From: Daniel Kiper
To: grub-devel@gnu.org
Subject: [SECURITY PATCH 23/30] net/http: Fix OOB write for split http headers
Date: Tue, 7 Jun 2022 19:01:32 +0200
Message-Id: <20220607170139.19968-23-daniel.kiper@oracle.com>
In-Reply-To: <20220607170032.cnhkkxtnsvrzg6te@tomti.i.net-space.pl>
References: <20220607170032.cnhkkxtnsvrzg6te@tomti.i.net-space.pl>
List-Id: The development of GNU GRUB
From: Daniel Axtens

GRUB has special code for handling an http header that is split across two packets. The code tracks the end of line by looking for a "\n" byte.

The code for split headers has always advanced the pointer just past the end of the line, whereas the code that handles unsplit headers does not advance the pointer. This extra advance causes the length to be one greater, which breaks an assumption in parse_line(), leading to it writing a NUL byte one byte past the end of the buffer where we reconstruct the line from the two packets.

It's conceivable that an attacker-controlled set of packets could cause this to zero out the first byte of the "next" pointer of the grub_mm_region structure following the current_line buffer.

Do not advance the pointer in the split header case.

Fixes: CVE-2022-28734

Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
 grub-core/net/http.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index f8d7bf0cd..33a0a28c4 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
       int have_line = 1;
       char *t;
       ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
-      if (ptr)
-        ptr++;
-      else
+      if (ptr == NULL)
         {
           have_line = 0;
           ptr = (char *) nb->tail;
-- 
2.11.0
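Review bot: the invariant this hunk restores is not documented in the code it touches; the context ends right after `ptr = grub_memchr (nb->data, '\n', ...)` and nothing in view says that `ptr` must now stay on the '\n' rather than one past it. A one-line comment above `+      if (ptr == NULL)` recording that the split path leaves `ptr` at the newline so its byte count matches the unsplit path (the parse_line() expectation the commit message describes) would make this off-by-one hard to reintroduce. It would also help review to see the lines that follow the hunk, where `ptr - nb->data` is used as the length, so a reader can confirm that whatever later consumes `nb->data` still steps over the '\n' now that `ptr` itself no longer does.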
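To make the arithmetic in the commit message concrete, here is a small C model of reassembling one header line from a saved partial fragment plus the packet that completes it. This is an added illustration, not GRUB's code: the function names (`line_bytes_in_packet`, `terminate_line`, `reassemble_line`, `demo_split_header`), the sample header split and the allocation model (room for the bytes before the '\n' plus one slot where the terminator replaces the '\n') are this example's own assumptions. It shows that counting the newline into the segment length, as the removed `ptr++` did, puts the terminating NUL exactly one byte past the allocation, and that a bounds check on the terminator index catches it.

```c
/* Added example, not GRUB code: model of joining a split header line and
 * terminating it, with the pre-fix and fixed byte counts side by side. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes of the current line that this packet contributes, found by searching
 * the packet for '\n' as the split-header path does.  advance_past_newline
 * == 1 reproduces the pre-fix arithmetic (pointer stepped past the '\n');
 * 0 is the fixed arithmetic (pointer left on the '\n', as the unsplit path). */
size_t line_bytes_in_packet(const char *data, size_t len, int advance_past_newline)
{
    const char *nl = memchr(data, '\n', len);
    if (nl == NULL)
        return len;                      /* no line end yet: take everything */
    if (advance_past_newline)
        return (size_t)(nl - data) + 1;  /* counts the '\n' itself: one too many */
    return (size_t)(nl - data);          /* bytes before the '\n' */
}

/* The line consumer's contract: it writes '\0' at index len.  That is only in
 * bounds when len < cap.  Returns 0 when the write was safe and done, -1 when
 * it would have landed past the allocation (the write is refused). */
int terminate_line(char *buf, size_t cap, size_t len)
{
    if (len >= cap)
        return -1;
    buf[len] = '\0';
    return 0;
}

/* Join a saved partial line with the packet that completes it.
 * Allocation model (this example's assumption): bytes before the '\n' plus
 * one slot where the terminator replaces the '\n'.
 * Returns 0 if the line was terminated in bounds (*out holds it, caller
 * frees), -1 if the chosen count would have written past the end,
 * -2 if the packet holds no line end yet, -3 on allocation failure. */
int reassemble_line(const char *frag, size_t frag_len,
                    const char *pkt, size_t pkt_len,
                    int advance_past_newline, char **out)
{
    const char *nl = memchr(pkt, '\n', pkt_len);
    *out = NULL;
    if (nl == NULL)
        return -2;

    size_t before_nl = (size_t)(nl - pkt);
    size_t cap = frag_len + before_nl + 1;   /* content + terminator slot */
    char *buf = malloc(cap);
    if (buf == NULL)
        return -3;
    memcpy(buf, frag, frag_len);

    /* seg is at most before_nl + 1 == cap - frag_len, so this copy is in
     * bounds either way; with the buggy count the '\n' fills the terminator
     * slot and the resulting length then points one past the buffer. */
    size_t seg = line_bytes_in_packet(pkt, pkt_len, advance_past_newline);
    memcpy(buf + frag_len, pkt, seg);
    size_t len = frag_len + seg;
    if (terminate_line(buf, cap, len) != 0) {
        free(buf);
        return -1;
    }
    *out = buf;
    return 0;
}

/* Constructed sample: the header "Content-Length: 123" split as
 * "Content-Length: 1" | "23\r\nHost: x\r\n".  Returns reassemble_line()'s
 * result, or -4 if the joined text is not what was expected. */
int demo_split_header(int advance_past_newline)
{
    static const char frag[] = "Content-Length: 1";
    static const char pkt[] = "23\r\nHost: x\r\n";
    char *line = NULL;
    int rc = reassemble_line(frag, sizeof frag - 1, pkt, sizeof pkt - 1,
                             advance_past_newline, &line);
    if (rc == 0 && strcmp(line, "Content-Length: 123\r") != 0)
        rc = -4;
    free(line);
    return rc;
}

int main(void)
{
    printf("fixed count: %d (0 = terminated in bounds)\n", demo_split_header(0));
    printf("pre-fix count: %d (-1 = NUL would land past the buffer)\n",
           demo_split_header(1));
    return 0;
}
```

The trailing '\r' stays in the joined text because this model stops at the '\n' only; stripping CR is a separate concern from the byte count the patch corrects.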