mirror of
git://git.yoctoproject.org/poky
synced 2026-04-02 02:49:11 +00:00
7f366c7d84
CVE: CVE-2023-4692 Crafted file system images can cause heap-based buffer overflow and may allow arbitrary code execution and secure boot bypass. Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] CVE: CVE-2023-4693 There an out-of-bounds read at fs/ntfs.c, a physically present attacker may leverage that by presenting a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack may allow sensitive data cached in memory or EFI variables values to be leaked presenting a high Confidentiality risk. Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94] (From OE-Core rev: 51236150a3740d95e3601499d3918af5a37f8f86) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit: a8bc6f041599ce8da275c163c87f155a2f09369c) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
64 lines
2.4 KiB
Diff
64 lines
2.4 KiB
Diff
From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
|
|
From: Maxim Suhanov <dfirblog@...>
|
|
Date: Mon, 28 Aug 2023 16:32:33 +0300
|
|
Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
|
|
attribute
|
|
|
|
When reading a file containing resident data, i.e., the file data is stored in
|
|
the $DATA attribute within the NTFS file record, not in external clusters,
|
|
there are no checks that this resident data actually fits the corresponding
|
|
file record segment.
|
|
|
|
When parsing a specially-crafted file system image, the current NTFS code will
|
|
read the file data from an arbitrary, attacker-chosen memory offset and of
|
|
arbitrary, attacker-chosen length.
|
|
|
|
This allows an attacker to display arbitrary chunks of memory, which could
|
|
contain sensitive information like password hashes or even plain-text,
|
|
obfuscated passwords from BS EFI variables.
|
|
|
|
This fix implements a check to ensure that resident data is read from the
|
|
corresponding file record segment only.
|
|
|
|
Fixes: CVE-2023-4693
|
|
|
|
Upstream-Status: Backport from
|
|
[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
|
|
CVE: CVE-2023-4693
|
|
|
|
Reported-by: Maxim Suhanov <dfirblog@gmail.com>
|
|
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
|
|
---
|
|
grub-core/fs/ntfs.c | 13 ++++++++++++-
|
|
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
|
|
index c3c4db1..a68e173 100644
|
|
--- a/grub-core/fs/ntfs.c
|
|
+++ b/grub-core/fs/ntfs.c
|
|
@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
|
|
{
|
|
if (ofs + len > u32at (pa, 0x10))
|
|
return grub_error (GRUB_ERR_BAD_FS, "read out of range");
|
|
- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
|
|
+
|
|
+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
|
|
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
|
|
+
|
|
+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
|
|
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
|
|
+
|
|
+ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
|
|
+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
|
|
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
|
|
+
|
|
+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
|
|
return 0;
|
|
}
|
|
|
|
--
|
|
cgit v1.1
|
|
|