|
|
bf0270 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
bf0270 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
bf0270 |
Date: Mon, 20 Sep 2021 01:12:24 +1000
|
|
|
bf0270 |
Subject: [PATCH] net/tftp: Prevent a UAF and double-free from a failed seek
|
|
|
bf0270 |
|
|
|
bf0270 |
A malicious tftp server can cause UAFs and a double free.
|
|
|
bf0270 |
|
|
|
bf0270 |
An attempt to read from a network file is handled by grub_net_fs_read(). If
|
|
|
bf0270 |
the read is at an offset other than the current offset, grub_net_seek_real()
|
|
|
bf0270 |
is invoked.
|
|
|
bf0270 |
|
|
|
bf0270 |
In grub_net_seek_real(), if a backwards seek cannot be satisfied from the
|
|
|
bf0270 |
currently received packets, and the underlying transport does not provide
|
|
|
bf0270 |
a seek method, then grub_net_seek_real() will close and reopen the network
|
|
|
bf0270 |
protocol layer.
|
|
|
bf0270 |
|
|
|
bf0270 |
For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t
|
|
|
bf0270 |
file->data. The file->data pointer is not nulled out after the free.
|
|
|
bf0270 |
|
|
|
bf0270 |
If the ->open() call fails, the file->data will not be reallocated and will
|
|
|
bf0270 |
continue point to a freed memory block. This could happen from a server
|
|
|
bf0270 |
refusing to send the requisite ack to the new tftp request, for example.
|
|
|
bf0270 |
|
|
|
bf0270 |
The seek and the read will then fail, but the grub_file continues to exist:
|
|
|
bf0270 |
the failed seek does not necessarily cause the entire file to be thrown
|
|
|
bf0270 |
away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc.,
|
|
|
bf0270 |
a read failure is interpreted as a decompressor passing on the file, not as
|
|
|
bf0270 |
an invalidation of the entire grub_file_t structure).
|
|
|
bf0270 |
|
|
|
bf0270 |
This means subsequent attempts to read or seek the file will use the old
|
|
|
bf0270 |
file->data after free. Eventually, the file will be close()d again and
|
|
|
bf0270 |
file->data will be freed again.
|
|
|
bf0270 |
|
|
|
bf0270 |
Mark a net_fs file that doesn't reopen as broken. Do not permit read() or
|
|
|
bf0270 |
close() on a broken file (seek is not exposed directly to the file API -
|
|
|
bf0270 |
it is only called as part of read, so this blocks seeks as well).
|
|
|
bf0270 |
|
|
|
bf0270 |
As an additional defence, null out the ->data pointer if tftp_open() fails.
|
|
|
bf0270 |
That would have lead to a simple null pointer dereference rather than
|
|
|
bf0270 |
a mess of UAFs.
|
|
|
bf0270 |
|
|
|
bf0270 |
This may affect other protocols, I haven't checked.
|
|
|
bf0270 |
|
|
|
bf0270 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
bf0270 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
bf0270 |
(cherry picked from commit dada1dda695439bb55b2848dddc2d89843552f81)
|
|
|
bf0270 |
(cherry picked from commit 352c5ae8a9fc715712e6ecbd7ccb6218122c748f)
|
|
|
bf0270 |
(cherry picked from commit 61a010085ab9f0ecf42677773a6fc212f1579b0a)
|
|
|
bf0270 |
(cherry picked from commit 277d38531a47be78ac5062894e449726db2baf65)
|
|
|
bf0270 |
---
|
|
|
bf0270 |
grub-core/net/net.c | 11 +++++++++--
|
|
|
bf0270 |
grub-core/net/tftp.c | 1 +
|
|
|
bf0270 |
include/grub/net.h | 1 +
|
|
|
bf0270 |
3 files changed, 11 insertions(+), 2 deletions(-)
|
|
|
bf0270 |
|
|
|
bf0270 |
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
|
|
|
bf0270 |
index a27c53eee1..b9e2a4d100 100644
|
|
|
bf0270 |
--- a/grub-core/net/net.c
|
|
|
bf0270 |
+++ b/grub-core/net/net.c
|
|
|
bf0270 |
@@ -1625,7 +1625,8 @@ grub_net_fs_close (grub_file_t file)
|
|
|
bf0270 |
grub_netbuff_free (file->device->net->packs.first->nb);
|
|
|
bf0270 |
grub_net_remove_packet (file->device->net->packs.first);
|
|
|
bf0270 |
}
|
|
|
bf0270 |
- file->device->net->protocol->close (file);
|
|
|
bf0270 |
+ if (!file->device->net->broken)
|
|
|
bf0270 |
+ file->device->net->protocol->close (file);
|
|
|
bf0270 |
grub_free (file->device->net->name);
|
|
|
bf0270 |
return GRUB_ERR_NONE;
|
|
|
bf0270 |
}
|
|
|
bf0270 |
@@ -1847,7 +1848,10 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
|
|
|
bf0270 |
file->device->net->stall = 0;
|
|
|
bf0270 |
err = file->device->net->protocol->open (file, file->device->net->name);
|
|
|
bf0270 |
if (err)
|
|
|
bf0270 |
- return err;
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ file->device->net->broken = 1;
|
|
|
bf0270 |
+ return err;
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
grub_net_fs_read_real (file, NULL, offset);
|
|
|
bf0270 |
return grub_errno;
|
|
|
bf0270 |
}
|
|
|
bf0270 |
@@ -1856,6 +1860,9 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
|
|
|
bf0270 |
static grub_ssize_t
|
|
|
bf0270 |
grub_net_fs_read (grub_file_t file, char *buf, grub_size_t len)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
+ if (file->device->net->broken)
|
|
|
bf0270 |
+ return -1;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
if (file->offset != file->device->net->offset)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
grub_err_t err;
|
|
|
bf0270 |
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
|
|
|
bf0270 |
index aa0424dcee..85be965470 100644
|
|
|
bf0270 |
--- a/grub-core/net/tftp.c
|
|
|
bf0270 |
+++ b/grub-core/net/tftp.c
|
|
|
bf0270 |
@@ -402,6 +402,7 @@ tftp_open (struct grub_file *file, const char *filename)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
grub_net_udp_close (data->sock);
|
|
|
bf0270 |
grub_free (data);
|
|
|
bf0270 |
+ file->data = NULL;
|
|
|
bf0270 |
return grub_errno;
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
diff --git a/include/grub/net.h b/include/grub/net.h
|
|
|
bf0270 |
index 9cf6da6897..0d31f00664 100644
|
|
|
bf0270 |
--- a/include/grub/net.h
|
|
|
bf0270 |
+++ b/include/grub/net.h
|
|
|
bf0270 |
@@ -280,6 +280,7 @@ typedef struct grub_net
|
|
|
bf0270 |
grub_fs_t fs;
|
|
|
bf0270 |
int eof;
|
|
|
bf0270 |
int stall;
|
|
|
bf0270 |
+ int broken;
|
|
|
bf0270 |
} *grub_net_t;
|
|
|
bf0270 |
|
|
|
bf0270 |
extern grub_net_t (*EXPORT_VAR (grub_net_open)) (const char *name);
|