From 7b0d0e6fb517ac528f0e71745975aeecc52f1170 Mon Sep 17 00:00:00 2001 From: Nicolas Frayer Date: Thu, 17 Oct 2024 09:29:05 +0200 Subject: [PATCH] acpi: Fix out of bounds access in grub_acpi_xsdt_find_table() Resolves: #2317048 Signed-off-by: Nicolas Frayer --- ...bounds-access-in-grub_acpi_xsdt_find.patch | 34 +++++++++++++++++++ grub.patches | 1 + grub2.spec | 6 +++- 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0278-acpi-Fix-out-of-bounds-access-in-grub_acpi_xsdt_find.patch diff --git a/0278-acpi-Fix-out-of-bounds-access-in-grub_acpi_xsdt_find.patch b/0278-acpi-Fix-out-of-bounds-access-in-grub_acpi_xsdt_find.patch new file mode 100644 index 0000000..20d2de3 --- /dev/null +++ b/0278-acpi-Fix-out-of-bounds-access-in-grub_acpi_xsdt_find.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Wed, 16 Oct 2024 16:20:24 +1100 +Subject: [PATCH] acpi: Fix out of bounds access in grub_acpi_xsdt_find_table() + +The calculation of the size of the table was incorrect (copy/pasta from +grub_acpi_rsdt_find_table() I assume...). The entries are 64-bit long. + +This causes us to access beyond the end of the table which is causing +crashes during boot on some systems. Typically this is causing a crash +on VMWare when using UEFI and enabling serial autodetection, as + +grub_acpi_find_table (GRUB_ACPI_SPCR_SIGNATURE); + +Will goes past the end of the table (the SPCR table doesn't exits) + +Signed-off-by: Benjamin Herrenschmidt +--- + grub-core/kern/acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/kern/acpi.c b/grub-core/kern/acpi.c +index 48ded4e2ea6e..8ff0835d501f 100644 +--- a/grub-core/kern/acpi.c ++++ b/grub-core/kern/acpi.c +@@ -75,7 +75,7 @@ grub_acpi_xsdt_find_table (struct grub_acpi_table_header *xsdt, const char *sig) + return 0; + + ptr = (grub_unaligned_uint64_t *) (xsdt + 1); +- s = (xsdt->length - sizeof (*xsdt)) / sizeof (grub_uint32_t); ++ s = (xsdt->length - sizeof (*xsdt)) / sizeof (grub_uint64_t); + for (; s; s--, ptr++) + { + struct grub_acpi_table_header *tbl; diff --git a/grub.patches b/grub.patches index 452a66f..ff170a1 100644 --- a/grub.patches +++ b/grub.patches @@ -275,3 +275,4 @@ Patch0274: 0274-grub-core-net-arp.c-fix-variable-name.patch Patch0275: 0275-load-EFI-commands-inside-test-expressions.patch Patch0276: 0276-efi-loader-Check-if-NX-is-required-in-grub_efi_linux.patch Patch0277: 0277-Stop-grub.efi-from-always-printing-dynamic_load_symb.patch +Patch0278: 0278-acpi-Fix-out-of-bounds-access-in-grub_acpi_xsdt_find.patch diff --git a/grub2.spec b/grub2.spec index 6be3cea..a320533 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ @@ -560,6 +560,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Thu Oct 17 2024 Nicolas Frayer 2.12-10 +- acpi: Fix out of bounds access in grub_acpi_xsdt_find_table() +- Resolves: #2317048 + * Thu Oct 3 2024 Nicolas Frayer 2.12-9 - Stop grub.efi from always printing "dynamic_load_symbols %p\n" during boot - Resolves: #2316279