packages/grub2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some patches from upstream

Browse Source 
Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
This commit is contained in:
Qiumiao Zhang 2023-09-13 22:49:55 +08:00
parent 0793726a95
commit fbde2eddf8
6 changed files with 200 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
backport-fs-udf-Fix-out-of-bounds-access.patch Normal file
View File

@ -0,0 +1,119 @@
From a24ea9241cb42e8ba670ac8d8ce54275df73a271 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Wed, 7 Jun 2023 01:31:06 +0000
Subject: fs/udf: Fix out of bounds access
Implemented a boundary check before advancing the allocation
descriptors pointer.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=a24ea9241cb42e8ba670ac8d8ce54275df73a271
Conflict:NA
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/udf.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 7679ea3..b836e61 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -114,6 +114,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
#define GRUB_UDF_PARTMAP_TYPE_1 1
#define GRUB_UDF_PARTMAP_TYPE_2 2
+#define GRUB_UDF_INVALID_STRUCT_PTR(_ptr, _struct) \
+ ((char *) (_ptr) >= end_ptr || \
+ ((grub_ssize_t) (end_ptr - (char *) (_ptr)) < (grub_ssize_t) sizeof (_struct)))
+
struct grub_udf_lb_addr
{
grub_uint32_t block_num;
@@ -458,6 +462,7 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
char *ptr;
grub_ssize_t len;
grub_disk_addr_t filebytes;
+ char *end_ptr;
switch (U16 (node->block.fe.tag.tag_ident))
{
@@ -476,9 +481,17 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
return 0;
}
+ end_ptr = (char *) node + get_fshelp_size (node->data);
+
if ((U16 (node->block.fe.icbtag.flags) & GRUB_UDF_ICBTAG_FLAG_AD_MASK)
== GRUB_UDF_ICBTAG_FLAG_AD_SHORT)
{
+ if (GRUB_UDF_INVALID_STRUCT_PTR (ptr, struct grub_udf_short_ad))
+ {
+ grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+ return 0;
+ }
+
struct grub_udf_short_ad *ad = (struct grub_udf_short_ad *) ptr;
filebytes = fileblock * U32 (node->data->lvd.bsize);
@@ -542,10 +555,22 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
filebytes -= adlen;
ad++;
len -= sizeof (struct grub_udf_short_ad);
+
+ if (GRUB_UDF_INVALID_STRUCT_PTR (ad, struct grub_udf_short_ad))
+ {
+ grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+ return 0;
+ }
}
}
else
{
+ if (GRUB_UDF_INVALID_STRUCT_PTR (ptr, struct grub_udf_long_ad))
+ {
+ grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+ return 0;
+ }
+
struct grub_udf_long_ad *ad = (struct grub_udf_long_ad *) ptr;
filebytes = fileblock * U32 (node->data->lvd.bsize);
@@ -611,6 +636,12 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
filebytes -= adlen;
ad++;
len -= sizeof (struct grub_udf_long_ad);
+
+ if (GRUB_UDF_INVALID_STRUCT_PTR (ad, struct grub_udf_long_ad))
+ {
+ grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+ return 0;
+ }
}
}
@@ -630,6 +661,7 @@ grub_udf_read_file (grub_fshelp_node_t node,
case GRUB_UDF_ICBTAG_FLAG_AD_IN_ICB:
{
char *ptr;
+ char *end_ptr = (char *) node + get_fshelp_size (node->data);
ptr = ((U16 (node->block.fe.tag.tag_ident) == GRUB_UDF_TAG_IDENT_FE) ?
((char *) &node->block.fe.ext_attr[0]
@@ -637,6 +669,12 @@ grub_udf_read_file (grub_fshelp_node_t node,
((char *) &node->block.efe.ext_attr[0]
+ U32 (node->block.efe.ext_attr_length)));
+ if ((ptr + pos + len) > end_ptr)
+ {
+ grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
+ return 0;
+ }
+
grub_memcpy (buf, ptr + pos, len);
return len;
--
cgit v1.1

38
backport-lib-relocator-Fix-OOB-write-when-initializing-lo-freebytes.patch Normal file
View File

@ -0,0 +1,38 @@
From 9dbfbcd660470c3b951d15af0f6ce5a423185ad2 Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Fri, 23 Jun 2023 00:02:24 +0200
Subject: lib/relocator: Fix OOB write when initializing lo->freebytes[]
Fixes: CID 96636
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=9dbfbcd660470c3b951d15af0f6ce5a423185ad2
Conflict:NA
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
---
grub-core/lib/relocator.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
index 568fc0b..e0478ae 100644
--- a/grub-core/lib/relocator.c
+++ b/grub-core/lib/relocator.c
@@ -881,9 +881,11 @@ malloc_in_range (struct grub_relocator *rel,
offend = GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT;
lo->freebytes[offstart / 8]
&= ((1 << (8 - (start % 8))) - 1);
- grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
- offend / 8 - (offstart + 7) / 8);
- lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
+ if (offend / 8 > (offstart + 7) / 8)
+ grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
+ offend / 8 - (offstart + 7) / 8);
+ if (offend < GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT)
+ lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
}
break;
#endif
--
cgit v1.1

29
backport-util-grub-mount-Fix-memory-leak-in-fuse_getattr.patch Normal file
View File

@ -0,0 +1,29 @@
From 3077b39baef99afe534b582b9024bba877786e40 Mon Sep 17 00:00:00 2001
From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
Date: Tue, 25 Jul 2023 11:18:59 +0800
Subject: util/grub-mount: Fix memory leak in fuse_getattr()
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=3077b39baef99afe534b582b9024bba877786e40
Conflict:NA
Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
util/grub-mount.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/util/grub-mount.c b/util/grub-mount.c
index 1c35b6a..c69889d 100644
--- a/util/grub-mount.c
+++ b/util/grub-mount.c
@@ -198,6 +198,7 @@ fuse_getattr (const char *path, struct stat *st,
(fs->fs_dir) (dev, path2, fuse_getattr_find_file, &ctx);
grub_free (path2);
+ free (pathname);
if (!ctx.file_exists)
{
grub_errno = GRUB_ERR_NONE;
--
cgit v1.1

3
grub.patches
View File

@ -341,3 +341,6 @@ Patch0331: backport-util-grub-install-common-Fix-the-key-of.patch
Patch0332: backport-kern-efi-mm-Fix-use-after-free-in-finish-boot-services.patch
Patch0333: backport-kern-Check-for-NULL-when-closing-devices-and-disks.patch
Patch0334: backport-RISC-V-Handle-R_RISCV_CALL_PLT-reloc.patch
Patch0335: backport-fs-udf-Fix-out-of-bounds-access.patch
Patch0336: backport-lib-relocator-Fix-OOB-write-when-initializing-lo-freebytes.patch
Patch0337: backport-util-grub-mount-Fix-memory-leak-in-fuse_getattr.patch

10
grub2.spec
View File

@ -14,7 +14,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 36
Release: 37
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -440,6 +440,14 @@ fi
%{_datadir}/man/man*
%changelog
* Wed Sep 13 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.06-37
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fs/udf: Fix out of bounds access
lib/relocator: Fix OOB write when initializing lo->freebytes[]
util/grub-mount: Fix memory leak in fuse_getattr()
* Fri Sep 1 2023 ouuleilei <wangliu@iscas.ac.cn> - 1:2.06-36
add a patch to fix build error

2
sbat.csv.in
View File

@ -1,3 +1,3 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
grub.openeuler,1,The openEuler Project,grub2,@@VERSION_RELEASE@@,https://gitee.com/src-openeuler/grub2