diff --git a/0002-AUDIT-0-http-boot-tracker-bug.patch b/0002-AUDIT-0-http-boot-tracker-bug.patch
new file mode 100644
index 0000000..65b12ea
--- /dev/null
+++ b/0002-AUDIT-0-http-boot-tracker-bug.patch
@@ -0,0 +1,65 @@
+From b5c3492f31a98f5ef0f9bec2c0665ad0b71ad5cb Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer
+Date: Tue, 28 Nov 2017 17:24:38 +0800
+Subject: [PATCH] AUDIT-0: http boot tracker bug
+
+Fixing a memory leak in case of error, and a integer overflow, leading to a
+heap overflow due to overly large chunk sizes.
+
+We need to check against some maximum value, otherwise values like 0xffffffff
+will eventually lead in the allocation functions to small sized buffers, since
+the len is rounded up to the next reasonable alignment. The following memcpy
+will then smash the heap, leading to RCE.
+
+This is no big issue for pure http boot, since its going to execute an
+untrusted kernel anyway, but it will break trusted boot scenarios, where only
+signed code is allowed to be executed.
+
+Signed-off-by: Michael Chang
+---
+ grub-core/net/efi/net.c | 4 +++-
+ grub-core/net/http.c | 5 ++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
+index 0bac343b4..5bc604ff0 100644
+--- a/grub-core/net/efi/net.c
++++ b/grub-core/net/efi/net.c
+@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
+ 
+ rd = efi_net_interface (read, file, chunk, sz);
+ 
+- if (rd <= 0)
++ if (rd <= 0) {
++ grub_free (chunk);
+ return rd;
++ }
+ 
+ if (buf)
+ {
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index f182d7b87..5004ecfee 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ enum
+ {
+- HTTP_PORT = 80
++ HTTP_PORT = 80,
++ HTTP_MAX_CHUNK_SIZE = 0x80000000
+ };
+ 
+ 
+@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ if (data->in_chunk_len == 2)
+ {
+ data->chunk_rem = grub_strtoul (ptr, 0, 16);
++ if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
++ return GRUB_ERR_NET_PACKET_TOO_BIG;
+ grub_errno = GRUB_ERR_NONE;
+ if (data->chunk_rem == 0)
+ {
+-- 
+2.12.0
+
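Review bot: In the http.c hunk the new guard returns the bare code `GRUB_ERR_NET_PACKET_TOO_BIG` instead of going through grub_error(), so no error message is recorded and grub_errno keeps whatever grub_strtoul left in it — the `grub_errno = GRUB_ERR_NONE;` reset just below suggests the parse can set it, and that reset is now skipped on this path, so a caller that reports via grub_errno rather than the return value may see an unrelated error or none at all. The GRUB idiom would be `return grub_error (GRUB_ERR_NET_PACKET_TOO_BIG, N_("http chunk size too large"));`. The limit also deserves a comment on the enum, since per the commit message 0x80000000 is chosen so the alignment round-up in the allocator cannot wrap the length, e.g. `/* Upper bound on one chunked-transfer chunk; keeps the aligned allocation length from wrapping on 32-bit targets. */`. In the efi/net.c hunk the added braces on `if (rd <= 0) {` use K&R placement while the surrounding code (`if (buf)` / `{`) is GNU style. Both grub_efihttp_chunk_read and parse_line begin before and continue past their hunks.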
diff --git a/grub2.changes b/grub2.changes
index d8b9b1e..58d182b 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 28 09:35:48 UTC 2017 - mchang@suse.com
+
+- Fix http(s) boot security review (bsc#1058090)
+ * 0002-AUDIT-0-http-boot-tracker-bug.patch
+
 -------------------------------------------------------------------
 Tue Nov 14 09:02:19 UTC 2017 - mchang@suse.com
 
diff --git a/grub2.spec b/grub2.spec
index c208759..0cb919e 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -272,6 +272,7 @@ Patch411: 0012-tpm-Build-tpm-as-module.patch
 Patch412: 0013-tpm-i386-pc-diskboot-img.patch
 # UEFI HTTP and related network protocol support (FATE#320130)
 Patch420: 0001-add-support-for-UEFI-network-protocols.patch
+Patch421: 0002-AUDIT-0-http-boot-tracker-bug.patch
 
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -535,6 +536,7 @@ swap partition while in resuming
 %patch411 -p1
 %patch412 -p1
 %patch420 -p1
+%patch421 -p1
 # patches above may update the timestamp of grub.texi
 # and via build-aux/mdate-sh they end up in grub2.info, breaking build-compare
 [ -z "$SOURCE_DATE_EPOCH" ] ||\