rpm/grub2
SHA256
1
0
Fork 0
forked from pool/grub2
Code Pull Requests Activity
c1df6c7a1f
grub2/0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
Michael Chang be3181b1eb Accepting request 876326 from home:michael-chang:branches:Base:System 
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
  * 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  * 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  * 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  * 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  * 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  * 0036-util-mkimage-Improve-data_size-value-calculation.patch
  * 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  * 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  * 0039-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
  * 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
  * 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
  * 0025-kern-parser-Fix-a-memory-leak.patch
  * 0026-kern-parser-Introduce-process_char-helper.patch
  * 0027-kern-parser-Introduce-terminate_arg-helper.patch
  * 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  * 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
  * 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
  * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
  * 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
  * 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
  * 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch

OBS-URL: https://build.opensuse.org/request/show/876326
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=374
2021-03-03 01:40:50 +00:00

116 lines
3.7 KiB
Diff
Raw Blame History

From 6f8f29ca383eaa60a0eab00d4a934a072190c128 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 11 Dec 2020 19:19:21 +0100
Subject: [PATCH 21/46] usb: Avoid possible out-of-bound accesses caused by
malicious devices
The maximum number of configurations and interfaces are fixed but there is
no out-of-bound checking to prevent a malicious USB device to report large
values for these and cause accesses outside the arrays' memory.
Fixes: CVE-2020-25647
Reported-by: Joseph Tartaro (IOActive)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/bus/usb/usb.c | 15 ++++++++++++---
include/grub/usb.h | 10 +++++++---
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
index 8da5e4c74..7cb3cc230 100644
--- a/grub-core/bus/usb/usb.c
+++ b/grub-core/bus/usb/usb.c
@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
grub_usb_err_t
grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
{
+ if (endpoint >= GRUB_USB_MAX_TOGGLE)
+ return GRUB_USB_ERR_BADDEVICE;
+
dev->toggle[endpoint] = 0;
return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
| GRUB_USB_REQTYPE_STANDARD
@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
return err;
descdev = &dev->descdev;
- for (i = 0; i < 8; i++)
+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
dev->config[i].descconf = NULL;
- if (descdev->configcnt == 0)
+ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
{
err = GRUB_USB_ERR_BADDEVICE;
goto fail;
@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
/* Skip the configuration descriptor. */
pos = dev->config[i].descconf->length;
+ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
+ {
+ err = GRUB_USB_ERR_BADDEVICE;
+ goto fail;
+ }
+
/* Read all interfaces. */
for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
{
@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
fail:
- for (i = 0; i < 8; i++)
+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
grub_free (dev->config[i].descconf);
return err;
diff --git a/include/grub/usb.h b/include/grub/usb.h
index 512ae1dd0..6475c552f 100644
--- a/include/grub/usb.h
+++ b/include/grub/usb.h
@@ -23,6 +23,10 @@
#include <grub/usbdesc.h>
#include <grub/usbtrans.h>
+#define GRUB_USB_MAX_CONF 8
+#define GRUB_USB_MAX_IF 32
+#define GRUB_USB_MAX_TOGGLE 256
+
typedef struct grub_usb_device *grub_usb_device_t;
typedef struct grub_usb_controller *grub_usb_controller_t;
typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
@@ -167,7 +171,7 @@ struct grub_usb_configuration
struct grub_usb_desc_config *descconf;
/* Interfaces associated to this configuration. */
- struct grub_usb_interface interf[32];
+ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
};
struct grub_usb_hub_port
@@ -191,7 +195,7 @@ struct grub_usb_device
struct grub_usb_controller controller;
/* Device configurations (after opening the device). */
- struct grub_usb_configuration config[8];
+ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
/* Device address. */
int addr;
@@ -203,7 +207,7 @@ struct grub_usb_device
int initialized;
/* Data toggle values (used for bulk transfers only). */
- int toggle[256];
+ int toggle[GRUB_USB_MAX_TOGGLE];
/* Used by libusb wrapper. Schedulded for removal. */
void *data;
--
2.26.2
View Git Blame Copy Permalink