grub2/0242-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
Robbie Harwood f0ad2aaa26 CVE fixes for 2022-05-24
Resolves: CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
Resolves: CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-03 13:54:45 -04:00

72 lines
2.3 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 20 Dec 2021 21:55:43 +1100
Subject: [PATCH] net/dns: Don't read past the end of the string we're checking
against
I don't really understand what's going on here but fuzzing found
a bug where we read past the end of check_with. That's a C string,
so use grub_strlen() to make sure we don't overread it.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 6a97b3f4b1d5173aa516edc6dedbc63de7306d21)
---
grub-core/net/dns.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 135faac035..17961a9f18 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -146,11 +146,18 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
int *length, char *set)
{
const char *readable_ptr = check_with;
+ int readable_len;
const grub_uint8_t *ptr;
char *optr = set;
int bytes_processed = 0;
if (length)
*length = 0;
+
+ if (readable_ptr != NULL)
+ readable_len = grub_strlen (readable_ptr);
+ else
+ readable_len = 0;
+
for (ptr = name_at; ptr < tail && bytes_processed < tail - head + 2; )
{
/* End marker. */
@@ -172,13 +179,16 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
ptr = head + (((ptr[0] & 0x3f) << 8) | ptr[1]);
continue;
}
- if (readable_ptr && grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0)
+ if (readable_ptr != NULL && (*ptr > readable_len || grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0))
return 0;
if (grub_memchr (ptr + 1, 0, *ptr)
|| grub_memchr (ptr + 1, '.', *ptr))
return 0;
if (readable_ptr)
- readable_ptr += *ptr;
+ {
+ readable_ptr += *ptr;
+ readable_len -= *ptr;
+ }
if (readable_ptr && *readable_ptr != '.' && *readable_ptr != 0)
return 0;
bytes_processed += *ptr + 1;
@@ -192,7 +202,10 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
if (optr)
*optr++ = '.';
if (readable_ptr && *readable_ptr)
- readable_ptr++;
+ {
+ readable_ptr++;
+ readable_len--;
+ }
ptr += *ptr + 1;
}
return 0;