grub2/backport-net-Check-against-nb-tail-in-grub_netbuff_pull.patch

From e976dc27f88968bc768224fd8102a508a3a39383 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sat, 5 Mar 2022 00:39:04 +1100
Subject: net: Check against nb->tail in grub_netbuff_pull()

GRUB netbuff structure members track 2 different things: the extent of memory
allocated for the packet, and the extent of memory currently being worked on.

This works out in the structure as follows:

  nb->head: beginning of the allocation
  nb->data: beginning of the working data
  nb->tail: end of the working data
  nb->end:  end of the allocation

The head and end pointers are set in grub_netbuff_alloc() and do not change.
The data and tail pointers are initialised to point at start of the
allocation (that is, head == data == tail initially), and are then
manipulated by grub_netbuff_*() functions. Key functions are as follows:

  - grub_netbuff_put():     "put" more data into the packet - advance nb->tail
  - grub_netbuff_unput():   trim the tail of the packet - retract nb->tail
  - grub_netbuff_pull():    "consume" some packet data - advance nb->data
  - grub_netbuff_reserve(): reserve space for future headers - advance nb->data and nb->tail
  - grub_netbuff_push():    "un-consume" data to allow headers to be written - retract nb->data

Each of those functions does some form of error checking. For example,
grub_netbuff_put() does not allow nb->tail to exceed nb->end, and
grub_netbuff_push() does not allow nb->data to be before nb->head.

However, grub_netbuff_pull()'s error checking is a bit weird. It advances nb->data
and checks that it does not exceed nb->end. That allows you to get into the
situation where nb->data > nb->tail, which should not be.

Make grub_netbuff_pull() check against both nb->tail and nb->end. In theory just
checking against ->tail should be sufficient but the extra check should be
cheap and seems like good defensive practice.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Conflict:NA
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=e976dc27f88968bc768224fd8102a508a3a39383

---
 grub-core/net/netbuff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c
index dbeeefe..72e5296 100644
--- a/grub-core/net/netbuff.c
+++ b/grub-core/net/netbuff.c
@@ -54,7 +54,7 @@ grub_err_t
 grub_netbuff_pull (struct grub_net_buff *nb, grub_size_t len)
 {
   nb->data += len;
-  if (nb->data > nb->end)
+  if (nb->data > nb->end || nb->data > nb->tail)
     return grub_error (GRUB_ERR_BUG,
 		       "pull out of the packet range.");
   return GRUB_ERR_NONE;
-- 
cgit v1.1
fix CVE-2021-3697 CVE-2022-28735 CVE-2022-28736 CVE-2022-28734 CVE-2022-28733 CVE-2021-3695 CVE-2021-3696 2022-06-21 13:54:28 +08:00			`From e976dc27f88968bc768224fd8102a508a3a39383 Mon Sep 17 00:00:00 2001`
			`From: Daniel Axtens <dja@axtens.net>`
			`Date: Sat, 5 Mar 2022 00:39:04 +1100`
			`Subject: net: Check against nb->tail in grub_netbuff_pull()`

			`GRUB netbuff structure members track 2 different things: the extent of memory`
			`allocated for the packet, and the extent of memory currently being worked on.`

			`This works out in the structure as follows:`

			`nb->head: beginning of the allocation`
			`nb->data: beginning of the working data`
			`nb->tail: end of the working data`
			`nb->end: end of the allocation`

			`The head and end pointers are set in grub_netbuff_alloc() and do not change.`
			`The data and tail pointers are initialised to point at start of the`
			`allocation (that is, head == data == tail initially), and are then`
			`manipulated by grub_netbuff_*() functions. Key functions are as follows:`

			`- grub_netbuff_put(): "put" more data into the packet - advance nb->tail`
			`- grub_netbuff_unput(): trim the tail of the packet - retract nb->tail`
			`- grub_netbuff_pull(): "consume" some packet data - advance nb->data`
			`- grub_netbuff_reserve(): reserve space for future headers - advance nb->data and nb->tail`
			`- grub_netbuff_push(): "un-consume" data to allow headers to be written - retract nb->data`

			`Each of those functions does some form of error checking. For example,`
			`grub_netbuff_put() does not allow nb->tail to exceed nb->end, and`
			`grub_netbuff_push() does not allow nb->data to be before nb->head.`

			`However, grub_netbuff_pull()'s error checking is a bit weird. It advances nb->data`
			`and checks that it does not exceed nb->end. That allows you to get into the`
			`situation where nb->data > nb->tail, which should not be.`

			`Make grub_netbuff_pull() check against both nb->tail and nb->end. In theory just`
			`checking against ->tail should be sufficient but the extra check should be`
			`cheap and seems like good defensive practice.`

			`Signed-off-by: Daniel Axtens <dja@axtens.net>`
			`Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>`

			`Conflict:NA`
			`Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=e976dc27f88968bc768224fd8102a508a3a39383`

			`---`
			`grub-core/net/netbuff.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c`
			`index dbeeefe..72e5296 100644`
			`--- a/grub-core/net/netbuff.c`
			`+++ b/grub-core/net/netbuff.c`
			`@@ -54,7 +54,7 @@ grub_err_t`
			`grub_netbuff_pull (struct grub_net_buff *nb, grub_size_t len)`
			`{`
			`nb->data += len;`
			`- if (nb->data > nb->end)`
			`+ if (nb->data > nb->end \|\| nb->data > nb->tail)`
			`return grub_error (GRUB_ERR_BUG,`
			`"pull out of the packet range.");`
			`return GRUB_ERR_NONE;`
			`--`
			`cgit v1.1`