grub2/0179-AUDIT-0-http-boot-tracker-bug.patch
Javier Martinez Canillas 1f092caba7
Drop two efinet patches that were causing issues and a bunch of other fixes
Add comments and revert logic changes in 01_fallback_counting
Remove quotes when reading ID value from /etc/os-release
  Related: rhbz#1650706
blscfg: expand grub_users before passing to grub_normal_add_menu_entry()
  Resolves: rhbz#1650706
Drop buggy downstream patch "efinet: retransmit if our device is busy"
  Resolves: rhbz#1649048
Make the menu entry users option argument to be optional
  Related: rhbz#1652434
10_linux_bls: add missing menu entries options
  Resolves: rhbz#1652434
Drop "Be more aggro about actually using the *configured* network device."
  Resolves: rhbz#1654388
Fix menu entry selection based on title
  Resolves: rhbz#1654936

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2018-12-01 03:28:36 +01:00

62 lines
2 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug
Fixing a memory leak in case of error, and a integer overflow, leading to a
heap overflow due to overly large chunk sizes.
We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.
This is no big issue for pure http boot, since its going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/net/efi/net.c | 4 +++-
grub-core/net/http.c | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
index 9e0078ac1c6..2bf15447fd5 100644
--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
rd = efi_net_interface (read, file, chunk, sz);
- if (rd <= 0)
+ if (rd <= 0) {
+ grub_free (chunk);
return rd;
+ }
if (buf)
{
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 00737c52750..c9c59690a98 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
enum
{
- HTTP_PORT = 80
+ HTTP_PORT = 80,
+ HTTP_MAX_CHUNK_SIZE = 0x80000000
};
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
if (data->in_chunk_len == 2)
{
data->chunk_rem = grub_strtoul (ptr, 0, 16);
+ if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+ return GRUB_ERR_NET_PACKET_TOO_BIG;
grub_errno = GRUB_ERR_NONE;
if (data->chunk_rem == 0)
{