rpms / grub2

Clone
Source Code
GIT

Blame SOURCES/0267-AUDIT-0-http-boot-tracker-bug.patch

c7 c7-beta
  1.   92b5f3a56e468c19c61250f837f860ec8a197b5a
  2.   SOURCES
  3.   0267-AUDIT-0-http-boot-tracker-bug.patch
Blob History Raw
f731ee 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
f731ee 
From: Sebastian Krahmer <krahmer@suse.com>
f731ee 
Date: Tue, 28 Nov 2017 17:24:38 +0800
f731ee 
Subject: [PATCH] AUDIT-0: http boot tracker bug
f731ee
f731ee 
Fixing a memory leak in case of error, and a integer overflow, leading to a
f731ee 
heap overflow due to overly large chunk sizes.
f731ee
f731ee 
We need to check against some maximum value, otherwise values like 0xffffffff
f731ee 
will eventually lead in the allocation functions to small sized buffers, since
f731ee 
the len is rounded up to the next reasonable alignment. The following memcpy
f731ee 
will then smash the heap, leading to RCE.
f731ee
f731ee 
This is no big issue for pure http boot, since its going to execute an
f731ee 
untrusted kernel anyway, but it will break trusted boot scenarios, where only
f731ee 
signed code is allowed to be executed.
f731ee
f731ee 
Signed-off-by: Michael Chang <mchang@suse.com>
f731ee 
---
f731ee 
 grub-core/net/efi/net.c | 4 +++-
f731ee 
 grub-core/net/http.c    | 5 ++++-
f731ee 
 2 files changed, 7 insertions(+), 2 deletions(-)
f731ee
f731ee 
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
f731ee 
index 9e0078ac1c6..2bf15447fd5 100644
f731ee 
--- a/grub-core/net/efi/net.c
f731ee 
+++ b/grub-core/net/efi/net.c
f731ee 
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
f731ee
f731ee 
       rd = efi_net_interface (read, file, chunk, sz);
f731ee
f731ee 
-      if (rd <= 0)
f731ee 
+      if (rd <= 0) {
f731ee 
+	grub_free (chunk);
f731ee 
 	return rd;
f731ee 
+      }
f731ee
f731ee 
       if (buf)
f731ee 
 	{
f731ee 
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
f731ee 
index 2b46e4672fc..82515f352dd 100644
f731ee 
--- a/grub-core/net/http.c
f731ee 
+++ b/grub-core/net/http.c
f731ee 
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
f731ee
f731ee 
 enum
f731ee 
   {
f731ee 
-    HTTP_PORT = 80
f731ee 
+    HTTP_PORT = 80,
f731ee 
+    HTTP_MAX_CHUNK_SIZE = 0x80000000
f731ee 
   };
f731ee
f731ee
f731ee 
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
f731ee 
   if (data->in_chunk_len == 2)
f731ee 
     {
f731ee 
       data->chunk_rem = grub_strtoul (ptr, 0, 16);
f731ee 
+      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
f731ee 
+	  return GRUB_ERR_NET_PACKET_TOO_BIG;
f731ee 
       grub_errno = GRUB_ERR_NONE;
f731ee 
       if (data->chunk_rem == 0)
f731ee 
 	{

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation