6243ccd337
This patch brings the entire stack of Debian patches on grub2 titled
"cve-2025-jan" and available at:
https://salsa.debian.org/grub-team/grub/-/tree/debian/2.12-9/debian/patches/cve-2025-jan?ref_type=tags
As of this exact Debian grub2 version 2.12-9. Some minor conflicts had
to be fixed. All patches are in upstream Grub master, but mixed with
hundreds of other changes, which is why Debian's effort to backport
them has been leveraged here.
In addition to those patches, 2 extra patches are added:
0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch
0074-Constant-time-grub_crypto_memcmp.patch
The first one fixes an issue in one of the earlier patches. The fix is
not in Debian, but is in upstream Grub.
The second one fixes another CVE, not fixed in Debian, but fixed in
OpenSUSE. This fix is not upstream as upstream has decided to move to
libgcrypt instead to avoid the problem, but that's a fairly large
change.
Overall, this patch fixes all CVEs currently reported by pkg-stats
against our grub2 package, namely:
CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45782
CVE-2024-56737
CVE-2024-56738
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-1125
With the previous fixes on runtime tests added (to use glibc
toolchains to build grub2 tests), this commit successfully passes all
tests:
- The ISO9660 tests that use grub2:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234563
- The grub2 tests:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234685
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: also tested by building and booting
- qemu_aarch64_sbsa_defconfig
- qemu_arm_ebbr_defconfig
- qemu_loongarch64_virt_efi_defconfig
- qemu_riscv64_virt_efi_defconfig
- pc_x86_64_bios_defconfig
- pc_x86_64_efi_defconfig
]
Tested-by: Julien Olivain <ju.o@free.fr>
[Julien:
- fix patch #72 upstream link to point to the initial patch
sumbission rather than a reply
- merge two _IGNORE_CVES blocks for patch #50 into a single one
- order _IGNORE_CVES blocks by numerical patch order
- order numerically the CVE list in commit log
- add a "Fixes:" tag in patch #74 since its commit log does not
mention the CVE.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ded3e0045a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
70 lines
2.9 KiB
Diff
70 lines
2.9 KiB
Diff
From 156ee67f3e76aee99d6e40e5e029f56d681cb80a Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Fri, 21 Feb 2025 09:06:12 +0800
|
|
Subject: [PATCH] fs/ext2: Rework out-of-bounds read for inline and external
|
|
extents
|
|
|
|
Previously, the number of extent entries was not properly capped based
|
|
on the actual available space. This could lead to insufficient reads for
|
|
external extents, since the computation was based solely on the inline
|
|
extent layout.
|
|
|
|
In this patch, when processing the extent header, we determine whether
|
|
the header is stored inline (i.e., at inode->blocks.dir_blocks) or in an
|
|
external extent block. We then clamp the number of entries accordingly
|
|
(using max_inline_ext for inline extents and max_external_ext for
|
|
external extent blocks).
|
|
|
|
This change ensures that only the valid number of extent entries is
|
|
processed, preventing out-of-bound reads and potential filesystem
|
|
corruption.
|
|
|
|
Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents)
|
|
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
Upstream: 348cd416a3574348f4255bf2b04ec95938990997
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
|
---
|
|
grub-core/fs/ext2.c | 17 +++++++++++++++--
|
|
1 file changed, 15 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
|
|
index c3058f7e7..a38c86c4f 100644
|
|
--- a/grub-core/fs/ext2.c
|
|
+++ b/grub-core/fs/ext2.c
|
|
@@ -496,7 +496,10 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
|
|
int i;
|
|
grub_disk_addr_t ret;
|
|
grub_uint16_t nent;
|
|
+ /* maximum number of extent entries in the inode's inline extent area */
|
|
const grub_uint16_t max_inline_ext = sizeof (inode->blocks) / sizeof (*ext) - 1; /* Minus 1 extent header. */
|
|
+ /* maximum number of extent entries in the external extent block */
|
|
+ const grub_uint16_t max_external_ext = EXT2_BLOCK_SIZE(data) / sizeof (*ext) - 1; /* Minus 1 extent header. */
|
|
|
|
if (grub_ext4_find_leaf (data, (struct grub_ext4_extent_header *) inode->blocks.dir_blocks,
|
|
fileblock, &leaf) != GRUB_ERR_NONE)
|
|
@@ -513,8 +516,18 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
|
|
|
|
nent = grub_le_to_cpu16 (leaf->entries);
|
|
|
|
- if (leaf->depth == 0)
|
|
- nent = grub_min (nent, max_inline_ext);
|
|
+ /*
|
|
+ * Determine the effective number of extent entries (nent) to process:
|
|
+ * If the extent header (leaf) is stored inline in the inode's block
|
|
+ * area (i.e. at inode->blocks.dir_blocks), then only max_inline_ext
|
|
+ * entries can fit.
|
|
+ * Otherwise, if the header was read from an external extent block, use
|
|
+ * the larger limit, max_external_ext, based on the full block size.
|
|
+ */
|
|
+ if (leaf == (struct grub_ext4_extent_header *) inode->blocks.dir_blocks)
|
|
+ nent = grub_min (nent, max_inline_ext);
|
|
+ else
|
|
+ nent = grub_min (nent, max_external_ext);
|
|
|
|
for (i = 0; i < nent; i++)
|
|
{
|
|
--
|
|
2.50.1
|
|
|