diff options
Diffstat (limited to 'poky/meta/recipes-bsp')
5 files changed, 576 insertions, 0 deletions
diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/poky/meta/recipes-bsp/grub/files/CVE-2022-2601.patch new file mode 100644 index 0000000000..090f693be3 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/CVE-2022-2601.patch @@ -0,0 +1,87 @@ +From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang <zhangboyang.id@gmail.com> +Date: Fri, 5 Aug 2022 01:58:27 +0800 +Subject: [PATCH] font: Fix several integer overflows in + grub_font_construct_glyph() + +This patch fixes several integer overflows in grub_font_construct_glyph(). +Glyphs of invalid size, zero or leading to an overflow, are rejected. +The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() +returns NULL is fixed too. + +Fixes: CVE-2022-2601 + +Reported-by: Zhang Boyang <zhangboyang.id@gmail.com> +Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e] +CVE: CVE-2022-2601 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + grub-core/font/font.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index df17dba..f110db9 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font, + struct grub_video_signed_rect bounds; + static struct grub_font_glyph *glyph = 0; + static grub_size_t max_glyph_size = 0; ++ grub_size_t cur_glyph_size; + + ensure_comb_space (glyph_id); + +@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font, + if (!glyph_id->ncomb && !glyph_id->attributes) + return main_glyph; + +- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) ++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) || ++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size)) ++ return main_glyph; ++ ++ if (max_glyph_size < cur_glyph_size) + { + grub_free (glyph); +- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2; +- if (max_glyph_size < 8) +- max_glyph_size = 8; +- glyph = grub_malloc (max_glyph_size); ++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size)) ++ max_glyph_size = 0; ++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL; + } + if (!glyph) + { ++ max_glyph_size = 0; + grub_errno = GRUB_ERR_NONE; + return main_glyph; + } + +- grub_memset (glyph, 0, sizeof (*glyph) +- + (bounds.width * bounds.height +- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT); ++ grub_memset (glyph, 0, cur_glyph_size); + + glyph->font = main_glyph->font; +- glyph->width = bounds.width; +- glyph->height = bounds.height; +- glyph->offset_x = bounds.x; +- glyph->offset_y = bounds.y; ++ if (bounds.width == 0 || bounds.height == 0 || ++ grub_cast (bounds.width, &glyph->width) || ++ grub_cast (bounds.height, &glyph->height) || ++ grub_cast (bounds.x, &glyph->offset_x) || ++ grub_cast (bounds.y, &glyph->offset_y)) ++ return main_glyph; + + if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR) + grub_font_blit_glyph_mirror (glyph, main_glyph, +-- +2.25.1 + diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2022-28735.patch b/poky/meta/recipes-bsp/grub/files/CVE-2022-28735.patch new file mode 100644 index 0000000000..89b653a8da --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/CVE-2022-28735.patch @@ -0,0 +1,271 @@ +From 6fe755c5c07bb386fda58306bfd19e4a1c974c53 Mon Sep 17 00:00:00 2001 +From: Julian Andres Klode <julian.klode@canonical.com> +Date: Thu, 2 Dec 2021 15:03:53 +0100 +Subject: kern/efi/sb: Reject non-kernel files in the shim_lock verifier + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53] +CVE: CVE-2022-28735 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +We must not allow other verifiers to pass things like the GRUB modules. +Instead of maintaining a blocklist, maintain an allowlist of things +that we do not care about. + +This allowlist really should be made reusable, and shared by the +lockdown verifier, but this is the minimal patch addressing +security concerns where the TPM verifier was able to mark modules +as verified (or the OpenPGP verifier for that matter), when it +should not do so on shim-powered secure boot systems. + +Fixes: CVE-2022-28735 + +Signed-off-by: Julian Andres Klode <julian.klode@canonical.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/kern/efi/sb.c | 221 ++++++++++++++++++++++++++++++++++++++++ + include/grub/verify.h | 1 + + 2 files changed, 222 insertions(+) + create mode 100644 grub-core/kern/efi/sb.c + +diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c +new file mode 100644 +index 0000000..89c4bb3 +--- /dev/null ++++ b/grub-core/kern/efi/sb.c +@@ -0,0 +1,221 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2020 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>. ++ * ++ * UEFI Secure Boot related checkings. ++ */ ++ ++#include <grub/efi/efi.h> ++#include <grub/efi/pe32.h> ++#include <grub/efi/sb.h> ++#include <grub/env.h> ++#include <grub/err.h> ++#include <grub/file.h> ++#include <grub/i386/linux.h> ++#include <grub/kernel.h> ++#include <grub/mm.h> ++#include <grub/types.h> ++#include <grub/verify.h> ++ ++static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID; ++ ++/* ++ * Determine whether we're in secure boot mode. ++ * ++ * Please keep the logic in sync with the Linux kernel, ++ * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot(). ++ */ ++grub_uint8_t ++grub_efi_get_secureboot (void) ++{ ++ static grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; ++ grub_efi_status_t status; ++ grub_efi_uint32_t attr = 0; ++ grub_size_t size = 0; ++ grub_uint8_t *secboot = NULL; ++ grub_uint8_t *setupmode = NULL; ++ grub_uint8_t *moksbstate = NULL; ++ grub_uint8_t secureboot = GRUB_EFI_SECUREBOOT_MODE_UNKNOWN; ++ const char *secureboot_str = "UNKNOWN"; ++ ++ status = grub_efi_get_variable ("SecureBoot", &efi_variable_guid, ++ &size, (void **) &secboot); ++ ++ if (status == GRUB_EFI_NOT_FOUND) ++ { ++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED; ++ goto out; ++ } ++ ++ if (status != GRUB_EFI_SUCCESS) ++ goto out; ++ ++ status = grub_efi_get_variable ("SetupMode", &efi_variable_guid, ++ &size, (void **) &setupmode); ++ ++ if (status != GRUB_EFI_SUCCESS) ++ goto out; ++ ++ if ((*secboot == 0) || (*setupmode == 1)) ++ { ++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED; ++ goto out; ++ } ++ ++ /* ++ * See if a user has put the shim into insecure mode. If so, and if the ++ * variable doesn't have the runtime attribute set, we might as well ++ * honor that. ++ */ ++ status = grub_efi_get_variable_with_attributes ("MokSBState", &shim_lock_guid, ++ &size, (void **) &moksbstate, &attr); ++ ++ /* If it fails, we don't care why. Default to secure. */ ++ if (status != GRUB_EFI_SUCCESS) ++ { ++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED; ++ goto out; ++ } ++ ++ if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1) ++ { ++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED; ++ goto out; ++ } ++ ++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED; ++ ++ out: ++ grub_free (moksbstate); ++ grub_free (setupmode); ++ grub_free (secboot); ++ ++ if (secureboot == GRUB_EFI_SECUREBOOT_MODE_DISABLED) ++ secureboot_str = "Disabled"; ++ else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED) ++ secureboot_str = "Enabled"; ++ ++ grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str); ++ ++ return secureboot; ++} ++ ++static grub_err_t ++shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)), ++ enum grub_file_type type, ++ void **context __attribute__ ((unused)), ++ enum grub_verify_flags *flags) ++{ ++ *flags = GRUB_VERIFY_FLAGS_NONE; ++ ++ switch (type & GRUB_FILE_TYPE_MASK) ++ { ++ /* Files we check. */ ++ case GRUB_FILE_TYPE_LINUX_KERNEL: ++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: ++ case GRUB_FILE_TYPE_BSD_KERNEL: ++ case GRUB_FILE_TYPE_XNU_KERNEL: ++ case GRUB_FILE_TYPE_PLAN9_KERNEL: ++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: ++ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK; ++ return GRUB_ERR_NONE; ++ ++ /* Files that do not affect secureboot state. */ ++ case GRUB_FILE_TYPE_NONE: ++ case GRUB_FILE_TYPE_LOOPBACK: ++ case GRUB_FILE_TYPE_LINUX_INITRD: ++ case GRUB_FILE_TYPE_OPENBSD_RAMDISK: ++ case GRUB_FILE_TYPE_XNU_RAMDISK: ++ case GRUB_FILE_TYPE_SIGNATURE: ++ case GRUB_FILE_TYPE_PUBLIC_KEY: ++ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST: ++ case GRUB_FILE_TYPE_PRINT_BLOCKLIST: ++ case GRUB_FILE_TYPE_TESTLOAD: ++ case GRUB_FILE_TYPE_GET_SIZE: ++ case GRUB_FILE_TYPE_FONT: ++ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY: ++ case GRUB_FILE_TYPE_CAT: ++ case GRUB_FILE_TYPE_HEXCAT: ++ case GRUB_FILE_TYPE_CMP: ++ case GRUB_FILE_TYPE_HASHLIST: ++ case GRUB_FILE_TYPE_TO_HASH: ++ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT: ++ case GRUB_FILE_TYPE_PIXMAP: ++ case GRUB_FILE_TYPE_GRUB_MODULE_LIST: ++ case GRUB_FILE_TYPE_CONFIG: ++ case GRUB_FILE_TYPE_THEME: ++ case GRUB_FILE_TYPE_GETTEXT_CATALOG: ++ case GRUB_FILE_TYPE_FS_SEARCH: ++ case GRUB_FILE_TYPE_LOADENV: ++ case GRUB_FILE_TYPE_SAVEENV: ++ case GRUB_FILE_TYPE_VERIFY_SIGNATURE: ++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; ++ return GRUB_ERR_NONE; ++ ++ /* Other files. */ ++ default: ++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy")); ++ } ++} ++ ++static grub_err_t ++shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size) ++{ ++ grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0); ++ ++ if (!sl) ++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found")); ++ ++ if (sl->verify (buf, size) != GRUB_EFI_SUCCESS) ++ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature")); ++ ++ return GRUB_ERR_NONE; ++} ++ ++struct grub_file_verifier shim_lock_verifier = ++ { ++ .name = "shim_lock_verifier", ++ .init = shim_lock_verifier_init, ++ .write = shim_lock_verifier_write ++ }; ++ ++void ++grub_shim_lock_verifier_setup (void) ++{ ++ struct grub_module_header *header; ++ grub_efi_shim_lock_protocol_t *sl = ++ grub_efi_locate_protocol (&shim_lock_guid, 0); ++ ++ /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */ ++ if (!sl) ++ { ++ FOR_MODULES (header) ++ { ++ if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK) ++ return; ++ } ++ } ++ ++ /* Secure Boot is off. Do not load shim_lock. */ ++ if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED) ++ return; ++ ++ /* Enforce shim_lock_verifier. */ ++ grub_verifier_register (&shim_lock_verifier); ++ ++ grub_env_set ("shim_lock", "y"); ++ grub_env_export ("shim_lock"); ++} +diff --git a/include/grub/verify.h b/include/grub/verify.h +index cd129c3..672ae16 100644 +--- a/include/grub/verify.h ++++ b/include/grub/verify.h +@@ -24,6 +24,7 @@ + + enum grub_verify_flags + { ++ GRUB_VERIFY_FLAGS_NONE = 0, + GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1, + GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2, + /* Defer verification to another authority. */ +-- +2.25.1 + diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/poky/meta/recipes-bsp/grub/files/CVE-2022-3775.patch new file mode 100644 index 0000000000..e2e3f35584 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/CVE-2022-3775.patch @@ -0,0 +1,97 @@ +From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang <zhangboyang.id@gmail.com> +Date: Mon, 24 Oct 2022 08:05:35 +0800 +Subject: [PATCH] font: Fix an integer underflow in blit_comb() + +The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may +evaluate to a very big invalid value even if both ctx.bounds.height and +combining_glyphs[i]->height are small integers. For example, if +ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this +expression evaluates to 2147483647 (expected -1). This is because +coordinates are allowed to be negative but ctx.bounds.height is an +unsigned int. So, the subtraction operates on unsigned ints and +underflows to a very big value. The division makes things even worse. +The quotient is still an invalid value even if converted back to int. + +This patch fixes the problem by casting ctx.bounds.height to int. As +a result the subtraction will operate on int and grub_uint16_t which +will be promoted to an int. So, the underflow will no longer happen. Other +uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, +to ensure coordinates are always calculated on signed integers. + +Fixes: CVE-2022-3775 + +Reported-by: Daniel Axtens <dja@axtens.net> +Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af] +CVE: CVE-2022-3775 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + grub-core/font/font.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index f110db9..3b76b22 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + ctx.bounds.height = main_glyph->height; + + above_rightx = main_glyph->offset_x + main_glyph->width; +- above_righty = ctx.bounds.y + ctx.bounds.height; ++ above_righty = ctx.bounds.y + (int) ctx.bounds.height; + + above_leftx = main_glyph->offset_x; +- above_lefty = ctx.bounds.y + ctx.bounds.height; ++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height; + +- below_rightx = ctx.bounds.x + ctx.bounds.width; ++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width; + below_righty = ctx.bounds.y; + + comb = grub_unicode_get_comb (glyph_id); +@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + if (!combining_glyphs[i]) + continue; +- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; ++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; + /* CGJ is to avoid diacritics reordering. */ + if (comb[i].code + == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER) +@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + case GRUB_UNICODE_COMB_OVERLAY: + do_blit (combining_glyphs[i], + targetx, +- (ctx.bounds.height - combining_glyphs[i]->height) / 2 +- - (ctx.bounds.height + ctx.bounds.y), &ctx); ++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2 ++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; + break; +@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + /* Fallthrough. */ + case GRUB_UNICODE_STACK_ATTACHED_ABOVE: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height + ctx.bounds.y + space ++ -((int) ctx.bounds.height + ctx.bounds.y + space + + combining_glyphs[i]->height), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + case GRUB_UNICODE_COMB_HEBREW_DAGESH: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height / 2 + ctx.bounds.y ++ -((int) ctx.bounds.height / 2 + ctx.bounds.y + + combining_glyphs[i]->height / 2), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +-- +2.25.1 + diff --git a/poky/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/poky/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch new file mode 100644 index 0000000000..d4ba3cafc5 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch @@ -0,0 +1,117 @@ +From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001 +From: Zhang Boyang <zhangboyang.id@gmail.com> +Date: Fri, 5 Aug 2022 00:51:20 +0800 +Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal() + +The length of memory allocation and file read may overflow. This patch +fixes the problem by using safemath macros. + +There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe +if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz(). +It is safe replacement for such code. It has safemath-like prototype. + +This patch also introduces grub_cast(value, pointer), it casts value to +typeof(*pointer) then store the value to *pointer. It returns true when +overflow occurs or false if there is no overflow. The semantics of arguments +and return value are designed to be consistent with other safemath macros. + +Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + grub-core/font/font.c | 17 +++++++++++++---- + include/grub/bitmap.h | 18 ++++++++++++++++++ + include/grub/safemath.h | 2 ++ + 3 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 5edb477..df17dba 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) + grub_int16_t xoff; + grub_int16_t yoff; + grub_int16_t dwidth; +- int len; ++ grub_ssize_t len; ++ grub_size_t sz; + + if (index_entry->glyph) + /* Return cached glyph. */ +@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) + return 0; + } + +- len = (width * height + 7) / 8; +- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len); +- if (!glyph) ++ /* Calculate real struct size of current glyph. */ ++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) || ++ grub_add (sizeof (struct grub_font_glyph), len, &sz)) ++ { ++ remove_font (font); ++ return 0; ++ } ++ ++ /* Allocate and initialize the glyph struct. */ ++ glyph = grub_malloc (sz); ++ if (glyph == NULL) + { + remove_font (font); + return 0; +diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h +index 5728f8c..0d9603f 100644 +--- a/include/grub/bitmap.h ++++ b/include/grub/bitmap.h +@@ -23,6 +23,7 @@ + #include <grub/symbol.h> + #include <grub/types.h> + #include <grub/video.h> ++#include <grub/safemath.h> + + struct grub_video_bitmap + { +@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap) + return bitmap->mode_info.height; + } + ++/* ++ * Calculate and store the size of data buffer of 1bit bitmap in result. ++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs. ++ * Return true when overflow occurs or false if there is no overflow. ++ * This function is intentionally implemented as a macro instead of ++ * an inline function. Although a bit awkward, it preserves data types for ++ * safemath macros and reduces macro side effects as much as possible. ++ * ++ * XXX: Will report false overflow if width * height > UINT64_MAX. ++ */ ++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \ ++({ \ ++ grub_uint64_t _bitmap_pixels; \ ++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \ ++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \ ++}) ++ + void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap, + struct grub_video_mode_info *mode_info); + +diff --git a/include/grub/safemath.h b/include/grub/safemath.h +index c17b89b..bb0f826 100644 +--- a/include/grub/safemath.h ++++ b/include/grub/safemath.h +@@ -30,6 +30,8 @@ + #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) + #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) + ++#define grub_cast(a, res) grub_add ((a), 0, (res)) ++ + #else + #error gcc 5.1 or newer or clang 3.8 or newer is required + #endif +-- +2.25.1 + diff --git a/poky/meta/recipes-bsp/grub/grub2.inc b/poky/meta/recipes-bsp/grub/grub2.inc index a248af0073..d09eecd8ac 100644 --- a/poky/meta/recipes-bsp/grub/grub2.inc +++ b/poky/meta/recipes-bsp/grub/grub2.inc @@ -102,6 +102,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2022-28733.patch \ file://CVE-2022-28734.patch \ file://CVE-2022-28736.patch \ + file://CVE-2022-28735.patch \ + file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \ + file://CVE-2022-2601.patch \ + file://CVE-2022-3775.patch \ " SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |