Debrand for AlmaLinux

2025-03-19 11:52:33 +00:00 · 2025-03-19 11:52:33 +00:00 · 5013be4de7
commit 5013be4de7
parent 03cd1c2771 e542637ec6
5 changed files with 154 additions and 3 deletions
--- a/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
+++ b/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Tue, 11 Feb 2025 16:38:44 -0600
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c     | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h      | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 2512862..6c0bd00 100644
+--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
+@@ -1971,14 +1971,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+-  grub_size_t config_len;
+  grub_size_t config_len, suffix_len;
+   char *suffix;
+ 
+   config_len = grub_strlen (config);
+   config[config_len] = '-';
+   suffix = config + config_len + 1;
+  suffix_len = config_buf_len - (config_len + 1);
+ 
+   struct grub_net_network_level_interface *inf;
+   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -2004,7 +2005,7 @@ grub_net_search_config_file (char *config)
+ 
+       if (client_uuid)
+         {
+-          grub_strcpy (suffix, client_uuid);
+          grub_strlcpy (suffix, client_uuid, suffix_len);
+           if (grub_config_search_through (config, suffix, 1, 0) == 0)
+             return GRUB_ERR_NONE;
+         }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 6f6e4a8..49b9472 100644
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
+          return err;
+ 
+        grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+-       err = grub_net_search_config_file (config);
+       err = grub_net_search_config_file (config, config_len);
+       }
+ 
+     if (err != GRUB_ERR_NONE)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 43eba92..1101b03 100644
+--- a/include/grub/net.h
+++ b/include/grub/net.h
+@@ -648,7 +648,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+ 
+ extern char *grub_net_default_server;
+ 
--- a/SOURCES/0354-misc-Implement-grub_strlcpy.patch
+++ b/SOURCES/0354-misc-Implement-grub_strlcpy.patch
@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: [PATCH] misc: Implement grub_strlcpy()
+
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 981526644..0592aa68f 100644
+--- a/include/grub/misc.h
+++ b/include/grub/misc.h
+@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
+   return d - 1;
+ }
+ 
+static inline grub_size_t
+grub_strlcpy (char *dest, const char *src, grub_size_t size)
+{
+  char *d = dest;
+  grub_size_t res = 0;
+  /*
+   * We do not subtract one from size here to avoid dealing with underflowing
+   * the value, which is why to_copy is always checked to be greater than one
+   * throughout this function.
+   */
+  grub_size_t to_copy = size;
+
+  /* Copy size - 1 bytes to dest. */
+  if (to_copy > 1)
+    while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
+      ;
+
+  /*
+   * NUL terminate if size != 0. The previous step may have copied a NUL byte
+   * if it reached the end of the string, but we know dest[size - 1] must always
+   * be a NUL byte.
+   */
+  if (size != 0)
+    dest[size - 1] = '\0';
+
+  /* If there is still space in dest, but are here, we reached the end of src. */
+  if (to_copy > 1)
+    return res;
+
+  /*
+   * If we haven't reached the end of the string, iterate through to determine
+   * the strings total length.
+   */
+  while (*src++ != '\0' && ++res)
+   ;
+
+  return res;
+}
+
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@ -278,7 +278,7 @@ Provides:	almalinux(grub2-sig-key) = 202303				\
 %{expand:%%ifarch x86_64						\
 Conflicts:	shim-x64 <= 15.6-1.el9.alma					\
 Conflicts:	shim-ia32 <= 15.6-1.el9.alma				\
-%%endif}										\
+%%endif}                                        \
 %{?legacy_provides:Provides:	%{name} = %{evr}}			\
 %{-o:Obsoletes:	%{name}-efi < %{evr}}					\
 									\
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@ -350,3 +350,5 @@ Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
 Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
 Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch
 Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch
+Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
+Patch0354: 0354-misc-Implement-grub_strlcpy.patch
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@ -16,7 +16,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	93%{?dist}.alma.1
+Release:	94%{?dist}.alma.1
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -538,9 +538,14 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif

 %changelog
-* Tue Feb 04 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2.06-93.alma.1
+* Wed Mar 19 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:2.06-94.alma.1
 - Debrand for AlmaLinux

+* Thu Feb 20 2025 Nicolas Frayer <nfrayer@redhat.com> 2.06-94
+ - CVE fixes
+ - Resolves: CVE-2025-0624
+ - Resolves: #RHEL-79842
+ 
 * Wed Oct 16 2024 Nicolas Frayer <nfrayer@redhat.com> 2.06-93
 - cmd/search: Fix a possible NULL ptr dereference
 - Resolves: #RHEL-61263