Hello community,
here is the log from the commit of package grub2 for openSUSE:Factory checked
in at 2017-12-06 08:53:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
and /work/SRC/openSUSE:Factory/.grub2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2"
Wed Dec 6 08:53:04 2017 rev:173 rq:547741 version:2.02
Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2017-11-19
11:05:32.600181146 +0100
+++ /work/SRC/openSUSE:Factory/.grub2.new/grub2.changes 2017-12-06
08:53:06.757013601 +0100
@@ -1,0 +2,6 @@
+Tue Nov 28 09:35:48 UTC 2017 - mch...@suse.com
+
+- Fix http(s) boot security review (bsc#1058090)
+ * 0002-AUDIT-0-http-boot-tracker-bug.patch
+
+-------------------------------------------------------------------
New:
----
0002-AUDIT-0-http-boot-tracker-bug.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.5fiQuc/_old 2017-12-06 08:53:08.668943608 +0100
+++ /var/tmp/diff_new_pack.5fiQuc/_new 2017-12-06 08:53:08.672943461 +0100
@@ -272,6 +272,7 @@
Patch412: 0013-tpm-i386-pc-diskboot-img.patch
# UEFI HTTP and related network protocol support (FATE#320130)
Patch420: 0001-add-support-for-UEFI-network-protocols.patch
+Patch421: 0002-AUDIT-0-http-boot-tracker-bug.patch
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140
@@ -535,6 +536,7 @@
%patch411 -p1
%patch412 -p1
%patch420 -p1
+%patch421 -p1
# patches above may update the timestamp of grub.texi
# and via build-aux/mdate-sh they end up in grub2.info, breaking build-compare
[ -z "$SOURCE_DATE_EPOCH" ] ||\
++++++ 0002-AUDIT-0-http-boot-tracker-bug.patch ++++++
>From b5c3492f31a98f5ef0f9bec2c0665ad0b71ad5cb Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krah...@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug
Fixing a memory leak in case of error, and a integer overflow, leading to a
heap overflow due to overly large chunk sizes.
We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.
This is no big issue for pure http boot, since its going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.
Signed-off-by: Michael Chang <mch...@suse.com>
---
grub-core/net/efi/net.c | 4 +++-
grub-core/net/http.c | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
index 0bac343b4..5bc604ff0 100644
--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
rd = efi_net_interface (read, file, chunk, sz);
- if (rd <= 0)
+ if (rd <= 0) {
+ grub_free (chunk);
return rd;
+ }
if (buf)
{
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index f182d7b87..5004ecfee 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
enum
{
- HTTP_PORT = 80
+ HTTP_PORT = 80,
+ HTTP_MAX_CHUNK_SIZE = 0x80000000
};
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr,
grub_size_t len)
if (data->in_chunk_len == 2)
{
data->chunk_rem = grub_strtoul (ptr, 0, 16);
+ if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+ return GRUB_ERR_NET_PACKET_TOO_BIG;
grub_errno = GRUB_ERR_NONE;
if (data->chunk_rem == 0)
{
--
2.12.0
