diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2023-4693.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2023-4693.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch deleted file mode 100644 index 420fe92ac38..00000000000 --- a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001 -From: Maxim Suhanov <dfirblog@...> -Date: Mon, 28 Aug 2023 16:32:33 +0300 -Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA - attribute - -When reading a file containing resident data, i.e., the file data is stored in -the $DATA attribute within the NTFS file record, not in external clusters, -there are no checks that this resident data actually fits the corresponding -file record segment. - -When parsing a specially-crafted file system image, the current NTFS code will -read the file data from an arbitrary, attacker-chosen memory offset and of -arbitrary, attacker-chosen length. - -This allows an attacker to display arbitrary chunks of memory, which could -contain sensitive information like password hashes or even plain-text, -obfuscated passwords from BS EFI variables. - -This fix implements a check to ensure that resident data is read from the -corresponding file record segment only. - -Fixes: CVE-2023-4693 - -Upstream-Status: Backport from -[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94] -CVE: CVE-2023-4693 - -Reported-by: Maxim Suhanov <dfirblog@...> -Signed-off-by: Maxim Suhanov <dfirblog@...> -Reviewed-by: Daniel Kiper <daniel.kiper@...> -Signed-off-by: Xiangyu Chen <xiangyu.chen@...> ---- - grub-core/fs/ntfs.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c -index c3c4db1..a68e173 100644 ---- a/grub-core/fs/ntfs.c -+++ b/grub-core/fs/ntfs.c -@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, - { - if (ofs + len > u32at (pa, 0x10)) - return grub_error (GRUB_ERR_BAD_FS, "read out of range"); -- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len); -+ -+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); -+ -+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); -+ -+ if (u16at (pa, 0x14) + u32at (pa, 0x10) > -+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) -+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); -+ -+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); - return 0; - } - --- -cgit v1.1 - |