rpms / grub2

Clone
Source Code
GIT

Blame SOURCES/0525-net-ip-Do-IP-fragment-maths-safely.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-i686 c8 c8-beta c8s c9 c9-beta
  1.   c8s
  2.   SOURCES
  3.   0525-net-ip-Do-IP-fragment-maths-safely.patch
Blob History Raw
0ccc47 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
0ccc47 
From: Daniel Axtens <dja@axtens.net>
0ccc47 
Date: Mon, 20 Dec 2021 19:41:21 +1100
0ccc47 
Subject: [PATCH] net/ip: Do IP fragment maths safely
0ccc47
0ccc47 
This avoids an underflow and subsequent unpleasantness.
0ccc47
0ccc47 
Fixes: CVE-2022-28733
0ccc47
0ccc47 
Signed-off-by: Daniel Axtens <dja@axtens.net>
0ccc47 
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
0ccc47 
(cherry picked from commit eb74e5743ca7e18a5e75c392fe0b21d1549a1936)
0ccc47 
(cherry picked from commit 552ad34583e788542e9ca08524a0d4bc8f98c297)
0ccc47 
(cherry picked from commit 2c8cb7e3b8b48b136a950e5692fa6251b76df90e)
0ccc47 
---
0ccc47 
 grub-core/net/ip.c | 10 +++++++++-
0ccc47 
 1 file changed, 9 insertions(+), 1 deletion(-)
0ccc47
0ccc47 
diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
0ccc47 
index 9a4e589aa3..c766ac65f5 100644
0ccc47 
--- a/grub-core/net/ip.c
0ccc47 
+++ b/grub-core/net/ip.c
0ccc47 
@@ -25,6 +25,7 @@
0ccc47 
 #include <grub/net/netbuff.h>
0ccc47 
 #include <grub/mm.h>
0ccc47 
 #include <grub/priority_queue.h>
0ccc47 
+#include <grub/safemath.h>
0ccc47 
 #include <grub/time.h>
0ccc47
0ccc47 
 struct iphdr {
0ccc47 
@@ -552,7 +553,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
0ccc47 
     {
0ccc47 
       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
0ccc47 
 			+ (nb->tail - nb->data));
0ccc47 
-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
0ccc47 
+
0ccc47 
+      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
0ccc47 
+		    &rsm->total_len))
0ccc47 
+	{
0ccc47 
+	  grub_dprintf ("net", "IP reassembly size underflow\n");
0ccc47 
+	  return GRUB_ERR_NONE;
0ccc47 
+	}
0ccc47 
+
0ccc47 
       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
0ccc47 
       if (!rsm->asm_netbuff)
0ccc47 
 	{

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation