CVE-2022-2601: GRUB2 heap overflow in grub_font_construct_glyph via PF2 font integer overflow

CVE-2022-2601 is a heap buffer overflow in GRUB2's font rendering pipeline when processing crafted PF2 font files. The vulnerability is in grub_font_construct_glyph() in grub-core/font/font.c (lines 1501-1564).

The root cause is an integer overflow in the computation of max_glyph_size:

max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;

bounds is of type struct grub_video_signed_rect which has unsigned width and unsigned height (both 32-bit unsigned). These accumulate the total dimensions of the main glyph plus all combining glyphs. With a crafted PF2 font containing many GRUB_UNICODE_COMB_ATTACHED_ABOVE_RIGHT combining characters (each with width up to 65535), bounds.width can exceed 65535, and bounds.width * bounds.height can overflow 32-bit unsigned arithmetic and wrap to a small value. This causes:

1. max_glyph_size computed as a small value (e.g., 16434 bytes)
2. A tiny heap buffer allocated for glyph
3. glyph->width = bounds.width is truncated to grub_uint16_t (e.g., still 65535 after truncation)
4. grub_font_blit_glyph() uses target->width * (dy + i) + dx to index into target->bitmap, writing up to 512MB of glyph data into the tiny 16KB buffer → heap overflow

This allows an attacker to bypass Secure Boot by providing a malicious PF2 font file that triggers the heap overflow, enabling arbitrary code execution in the bootloader.

1. Found relevant file by searching for font-related C files: grub-core/font/font.c (1611 lines)
2. Searched for allocation patterns with malloc\|grub_malloc and width\|height
3. Found glyph loading at line 769-770 (different issue) - int len = (width * height + 7) / 8 where width,height are uint16_t, but max product < 2^32
4. Searched for construct_glyph\|max_glyph_size and found the critical function at line 1502
5. Read grub_font_construct_glyph (1502-1564): static glyph buffer with max_glyph_size, computed on line 1528 as (sizeof(*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2
6. Checked struct grub_video_signed_rect: unsigned width; unsigned height; (both 32-bit)
7. Checked struct grub_font_glyph: width/height are grub_uint16_t (16-bit) - so assigning large bounds truncates
8. Found blit_comb function which grows ctx.bounds.width for each GRUB_UNICODE_COMB_ATTACHED_ABOVE_RIGHT combiner: ctx->bounds.width = dx + src->width - ctx->bounds.x + 1
9. Confirmed overflow: bounds.width = 131071, bounds.height = 65535 → 131071 * 65535 = 8,590,000,129 → mod 2^32 = 65537 → (65537+7)/8 = 8193 → max_glyph_size = (24 + 8193) * 2 = 16434 bytes allocated, but glyph->width=65535, glyph->height=65535, blit writes up to 512MB
10. Key grep patterns: construct_glyph, max_glyph_size, bounds.width, grub_video_signed_rect

Confirmed by reading grub-core/font/font.c and tracing the call chain: grub_font_construct_glyph → grub_font_construct_dry_run → blit_comb → do_blit (expands bounds.width for each combining glyph). The integer overflow in unsigned multiplication of bounds.width * bounds.height produces a small allocator size while glyph->width (uint16_t truncation of bounds.width) retains a large effective value, causing the blit loop to write far past the allocated heap buffer.