summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYogita Urade <yogita.urade@windriver.com>2023-11-17 11:13:49 +0000
committerSteve Sakoman <steve@sakoman.com>2023-11-28 05:00:32 -1000
commitf9527fb2ac6291ed0e0399fcc410c6718c23c410 (patch)
tree5ff8577af1839c5eb7ad55c14abc8af4f0228ee8
parente447b4139fced579feb92006f447d0e5ef11364f (diff)
downloadpoky-f9527fb2ac6291ed0e0399fcc410c6718c23c410.tar.gz
grub: fix CVE-2023-4692
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved. References: https://nvd.nist.gov/vuln/detail/CVE-2023-4692 https://bugzilla.redhat.com/show_bug.cgi?id=2236613 (From OE-Core rev: c89835b37366dde6c74f8221fd5a295ecabf8225) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4692.patch97
-rw-r--r--meta/recipes-bsp/grub/grub2.inc1
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 0000000000..4780e35b7a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
1From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
2From: Maxim Suhanov <dfirblog@gmail.com>
3Date: Thu, 16 Nov 2023 07:21:50 +0000
4Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
5 attribute for the $MFT file
6
7When parsing an extremely fragmented $MFT file, i.e., the file described
8using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
9containing bytes read from the underlying drive to store sector numbers,
10which are consumed later to read data from these sectors into another buffer.
11
12These sectors numbers, two 32-bit integers, are always stored at predefined
13offsets, 0x10 and 0x14, relative to first byte of the selected entry within
14the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
15
16However, when parsing a specially-crafted file system image, this may cause
17the NTFS code to write these integers beyond the buffer boundary, likely
18causing the GRUB memory allocator to misbehave or fail. These integers contain
19values which are controlled by on-disk structures of the NTFS file system.
20
21Such modification and resulting misbehavior may touch a memory range not
22assigned to the GRUB and owned by firmware or another EFI application/driver.
23
24This fix introduces checks to ensure that these sector numbers are never
25written beyond the boundary.
26
27Fixes: CVE-2023-4692
28
29Reported-by: Maxim Suhanov <dfirblog@gmail.com>
30Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
31Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
32
33CVE: CVE-2023-4692
34Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
35
36Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
37---
38 grub-core/fs/ntfs.c | 18 +++++++++++++++++-
39 1 file changed, 17 insertions(+), 1 deletion(-)
40
41diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
42index 2f34f76..6009e49 100644
43--- a/grub-core/fs/ntfs.c
44+++ b/grub-core/fs/ntfs.c
45@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
46 }
47 if (at->attr_end)
48 {
49- grub_uint8_t *pa;
50+ grub_uint8_t *pa, *pa_end;
51
52 at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
53 if (at->emft_buf == NULL)
54@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
55 }
56 at->attr_nxt = at->edat_buf;
57 at->attr_end = at->edat_buf + u32at (pa, 0x30);
58+ pa_end = at->edat_buf + n;
59 }
60 else
61 {
62 at->attr_nxt = at->attr_end + u16at (pa, 0x14);
63 at->attr_end = at->attr_end + u32at (pa, 4);
64+ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
65 }
66 at->flags |= GRUB_NTFS_AF_ALST;
67 while (at->attr_nxt < at->attr_end)
68@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
69 at->flags |= GRUB_NTFS_AF_GPOS;
70 at->attr_cur = at->attr_nxt;
71 pa = at->attr_cur;
72+
73+ if ((pa >= pa_end) || (pa_end - pa < 0x18))
74+ {
75+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
76+ return NULL;
77+ }
78+
79 grub_set_unaligned32 ((char *) pa + 0x10,
80 grub_cpu_to_le32 (at->mft->data->mft_start));
81 grub_set_unaligned32 ((char *) pa + 0x14,
82@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
83 {
84 if (*pa != attr)
85 break;
86+
87+ if ((pa >= pa_end) || (pa_end - pa < 0x18))
88+ {
89+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
90+ return NULL;
91+ }
92+
93 if (read_attr
94 (at, pa + 0x10,
95 u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
96--
972.40.0
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index c14fe315d3..aaee8a1e03 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -38,6 +38,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
38 file://loader-efi-chainloader-Simplify-the-loader-state.patch \ 38 file://loader-efi-chainloader-Simplify-the-loader-state.patch \
39 file://commands-boot-Add-API-to-pass-context-to-loader.patch \ 39 file://commands-boot-Add-API-to-pass-context-to-loader.patch \
40 file://CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch \ 40 file://CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch \
41 file://CVE-2023-4692.patch \
41" 42"
42 43
43SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" 44SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"