| From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001 |
| From: Hitendra Prajapati <hprajapati@mvista.com> |
| Date: Tue, 19 Jul 2022 11:13:02 +0530 |
| Subject: [PATCH] CVE-2021-3697 |
| |
| Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6] |
| CVE: CVE-2021-3697 |
| Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| |
| video/readers/jpeg: Block int underflow -> wild pointer write |
| |
| Certain 1 px wide images caused a wild pointer write in |
| grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), |
| we have the following loop: |
| |
| for (; data->r1 < nr1 && (!data->dri || rst); |
| data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) |
| |
| We did not check if vb * width >= hb * nc1. |
| |
| On a 64-bit platform, if that turns out to be negative, it will underflow, |
| be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so |
| we see data->bitmap_ptr jump, e.g.: |
| |
| 0x6180_0000_0480 to |
| 0x6181_0000_0498 |
| ^ |
| ~--- carry has occurred and this pointer is now far away from |
| any object. |
| |
| On a 32-bit platform, it will decrement the pointer, creating a pointer |
| that won't crash but will overwrite random data. |
| |
| Catch the underflow and error out. |
| |
| Fixes: CVE-2021-3697 |
| |
| Signed-off-by: Daniel Axtens <dja@axtens.net> |
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| --- |
| grub-core/video/readers/jpeg.c | 10 +++++++++- |
| 1 file changed, 9 insertions(+), 1 deletion(-) |
| |
| diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c |
| index 31359a4..545a60b 100644 |
| --- a/grub-core/video/readers/jpeg.c |
| +++ b/grub-core/video/readers/jpeg.c |
| @@ -23,6 +23,7 @@ |
| #include <grub/mm.h> |
| #include <grub/misc.h> |
| #include <grub/bufio.h> |
| +#include <grub/safemath.h> |
| |
| GRUB_MOD_LICENSE ("GPLv3+"); |
| |
| @@ -617,6 +618,7 @@ static grub_err_t |
| grub_jpeg_decode_data (struct grub_jpeg_data *data) |
| { |
| unsigned c1, vb, hb, nr1, nc1; |
| + unsigned stride_a, stride_b, stride; |
| int rst = data->dri; |
| |
| vb = 8 << data->log_vs; |
| @@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) |
| nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs); |
| nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs); |
| |
| + if (grub_mul(vb, data->image_width, &stride_a) || |
| + grub_mul(hb, nc1, &stride_b) || |
| + grub_sub(stride_a, stride_b, &stride)) |
| + return grub_error (GRUB_ERR_BAD_FILE_TYPE, |
| + "jpeg: cannot decode image with these dimensions"); |
| + |
| for (; data->r1 < nr1 && (!data->dri || rst); |
| - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) |
| + data->r1++, data->bitmap_ptr += stride * 3) |
| for (c1 = 0; c1 < nc1 && (!data->dri || rst); |
| c1++, rst--, data->bitmap_ptr += hb * 3) |
| { |
| -- |
| 2.25.1 |
| |