From 01aac7e940410e64273643393613e4ee560ce9ca Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Tue, 11 Mar 2025 19:14:10 +0100 Subject: grup: patch CVE-2024-45781 Cherry-pick patch mentioning this CVE. (From OE-Core rev: ef41ef5730d08371d1eb03f94fa9357edf26889f) Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-bsp/grub/files/CVE-2024-45781.patch | 35 ++++++++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45781.patch (limited to 'meta/recipes-bsp/grub') diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch new file mode 100644 index 0000000000..bd0b6aa04a --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch @@ -0,0 +1,35 @@ +From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 02:03:33 +0100 +Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write + +grub_strcpy() was used to copy a symlink name from the filesystem +image to a heap allocated buffer. This led to a OOB write to adjacent +heap allocations. Fix by using grub_strlcpy(). + +Fixes: CVE-2024-45781 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45781 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba] +Signed-off-by: Peter Marko +--- + grub-core/fs/ufs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c +index a354c92d9..01235101b 100644 +--- a/grub-core/fs/ufs.c ++++ b/grub-core/fs/ufs.c +@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino) + /* Check against zero is paylindromic, no need to swap. */ + if (data->inode.nblocks == 0 + && INODE_SIZE (data) <= sizeof (data->inode.symlink)) +- grub_strcpy (symlink, (char *) data->inode.symlink); ++ grub_strlcpy (symlink, (char *) data->inode.symlink, sz); + else + { + if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 43ba632ce2..58f4a6e181 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ file://0001-misc-Implement-grub_strlcpy.patch \ + file://CVE-2024-45781.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" -- cgit v1.2.3-54-g00ecf