65c99394ff
Grub 2.06 is affected by a number of CVEs, which have been fixed in the master branch of Grub, but are not yet part of any release (there is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1). So this patch backports the relevant fixes for CVE-2022-28736, CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775. It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697 are not reported as affecting Grub by our CVE matching logic because the NVD database uses an incorrect CPE ID in those CVEs: it uses "grub" as the product instead of "grub2" like all other CVEs for grub. This issue has been reported to the NVD maintainers. This requires backporting a lot of patches, but jumping from 2.06 to 2.12-rc1 implies getting 592 commits, which is quite a lot. All Grub test cases are working fine: https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585 https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [Arnout: fix check-package warning in patch 0002] Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
79 lines
2.6 KiB
Diff
79 lines
2.6 KiB
Diff
From 6be7ccfcc33da513de66f71de63fdc129fa019c2 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Wed, 7 Jul 2021 15:38:19 +1000
|
|
Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
|
|
|
|
Certain 1 px wide images caused a wild pointer write in
|
|
grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
|
|
we have the following loop:
|
|
|
|
for (; data->r1 < nr1 && (!data->dri || rst);
|
|
data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|
|
|
|
We did not check if vb * width >= hb * nc1.
|
|
|
|
On a 64-bit platform, if that turns out to be negative, it will underflow,
|
|
be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
|
|
we see data->bitmap_ptr jump, e.g.:
|
|
|
|
0x6180_0000_0480 to
|
|
0x6181_0000_0498
|
|
^
|
|
~--- carry has occurred and this pointer is now far away from
|
|
any object.
|
|
|
|
On a 32-bit platform, it will decrement the pointer, creating a pointer
|
|
that won't crash but will overwrite random data.
|
|
|
|
Catch the underflow and error out.
|
|
|
|
Fixes: CVE-2021-3697
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
Upstream: 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
|
---
|
|
grub-core/video/readers/jpeg.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
|
index e31602f76..1d256af01 100644
|
|
--- a/grub-core/video/readers/jpeg.c
|
|
+++ b/grub-core/video/readers/jpeg.c
|
|
@@ -23,6 +23,7 @@
|
|
#include <grub/mm.h>
|
|
#include <grub/misc.h>
|
|
#include <grub/bufio.h>
|
|
+#include <grub/safemath.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -639,6 +640,7 @@ static grub_err_t
|
|
grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
|
{
|
|
unsigned c1, vb, hb, nr1, nc1;
|
|
+ unsigned stride_a, stride_b, stride;
|
|
int rst = data->dri;
|
|
|
|
vb = 8 << data->log_vs;
|
|
@@ -650,8 +652,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
|
return grub_error(GRUB_ERR_BAD_FILE_TYPE,
|
|
"jpeg: attempted to decode data before start of stream");
|
|
|
|
+ if (grub_mul(vb, data->image_width, &stride_a) ||
|
|
+ grub_mul(hb, nc1, &stride_b) ||
|
|
+ grub_sub(stride_a, stride_b, &stride))
|
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
+ "jpeg: cannot decode image with these dimensions");
|
|
+
|
|
for (; data->r1 < nr1 && (!data->dri || rst);
|
|
- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|
|
+ data->r1++, data->bitmap_ptr += stride * 3)
|
|
for (c1 = 0; c1 < nc1 && (!data->dri || rst);
|
|
c1++, rst--, data->bitmap_ptr += hb * 3)
|
|
{
|
|
--
|
|
2.41.0
|
|
|