summaryrefslogtreecommitdiffstats
path: root/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-20225.patch')
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-20225.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20225.patch b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
new file mode 100644
index 0000000000..b864febe62
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
+From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: lib/arg: Block repeated short options that require an argument
+
+Fuzzing found the following crash:
+
+ search -hhhhhhhhhhhhhf
+
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+
+This fixes a OOB write which can cause heap corruption.
+
+Fixes: CVE-2021-20225
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
+CVE: CVE-2021-20225
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/lib/arg.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609..537c5e9 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+ it can have an argument value. */
+ if (*curshort)
+ {
++ /*
++ * Only permit further short opts if this one doesn't
++ * require a value.
++ */
++ if (opt->type != ARG_TYPE_NONE &&
++ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("missing mandatory option for `%s'"),
++ opt->longarg);
++ goto fail;
++ }
++
+ if (parse_option (cmd, opt, 0, usr) || grub_errno)
+ goto fail;
+ }
+--
+2.25.1
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-04 11:24:08 +0000