1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
new file mode 100644
index 0000000000..8bf9090f94
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
@@ -0,0 +1,63 @@
+From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Dec 2021 19:41:21 +1100
+Subject: [PATCH] net/ip: Do IP fragment maths safely
+We can receive packets with invalid IP fragmentation information. This
+can lead to rsm->total_len underflowing and becoming very large.
+Then, in grub_netbuff_alloc(), we add to this very large number, which can
+cause it to overflow and wrap back around to a small positive number.
+The allocation then succeeds, but the resulting buffer is too small and
+subsequent operations can write past the end of the buffer.
+Catch the underflow here.
+Fixes: CVE-2022-28733
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport
+CVE: CVE-2022-28733
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index e3d62e97f..3c3d0be0e 100644
+--- a/grub-core/net/ip.c
+++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
+#include <grub/safemath.h>
+ #include <grub/time.h>
+ 
+ struct iphdr {
+@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+     {
+       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+                        + (nb->tail - nb->data));
+-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
+
+      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
+                   &rsm->total_len))
+       {
+         grub_dprintf ("net", "IP reassembly size underflow\n");
+         return GRUB_ERR_NONE;
+       }
+
+       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+       if (!rsm->asm_netbuff)
+        {
+-- 
+2.34.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch new file mode 100644 index 0000000000..8bf9090f94 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
@@ -0,0 +1,63 @@
	1	From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001
	2	From: Daniel Axtens <dja@axtens.net>
	3	Date: Mon, 20 Dec 2021 19:41:21 +1100
	4	Subject: [PATCH] net/ip: Do IP fragment maths safely
	5
	6	We can receive packets with invalid IP fragmentation information. This
	7	can lead to rsm->total_len underflowing and becoming very large.
	8
	9	Then, in grub_netbuff_alloc(), we add to this very large number, which can
	10	cause it to overflow and wrap back around to a small positive number.
	11	The allocation then succeeds, but the resulting buffer is too small and
	12	subsequent operations can write past the end of the buffer.
	13
	14	Catch the underflow here.
	15
	16	Fixes: CVE-2022-28733
	17
	18	Signed-off-by: Daniel Axtens <dja@axtens.net>
	19	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	20
	21	Upstream-Status: Backport
	22	CVE: CVE-2022-28733
	23
	24	Reference to upstream patch:
	25	https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287
	26
	27	Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
	28
	29	---
	30	grub-core/net/ip.c \| 10 +++++++++-
	31	1 file changed, 9 insertions(+), 1 deletion(-)
	32
	33	diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
	34	index e3d62e97f..3c3d0be0e 100644
	35	--- a/grub-core/net/ip.c
	36	+++ b/grub-core/net/ip.c
	37	@@ -25,6 +25,7 @@
	38	#include <grub/net/netbuff.h>
	39	#include <grub/mm.h>
	40	#include <grub/priority_queue.h>
	41	+#include <grub/safemath.h>
	42	#include <grub/time.h>
	43
	44	struct iphdr {
	45	@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
	46	{
	47	rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
	48	+ (nb->tail - nb->data));
	49	- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
	50	+
	51	+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
	52	+ &rsm->total_len))
	53	+ {
	54	+ grub_dprintf ("net", "IP reassembly size underflow\n");
	55	+ return GRUB_ERR_NONE;
	56	+ }
	57	+
	58	rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
	59	if (!rsm->asm_netbuff)
	60	{
	61	--
	62	2.34.1
	63