Commit Graph

14672 Commits

Author SHA1 Message Date
Steve McIntyre
d6be13a9e7 Don't install fallback to removable media
It only causes problems. Closes: #1016737
2023-01-15 23:47:09 +00:00
Steve McIntyre
036c38093b /etc/default/grub: Fix comment about text-mode console
Fixes #845683
2022-12-29 20:59:36 +00:00
Steve McIntyre
44e74e2a73 postinst: be more verbose when using grub-install
to install onto devices
2022-12-29 13:39:36 +00:00
Steve McIntyre
9ba3bf3855 grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981
Apply patch from upstream,

Closes: #1001414
2022-12-29 13:36:46 +00:00
Steve McIntyre
9df17d0bdb Include upstream patch to enable EFI zboot support on arm64
Closes: #1026092
2022-12-14 16:57:42 +00:00
Steve McIntyre
16895d90dd Switch build-deps from gcc-10 to gcc-12. Closes: #1022184
Also needs backports from upstream commits to fix warnings/errors
from using gcc 12:

be8eb0eed util/mkimage: Fix dangling pointer may be used error
acffb8148 build: Fix -Werror=array-bounds array subscript 0 is outside array bounds
3ce13d974 lib/reed_solomon: Fix array subscript 0 is outside array bounds
2022-12-11 16:47:49 +00:00
Steve McIntyre
552fb31330 Fix an issue in an f2fs security fix which caused mount failures
Closes: #1021846. Thanks to программист некто for helping to debug the
problem!
2022-12-11 12:09:24 +00:00
Steve McIntyre
1fd7f8c9c9 Fix error handling in grub_file_open()
Make font fallback handling work!
2022-12-06 03:15:39 +00:00
Steve McIntyre
28632f1776 Release version 2.06-6 2022-12-04 20:42:19 +00:00
Steve McIntyre
2c1a132e34 Switch away from git-dpm 2022-12-04 18:22:27 +00:00
Steve McIntyre
e2dc71dd03 Bump Debian SBAT level to 4
Due to a mistake in the buster update that left the CVE-2022-2601 bugs
in place, we need to bump SBAT for all of the Debian GRUB binaries. :-(
2022-12-04 17:08:31 +00:00
Steve McIntyre
5055c4741e Add fonts to the EFI images
The previous security updates disallowed loading unsigned fonts when
in SB mode. To make things work again:

 * Embed the "unicode" font into the embedded memdisk image so it can
   be loaded.
 * Add the memdisk to our normal grubx64.efi loader too
 * Add a patch from Chris Coulson to make the font loader look for
   fonts in the memdisk whenever they're loaded.

Closes: #1024395, #1025352, #1024447
2022-12-04 17:02:56 +00:00
Steve McIntyre
25fe9dd841 Pull in upstream patches to harden font and image handling
CVE-2022-2601, CVE-2022-3775

Bump SBAT level to 3 for grub-efi packages
2022-11-14 18:10:12 +00:00
Zhang Boyang
afa02a1bb2 normal/charset: Fix an integer overflow in grub_unicode_aglomerate_comb()
The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
However, code in grub_unicode_aglomerate_comb() doesn't check for an
overflow when incrementing out->ncomb. If out->ncomb is already 255,
after incrementing it will get 0 instead of 256, and cause illegal
memory access in subsequent processing.

This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
acceptable value of ncomb. The code now checks for this limit and
ignores additional combining characters when limit is reached.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
b272bbd408 font: Assign null_font to glyphs in ascii_font_glyph[]
The calculations in blit_comb() need information from glyph's font, e.g.
grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
NULL if main_glyph comes from ascii_font_glyph[]. Therefore
grub_font_get_*() crashes because of NULL pointer.

There is already a solution, the null_font. So, assign it to those glyphs
in ascii_font_glyph[].

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
918f5efa88 font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror()
As a mitigation and hardening measure add sanity checks to
grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
makes these two functions do nothing if target blitting area isn't fully
contained in target bitmap. Therefore, if complex calculations in caller
overflows and malicious coordinates are given, we are still safe because
any coordinates which result in out-of-bound-write are rejected. However,
this patch only checks for invalid coordinates, and doesn't provide any
protection against invalid source glyph or destination glyph, e.g.
mismatch between glyph size and buffer size.

This hardening measure is designed to mitigate possible overflows in
blit_comb(). If overflow occurs, it may return invalid bounding box
during dry run and call grub_font_blit_glyph() with malicious
coordinates during actual blitting. However, we are still safe because
the scratch glyph itself is valid, although its size makes no sense, and
any invalid coordinates are rejected.

It would be better to call grub_fatal() if illegal parameter is detected.
However, doing this may end up in a dangerous recursion because grub_fatal()
would print messages to the screen and we are in the progress of drawing
characters on the screen.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
f0d0d3e0d1 font: Fix an integer underflow in blit_comb()
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
evaluate to a very big invalid value even if both ctx.bounds.height and
combining_glyphs[i]->height are small integers. For example, if
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
expression evaluates to 2147483647 (expected -1). This is because
coordinates are allowed to be negative but ctx.bounds.height is an
unsigned int. So, the subtraction operates on unsigned ints and
underflows to a very big value. The division makes things even worse.
The quotient is still an invalid value even if converted back to int.

This patch fixes the problem by casting ctx.bounds.height to int. As
a result the subtraction will operate on int and grub_uint16_t which
will be promoted to an int. So, the underflow will no longer happen. Other
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
to ensure coordinates are always calculated on signed integers.

Fixes: CVE-2022-3775

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
c2491cb80c fbutil: Fix integer overflow
Expressions like u64 = u32 * u32 are unsafe because their products are
truncated to u32 even if left hand side is u64. This patch fixes all
problems like that one in fbutil.

To get right result not only left hand side have to be u64 but it's also
necessary to cast at least one of the operands of all leaf operators of
right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
u64 = (u64)u32 * u32 + (u64)u32 * u32.

For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
not overflow grub_uint64_t.

Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.

This patch also adds a comment to grub_video_fb_get_video_ptr() which
says it's arguments must be valid and no sanity check is performed
(like its siblings in grub-core/video/fb/fbutil.c).

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
03d18df312 kern/efi/sb: Enforce verification of font files
As a mitigation and hardening measure enforce verification of font
files. Then only trusted font files can be load. This will reduce the
attack surface at cost of losing the ability of end-users to customize
fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
fonts because they have ability to pack fonts into their GRUB bundles.

This goal is achieved by:

  * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
    skip-verification list.

  * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
    so font files must be verified by a verifier before they can be loaded.

Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
c274accb46 font: Fix integer underflow in binary search of char index
If search target is less than all entries in font->index then "hi"
variable is set to -1, which translates to SIZE_MAX and leads to errors.

This patch fixes the problem by replacing the entire binary search code
with the libstdc++'s std::lower_bound() implementation.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
b24a98f935 font: Fix integer overflow in BMP index
The BMP index (font->bmp_idx) is designed as a reverse lookup table of
char entries (font->char_index), in order to speed up lookups for BMP
chars (i.e. code < 0x10000). The values in BMP index are the subscripts
of the corresponding char entries, stored in grub_uint16_t, while 0xffff
means not found.

This patch fixes the problem of large subscript truncated to grub_uint16_t,
leading BMP index to return wrong char entry or report false miss. The
code now checks for bounds and uses BMP index as a hint, and fallbacks
to binary-search if necessary.

On the occasion add a comment about BMP index is initialized to 0xffff.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
96409d679a font: Fix integer overflow in ensure_comb_space()
In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
in the future. This patch also fixes the inconsistency between
render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
returns NULL.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
abce8a8ff6 font: Remove grub_font_dup_glyph()
Remove grub_font_dup_glyph() since nobody is using it since 2013, and
I'm too lazy to fix the integer overflow problem in it.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
598911a414 font: Fix several integer overflows in grub_font_construct_glyph()
This patch fixes several integer overflows in grub_font_construct_glyph().
Glyphs of invalid size, zero or leading to an overflow, are rejected.
The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
returns NULL is fixed too.

Fixes: CVE-2022-2601

Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
2f01e9c03b font: Fix size overflow in grub_font_get_glyph_internal()
The length of memory allocation and file read may overflow. This patch
fixes the problem by using safemath macros.

There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
It is safe replacement for such code. It has safemath-like prototype.

This patch also introduces grub_cast(value, pointer), it casts value to
typeof(*pointer) then store the value to *pointer. It returns true when
overflow occurs or false if there is no overflow. The semantics of arguments
and return value are designed to be consistent with other safemath macros.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Zhang Boyang
280a9f2163 font: Reject glyphs exceeds font->max_glyph_width or font->max_glyph_height
Check glyph's width and height against limits specified in font's
metadata. Reject the glyph (and font) if such limits are exceeded.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Alec Brown
85856560d5 video/readers: Add artificial limit to image dimensions
In grub-core/video/readers/jpeg.c, the height and width of a JPEG image don't
have an upper limit for how big the JPEG image can be. In Coverity, this is
getting flagged as an untrusted loop bound. This issue can also seen in PNG and
TGA format images as well but Coverity isn't flagging it. To prevent this, the
constant IMAGE_HW_MAX_PX is being added to include/grub/bitmap.h, which has
a value of 16384, to act as an artificial limit and restrict the height and
width of images. This value was picked as it is double the current max
resolution size, which is 8K.

Fixes: CID 292450

Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-11-12 22:51:49 +00:00
Steve McIntyre
cff73ced22 Explicitly unset SOURCE_DATE_EPOCH before running fs tests.
In some filesystem utils like mksquashfs, it will silently change
behaviour and cause timestamps to unexpectedly change. Reproducible
builds are good and useful for shipped artifacts, but this causes
build-time tests to fail.
2022-09-18 22:51:10 +01:00
Steve McIntyre
29ca8971e2 Releasing package grub2 version 2.06-4 2022-09-14 22:41:31 +01:00
Steve McIntyre
582873fcd2 Don't strip Xen binaries so they work again.
Closes: #1017944. Thanks to Valentin Kleibel for the patch.
2022-09-14 22:40:29 +01:00
Steve McIntyre
a42e72c2cb Add serial to the signed grub efi images. Closes: #1013962 2022-08-23 22:35:47 +01:00
Steve McIntyre
1f1ddc95a5 grub2-common: Remove dependency on install-info
it's apparently not needed. Closes: #1013698
2022-08-23 22:30:06 +01:00
Steve McIntyre
7c6510aa13 Also close #1009336 for GRUB_DISABLE_OS_PROBER in /etc/default/grub 2022-08-23 22:24:59 +01:00
Steve McIntyre
4d69ba5a3c Add smbios to the signed grub efi images. Closes: #1008106 2022-08-23 22:23:32 +01:00
Steve McIntyre
a8e37e17ae Add a commented-out GRUB_DISABLE_OS_PROBER section
to /etc/default/grub to make it easier for users to turn os-prober
back on if they want it. Closes: #1013797
2022-08-23 22:14:04 +01:00
Steve McIntyre
3a6c7d088f Update the 2.06-3 changelog to mention closure of CVE-2022-28736 2022-07-30 15:23:48 +01:00
Julian Andres Klode
f844128767
releasing package grub2 version 2.06-3 2022-06-10 11:17:00 +02:00
Julian Andres Klode
6671639d47 Security updates 2022-06-10 10:43:34 +02:00
Julian Andres Klode
574e41e0da merge patched into master 2022-06-10 10:30:47 +02:00
Darren Kenny
589500ad37 fs/btrfs: Fix more fuzz issues related to chunks
The corpus was generating issues in grub_btrfs_read_logical() when
attempting to iterate over stripe entries in the superblock's
bootmapping.

In most cases the reason for the failure was that the number of stripes
in chunk->nstripes exceeded the possible space statically allocated in
superblock bootmapping space. Each stripe entry in the bootmapping block
consists of a grub_btrfs_key followed by a grub_btrfs_chunk_stripe.

Another issue that came up was that while calculating the chunk size,
in an earlier piece of code in that function, depending on the data
provided in the btrfs file system, it would end up calculating a size
that was too small to contain even 1 grub_btrfs_chunk_item, which is
obviously invalid too.

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Darren Kenny
22976cf1b9 fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
The fuzzer is generating btrfs file systems that have chunks with
invalid combinations of stripes and substripes for the given RAID
configurations.

After examining the Linux kernel fs/btrfs/tree-checker.c code, it
appears that sub-stripes should only be applied to RAID10, and in that
case there should only ever be 2 of them.

Similarly, RAID single should only have 1 stripe, and RAID1/1C3/1C4
should have 2. 3 or 4 stripes respectively, which is what redundancy
corresponds.

Some of the chunks ended up with a size of 0, which grub_malloc() still
returned memory for and in turn generated ASAN errors later when
accessed.

While it would be possible to specifically limit the number of stripes,
a more correct test was on the combination of the chunk item, and the
number of stripes by the size of the chunk stripe structure in
comparison to the size of the chunk itself.

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Darren Kenny
23c785c3e9 fs/btrfs: Fix several fuzz issues with invalid dir item sizing
According to the btrfs code in Linux, the structure of a directory item
leaf should be of the form:

  |struct btrfs_dir_item|name|data|

in GRUB the name len and data len are in the grub_btrfs_dir_item
structure's n and m fields respectively.

The combined size of the structure, name and data should be less than
the allocated memory, a difference to the Linux kernel's struct
btrfs_dir_item is that the grub_btrfs_dir_item has an extra field for
where the name is stored, so we adjust for that too.

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Sudhakar Kuppusamy
998bd74c11 fs/f2fs: Do not copy file names that are too long
A corrupt f2fs file system might specify a name length which is greater
than the maximum name length supported by the GRUB f2fs driver.

We will allocate enough memory to store the overly long name, but there
are only F2FS_NAME_LEN bytes in the source, so we would read past the end
of the source.

While checking directory entries, do not copy a file name with an invalid
length.

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Sudhakar Kuppusamy
9561d7ef62 fs/f2fs: Do not read past the end of nat bitmap
A corrupt f2fs filesystem could have a block offset or a bitmap
offset that would cause us to read beyond the bounds of the nat
bitmap.

Introduce the nat_bitmap_size member in grub_f2fs_data which holds
the size of nat bitmap.

Set the size when loading the nat bitmap in nat_bitmap_ptr(), and
catch when an invalid offset would create a pointer past the end of
the allocated space.

Check against the bitmap size in grub_f2fs_test_bit() test bit to avoid
reading past the end of the nat bitmap.

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Sudhakar Kuppusamy
2d014248d5 fs/f2fs: Do not read past the end of nat journal entries
A corrupt f2fs file system could specify a nat journal entry count
that is beyond the maximum NAT_JOURNAL_ENTRIES.

Check if the specified nat journal entry count before accessing the
array, and throw an error if it is too large.

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Daniel Axtens
870b94755b net/http: Error out on headers with LF without CR
In a similar vein to the previous patch, parse_line() would write
a NUL byte past the end of the buffer if there was an HTTP header
with a LF rather than a CRLF.

RFC-2616 says:

  Many HTTP/1.1 header field values consist of words separated by LWS
  or special characters. These special characters MUST be in a quoted
  string to be used within a parameter value (as defined in section 3.6).

We don't support quoted sections or continuation lines, etc.

If we see an LF that's not part of a CRLF, bail out.

Fixes: CVE-2022-28734

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Daniel Axtens
f407a45bd3 net/http: Fix OOB write for split http headers
GRUB has special code for handling an http header that is split
across two packets.

The code tracks the end of line by looking for a "\n" byte. The
code for split headers has always advanced the pointer just past the
end of the line, whereas the code that handles unsplit headers does
not advance the pointer. This extra advance causes the length to be
one greater, which breaks an assumption in parse_line(), leading to
it writing a NUL byte one byte past the end of the buffer where we
reconstruct the line from the two packets.

It's conceivable that an attacker controlled set of packets could
cause this to zero out the first byte of the "next" pointer of the
grub_mm_region structure following the current_line buffer.

Do not advance the pointer in the split header case.

Fixes: CVE-2022-28734

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Daniel Axtens
6df718714d net/http: Do not tear down socket if it's already been torn down
It's possible for data->sock to get torn down in tcp error handling.
If we unconditionally tear it down again we will end up doing writes
to an offset of the NULL pointer when we go to tear it down again.

Detect if it has been torn down and don't do it again.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Daniel Axtens
fb66f40ba6 net/tftp: Avoid a trivial UAF
Under tftp errors, we print a tftp error message from the tftp header.
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
we were freeing the nb and then dereferencing it. Don't do that, use it
and then free it later.

This isn't really _bad_ per se, especially as we're single-threaded, but
it trips up fuzzers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00
Daniel Axtens
e7573be61b net/tftp: Prevent a UAF and double-free from a failed seek
A malicious tftp server can cause UAFs and a double free.

An attempt to read from a network file is handled by grub_net_fs_read(). If
the read is at an offset other than the current offset, grub_net_seek_real()
is invoked.

In grub_net_seek_real(), if a backwards seek cannot be satisfied from the
currently received packets, and the underlying transport does not provide
a seek method, then grub_net_seek_real() will close and reopen the network
protocol layer.

For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t
file->data. The file->data pointer is not nulled out after the free.

If the ->open() call fails, the file->data will not be reallocated and will
continue point to a freed memory block. This could happen from a server
refusing to send the requisite ack to the new tftp request, for example.

The seek and the read will then fail, but the grub_file continues to exist:
the failed seek does not necessarily cause the entire file to be thrown
away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc.,
a read failure is interpreted as a decompressor passing on the file, not as
an invalidation of the entire grub_file_t structure).

This means subsequent attempts to read or seek the file will use the old
file->data after free. Eventually, the file will be close()d again and
file->data will be freed again.

Mark a net_fs file that doesn't reopen as broken. Do not permit read() or
close() on a broken file (seek is not exposed directly to the file API -
it is only called as part of read, so this blocks seeks as well).

As an additional defence, null out the ->data pointer if tftp_open() fails.
That would have lead to a simple null pointer dereference rather than
a mess of UAFs.

This may affect other protocols, I haven't checked.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2022-06-08 12:41:03 +02:00