rpms/grub2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Debrand for AlmaLinux

Browse Source
This commit is contained in:
Eduard Abdullin 2025-03-19 11:52:33 +00:00 committed by root
commit 5013be4de7
5 changed files with 154 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch Normal file
View File

@ -0,0 +1,79 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Tue, 11 Feb 2025 16:38:44 -0600
Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
pass the underlying buffers size to the grub_net_search_config_file().
Fixes: CVE-2025-0624
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/net.c | 7 ++++---
grub-core/normal/main.c | 2 +-
include/grub/net.h | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
index 2512862..6c0bd00 100644
--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
@@ -1971,14 +1971,15 @@ grub_config_search_through (char *config, char *suffix,
}
grub_err_t
-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
{
- grub_size_t config_len;
+ grub_size_t config_len, suffix_len;
char *suffix;
config_len = grub_strlen (config);
config[config_len] = '-';
suffix = config + config_len + 1;
+ suffix_len = config_buf_len - (config_len + 1);
struct grub_net_network_level_interface *inf;
FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
@@ -2004,7 +2005,7 @@ grub_net_search_config_file (char *config)
if (client_uuid)
{
- grub_strcpy (suffix, client_uuid);
+ grub_strlcpy (suffix, client_uuid, suffix_len);
if (grub_config_search_through (config, suffix, 1, 0) == 0)
return GRUB_ERR_NONE;
}
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 6f6e4a8..49b9472 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
return err;
grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
- err = grub_net_search_config_file (config);
+ err = grub_net_search_config_file (config, config_len);
}
if (err != GRUB_ERR_NONE)
diff --git a/include/grub/net.h b/include/grub/net.h
index 43eba92..1101b03 100644
--- a/include/grub/net.h
+++ b/include/grub/net.h
@@ -648,7 +648,7 @@ void
grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
grub_err_t
-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
extern char *grub_net_default_server;

65
SOURCES/0354-misc-Implement-grub_strlcpy.patch Normal file
View File

@ -0,0 +1,65 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sat, 15 Jun 2024 02:33:08 +0100
Subject: [PATCH] misc: Implement grub_strlcpy()
grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
returning the length of src and ensuring dest is always NUL
terminated except when size is 0.
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/include/grub/misc.h b/include/grub/misc.h
index 981526644..0592aa68f 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
return d - 1;
}
+static inline grub_size_t
+grub_strlcpy (char *dest, const char *src, grub_size_t size)
+{
+ char *d = dest;
+ grub_size_t res = 0;
+ /*
+ * We do not subtract one from size here to avoid dealing with underflowing
+ * the value, which is why to_copy is always checked to be greater than one
+ * throughout this function.
+ */
+ grub_size_t to_copy = size;
+
+ /* Copy size - 1 bytes to dest. */
+ if (to_copy > 1)
+ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
+ ;
+
+ /*
+ * NUL terminate if size != 0. The previous step may have copied a NUL byte
+ * if it reached the end of the string, but we know dest[size - 1] must always
+ * be a NUL byte.
+ */
+ if (size != 0)
+ dest[size - 1] = '\0';
+
+ /* If there is still space in dest, but are here, we reached the end of src. */
+ if (to_copy > 1)
+ return res;
+
+ /*
+ * If we haven't reached the end of the string, iterate through to determine
+ * the strings total length.
+ */
+ while (*src++ != '\0' && ++res)
+ ;
+
+ return res;
+}
+
/* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
static inline void *
grub_memcpy (void *dest, const void *src, grub_size_t n)

2
SOURCES/grub.macros
View File

@ -278,7 +278,7 @@ Provides: almalinux(grub2-sig-key) = 202303 \
%{expand:%%ifarch x86_64 \ %{expand:%%ifarch x86_64 \
Conflicts: shim-x64 <= 15.6-1.el9.alma \ Conflicts: shim-x64 <= 15.6-1.el9.alma \
Conflicts: shim-ia32 <= 15.6-1.el9.alma \ Conflicts: shim-ia32 <= 15.6-1.el9.alma \
%%endif} \ %%endif} \
%{?legacy_provides:Provides: %{name} = %{evr}} \ %{?legacy_provides:Provides: %{name} = %{evr}} \
%{-o:Obsoletes: %{name}-efi < %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \
\ \

2
SOURCES/grub.patches
View File

@ -350,3 +350,5 @@ Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch
Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch
Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
Patch0354: 0354-misc-Implement-grub_strlcpy.patch

9
SPECS/grub2.spec
View File

@ -16,7 +16,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.06 Version: 2.06
Release: 93%{?dist}.alma.1 Release: 94%{?dist}.alma.1
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+ License: GPLv3+
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -538,9 +538,14 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif %endif
%changelog %changelog
* Tue Feb 04 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2.06-93.alma.1 * Wed Mar 19 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:2.06-94.alma.1
- Debrand for AlmaLinux - Debrand for AlmaLinux
* Thu Feb 20 2025 Nicolas Frayer <nfrayer@redhat.com> 2.06-94
- CVE fixes
- Resolves: CVE-2025-0624
- Resolves: #RHEL-79842
* Wed Oct 16 2024 Nicolas Frayer <nfrayer@redhat.com> 2.06-93 * Wed Oct 16 2024 Nicolas Frayer <nfrayer@redhat.com> 2.06-93
- cmd/search: Fix a possible NULL ptr dereference - cmd/search: Fix a possible NULL ptr dereference
- Resolves: #RHEL-61263 - Resolves: #RHEL-61263