mirror of
https://git.yoctoproject.org/poky
synced 2026-04-20 00:32:13 +02:00
grub: fix CVE-2023-4693
Upstream-Status: Backport from https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94 (From OE-Core rev: 1bbbba098dba85ec1b875512d75f7eca9026e781) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hitendra Prajapati
committed by
Steve Sakoman
Steve Sakoman
parent
24121f9699
commit
f007ad78dd
62
meta/recipes-bsp/grub/files/CVE-2023-4693.patch
Normal file
62
meta/recipes-bsp/grub/files/CVE-2023-4693.patch
Normal file
@@ -0,0 +1,62 @@
|
||||
From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
|
||||
From: Maxim Suhanov <dfirblog@gmail.com>
|
||||
Date: Mon, 28 Aug 2023 16:32:33 +0300
|
||||
Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
|
||||
$DATA attribute
|
||||
|
||||
When reading a file containing resident data, i.e., the file data is stored in
|
||||
the $DATA attribute within the NTFS file record, not in external clusters,
|
||||
there are no checks that this resident data actually fits the corresponding
|
||||
file record segment.
|
||||
|
||||
When parsing a specially-crafted file system image, the current NTFS code will
|
||||
read the file data from an arbitrary, attacker-chosen memory offset and of
|
||||
arbitrary, attacker-chosen length.
|
||||
|
||||
This allows an attacker to display arbitrary chunks of memory, which could
|
||||
contain sensitive information like password hashes or even plain-text,
|
||||
obfuscated passwords from BS EFI variables.
|
||||
|
||||
This fix implements a check to ensure that resident data is read from the
|
||||
corresponding file record segment only.
|
||||
|
||||
Fixes: CVE-2023-4693
|
||||
|
||||
Reported-by: Maxim Suhanov <dfirblog@gmail.com>
|
||||
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
|
||||
Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
|
||||
CVE: CVE-2023-4693
|
||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
---
|
||||
grub-core/fs/ntfs.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
|
||||
index 7e43fd6..8f63c83 100644
|
||||
--- a/grub-core/fs/ntfs.c
|
||||
+++ b/grub-core/fs/ntfs.c
|
||||
@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
|
||||
{
|
||||
if (ofs + len > u32at (pa, 0x10))
|
||||
return grub_error (GRUB_ERR_BAD_FS, "read out of range");
|
||||
- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
|
||||
+
|
||||
+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
|
||||
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
|
||||
+
|
||||
+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
|
||||
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
|
||||
+
|
||||
+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
|
||||
+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
|
||||
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
|
||||
+
|
||||
+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@@ -39,6 +39,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
|
||||
file://commands-boot-Add-API-to-pass-context-to-loader.patch \
|
||||
file://CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch \
|
||||
file://CVE-2023-4692.patch \
|
||||
file://CVE-2023-4693.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
|
||||
|
||||
Reference in New Issue
Block a user