Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
home:michael-chang:bsc:1218783
grub2
0002-AUDIT-0-http-boot-tracker-bug.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0002-AUDIT-0-http-boot-tracker-bug.patch of Package grub2
From b5c3492f31a98f5ef0f9bec2c0665ad0b71ad5cb Mon Sep 17 00:00:00 2001 From: Sebastian Krahmer <krahmer@suse.com> Date: Tue, 28 Nov 2017 17:24:38 +0800 Subject: [PATCH] AUDIT-0: http boot tracker bug Fixing a memory leak in case of error, and a integer overflow, leading to a heap overflow due to overly large chunk sizes. We need to check against some maximum value, otherwise values like 0xffffffff will eventually lead in the allocation functions to small sized buffers, since the len is rounded up to the next reasonable alignment. The following memcpy will then smash the heap, leading to RCE. This is no big issue for pure http boot, since its going to execute an untrusted kernel anyway, but it will break trusted boot scenarios, where only signed code is allowed to be executed. v2: Fix GCC 13 build failure (bsc#1201089) Signed-off-by: Michael Chang <mchang@suse.com> --- grub-core/net/efi/net.c | 4 +++- grub-core/net/http.c | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) --- a/grub-core/net/efi/net.c +++ b/grub-core/net/efi/net.c @@ -654,8 +654,10 @@ rd = efi_net_interface (read, file, chunk, sz); - if (rd <= 0) + if (rd <= 0) { + grub_free (chunk); return rd; + } if (buf) { --- a/grub-core/net/http.c +++ b/grub-core/net/http.c @@ -30,6 +30,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); #define HTTP_PORT ((grub_uint16_t) 80) +#define HTTP_MAX_CHUNK_SIZE GRUB_INT_MAX typedef struct http_data { @@ -82,6 +83,8 @@ if (data->in_chunk_len == 2) { data->chunk_rem = grub_strtoul (ptr, 0, 16); + if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE) + return GRUB_ERR_NET_PACKET_TOO_BIG; grub_errno = GRUB_ERR_NONE; if (data->chunk_rem == 0) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor