1*4882a593SmuzhiyunFrom 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net> 3*4882a593SmuzhiyunDate: Mon, 20 Dec 2021 19:41:21 +1100 4*4882a593SmuzhiyunSubject: [PATCH] net/ip: Do IP fragment maths safely 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunWe can receive packets with invalid IP fragmentation information. This 7*4882a593Smuzhiyuncan lead to rsm->total_len underflowing and becoming very large. 8*4882a593Smuzhiyun 9*4882a593SmuzhiyunThen, in grub_netbuff_alloc(), we add to this very large number, which can 10*4882a593Smuzhiyuncause it to overflow and wrap back around to a small positive number. 11*4882a593SmuzhiyunThe allocation then succeeds, but the resulting buffer is too small and 12*4882a593Smuzhiyunsubsequent operations can write past the end of the buffer. 13*4882a593Smuzhiyun 14*4882a593SmuzhiyunCatch the underflow here. 15*4882a593Smuzhiyun 16*4882a593SmuzhiyunFixes: CVE-2022-28733 17*4882a593Smuzhiyun 18*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net> 19*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 20*4882a593Smuzhiyun 21*4882a593SmuzhiyunUpstream-Status: Backport 22*4882a593SmuzhiyunCVE: CVE-2022-28733 23*4882a593Smuzhiyun 24*4882a593SmuzhiyunReference to upstream patch: 25*4882a593Smuzhiyunhttps://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287 26*4882a593Smuzhiyun 27*4882a593SmuzhiyunSigned-off-by: Yongxin Liu <yongxin.liu@windriver.com> 28*4882a593Smuzhiyun 29*4882a593Smuzhiyun--- 30*4882a593Smuzhiyun grub-core/net/ip.c | 10 +++++++++- 31*4882a593Smuzhiyun 1 file changed, 9 insertions(+), 1 deletion(-) 32*4882a593Smuzhiyun 33*4882a593Smuzhiyundiff --git a/grub-core/net/ip.c b/grub-core/net/ip.c 34*4882a593Smuzhiyunindex e3d62e97f..3c3d0be0e 100644 35*4882a593Smuzhiyun--- a/grub-core/net/ip.c 36*4882a593Smuzhiyun+++ b/grub-core/net/ip.c 37*4882a593Smuzhiyun@@ -25,6 +25,7 @@ 38*4882a593Smuzhiyun #include <grub/net/netbuff.h> 39*4882a593Smuzhiyun #include <grub/mm.h> 40*4882a593Smuzhiyun #include <grub/priority_queue.h> 41*4882a593Smuzhiyun+#include <grub/safemath.h> 42*4882a593Smuzhiyun #include <grub/time.h> 43*4882a593Smuzhiyun 44*4882a593Smuzhiyun struct iphdr { 45*4882a593Smuzhiyun@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, 46*4882a593Smuzhiyun { 47*4882a593Smuzhiyun rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) 48*4882a593Smuzhiyun + (nb->tail - nb->data)); 49*4882a593Smuzhiyun- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); 50*4882a593Smuzhiyun+ 51*4882a593Smuzhiyun+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), 52*4882a593Smuzhiyun+ &rsm->total_len)) 53*4882a593Smuzhiyun+ { 54*4882a593Smuzhiyun+ grub_dprintf ("net", "IP reassembly size underflow\n"); 55*4882a593Smuzhiyun+ return GRUB_ERR_NONE; 56*4882a593Smuzhiyun+ } 57*4882a593Smuzhiyun+ 58*4882a593Smuzhiyun rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); 59*4882a593Smuzhiyun if (!rsm->asm_netbuff) 60*4882a593Smuzhiyun { 61*4882a593Smuzhiyun-- 62*4882a593Smuzhiyun2.34.1 63*4882a593Smuzhiyun 64