Blame - poky/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch - openbmc/openbmc

blob: 8bf9090f944aeb5c4f5a91539c1369ea4a100bb3 [file] [log] [blame]

Patrick Williams	92b42cb	2022-09-03 06:53:57 -0500	[diff] [blame^]	1	From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001
				2	From: Daniel Axtens <dja@axtens.net>
				3	Date: Mon, 20 Dec 2021 19:41:21 +1100
				4	Subject: [PATCH] net/ip: Do IP fragment maths safely
				5
				6	We can receive packets with invalid IP fragmentation information. This
				7	can lead to rsm->total_len underflowing and becoming very large.
				8
				9	Then, in grub_netbuff_alloc(), we add to this very large number, which can
				10	cause it to overflow and wrap back around to a small positive number.
				11	The allocation then succeeds, but the resulting buffer is too small and
				12	subsequent operations can write past the end of the buffer.
				13
				14	Catch the underflow here.
				15
				16	Fixes: CVE-2022-28733
				17
				18	Signed-off-by: Daniel Axtens <dja@axtens.net>
				19	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
				20
				21	Upstream-Status: Backport
				22	CVE: CVE-2022-28733
				23
				24	Reference to upstream patch:
				25	https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287
				26
				27	Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
				28
				29	---
				30	grub-core/net/ip.c \| 10 +++++++++-
				31	1 file changed, 9 insertions(+), 1 deletion(-)
				32
				33	diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
				34	index e3d62e97f..3c3d0be0e 100644
				35	--- a/grub-core/net/ip.c
				36	+++ b/grub-core/net/ip.c
				37	@@ -25,6 +25,7 @@
				38	#include <grub/net/netbuff.h>
				39	#include <grub/mm.h>
				40	#include <grub/priority_queue.h>
				41	+#include <grub/safemath.h>
				42	#include <grub/time.h>
				43
				44	struct iphdr {
				45	@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
				46	{
				47	rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
				48	+ (nb->tail - nb->data));
				49	- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
				50	+
				51	+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
				52	+ &rsm->total_len))
				53	+ {
				54	+ grub_dprintf ("net", "IP reassembly size underflow\n");
				55	+ return GRUB_ERR_NONE;
				56	+ }
				57	+
				58	rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
				59	if (!rsm->asm_netbuff)
				60	{
				61	--
				62	2.34.1
				63