forked from pool/grub2
e016790fe1
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
172 lines
4.8 KiB
Diff
172 lines
4.8 KiB
Diff
From 7be3f3b1b7be0602056721526878c91d3333f8fd Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Tue, 6 Jul 2021 18:51:35 +1000
|
|
Subject: [PATCH 09/32] video/readers/png: Drop greyscale support to fix heap
|
|
out-of-bounds write
|
|
|
|
A 16-bit greyscale PNG without alpha is processed in the following loop:
|
|
|
|
for (i = 0; i < (data->image_width * data->image_height);
|
|
i++, d1 += 4, d2 += 2)
|
|
{
|
|
d1[R3] = d2[1];
|
|
d1[G3] = d2[1];
|
|
d1[B3] = d2[1];
|
|
}
|
|
|
|
The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
|
|
but there are only 3 bytes allocated for storage. This means that image
|
|
data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
|
|
out of every 4 following the end of the image.
|
|
|
|
This has existed since greyscale support was added in 2013 in commit
|
|
3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
|
|
|
|
Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
|
|
and attempting to load it causes grub-emu to crash - I don't think this code
|
|
has ever worked.
|
|
|
|
Delete all PNG greyscale support.
|
|
|
|
Fixes: CVE-2021-3695
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/video/readers/png.c | 87 +++--------------------------------
|
|
1 file changed, 7 insertions(+), 80 deletions(-)
|
|
|
|
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
|
|
index 35ae553c8e..a3161e25b6 100644
|
|
--- a/grub-core/video/readers/png.c
|
|
+++ b/grub-core/video/readers/png.c
|
|
@@ -100,7 +100,7 @@ struct grub_png_data
|
|
|
|
unsigned image_width, image_height;
|
|
int bpp, is_16bit;
|
|
- int raw_bytes, is_gray, is_alpha, is_palette;
|
|
+ int raw_bytes, is_alpha, is_palette;
|
|
int row_bytes, color_bits;
|
|
grub_uint8_t *image_data;
|
|
|
|
@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
|
|
data->bpp = 3;
|
|
else
|
|
{
|
|
- data->is_gray = 1;
|
|
- data->bpp = 1;
|
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
+ "png: color type not supported");
|
|
}
|
|
|
|
if ((color_bits != 8) && (color_bits != 16)
|
|
&& (color_bits != 4
|
|
- || !(data->is_gray || data->is_palette)))
|
|
+ || !data->is_palette))
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
"png: bit depth must be 8 or 16");
|
|
|
|
@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
|
|
}
|
|
|
|
#ifndef GRUB_CPU_WORDS_BIGENDIAN
|
|
- if (data->is_16bit || data->is_gray || data->is_palette)
|
|
+ if (data->is_16bit || data->is_palette)
|
|
#endif
|
|
{
|
|
data->image_data = grub_calloc (data->image_height, data->row_bytes);
|
|
@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
|
|
int shift;
|
|
int mask = (1 << data->color_bits) - 1;
|
|
unsigned j;
|
|
- if (data->is_gray)
|
|
- {
|
|
- /* Generic formula is
|
|
- (0xff * i) / ((1U << data->color_bits) - 1)
|
|
- but for allowed bit depth of 1, 2 and for it's
|
|
- equivalent to
|
|
- (0xff / ((1U << data->color_bits) - 1)) * i
|
|
- Precompute the multipliers to avoid division.
|
|
- */
|
|
-
|
|
- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
|
|
- for (i = 0; i < (1U << data->color_bits); i++)
|
|
- {
|
|
- grub_uint8_t col = multipliers[data->color_bits] * i;
|
|
- palette[i][0] = col;
|
|
- palette[i][1] = col;
|
|
- palette[i][2] = col;
|
|
- }
|
|
- }
|
|
- else
|
|
- grub_memcpy (palette, data->palette, 3 << data->color_bits);
|
|
+
|
|
+ grub_memcpy (palette, data->palette, 3 << data->color_bits);
|
|
d1c = d1;
|
|
d2c = d2;
|
|
for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
|
|
@@ -957,60 +938,6 @@ grub_png_convert_image (struct grub_png_data *data)
|
|
return;
|
|
}
|
|
|
|
- if (data->is_gray)
|
|
- {
|
|
- switch (data->bpp)
|
|
- {
|
|
- case 4:
|
|
- /* 16-bit gray with alpha. */
|
|
- for (i = 0; i < (data->image_width * data->image_height);
|
|
- i++, d1 += 4, d2 += 4)
|
|
- {
|
|
- d1[R4] = d2[3];
|
|
- d1[G4] = d2[3];
|
|
- d1[B4] = d2[3];
|
|
- d1[A4] = d2[1];
|
|
- }
|
|
- break;
|
|
- case 2:
|
|
- if (data->is_16bit)
|
|
- /* 16-bit gray without alpha. */
|
|
- {
|
|
- for (i = 0; i < (data->image_width * data->image_height);
|
|
- i++, d1 += 4, d2 += 2)
|
|
- {
|
|
- d1[R3] = d2[1];
|
|
- d1[G3] = d2[1];
|
|
- d1[B3] = d2[1];
|
|
- }
|
|
- }
|
|
- else
|
|
- /* 8-bit gray with alpha. */
|
|
- {
|
|
- for (i = 0; i < (data->image_width * data->image_height);
|
|
- i++, d1 += 4, d2 += 2)
|
|
- {
|
|
- d1[R4] = d2[1];
|
|
- d1[G4] = d2[1];
|
|
- d1[B4] = d2[1];
|
|
- d1[A4] = d2[0];
|
|
- }
|
|
- }
|
|
- break;
|
|
- /* 8-bit gray without alpha. */
|
|
- case 1:
|
|
- for (i = 0; i < (data->image_width * data->image_height);
|
|
- i++, d1 += 3, d2++)
|
|
- {
|
|
- d1[R3] = d2[0];
|
|
- d1[G3] = d2[0];
|
|
- d1[B3] = d2[0];
|
|
- }
|
|
- break;
|
|
- }
|
|
- return;
|
|
- }
|
|
-
|
|
{
|
|
/* Only copy the upper 8 bit. */
|
|
#ifndef GRUB_CPU_WORDS_BIGENDIAN
|
|
--
|
|
2.34.1
|
|
|