grub: patch CVE-2024-45777

Cherry-pick patch mentioning this CVE. (From OE-Core rev: 2ec4bcda16b92cabf7cf5cb7c68cbe45da269364) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-03-11 19:17:20 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-03-15 06:40:08 -0700
commit: 5690f247a45b938d531181ee8ef2580a326ff3f9 (patch)
tree: ff8ff9c3c53c56b1754e38fced6db81ea6d401be
parent: 322d87b846231d63c554b7414ce99ac6bef1e7e9 (diff)
download: poky-5690f247a45b938d531181ee8ef2580a326ff3f9.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
new file mode 100644
index 0000000000..0305a95fd5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
@@ -0,0 +1,57 @@
+From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:57 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
+The size calculation of the translation buffer in
+grub_gettext_getstr_from_position() may overflow
+to 0 leading to heap OOB write. This patch fixes
+the issue by using grub_add() and checking for
+an overflow.
+Fixes: CVE-2024-45777
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+CVE: CVE-2024-45777
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/gettext/gettext.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 63bb1ab73..9ffc73428 100644
+--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
+@@ -26,6 +26,7 @@
+ #include <grub/file.h>
+ #include <grub/kernel.h>
+ #include <grub/i18n.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   char *translation;
+   struct string_descriptor desc;
+   grub_err_t err;
+  grub_size_t alloc_sz;
+ 
+   internal_position = (off + position * sizeof (desc));
+ 
+@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   length = grub_cpu_to_le32 (desc.length);
+   offset = grub_cpu_to_le32 (desc.offset);
+ 
+-  translation = grub_malloc (length + 1);
+  if (grub_add (length, 1, &alloc_sz))
+    return NULL;
+
+  translation = grub_malloc (alloc_sz);
+   if (!translation)
+     return NULL;
+ 
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index e4dca6613c..fb33c2bd98 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -31,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2025-0622-02.patch \
           file://CVE-2025-0622-03.patch \
           file://CVE-2024-45776.patch \
+           file://CVE-2024-45777.patch \
 "
 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
author	Peter Marko <peter.marko@siemens.com>	2025-03-11 19:17:20 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-03-15 06:40:08 -0700
commit	5690f247a45b938d531181ee8ef2580a326ff3f9 (patch)
tree	ff8ff9c3c53c56b1754e38fced6db81ea6d401be
parent	322d87b846231d63c554b7414ce99ac6bef1e7e9 (diff)
download	poky-5690f247a45b938d531181ee8ef2580a326ff3f9.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch new file mode 100644 index 0000000000..0305a95fd5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
@@ -0,0 +1,57 @@
		1	From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001
		2	From: Lidong Chen <lidong.chen@oracle.com>
		3	Date: Fri, 22 Nov 2024 06:27:57 +0000
		4	Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
		5
		6	The size calculation of the translation buffer in
		7	grub_gettext_getstr_from_position() may overflow
		8	to 0 leading to heap OOB write. This patch fixes
		9	the issue by using grub_add() and checking for
		10	an overflow.
		11
		12	Fixes: CVE-2024-45777
		13
		14	Reported-by: Nils Langius <nils@langius.de>
		15	Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
		16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		17	Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
		18
		19	CVE: CVE-2024-45777
		20	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515]
		21	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		22	---
		23	grub-core/gettext/gettext.c \| 7 ++++++-
		24	1 file changed, 6 insertions(+), 1 deletion(-)
		25
		26	diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
		27	index 63bb1ab73..9ffc73428 100644
		28	--- a/grub-core/gettext/gettext.c
		29	+++ b/grub-core/gettext/gettext.c
		30	@@ -26,6 +26,7 @@
		31	#include <grub/file.h>
		32	#include <grub/kernel.h>
		33	#include <grub/i18n.h>
		34	+#include <grub/safemath.h>
		35
		36	GRUB_MOD_LICENSE ("GPLv3+");
		37
		38	@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
		39	char *translation;
		40	struct string_descriptor desc;
		41	grub_err_t err;
		42	+ grub_size_t alloc_sz;
		43
		44	internal_position = (off + position * sizeof (desc));
		45
		46	@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
		47	length = grub_cpu_to_le32 (desc.length);
		48	offset = grub_cpu_to_le32 (desc.offset);
		49
		50	- translation = grub_malloc (length + 1);
		51	+ if (grub_add (length, 1, &alloc_sz))
		52	+ return NULL;
		53	+
		54	+ translation = grub_malloc (alloc_sz);
		55	if (!translation)
		56	return NULL;
		57


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index e4dca6613c..fb33c2bd98 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -31,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
31	file://CVE-2025-0622-02.patch \	31	file://CVE-2025-0622-02.patch \
32	file://CVE-2025-0622-03.patch \	32	file://CVE-2025-0622-03.patch \
33	file://CVE-2024-45776.patch \	33	file://CVE-2024-45776.patch \
		34	file://CVE-2024-45777.patch \
34	"	35	"
35		36
36	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"	37	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"