nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
f725e3
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug

Fixing a memory leak in case of error, and an integer overflow, leading to a
heap overflow due to overly large chunk sizes.

We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small-sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.

This is no big issue for pure http boot, since it's going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.

Signed-off-by: Michael Chang <mchang@suse.com>
---
 grub-core/net/efi/net.c | 4 +++-
 grub-core/net/http.c    | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
index 9e0078ac1c6..2bf15447fd5 100644
--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
 
       rd = efi_net_interface (read, file, chunk, sz);
 
-      if (rd <= 0)
+      if (rd <= 0) {
+	grub_free (chunk);
 	return rd;
+      }
 
       if (buf)
 	{
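Review bot: the new `if (rd <= 0) {` puts the opening brace on the `if` line, while the surrounding function uses the GNU layout visible just below (`if (buf)` with `{` on its own indented line); match that layout so the error path reads like the rest of the file. Note also that `rd == 0` (end of stream) takes this branch as well, so `chunk` is now released on both the error and the EOF return; a one-line comment saying the free is intended for both cases would save the next reader from wondering whether the EOF path leaks or double-frees elsewhere.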
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 2b46e4672fc..82515f352dd 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
 
 enum
   {
-    HTTP_PORT = 80
+    HTTP_PORT = 80,
+    HTTP_MAX_CHUNK_SIZE = 0x80000000
   };
 
 
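Review bot: `HTTP_MAX_CHUNK_SIZE = 0x80000000` is not representable as an `int`, so as an enumerator it depends on a compiler extension (ISO C requires an enumeration constant's value to fit in `int`; GCC only warns under `-pedantic`); a `#define HTTP_MAX_CHUNK_SIZE 0x80000000U` beside the enum, or a comment noting the extension, would be cleaner. The value itself also needs a comment: 2 GiB is far above any chunk a boot loader will read, and the commit message only says that some maximum is needed, not why this bound was chosen or how it relates to the alignment rounding in the allocation functions that the message identifies as the trigger.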
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
   if (data->in_chunk_len == 2)
     {
       data->chunk_rem = grub_strtoul (ptr, 0, 16);
+      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+	  return GRUB_ERR_NET_PACKET_TOO_BIG;
       grub_errno = GRUB_ERR_NONE;
       if (data->chunk_rem == 0)
 	{
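Review bot: the new size check returns before the `grub_errno = GRUB_ERR_NONE;` reset that immediately follows it, so any `grub_errno` that `grub_strtoul` may have set on a malformed chunk-size line now survives into the caller alongside the returned `GRUB_ERR_NET_PACKET_TOO_BIG`; either place the check after the reset, or return through `grub_error (GRUB_ERR_NET_PACKET_TOO_BIG, "...")` so the failure is recorded with a message instead of as a bare code. Indentation is also off by two columns: `return` sits at a tab plus two spaces, whereas one level below the six-column `if` is eight columns, i.e. a single tab, as the `{` under `if (data->chunk_rem == 0)` shows.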