From ec6bfd3237394c1c7dbf2fd73417173318d22f4b Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 8 Mar 2022 18:17:03 +1100
Subject: [PATCH] net/http: Fix OOB write for split http headers

GRUB has special code for handling an http header that is split
across two packets.

The code tracks the end of line by looking for a "\n" byte. The
code for split headers has always advanced the pointer just past the
end of the line, whereas the code that handles unsplit headers does
not advance the pointer. This extra advance causes the length to be
one greater, which breaks an assumption in parse_line(), leading to
it writing a NUL byte one byte past the end of the buffer where we
reconstruct the line from the two packets.

It's conceivable that an attacker controlled set of packets could
cause this to zero out the first byte of the "next" pointer of the
grub_mm_region structure following the current_line buffer.

Do not advance the pointer in the split header case.

Fixes: CVE-2022-28734

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Upstream-Status: Backport
CVE: CVE-2022-28734

Reference to upstream patch:
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ec6bfd3237394c1c7dbf2fd73417173318d22f4b

Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
---
 grub-core/net/http.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index f8d7bf0cd..33a0a28c4 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
 int have_line = 1;
 char *t;
 ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
- if (ptr)
- ptr++;
- else
+ if (ptr == NULL)
 {
 have_line = 0;
 ptr = (char *) nb->tail;
--
2.34.1
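Review bot: The `if (ptr == NULL)` branch now leaves `ptr` pointing at the '\n' itself rather than one past it, which is the whole fix, but nothing in the hunk records why; since the bug came from the split-header path silently disagreeing with the unsplit path, a one-line comment above `if (ptr == NULL)` stating that `ptr` must point at the newline (not past it) so the computed length matches what parse_line() assumes would make the invariant visible to the next person who touches either path. The hunk's trailing context stops at `ptr = (char *) nb->tail;`, so the code that consumes `ptr` (the length computation and the subsequent pull of the line from `nb`) is not visible here; the reviewer should confirm on the full file that with `ptr` no longer advanced, the '\n' byte is still consumed after the line is reconstructed, otherwise it would remain at the head of the buffer and be parsed again as an empty header line.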