yetist (Repos: 130, Followers: 53, Following: 43)

Events

issue comment
RFE: add 64-bit LoongArch support

The test result on the LoongArch machine:

Regression Test Summary
 tests run: 5061
 tests skipped: 123
 tests passed: 5061
 tests failed: 0
 tests errored: 0
============================================================
PASS: regression
=============
1 test passed
=============
Created at 1 hour ago

api: add the SCMP_FLTATR_CTL_WAITKILL filter attribute

The SCMP_FLTATR_CTL_WAITKILL attribute requests that the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag be passed to the seccomp(2) system call when possible, which is currently only when the SECCOMP_FILTER_FLAG_NEW_LISTENER flag is also set.

Signed-off-by: Paul Moore paul@paul-moore.com
Signed-off-by: Tom Hromatka tom.hromatka@oracle.com

syscalls: update to Linux v6.0

Signed-off-by: Xiaotian Wu wuxiaotian@loongson.cn
Signed-off-by: WANG Xuerui git@xen0n.name

tests: add fstatfs() syscall in the 06-sim-actions

Signed-off-by: Xiaotian Wu wuxiaotian@loongson.cn

arch: Add 64-bit LoongArch support

Signed-off-by: Xiaotian Wu wuxiaotian@loongson.cn
Signed-off-by: WANG Xuerui git@xen0n.name

tests: Add 64-bit LoongArch support

Signed-off-by: Xiaotian Wu wuxiaotian@loongson.cn

doc: update README and manpage for 64-bit LoongArch

Signed-off-by: Xiaotian Wu wuxiaotian@loongson.cn

Created at 1 hour ago

test case

Created at 1 hour ago

plantsvszombies

wine-app-helper

Created at 2 days ago
create branch
yetist create branch main
Created at 3 days ago

templates: Introduce GRUB_TOP_LEVEL_* vars

A user may wish to use an image that is not sorted as the "latest" version as the top-level entry. For example, in Arch Linux, if a user has the LTS and regular kernels installed, "/boot/vmlinuz-linux-lts" gets sorted as the "latest" compared to "/boot/vmlinuz-linux", meaning the LTS kernel becomes the top-level entry. However, a user may wish to use the regular kernel as the top-level default with the LTS only existing as a backup.

This need can be seen in Arch Linux's AUR with two user-submitted packages [0] providing an update hook which patches /etc/grub.d/10_linux to move the desired kernel to the top-level. This patch serves to solve this in a more generic way.

Introduce the GRUB_TOP_LEVEL, GRUB_TOP_LEVEL_XEN and GRUB_TOP_LEVEL_OS_PROBER variables to allow users to specify the top-level entry.

Create grub_move_to_front() as a helper function which moves entries to the front of a list. This function does the heavy lifting of moving the menu entry to the front in each script.

In 10_netbsd, since there isn't an explicit list variable, extract the items that are being iterated through into a list so that we can optionally apply grub_move_to_front() to the list before the loop.

Signed-off-by: Denton Liu liu.denton@gmail.com
Reviewed-by: Oskari Pirhonen xxc3ncoredxx@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

loader: Add support for grub-emu to kexec Linux menu entries

The GRUB emulator is used as a debugging utility but it could also be used as a user-space bootloader if there is support to boot an operating system.

The Linux kernel is already able to (re)boot another kernel via the kexec boot mechanism. So the grub-emu tool could rely on this feature and have linux and initrd commands that are used to pass a kernel, initramfs image and command line parameters to kexec for booting a selected menu entry.

By default the systemctl kexec option is used so systemd can shut down all of the running services before doing a reboot using kexec. But if this is not present, it can fall back to executing the kexec user-space tool directly. The ability to force a kexec-reboot when systemctl kexec fails must only be used in controlled environments to avoid possible filesystem corruption and data loss.

Signed-off-by: Raymund Will rw@suse.com
Signed-off-by: John Jolly jjolly@suse.com
Signed-off-by: Javier Martinez Canillas javierm@redhat.com
Signed-off-by: Robbie Harwood rharwood@redhat.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

types: Make bool generally available

Add an include on stdbool.h, making the bool type generally available within the GRUB without needing to add a file-specific include every time it would be used.

Signed-off-by: Robbie Harwood rharwood@redhat.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

kern/env: Add function for retrieving variables as booleans

Signed-off-by: Robbie Harwood rharwood@redhat.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

commands/tpm: Don't propagate measurement failures to the verifiers layer

Currently, if an EFI firmware fails to do a TPM measurement for a file, the error is propagated to the verifiers framework, which prevents the file from being opened. This means that buggy firmware will lead to the system not booting because files won't be allowed to be loaded. But a failure to do a TPM measurement isn't expected to be a fatal error that causes the system to be unbootable.

To avoid this, don't return errors from the .write and .verify_string callbacks and just print a debug message in the case of a TPM measurement failure. Add an environment variable, tpm_fail_fatal, to restore the previous behavior.

Also-authored-by: Javier Martinez Canillas javierm@redhat.com
Signed-off-by: Javier Martinez Canillas javierm@redhat.com
Signed-off-by: Robbie Harwood rharwood@redhat.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

normal/help: Add paging instructions to normal and help prompts

This is not an ideal solution, as interactive users must always run a command in order to get the behavior they want, but it avoids problematic interactions between prompting and sourcing files.

Signed-off-by: Robbie Harwood rharwood@redhat.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

osdep/unix/getroot: Pass -P to zpool status

zpool status by default prints basenames of VDEVs, which means that GRUB would have to go around guessing to see whether a VDEV exists. Instead, it'd be more robust to simply tell zpool to give us full paths to VDEVs via -P.

Signed-off-by: Arsen Arsenović arsen@aarsen.me
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

docs: Correct GRUB_DISABLE_LINUX_PARTUUID documentation

Signed-off-by: szubersk szuberskidamian@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

loader/multiboot_elfxx: Fix memory leak

The commit eb33e61b3 (multiboot: fix memory leak) did not fix all issues. Fix all of them right now.

Fixes: eb33e61b3 (multiboot: fix memory leak)

Signed-off-by: t.feng fengtao40@huawei.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Reject glyphs exceeding font->max_glyph_width or font->max_glyph_height

Check glyph's width and height against limits specified in font's metadata. Reject the glyph (and font) if such limits are exceeded.

Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Fix size overflow in grub_font_get_glyph_internal()

The length of memory allocation and file read may overflow. This patch fixes the problem by using safemath macros.

There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz(), a safe replacement for such code with a safemath-like prototype.

This patch also introduces grub_cast(value, pointer), which casts value to typeof(*pointer) and then stores the value to *pointer. It returns true when overflow occurs or false if there is no overflow. The semantics of the arguments and return value are designed to be consistent with the other safemath macros.

Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Fix several integer overflows in grub_font_construct_glyph()

This patch fixes several integer overflows in grub_font_construct_glyph(). Glyphs of invalid size, zero or leading to an overflow, are rejected. The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() returns NULL is fixed too.

Fixes: CVE-2022-2601

Reported-by: Zhang Boyang zhangboyang.id@gmail.com
Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Remove grub_font_dup_glyph()

Remove grub_font_dup_glyph() since nobody is using it since 2013, and I'm too lazy to fix the integer overflow problem in it.

Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Fix integer overflow in ensure_comb_space()

In fact it can't overflow at all because glyph_id->ncomb is only 8-bit wide. But let's keep safe if somebody changes the width of glyph_id->ncomb in the future. This patch also fixes the inconsistency between render_max_comb_glyphs and render_combining_glyphs when grub_malloc() returns NULL.

Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Fix integer overflow in BMP index

The BMP index (font->bmp_idx) is designed as a reverse lookup table of char entries (font->char_index), in order to speed up lookups for BMP chars (i.e. code < 0x10000). The values in the BMP index are the subscripts of the corresponding char entries, stored in grub_uint16_t, while 0xffff means not found.

This patch fixes the problem of a large subscript being truncated to grub_uint16_t, leading the BMP index to return the wrong char entry or report a false miss. The code now checks for bounds, uses the BMP index as a hint, and falls back to binary search if necessary.

On the occasion, add a comment noting that the BMP index is initialized to 0xffff.

Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Fix integer underflow in binary search of char index

If the search target is less than all entries in font->index then the "hi" variable is set to -1, which translates to SIZE_MAX and leads to errors.

This patch fixes the problem by replacing the entire binary search code with libstdc++'s std::lower_bound() implementation.

Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

kern/efi/sb: Enforce verification of font files

As a mitigation and hardening measure, enforce verification of font files. Then only trusted font files can be loaded. This will reduce the attack surface at the cost of losing the ability of end-users to customize fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize fonts because they have the ability to pack fonts into their GRUB bundles.

This goal is achieved by:

  • Removing GRUB_FILE_TYPE_FONT from shim lock verifier's skip-verification list.

  • Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list, so font files must be verified by a verifier before they can be loaded.

Suggested-by: Daniel Kiper daniel.kiper@oracle.com
Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

fbutil: Fix integer overflow

Expressions like u64 = u32 * u32 are unsafe because their products are truncated to u32 even if the left-hand side is u64. This patch fixes all problems like that one in fbutil.

To get the right result, not only does the left-hand side have to be u64, but it is also necessary to cast at least one of the operands of all leaf operators of the right-hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be u64 = (u64)u32 * u32 + (u64)u32 * u32.

For 1-bit bitmaps grub_uint64_t has to be used. It's safe because any combination of values in the (grub_uint64_t)u32 * u32 + u32 expression will not overflow grub_uint64_t.

Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable. They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.

This patch also adds a comment to grub_video_fb_get_video_ptr() which says its arguments must be valid and no sanity check is performed (like its siblings in grub-core/video/fb/fbutil.c).

Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Fix an integer underflow in blit_comb()

The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may evaluate to a very big invalid value even if both ctx.bounds.height and combining_glyphs[i]->height are small integers. For example, if ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this expression evaluates to 2147483647 (expected -1). This is because coordinates are allowed to be negative but ctx.bounds.height is an unsigned int. So, the subtraction operates on unsigned ints and underflows to a very big value. The division makes things even worse. The quotient is still an invalid value even if converted back to int.

This patch fixes the problem by casting ctx.bounds.height to int. As a result the subtraction will operate on int and grub_uint16_t, which will be promoted to an int. So, the underflow will no longer happen. Other uses of ctx.bounds.height (and ctx.bounds.width) are also cast to int, to ensure coordinates are always calculated on signed integers.

Fixes: CVE-2022-3775

Reported-by: Daniel Axtens dja@axtens.net
Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror()

As a mitigation and hardening measure, add sanity checks to grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch makes these two functions do nothing if the target blitting area isn't fully contained in the target bitmap. Therefore, if complex calculations in the caller overflow and malicious coordinates are given, we are still safe because any coordinates which would result in an out-of-bounds write are rejected. However, this patch only checks for invalid coordinates, and doesn't provide any protection against an invalid source glyph or destination glyph, e.g. a mismatch between glyph size and buffer size.

This hardening measure is designed to mitigate possible overflows in blit_comb(). If overflow occurs, it may return an invalid bounding box during the dry run and call grub_font_blit_glyph() with malicious coordinates during actual blitting. However, we are still safe because the scratch glyph itself is valid, although its size makes no sense, and any invalid coordinates are rejected.

It would be better to call grub_fatal() if an illegal parameter is detected. However, doing this may end up in a dangerous recursion because grub_fatal() would print messages to the screen and we are in the process of drawing characters on the screen.

Reported-by: Daniel Axtens dja@axtens.net
Signed-off-by: Zhang Boyang zhangboyang.id@gmail.com
Reviewed-by: Daniel Kiper daniel.kiper@oracle.com

Created at 3 days ago

update

Created at 3 days ago
create branch
yetist create branch dev/master
Created at 4 days ago

add support for loong64

Signed-off-by: Xiaotian Wu wuxiaotian@loongson.cn

Created at 5 days ago
create repository
yetist create repository
Created at 1 week ago
create tag
yetist create tag v20221025
Created at 1 week ago
create branch
yetist create branch 2022.09
Created at 2 weeks ago