nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0477-net-http-Fix-OOB-write-for-split-http-headers.patch

d18179
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
d18179
From: Daniel Axtens <dja@axtens.net>
d18179
Date: Tue, 8 Mar 2022 18:17:03 +1100
d18179
Subject: [PATCH] net/http: Fix OOB write for split http headers
d18179
d18179
GRUB has special code for handling an http header that is split
d18179
across two packets.
d18179
d18179
The code tracks the end of line by looking for a "\n" byte. The
d18179
code for split headers has always advanced the pointer just past the
d18179
end of the line, whereas the code that handles unsplit headers does
d18179
not advance the pointer. This extra advance causes the length to be
d18179
one greater, which breaks an assumption in parse_line(), leading to
d18179
it writing a NUL byte one byte past the end of the buffer where we
d18179
reconstruct the line from the two packets.
d18179
d18179
It's conceivable that an attacker controlled set of packets could
d18179
cause this to zero out the first byte of the "next" pointer of the
d18179
grub_mm_region structure following the current_line buffer.
d18179
d18179
Do not advance the pointer in the split header case.
d18179
d18179
Fixes: CVE-2022-28734
d18179
d18179
Signed-off-by: Daniel Axtens <dja@axtens.net>
d18179
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
d18179
(cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
d18179
(cherry picked from commit b604916beb6c39e8ed27f72851eb16f3eaa293c5)
d18179
(cherry picked from commit c3c6b1167a43275991efd6847160a46ce3839fae)
d18179
(cherry picked from commit 33f4f314fa4ba2d0bec9f95dc77f93395b742fdd)
d18179
---
d18179
 grub-core/net/http.c | 4 +---
d18179
 1 file changed, 1 insertion(+), 3 deletions(-)
d18179
d18179
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
d18179
index 4d787a52cd..443b8ffe87 100644
d18179
--- a/grub-core/net/http.c
d18179
+++ b/grub-core/net/http.c
d18179
@@ -193,9 +193,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
d18179
 	  int have_line = 1;
d18179
 	  char *t;
d18179
 	  ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
d18179
-	  if (ptr)
d18179
-	    ptr++;
d18179
-	  else
d18179
+	  if (ptr == NULL)
d18179
 	    {
d18179
 	      have_line = 0;
d18179
 	      ptr = (char *) nb->tail;