From 5c79af15504c599b58a2f3e591850876dfdb5fa2 Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Mon, 20 Dec 2021 19:41:21 +1100 Subject: [PATCH 17/32] net/ip: Do IP fragment maths safely We can receive packets with invalid IP fragmentation information. This can lead to rsm->total_len underflowing and becoming very large. Then, in grub_netbuff_alloc(), we add to this very large number, which can cause it to overflow and wrap back around to a small positive number. The allocation then succeeds, but the resulting buffer is too small and subsequent operations can write past the end of the buffer. Catch the underflow here. Fixes: CVE-2022-28733 Signed-off-by: Daniel Axtens Reviewed-by: Daniel Kiper --- grub-core/net/ip.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c index 01410798b3..937be87678 100644 --- a/grub-core/net/ip.c +++ b/grub-core/net/ip.c @@ -25,6 +25,7 @@ #include #include #include +#include #include struct iphdr { @@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, { rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) + (nb->tail - nb->data)); - rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); + + if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), + &rsm->total_len)) + { + grub_dprintf ("net", "IP reassembly size underflow\n"); + return GRUB_ERR_NONE; + } + rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); if (!rsm->asm_netbuff) { -- 2.34.1