From 81627c8324d5b973ed63fc59f08c5b65b6c8c5fe Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney
Date: Fri, 9 Jun 2023 16:29:04 -0700
Subject: [PATCH] Patch CVE-2022-3775 in grub2 (#5654)

Co-authored-by: Dan Streetman
---
 .../grub2-efi-binary-signed.spec | 5 +-
 SPECS/grub2/CVE-2022-3775.patch | 91 +++++++++++++++++++
 SPECS/grub2/grub2.spec | 6 +-
 3 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/grub2/CVE-2022-3775.patch

diff --git a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
index 65a9e4124c..decf9ea0c3 100644
--- a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
+++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
@@ -12,7 +12,7 @@ Summary: Signed GRand Unified Bootloader for %{buildarch} systems
 Name: grub2-efi-binary-signed-%{buildarch}
 Version: 2.06
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv3+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -77,6 +77,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname}
 /boot/efi/EFI/BOOT/%{grubpxeefiname}
 
 %changelog
+* Thu Jun 08 2023 Daniel McIlvaney - 2.06-10
+- CVE-2022-3775
+
 * Wed Apr 05 2023 Andy Zaugg - 2.06-9
 - Adding XFS support to GRUB
 
diff --git a/SPECS/grub2/CVE-2022-3775.patch b/SPECS/grub2/CVE-2022-3775.patch
new file mode 100644
index 0000000000..89f877c48e
--- /dev/null
+++ b/SPECS/grub2/CVE-2022-3775.patch
@@ -0,0 +1,91 @@ +From 992c06191babc1e109caf40d6a07ec6fdef427af Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 24 Oct 2022 08:05:35 +0800 +Subject: [PATCH] font: Fix an integer underflow in blit_comb() + +The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may +evaluate to a very big invalid value even if both ctx.bounds.height and +combining_glyphs[i]->height are small integers. For example, if +ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this +expression evaluates to 2147483647 (expected -1). This is because +coordinates are allowed to be negative but ctx.bounds.height is an +unsigned int. So, the subtraction operates on unsigned ints and +underflows to a very big value. The division makes things even worse. +The quotient is still an invalid value even if converted back to int. + +This patch fixes the problem by casting ctx.bounds.height to int. As +a result the subtraction will operate on int and grub_uint16_t which +will be promoted to an int. So, the underflow will no longer happen. Other +uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, +to ensure coordinates are always calculated on signed integers. 
+ +Fixes: CVE-2022-3775 + +Reported-by: Daniel Axtens +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +--- + grub-core/font/font.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index abd412a5e..3d3d803e8 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1197,12 +1197,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + ctx.bounds.height = main_glyph->height; + + above_rightx = main_glyph->offset_x + main_glyph->width; +- above_righty = ctx.bounds.y + ctx.bounds.height; ++ above_righty = ctx.bounds.y + (int) ctx.bounds.height; + + above_leftx = main_glyph->offset_x; +- above_lefty = ctx.bounds.y + ctx.bounds.height; ++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height; + +- below_rightx = ctx.bounds.x + ctx.bounds.width; ++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width; + below_righty = ctx.bounds.y; + + comb = grub_unicode_get_comb (glyph_id); +@@ -1215,7 +1215,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + if (!combining_glyphs[i]) + continue; +- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; ++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; + /* CGJ is to avoid diacritics reordering. */ + if (comb[i].code + == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER) +@@ -1225,8 +1225,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + case GRUB_UNICODE_COMB_OVERLAY: + do_blit (combining_glyphs[i], + targetx, +- (ctx.bounds.height - combining_glyphs[i]->height) / 2 +- - (ctx.bounds.height + ctx.bounds.y), &ctx); ++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2 ++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; + break; +@@ -1299,7 +1299,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + /* Fallthrough. 
*/ + case GRUB_UNICODE_STACK_ATTACHED_ABOVE: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height + ctx.bounds.y + space ++ -((int) ctx.bounds.height + ctx.bounds.y + space + + combining_glyphs[i]->height), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +@@ -1307,7 +1307,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + case GRUB_UNICODE_COMB_HEBREW_DAGESH: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height / 2 + ctx.bounds.y ++ -((int) ctx.bounds.height / 2 + ctx.bounds.y + + combining_glyphs[i]->height / 2), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +-- +2.34.1 + diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec index 56d7a8043c..667d5c877b 100644 --- a/SPECS/grub2/grub2.spec +++ b/SPECS/grub2/grub2.spec @@ -6,7 +6,7 @@ Summary: GRand Unified Bootloader Name: grub2 Version: 2.06 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Mariner @@ -51,6 +51,7 @@ Patch0167: 0167-restore-umask-for-grub-config.patch # Fix to reset the global errno to success upon success. Patch0170: 0170-fix-memory-alloc-errno-reset.patch Patch0171: CVE-2022-2601.patch +Patch0172: CVE-2022-3775.patch BuildRequires: autoconf BuildRequires: device-mapper-devel BuildRequires: python3 @@ -326,6 +327,9 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME %endif %changelog +* Thu Jun 08 2023 Daniel McIlvaney - 2.06-10 +- CVE-2022-3775 + * Wed Apr 05 2023 Andy Zaugg - 2.06-9 - Adding XFS support to GRUB
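Review bot: The new patch file reads as an unmodified copy of upstream 992c06191babc1e109caf40d6a07ec6fdef427af (8 insertions, 8 deletions in grub-core/font/font.c), so it should stay byte-identical rather than be annotated locally; the thing to verify is series ordering, because Patch0171 (CVE-2022-2601.patch) in the same spec very likely edits the same font.c, and this patch's hunk offsets (1197, 1215, 1225, 1299, 1307) must still apply without fuzz on top of it. The fix itself is sound as far as the hunks show: once the left operand is cast, `(int) ctx.bounds.height - combining_glyphs[i]->height` is evaluated in int because the glyph height is a grub_uint16_t that promotes to int, so 10 - 12 gives -1 instead of an unsigned wrap feeding do_blit. The enclosing blit_comb() begins before the first hunk and ends after the last, and the commit message's claim that every remaining use of ctx.bounds.height/width is cast cannot be confirmed from these five hunks, so a grep of the patched file for uncast `ctx.bounds.` arithmetic mixed with signed coordinates is worth doing before signing off.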
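Review bot: Declaring `Patch0172: CVE-2022-3775.patch` only guarantees the file ships in the SRPM; whether it is applied depends on how %prep consumes the patch list, which is outside this hunk, so if the spec applies patches with explicit `%patchNNN -p1` lines rather than `%autosetup -p1`, a matching `%patch0172 -p1` is still needed or the CVE fix is never built in. The neighbouring Patch0170 carries a one-line purpose comment while Patch0171 and the new Patch0172 do not; following that style with `# font: Fix an integer underflow in blit_comb() (upstream 992c06191bab)` above the new line would record the provenance in the spec itself rather than only inside the patch file.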