pool/grub2
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d108ec594a
grub2/0002-AUDIT-0-http-boot-tracker-bug.patch
Michael Chang d108ec594a Accepting request 1196023 from home:michael-chang:test:grub2 
- Introduces a new package, grub2-x86_64-efi-bls, which includes a
  straightforward grubbls.efi file. This file can be copied to the EFI System
  Partition (ESP) along with boot fragments in the Boot Loader Specification
  (BLS) format
  * 0001-Streamline-BLS-and-improve-PCR-stability.patch
- Fix crash in bli module (bsc#1226497)
  * 0001-bli-Fix-crash-in-get_part_uuid.patch

- Rework package dependencies: grub2-common now includes common userland
  utilities and is required by grub2 platform packages. grub2 is now a meta
  package that pulls in the default platform package.

OBS-URL: https://build.opensuse.org/request/show/1196023
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=512
2024-08-27 05:46:01 +00:00

59 lines
1.7 KiB
Diff
Raw Blame History

From b5c3492f31a98f5ef0f9bec2c0665ad0b71ad5cb Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug
Fixing a memory leak in case of error, and a integer overflow, leading to a
heap overflow due to overly large chunk sizes.
We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.
This is no big issue for pure http boot, since its going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.
v2: Fix GCC 13 build failure (bsc#1201089)
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/net/efi/net.c | 4 +++-
grub-core/net/http.c | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)
--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -654,8 +654,10 @@
rd = efi_net_interface (read, file, chunk, sz);
- if (rd <= 0)
+ if (rd <= 0) {
+ grub_free (chunk);
return rd;
+ }
if (buf)
{
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -30,6 +30,7 @@
GRUB_MOD_LICENSE ("GPLv3+");
#define HTTP_PORT ((grub_uint16_t) 80)
+#define HTTP_MAX_CHUNK_SIZE GRUB_INT_MAX
typedef struct http_data
{
@@ -82,6 +83,8 @@
if (data->in_chunk_len == 2)
{
data->chunk_rem = grub_strtoul (ptr, 0, 16);
+ if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+ return GRUB_ERR_NET_PACKET_TOO_BIG;
grub_errno = GRUB_ERR_NONE;
if (data->chunk_rem == 0)
{
Reference in New Issue View Git Blame Copy Permalink