grub2/0017-net-ip-Do-IP-fragment-maths-safely.patch

From 5c79af15504c599b58a2f3e591850876dfdb5fa2 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 20 Dec 2021 19:41:21 +1100
Subject: [PATCH 17/32] net/ip: Do IP fragment maths safely

We can receive packets with invalid IP fragmentation information. This
can lead to rsm->total_len underflowing and becoming very large.

Then, in grub_netbuff_alloc(), we add to this very large number, which can
cause it to overflow and wrap back around to a small positive number.
The allocation then succeeds, but the resulting buffer is too small and
subsequent operations can write past the end of the buffer.

Catch the underflow here.

Fixes: CVE-2022-28733

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/net/ip.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
index 01410798b3..937be87678 100644
--- a/grub-core/net/ip.c
+++ b/grub-core/net/ip.c
@@ -25,6 +25,7 @@
 #include <grub/net/netbuff.h>
 #include <grub/mm.h>
 #include <grub/priority_queue.h>
+#include <grub/safemath.h>
 #include <grub/time.h>
 
 struct iphdr {
@@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
     {
       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
 			+ (nb->tail - nb->data));
-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
+
+      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
+		    &rsm->total_len))
+	{
+	  grub_dprintf ("net", "IP reassembly size underflow\n");
+	  return GRUB_ERR_NONE;
+	}
+
       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
       if (!rsm->asm_netbuff)
 	{
-- 
2.34.1
Accepting request 981228 from home:michael-chang:branches:Base:System - Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416 2022-06-08 05:04:17 +02:00			`From 5c79af15504c599b58a2f3e591850876dfdb5fa2 Mon Sep 17 00:00:00 2001`
			`From: Daniel Axtens <dja@axtens.net>`
			`Date: Mon, 20 Dec 2021 19:41:21 +1100`
			`Subject: [PATCH 17/32] net/ip: Do IP fragment maths safely`

			`We can receive packets with invalid IP fragmentation information. This`
			`can lead to rsm->total_len underflowing and becoming very large.`

			`Then, in grub_netbuff_alloc(), we add to this very large number, which can`
			`cause it to overflow and wrap back around to a small positive number.`
			`The allocation then succeeds, but the resulting buffer is too small and`
			`subsequent operations can write past the end of the buffer.`

			`Catch the underflow here.`

			`Fixes: CVE-2022-28733`

			`Signed-off-by: Daniel Axtens <dja@axtens.net>`
			`Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>`
			`---`
			`grub-core/net/ip.c \| 10 +++++++++-`
			`1 file changed, 9 insertions(+), 1 deletion(-)`

			`diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c`
			`index 01410798b3..937be87678 100644`
			`--- a/grub-core/net/ip.c`
			`+++ b/grub-core/net/ip.c`
			`@@ -25,6 +25,7 @@`
			`#include <grub/net/netbuff.h>`
			`#include <grub/mm.h>`
			`#include <grub/priority_queue.h>`
			`+#include <grub/safemath.h>`
			`#include <grub/time.h>`

			`struct iphdr {`
			`@@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,`
			`{`
			`rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)`
			`+ (nb->tail - nb->data));`
			`- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));`
			`+`
			`+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),`
			`+ &rsm->total_len))`
			`+ {`
			`+ grub_dprintf ("net", "IP reassembly size underflow\n");`
			`+ return GRUB_ERR_NONE;`
			`+ }`
			`+`
			`rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);`
			`if (!rsm->asm_netbuff)`
			`{`
			`--`
			`2.34.1`