grub: Fix for CVE-2023-4692 and CVE-2023-4693

CVE: CVE-2023-4692 Crafted file system images can cause heap-based buffer overflow and may allow arbitrary code execution and secure boot bypass. Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] CVE: CVE-2023-4693 There an out-of-bounds read at fs/ntfs.c, a physically present attacker may leverage that by presenting a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack may allow sensitive data cached in memory or EFI variables values to be leaked presenting a high Confidentiality risk. Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94] (From OE-Core rev: a8bc6f041599ce8da275c163c87f155a2f09369c) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Xiangyu Chen <xiangyu.chen@windriver.com> 2023-11-09 12:35:29 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-11-10 17:44:27 +0000
commit: 8e73cd04459eb6e5feac9331f3381a5fc8f5367a (patch)
tree: ebb1820d9ca8208995e34797dc86cce132524d47
parent: 1f5d257006cc5dd0d676c4a7ebe4ea89b773e137 (diff)
download: poky-8e73cd04459eb6e5feac9331f3381a5fc8f5367a.tar.gz
3 files changed, 163 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 0000000000..305fcc93d8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,98 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
+ for the $MFT file
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+Fixes: CVE-2023-4692
+Upstream-Status: Backport from 
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+CVE: CVE-2023-4692
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index bbdbe24..c3c4db1 100644
+--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+     }
+   if (at->attr_end)
+     {
+-      grub_uint8_t *pa;
+      grub_uint8_t *pa, *pa_end;
+ 
+       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+       if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+            }
+          at->attr_nxt = at->edat_buf;
+          at->attr_end = at->edat_buf + u32at (pa, 0x30);
+         pa_end = at->edat_buf + n;
+        }
+       else
+        {
+          at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+          at->attr_end = at->attr_end + u32at (pa, 4);
+         pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+        }
+       at->flags |= GRUB_NTFS_AF_ALST;
+       while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+          at->flags |= GRUB_NTFS_AF_GPOS;
+          at->attr_cur = at->attr_nxt;
+          pa = at->attr_cur;
+
+         if ((pa >= pa_end) || (pa_end - pa < 0x18))
+           {
+             grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
+             return NULL;
+           }
+
+          grub_set_unaligned32 ((char *) pa + 0x10,
+                                grub_cpu_to_le32 (at->mft->data->mft_start));
+          grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+            {
+              if (*pa != attr)
+                break;
+
+              if ((pa >= pa_end) || (pa_end - pa < 0x18))
+                {
+                 grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
+                 return NULL;
+               }
+
+              if (read_attr
+                  (at, pa + 0x10,
+                   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+-- 
+cgit v1.1
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..420fe92ac3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,63 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@...>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
+ attribute
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+Fixes: CVE-2023-4693
+Upstream-Status: Backport from 
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Reported-by: Maxim Suhanov <dfirblog@...>
+Signed-off-by: Maxim Suhanov <dfirblog@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c3c4db1..a68e173 100644
+--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+        return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
+
+      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
+
+      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
+         (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
+       return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 
+-- 
+cgit v1.1
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 41839698dc..f594e7d3a4 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -42,6 +42,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2022-3775.patch \
           file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \
           file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \
+           file://CVE-2023-4692.patch \
+           file://CVE-2023-4693.patch \
 "
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
author	Xiangyu Chen <xiangyu.chen@windriver.com>	2023-11-09 12:35:29 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-11-10 17:44:27 +0000
commit	8e73cd04459eb6e5feac9331f3381a5fc8f5367a (patch)
tree	ebb1820d9ca8208995e34797dc86cce132524d47
parent	1f5d257006cc5dd0d676c4a7ebe4ea89b773e137 (diff)
download	poky-8e73cd04459eb6e5feac9331f3381a5fc8f5367a.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch new file mode 100644 index 0000000000..305fcc93d8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,98 @@
		1	From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
		2	From: Maxim Suhanov <dfirblog@gmail.com>
		3	Date: Mon, 28 Aug 2023 16:31:57 +0300
		4	Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
		5	for the $MFT file
		6
		7	When parsing an extremely fragmented $MFT file, i.e., the file described
		8	using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
		9	containing bytes read from the underlying drive to store sector numbers,
		10	which are consumed later to read data from these sectors into another buffer.
		11
		12	These sectors numbers, two 32-bit integers, are always stored at predefined
		13	offsets, 0x10 and 0x14, relative to first byte of the selected entry within
		14	the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
		15
		16	However, when parsing a specially-crafted file system image, this may cause
		17	the NTFS code to write these integers beyond the buffer boundary, likely
		18	causing the GRUB memory allocator to misbehave or fail. These integers contain
		19	values which are controlled by on-disk structures of the NTFS file system.
		20
		21	Such modification and resulting misbehavior may touch a memory range not
		22	assigned to the GRUB and owned by firmware or another EFI application/driver.
		23
		24	This fix introduces checks to ensure that these sector numbers are never
		25	written beyond the boundary.
		26
		27	Fixes: CVE-2023-4692
		28
		29	Upstream-Status: Backport from
		30	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
		31	CVE: CVE-2023-4692
		32
		33	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
		34	Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
		35	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		36	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		37	---
		38	grub-core/fs/ntfs.c \| 18 +++++++++++++++++-
		39	1 file changed, 17 insertions(+), 1 deletion(-)
		40
		41	diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
		42	index bbdbe24..c3c4db1 100644
		43	--- a/grub-core/fs/ntfs.c
		44	+++ b/grub-core/fs/ntfs.c
		45	@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
		46	}
		47	if (at->attr_end)
		48	{
		49	- grub_uint8_t *pa;
		50	+ grub_uint8_t pa, pa_end;
		51
		52	at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
		53	if (at->emft_buf == NULL)
		54	@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
		55	}
		56	at->attr_nxt = at->edat_buf;
		57	at->attr_end = at->edat_buf + u32at (pa, 0x30);
		58	+ pa_end = at->edat_buf + n;
		59	}
		60	else
		61	{
		62	at->attr_nxt = at->attr_end + u16at (pa, 0x14);
		63	at->attr_end = at->attr_end + u32at (pa, 4);
		64	+ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
		65	}
		66	at->flags \|= GRUB_NTFS_AF_ALST;
		67	while (at->attr_nxt < at->attr_end)
		68	@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
		69	at->flags \|= GRUB_NTFS_AF_GPOS;
		70	at->attr_cur = at->attr_nxt;
		71	pa = at->attr_cur;
		72	+
		73	+ if ((pa >= pa_end) \|\| (pa_end - pa < 0x18))
		74	+ {
		75	+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
		76	+ return NULL;
		77	+ }
		78	+
		79	grub_set_unaligned32 ((char *) pa + 0x10,
		80	grub_cpu_to_le32 (at->mft->data->mft_start));
		81	grub_set_unaligned32 ((char *) pa + 0x14,
		82	@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
		83	{
		84	if (*pa != attr)
		85	break;
		86	+
		87	+ if ((pa >= pa_end) \|\| (pa_end - pa < 0x18))
		88	+ {
		89	+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
		90	+ return NULL;
		91	+ }
		92	+
		93	if (read_attr
		94	(at, pa + 0x10,
		95	u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
		96	--
		97	cgit v1.1
		98


diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch new file mode 100644 index 0000000000..420fe92ac3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,63 @@
		1	From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
		2	From: Maxim Suhanov <dfirblog@...>
		3	Date: Mon, 28 Aug 2023 16:32:33 +0300
		4	Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
		5	attribute
		6
		7	When reading a file containing resident data, i.e., the file data is stored in
		8	the $DATA attribute within the NTFS file record, not in external clusters,
		9	there are no checks that this resident data actually fits the corresponding
		10	file record segment.
		11
		12	When parsing a specially-crafted file system image, the current NTFS code will
		13	read the file data from an arbitrary, attacker-chosen memory offset and of
		14	arbitrary, attacker-chosen length.
		15
		16	This allows an attacker to display arbitrary chunks of memory, which could
		17	contain sensitive information like password hashes or even plain-text,
		18	obfuscated passwords from BS EFI variables.
		19
		20	This fix implements a check to ensure that resident data is read from the
		21	corresponding file record segment only.
		22
		23	Fixes: CVE-2023-4693
		24
		25	Upstream-Status: Backport from
		26	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
		27	CVE: CVE-2023-4693
		28
		29	Reported-by: Maxim Suhanov <dfirblog@...>
		30	Signed-off-by: Maxim Suhanov <dfirblog@...>
		31	Reviewed-by: Daniel Kiper <daniel.kiper@...>
		32	Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
		33	---
		34	grub-core/fs/ntfs.c \| 13 ++++++++++++-
		35	1 file changed, 12 insertions(+), 1 deletion(-)
		36
		37	diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
		38	index c3c4db1..a68e173 100644
		39	--- a/grub-core/fs/ntfs.c
		40	+++ b/grub-core/fs/ntfs.c
		41	@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr at, grub_uint8_t pa, grub_uint8_t *dest,
		42	{
		43	if (ofs + len > u32at (pa, 0x10))
		44	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
		45	- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
		46	+
		47	+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
		48	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
		49	+
		50	+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
		51	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
		52	+
		53	+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
		54	+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
		55	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
		56	+
		57	+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
		58	return 0;
		59	}
		60
		61	--
		62	cgit v1.1
		63


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 41839698dc..f594e7d3a4 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -42,6 +42,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
42	file://CVE-2022-3775.patch \	42	file://CVE-2022-3775.patch \
43	file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \	43	file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \
44	file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \	44	file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \
		45	file://CVE-2023-4692.patch \
		46	file://CVE-2023-4693.patch \
45	"	47	"
46		48
47	SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"	49	SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"