| Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame^] | 1 | From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Axtens <dja@axtens.net> |
| 3 | Date: Wed, 7 Jul 2021 15:38:19 +1000 |
| 4 | Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write |
| 5 | |
| 6 | Certain 1 px wide images caused a wild pointer write in |
| 7 | grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), |
| 8 | we have the following loop: |
| 9 | |
| 10 | for (; data->r1 < nr1 && (!data->dri || rst); |
| 11 | data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) |
| 12 | |
| 13 | We did not check if vb * width >= hb * nc1. |
| 14 | |
| 15 | On a 64-bit platform, if that turns out to be negative, it will underflow, |
| 16 | be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so |
| 17 | we see data->bitmap_ptr jump, e.g.: |
| 18 | |
| 19 | 0x6180_0000_0480 to |
| 20 | 0x6181_0000_0498 |
| 21 | ^ |
| 22 | ~--- carry has occurred and this pointer is now far away from |
| 23 | any object. |
| 24 | |
| 25 | On a 32-bit platform, it will decrement the pointer, creating a pointer |
| 26 | that won't crash but will overwrite random data. |
| 27 | |
| 28 | Catch the underflow and error out. |
| 29 | |
| 30 | Fixes: CVE-2021-3697 |
| 31 | |
| 32 | Signed-off-by: Daniel Axtens <dja@axtens.net> |
| 33 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| 34 | |
| 35 | Upstream-Status: Backport |
| 36 | CVE: CVE-2021-3697 |
| 37 | |
| 38 | Reference to upstream patch: |
| 39 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 |
| 40 | |
| 41 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> |
| 42 | --- |
| 43 | grub-core/video/readers/jpeg.c | 10 +++++++++- |
| 44 | 1 file changed, 9 insertions(+), 1 deletion(-) |
| 45 | |
| 46 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c |
| 47 | index 579bbe8a4..09596fbf5 100644 |
| 48 | --- a/grub-core/video/readers/jpeg.c |
| 49 | +++ b/grub-core/video/readers/jpeg.c |
| 50 | @@ -23,6 +23,7 @@ |
| 51 | #include <grub/mm.h> |
| 52 | #include <grub/misc.h> |
| 53 | #include <grub/bufio.h> |
| 54 | +#include <grub/safemath.h> |
| 55 | |
| 56 | GRUB_MOD_LICENSE ("GPLv3+"); |
| 57 | |
| 58 | @@ -699,6 +700,7 @@ static grub_err_t |
| 59 | grub_jpeg_decode_data (struct grub_jpeg_data *data) |
| 60 | { |
| 61 | unsigned c1, vb, hb, nr1, nc1; |
| 62 | + unsigned stride_a, stride_b, stride; |
| 63 | int rst = data->dri; |
| 64 | grub_err_t err = GRUB_ERR_NONE; |
| 65 | |
| 66 | @@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) |
| 67 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, |
| 68 | "jpeg: attempted to decode data before start of stream"); |
| 69 | |
| 70 | + if (grub_mul(vb, data->image_width, &stride_a) || |
| 71 | + grub_mul(hb, nc1, &stride_b) || |
| 72 | + grub_sub(stride_a, stride_b, &stride)) |
| 73 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, |
| 74 | + "jpeg: cannot decode image with these dimensions"); |
| 75 | + |
| 76 | for (; data->r1 < nr1 && (!data->dri || rst); |
| 77 | - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) |
| 78 | + data->r1++, data->bitmap_ptr += stride * 3) |
| 79 | for (c1 = 0; c1 < nc1 && (!data->dri || rst); |
| 80 | c1++, rst--, data->bitmap_ptr += hb * 3) |
| 81 | { |
| 82 | -- |
| 83 | 2.34.1 |
| 84 | |