On Fri, Oct 20, 2023 at 12:47 PM Alexandre Belloni via lists.openembedded.org <[email protected]> wrote: > > Hello, > > This doesn't apply on master, can you rebase?
I can't take this patch for nanbield or mickledore until it is accepted in master, so all branches are waiting for an updated patch for master! Steve > > On 20/10/2023 16:09:14+0800, Xiangyu Chen wrote: > > From: Xiangyu Chen <[email protected]> > > > > Crafted file system images can cause heap-based buffer overflow and may > > allow arbitrary code execution and secure boot bypass > > > > Reference: > > https://security-tracker.debian.org/tracker/CVE-2023-4692 > > > > Signed-off-by: Xiangyu Chen <[email protected]> > > --- > > .../grub/files/CVE-2023-4692.patch | 98 +++++++++++++++++++ > > meta/recipes-bsp/grub/grub2.inc | 1 + > > 2 files changed, 99 insertions(+) > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch > > > > diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch > > b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch > > new file mode 100644 > > index 0000000000..305fcc93d8 > > --- /dev/null > > +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch > > @@ -0,0 +1,98 @@ > > +From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001 > > +From: Maxim Suhanov <[email protected]> > > +Date: Mon, 28 Aug 2023 16:31:57 +0300 > > +Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the > > $ATTRIBUTE_LIST attribute > > + for the $MFT file > > + > > +When parsing an extremely fragmented $MFT file, i.e., the file described > > +using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer > > +containing bytes read from the underlying drive to store sector numbers, > > +which are consumed later to read data from these sectors into another > > buffer. > > + > > +These sectors numbers, two 32-bit integers, are always stored at predefined > > +offsets, 0x10 and 0x14, relative to first byte of the selected entry within > > +the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. > > + > > +However, when parsing a specially-crafted file system image, this may cause > > +the NTFS code to write these integers beyond the buffer boundary, likely > > +causing the GRUB memory allocator to misbehave or fail. These integers > > contain > > +values which are controlled by on-disk structures of the NTFS file system. > > + > > +Such modification and resulting misbehavior may touch a memory range not > > +assigned to the GRUB and owned by firmware or another EFI > > application/driver. > > + > > +This fix introduces checks to ensure that these sector numbers are never > > +written beyond the boundary. > > + > > +Fixes: CVE-2023-4692 > > + > > +Upstream-Status: Backport from > > +[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] > > +CVE: CVE-2023-4692 > > + > > +Reported-by: Maxim Suhanov <[email protected]> > > +Signed-off-by: Maxim Suhanov <[email protected]> > > +Reviewed-by: Daniel Kiper <[email protected]> > > +Signed-off-by: Xiangyu Chen <[email protected]> > > +--- > > + grub-core/fs/ntfs.c | 18 +++++++++++++++++- > > + 1 file changed, 17 insertions(+), 1 deletion(-) > > + > > +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c > > +index bbdbe24..c3c4db1 100644 > > +--- a/grub-core/fs/ntfs.c > > ++++ b/grub-core/fs/ntfs.c > > +@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t > > attr) > > + } > > + if (at->attr_end) > > + { > > +- grub_uint8_t *pa; > > ++ grub_uint8_t *pa, *pa_end; > > + > > + at->emft_buf = grub_malloc (at->mft->data->mft_size << > > GRUB_NTFS_BLK_SHR); > > + if (at->emft_buf == NULL) > > +@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t > > attr) > > + } > > + at->attr_nxt = at->edat_buf; > > + at->attr_end = at->edat_buf + u32at (pa, 0x30); > > ++ pa_end = at->edat_buf + n; > > + } > > + else > > + { > > + at->attr_nxt = at->attr_end + u16at (pa, 0x14); > > + at->attr_end = at->attr_end + u32at (pa, 4); > > ++ pa_end = at->mft->buf + (at->mft->data->mft_size << > > GRUB_NTFS_BLK_SHR); > > + } > > + at->flags |= GRUB_NTFS_AF_ALST; > > + while (at->attr_nxt < at->attr_end) > > +@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t > > attr) > > + at->flags |= GRUB_NTFS_AF_GPOS; > > + at->attr_cur = at->attr_nxt; > > + pa = at->attr_cur; > > ++ > > ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) > > ++ { > > ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); > > ++ return NULL; > > ++ } > > ++ > > + grub_set_unaligned32 ((char *) pa + 0x10, > > + grub_cpu_to_le32 (at->mft->data->mft_start)); > > + grub_set_unaligned32 ((char *) pa + 0x14, > > +@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t > > attr) > > + { > > + if (*pa != attr) > > + break; > > ++ > > ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) > > ++ { > > ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); > > ++ return NULL; > > ++ } > > ++ > > + if (read_attr > > + (at, pa + 0x10, > > + u32at (pa, 0x10) * (at->mft->data->mft_size << > > GRUB_NTFS_BLK_SHR), > > +-- > > +cgit v1.1 > > + > > diff --git a/meta/recipes-bsp/grub/grub2.inc > > b/meta/recipes-bsp/grub/grub2.inc > > index 41839698dc..5ce8699363 100644 > > --- a/meta/recipes-bsp/grub/grub2.inc > > +++ b/meta/recipes-bsp/grub/grub2.inc > > @@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ > > file://CVE-2022-3775.patch \ > > file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \ > > file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch > > \ > > + file://CVE-2023-4692.patch \ > > " > > > > SRC_URI[sha256sum] = > > "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" > > -- > > 2.34.1 > > > > > > > > > > > > -- > Alexandre Belloni, co-owner and COO, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#190233): https://lists.openembedded.org/g/openembedded-core/message/190233 Mute This Topic: https://lists.openembedded.org/mt/102077193/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
