|
|
bf0270 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
bf0270 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
bf0270 |
Date: Tue, 8 Mar 2022 18:17:03 +1100
|
|
|
bf0270 |
Subject: [PATCH] net/http: Fix OOB write for split http headers
|
|
|
bf0270 |
|
|
|
bf0270 |
GRUB has special code for handling an http header that is split
|
|
|
bf0270 |
across two packets.
|
|
|
bf0270 |
|
|
|
bf0270 |
The code tracks the end of line by looking for a "\n" byte. The
|
|
|
bf0270 |
code for split headers has always advanced the pointer just past the
|
|
|
bf0270 |
end of the line, whereas the code that handles unsplit headers does
|
|
|
bf0270 |
not advance the pointer. This extra advance causes the length to be
|
|
|
bf0270 |
one greater, which breaks an assumption in parse_line(), leading to
|
|
|
bf0270 |
it writing a NUL byte one byte past the end of the buffer where we
|
|
|
bf0270 |
reconstruct the line from the two packets.
|
|
|
bf0270 |
|
|
|
bf0270 |
It's conceivable that an attacker controlled set of packets could
|
|
|
bf0270 |
cause this to zero out the first byte of the "next" pointer of the
|
|
|
bf0270 |
grub_mm_region structure following the current_line buffer.
|
|
|
bf0270 |
|
|
|
bf0270 |
Do not advance the pointer in the split header case.
|
|
|
bf0270 |
|
|
|
bf0270 |
Fixes: CVE-2022-28734
|
|
|
bf0270 |
|
|
|
bf0270 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
bf0270 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
bf0270 |
(cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
|
|
|
bf0270 |
(cherry picked from commit b604916beb6c39e8ed27f72851eb16f3eaa293c5)
|
|
|
bf0270 |
(cherry picked from commit c3c6b1167a43275991efd6847160a46ce3839fae)
|
|
|
bf0270 |
---
|
|
|
bf0270 |
grub-core/net/http.c | 4 +---
|
|
|
bf0270 |
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
bf0270 |
|
|
|
bf0270 |
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
|
|
|
bf0270 |
index 5223ca57a4..7fa2dcaea7 100644
|
|
|
bf0270 |
--- a/grub-core/net/http.c
|
|
|
bf0270 |
+++ b/grub-core/net/http.c
|
|
|
bf0270 |
@@ -193,9 +193,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
|
|
|
bf0270 |
int have_line = 1;
|
|
|
bf0270 |
char *t;
|
|
|
bf0270 |
ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
|
|
|
bf0270 |
- if (ptr)
|
|
|
bf0270 |
- ptr++;
|
|
|
bf0270 |
- else
|
|
|
bf0270 |
+ if (ptr == NULL)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
have_line = 0;
|
|
|
bf0270 |
ptr = (char *) nb->tail;
|