diff options
Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2023-4692.patch | 98 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2023-4693.patch | 63 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 2 |
3 files changed, 163 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch new file mode 100644 index 0000000000..305fcc93d8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch | |||
@@ -0,0 +1,98 @@ | |||
1 | From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001 | ||
2 | From: Maxim Suhanov <dfirblog@gmail.com> | ||
3 | Date: Mon, 28 Aug 2023 16:31:57 +0300 | ||
4 | Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute | ||
5 | for the $MFT file | ||
6 | |||
7 | When parsing an extremely fragmented $MFT file, i.e., the file described | ||
8 | using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer | ||
9 | containing bytes read from the underlying drive to store sector numbers, | ||
10 | which are consumed later to read data from these sectors into another buffer. | ||
11 | |||
12 | These sectors numbers, two 32-bit integers, are always stored at predefined | ||
13 | offsets, 0x10 and 0x14, relative to first byte of the selected entry within | ||
14 | the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. | ||
15 | |||
16 | However, when parsing a specially-crafted file system image, this may cause | ||
17 | the NTFS code to write these integers beyond the buffer boundary, likely | ||
18 | causing the GRUB memory allocator to misbehave or fail. These integers contain | ||
19 | values which are controlled by on-disk structures of the NTFS file system. | ||
20 | |||
21 | Such modification and resulting misbehavior may touch a memory range not | ||
22 | assigned to the GRUB and owned by firmware or another EFI application/driver. | ||
23 | |||
24 | This fix introduces checks to ensure that these sector numbers are never | ||
25 | written beyond the boundary. | ||
26 | |||
27 | Fixes: CVE-2023-4692 | ||
28 | |||
29 | Upstream-Status: Backport from | ||
30 | [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] | ||
31 | CVE: CVE-2023-4692 | ||
32 | |||
33 | Reported-by: Maxim Suhanov <dfirblog@gmail.com> | ||
34 | Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> | ||
35 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
36 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> | ||
37 | --- | ||
38 | grub-core/fs/ntfs.c | 18 +++++++++++++++++- | ||
39 | 1 file changed, 17 insertions(+), 1 deletion(-) | ||
40 | |||
41 | diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c | ||
42 | index bbdbe24..c3c4db1 100644 | ||
43 | --- a/grub-core/fs/ntfs.c | ||
44 | +++ b/grub-core/fs/ntfs.c | ||
45 | @@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
46 | } | ||
47 | if (at->attr_end) | ||
48 | { | ||
49 | - grub_uint8_t *pa; | ||
50 | + grub_uint8_t *pa, *pa_end; | ||
51 | |||
52 | at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); | ||
53 | if (at->emft_buf == NULL) | ||
54 | @@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
55 | } | ||
56 | at->attr_nxt = at->edat_buf; | ||
57 | at->attr_end = at->edat_buf + u32at (pa, 0x30); | ||
58 | + pa_end = at->edat_buf + n; | ||
59 | } | ||
60 | else | ||
61 | { | ||
62 | at->attr_nxt = at->attr_end + u16at (pa, 0x14); | ||
63 | at->attr_end = at->attr_end + u32at (pa, 4); | ||
64 | + pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); | ||
65 | } | ||
66 | at->flags |= GRUB_NTFS_AF_ALST; | ||
67 | while (at->attr_nxt < at->attr_end) | ||
68 | @@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
69 | at->flags |= GRUB_NTFS_AF_GPOS; | ||
70 | at->attr_cur = at->attr_nxt; | ||
71 | pa = at->attr_cur; | ||
72 | + | ||
73 | + if ((pa >= pa_end) || (pa_end - pa < 0x18)) | ||
74 | + { | ||
75 | + grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); | ||
76 | + return NULL; | ||
77 | + } | ||
78 | + | ||
79 | grub_set_unaligned32 ((char *) pa + 0x10, | ||
80 | grub_cpu_to_le32 (at->mft->data->mft_start)); | ||
81 | grub_set_unaligned32 ((char *) pa + 0x14, | ||
82 | @@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) | ||
83 | { | ||
84 | if (*pa != attr) | ||
85 | break; | ||
86 | + | ||
87 | + if ((pa >= pa_end) || (pa_end - pa < 0x18)) | ||
88 | + { | ||
89 | + grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); | ||
90 | + return NULL; | ||
91 | + } | ||
92 | + | ||
93 | if (read_attr | ||
94 | (at, pa + 0x10, | ||
95 | u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), | ||
96 | -- | ||
97 | cgit v1.1 | ||
98 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch new file mode 100644 index 0000000000..420fe92ac3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001 | ||
2 | From: Maxim Suhanov <dfirblog@...> | ||
3 | Date: Mon, 28 Aug 2023 16:32:33 +0300 | ||
4 | Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA | ||
5 | attribute | ||
6 | |||
7 | When reading a file containing resident data, i.e., the file data is stored in | ||
8 | the $DATA attribute within the NTFS file record, not in external clusters, | ||
9 | there are no checks that this resident data actually fits the corresponding | ||
10 | file record segment. | ||
11 | |||
12 | When parsing a specially-crafted file system image, the current NTFS code will | ||
13 | read the file data from an arbitrary, attacker-chosen memory offset and of | ||
14 | arbitrary, attacker-chosen length. | ||
15 | |||
16 | This allows an attacker to display arbitrary chunks of memory, which could | ||
17 | contain sensitive information like password hashes or even plain-text, | ||
18 | obfuscated passwords from BS EFI variables. | ||
19 | |||
20 | This fix implements a check to ensure that resident data is read from the | ||
21 | corresponding file record segment only. | ||
22 | |||
23 | Fixes: CVE-2023-4693 | ||
24 | |||
25 | Upstream-Status: Backport from | ||
26 | [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94] | ||
27 | CVE: CVE-2023-4693 | ||
28 | |||
29 | Reported-by: Maxim Suhanov <dfirblog@...> | ||
30 | Signed-off-by: Maxim Suhanov <dfirblog@...> | ||
31 | Reviewed-by: Daniel Kiper <daniel.kiper@...> | ||
32 | Signed-off-by: Xiangyu Chen <xiangyu.chen@...> | ||
33 | --- | ||
34 | grub-core/fs/ntfs.c | 13 ++++++++++++- | ||
35 | 1 file changed, 12 insertions(+), 1 deletion(-) | ||
36 | |||
37 | diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c | ||
38 | index c3c4db1..a68e173 100644 | ||
39 | --- a/grub-core/fs/ntfs.c | ||
40 | +++ b/grub-core/fs/ntfs.c | ||
41 | @@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, | ||
42 | { | ||
43 | if (ofs + len > u32at (pa, 0x10)) | ||
44 | return grub_error (GRUB_ERR_BAD_FS, "read out of range"); | ||
45 | - grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len); | ||
46 | + | ||
47 | + if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) | ||
48 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); | ||
49 | + | ||
50 | + if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) | ||
51 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); | ||
52 | + | ||
53 | + if (u16at (pa, 0x14) + u32at (pa, 0x10) > | ||
54 | + (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) | ||
55 | + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); | ||
56 | + | ||
57 | + grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); | ||
58 | return 0; | ||
59 | } | ||
60 | |||
61 | -- | ||
62 | cgit v1.1 | ||
63 | |||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 41839698dc..f594e7d3a4 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -42,6 +42,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
42 | file://CVE-2022-3775.patch \ | 42 | file://CVE-2022-3775.patch \ |
43 | file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \ | 43 | file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \ |
44 | file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \ | 44 | file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \ |
45 | file://CVE-2023-4692.patch \ | ||
46 | file://CVE-2023-4693.patch \ | ||
45 | " | 47 | " |
46 | 48 | ||
47 | SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" | 49 | SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" |