From 7dbf629038c2b747cce30b7ce29bbbaccb0a0c5c Mon Sep 17 00:00:00 2001
From: mgb01105731
Date: Thu, 4 Jan 2024 14:24:53 +0800
Subject: [PATCH] fix CVE-2023-4692 and CVE-2023-4693

---
 ...-fix-CVE-2023-4692-and-CVE-2023-4693.patch | 75 +++++++++++++++++++
 grub.patches | 1 +
 grub2.spec | 6 +-
 3 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 0285-fix-CVE-2023-4692-and-CVE-2023-4693.patch

diff --git a/0285-fix-CVE-2023-4692-and-CVE-2023-4693.patch b/0285-fix-CVE-2023-4692-and-CVE-2023-4693.patch
new file mode 100644
index 0000000..7638d96
--- /dev/null
+++ b/0285-fix-CVE-2023-4692-and-CVE-2023-4693.patch
@@ -0,0 +1,75 @@
+From 105165ca190380349757e68c0632c2b5c82d19d0 Mon Sep 17 00:00:00 2001
+From: Fedora Ninjas
+Date: Tue, 16 Jan 2024 10:23:42 +0800
+Subject: [PATCH 1/1] CVE-2023-4692 and CVE-2023-4693
+
+---
+ grub-core/fs/ntfs.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..b604e96 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ if (at->attr_end)
+ {
+- grub_uint8_t *pa;
++ grub_uint8_t *pa, *pa_end;
+
+ at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ if (at->emft_buf == NULL)
+@@ -209,11 +209,14 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ at->attr_nxt = at->edat_buf;
+ at->attr_end = at->edat_buf + u32at (pa, 0x30);
++ pa_end = at->edat_buf + n;
+ }
+ else
+ {
+ at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ at->attr_end = at->attr_end + u32at (pa, 4);
++ pa_end = at->mft->buf + (at->mft->data->mft_size <<
++GRUB_NTFS_BLK_SHR);
+ }
+ at->flags |= GRUB_NTFS_AF_ALST;
+ while (at->attr_nxt < at->attr_end)
+@@ -240,6 +243,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ {
+ if (*pa != attr)
+ break;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ if (read_attr
+ (at, pa + 0x10,
+ u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+@@ -386,6 +396,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ if (ofs + len > u32at (pa, 0x10))
+ return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+ grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++ if (pa >= at->mft->buf + (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size <<
++GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
++
+ return 0;
+ }
+
+
+--
+2.41.0
+
diff --git a/grub.patches b/grub.patches
index a9b6d49..07df41d 100644
--- a/grub.patches
+++ b/grub.patches
@@ -282,5 +282,6 @@
Patch0281: 0281-loongarch-Force-initrd-load-address-64KiB-alignment.patch
Patch0282: 0282-loongarch-Implement-cache-synchronization-operation.patch
Patch0283: 0283-loongarch-Fix-the-initrd-parameter-passing.patch
Patch0284: 0284-loongarch-Disable-relaxation-relocations.patch
+Patch0285: 0285-fix-CVE-2023-4692-and-CVE-2023-4693.patch
Patch1000: 1000-change-to-use-fuse3.patch
diff --git a/grub2.spec b/grub2.spec
index 371b979..7781547 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 14
+%define anolis_release 15
%global _lto_cflags %{nil}
%undefine _hardened_build
@@ -19,6 +19,7 @@ License: GPLv3+
URL: http://www.gnu.org/software/grub/
Source0: https://ftp.gnu.org/gnu/grub/grub-%{tarversion}.tar.xz
Source1: grub.macros
+# It's a commit from their gnulib's development tree. They don't do releases.
Source2: gnulib-%{gnulibversion}.tar.gz
Source3: 99-grub-mkconfig.install
Source4: http://unifoundry.com/pub/unifont/unifont-13.0.06/font-builds/unifont-13.0.06.pcf.gz
@@ -506,6 +507,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
+* Thu Jan 04 2024 mgb01105731 -2.06-15
+- fix CVE-2023-4692 and CVE-2023-4693
+
* Wed Dec 06 2023 happy_orange -2.06-14
- rebuild for loongarch
-- Gitee
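Review bot: In the embedded read_data hunk (`@@ -386,6 +396,20 @@`) the pre-existing `grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);` is carried as a context line rather than removed (the hunk has 14 additions and no deletion, and the inner diffstat reports only 1 deletion for ntfs.c), so the unvalidated copy still runs before the three new range checks and the CVE-2023-4693 out-of-bounds read is not closed; the added `grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);` then copies a second time. Mark that line as removed inside the embedded patch, `-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);`, and adjust the header to `@@ -386,6 +396,19 @@` (and the inner diffstat to 25 insertions, 2 deletions) so the only copy is the checked one. As a point of style, the continuation lines `+GRUB_NTFS_BLK_SHR);` in the find_attr hunk and `+GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)` here are wrapped at column 0 in the middle of an expression; they compile but look hand-edited, so keep each expression on one line as the original fix does. Both find_attr and read_data start and end outside the hunks.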