[styhead,13/17] grub: patch CVE-2025-0690

Message ID	20250311181424.8837-13-peter.marko@siemens.com
State	Under Review
Delegated to:	Steve Sakoman
Headers	show Return-Path: <peter.marko@siemens.com> ip: 185.136.65.227, mailfrom: fm-256628-202503111815456e2c0fd16e40599cb2-vpaqme@rts-flowmailer.siemens.com) From: Peter Marko <peter.marko@siemens.com> To: openembedded-core@lists.openembedded.org Cc: Peter Marko <peter.marko@siemens.com> Subject: [OE-core][styhead][PATCH 13/17] grub: patch CVE-2025-0690 Date: Tue, 11 Mar 2025 19:14:20 +0100 Message-Id: <20250311181424.8837-13-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-256628:519-21489:flowmailer
Series	[styhead,01/17] grub: drop obsolete CVE statuses \| expand [styhead,01/17] grub: drop obsolete CVE statuses [styhead,02/17] grub: backport strlcpy function [styhead,03/17] grup: patch CVE-2024-45781 [styhead,04/17] grub: patch CVE-2024-45782 and CVE-2024-56737 [styhead,05/17] grub: patch CVE-2024-45780 [styhead,06/17] grub: patch CVE-2024-45783 [styhead,07/17] grub: patch CVE-2025-0624 [styhead,08/17] grub: patch CVE-2024-45774 [styhead,09/17] grub: patch CVE-2024-45775 [styhead,10/17] grub: patch CVE-2025-0622 [styhead,11/17] grub: patch CVE-2024-45776 [styhead,12/17] grub: patch CVE-2024-45777 [styhead,13/17] grub: patch CVE-2025-0690 [styhead,14/17] grub: patch CVE-2025-1118 [styhead,15/17] grub: patch CVE-2024-45778 and CVE-2024-45779 [styhead,16/17] grub: patch CVE-2025-0677, CVE-2025-0684, CVE-2025-0685, CVE-2025-0686 and CVE-2025… [styhead,17/17] grub: patch CVE-2025-0678 and CVE-2025-1125

Message ID

20250311181424.8837-13-peter.marko@siemens.com

State

Under Review

Delegated to:

Steve Sakoman

Headers

From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko <peter.marko@siemens.com>
Subject: [OE-core][styhead][PATCH 13/17] grub: patch CVE-2025-0690
Date: Tue, 11 Mar 2025 19:14:20 +0100
Message-Id: <20250311181424.8837-13-peter.marko@siemens.com>
In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com>
References: <20250311181424.8837-1-peter.marko@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-256628:519-21489:flowmailer

Series

[styhead,01/17] grub: drop obsolete CVE statuses | expand

Commit Message

Peter Marko March 11, 2025, 6:14 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Cherry-pick patch mentioning this CVE.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../grub/files/CVE-2025-0690.patch            | 73 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0690.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
new file mode 100644
index 0000000000..be585c96ad
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
@@ -0,0 +1,73 @@ 
+From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
+From: Jonathan Bar Or <jonathanbaror@gmail.com>
+Date: Thu, 23 Jan 2025 19:17:05 +0100
+Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
+ than 2^31 characters
+
+The grub_getline() function currently has a signed integer variable "i"
+that can be overflown when user supplies more than 2^31 characters.
+It results in a memory corruption of the allocated line buffer as well
+as supplying large negative values to grub_realloc().
+
+Fixes: CVE-2025-0690
+
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0690
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/commands/read.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
+index 597c90706..8d72e45c9 100644
+--- a/grub-core/commands/read.c
++++ b/grub-core/commands/read.c
+@@ -25,6 +25,7 @@
+ #include <grub/types.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] =
+ static char *
+ grub_getline (int silent)
+ {
+-  int i;
++  grub_size_t i;
+   char *line;
+   char *tmp;
+   int c;
++  grub_size_t alloc_size;
+ 
+   i = 0;
+-  line = grub_malloc (1 + i + sizeof('\0'));
++  line = grub_malloc (1 + sizeof('\0'));
+   if (! line)
+     return NULL;
+ 
+@@ -59,8 +61,17 @@ grub_getline (int silent)
+       line[i] = (char) c;
+       if (!silent)
+ 	grub_printf ("%c", c);
+-      i++;
+-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
++      if (grub_add (i, 1, &i))
++        {
++          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++          return NULL;
++        }
++      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
++        {
++          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++          return NULL;
++        }
++      tmp = grub_realloc (line, alloc_size);
+       if (! tmp)
+ 	{
+ 	  grub_free (line);
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index b67b7d2e16..6f0c8a133f 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -31,6 +31,7 @@  SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://CVE-2025-0622-03.patch \
            file://CVE-2024-45776.patch \
            file://CVE-2024-45777.patch \
+           file://CVE-2025-0690.patch \
 "
 
 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"

[styhead,13/17] grub: patch CVE-2025-0690

Commit Message

Patch