Accepting request 546339 from home:michael-chang:branches:Base:System

- Fix http(s) boot security review (bsc#1058090)
  * 0002-AUDIT-0-http-boot-tracker-bug.patch

OBS-URL: https://build.opensuse.org/request/show/546339
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=285

0002-AUDIT-0-http-boot-tracker-bug.patch

@@ -0,0 +1,65 @@
+From b5c3492f31a98f5ef0f9bec2c0665ad0b71ad5cb Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Tue, 28 Nov 2017 17:24:38 +0800
+Subject: [PATCH] AUDIT-0: http boot tracker bug
+
+Fixing a memory leak in case of error, and a integer overflow, leading to a
+heap overflow due to overly large chunk sizes.
+
+We need to check against some maximum value, otherwise values like 0xffffffff
+will eventually lead in the allocation functions to small sized buffers, since
+the len is rounded up to the next reasonable alignment. The following memcpy
+will then smash the heap, leading to RCE.
+
+This is no big issue for pure http boot, since its going to execute an
+untrusted kernel anyway, but it will break trusted boot scenarios, where only
+signed code is allowed to be executed.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/net/efi/net.c | 4 +++-
+ grub-core/net/http.c    | 5 ++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
+index 0bac343b4..5bc604ff0 100644
+--- a/grub-core/net/efi/net.c
++++ b/grub-core/net/efi/net.c
+@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
+ 
+       rd = efi_net_interface (read, file, chunk, sz);
+ 
+-      if (rd <= 0)
++      if (rd <= 0) {
++	grub_free (chunk);
+ 	return rd;
++      }
+ 
+       if (buf)
+ 	{
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index f182d7b87..5004ecfee 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ enum
+   {
+-    HTTP_PORT = 80
++    HTTP_PORT = 80,
++    HTTP_MAX_CHUNK_SIZE = 0x80000000
+   };
+ 
+ 
+@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+   if (data->in_chunk_len == 2)
+     {
+       data->chunk_rem = grub_strtoul (ptr, 0, 16);
++      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
++	  return GRUB_ERR_NET_PACKET_TOO_BIG;
+       grub_errno = GRUB_ERR_NONE;
+       if (data->chunk_rem == 0)
+ 	{
+-- 
+2.12.0
+

grub2.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 28 09:35:48 UTC 2017 - mchang@suse.com
+
+- Fix http(s) boot security review (bsc#1058090)
+  * 0002-AUDIT-0-http-boot-tracker-bug.patch 
+
 -------------------------------------------------------------------
 Tue Nov 14 09:02:19 UTC 2017 - mchang@suse.com
 

grub2.spec

@@ -272,6 +272,7 @@ Patch411:       0012-tpm-Build-tpm-as-module.patch
 Patch412:       0013-tpm-i386-pc-diskboot-img.patch
 # UEFI HTTP and related network protocol support (FATE#320130)
 Patch420:       0001-add-support-for-UEFI-network-protocols.patch
+Patch421:       0002-AUDIT-0-http-boot-tracker-bug.patch
 
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -535,6 +536,7 @@ swap partition while in resuming
 %patch411 -p1
 %patch412 -p1
 %patch420 -p1
+%patch421 -p1
 # patches above may update the timestamp of grub.texi
 # and via build-aux/mdate-sh they end up in grub2.info, breaking build-compare
 [ -z "$SOURCE_DATE_EPOCH" ] ||\