import grub2-2.06-94.el9_5

b895be29 · Rocky Automation · e30b3559 · b895be29 · b895be29 · b895be29
Commit b895be29 authored 2 weeks ago by Rocky Automation
--- a/.grub2.checksum
+++ b/.grub2.checksum
-f3bb6a1273f49e64e58f27e517d6e87621953279326760cc53402df7280ec5ce
+5ca2670114bde4a9a35cb89c8e262abfbbe6fb04af8d1d5c85f77ca3dd33bd11
--- a/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
+++ b/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Tue, 11 Feb 2025 16:38:44 -0600
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+Fixes: CVE-2025-0624
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c     | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h      | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 2512862..6c0bd00 100644
+--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
+@@ -1971,14 +1971,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+ grub_err_t
+-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+-  grub_size_t config_len;
+  grub_size_t config_len, suffix_len;
+   char *suffix;
+   config_len = grub_strlen (config);
+   config[config_len] = '-';
+   suffix = config + config_len + 1;
+  suffix_len = config_buf_len - (config_len + 1);
+   struct grub_net_network_level_interface *inf;
+   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -2004,7 +2005,7 @@ grub_net_search_config_file (char *config)
+       if (client_uuid)
+         {
+-          grub_strcpy (suffix, client_uuid);
+          grub_strlcpy (suffix, client_uuid, suffix_len);
+           if (grub_config_search_through (config, suffix, 1, 0) == 0)
+             return GRUB_ERR_NONE;
+         }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 6f6e4a8..49b9472 100644
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
+          return err;
+        grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+-       err = grub_net_search_config_file (config);
+       err = grub_net_search_config_file (config, config_len);
+       }
+     if (err != GRUB_ERR_NONE)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 43eba92..1101b03 100644
+--- a/include/grub/net.h
+++ b/include/grub/net.h
+@@ -648,7 +648,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+ grub_err_t
+-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+ extern char *grub_net_default_server;
--- a/SOURCES/0354-misc-Implement-grub_strlcpy.patch
+++ b/SOURCES/0354-misc-Implement-grub_strlcpy.patch
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: [PATCH] misc: Implement grub_strlcpy()
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 981526644..0592aa68f 100644
+--- a/include/grub/misc.h
+++ b/include/grub/misc.h
+@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
+   return d - 1;
+ }
+static inline grub_size_t
+grub_strlcpy (char *dest, const char *src, grub_size_t size)
+{
+  char *d = dest;
+  grub_size_t res = 0;
+  /*
+   * We do not subtract one from size here to avoid dealing with underflowing
+   * the value, which is why to_copy is always checked to be greater than one
+   * throughout this function.
+   */
+  grub_size_t to_copy = size;
+
+  /* Copy size - 1 bytes to dest. */
+  if (to_copy > 1)
+    while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
+      ;
+
+  /*
+   * NUL terminate if size != 0. The previous step may have copied a NUL byte
+   * if it reached the end of the string, but we know dest[size - 1] must always
+   * be a NUL byte.
+   */
+  if (size != 0)
+    dest[size - 1] = '\0';
+
+  /* If there is still space in dest, but are here, we reached the end of src. */
+  if (to_copy > 1)
+    return res;
+
+  /*
+   * If we haven't reached the end of the string, iterate through to determine
+   * the strings total length.
+   */
+  while (*src++ != '\0' && ++res)
+   ;
+
+  return res;
+}
+
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -350,3 +350,5 @@ Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
 Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
 Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch
 Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch
+Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
+Patch0354: 0354-misc-Implement-grub_strlcpy.patch
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -16,7 +16,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 93%{?dist}
+Release: 94%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -548,7 +548,7 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 %changelog
-* Tue Feb 04 2025 Release Engineering <releng@rockylinux.org> - 2.06-93
+* Mon Mar 17 2025 Release Engineering <releng@rockylinux.org> - 2.06-94
 - Removing redhat old cert sources entries (Sherif Nagy)
 - Preserving rhel9 sbat entry based on shim-review feedback ticket no. 194
 - Adding prod cert
@@ -557,6 +557,11 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 - Adding Rocky testing CA, CERT and sbat files
 - Use DER for ppc64le builds from rocky-sb-certs (Louis Abel)
+* Thu Feb 20 2025 Nicolas Frayer <nfrayer@redhat.com> 2.06-94
+- CVE fixes
+- Resolves: CVE-2025-0624
+- Resolves: #RHEL-79842
 * Wed Oct 16 2024 Nicolas Frayer <nfrayer@redhat.com> 2.06-93
 - cmd/search: Fix a possible NULL ptr dereference
 - Resolves: #RHEL-63828