mirror of
git://git.yoctoproject.org/poky.git
synced 2025-07-19 12:59:02 +02:00
grub: patch CVE-2024-45777
Cherry-pick patch mentioning this CVE. (From OE-Core rev: bfebaeb1705d072eb6b42a6dfe9bff4829a49a33) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
parent
c9c5246e9f
commit
bce8588104
57
meta/recipes-bsp/grub/files/CVE-2024-45777.patch
Normal file
57
meta/recipes-bsp/grub/files/CVE-2024-45777.patch
Normal file
|
@ -0,0 +1,57 @@
|
|||
From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001
|
||||
From: Lidong Chen <lidong.chen@oracle.com>
|
||||
Date: Fri, 22 Nov 2024 06:27:57 +0000
|
||||
Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
|
||||
|
||||
The size calculation of the translation buffer in
|
||||
grub_gettext_getstr_from_position() may overflow
|
||||
to 0 leading to heap OOB write. This patch fixes
|
||||
the issue by using grub_add() and checking for
|
||||
an overflow.
|
||||
|
||||
Fixes: CVE-2024-45777
|
||||
|
||||
Reported-by: Nils Langius <nils@langius.de>
|
||||
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
|
||||
|
||||
CVE: CVE-2024-45777
|
||||
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515]
|
||||
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||
---
|
||||
grub-core/gettext/gettext.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
|
||||
index 63bb1ab73..9ffc73428 100644
|
||||
--- a/grub-core/gettext/gettext.c
|
||||
+++ b/grub-core/gettext/gettext.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include <grub/file.h>
|
||||
#include <grub/kernel.h>
|
||||
#include <grub/i18n.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
|
||||
char *translation;
|
||||
struct string_descriptor desc;
|
||||
grub_err_t err;
|
||||
+ grub_size_t alloc_sz;
|
||||
|
||||
internal_position = (off + position * sizeof (desc));
|
||||
|
||||
@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
|
||||
length = grub_cpu_to_le32 (desc.length);
|
||||
offset = grub_cpu_to_le32 (desc.offset);
|
||||
|
||||
- translation = grub_malloc (length + 1);
|
||||
+ if (grub_add (length, 1, &alloc_sz))
|
||||
+ return NULL;
|
||||
+
|
||||
+ translation = grub_malloc (alloc_sz);
|
||||
if (!translation)
|
||||
return NULL;
|
||||
|
|
@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
|
|||
file://CVE-2025-0622-02.patch \
|
||||
file://CVE-2025-0622-03.patch \
|
||||
file://CVE-2024-45776.patch \
|
||||
file://CVE-2024-45777.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
|
||||
|
|
Loading…
Reference in New Issue
Block a user