grub:master

Last commit made on 2022-11-14
Get this branch:
git clone -b master https://git.launchpad.net/grub

Branch merges

Branch information

Name:
master
Repository:
lp:grub

Recent commits

1514678... by zhangboyang.id@gmail.com

normal/charset: Fix an integer overflow in grub_unicode_aglomerate_comb()

The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
However, code in grub_unicode_aglomerate_comb() doesn't check for an
overflow when incrementing out->ncomb. If out->ncomb is already 255,
after incrementing it will get 0 instead of 256, and cause illegal
memory access in subsequent processing.

This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
acceptable value of ncomb. The code now checks for this limit and
ignores additional combining characters when limit is reached.

Reported-by: Daniel Axtens <email address hidden>
Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

22b77b8... by zhangboyang.id@gmail.com

font: Assign null_font to glyphs in ascii_font_glyph[]

The calculations in blit_comb() need information from glyph's font, e.g.
grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
NULL if main_glyph comes from ascii_font_glyph[]. Therefore
grub_font_get_*() crashes because of NULL pointer.

There is already a solution, the null_font. So, assign it to those glyphs
in ascii_font_glyph[].

Reported-by: Daniel Axtens <email address hidden>
Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

9d81f71... by zhangboyang.id@gmail.com

font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror()

As a mitigation and hardening measure add sanity checks to
grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
makes these two functions do nothing if target blitting area isn't fully
contained in target bitmap. Therefore, if complex calculations in caller
overflows and malicious coordinates are given, we are still safe because
any coordinates which result in out-of-bound-write are rejected. However,
this patch only checks for invalid coordinates, and doesn't provide any
protection against invalid source glyph or destination glyph, e.g.
mismatch between glyph size and buffer size.

This hardening measure is designed to mitigate possible overflows in
blit_comb(). If overflow occurs, it may return invalid bounding box
during dry run and call grub_font_blit_glyph() with malicious
coordinates during actual blitting. However, we are still safe because
the scratch glyph itself is valid, although its size makes no sense, and
any invalid coordinates are rejected.

It would be better to call grub_fatal() if illegal parameter is detected.
However, doing this may end up in a dangerous recursion because grub_fatal()
would print messages to the screen and we are in the progress of drawing
characters on the screen.

Reported-by: Daniel Axtens <email address hidden>
Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

992c061... by zhangboyang.id@gmail.com

font: Fix an integer underflow in blit_comb()

The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
evaluate to a very big invalid value even if both ctx.bounds.height and
combining_glyphs[i]->height are small integers. For example, if
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
expression evaluates to 2147483647 (expected -1). This is because
coordinates are allowed to be negative but ctx.bounds.height is an
unsigned int. So, the subtraction operates on unsigned ints and
underflows to a very big value. The division makes things even worse.
The quotient is still an invalid value even if converted back to int.

This patch fixes the problem by casting ctx.bounds.height to int. As
a result the subtraction will operate on int and grub_uint16_t which
will be promoted to an int. So, the underflow will no longer happen. Other
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
to ensure coordinates are always calculated on signed integers.

Fixes: CVE-2022-3775

Reported-by: Daniel Axtens <email address hidden>
Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

1eac01c... by zhangboyang.id@gmail.com

fbutil: Fix integer overflow

Expressions like u64 = u32 * u32 are unsafe because their products are
truncated to u32 even if left hand side is u64. This patch fixes all
problems like that one in fbutil.

To get right result not only left hand side have to be u64 but it's also
necessary to cast at least one of the operands of all leaf operators of
right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
u64 = (u64)u32 * u32 + (u64)u32 * u32.

For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
not overflow grub_uint64_t.

Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.

This patch also adds a comment to grub_video_fb_get_video_ptr() which
says it's arguments must be valid and no sanity check is performed
(like its siblings in grub-core/video/fb/fbutil.c).

Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

93a786a... by zhangboyang.id@gmail.com

kern/efi/sb: Enforce verification of font files

As a mitigation and hardening measure enforce verification of font
files. Then only trusted font files can be load. This will reduce the
attack surface at cost of losing the ability of end-users to customize
fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
fonts because they have ability to pack fonts into their GRUB bundles.

This goal is achieved by:

  * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
    skip-verification list.

  * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
    so font files must be verified by a verifier before they can be loaded.

Suggested-by: Daniel Kiper <email address hidden>
Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

1d20155... by zhangboyang.id@gmail.com

font: Fix integer underflow in binary search of char index

If search target is less than all entries in font->index then "hi"
variable is set to -1, which translates to SIZE_MAX and leads to errors.

This patch fixes the problem by replacing the entire binary search code
with the libstdc++'s std::lower_bound() implementation.

Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

b9396da... by zhangboyang.id@gmail.com

font: Fix integer overflow in BMP index

The BMP index (font->bmp_idx) is designed as a reverse lookup table of
char entries (font->char_index), in order to speed up lookups for BMP
chars (i.e. code < 0x10000). The values in BMP index are the subscripts
of the corresponding char entries, stored in grub_uint16_t, while 0xffff
means not found.

This patch fixes the problem of large subscript truncated to grub_uint16_t,
leading BMP index to return wrong char entry or report false miss. The
code now checks for bounds and uses BMP index as a hint, and fallbacks
to binary-search if necessary.

On the occasion add a comment about BMP index is initialized to 0xffff.

Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

23843fe... by zhangboyang.id@gmail.com

font: Fix integer overflow in ensure_comb_space()

In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
in the future. This patch also fixes the inconsistency between
render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
returns NULL.

Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>

c512922... by zhangboyang.id@gmail.com

font: Remove grub_font_dup_glyph()

Remove grub_font_dup_glyph() since nobody is using it since 2013, and
I'm too lazy to fix the integer overflow problem in it.

Signed-off-by: Zhang Boyang <email address hidden>
Reviewed-by: Daniel Kiper <email address hidden>