
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug
Fixing a memory leak in case of error, and an integer overflow, leading to a
heap overflow due to overly large chunk sizes.
We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.
This is no big issue for pure http boot, since its going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.
Signed-off-by: Michael Chang <mchang@suse.com>
---
 grub-core/net/efi/net.c | 4 +++-
 grub-core/net/http.c    | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
index 9e0078ac1c6..2bf15447fd5 100644
--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
 
       rd = efi_net_interface (read, file, chunk, sz);
 
-      if (rd <= 0)
+      if (rd <= 0) {
+	grub_free (chunk);
 	return rd;
+      }
 
       if (buf)
 	{
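Review bot: The added early return uses K&R brace placement (`if (rd <= 0) {`) while the rest of this function — the `if (buf)` branch two lines below — puts the brace on its own line in GNU style, so the fix reads as foreign to the file. I would write it as `if (rd <= 0)` / `{` / `grub_free (chunk); return rd;` / `}` with GNU indentation, and add a one-line why-comment such as `/* On error or EOF the caller never sees chunk, so release it here.  */`. The allocation of `chunk` and the rest of grub_efihttp_chunk_read lie outside this hunk, so I cannot confirm from here that `chunk` is owned by this loop iteration rather than by the caller; that assumption should be checked before the free is taken as complete.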
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 2b46e4672fc..82515f352dd 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
 
 enum
   {
-    HTTP_PORT = 80
+    HTTP_PORT = 80,
+    HTTP_MAX_CHUNK_SIZE = 0x80000000
   };
 
 
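Review bot: `HTTP_MAX_CHUNK_SIZE = 0x80000000` exceeds INT_MAX wherever int is 32 bits, and C11 6.7.2.2 requires every enumerator value to be representable as an int, so this is accepted by GCC only as an extension (it warns under -pedantic) and the constant's type becomes implementation-defined, which matters for the `data->chunk_rem > HTTP_MAX_CHUNK_SIZE` comparison in the next hunk. A macro with an explicit type avoids both problems, e.g. `#define HTTP_MAX_CHUNK_SIZE ((grub_size_t) 0x80000000)` — grub_size_t is already used in this file, see parse_line's signature — or the value could stay in the enum if it is lowered to 0x7fffffff. Either way the limit deserves a why-comment, such as `/* Reject chunk sizes this large before allocating: the length is rounded up for alignment and can wrap, leaving a buffer smaller than the memcpy that follows.  */`; the rounding behaviour is taken from the commit message, not from code visible here.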
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
   if (data->in_chunk_len == 2)
     {
       data->chunk_rem = grub_strtoul (ptr, 0, 16);
+      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+	  return GRUB_ERR_NET_PACKET_TOO_BIG;
       grub_errno = GRUB_ERR_NONE;
       if (data->chunk_rem == 0)
 	{
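Review bot: The new check returns a bare `GRUB_ERR_NET_PACKET_TOO_BIG` without going through `grub_error ()`, and it returns before the `grub_errno = GRUB_ERR_NONE` reset on the following line, so if parse_line follows the usual GRUB convention that grub_errno carries the error and its message, the caller receives a code while grub_errno still holds whatever grub_strtoul left behind and no message reaches the user; `return grub_error (GRUB_ERR_NET_PACKET_TOO_BIG, "HTTP chunk size too large");` would address both. The comparison also uses `>`, so a chunk of exactly 0x80000000 bytes is still accepted, and whether that value survives the alignment rounding the commit message describes is decided in allocation code outside this hunk. As a style point, the `return` is indented one level deeper than its `if`, unlike the surrounding GNU-style code. parse_line's body continues past the end of the hunk.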