Co-authored-by: Dan Streetman <ddstreet@ieee.org>
This commit is contained in:
Daniel McIlvaney 2023-06-09 16:29:04 -07:00 коммит произвёл GitHub
Родитель 7ea00816e6
Коммит 81627c8324
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
3 изменённых файлов: 100 добавлений и 2 удалений

Просмотреть файл

@ -12,7 +12,7 @@
Summary: Signed GRand Unified Bootloader for %{buildarch} systems Summary: Signed GRand Unified Bootloader for %{buildarch} systems
Name: grub2-efi-binary-signed-%{buildarch} Name: grub2-efi-binary-signed-%{buildarch}
Version: 2.06 Version: 2.06
Release: 9%{?dist} Release: 10%{?dist}
License: GPLv3+ License: GPLv3+
Vendor: Microsoft Corporation Vendor: Microsoft Corporation
Distribution: Mariner Distribution: Mariner
@ -77,6 +77,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname}
/boot/efi/EFI/BOOT/%{grubpxeefiname} /boot/efi/EFI/BOOT/%{grubpxeefiname}
%changelog %changelog
* Thu Jun 08 2023 Daniel McIlvaney <damcilva@microsoft.com> - 2.06-10
- CVE-2022-3775
* Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9 * Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9
- Adding XFS support to GRUB - Adding XFS support to GRUB

Просмотреть файл

@ -0,0 +1,91 @@
From 992c06191babc1e109caf40d6a07ec6fdef427af Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang.id@gmail.com>
Date: Mon, 24 Oct 2022 08:05:35 +0800
Subject: [PATCH] font: Fix an integer underflow in blit_comb()
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
evaluate to a very big invalid value even if both ctx.bounds.height and
combining_glyphs[i]->height are small integers. For example, if
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
expression evaluates to 2147483647 (expected -1). This is because
coordinates are allowed to be negative but ctx.bounds.height is an
unsigned int. So, the subtraction operates on unsigned ints and
underflows to a very big value. The division makes things even worse.
The quotient is still an invalid value even if converted back to int.
This patch fixes the problem by casting ctx.bounds.height to int. As
a result the subtraction will operate on int and grub_uint16_t which
will be promoted to an int. So, the underflow will no longer happen. Other
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
to ensure coordinates are always calculated on signed integers.
Fixes: CVE-2022-3775
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/font/font.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index abd412a5e..3d3d803e8 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -1197,12 +1197,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
ctx.bounds.height = main_glyph->height;
above_rightx = main_glyph->offset_x + main_glyph->width;
- above_righty = ctx.bounds.y + ctx.bounds.height;
+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
above_leftx = main_glyph->offset_x;
- above_lefty = ctx.bounds.y + ctx.bounds.height;
+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
- below_rightx = ctx.bounds.x + ctx.bounds.width;
+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
below_righty = ctx.bounds.y;
comb = grub_unicode_get_comb (glyph_id);
@@ -1215,7 +1215,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
if (!combining_glyphs[i])
continue;
- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
/* CGJ is to avoid diacritics reordering. */
if (comb[i].code
== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
@@ -1225,8 +1225,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
case GRUB_UNICODE_COMB_OVERLAY:
do_blit (combining_glyphs[i],
targetx,
- (ctx.bounds.height - combining_glyphs[i]->height) / 2
- - (ctx.bounds.height + ctx.bounds.y), &ctx);
+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
if (min_devwidth < combining_glyphs[i]->width)
min_devwidth = combining_glyphs[i]->width;
break;
@@ -1299,7 +1299,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
/* Fallthrough. */
case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
do_blit (combining_glyphs[i], targetx,
- -(ctx.bounds.height + ctx.bounds.y + space
+ -((int) ctx.bounds.height + ctx.bounds.y + space
+ combining_glyphs[i]->height), &ctx);
if (min_devwidth < combining_glyphs[i]->width)
min_devwidth = combining_glyphs[i]->width;
@@ -1307,7 +1307,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
case GRUB_UNICODE_COMB_HEBREW_DAGESH:
do_blit (combining_glyphs[i], targetx,
- -(ctx.bounds.height / 2 + ctx.bounds.y
+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ combining_glyphs[i]->height / 2), &ctx);
if (min_devwidth < combining_glyphs[i]->width)
min_devwidth = combining_glyphs[i]->width;
--
2.34.1

Просмотреть файл

@ -6,7 +6,7 @@
Summary: GRand Unified Bootloader Summary: GRand Unified Bootloader
Name: grub2 Name: grub2
Version: 2.06 Version: 2.06
Release: 9%{?dist} Release: 10%{?dist}
License: GPLv3+ License: GPLv3+
Vendor: Microsoft Corporation Vendor: Microsoft Corporation
Distribution: Mariner Distribution: Mariner
@ -51,6 +51,7 @@ Patch0167: 0167-restore-umask-for-grub-config.patch
# Fix to reset the global errno to success upon success. # Fix to reset the global errno to success upon success.
Patch0170: 0170-fix-memory-alloc-errno-reset.patch Patch0170: 0170-fix-memory-alloc-errno-reset.patch
Patch0171: CVE-2022-2601.patch Patch0171: CVE-2022-2601.patch
Patch0172: CVE-2022-3775.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: device-mapper-devel BuildRequires: device-mapper-devel
BuildRequires: python3 BuildRequires: python3
@ -326,6 +327,9 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME
%endif %endif
%changelog %changelog
* Thu Jun 08 2023 Daniel McIlvaney <damcilva@microsoft.com> - 2.06-10
- CVE-2022-3775
* Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9 * Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9
- Adding XFS support to GRUB - Adding XFS support to GRUB