nalika / rpms / grub2

Forked from rpms/grub2 2 years ago

Blame SOURCES/0254-net-http-Fix-OOB-write-for-split-http-headers.patch

1c6ba0
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 8 Mar 2022 18:17:03 +1100
Subject: [PATCH] net/http: Fix OOB write for split http headers

GRUB has special code for handling an http header that is split
across two packets.

The code tracks the end of line by looking for a "\n" byte. The
code for split headers has always advanced the pointer just past the
end of the line, whereas the code that handles unsplit headers does
not advance the pointer. This extra advance causes the length to be
one greater, which breaks an assumption in parse_line(), leading to
it writing a NUL byte one byte past the end of the buffer where we
reconstruct the line from the two packets.

It's conceivable that an attacker controlled set of packets could
cause this to zero out the first byte of the "next" pointer of the
grub_mm_region structure following the current_line buffer.

Do not advance the pointer in the split header case.

Fixes: CVE-2022-28734

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
(cherry picked from commit b604916beb6c39e8ed27f72851eb16f3eaa293c5)
---
 grub-core/net/http.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
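The off-by-one the commit message describes, as an added worked example that is not GRUB code: a simplified model of joining a header line that was split across two packets. The names (`reassemble`, `terminator_index`, `split_example`, `joined_line_equals`) and the parser contract being modelled, "the terminator is stored at `line[len]` after stepping back over a trailing `\r`", are assumptions made for the illustration, and the two packet fragments are constructed sample input. `advance_past_newline` set to 1 reproduces the pre-fix `ptr++`, which copies the newline and makes the joined length one larger; set to 0 it reproduces the fix. The model checks where the terminator would land before writing it, so it never writes out of bounds itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one reassembly step (hypothetical structure for this example). */
struct reassembly {
    int complete;       /* 1 once a '\n' was seen, i.e. the line is whole */
    size_t buf_size;    /* bytes allocated for the joined line */
    size_t nul_index;   /* index at which the line parser would store '\0' */
    int in_bounds;      /* 1 if nul_index < buf_size */
    char text[64];      /* the terminated line, when it could be terminated safely */
};

/* Assumed parser rule: drop trailing '\r' bytes, then terminate at the end. */
static size_t terminator_index(const char *line, size_t len)
{
    size_t end = len;
    while (end > 0 && line[end - 1] == '\r')
        end--;
    return end;
}

/* Join the partial line held from packet 1 with the bytes of packet 2 up to
 * the end of line. advance_past_newline == 1 models the pre-fix `ptr++`. */
struct reassembly reassemble(const char *first, size_t first_len,
                             const char *second, size_t second_len,
                             int advance_past_newline)
{
    struct reassembly r;
    const char *nl = memchr(second, '\n', second_len);
    const char *ptr;
    size_t copy_len;
    char *line;

    memset(&r, 0, sizeof r);
    if (nl == NULL) {
        ptr = second + second_len;          /* no end of line yet: keep accumulating */
    } else {
        r.complete = 1;
        ptr = advance_past_newline ? nl + 1 : nl;   /* pre-fix vs. fixed behaviour */
    }
    copy_len = (size_t)(ptr - second);

    /* Buffer sized exactly to the joined bytes, with no spare slot. */
    line = malloc(first_len + copy_len);
    if (line == NULL)
        return r;
    memcpy(line, first, first_len);
    memcpy(line + first_len, second, copy_len);
    r.buf_size = first_len + copy_len;

    if (r.complete) {
        r.nul_index = terminator_index(line, r.buf_size);
        r.in_bounds = r.nul_index < r.buf_size;
        /* Only terminate when the slot exists; the pre-fix length lands one past the end. */
        if (r.in_bounds && r.nul_index < sizeof r.text) {
            line[r.nul_index] = '\0';
            memcpy(r.text, line, r.nul_index + 1);
        }
    }
    free(line);
    return r;
}

/* Constructed sample: "Content-Length: 42\r\n" arrives split across two packets. */
static struct reassembly split_example(int advance_past_newline)
{
    const char first[] = "Content-Le";            /* tail of packet 1 */
    const char second[] = "ngth: 42\r\nHost: x";  /* head of packet 2 */
    return reassemble(first, strlen(first), second, strlen(second),
                      advance_past_newline);
}

static int joined_line_equals(int advance_past_newline, const char *expected)
{
    struct reassembly r = split_example(advance_past_newline);
    return r.in_bounds && strcmp(r.text, expected) == 0;
}

int main(void)
{
    struct reassembly buggy = split_example(1);
    struct reassembly fixed = split_example(0);
    printf("pre-fix: buffer %zu bytes, '\\0' at index %zu -> %s\n",
           buggy.buf_size, buggy.nul_index, buggy.in_bounds ? "in bounds" : "OUT OF BOUNDS");
    printf("fixed:   buffer %zu bytes, '\\0' at index %zu -> %s, line \"%s\"\n",
           fixed.buf_size, fixed.nul_index, fixed.in_bounds ? "in bounds" : "OUT OF BOUNDS",
           fixed.text);
    return 0;
}
```

With the pre-fix length the joined buffer is 20 bytes ending in `\n`, nothing is trimmed, and the terminator index equals the buffer size. With the fixed length the buffer is 19 bytes ending in `\r`, the trim steps back one, and the terminator overwrites the `\r` inside the buffer.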

diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 19cb8768e3..58546739a2 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -193,9 +193,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
 	  int have_line = 1;
 	  char *t;
 	  ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
-	  if (ptr)
-	    ptr++;
-	  else
+	  if (ptr == NULL)
 	    {
 	      have_line = 0;
 	      ptr = (char *) nb->tail;
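Review bot: with `ptr++` dropped, `ptr` stays on the '\n' in the split case, so the length derived from `ptr - nb->data` matches the unsplit path and the copied line no longer carries the newline that pushed parse_line()'s terminator one byte past current_line; the hunk stops before the code that copies up to `ptr` and then advances `nb->data`, so confirm that the later advance still steps over the '\n' (it previously relied on `ptr` already being past it) rather than leaving the newline at the head of `nb->data` for the next iteration. A short comment on the `if (ptr == NULL)` branch stating that `ptr` must remain on the newline to match the unsplit path would keep the `ptr++` from being reintroduced.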