CVE CyberSecurity Database News

CVE-2022-28733 - How an Integer Underflow in GRUB Network Code Can Compromise Your System

Poster -

In early 2022, security researchers discovered CVE-2022-28733—a critical vulnerability in the GRUB bootloader's network stack. This flaw exists in the grub_net_recv_ip4_packets() function and centers on an integer underflow vulnerability. An attacker who is able to send specially crafted IP packets can exploit this bug to allocate memory incorrectly, leading to the possibility of writing past the buffer. In this post, we will explain how this bug works, look at real code snippets, and discuss what you can do to stay safe.

What Is GRUB and Why Does This Matter?

GRUB (Grand Unified Bootloader) is a common bootloader used in the Linux world. It is responsible for loading the kernel and, sometimes, has networking features (for example, booting over PXE or downloading configuration via TFTP).

A bug in GRUB—especially one that lets someone mess with memory allocations—can be deadly, as it opens the door for malicious code even *before* your operating system starts.

The Problem: Integer Underflow in grub_net_recv_ip4_packets()

Let’s dive into the code. Here is a representative (simplified) code snippet based on the upstream GRUB source:

// Simplified excerpt from grub_net_recv_ip4_packets()
rsm->total_len = grub_be_to_cpu16 (ip->total_len) - (ip->ihl * 4);
buf = grub_malloc (rsm->total_len);
// ...Later, code writes to buf of size rsm->total_len bytes

Key operations

- The function reads the total length of the IP packet header (ip->total_len) and subtracts the header length (ip->ihl * 4).
- The result is stored in rsm->total_len, then used to allocate a buffer with grub_malloc(rsm->total_len).
- The problem is: if ip->ihl is large or ip->total_len is small, the subtraction can result in a very large value (because total_len is an unsigned integer and will underflow), wrapping around (e.g., from  down to 65535).

Malicious scenario

If an attacker crafts a packet where ip->ihl * 4 is bigger than ip->total_len, rsm->total_len will wrap around to a huge number. grub_malloc might then allocate less memory than required or even fail, but the code may continue, leading to writes *past* the buffer.

ip->ihl = 6 (results in 6*4 = 24)

rsm->total_len = 20 - 24;  // Result: xfffffffc (which is 4294967292 on a 32-bit system)


That number is way too big for a buffer—much more than GRUB ever expects.

Send this packet to a system using GRUB’s network boot features (PXE, TFTP, etc.).

3. GRUB allocates a tiny buffer (or possibly even NULL or fails), but code later tries to use the underflowed length to write data.
4. Result: Memory corruption, out-of-bounds writes—possibly letting an attacker run code *before* your OS has even started.

Proof of Concept (Simple Version)

A full exploit would require a lot of context, but you can see the vulnerability with a simple gdb/printf test in a lab setting.

#include <stdio.h>
#include <stdint.h>

int main() {
    uint16_t total_len = 20;
    uint8_t ihl = 6; // 6 * 4 = 24

    uint32_t length = (uint32_t)total_len - (uint32_t)(ihl * 4);
    printf("Calculated length: %u\n", length);
    return ;
}

Output

Calculated length: 4294967292


This output is clearly *not* a valid buffer length!

Real-World References

- CVE-2022-28733 on MITRE
- Original advisory from Oracle
- GRUB upstream patch commit
- Ubuntu Security Notice USN-5555-1
- More technical breakdown on Tenable's Blog

How Was It Fixed?

The fix is simple: validate fields before performing arithmetic, and check for underflow conditions.

Patch Example

if (grub_be_to_cpu16(ip->total_len) < (ip->ihl * 4))
    return GRUB_ERR_BAD_ARGUMENT;

rsm->total_len = grub_be_to_cpu16(ip->total_len) - (ip->ihl * 4);

Update your bootloader: Make sure you have a version of GRUB with the patch.

2. Disable unnecessary network boot: If you don’t use PXE/TFTP, turn it off in firmware.

Conclusion

CVE-2022-28733 is a classic example of how a little arithmetic bug in low-level code can open the door to big trouble. By understanding integer underflows and how they impact memory allocation, you can better appreciate the importance of input validation—even before your OS boots.

Further reading

- Memory safety problems in C and C++
- Network attacks on PXE and UEFI (BlackHat talk)


*This post was written to explain the CVE-2022-28733 vulnerability in clear terms, highlighting both the underlying code and practical implications for everyday systems administrators and security professionals.*

Timeline

Published on: 07/20/2023 01:15:00 UTC
Last modified on: 08/25/2023 23:15:00 UTC