fix for CVE-2020-10713

2020-07-31 00:37:51 +08:00 · 2020-07-31 00:37:51 +08:00 · c9c112e1c3
commit c9c112e1c3
parent 2e2f005f5b
3 changed files with 76 additions and 1 deletions
--- a/0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
+++ b/0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
@ -0,0 +1,68 @@
 From a948ac01744f3490fa5af4b38039f7dade68bb3e Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 15 Apr 2020 15:45:02 -0400
 Subject: [PATCH EMBARGOED CVE-2020-10713] yylex: Make lexer fatal errors
 actually be fatal
 When presented with a command that can't be tokenized to anything
 smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
 expecting that will stop further processing, as such:
  #define YY_DO_BEFORE_ACTION \
        yyg->yytext_ptr = yy_bp; \
        yyleng = (int) (yy_cp - yy_bp); \
        yyg->yy_hold_char = *yy_cp; \
        *yy_cp = '\0'; \
        if ( yyleng >= YYLMAX ) \
                YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
        yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
        yyg->yy_c_buf_p = yy_cp;
 The code flex generates expects that YY_FATAL_ERROR() will either return
 for it or do some form of longjmp(), or handle the error in some way at
 least, and so the strncpy() call isn't in an "else" clause, and thus if
 YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
 questionable limit, and predictable results ensue.
 Unfortunately, our implementation of YY_FATAL_ERROR() is:
   #define YY_FATAL_ERROR(msg)                     \
     do {                                          \
       grub_printf (_("fatal error: %s\n"), _(msg));     \
     } while (0)
 The same pattern exists in yyless(), and similar problems exist in users
 of YY_INPUT(), several places in the main parsing loop,
 yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
 yy_scan_buffer(), etc.
 All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
 the things they do if it returns after calling it are wildly unsafe.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
 grub-core/script/yylex.l | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
 index 7b44c37b7..b7203c823 100644
 --- a/grub-core/script/yylex.l
 +++ b/grub-core/script/yylex.l
@@ -37,11 +37,11 @@
 /* 
  * As we don't have access to yyscanner, we cannot do much except to
 - * print the fatal error.
 + * print the fatal error and exit.
  */
 #define YY_FATAL_ERROR(msg)                     \
   do {                                          \
 -    grub_printf (_("fatal error: %s\n"), _(msg));     \
 +    grub_fatal (_("fatal error: %s\n"), _(msg));\
   } while (0)
 #define COPY(str, hint)                         \
 -- 
 2.11.0
--- a/grub.patches
+++ b/grub.patches
@ -251,6 +251,7 @@ Patch6008: normal-menu-Do-not-treat-error-values-as-key-presses.patch
 Patch6009: osdep-freebsd-Fix-partition-calculation-for-EBR-entr.patch
 Patch6010: 0001-CVE-2019-14865.patch
 Patch6011: 0002-CVE-2019-14865.patch
 Patch6012: 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
 Patch9000: 0001-fix-grub-search-configfile-failed-in-net.patch
 Patch9001: Workaround-for-EFI-Bug-Plan3.patch
 Patch9002: revert-0067-Be-more-aggro.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	75
+Release:	76
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -361,6 +361,12 @@ fi
 %{_datadir}/man/man*
 %changelog
 * Fri Jul 31 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.02-76
 - Type:cves
 - Id:CVE-2020-10713
 - SUG:NA
 - DESC:fix CVE-2020-10713
 * Fri Jun 5 2020 fengtao <fengtao40@huawei.com> - 2.02-75
 - remove sign for grub efi