SOURCES/0267-AUDIT-0-http-boot-tracker-bug.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug
Fixing a memory leak in case of error, and an integer overflow, leading to a
heap overflow due to overly large chunk sizes.
We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.
This is no big issue for pure http boot, since it's going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.
Signed-off-by: Michael Chang <mchang@suse.com>
---
 grub-core/net/efi/net.c | 4 +++-
 grub-core/net/http.c    | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
index 9e0078ac1c6..2bf15447fd5 100644
--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
 
       rd = efi_net_interface (read, file, chunk, sz);
 
-      if (rd <= 0)
+      if (rd <= 0) {
+	grub_free (chunk);
 	return rd;
+      }
 
       if (buf)
 	{
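Review bot: the braces added around the `if (rd <= 0)` body do not follow the GNU brace style used in the rest of this function, visible two lines further down where `if (buf)` is followed by `{` on its own line indented two spaces and the body indented two more; suggest writing the early return the same way (`if (rd <= 0)` / `{` / `grub_free (chunk); return rd;` / `}`) so the leak fix matches the surrounding code. The change itself does what the commit message says: `chunk` is now released on the short-read and error paths (`rd <= 0`) instead of being abandoned on the early return.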
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 2b46e4672fc..82515f352dd 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
 
 enum
   {
-    HTTP_PORT = 80
+    HTTP_PORT = 80,
+    HTTP_MAX_CHUNK_SIZE = 0x80000000
   };
 
 
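Review bot: `HTTP_MAX_CHUNK_SIZE = 0x80000000` is not representable as an `int`, and the C standard requires an enumeration constant to be (C99 6.7.2.2); GCC accepts it as an extension but warns under `-pedantic`, and the constant then silently gets a different type from `HTTP_PORT` in the same enum. Either define it as a macro, `#define HTTP_MAX_CHUNK_SIZE 0x80000000U`, or choose a smaller bound. A 2 GiB limit is also far larger than any chunk a boot loader would reasonably buffer; the commit message only says "some maximum value", so a short comment explaining why this particular limit was chosen, and that it is meant to keep the aligned allocation size from wrapping, would help the next reader.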
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
   if (data->in_chunk_len == 2)
     {
       data->chunk_rem = grub_strtoul (ptr, 0, 16);
+      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+	  return GRUB_ERR_NET_PACKET_TOO_BIG;
       grub_errno = GRUB_ERR_NONE;
       if (data->chunk_rem == 0)
 	{
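Review bot: the new check returns a bare `GRUB_ERR_NET_PACKET_TOO_BIG` instead of going through `grub_error ()`, so `grub_errno` is not set and no error message is recorded; callers that test `grub_errno` rather than the return value will not see the failure. Suggest `return grub_error (GRUB_ERR_NET_PACKET_TOO_BIG, N_("HTTP chunk size too large"));`. Because the check sits before the existing `grub_errno = GRUB_ERR_NONE;`, whatever `grub_strtoul` may have left in `grub_errno` is also not cleared on this path. Minor: the `return` line is indented with a tab plus two spaces (ten columns) where the body of the `if` should sit at eight columns, i.e. a single tab.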