summaryrefslogtreecommitdiffstats
path: root/meta/recipes-bsp
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4692.patch98
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4693.patch63
-rw-r--r--meta/recipes-bsp/grub/grub2.inc2
3 files changed, 163 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 0000000000..305fcc93d8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,98 @@
1From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
2From: Maxim Suhanov <dfirblog@gmail.com>
3Date: Mon, 28 Aug 2023 16:31:57 +0300
4Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
5 for the $MFT file
6
7When parsing an extremely fragmented $MFT file, i.e., the file described
8using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
9containing bytes read from the underlying drive to store sector numbers,
10which are consumed later to read data from these sectors into another buffer.
11
12These sectors numbers, two 32-bit integers, are always stored at predefined
13offsets, 0x10 and 0x14, relative to first byte of the selected entry within
14the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
15
16However, when parsing a specially-crafted file system image, this may cause
17the NTFS code to write these integers beyond the buffer boundary, likely
18causing the GRUB memory allocator to misbehave or fail. These integers contain
19values which are controlled by on-disk structures of the NTFS file system.
20
21Such modification and resulting misbehavior may touch a memory range not
22assigned to the GRUB and owned by firmware or another EFI application/driver.
23
24This fix introduces checks to ensure that these sector numbers are never
25written beyond the boundary.
26
27Fixes: CVE-2023-4692
28
29Upstream-Status: Backport from
30[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
31CVE: CVE-2023-4692
32
33Reported-by: Maxim Suhanov <dfirblog@gmail.com>
34Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
35Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
36Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
37---
38 grub-core/fs/ntfs.c | 18 +++++++++++++++++-
39 1 file changed, 17 insertions(+), 1 deletion(-)
40
41diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
42index bbdbe24..c3c4db1 100644
43--- a/grub-core/fs/ntfs.c
44+++ b/grub-core/fs/ntfs.c
45@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
46 }
47 if (at->attr_end)
48 {
49- grub_uint8_t *pa;
50+ grub_uint8_t *pa, *pa_end;
51
52 at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
53 if (at->emft_buf == NULL)
54@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
55 }
56 at->attr_nxt = at->edat_buf;
57 at->attr_end = at->edat_buf + u32at (pa, 0x30);
58+ pa_end = at->edat_buf + n;
59 }
60 else
61 {
62 at->attr_nxt = at->attr_end + u16at (pa, 0x14);
63 at->attr_end = at->attr_end + u32at (pa, 4);
64+ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
65 }
66 at->flags |= GRUB_NTFS_AF_ALST;
67 while (at->attr_nxt < at->attr_end)
68@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
69 at->flags |= GRUB_NTFS_AF_GPOS;
70 at->attr_cur = at->attr_nxt;
71 pa = at->attr_cur;
72+
73+ if ((pa >= pa_end) || (pa_end - pa < 0x18))
74+ {
75+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
76+ return NULL;
77+ }
78+
79 grub_set_unaligned32 ((char *) pa + 0x10,
80 grub_cpu_to_le32 (at->mft->data->mft_start));
81 grub_set_unaligned32 ((char *) pa + 0x14,
82@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
83 {
84 if (*pa != attr)
85 break;
86+
87+ if ((pa >= pa_end) || (pa_end - pa < 0x18))
88+ {
89+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
90+ return NULL;
91+ }
92+
93 if (read_attr
94 (at, pa + 0x10,
95 u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
96--
97cgit v1.1
98
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..420fe92ac3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,63 @@
1From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
2From: Maxim Suhanov <dfirblog@...>
3Date: Mon, 28 Aug 2023 16:32:33 +0300
4Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
5 attribute
6
7When reading a file containing resident data, i.e., the file data is stored in
8the $DATA attribute within the NTFS file record, not in external clusters,
9there are no checks that this resident data actually fits the corresponding
10file record segment.
11
12When parsing a specially-crafted file system image, the current NTFS code will
13read the file data from an arbitrary, attacker-chosen memory offset and of
14arbitrary, attacker-chosen length.
15
16This allows an attacker to display arbitrary chunks of memory, which could
17contain sensitive information like password hashes or even plain-text,
18obfuscated passwords from BS EFI variables.
19
20This fix implements a check to ensure that resident data is read from the
21corresponding file record segment only.
22
23Fixes: CVE-2023-4693
24
25Upstream-Status: Backport from
26[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
27CVE: CVE-2023-4693
28
29Reported-by: Maxim Suhanov <dfirblog@...>
30Signed-off-by: Maxim Suhanov <dfirblog@...>
31Reviewed-by: Daniel Kiper <daniel.kiper@...>
32Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
33---
34 grub-core/fs/ntfs.c | 13 ++++++++++++-
35 1 file changed, 12 insertions(+), 1 deletion(-)
36
37diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
38index c3c4db1..a68e173 100644
39--- a/grub-core/fs/ntfs.c
40+++ b/grub-core/fs/ntfs.c
41@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
42 {
43 if (ofs + len > u32at (pa, 0x10))
44 return grub_error (GRUB_ERR_BAD_FS, "read out of range");
45- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
46+
47+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
48+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
49+
50+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
51+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
52+
53+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
54+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
55+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
56+
57+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
58 return 0;
59 }
60
61--
62cgit v1.1
63
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 41839698dc..f594e7d3a4 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -42,6 +42,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
42 file://CVE-2022-3775.patch \ 42 file://CVE-2022-3775.patch \
43 file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \ 43 file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \
44 file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \ 44 file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \
45 file://CVE-2023-4692.patch \
46 file://CVE-2023-4693.patch \
45" 47"
46 48
47SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" 49SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"