forked from pool/grub2
fd4fd3a935
- Security fixes and hardenings * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - Fix CVE-2022-2601 (bsc#1205178) * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch * 0004-font-Remove-grub_font_dup_glyph.patch * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch * 0006-font-Fix-integer-overflow-in-BMP-index.patch * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch * 0008-fbutil-Fix-integer-overflow.patch - Fix CVE-2022-3775 (bsc#1205182) * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch - Bump upstream SBAT generation to 3 OBS-URL: https://build.opensuse.org/request/show/1035936 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=426
86 lines
3.6 KiB
Diff
86 lines
3.6 KiB
Diff
From 17e9006484e3da9a38a79f5f0f28f18a15fc4cf8 Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Tue, 6 Sep 2022 03:03:21 +0800
|
|
Subject: [PATCH 08/12] fbutil: Fix integer overflow
|
|
|
|
Expressions like u64 = u32 * u32 are unsafe because their products are
|
|
truncated to u32 even if left hand side is u64. This patch fixes all
|
|
problems like that one in fbutil.
|
|
|
|
To get right result not only left hand side have to be u64 but it's also
|
|
necessary to cast at least one of the operands of all leaf operators of
|
|
right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
|
|
u64 = (u64)u32 * u32 + (u64)u32 * u32.
|
|
|
|
For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
|
|
combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
|
|
not overflow grub_uint64_t.
|
|
|
|
Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
|
|
They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
|
|
|
|
This patch also adds a comment to grub_video_fb_get_video_ptr() which
|
|
says it's arguments must be valid and no sanity check is performed
|
|
(like its siblings in grub-core/video/fb/fbutil.c).
|
|
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/video/fb/fbutil.c | 4 ++--
|
|
include/grub/fbutil.h | 13 +++++++++----
|
|
2 files changed, 11 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c
|
|
index b98bb51fe..25ef39f47 100644
|
|
--- a/grub-core/video/fb/fbutil.c
|
|
+++ b/grub-core/video/fb/fbutil.c
|
|
@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source,
|
|
case 1:
|
|
if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
|
|
{
|
|
- int bit_index = y * source->mode_info->width + x;
|
|
+ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
|
|
grub_uint8_t *ptr = source->data + bit_index / 8;
|
|
int bit_pos = 7 - bit_index % 8;
|
|
color = (*ptr >> bit_pos) & 0x01;
|
|
@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source,
|
|
case 1:
|
|
if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
|
|
{
|
|
- int bit_index = y * source->mode_info->width + x;
|
|
+ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
|
|
grub_uint8_t *ptr = source->data + bit_index / 8;
|
|
int bit_pos = 7 - bit_index % 8;
|
|
*ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos);
|
|
diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h
|
|
index 4205eb917..78a1ab3b4 100644
|
|
--- a/include/grub/fbutil.h
|
|
+++ b/include/grub/fbutil.h
|
|
@@ -31,14 +31,19 @@ struct grub_video_fbblit_info
|
|
grub_uint8_t *data;
|
|
};
|
|
|
|
-/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
|
|
- and it doesn't make sense, in general, to ask for a pointer
|
|
- to a particular pixel's data. */
|
|
+/*
|
|
+ * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
|
|
+ * and it doesn't make sense, in general, to ask for a pointer
|
|
+ * to a particular pixel's data.
|
|
+ *
|
|
+ * This function assumes that bounds checking has been done in previous phase
|
|
+ * and they are opted out in here.
|
|
+ */
|
|
static inline void *
|
|
grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source,
|
|
unsigned int x, unsigned int y)
|
|
{
|
|
- return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel;
|
|
+ return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel;
|
|
}
|
|
|
|
/* Advance pointer by VAL bytes. If there is no unaligned access available,
|
|
--
|
|
2.35.3
|
|
|