grub2/0251-net-netbuff-Block-overly-large-netbuff-allocs.patch
Robbie Harwood 42b3050a74 CVE fixes for 2022-05-24
CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
Resolves: #2070688

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-03 14:09:47 -04:00

48 lines
1.5 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 8 Mar 2022 23:47:46 +1100
Subject: [PATCH] net/netbuff: Block overly large netbuff allocs
A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment
reassembly.
This helps avoid some bugs (and provides a spot to instrument to catch
them at their source).
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit ee9591103004cd13b4efadda671536090ca7fd57)
(cherry picked from commit acde668bb9d9fa862a1a63e3bbd5fa47fdfa9183)
---
grub-core/net/netbuff.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c
index dbeeefe478..d5e9e9a0d7 100644
--- a/grub-core/net/netbuff.c
+++ b/grub-core/net/netbuff.c
@@ -79,10 +79,23 @@ grub_netbuff_alloc (grub_size_t len)
COMPILE_TIME_ASSERT (NETBUFF_ALIGN % sizeof (grub_properly_aligned_t) == 0);
+ /*
+ * The largest size of a TCP packet is 64 KiB, and everything else
+ * should be a lot smaller - most MTUs are 1500 or less. Cap data
+ * size at 64 KiB + a buffer.
+ */
+ if (len > 0xffffUL + 0x1000UL)
+ {
+ grub_error (GRUB_ERR_BUG,
+ "attempted to allocate a packet that is too big");
+ return NULL;
+ }
+
if (len < NETBUFFMINLEN)
len = NETBUFFMINLEN;
len = ALIGN_UP (len, NETBUFF_ALIGN);
+
#ifdef GRUB_MACHINE_EMU
data = grub_malloc (len + sizeof (*nb));
#else