From 63ecea721b4ee228bb3adc7eb944d6f79e303e0e Mon Sep 17 00:00:00 2001
From: zhuhongbo
Date: Fri, 22 Aug 2025 16:22:13 +0800
Subject: [PATCH] fix cve CVE-2025-0624
---
0500-misc-Implement-grub_strlcpy.patch | 59 +++++++++++++++
...write-in-grub_net_search_config_file.patch | 72 +++++++++++++++++++
grub.patches | 2 +
grub2.spec | 5 +-
4 files changed, 137 insertions(+), 1 deletion(-)
create mode 100644 0500-misc-Implement-grub_strlcpy.patch
create mode 100644 0501-net-Fix-OOB-write-in-grub_net_search_config_file.patch
diff --git a/0500-misc-Implement-grub_strlcpy.patch b/0500-misc-Implement-grub_strlcpy.patch
new file mode 100644
index 0000000..ec77c3b
--- /dev/null
+++ b/0500-misc-Implement-grub_strlcpy.patch
@@ -0,0 +1,59 @@
+From b5dc33e4160856dd12e268c5f79f4b07d492d70e Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 19 Aug 2025 15:36:36 +0800
+Subject: Implement grub_strlcpy
+
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 1b722c818..88fc2a6b0 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
+ return d - 1;
+ }
+
++static inline grub_size_t
++grub_strlcpy (char *dest, const char *src, grub_size_t size)
++{
++ char *d = dest;
++ grub_size_t res = 0;
++ /*
++ * We do not subtract one from size here to avoid dealing with underflowing
++ * the value, which is why to_copy is always checked to be greater than one
++ * throughout this function.
++ */
++ grub_size_t to_copy = size;
++
++ /* Copy size - 1 bytes to dest. */
++ if (to_copy > 1)
++ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
++ ;
++
++ /*
++ * NUL terminate if size != 0. The previous step may have copied a NUL byte
++ * if it reached the end of the string, but we know dest[size - 1] must always
++ * be a NUL byte.
++ */
++ if (size != 0)
++ dest[size - 1] = '\0';
++
++ /* If there is still space in dest, but are here, we reached the end of src. */
++ if (to_copy > 1)
++ return res;
++
++ /*
++ * If we haven't reached the end of the string, iterate through to determine
++ * the strings total length.
++ */
++ while (*src++ != '\0' && ++res)
++ ;
++
++ return res;
++}
++
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
diff --git a/0501-net-Fix-OOB-write-in-grub_net_search_config_file.patch b/0501-net-Fix-OOB-write-in-grub_net_search_config_file.patch
new file mode 100644
index 0000000..74c8169
--- /dev/null
+++ b/0501-net-Fix-OOB-write-in-grub_net_search_config_file.patch
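Review bot: grub_strlcpy in the include/grub/misc.h hunk of 0500 has no header comment stating its contract, and the one caller this commit adds (in 0501) discards the return value. From the visible body the function copies at most size - 1 bytes, always NUL-terminates when size is non-zero, and returns the full length of src, so a result >= size means the copy was truncated. I would put that above the definition, e.g. `/* Copy src to dest, writing at most size bytes including the NUL; returns grub_strlen (src), so a result >= size means truncation. */`. The inline comment "If there is still space in dest, but are here" also reads as if a word is missing ("but we are here").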
@@ -0,0 +1,72 @@
+From b5dc33e4160856dd12e268c5f79f4b07d492d70e Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 19 Aug 2025 15:36:36 +0800
+Subject: [PATCH] fix cve CVE-2025-0624
+
+---
+ grub-core/net/net.c | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 7105d1e..e8452c6 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1906,9 +1906,9 @@ grub_net_restore_hw (void)
+ }
+
+ grub_err_t
+-grub_net_search_configfile (char *config)
++grub_net_search_configfile (char *config, grub_size_t config_buf_len)
+ {
+- grub_size_t config_len;
++ grub_size_t config_len, suffix_len;
+ char *suffix;
+
+ auto int search_through (grub_size_t num_tries, grub_size_t slice_size);
+@@ -1945,6 +1945,7 @@ grub_net_search_configfile (char *config)
+ config_len = grub_strlen (config);
+ config[config_len] = '-';
+ suffix = config + config_len + 1;
++ suffix_len = config_buf_len - (config_len + 1);
+
+ struct grub_net_network_level_interface *inf;
+ FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -1970,7 +1971,7 @@ grub_net_search_configfile (char *config)
+
+ if (client_uuid)
+ {
+- grub_strcpy (suffix, client_uuid);
++ grub_strlcpy (suffix, client_uuid, suffix_len);
+ if (search_through (1, 0) == 0) return GRUB_ERR_NONE;
+ }
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 04ae9ed..bf22161 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -353,7 +353,7 @@ grub_try_normal (const char *variable)
+ return GRUB_ERR_FILE_NOT_FOUND;
+
+ grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+- err = grub_net_search_configfile (config);
++ err = grub_net_search_configfile (config, config_len);
+ }
+
+ if (err != GRUB_ERR_NONE)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 0d31f00..25d6980 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -655,6 +655,6 @@ extern char 
*grub_net_default_server;
+ #define VLANTAG_IDENTIFIER 0x8100
+
+ grub_err_t
+-grub_net_search_configfile (char *config);
++grub_net_search_configfile (char *config, grub_size_t config_buf_len);
+
+ #endif /* ! GRUB_NET_HEADER */
+--
+2.48.1
+
diff --git a/grub.patches b/grub.patches
index a566e0f..40ccb82 100644
--- a/grub.patches
+++ b/grub.patches
@@ -497,3 +497,5 @@ Patch0496: 0496-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
 Patch0497: 0497-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
 Patch0498: 0498-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
 Patch0499: 0499-safemath-add-grub_cast-for-gcc-5.1.patch
+Patch0500: 0500-misc-Implement-grub_strlcpy.patch
+Patch0501: 0501-net-Fix-OOB-write-in-grub_net_search_config_file.patch
diff --git a/grub2.spec b/grub2.spec
index bb09383..3f0d2c5 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -6,7 +6,7 @@ Name: grub2
 Epoch: 1
 Version: 2.02
-Release: 0.87%{?dist}%{?buildid}.14
+Release: 0.87%{?dist}%{?buildid}.15
 Summary: Bootloader with support for Linux, Multiboot and more
 Group: System Environment/Base
 License: GPLv3+
@@ -469,6 +469,9 @@ fi
 %endif
 %changelog
+* Fri Aug 22 2025 zhuhongbo - 2.02-0.87.an7.15
+- fix: fix cve CVE-2025-0624
+
 * Thu Feb 1 2024 Nicolas Frayer - 2.02-087.el7.14
 - Rebuild for signing
 - Related: RHEL-23460
-- Gitee
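Review bot: `suffix_len = config_buf_len - (config_len + 1);` in the grub-core/net/net.c hunk of 0501 is an unsigned subtraction with no check that `config_len + 1 < config_buf_len`, so a config string that already fills the buffer would wrap suffix_len to a very large value and the new grub_strlcpy bound would no longer limit the copy. The `config[config_len] = '-'` store just above it would in that case also overwrite the terminator with no room left for a new one. The caller's allocation is not visible in this patch, so this may be unreachable today, but a guard before the '-' store would make the function safe on its own, e.g. `if (config_len + 1 >= config_buf_len) return GRUB_ERR_OUT_OF_RANGE;`. The grub_strlcpy result is also ignored, so a truncated client_uuid is looked up as if it were complete; comparing the result against suffix_len and skipping the search would avoid that. Only the client_uuid copy is converted here, and the rest of grub_net_search_configfile lies outside the hunks, so any other write through suffix should be confirmed to be bounded by suffix_len as well.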