nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0527-net-http-Fix-OOB-write-for-split-http-headers.patch

bf0270
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
bf0270
From: Daniel Axtens <dja@axtens.net>
bf0270
Date: Tue, 8 Mar 2022 18:17:03 +1100
bf0270
Subject: [PATCH] net/http: Fix OOB write for split http headers
bf0270
bf0270
GRUB has special code for handling an http header that is split
bf0270
across two packets.
bf0270
bf0270
The code tracks the end of line by looking for a "\n" byte. The
bf0270
code for split headers has always advanced the pointer just past the
bf0270
end of the line, whereas the code that handles unsplit headers does
bf0270
not advance the pointer. This extra advance causes the length to be
bf0270
one greater, which breaks an assumption in parse_line(), leading to
bf0270
it writing a NUL byte one byte past the end of the buffer where we
bf0270
reconstruct the line from the two packets.
bf0270
bf0270
It's conceivable that an attacker controlled set of packets could
bf0270
cause this to zero out the first byte of the "next" pointer of the
bf0270
grub_mm_region structure following the current_line buffer.
bf0270
bf0270
Do not advance the pointer in the split header case.
bf0270
bf0270
Fixes: CVE-2022-28734
bf0270
bf0270
Signed-off-by: Daniel Axtens <dja@axtens.net>
bf0270
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
bf0270
(cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
bf0270
(cherry picked from commit b604916beb6c39e8ed27f72851eb16f3eaa293c5)
bf0270
(cherry picked from commit c3c6b1167a43275991efd6847160a46ce3839fae)
bf0270
(cherry picked from commit 9b4ef71ed4f6fce00e868e3223cdbfb734e840d6)
bf0270
---
bf0270
 grub-core/net/http.c | 4 +---
bf0270
 1 file changed, 1 insertion(+), 3 deletions(-)
bf0270
bf0270
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
bf0270
index 5223ca57a4..7fa2dcaea7 100644
bf0270
--- a/grub-core/net/http.c
bf0270
+++ b/grub-core/net/http.c
bf0270
@@ -193,9 +193,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
bf0270
 	  int have_line = 1;
bf0270
 	  char *t;
bf0270
 	  ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
bf0270
-	  if (ptr)
bf0270
-	    ptr++;
bf0270
-	  else
bf0270
+	  if (ptr == NULL)
bf0270
 	    {
bf0270
 	      have_line = 0;
bf0270
 	      ptr = (char *) nb->tail;