Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b57939e61959923180c40aeda7700ee62ef95113
rpi-buildroot/boot/grub2/0027-net-tftp-Fix-stack-buffer-overflow-in-tftp_open.patch
Thomas Petazzoni 6243ccd337 boot/grub2: add patches to fix numerous CVEs 
This patch brings the entire stack of Debian patches on grub2 titled
"cve-2025-jan" and available at:

  https://salsa.debian.org/grub-team/grub/-/tree/debian/2.12-9/debian/patches/cve-2025-jan?ref_type=tags

As of this exact Debian grub2 version 2.12-9. Some minor conflicts had
to be fixed. All patches are in upstream Grub master, but mixed with
hundreds of other changes, which is why Debian's effort to backport
them has been leveraged here.

In addition to those patches, 2 extra patches are added:

 0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch
 0074-Constant-time-grub_crypto_memcmp.patch

The first one fixes an issue in one of the earlier patches. The fix is
not in Debian, but is in upstream Grub.

The second one fixes another CVE, not fixed in Debian, but fixed in
OpenSUSE. This fix is not upstream as upstream has decided to move to
libgcrypt instead to avoid the problem, but that's a fairly large
change.

Overall, this patch fixes all CVEs currently reported by pkg-stats
against our grub2 package, namely:

CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45782
CVE-2024-56737
CVE-2024-56738
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-1125

With the previous fixes on runtime tests added (to use glibc
toolchains to build grub2 tests), this commit successfully passes all
tests:

- The ISO9660 tests that use grub2:
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234563

- The grub2 tests:
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234685

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: also tested by building and booting
 - qemu_aarch64_sbsa_defconfig
 - qemu_arm_ebbr_defconfig
 - qemu_loongarch64_virt_efi_defconfig
 - qemu_riscv64_virt_efi_defconfig
 - pc_x86_64_bios_defconfig
 - pc_x86_64_efi_defconfig
]
Tested-by: Julien Olivain <ju.o@free.fr>
[Julien:
 - fix patch #72 upstream link to point to the initial patch
   sumbission rather than a reply
 - merge two _IGNORE_CVES blocks for patch #50 into a single one
 - order _IGNORE_CVES blocks by numerical patch order
 - order numerically the CVE list in commit log
 - add a "Fixes:" tag in patch #74 since its commit log does not
   mention the CVE.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>

(cherry picked from commit ded3e0045a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-08-21 16:28:56 +02:00

121 lines
3.6 KiB
Diff
Raw Blame History

From 8284fca0f096d01f566eadfdc790232df9f2934e Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Thu, 18 Apr 2024 17:32:34 +0100
Subject: [PATCH] net/tftp: Fix stack buffer overflow in tftp_open()
An overly long filename can be passed to tftp_open() which would cause
grub_normalize_filename() to write out of bounds.
Fixed by adding an extra argument to grub_normalize_filename() for the
space available, making it act closer to a strlcpy(). As several fixed
strings are strcpy()'d after into the same buffer, their total length is
checked to see if they exceed the remaining space in the buffer. If so,
return an error.
On the occasion simplify code a bit by removing unneeded rrqlen zeroing.
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream: 0707accab1b9be5d3645d4700dde3f99209f9367
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
grub-core/net/tftp.c | 38 ++++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 409b1d09b..336b78691 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -266,17 +266,19 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
* forward slashes to a single forward slash.
*/
static void
-grub_normalize_filename (char *normalized, const char *filename)
+grub_normalize_filename (char *normalized, const char *filename, int c)
{
char *dest = normalized;
const char *src = filename;
- while (*src != '\0')
+ while (*src != '\0' && c > 0)
{
if (src[0] == '/' && src[1] == '/')
src++;
- else
+ else {
+ c--;
*dest++ = *src++;
+ }
}
*dest = '\0';
}
@@ -287,7 +289,7 @@ tftp_open (struct grub_file *file, const char *filename)
struct tftphdr *tftph;
char *rrq;
int i;
- int rrqlen;
+ int rrqlen, rrqsize;
int hdrlen;
grub_uint8_t open_data[1500];
struct grub_net_buff nb;
@@ -315,37 +317,45 @@ tftp_open (struct grub_file *file, const char *filename)
tftph = (struct tftphdr *) nb.data;
- rrq = (char *) tftph->u.rrq;
- rrqlen = 0;
-
tftph->opcode = grub_cpu_to_be16_compile_time (TFTP_RRQ);
+ rrq = (char *) tftph->u.rrq;
+ rrqsize = sizeof (tftph->u.rrq);
+
/*
* Copy and normalize the filename to work-around issues on some TFTP
* servers when file names are being matched for remapping.
*/
- grub_normalize_filename (rrq, filename);
- rrqlen += grub_strlen (rrq) + 1;
+ grub_normalize_filename (rrq, filename, rrqsize);
+
+ rrqlen = grub_strlen (rrq) + 1;
rrq += grub_strlen (rrq) + 1;
- grub_strcpy (rrq, "octet");
+ /* Verify there is enough space for the remaining components. */
rrqlen += grub_strlen ("octet") + 1;
+ rrqlen += grub_strlen ("blksize") + 1;
+ rrqlen += grub_strlen ("1024") + 1;
+ rrqlen += grub_strlen ("tsize") + 1;
+ rrqlen += grub_strlen ("0") + 1;
+
+ if (rrqlen >= rrqsize) {
+ grub_free (data);
+ return grub_error (GRUB_ERR_BAD_FILENAME, N_("filename too long"));
+ }
+
+ grub_strcpy (rrq, "octet");
rrq += grub_strlen ("octet") + 1;
grub_strcpy (rrq, "blksize");
- rrqlen += grub_strlen ("blksize") + 1;
rrq += grub_strlen ("blksize") + 1;
grub_strcpy (rrq, "1024");
- rrqlen += grub_strlen ("1024") + 1;
rrq += grub_strlen ("1024") + 1;
grub_strcpy (rrq, "tsize");
- rrqlen += grub_strlen ("tsize") + 1;
rrq += grub_strlen ("tsize") + 1;
grub_strcpy (rrq, "0");
- rrqlen += grub_strlen ("0") + 1;
rrq += grub_strlen ("0") + 1;
hdrlen = sizeof (tftph->opcode) + rrqlen;
--
2.50.1
Reference in New Issue View Git Blame Copy Permalink