nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0523-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch

bf0270
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
bf0270
From: Daniel Axtens <dja@axtens.net>
bf0270
Date: Mon, 20 Sep 2021 01:12:24 +1000
bf0270
Subject: [PATCH] net/tftp: Prevent a UAF and double-free from a failed seek
bf0270
bf0270
A malicious tftp server can cause UAFs and a double free.
bf0270
bf0270
An attempt to read from a network file is handled by grub_net_fs_read(). If
bf0270
the read is at an offset other than the current offset, grub_net_seek_real()
bf0270
is invoked.
bf0270
bf0270
In grub_net_seek_real(), if a backwards seek cannot be satisfied from the
bf0270
currently received packets, and the underlying transport does not provide
bf0270
a seek method, then grub_net_seek_real() will close and reopen the network
bf0270
protocol layer.
bf0270
bf0270
For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t
bf0270
file->data. The file->data pointer is not nulled out after the free.
bf0270
bf0270
If the ->open() call fails, the file->data will not be reallocated and will
bf0270
continue point to a freed memory block. This could happen from a server
bf0270
refusing to send the requisite ack to the new tftp request, for example.
bf0270
bf0270
The seek and the read will then fail, but the grub_file continues to exist:
bf0270
the failed seek does not necessarily cause the entire file to be thrown
bf0270
away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc.,
bf0270
a read failure is interpreted as a decompressor passing on the file, not as
bf0270
an invalidation of the entire grub_file_t structure).
bf0270
bf0270
This means subsequent attempts to read or seek the file will use the old
bf0270
file->data after free. Eventually, the file will be close()d again and
bf0270
file->data will be freed again.
bf0270
bf0270
Mark a net_fs file that doesn't reopen as broken. Do not permit read() or
bf0270
close() on a broken file (seek is not exposed directly to the file API -
bf0270
it is only called as part of read, so this blocks seeks as well).
bf0270
bf0270
As an additional defence, null out the ->data pointer if tftp_open() fails.
bf0270
That would have lead to a simple null pointer dereference rather than
bf0270
a mess of UAFs.
bf0270
bf0270
This may affect other protocols, I haven't checked.
bf0270
bf0270
Signed-off-by: Daniel Axtens <dja@axtens.net>
bf0270
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
bf0270
(cherry picked from commit dada1dda695439bb55b2848dddc2d89843552f81)
bf0270
(cherry picked from commit 352c5ae8a9fc715712e6ecbd7ccb6218122c748f)
bf0270
(cherry picked from commit 61a010085ab9f0ecf42677773a6fc212f1579b0a)
bf0270
(cherry picked from commit 277d38531a47be78ac5062894e449726db2baf65)
bf0270
---
bf0270
 grub-core/net/net.c  | 11 +++++++++--
bf0270
 grub-core/net/tftp.c |  1 +
bf0270
 include/grub/net.h   |  1 +
bf0270
 3 files changed, 11 insertions(+), 2 deletions(-)
bf0270
bf0270
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
bf0270
index a27c53eee1..b9e2a4d100 100644
bf0270
--- a/grub-core/net/net.c
bf0270
+++ b/grub-core/net/net.c
bf0270
@@ -1625,7 +1625,8 @@ grub_net_fs_close (grub_file_t file)
bf0270
       grub_netbuff_free (file->device->net->packs.first->nb);
bf0270
       grub_net_remove_packet (file->device->net->packs.first);
bf0270
     }
bf0270
-  file->device->net->protocol->close (file);
bf0270
+  if (!file->device->net->broken)
bf0270
+    file->device->net->protocol->close (file);
bf0270
   grub_free (file->device->net->name);
bf0270
   return GRUB_ERR_NONE;
bf0270
 }
bf0270
@@ -1847,7 +1848,10 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
bf0270
     file->device->net->stall = 0;
bf0270
     err = file->device->net->protocol->open (file, file->device->net->name);
bf0270
     if (err)
bf0270
-      return err;
bf0270
+      {
bf0270
+	file->device->net->broken = 1;
bf0270
+	return err;
bf0270
+      }
bf0270
     grub_net_fs_read_real (file, NULL, offset);
bf0270
     return grub_errno;
bf0270
   }
bf0270
@@ -1856,6 +1860,9 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
bf0270
 static grub_ssize_t
bf0270
 grub_net_fs_read (grub_file_t file, char *buf, grub_size_t len)
bf0270
 {
bf0270
+  if (file->device->net->broken)
bf0270
+    return -1;
bf0270
+
bf0270
   if (file->offset != file->device->net->offset)
bf0270
     {
bf0270
       grub_err_t err;
bf0270
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
bf0270
index aa0424dcee..85be965470 100644
bf0270
--- a/grub-core/net/tftp.c
bf0270
+++ b/grub-core/net/tftp.c
bf0270
@@ -402,6 +402,7 @@ tftp_open (struct grub_file *file, const char *filename)
bf0270
     {
bf0270
       grub_net_udp_close (data->sock);
bf0270
       grub_free (data);
bf0270
+      file->data = NULL;
bf0270
       return grub_errno;
bf0270
     }
bf0270
 
bf0270
diff --git a/include/grub/net.h b/include/grub/net.h
bf0270
index 9cf6da6897..0d31f00664 100644
bf0270
--- a/include/grub/net.h
bf0270
+++ b/include/grub/net.h
bf0270
@@ -280,6 +280,7 @@ typedef struct grub_net
bf0270
   grub_fs_t fs;
bf0270
   int eof;
bf0270
   int stall;
bf0270
+  int broken;
bf0270
 } *grub_net_t;
bf0270
 
bf0270
 extern grub_net_t (*EXPORT_VAR (grub_net_open)) (const char *name);