| Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 1 | From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Axtens <dja@axtens.net> |
| 3 | Date: Mon, 20 Dec 2021 19:41:21 +1100 |
| 4 | Subject: [PATCH] net/ip: Do IP fragment maths safely |
| 5 | |
| 6 | We can receive packets with invalid IP fragmentation information. This |
| 7 | can lead to rsm->total_len underflowing and becoming very large. |
| 8 | |
| 9 | Then, in grub_netbuff_alloc(), we add to this very large number, which can |
| 10 | cause it to overflow and wrap back around to a small positive number. |
| 11 | The allocation then succeeds, but the resulting buffer is too small and |
| 12 | subsequent operations can write past the end of the buffer. |
| 13 | |
| 14 | Catch the underflow here. |
| 15 | |
| 16 | Fixes: CVE-2022-28733 |
| 17 | |
| 18 | Signed-off-by: Daniel Axtens <dja@axtens.net> |
| 19 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| 20 | |
| 21 | Upstream-Status: Backport |
| 22 | CVE: CVE-2022-28733 |
| 23 | |
| 24 | Reference to upstream patch: |
| 25 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287 |
| 26 | |
| 27 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> |
| 28 | |
| 29 | --- |
| 30 | grub-core/net/ip.c | 10 +++++++++- |
| 31 | 1 file changed, 9 insertions(+), 1 deletion(-) |
| 32 | |
| 33 | diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c |
| 34 | index e3d62e97f..3c3d0be0e 100644 |
| 35 | --- a/grub-core/net/ip.c |
| 36 | +++ b/grub-core/net/ip.c |
| 37 | @@ -25,6 +25,7 @@ |
| 38 | #include <grub/net/netbuff.h> |
| 39 | #include <grub/mm.h> |
| 40 | #include <grub/priority_queue.h> |
| 41 | +#include <grub/safemath.h> |
| 42 | #include <grub/time.h> |
| 43 | |
| 44 | struct iphdr { |
| 45 | @@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, |
| 46 | { |
| 47 | rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) |
| 48 | + (nb->tail - nb->data)); |
| 49 | - rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); |
| 50 | + |
| 51 | + if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), |
| 52 | + &rsm->total_len)) |
| 53 | + { |
| 54 | + grub_dprintf ("net", "IP reassembly size underflow\n"); |
| 55 | + return GRUB_ERR_NONE; |
| 56 | + } |
| 57 | + |
| 58 | rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); |
| 59 | if (!rsm->asm_netbuff) |
| 60 | { |
| 61 | -- |
| 62 | 2.34.1 |
| 63 | |