Re: [OE-core][master][mickledore][PATCH] grub2: fix CVE-2023-4692

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: Alexandre Belloni <alexandre.belloni@bootlin.com>
To: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][master][mickledore][PATCH] grub2: fix CVE-2023-4692
Date: Sat, 21 Oct 2023 00:46:59 +0200	[thread overview]
Message-ID: <202310202246598ced9e5d@mail.local> (raw)
In-Reply-To: <20231020080914.1377762-1-xiangyu.chen@eng.windriver.com>

Hello,

This doesn't apply on master, can you rebase?

On 20/10/2023 16:09:14+0800, Xiangyu Chen wrote:
> From: Xiangyu Chen <xiangyu.chen@windriver.com>
> 
> Crafted file system images can cause heap-based buffer overflow and may
> allow arbitrary code execution and secure boot bypass
> 
> Reference:
> https://security-tracker.debian.org/tracker/CVE-2023-4692
> 
> Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
> ---
>  .../grub/files/CVE-2023-4692.patch            | 98 +++++++++++++++++++
>  meta/recipes-bsp/grub/grub2.inc               |  1 +
>  2 files changed, 99 insertions(+)
>  create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch
> 
> diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
> new file mode 100644
> index 0000000000..305fcc93d8
> --- /dev/null
> +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
> @@ -0,0 +1,98 @@
> +From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
> +From: Maxim Suhanov <dfirblog@gmail.com>
> +Date: Mon, 28 Aug 2023 16:31:57 +0300
> +Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
> + for the $MFT file
> +
> +When parsing an extremely fragmented $MFT file, i.e., the file described
> +using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
> +containing bytes read from the underlying drive to store sector numbers,
> +which are consumed later to read data from these sectors into another buffer.
> +
> +These sectors numbers, two 32-bit integers, are always stored at predefined
> +offsets, 0x10 and 0x14, relative to first byte of the selected entry within
> +the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
> +
> +However, when parsing a specially-crafted file system image, this may cause
> +the NTFS code to write these integers beyond the buffer boundary, likely
> +causing the GRUB memory allocator to misbehave or fail. These integers contain
> +values which are controlled by on-disk structures of the NTFS file system.
> +
> +Such modification and resulting misbehavior may touch a memory range not
> +assigned to the GRUB and owned by firmware or another EFI application/driver.
> +
> +This fix introduces checks to ensure that these sector numbers are never
> +written beyond the boundary.
> +
> +Fixes: CVE-2023-4692
> +
> +Upstream-Status: Backport from 
> +[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
> +CVE: CVE-2023-4692
> +
> +Reported-by: Maxim Suhanov <dfirblog@gmail.com>
> +Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
> +---
> + grub-core/fs/ntfs.c | 18 +++++++++++++++++-
> + 1 file changed, 17 insertions(+), 1 deletion(-)
> +
> +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
> +index bbdbe24..c3c4db1 100644
> +--- a/grub-core/fs/ntfs.c
> ++++ b/grub-core/fs/ntfs.c
> +@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
> +     }
> +   if (at->attr_end)
> +     {
> +-      grub_uint8_t *pa;
> ++      grub_uint8_t *pa, *pa_end;
> + 
> +       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
> +       if (at->emft_buf == NULL)
> +@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
> + 	    }
> + 	  at->attr_nxt = at->edat_buf;
> + 	  at->attr_end = at->edat_buf + u32at (pa, 0x30);
> ++	  pa_end = at->edat_buf + n;
> + 	}
> +       else
> + 	{
> + 	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
> + 	  at->attr_end = at->attr_end + u32at (pa, 4);
> ++	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
> + 	}
> +       at->flags |= GRUB_NTFS_AF_ALST;
> +       while (at->attr_nxt < at->attr_end)
> +@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
> + 	  at->flags |= GRUB_NTFS_AF_GPOS;
> + 	  at->attr_cur = at->attr_nxt;
> + 	  pa = at->attr_cur;
> ++
> ++	  if ((pa >= pa_end) || (pa_end - pa < 0x18))
> ++	    {
> ++	      grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
> ++	      return NULL;
> ++	    }
> ++
> + 	  grub_set_unaligned32 ((char *) pa + 0x10,
> + 				grub_cpu_to_le32 (at->mft->data->mft_start));
> + 	  grub_set_unaligned32 ((char *) pa + 0x14,
> +@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
> + 	    {
> + 	      if (*pa != attr)
> + 		break;
> ++
> ++              if ((pa >= pa_end) || (pa_end - pa < 0x18))
> ++                {
> ++	          grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
> ++	          return NULL;
> ++	        }
> ++
> + 	      if (read_attr
> + 		  (at, pa + 0x10,
> + 		   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
> +-- 
> +cgit v1.1
> +
> diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
> index 41839698dc..5ce8699363 100644
> --- a/meta/recipes-bsp/grub/grub2.inc
> +++ b/meta/recipes-bsp/grub/grub2.inc
> @@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
>             file://CVE-2022-3775.patch \
>             file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \
>             file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \
> +           file://CVE-2023-4692.patch \
>  "
>  
>  SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
> -- 
> 2.34.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#189506): https://lists.openembedded.org/g/openembedded-core/message/189506
> Mute This Topic: https://lists.openembedded.org/mt/102077193/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

next prev parent reply	other threads:[~2023-10-20 22:47 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-20  8:09 [OE-core][master][mickledore][PATCH] grub2: fix CVE-2023-4692 Xiangyu Chen
2023-10-20 22:46 ` Alexandre Belloni [this message]
2023-11-06 15:50   ` Steve Sakoman
2023-11-08  3:01     ` Xiangyu Chen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202310202246598ced9e5d@mail.local \
    --to=alexandre.belloni@bootlin.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=xiangyu.chen@eng.windriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox