Blame SOURCES/0096-AUDIT-0-http-boot-tracker-bug.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.com>
Date: Tue, 28 Nov 2017 17:24:38 +0800
Subject: [PATCH] AUDIT-0: http boot tracker bug
Fixing a memory leak in case of error, and an integer overflow, leading to a
heap overflow due to overly large chunk sizes.
We need to check against some maximum value, otherwise values like 0xffffffff
will eventually lead in the allocation functions to small sized buffers, since
the len is rounded up to the next reasonable alignment. The following memcpy
will then smash the heap, leading to RCE.
This is no big issue for pure http boot, since its going to execute an
untrusted kernel anyway, but it will break trusted boot scenarios, where only
signed code is allowed to be executed.
Signed-off-by: Michael Chang <mchang@suse.com>
---
 grub-core/net/efi/net.c | 4 +++-
 grub-core/net/http.c    | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
index 86bce6535d3..4bb308026ce 100644
--- a/grub-core/net/efi/net.c
+++ b/grub-core/net/efi/net.c
@@ -645,8 +645,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
 
       rd = efi_net_interface (read, file, chunk, sz);
 
-      if (rd <= 0)
+      if (rd <= 0) {
+	grub_free (chunk);
 	return rd;
+      }
 
       if (buf)
 	{
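Review bot: The braces added around the early return at `if (rd <= 0) {` use K&R placement, while the surrounding GRUB code (the `if (buf)` / `{` pair two lines below) follows GNU style with the opening brace on its own line indented two spaces; the new block should match that, with `grub_free (chunk);` and `return rd;` indented inside it. Freeing `chunk` before the early return does close the leak the commit message describes, assuming the caller does not still expect `chunk` to be valid after an error. grub_efihttp_chunk_read begins before and continues after this hunk, so any other early-exit paths in the same loop that might also leave `chunk` allocated are not visible here.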
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 12a2632ea55..b52b558d631 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
 
 enum
   {
-    HTTP_PORT = 80
+    HTTP_PORT = 80,
+    HTTP_MAX_CHUNK_SIZE = 0x80000000
   };
 
 
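Review bot: `HTTP_MAX_CHUNK_SIZE = 0x80000000` does not fit in a 32-bit `int`, and ISO C (C11 6.7.2.2) requires every enumerator value to be representable as `int`; GCC accepts it as an extension but warns under `-pedantic`, and the constant's type becomes compiler-dependent, which matters when it is compared against `data->chunk_rem` in the following hunk. A plain macro sidesteps the question: `#define HTTP_MAX_CHUNK_SIZE 0x80000000UL`, leaving the enum to hold only `HTTP_PORT`. A one-line comment on why this bound was chosen (the commit message says it keeps the length far enough below the 32-bit wrap point that the allocator's alignment rounding cannot overflow) would also help, since 2 GiB otherwise reads as an arbitrary number for an HTTP chunk.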
@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
   if (data->in_chunk_len == 2)
     {
       data->chunk_rem = grub_strtoul (ptr, 0, 16);
+      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+	  return GRUB_ERR_NET_PACKET_TOO_BIG;
       grub_errno = GRUB_ERR_NONE;
       if (data->chunk_rem == 0)
 	{
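Review bot: The new `return GRUB_ERR_NET_PACKET_TOO_BIG;` after the chunk-size check hands back a bare error code without going through `grub_error ()`, so `grub_errno` and `grub_errmsg` are not set to match; it also returns before the existing `grub_errno = GRUB_ERR_NONE;` reset, so whatever `grub_strtoul` left in `grub_errno` (it appears to flag an unparsable chunk header there, if I read the helper correctly) stays behind for the caller. The GRUB idiom would be `return grub_error (GRUB_ERR_NET_PACKET_TOO_BIG, N_("HTTP chunk size too big"));`, assuming http.c has the usual i18n include. `data->chunk_rem` is also left holding the rejected value; if any caller reads it after an error, zero it before returning. parse_line begins before and continues after this hunk, so its other return paths are not visible here.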