[33/46,dunfell] grub: fix multiple integer overflows

Message ID	20220218100554.1315511-34-rybczynska@gmail.com
State	Accepted, archived
Commit	68b91792ed00f9decc85f300eefe0b7e8f80c98b
Headers	show Return-Path: <rybczynska@gmail.com> ip: 209.85.221.47, mailfrom: rybczynska@gmail.com) From: Marta Rybczynska <rybczynska@gmail.com> To: anuj.mittal@intel.com, openembedded-core@lists.openembedded.org, steve@sakoman.com Cc: Marta Rybczynska <rybczynska@gmail.com>, Marta Rybczynska <marta.rybczynska@huawei.com> Subject: [PATCH 33/46][dunfell] grub: fix multiple integer overflows Date: Fri, 18 Feb 2022 11:05:41 +0100 Message-Id: <20220218100554.1315511-34-rybczynska@gmail.com> In-Reply-To: <20220218100554.1315511-1-rybczynska@gmail.com> References: <20220218100554.1315511-1-rybczynska@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	grub 2.04 security fixes \| expand [00/46,dunfell] grub 2.04 security fixes [01/46,dunfell] grub: fix a memory leak [02/46,dunfell] grub: add a fix for a possible NULL dereference [03/46,dunfell] grub: fix a dangling memory pointer [04/46,dunfell] grub: fix wrong handling of argc == 0 [05/46,dunfell] grub: add a fix for malformed device path handling [06/46,dunfell] grub: fix memory leak at error in grub_efi_get_filename() [07/46,dunfell] grub: add a fix for a possible NULL pointer dereference [08/46,dunfell] grub: add a fix for unused variable in gnulib [09/46,dunfell] grub: fix an unitialized token in gnulib [10/46,dunfell] grub: add a fix a NULL pointer dereference in gnulib [11/46,dunfell] grub: add a fix for NULL pointer dereference [12/46,dunfell] grub: fix an unitialized re_token in gnulib [13/46,dunfell] grub: add a fix for unnecessary assignements [14/46,dunfell] grub: add structure initialization in zstd [15/46,dunfell] grub: add a missing NULL check [16/46,dunfell] grub: fix a memory leak [17/46,dunfell] grub: fix a memory leak [18/46,dunfell] grub: fix a memory leak [19/46,dunfell] grub: fix an integer overflow [20/46,dunfell] grub: add a fix for a length check [21/46,dunfell] grub: add a fix for a possible negative shift [22/46,dunfell] grub: add a fix for a memory leak [23/46,dunfell] grub: add a fix for possible integer overflows [24/46,dunfell] grub: fix an error check [25/46,dunfell] grub: add a fix for a memory leak [26/46,dunfell] grub: add a fix for a possible unintended sign extension [27/46,dunfell] grub: add a fix for a possible NULL dereference [28/46,dunfell] grub: add a fix for a memory leak [29/46,dunfell] grub: add a fix for a memory leak [30/46,dunfell] grub: fix a memory leak [31/46,dunfell] grub: remove unneeded return value [32/46,dunfell] grub: fix an integer overflow [33/46,dunfell] grub: fix multiple integer overflows [34/46,dunfell] grub: fix a possible integer overflow [35/46,dunfell] grub: test for malformed jpeg files [36/46,dunfell] grub: remove dead code [37/46,dunfell] grub: fix checking for NULL [38/46,dunfell] grub: add a fix for a memory leak [39/46,dunfell] grub: avoid a memory leak [40/46,dunfell] grub: add a check for a NULL pointer [41/46,dunfell] grub: add a fix for NULL pointer dereference [42/46,dunfell] grub: add a fix for an incorrect cast [43/46,dunfell] grub: fix incorrect use of a negative value [44/46,dunfell] grub: add a fix for a NULL pointer dereference [45/46,dunfell] grub: avoid a NULL pointer dereference [46/46,dunfell] grub: add a fix for a crash in scripts

Message ID

20220218100554.1315511-34-rybczynska@gmail.com

State

Accepted, archived

Commit

68b91792ed00f9decc85f300eefe0b7e8f80c98b

Headers

From: Marta Rybczynska <rybczynska@gmail.com>
To: anuj.mittal@intel.com,
	openembedded-core@lists.openembedded.org,
	steve@sakoman.com
Cc: Marta Rybczynska <rybczynska@gmail.com>,
	Marta Rybczynska <marta.rybczynska@huawei.com>
Subject: [PATCH 33/46][dunfell] grub: fix multiple integer overflows
Date: Fri, 18 Feb 2022 11:05:41 +0100
Message-Id: <20220218100554.1315511-34-rybczynska@gmail.com>
In-Reply-To: <20220218100554.1315511-1-rybczynska@gmail.com>
References: <20220218100554.1315511-1-rybczynska@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

grub 2.04 security fixes | expand

Commit Message

Marta Rybczynska Feb. 18, 2022, 10:05 a.m. UTC

This patch adds a fix for multiple integer overflows in grub's
video/fb/video_fb. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 ...eo_fb-Fix-multiple-integer-overflows.patch | 104 ++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch

diff --git a/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
new file mode 100644
index 0000000000..544e7f31ae
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,104 @@ 
+From 69b91f7466a5ad5fb85039a5b4118efb77ad6347 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08e098b1dbf01e96376f594b337491bc4cfa48dd]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8..1c9a138 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+ #include <grub/fbutil.h>
+ #include <grub/bitmap.h>
+ #include <grub/dl.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+ {
+   if (framebuffer.current_dirty.first_line
+       <= framebuffer.current_dirty.last_line)
+-    grub_memcpy ((char *) framebuffer.pages[0]
+-		 + framebuffer.current_dirty.first_line
+-		 * framebuffer.back_target->mode_info.pitch,
+-		 (char *) framebuffer.back_target->data
+-		 + framebuffer.current_dirty.first_line
+-		 * framebuffer.back_target->mode_info.pitch,
+-		 framebuffer.back_target->mode_info.pitch
+-		 * (framebuffer.current_dirty.last_line
+-		    - framebuffer.current_dirty.first_line));
++    {
++      grub_size_t copy_size;
++
++      if (grub_sub (framebuffer.current_dirty.last_line,
++		    framebuffer.current_dirty.first_line, &copy_size) ||
++	  grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++	{
++	  /* Shouldn't happen, but if it does we've a bug. */
++	  return GRUB_ERR_BUG;
++	}
++
++      grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++		   framebuffer.back_target->mode_info.pitch,
++		   (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++		   framebuffer.back_target->mode_info.pitch,
++		   copy_size);
++    }
+   framebuffer.current_dirty.first_line
+     = framebuffer.back_target->mode_info.height;
+   framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+ 				   volatile void *framebuf)
+ {
+   grub_err_t err;
+-  grub_size_t page_size = mode_info.pitch * mode_info.height;
++  grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+ 
+   framebuffer.offscreen_buffer = grub_zalloc (page_size);
+   if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+     last_line = framebuffer.previous_dirty.last_line;
+ 
+   if (first_line <= last_line)
+-    grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+-		 + first_line * framebuffer.back_target->mode_info.pitch,
+-		 (char *) framebuffer.back_target->data
+-		 + first_line * framebuffer.back_target->mode_info.pitch,
+-		 framebuffer.back_target->mode_info.pitch
+-		 * (last_line - first_line));
++    {
++      grub_size_t copy_size;
++
++      if (grub_sub (last_line, first_line, &copy_size) ||
++	  grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++	{
++	  /* Shouldn't happen, but if it does we've a bug. */
++	  return GRUB_ERR_BUG;
++	}
++
++      grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++		   framebuffer.back_target->mode_info.pitch,
++		   (char *) framebuffer.back_target->data + first_line *
++		   framebuffer.back_target->mode_info.pitch,
++		   copy_size);
++    }
++
+   framebuffer.previous_dirty = framebuffer.current_dirty;
+   framebuffer.current_dirty.first_line
+     = framebuffer.back_target->mode_info.height;
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 710ab5e361..8b5b9e3b3e 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -79,6 +79,7 @@  SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://0030-commands-hashsum-Fix-a-memory-leak.patch \
            file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
            file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
+           file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
            "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"

[33/46,dunfell] grub: fix multiple integer overflows

Commit Message

Patch