nalika / rpms / grub2

Forked from rpms/grub2 2 years ago

SOURCES/0238-net-http-Fix-OOB-write-for-split-http-headers.patch

b35c50
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 8 Mar 2022 18:17:03 +1100
Subject: [PATCH] net/http: Fix OOB write for split http headers

GRUB has special code for handling an http header that is split
across two packets.

The code tracks the end of line by looking for a "\n" byte. The
code for split headers has always advanced the pointer just past the
end of the line, whereas the code that handles unsplit headers does
not advance the pointer. This extra advance causes the length to be
one greater, which breaks an assumption in parse_line(), leading to
it writing a NUL byte one byte past the end of the buffer where we
reconstruct the line from the two packets.

It's conceivable that an attacker controlled set of packets could
cause this to zero out the first byte of the "next" pointer of the
grub_mm_region structure following the current_line buffer.

Do not advance the pointer in the split header case.

Fixes: CVE-2022-28734

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
---
 grub-core/net/http.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
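The length arithmetic the commit message describes, as an added C model written for this page and not taken from GRUB's http.c: a line buffer is grown by exactly the bytes copied from each packet, the pre-fix `ptr++` is toggled by a flag, and terminator_index() reports where parse_line()'s NUL write would land instead of performing it. The packet contents, the function names and the exact-fit allocation are constructed assumptions. Beyond the CRLF case the message discusses, the model also runs a header ending in a bare LF, where the patched length still puts the terminator on the allocation boundary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of the split-header reconstruction in http_receive(),
 * constructed for this page; it is not GRUB code. The buffer is sized
 * to exactly the bytes copied, as the commit message describes, with no
 * byte reserved for a terminator.
 */
struct line_buf {
    char *data;
    size_t len;   /* bytes accumulated so far */
    size_t cap;   /* bytes actually allocated */
};

/*
 * Append one "packet" to the buffer, stopping at the first '\n'.
 * pre_fix = 1 models the old `if (ptr) ptr++;`, which counted the '\n';
 * pre_fix = 0 models the patched code, which stops on the '\n'.
 * Returns 1 when a complete line has been seen, 0 if more data is needed.
 */
static int feed_packet(struct line_buf *lb, const char *pkt, size_t pkt_len, int pre_fix)
{
    const char *stop = memchr(pkt, '\n', pkt_len);
    int have_line = 1;

    if (stop == NULL) {
        have_line = 0;
        stop = pkt + pkt_len;         /* ptr = nb->tail */
    } else if (pre_fix) {
        stop++;                       /* the advance removed by the patch */
    }

    size_t n = (size_t)(stop - pkt);
    char *t = realloc(lb->data, lb->len + n);   /* exact fit, no terminator byte */
    if (t == NULL) {
        perror("realloc");
        exit(1);
    }
    memcpy(t + lb->len, pkt, n);
    lb->data = t;
    lb->len += n;
    lb->cap = lb->len;
    return have_line;
}

/*
 * Index of the byte a parse_line()-style terminator would overwrite: start
 * at len and back up over trailing '\r' bytes only. Nothing is written, so
 * the pre-fix case can be examined without undefined behaviour.
 */
static size_t terminator_index(const struct line_buf *lb)
{
    size_t end = lb->len;
    while (end > 0 && lb->data[end - 1] == '\r')
        end--;
    return end;
}

static int nul_write_in_bounds(const struct line_buf *lb)
{
    return terminator_index(lb) < lb->cap;
}

/*
 * Reassemble a header split across two packets and report whether the
 * terminating NUL stays inside the allocation (1 yes, 0 no, -1 if the
 * input is not actually a split line). Inputs are constructed.
 */
static int split_header_in_bounds(const char *pkt1, const char *pkt2, int pre_fix, size_t *len_out)
{
    struct line_buf lb = { NULL, 0, 0 };
    int ok;

    if (feed_packet(&lb, pkt1, strlen(pkt1), pre_fix)) {
        free(lb.data);            /* first packet held the whole line */
        return -1;
    }
    if (!feed_packet(&lb, pkt2, strlen(pkt2), pre_fix)) {
        free(lb.data);            /* still no line end after two packets */
        return -1;
    }
    ok = nul_write_in_bounds(&lb);
    if (len_out)
        *len_out = lb.len;
    free(lb.data);
    return ok;
}

int main(void)
{
    const char *a = "Content-Le";            /* constructed first packet */
    const char *crlf = "ngth: 42\r\nnext";   /* constructed second packet, CRLF */
    const char *lf = "ngth: 42\nnext";       /* constructed second packet, bare LF */

    printf("pre-fix, CRLF: in bounds = %d\n", split_header_in_bounds(a, crlf, 1, NULL));
    printf("patched, CRLF: in bounds = %d\n", split_header_in_bounds(a, crlf, 0, NULL));
    printf("patched, LF:   in bounds = %d\n", split_header_in_bounds(a, lf, 0, NULL));
    return 0;
}
```

With the CRLF packets the pre-fix run puts the terminator at index 20 of a 20-byte buffer, which is the one-past-the-end write the message describes; the patched run puts it at index 18 of 19, because the trailing '\r' is backed over first. The bare-LF run shows the limit of an exact-fit buffer: with no '\r' to back over, index 18 of 18 is again on the boundary, so either a spare byte in the allocation or a rejection of LF-without-CR lines is needed to close that case.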

diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 19cb8768e3..58546739a2 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -193,9 +193,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
 	  int have_line = 1;
 	  char *t;
 	  ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
-	  if (ptr)
-	    ptr++;
-	  else
+	  if (ptr == NULL)
 	    {
 	      have_line = 0;
 	      ptr = (char *) nb->tail;
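Review bot: the length fix is right, but the reconstructed line still gets no room for its terminator. The message says the buffer is built from exactly the bytes copied and that parse_line() writes a NUL at the end of the line; with `ptr` now left on the '\n' rather than past it, that NUL lands at the buffer's length, which is in bounds only when a trailing '\r' lets parse_line() back up first. A header line ending in a bare LF would still write on the allocation boundary, so either reserve one extra byte when the split line is reallocated or have parse_line() reject LF-without-CR lines. Also confirm that whatever consumes the netbuff after the split line is parsed now pulls the '\n' itself, since `ptr` no longer points beyond it; otherwise the next grub_memchr() in the header loop finds that byte at offset 0 and hands parse_line() an empty line.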