mirror of
https://git.yoctoproject.org/poky
synced 2026-03-06 15:29:40 +01:00
grub: fix an integer overflow
This patch adds a fix for a potential integer overflow in grub's video/fb/fbfill. It is a part of a security series [1]. [1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html (From OE-Core rev: fbf3260bd196a5d252ad5ccf2a5fe719d3bd9c7f) Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Marta Rybczynska
committed by
Richard Purdie
Richard Purdie
parent
b5eaa833ba
commit
7e7b8e38dc
@@ -0,0 +1,78 @@
|
||||
From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Wed, 4 Nov 2020 15:10:51 +0000
|
||||
Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
|
||||
|
||||
The multiplication of 2 unsigned 32-bit integers may overflow before
|
||||
promotion to unsigned 64-bit. We should ensure that the multiplication
|
||||
is done with overflow detection. Additionally, use grub_sub() for
|
||||
subtraction.
|
||||
|
||||
Fixes: CID 73640, CID 73697, CID 73702, CID 73823
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
|
||||
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
|
||||
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
|
||||
---
|
||||
grub-core/video/fb/fbfill.c | 17 +++++++++++++----
|
||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
|
||||
index 11816d0..a37acd1 100644
|
||||
--- a/grub-core/video/fb/fbfill.c
|
||||
+++ b/grub-core/video/fb/fbfill.c
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <grub/fbfill.h>
|
||||
#include <grub/fbutil.h>
|
||||
#include <grub/types.h>
|
||||
+#include <grub/safemath.h>
|
||||
#include <grub/video.h>
|
||||
|
||||
/* Generic filler that works for every supported mode. */
|
||||
@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
|
||||
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
||||
@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
|
||||
#endif
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
||||
@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
|
||||
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
||||
@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
|
||||
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
||||
@@ -78,6 +78,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
|
||||
file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
|
||||
file://0030-commands-hashsum-Fix-a-memory-leak.patch \
|
||||
file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
|
||||
file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
|
||||
"
|
||||
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
|
||||
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
|
||||
|
||||
Reference in New Issue
Block a user