grub2/0002-AUDIT-0-http-boot-tracker-bug.patch

From b5c3492f31a98f5ef0f9bec2c0665ad0b71ad5cb Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug

Fixing a memory leak in case of error, and a integer overflow, leading to a
heap overflow due to overly large chunk sizes.

We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.

This is no big issue for pure http boot, since its going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.

v2: Fix GCC 13 build failure (bsc#1201089)

Signed-off-by: Michael Chang <mchang@suse.com>
---
 grub-core/net/efi/net.c | 4 +++-
 grub-core/net/http.c    | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -654,8 +654,10 @@
 
       rd = efi_net_interface (read, file, chunk, sz);
 
-      if (rd <= 0)
+      if (rd <= 0) {
+	grub_free (chunk);
 	return rd;
+      }
 
       if (buf)
 	{
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -31,7 +31,8 @@
 
 enum
   {
-    HTTP_PORT = 80
+    HTTP_PORT = 80,
+    HTTP_MAX_CHUNK_SIZE = GRUB_INT_MAX
   };
 
 
@@ -86,6 +87,8 @@
   if (data->in_chunk_len == 2)
     {
       data->chunk_rem = grub_strtoul (ptr, 0, 16);
+      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+	  return GRUB_ERR_NET_PACKET_TOO_BIG;
       grub_errno = GRUB_ERR_NONE;
       if (data->chunk_rem == 0)
 	{
Accepting request 546339 from home:michael-chang:branches:Base:System - Fix http(s) boot security review (bsc#1058090) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/546339 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=285 2017-12-03 15:35:21 +01:00			`From b5c3492f31a98f5ef0f9bec2c0665ad0b71ad5cb Mon Sep 17 00:00:00 2001`
			`From: Sebastian Krahmer <krahmer@suse.com>`
			`Date: Tue, 28 Nov 2017 17:24:38 +0800`
			`Subject: [PATCH] AUDIT-0: http boot tracker bug`

			`Fixing a memory leak in case of error, and a integer overflow, leading to a`
			`heap overflow due to overly large chunk sizes.`

			`We need to check against some maximum value, otherwise values like 0xffffffff`
			`will eventually lead in the allocation functions to small sized buffers, since`
			`the len is rounded up to the next reasonable alignment. The following memcpy`
			`will then smash the heap, leading to RCE.`

			`This is no big issue for pure http boot, since its going to execute an`
			`untrusted kernel anyway, but it will break trusted boot scenarios, where only`
			`signed code is allowed to be executed.`

Accepting request 1063542 from home:michael-chang:branches:Base:System - Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064) * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch - Fix GCC 13 build failure (bsc#1201089) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/1063542 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=436 2023-02-07 08:20:35 +01:00			`v2: Fix GCC 13 build failure (bsc#1201089)`

Accepting request 546339 from home:michael-chang:branches:Base:System - Fix http(s) boot security review (bsc#1058090) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/546339 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=285 2017-12-03 15:35:21 +01:00			`Signed-off-by: Michael Chang <mchang@suse.com>`
			`---`
			`grub-core/net/efi/net.c \| 4 +++-`
			`grub-core/net/http.c \| 5 ++++-`
			`2 files changed, 7 insertions(+), 2 deletions(-)`

			`--- a/grub-core/net/efi/net.c`
			`+++ b/grub-core/net/efi/net.c`
Accepting request 1063542 from home:michael-chang:branches:Base:System - Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064) * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch - Fix GCC 13 build failure (bsc#1201089) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/1063542 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=436 2023-02-07 08:20:35 +01:00			`@@ -654,8 +654,10 @@`
Accepting request 546339 from home:michael-chang:branches:Base:System - Fix http(s) boot security review (bsc#1058090) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/546339 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=285 2017-12-03 15:35:21 +01:00
			`rd = efi_net_interface (read, file, chunk, sz);`

			`- if (rd <= 0)`
			`+ if (rd <= 0) {`
			`+ grub_free (chunk);`
			`return rd;`
			`+ }`

			`if (buf)`
			`{`
			`--- a/grub-core/net/http.c`
			`+++ b/grub-core/net/http.c`
Accepting request 1063542 from home:michael-chang:branches:Base:System - Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064) * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch - Fix GCC 13 build failure (bsc#1201089) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/1063542 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=436 2023-02-07 08:20:35 +01:00			`@@ -31,7 +31,8 @@`
Accepting request 546339 from home:michael-chang:branches:Base:System - Fix http(s) boot security review (bsc#1058090) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/546339 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=285 2017-12-03 15:35:21 +01:00
			`enum`
			`{`
			`- HTTP_PORT = 80`
			`+ HTTP_PORT = 80,`
Accepting request 1063542 from home:michael-chang:branches:Base:System - Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064) * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch - Fix GCC 13 build failure (bsc#1201089) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/1063542 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=436 2023-02-07 08:20:35 +01:00			`+ HTTP_MAX_CHUNK_SIZE = GRUB_INT_MAX`
Accepting request 546339 from home:michael-chang:branches:Base:System - Fix http(s) boot security review (bsc#1058090) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/546339 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=285 2017-12-03 15:35:21 +01:00			`};`


Accepting request 1105405 from home:michael-chang:grub:2.12rc1 - Implement NV index mode for TPM 2.0 key protector 0001-protectors-Implement-NV-index.patch - Fall back to passphrase mode when the key protector fails to unlock the disk 0002-cryptodisk-Fallback-to-passphrase.patch - Wipe out the cached key cleanly 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch - Make diskfiler to look up cryptodisk devices first 0004-diskfilter-look-up-cryptodisk-devices-first.patch - Version bump to 2.12~rc1 * Added: - grub-2.12~rc1.tar.xz * Removed: - grub-2.06.tar.xz * Patch dropped merged by new version: - grub2-GRUB_CMDLINE_LINUX_RECOVERY-for-recovery-mode.patch - grub2-s390x-02-kexec-module-added-to-emu.patch - grub2-efi-chainloader-root.patch - grub2-Fix-incorrect-netmask-on-ppc64.patch - 0001-osdep-Introduce-include-grub-osdep-major.h-and-use-i.patch - 0002-osdep-linux-hostdisk-Use-stat-instead-of-udevadm-for.patch - 0002-net-read-bracketed-ipv6-addrs-and-port-numbers.patch - grub2-s390x-10-keep-network-at-kexec.patch - 0001-Fix-build-error-in-binutils-2.36.patch - 0001-emu-fix-executable-stack-marking.patch - 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch - 0001-30_uefi-firmware-fix-printf-format-with-null-byte.patch - 0001-tpm-Pass-unknown-error-as-non-fatal-but-debug-print-.patch - 0001-Filter-out-POSIX-locale-for-translation.patch OBS-URL: https://build.opensuse.org/request/show/1105405 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=458 2023-08-24 05:25:56 +02:00			`@@ -86,6 +87,8 @@`
Accepting request 546339 from home:michael-chang:branches:Base:System - Fix http(s) boot security review (bsc#1058090) * 0002-AUDIT-0-http-boot-tracker-bug.patch OBS-URL: https://build.opensuse.org/request/show/546339 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=285 2017-12-03 15:35:21 +01:00			`if (data->in_chunk_len == 2)`
			`{`
			`data->chunk_rem = grub_strtoul (ptr, 0, 16);`
			`+ if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)`
			`+ return GRUB_ERR_NET_PACKET_TOO_BIG;`
			`grub_errno = GRUB_ERR_NONE;`
			`if (data->chunk_rem == 0)`
			`{`