poky/meta/recipes-bsp/grub/files/CVE-2023-4693.patch - mdmillerii/openbmc - Gitiles

 From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
 From: Maxim Suhanov <dfirblog@...>
 Date: Mon, 28 Aug 2023 16:32:33 +0300
 Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
  attribute

 When reading a file containing resident data, i.e., the file data is stored in
 the $DATA attribute within the NTFS file record, not in external clusters,
 there are no checks that this resident data actually fits the corresponding
 file record segment.

 When parsing a specially-crafted file system image, the current NTFS code will
 read the file data from an arbitrary, attacker-chosen memory offset and of
 arbitrary, attacker-chosen length.

 This allows an attacker to display arbitrary chunks of memory, which could
 contain sensitive information like password hashes or even plain-text,
 obfuscated passwords from BS EFI variables.

 This fix implements a check to ensure that resident data is read from the
 corresponding file record segment only.

 Fixes: CVE-2023-4693

 Upstream-Status: Backport from
 [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
 CVE: CVE-2023-4693

 Reported-by: Maxim Suhanov <dfirblog@...>
 Signed-off-by: Maxim Suhanov <dfirblog@...>
 Reviewed-by: Daniel Kiper <daniel.kiper@...>
 Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
 ---
  grub-core/fs/ntfs.c | 13 ++++++++++++-
  1 file changed, 12 insertions(+), 1 deletion(-)

 diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
 index c3c4db1..a68e173 100644
 --- a/grub-core/fs/ntfs.c
 +++ b/grub-core/fs/ntfs.c
 @@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
      {
        if (ofs + len > u32at (pa, 0x10))
  	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
 -      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
 +
 +      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
 +
 +      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
 +
 +      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
 +	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
 +	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
 +
 +      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
        return 0;
      }

 --
 cgit v1.1
	From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
	From: Maxim Suhanov <dfirblog@...>
	Date: Mon, 28 Aug 2023 16:32:33 +0300
	Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
	attribute

	When reading a file containing resident data, i.e., the file data is stored in
	the $DATA attribute within the NTFS file record, not in external clusters,
	there are no checks that this resident data actually fits the corresponding
	file record segment.

	When parsing a specially-crafted file system image, the current NTFS code will
	read the file data from an arbitrary, attacker-chosen memory offset and of
	arbitrary, attacker-chosen length.

	This allows an attacker to display arbitrary chunks of memory, which could
	contain sensitive information like password hashes or even plain-text,
	obfuscated passwords from BS EFI variables.

	This fix implements a check to ensure that resident data is read from the
	corresponding file record segment only.

	Fixes: CVE-2023-4693

	Upstream-Status: Backport from
	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
	CVE: CVE-2023-4693

	Reported-by: Maxim Suhanov <dfirblog@...>
	Signed-off-by: Maxim Suhanov <dfirblog@...>
	Reviewed-by: Daniel Kiper <daniel.kiper@...>
	Signed-off-by: Xiangyu Chen <xiangyu.chen@...>
	---
	grub-core/fs/ntfs.c \| 13 ++++++++++++-
	1 file changed, 12 insertions(+), 1 deletion(-)

	diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
	index c3c4db1..a68e173 100644
	--- a/grub-core/fs/ntfs.c
	+++ b/grub-core/fs/ntfs.c
	@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr at, grub_uint8_t pa, grub_uint8_t *dest,
	{
	if (ofs + len > u32at (pa, 0x10))
	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
	- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
	+
	+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
	+
	+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
	+
	+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
	+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
	+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
	+
	+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
	return 0;
	}

	--
	cgit v1.1