Hello, This doesn't apply on master, can you rebase?
On 20/10/2023 16:09:14+0800, Xiangyu Chen wrote: > From: Xiangyu Chen <xiangyu.c...@windriver.com> > > Crafted file system images can cause heap-based buffer overflow and may > allow arbitrary code execution and secure boot bypass > > Reference: > https://security-tracker.debian.org/tracker/CVE-2023-4692 > > Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com> > --- > .../grub/files/CVE-2023-4692.patch | 98 +++++++++++++++++++ > meta/recipes-bsp/grub/grub2.inc | 1 + > 2 files changed, 99 insertions(+) > create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch > > diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch > b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch > new file mode 100644 > index 0000000000..305fcc93d8 > --- /dev/null > +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch > @@ -0,0 +1,98 @@ > +From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001 > +From: Maxim Suhanov <dfirb...@gmail.com> > +Date: Mon, 28 Aug 2023 16:31:57 +0300 > +Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST > attribute > + for the $MFT file > + > +When parsing an extremely fragmented $MFT file, i.e., the file described > +using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer > +containing bytes read from the underlying drive to store sector numbers, > +which are consumed later to read data from these sectors into another buffer. > + > +These sectors numbers, two 32-bit integers, are always stored at predefined > +offsets, 0x10 and 0x14, relative to first byte of the selected entry within > +the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. > + > +However, when parsing a specially-crafted file system image, this may cause > +the NTFS code to write these integers beyond the buffer boundary, likely > +causing the GRUB memory allocator to misbehave or fail. These integers > contain > +values which are controlled by on-disk structures of the NTFS file system. > + > +Such modification and resulting misbehavior may touch a memory range not > +assigned to the GRUB and owned by firmware or another EFI application/driver. > + > +This fix introduces checks to ensure that these sector numbers are never > +written beyond the boundary. > + > +Fixes: CVE-2023-4692 > + > +Upstream-Status: Backport from > +[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] > +CVE: CVE-2023-4692 > + > +Reported-by: Maxim Suhanov <dfirb...@gmail.com> > +Signed-off-by: Maxim Suhanov <dfirb...@gmail.com> > +Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> > +Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com> > +--- > + grub-core/fs/ntfs.c | 18 +++++++++++++++++- > + 1 file changed, 17 insertions(+), 1 deletion(-) > + > +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c > +index bbdbe24..c3c4db1 100644 > +--- a/grub-core/fs/ntfs.c > ++++ b/grub-core/fs/ntfs.c > +@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) > + } > + if (at->attr_end) > + { > +- grub_uint8_t *pa; > ++ grub_uint8_t *pa, *pa_end; > + > + at->emft_buf = grub_malloc (at->mft->data->mft_size << > GRUB_NTFS_BLK_SHR); > + if (at->emft_buf == NULL) > +@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t > attr) > + } > + at->attr_nxt = at->edat_buf; > + at->attr_end = at->edat_buf + u32at (pa, 0x30); > ++ pa_end = at->edat_buf + n; > + } > + else > + { > + at->attr_nxt = at->attr_end + u16at (pa, 0x14); > + at->attr_end = at->attr_end + u32at (pa, 4); > ++ pa_end = at->mft->buf + (at->mft->data->mft_size << > GRUB_NTFS_BLK_SHR); > + } > + at->flags |= GRUB_NTFS_AF_ALST; > + while (at->attr_nxt < at->attr_end) > +@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) > + at->flags |= GRUB_NTFS_AF_GPOS; > + at->attr_cur = at->attr_nxt; > + pa = at->attr_cur; > ++ > ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) > ++ { > ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); > ++ return NULL; > ++ } > ++ > + grub_set_unaligned32 ((char *) pa + 0x10, > + grub_cpu_to_le32 (at->mft->data->mft_start)); > + grub_set_unaligned32 ((char *) pa + 0x14, > +@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) > + { > + if (*pa != attr) > + break; > ++ > ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) > ++ { > ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); > ++ return NULL; > ++ } > ++ > + if (read_attr > + (at, pa + 0x10, > + u32at (pa, 0x10) * (at->mft->data->mft_size << > GRUB_NTFS_BLK_SHR), > +-- > +cgit v1.1 > + > diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc > index 41839698dc..5ce8699363 100644 > --- a/meta/recipes-bsp/grub/grub2.inc > +++ b/meta/recipes-bsp/grub/grub2.inc > @@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ > file://CVE-2022-3775.patch \ > file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \ > file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \ > + file://CVE-2023-4692.patch \ > " > > SRC_URI[sha256sum] = > "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" > -- > 2.34.1 > > > > -- Alexandre Belloni, co-owner and COO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189580): https://lists.openembedded.org/g/openembedded-core/message/189580 Mute This Topic: https://lists.openembedded.org/mt/102077193/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-