Patch CVE-2022-3775 in grub2 (#5654)
Co-authored-by: Dan Streetman <ddstreet@ieee.org>
This commit is contained in:
Родитель
7ea00816e6
Коммит
81627c8324
|
@ -12,7 +12,7 @@
|
||||||
Summary: Signed GRand Unified Bootloader for %{buildarch} systems
|
Summary: Signed GRand Unified Bootloader for %{buildarch} systems
|
||||||
Name: grub2-efi-binary-signed-%{buildarch}
|
Name: grub2-efi-binary-signed-%{buildarch}
|
||||||
Version: 2.06
|
Version: 2.06
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Vendor: Microsoft Corporation
|
Vendor: Microsoft Corporation
|
||||||
Distribution: Mariner
|
Distribution: Mariner
|
||||||
|
@ -77,6 +77,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname}
|
||||||
/boot/efi/EFI/BOOT/%{grubpxeefiname}
|
/boot/efi/EFI/BOOT/%{grubpxeefiname}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 08 2023 Daniel McIlvaney <damcilva@microsoft.com> - 2.06-10
|
||||||
|
- CVE-2022-3775
|
||||||
|
|
||||||
* Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9
|
* Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9
|
||||||
- Adding XFS support to GRUB
|
- Adding XFS support to GRUB
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,91 @@
|
||||||
|
From 992c06191babc1e109caf40d6a07ec6fdef427af Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||||
|
Date: Mon, 24 Oct 2022 08:05:35 +0800
|
||||||
|
Subject: [PATCH] font: Fix an integer underflow in blit_comb()
|
||||||
|
|
||||||
|
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
|
||||||
|
evaluate to a very big invalid value even if both ctx.bounds.height and
|
||||||
|
combining_glyphs[i]->height are small integers. For example, if
|
||||||
|
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
|
||||||
|
expression evaluates to 2147483647 (expected -1). This is because
|
||||||
|
coordinates are allowed to be negative but ctx.bounds.height is an
|
||||||
|
unsigned int. So, the subtraction operates on unsigned ints and
|
||||||
|
underflows to a very big value. The division makes things even worse.
|
||||||
|
The quotient is still an invalid value even if converted back to int.
|
||||||
|
|
||||||
|
This patch fixes the problem by casting ctx.bounds.height to int. As
|
||||||
|
a result the subtraction will operate on int and grub_uint16_t which
|
||||||
|
will be promoted to an int. So, the underflow will no longer happen. Other
|
||||||
|
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
|
||||||
|
to ensure coordinates are always calculated on signed integers.
|
||||||
|
|
||||||
|
Fixes: CVE-2022-3775
|
||||||
|
|
||||||
|
Reported-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/font/font.c | 16 ++++++++--------
|
||||||
|
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
||||||
|
index abd412a5e..3d3d803e8 100644
|
||||||
|
--- a/grub-core/font/font.c
|
||||||
|
+++ b/grub-core/font/font.c
|
||||||
|
@@ -1197,12 +1197,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||||
|
ctx.bounds.height = main_glyph->height;
|
||||||
|
|
||||||
|
above_rightx = main_glyph->offset_x + main_glyph->width;
|
||||||
|
- above_righty = ctx.bounds.y + ctx.bounds.height;
|
||||||
|
+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
|
||||||
|
|
||||||
|
above_leftx = main_glyph->offset_x;
|
||||||
|
- above_lefty = ctx.bounds.y + ctx.bounds.height;
|
||||||
|
+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
|
||||||
|
|
||||||
|
- below_rightx = ctx.bounds.x + ctx.bounds.width;
|
||||||
|
+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
|
||||||
|
below_righty = ctx.bounds.y;
|
||||||
|
|
||||||
|
comb = grub_unicode_get_comb (glyph_id);
|
||||||
|
@@ -1215,7 +1215,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||||
|
|
||||||
|
if (!combining_glyphs[i])
|
||||||
|
continue;
|
||||||
|
- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
||||||
|
+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
||||||
|
/* CGJ is to avoid diacritics reordering. */
|
||||||
|
if (comb[i].code
|
||||||
|
== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
|
||||||
|
@@ -1225,8 +1225,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||||
|
case GRUB_UNICODE_COMB_OVERLAY:
|
||||||
|
do_blit (combining_glyphs[i],
|
||||||
|
targetx,
|
||||||
|
- (ctx.bounds.height - combining_glyphs[i]->height) / 2
|
||||||
|
- - (ctx.bounds.height + ctx.bounds.y), &ctx);
|
||||||
|
+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
|
||||||
|
+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
|
||||||
|
if (min_devwidth < combining_glyphs[i]->width)
|
||||||
|
min_devwidth = combining_glyphs[i]->width;
|
||||||
|
break;
|
||||||
|
@@ -1299,7 +1299,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||||
|
/* Fallthrough. */
|
||||||
|
case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
|
||||||
|
do_blit (combining_glyphs[i], targetx,
|
||||||
|
- -(ctx.bounds.height + ctx.bounds.y + space
|
||||||
|
+ -((int) ctx.bounds.height + ctx.bounds.y + space
|
||||||
|
+ combining_glyphs[i]->height), &ctx);
|
||||||
|
if (min_devwidth < combining_glyphs[i]->width)
|
||||||
|
min_devwidth = combining_glyphs[i]->width;
|
||||||
|
@@ -1307,7 +1307,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||||
|
|
||||||
|
case GRUB_UNICODE_COMB_HEBREW_DAGESH:
|
||||||
|
do_blit (combining_glyphs[i], targetx,
|
||||||
|
- -(ctx.bounds.height / 2 + ctx.bounds.y
|
||||||
|
+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
|
||||||
|
+ combining_glyphs[i]->height / 2), &ctx);
|
||||||
|
if (min_devwidth < combining_glyphs[i]->width)
|
||||||
|
min_devwidth = combining_glyphs[i]->width;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
Summary: GRand Unified Bootloader
|
Summary: GRand Unified Bootloader
|
||||||
Name: grub2
|
Name: grub2
|
||||||
Version: 2.06
|
Version: 2.06
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Vendor: Microsoft Corporation
|
Vendor: Microsoft Corporation
|
||||||
Distribution: Mariner
|
Distribution: Mariner
|
||||||
|
@ -51,6 +51,7 @@ Patch0167: 0167-restore-umask-for-grub-config.patch
|
||||||
# Fix to reset the global errno to success upon success.
|
# Fix to reset the global errno to success upon success.
|
||||||
Patch0170: 0170-fix-memory-alloc-errno-reset.patch
|
Patch0170: 0170-fix-memory-alloc-errno-reset.patch
|
||||||
Patch0171: CVE-2022-2601.patch
|
Patch0171: CVE-2022-2601.patch
|
||||||
|
Patch0172: CVE-2022-3775.patch
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: device-mapper-devel
|
BuildRequires: device-mapper-devel
|
||||||
BuildRequires: python3
|
BuildRequires: python3
|
||||||
|
@ -326,6 +327,9 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 08 2023 Daniel McIlvaney <damcilva@microsoft.com> - 2.06-10
|
||||||
|
- CVE-2022-3775
|
||||||
|
|
||||||
* Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9
|
* Wed Apr 05 2023 Andy Zaugg <azaugg@linkedin.com> - 2.06-9
|
||||||
- Adding XFS support to GRUB
|
- Adding XFS support to GRUB
|
||||||
|
|
||||||
|
|
Загрузка…
Ссылка в новой задаче