[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely
|
From: |
Daniel Kiper |
|
Subject: |
[SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely |
|
Date: |
Tue, 7 Jun 2022 19:01:25 +0200 |
From: Daniel Axtens <dja@axtens.net>
We can receive packets with invalid IP fragmentation information. This
can lead to rsm->total_len underflowing and becoming very large.
Then, in grub_netbuff_alloc(), we add to this very large number, which can
cause it to overflow and wrap back around to a small positive number.
The allocation then succeeds, but the resulting buffer is too small and
subsequent operations can write past the end of the buffer.
Catch the underflow here.
Fixes: CVE-2022-28733
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/ip.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
index e3d62e97f..3c3d0be0e 100644
--- a/grub-core/net/ip.c
+++ b/grub-core/net/ip.c
@@ -25,6 +25,7 @@
#include <grub/net/netbuff.h>
#include <grub/mm.h>
#include <grub/priority_queue.h>
+#include <grub/safemath.h>
#include <grub/time.h>
struct iphdr {
@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
{
rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ (nb->tail - nb->data));
- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
+
+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof
(grub_uint32_t),
+ &rsm->total_len))
+ {
+ grub_dprintf ("net", "IP reassembly size underflow\n");
+ return GRUB_ERR_NONE;
+ }
+
rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
if (!rsm->asm_netbuff)
{
--
2.11.0
- [SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities - 2022/06/07 round, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 02/30] commands/boot: Add API to pass context to loader, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 01/30] loader/efi/chainloader: Simplify the loader state, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 04/30] kern/efi/sb: Reject non-kernel files in the shim_lock verifier, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 13/30] video/readers/jpeg: Refuse to handle multiple start of streams, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operation fails, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely,
Daniel Kiper <=
- [SECURITY PATCH 05/30] kern/file: Do not leak device_name on error in grub_file_open(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 26/30] fs/f2fs: Do not read past the end of nat bitmap, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 12/30] video/readers/jpeg: Do not reallocate a given huff table, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 03/30] loader/efi/chainloader: Use grub_loader_set_ex(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 10/30] video/readers/png: Sanity check some huffman codes, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 09/30] video/readers/png: Avoid heap OOB R/W inserting huff table items, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 07/30] video/readers/png: Refuse to handle multiple image headers, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 15/30] normal/charset: Fix array out-of-bounds formatting unicode for display, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 19/30] net/dns: Don't read past the end of the string we're checking against, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal entries, Daniel Kiper, 2022/06/07