mirror of
https://git.yoctoproject.org/poky
synced 2026-05-31 00:39:46 +00:00
grub: patch CVE-2025-0678 and CVE-2025-1125
Cherry-pick patch mentioning these CVEs. (From OE-Core rev: d0283e421e41b6775f40a51de6018c2c5cfda61f) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko
committed by
Steve Sakoman
Steve Sakoman
parent
373e83b89c
commit
d5bb46337d
@@ -0,0 +1,87 @@
|
|||||||
|
From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lidong Chen <lidong.chen@oracle.com>
|
||||||
|
Date: Tue, 21 Jan 2025 19:02:37 +0000
|
||||||
|
Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays
|
||||||
|
|
||||||
|
Use grub_calloc() when allocating memory for arrays to ensure proper
|
||||||
|
overflow checks are in place.
|
||||||
|
|
||||||
|
The HFS+ and squash4 security vulnerabilities were reported by
|
||||||
|
Jonathan Bar Or <jonathanbaror@gmail.com>.
|
||||||
|
|
||||||
|
Fixes: CVE-2025-0678
|
||||||
|
Fixes: CVE-2025-1125
|
||||||
|
|
||||||
|
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
|
||||||
|
CVE: CVE-2025-0678
|
||||||
|
CVE: CVE-2025-1125
|
||||||
|
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e]
|
||||||
|
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||||
|
---
|
||||||
|
grub-core/fs/btrfs.c | 4 ++--
|
||||||
|
grub-core/fs/hfspluscomp.c | 9 +++++++--
|
||||||
|
grub-core/fs/squash4.c | 8 ++++----
|
||||||
|
3 files changed, 13 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
|
||||||
|
index 0625b1166..9c1e925c9 100644
|
||||||
|
--- a/grub-core/fs/btrfs.c
|
||||||
|
+++ b/grub-core/fs/btrfs.c
|
||||||
|
@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
|
||||||
|
}
|
||||||
|
|
||||||
|
data->n_devices_allocated = 16;
|
||||||
|
- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
|
||||||
|
- * data->n_devices_allocated);
|
||||||
|
+ data->devices_attached = grub_calloc (data->n_devices_allocated,
|
||||||
|
+ sizeof (data->devices_attached[0]));
|
||||||
|
if (!data->devices_attached)
|
||||||
|
{
|
||||||
|
grub_free (data);
|
||||||
|
diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
|
||||||
|
index 48ae438d8..a80954ee6 100644
|
||||||
|
--- a/grub-core/fs/hfspluscomp.c
|
||||||
|
+++ b/grub-core/fs/hfspluscomp.c
|
||||||
|
@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
node->compress_index_size = grub_le_to_cpu32 (index_size);
|
||||||
|
- node->compress_index = grub_malloc (node->compress_index_size
|
||||||
|
- * sizeof (node->compress_index[0]));
|
||||||
|
+ node->compress_index = grub_calloc (node->compress_index_size,
|
||||||
|
+ sizeof (node->compress_index[0]));
|
||||||
|
if (!node->compress_index)
|
||||||
|
{
|
||||||
|
node->compressed = 0;
|
||||||
|
grub_free (attr_node);
|
||||||
|
return grub_errno;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
|
||||||
|
+ * due to relevant checks done in grub_calloc() above.
|
||||||
|
+ */
|
||||||
|
if (grub_hfsplus_read_file (node, 0, 0,
|
||||||
|
0x104 + sizeof (index_size),
|
||||||
|
node->compress_index_size
|
||||||
|
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
|
||||||
|
index f91ff3bfa..cf2bca822 100644
|
||||||
|
--- a/grub-core/fs/squash4.c
|
||||||
|
+++ b/grub-core/fs/squash4.c
|
||||||
|
@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
|
||||||
|
- ino->block_sizes = grub_malloc (total_blocks
|
||||||
|
- * sizeof (ino->block_sizes[0]));
|
||||||
|
- ino->cumulated_block_sizes = grub_malloc (total_blocks
|
||||||
|
- * sizeof (ino->cumulated_block_sizes[0]));
|
||||||
|
+ ino->block_sizes = grub_calloc (total_blocks,
|
||||||
|
+ sizeof (ino->block_sizes[0]));
|
||||||
|
+ ino->cumulated_block_sizes = grub_calloc (total_blocks,
|
||||||
|
+ sizeof (ino->cumulated_block_sizes[0]));
|
||||||
|
if (!ino->block_sizes || !ino->cumulated_block_sizes)
|
||||||
|
{
|
||||||
|
grub_free (ino->block_sizes);
|
||||||
@@ -35,6 +35,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
|
|||||||
file://CVE-2025-1118.patch \
|
file://CVE-2025-1118.patch \
|
||||||
file://CVE-2024-45778_CVE-2024-45779.patch \
|
file://CVE-2024-45778_CVE-2024-45779.patch \
|
||||||
file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
|
file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
|
||||||
|
file://CVE-2025-0678_CVE-2025-1125.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
|
SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
|
||||||
|
|||||||
Reference in New Issue
Block a user