nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0096-AUDIT-0-http-boot-tracker-bug.patch

5593c8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
5593c8
From: Sebastian Krahmer <krahmer@suse.com>
5593c8
Date: Tue, 28 Nov 2017 17:24:38 +0800
5593c8
Subject: [PATCH] AUDIT-0: http boot tracker bug
5593c8
5593c8
Fixing a memory leak in case of error, and a integer overflow, leading to a
5593c8
heap overflow due to overly large chunk sizes.
5593c8
5593c8
We need to check against some maximum value, otherwise values like 0xffffffff
5593c8
will eventually lead in the allocation functions to small sized buffers, since
5593c8
the len is rounded up to the next reasonable alignment. The following memcpy
5593c8
will then smash the heap, leading to RCE.
5593c8
5593c8
This is no big issue for pure http boot, since its going to execute an
5593c8
untrusted kernel anyway, but it will break trusted boot scenarios, where only
5593c8
signed code is allowed to be executed.
5593c8
5593c8
Signed-off-by: Michael Chang <mchang@suse.com>
5593c8
---
5593c8
 grub-core/net/efi/net.c | 4 +++-
5593c8
 grub-core/net/http.c    | 5 ++++-
5593c8
 2 files changed, 7 insertions(+), 2 deletions(-)
5593c8
5593c8
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
5593c8
index 86bce6535d3..4bb308026ce 100644
5593c8
--- a/grub-core/net/efi/net.c
5593c8
+++ b/grub-core/net/efi/net.c
5593c8
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
5593c8
 
5593c8
       rd = efi_net_interface (read, file, chunk, sz);
5593c8
 
5593c8
-      if (rd <= 0)
5593c8
+      if (rd <= 0) {
5593c8
+	grub_free (chunk);
5593c8
 	return rd;
5593c8
+      }
5593c8
 
5593c8
       if (buf)
5593c8
 	{
5593c8
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
5593c8
index 12a2632ea55..b52b558d631 100644
5593c8
--- a/grub-core/net/http.c
5593c8
+++ b/grub-core/net/http.c
5593c8
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
 enum
5593c8
   {
5593c8
-    HTTP_PORT = 80
5593c8
+    HTTP_PORT = 80,
5593c8
+    HTTP_MAX_CHUNK_SIZE = 0x80000000
5593c8
   };
5593c8
 
5593c8
 
5593c8
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
5593c8
   if (data->in_chunk_len == 2)
5593c8
     {
5593c8
       data->chunk_rem = grub_strtoul (ptr, 0, 16);
5593c8
+      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
5593c8
+	  return GRUB_ERR_NET_PACKET_TOO_BIG;
5593c8
       grub_errno = GRUB_ERR_NONE;
5593c8
       if (data->chunk_rem == 0)
5593c8
 	{