grub: patch CVE-2024-45780

Cherry-pick patch mentioning this CVE. (From OE-Core rev: 3c33dbc32859ce45743c507120317a562b1a897d) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-03-11 19:14:12 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-03-15 06:44:47 -0700
commit: 43dc093c92c7b3e84dd81283645c1aca330cb5ec (patch)
tree: a9f6d7fd5e69bb8fb9828c08560d81003025b7a5
parent: 8c9962a6fd4bd7ed70e1574030348269ac3f69c5 (diff)
download: poky-43dc093c92c7b3e84dd81283645c1aca330cb5ec.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
new file mode 100644
index 0000000000..1de0099f94
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
@@ -0,0 +1,93 @@
+From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:58 +0000
+Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write
+Both namesize and linksize are derived from hd.size, a 12-digit octal
+number parsed by read_number(). Later direct arithmetic calculation like
+"namesize + 1" and "linksize + 1" may exceed the maximum value of
+grub_size_t leading to heap OOB write. This patch fixes the issue by
+using grub_add() and checking for an overflow.
+Fixes: CVE-2024-45780
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+CVE: CVE-2024-45780
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/tar.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
+index 646bce5eb..386c09022 100644
+--- a/grub-core/fs/tar.c
+++ b/grub-core/fs/tar.c
+@@ -25,6 +25,7 @@
+ #include <grub/mm.h>
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ {
+   struct head hd;
+   int reread = 0, have_longname = 0, have_longlink = 0;
+  grub_size_t sz;
+ 
+   data->hofs = data->next_hofs;
+ 
+@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+        {
+          grub_err_t err;
+          grub_size_t namesize = read_number (hd.size, sizeof (hd.size));
+-         *name = grub_malloc (namesize + 1);
+
+         if (grub_add (namesize, 1, &sz))
+           return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow"));
+
+         *name = grub_malloc (sz);
+          if (*name == NULL)
+            return grub_errno;
+          err = grub_disk_read (data->disk, 0,
+@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+        {
+          grub_err_t err;
+          grub_size_t linksize = read_number (hd.size, sizeof (hd.size));
+-         if (data->linkname_alloc < linksize + 1)
+
+         if (grub_add (linksize, 1, &sz))
+           return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow"));
+
+         if (data->linkname_alloc < sz)
+            {
+              char *n;
+-             n = grub_calloc (2, linksize + 1);
+             n = grub_calloc (2, sz);
+              if (!n)
+                return grub_errno;
+              grub_free (data->linkname);
+              data->linkname = n;
+-             data->linkname_alloc = 2 * (linksize + 1);
+             data->linkname_alloc = 2 * (sz);
+            }
+ 
+          err = grub_disk_read (data->disk, 0,
+@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+          while (extra_size < sizeof (hd.prefix)
+                 && hd.prefix[extra_size])
+            extra_size++;
+-         *name = grub_malloc (sizeof (hd.name) + extra_size + 2);
+
+         if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))
+           return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow"));
+         *name = grub_malloc (sz);
+          if (*name == NULL)
+            return grub_errno;
+          if (hd.prefix[0])
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index f5112d773d..01d9be6bc2 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://0001-misc-Implement-grub_strlcpy.patch \
           file://CVE-2024-45781.patch \
           file://CVE-2024-45782_CVE-2024-56737.patch \
+           file://CVE-2024-45780.patch \
 "
 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
author	Peter Marko <peter.marko@siemens.com>	2025-03-11 19:14:12 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-03-15 06:44:47 -0700
commit	43dc093c92c7b3e84dd81283645c1aca330cb5ec (patch)
tree	a9f6d7fd5e69bb8fb9828c08560d81003025b7a5
parent	8c9962a6fd4bd7ed70e1574030348269ac3f69c5 (diff)
download	poky-43dc093c92c7b3e84dd81283645c1aca330cb5ec.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch new file mode 100644 index 0000000000..1de0099f94 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
@@ -0,0 +1,93 @@
		1	From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001
		2	From: Lidong Chen <lidong.chen@oracle.com>
		3	Date: Fri, 22 Nov 2024 06:27:58 +0000
		4	Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write
		5
		6	Both namesize and linksize are derived from hd.size, a 12-digit octal
		7	number parsed by read_number(). Later direct arithmetic calculation like
		8	"namesize + 1" and "linksize + 1" may exceed the maximum value of
		9	grub_size_t leading to heap OOB write. This patch fixes the issue by
		10	using grub_add() and checking for an overflow.
		11
		12	Fixes: CVE-2024-45780
		13
		14	Reported-by: Nils Langius <nils@langius.de>
		15	Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
		16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		17	Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
		18
		19	CVE: CVE-2024-45780
		20	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3]
		21	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		22	---
		23	grub-core/fs/tar.c \| 23 ++++++++++++++++++-----
		24	1 file changed, 18 insertions(+), 5 deletions(-)
		25
		26	diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
		27	index 646bce5eb..386c09022 100644
		28	--- a/grub-core/fs/tar.c
		29	+++ b/grub-core/fs/tar.c
		30	@@ -25,6 +25,7 @@
		31	#include <grub/mm.h>
		32	#include <grub/dl.h>
		33	#include <grub/i18n.h>
		34	+#include <grub/safemath.h>
		35
		36	GRUB_MOD_LICENSE ("GPLv3+");
		37
		38	@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data data, char *name,
		39	{
		40	struct head hd;
		41	int reread = 0, have_longname = 0, have_longlink = 0;
		42	+ grub_size_t sz;
		43
		44	data->hofs = data->next_hofs;
		45
		46	@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data data, char *name,
		47	{
		48	grub_err_t err;
		49	grub_size_t namesize = read_number (hd.size, sizeof (hd.size));
		50	- *name = grub_malloc (namesize + 1);
		51	+
		52	+ if (grub_add (namesize, 1, &sz))
		53	+ return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow"));
		54	+
		55	+ *name = grub_malloc (sz);
		56	if (*name == NULL)
		57	return grub_errno;
		58	err = grub_disk_read (data->disk, 0,
		59	@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data data, char *name,
		60	{
		61	grub_err_t err;
		62	grub_size_t linksize = read_number (hd.size, sizeof (hd.size));
		63	- if (data->linkname_alloc < linksize + 1)
		64	+
		65	+ if (grub_add (linksize, 1, &sz))
		66	+ return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow"));
		67	+
		68	+ if (data->linkname_alloc < sz)
		69	{
		70	char *n;
		71	- n = grub_calloc (2, linksize + 1);
		72	+ n = grub_calloc (2, sz);
		73	if (!n)
		74	return grub_errno;
		75	grub_free (data->linkname);
		76	data->linkname = n;
		77	- data->linkname_alloc = 2 * (linksize + 1);
		78	+ data->linkname_alloc = 2 * (sz);
		79	}
		80
		81	err = grub_disk_read (data->disk, 0,
		82	@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data data, char *name,
		83	while (extra_size < sizeof (hd.prefix)
		84	&& hd.prefix[extra_size])
		85	extra_size++;
		86	- *name = grub_malloc (sizeof (hd.name) + extra_size + 2);
		87	+
		88	+ if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))
		89	+ return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow"));
		90	+ *name = grub_malloc (sz);
		91	if (*name == NULL)
		92	return grub_errno;
		93	if (hd.prefix[0])


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index f5112d773d..01d9be6bc2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
21	file://0001-misc-Implement-grub_strlcpy.patch \	21	file://0001-misc-Implement-grub_strlcpy.patch \
22	file://CVE-2024-45781.patch \	22	file://CVE-2024-45781.patch \
23	file://CVE-2024-45782_CVE-2024-56737.patch \	23	file://CVE-2024-45782_CVE-2024-56737.patch \
		24	file://CVE-2024-45780.patch \
24	"	25	"
25		26
26	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"	27	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"