forked from pool/grub2
e016790fe1
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
74 lines
2.2 KiB
Diff
74 lines
2.2 KiB
Diff
From e33af61c202972c81aaccdd395d61855e1584f66 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Mon, 20 Dec 2021 21:55:43 +1100
|
|
Subject: [PATCH 20/32] net/dns: Don't read past the end of the string we're
|
|
checking against
|
|
|
|
I don't really understand what's going on here but fuzzing found
|
|
a bug where we read past the end of check_with. That's a C string,
|
|
so use grub_strlen() to make sure we don't overread it.
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/net/dns.c | 19 ++++++++++++++++---
|
|
1 file changed, 16 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
|
|
index 135faac035..17961a9f18 100644
|
|
--- a/grub-core/net/dns.c
|
|
+++ b/grub-core/net/dns.c
|
|
@@ -146,11 +146,18 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
|
|
int *length, char *set)
|
|
{
|
|
const char *readable_ptr = check_with;
|
|
+ int readable_len;
|
|
const grub_uint8_t *ptr;
|
|
char *optr = set;
|
|
int bytes_processed = 0;
|
|
if (length)
|
|
*length = 0;
|
|
+
|
|
+ if (readable_ptr != NULL)
|
|
+ readable_len = grub_strlen (readable_ptr);
|
|
+ else
|
|
+ readable_len = 0;
|
|
+
|
|
for (ptr = name_at; ptr < tail && bytes_processed < tail - head + 2; )
|
|
{
|
|
/* End marker. */
|
|
@@ -172,13 +179,16 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
|
|
ptr = head + (((ptr[0] & 0x3f) << 8) | ptr[1]);
|
|
continue;
|
|
}
|
|
- if (readable_ptr && grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0)
|
|
+ if (readable_ptr != NULL && (*ptr > readable_len || grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0))
|
|
return 0;
|
|
if (grub_memchr (ptr + 1, 0, *ptr)
|
|
|| grub_memchr (ptr + 1, '.', *ptr))
|
|
return 0;
|
|
if (readable_ptr)
|
|
- readable_ptr += *ptr;
|
|
+ {
|
|
+ readable_ptr += *ptr;
|
|
+ readable_len -= *ptr;
|
|
+ }
|
|
if (readable_ptr && *readable_ptr != '.' && *readable_ptr != 0)
|
|
return 0;
|
|
bytes_processed += *ptr + 1;
|
|
@@ -192,7 +202,10 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
|
|
if (optr)
|
|
*optr++ = '.';
|
|
if (readable_ptr && *readable_ptr)
|
|
- readable_ptr++;
|
|
+ {
|
|
+ readable_ptr++;
|
|
+ readable_len--;
|
|
+ }
|
|
ptr += *ptr + 1;
|
|
}
|
|
return 0;
|
|
--
|
|
2.34.1
|
|
|