	2	From: Zhang Boyang <zhangboyang.id@gmail.com>
	3	Date: Fri, 5 Aug 2022 00:51:20 +0800
	4	Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
	5
	6	The length of memory allocation and file read may overflow. This patch
	7	fixes the problem by using safemath macros.
	8
	9	There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
	10	if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
	11	It is safe replacement for such code. It has safemath-like prototype.
	12
	13	This patch also introduces grub_cast(value, pointer), it casts value to
	14	typeof(pointer) then store the value to pointer. It returns true when
	15	overflow occurs or false if there is no overflow. The semantics of arguments
	16	and return value are designed to be consistent with other safemath macros.
	17
	18	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
	19	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	20
	21	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
	22
	23	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
	24	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	25	---
	26	grub-core/font/font.c \| 17 +++++++++++++----
	27	include/grub/bitmap.h \| 18 ++++++++++++++++++
	28	include/grub/safemath.h \| 2 ++
	29	3 files changed, 33 insertions(+), 4 deletions(-)
	30
	31	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
	32	index 5edb477..df17dba 100644
	33	--- a/grub-core/font/font.c
	34	+++ b/grub-core/font/font.c
	35	@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
	36	grub_int16_t xoff;
	37	grub_int16_t yoff;
	38	grub_int16_t dwidth;
	39	- int len;
	40	+ grub_ssize_t len;
	41	+ grub_size_t sz;
	42
	43	if (index_entry->glyph)
	44	/* Return cached glyph. */
	45	@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
	46	return 0;
	47	}
	48
	49	- len = (width * height + 7) / 8;
	50	- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
	51	- if (!glyph)
	52	+ /* Calculate real struct size of current glyph. */
	53	+ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) \|\|
	54	+ grub_add (sizeof (struct grub_font_glyph), len, &sz))
	55	+ {
	56	+ remove_font (font);
	57	+ return 0;
	58	+ }
	59	+
	60	+ /* Allocate and initialize the glyph struct. */
	61	+ glyph = grub_malloc (sz);
	62	+ if (glyph == NULL)
	63	{
	64	remove_font (font);
	65	return 0;
	66	diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
	67	index 5728f8c..0d9603f 100644
	68	--- a/include/grub/bitmap.h
	69	+++ b/include/grub/bitmap.h
	70	@@ -23,6 +23,7 @@
	71	#include <grub/symbol.h>
	72	#include <grub/types.h>
	73	#include <grub/video.h>
	74	+#include <grub/safemath.h>
	75
	76	struct grub_video_bitmap
	77	{
	78	@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
	79	return bitmap->mode_info.height;
	80	}
	81
	82	+/*
	83	+ * Calculate and store the size of data buffer of 1bit bitmap in result.
	84	+ * Equivalent to "result = (width height + 7) / 8" if no overflow occurs.
	85	+ * Return true when overflow occurs or false if there is no overflow.
	86	+ * This function is intentionally implemented as a macro instead of
	87	+ * an inline function. Although a bit awkward, it preserves data types for
	88	+ * safemath macros and reduces macro side effects as much as possible.
	89	+ *
	90	+ * XXX: Will report false overflow if width * height > UINT64_MAX.
	91	+ */
	92	+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
	93	+({ \
	94	+ grub_uint64_t _bitmap_pixels; \
	95	+ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
	96	+ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
	97	+})
	98	+
	99	void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
	100	struct grub_video_mode_info *mode_info);
	101
	102	diff --git a/include/grub/safemath.h b/include/grub/safemath.h
	103	index c17b89b..bb0f826 100644
	104	--- a/include/grub/safemath.h
	105	+++ b/include/grub/safemath.h
	106	@@ -30,6 +30,8 @@
	107	#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
	108	#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
	109
	110	+#define grub_cast(a, res) grub_add ((a), 0, (res))
	111	+
	112	#else
	113	#error gcc 5.1 or newer or clang 3.8 or newer is required
	114	#endif
	115	--
	116	2.25.1
	117