<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Multiple GRUB2 vulnerabilities
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: John Haxby <john.haxby () oracle com>
Date: Tue, 2 Mar 2021 18:13:44 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 2021-02-23 we notified the distros list about multiple grub vulnerabilities. This is the formal announcement sent
to grub-devel which explains in a little more detail what has been done.
jch
Begin forwarded message:
From: Daniel Kiper <daniel.kiper () oracle com>
Subject: [SECURITY PATCH 000/117] Multiple GRUB2 vulnerabilities - 2021/03/02 round
Date: 2 March 2021 at 18:00:56 GMT
To: grub-devel () gnu org
[snip]
Hi all,
The BootHole vulnerability [1][2] announced last year encouraged many people to
take a closer look at the security of boot process in general and the GRUB
bootloader in particular. Due to that, during past few months we were getting
reports of, and also discovering various security flaws in the GRUB ourselves.
You can find the list of most severe ones which got CVEs assigned at the end of
this message. The patch bundle fixing all these issues in the upstream GRUB
contains 117 patches.
In addition, we have been working on a generation number based revocation
scheme termed UEFI Secure Boot Advanced Targeting (SBAT) [3]. This will require
an UEFI dbx release and resigning all the artifacts -- shim, GRUB, kernel,
etc. -- needed to boot the system. This is the same as we did for the BootHole
series of vulnerabilities, but the SBAT work is designed to make this process
much less painful in the future.
Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here [4] we are listing at
least some links to the messaging known at the time of this posting.
It is important to know that shim and SBAT development is still ongoing.
Full mitigation against all the CVEs will require an updated UEFI revocation
list (dbx) which, in at least some cases, will not allow Secure Boot with
today's boot artifacts. Vendor shims may explicitly permit known older boot
artifacts to boot. At some stage, the dbx on new hardware will be updated.
Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter. An updated
dbx from the various affected vendors will also ship, although possibly not at
the same time. The new Microsoft dbx will be provided for download here [5].
I am posting all the GRUB2 upstream patches which fixes all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository [6] too.
[snip]
Daniel
[1] https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
[2] https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
[3] https://github.com/rhboot/shim/blob/main/SBAT.md
[4] Canonical: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
Debian: https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot
Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2021-003
SUSE: https://www.suse.com/support/kb/doc/?id=000019892
[5] https://uefi.org/revocationlistfile
[6] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
https://git.savannah.gnu.org/git/grub.git
*******************************************************************************
CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted
ACPI tables when Secure Boot is enabled
CWE-184
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
GRUB2 enables the use of the command acpi even when Secure Boot is signaled by
the firmware. An attacker with local root privileges to can drop a small SSDT
in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT
then gets run by the kernel and it overwrites the kernel lock down configuration
enabling the attacker to load unsigned kernel modules and kexec unsigned code.
Reported-by: Máté Kukri
*******************************************************************************
CVE-2020-25632 grub2: Use-after-free in rmmod command
CWE-416
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload
a module used as dependency without checking if any other dependent module is
still loaded. This leads to an use-after-free scenario possibly allowing an
attacker to execute arbitrary code and by-pass Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize()
CWE-787
6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_usb_device_initialize() is called to handle USB device initialization. It
reads out the descriptors it needs from the USB device and uses that data to
fill in some USB data structures. grub_usb_device_initialize() performs very
little bounds checking and simply assumes the USB device provides sane values.
This behavior can trigger memory corruption. If properly exploited, this would
lead to arbitrary code execution allowing the attacker to by-pass Secure Boot
mechanism.
Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive)
*******************************************************************************
CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
CWE-121
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1kB stack
buffer for temporary storage without sufficient bounds checking. If the
function is called with a command line that references a variable with a
sufficiently large payload, it is possible to overflow the stack buffer,
corrupt the stack frame and control execution. An attacker may use this to
circumvent Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-27779 grub2: The cutmem command allows privileged user to remove
memory regions when Secure Boot is enabled
CWE-285
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The GRUB2's cutmem command does not honor Secure Boot locking. This allows an
privileged attacker to remove address ranges from memory creating an
opportunity to circumvent Secure Boot protections after proper triage about
grub's memory layout.
Reported-by: Teddy Reed
*******************************************************************************
CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705
CWE-281
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro
specific flaw which made upstream in the mentioned version.
If certificates that signed GRUB2 are installed into db, GRUB2 can be booted
directly. It will then boot any kernel without signature validation. The booted
kernel will think it was booted in Secure Boot mode and will implement lock
down, yet it could have been tampered.
This flaw only affects upstream and distributions using the shim_lock verifier.
Reported-by: Dimitri John Ledkov (Canonical)
*******************************************************************************
CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of
space required for quoting
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu
rendering code performs a length calculation on the assumption that expressing
a quoted single quote will require 3 characters, while it actually requires
4 characters. This allow an attacker to corrupt memory by one byte for each
quote in the input.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
acinclude.m4 | 38 ++-
bootstrap.conf | 3 +-
conf/Makefile.common | 2 +
conf/Makefile.extra-dist | 5 +
configure.ac | 44 ++-
docs/grub-dev.texi | 27 ++
docs/grub.texi | 106 +++++--
grub-core/Makefile.am | 7 +-
grub-core/Makefile.core.def | 14 +-
grub-core/bus/usb/usb.c | 15 +-
grub-core/commands/acpi.c | 15 +-
grub-core/commands/efi/loadbios.c | 16 +-
grub-core/commands/efi/shim_lock.c | 133 ---------
grub-core/commands/extcmd.c | 23 ++
grub-core/commands/hashsum.c | 15 +-
grub-core/commands/hdparm.c | 6 +-
grub-core/commands/i386/wrmsr.c | 5 +-
grub-core/commands/iorw.c | 19 +-
grub-core/commands/ls.c | 2 +-
grub-core/commands/memrw.c | 19 +-
grub-core/commands/menuentry.c | 2 +-
grub-core/commands/minicmd.c | 7 +-
grub-core/commands/probe.c | 6 +-
grub-core/commands/setpci.c | 8 +-
grub-core/disk/cryptodisk.c | 8 +-
grub-core/disk/ldm.c | 62 +++-
grub-core/disk/lvm.c | 101 ++++++-
grub-core/fs/affs.c | 18 +-
grub-core/fs/btrfs.c | 7 +-
grub-core/fs/fshelp.c | 12 +
grub-core/fs/hfs.c | 7 +-
grub-core/fs/hfsplus.c | 27 ++
grub-core/fs/jfs.c | 19 +-
grub-core/fs/nilfs2.c | 56 ++--
grub-core/fs/sfs.c | 9 +-
grub-core/fs/zfs/zfs.c | 43 ++-
grub-core/fs/zfs/zfsinfo.c | 4 +-
grub-core/gdb/gdb.c | 32 ++-
grub-core/gfxmenu/gui_label.c | 4 +
grub-core/gfxmenu/gui_list.c | 2 +-
grub-core/gfxmenu/gui_progress_bar.c | 3 +
grub-core/io/gzio.c | 44 ++-
grub-core/io/lzopio.c | 4 -
grub-core/kern/buffer.c | 117 ++++++++
grub-core/kern/command.c | 24 ++
grub-core/kern/dl.c | 9 +
grub-core/kern/efi/efi.c | 1 +
grub-core/kern/efi/init.c | 66 +++++
grub-core/kern/efi/mm.c | 19 +-
grub-core/kern/efi/sb.c | 79 +++++
grub-core/kern/lockdown.c | 84 ++++++
grub-core/kern/main.c | 4 +
grub-core/kern/misc.c | 110 ++++++-
grub-core/kern/mm.c | 2 +-
grub-core/kern/parser.c | 203 ++++++++-----
grub-core/kern/partition.c | 5 +-
grub-core/{commands => kern}/verifiers.c | 8 +-
grub-core/lib/arg.c | 13 +
.../lib/gnulib-patches/fix-null-state-deref.patch | 12 +
.../gnulib-patches/fix-regcomp-uninit-token.patch | 15 +
.../gnulib-patches/fix-regexec-null-deref.patch | 12 +
.../lib/gnulib-patches/fix-uninit-structure.patch | 11 +
.../lib/gnulib-patches/fix-unused-value.patch | 14 +
grub-core/lib/libgcrypt/mpi/mpicoder.c | 5 +-
grub-core/lib/syslinux_parse.c | 6 +-
grub-core/lib/zstd/zstd_decompress.c | 2 +-
grub-core/loader/arm/linux.c | 6 +-
grub-core/loader/efi/fdt.c | 4 +-
grub-core/loader/i386/bsd.c | 4 +-
grub-core/loader/xnu.c | 65 +++--
grub-core/mmap/mmap.c | 15 +-
grub-core/net/net.c | 9 +-
grub-core/net/tftp.c | 1 +
grub-core/normal/completion.c | 10 +-
grub-core/script/execute.c | 7 +-
grub-core/term/gfxterm.c | 9 +
grub-core/video/efi_gop.c | 25 +-
grub-core/video/fb/fbfill.c | 17 +-
grub-core/video/fb/video_fb.c | 60 ++--
grub-core/video/readers/jpeg.c | 26 ++
include/grub/buffer.h | 144 ++++++++++
include/grub/command.h | 5 +
include/grub/dl.h | 8 +-
include/grub/efi/api.h | 19 ++
include/grub/efi/sb.h | 3 +
include/grub/extcmd.h | 7 +
include/grub/hfsplus.h | 2 +
include/grub/kernel.h | 3 +-
include/grub/lockdown.h | 44 +++
include/grub/misc.h | 16 ++
include/grub/stack_protector.h | 30 ++
include/grub/usb.h | 10 +-
include/grub/util/install.h | 11 +-
include/grub/util/mkimage.h | 1 +
include/grub/verify.h | 9 +-
util/glue-efi.c | 14 +-
util/grub-editenv.c | 8 +-
util/grub-install-common.c | 22 +-
util/grub-install.c | 4 +
util/grub-mkimage.c | 21 +-
util/grub.d/30_os-prober.in | 5 +-
util/mkimage.c | 317 +++++++++++----------
102 files changed, 2115 insertions(+), 666 deletions(-)
Alex Burmashev (1):
templates: Disable the os-prober by default
Chris Coulson (8):
commands/hashsum: Fix a memory leak
kern/parser: Fix a memory leak
kern/parser: Introduce process_char() helper
kern/parser: Introduce terminate_arg() helper
kern/parser: Refactor grub_parser_split_cmdline() cleanup
kern/buffer: Add variable sized heap buffer
kern/parser: Fix a stack buffer overflow
kern/efi: Add initial stack protector implementation
Daniel Axtens (35):
script/execute: Fix NULL dereference in grub_script_execute_cmdline()
commands/ls: Require device_name is not NULL before printing
script/execute: Avoid crash when using "$#" outside a function scope
lib/arg: Block repeated short options that require an argument
script/execute: Don't crash on a "for" loop with no items
commands/menuentry: Fix quoting in setparams_prefix()
kern/misc: Always set *end in grub_strtoull()
video/readers/jpeg: Catch files with unsupported quantization or Huffman tables
video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
video/readers/jpeg: Don't decode data before start of stream
term/gfxterm: Don't set up a font with glyphs that are too big
fs/fshelp: Catch impermissibly large block sizes in read helper
fs/hfsplus: Don't fetch a key beyond the end of the node
fs/hfsplus: Don't use uninitialized data on corrupt filesystems
fs/hfs: Disable under lockdown
fs/sfs: Fix over-read of root object name
fs/jfs: Do not move to leaf level if name length is negative
fs/jfs: Limit the extents that getblk() can consider
fs/jfs: Catch infinite recursion
fs/nilfs2: Reject too-large keys
fs/nilfs2: Don't search children if provided number is too large
fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
io/gzio: Bail if gzio->tl/td is NULL
io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
io/gzio: Catch missing values in huft_build() and bail
io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails
disk/lvm: Don't go beyond the end of the data we read from disk
disk/lvm: Don't blast past the end of the circular metadata buffer
disk/lvm: Bail on missing PV list
disk/lvm: Do not crash if an expected string is not found
disk/lvm: Do not overread metadata
disk/lvm: Sanitize rlocn->offset to prevent wild read
disk/lvm: Do not allow a LV to be it's own segment's node's LV
fs/btrfs: Validate the number of stripes/parities in RAID5/6
fs/btrfs: Squash some uninitialized reads
Daniel Kiper (1):
util/grub-install: Fix NULL pointer dereferences
Darren Kenny (36):
mmap: Fix memory leak when iterating over mapped memory
net/net: Fix possible dereference to of a NULL pointer
net/tftp: Fix dangling memory pointer
kern/parser: Fix resource leak if argc == 0
kern/efi: Fix memory leak on failure
kern/efi/mm: Fix possible NULL pointer dereference
gnulib/regexec: Resolve unused variable
gnulib/regcomp: Fix uninitialized token structure
gnulib/argp-help: Fix dereference of a possibly NULL state
gnulib/regexec: Fix possible null-dereference
gnulib/regcomp: Fix uninitialized re_token
io/lzopio: Resolve unnecessary self-assignment errors
zstd: Initialize seq_t structure fully
kern/partition: Check for NULL before dereferencing input string
disk/ldm: Fix memory leak on uninserted lv references
disk/cryptodisk: Fix potential integer overflow
hfsplus: Check that the volume name length is valid
zfs: Fix possible negative shift operation
zfs: Fix possible integer overflows
zfsinfo: Correct a check for error allocating memory
affs: Fix memory leaks
libgcrypt/mpi: Fix possible unintended sign extension
libgcrypt/mpi: Fix possible NULL dereference
syslinux: Fix memory leak while parsing
normal/completion: Fix leaking of memory when processing a completion
commands/probe: Fix a resource leak when probing disks
video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info()
video/fb/fbfill: Fix potential integer overflow
video/fb/video_fb: Fix multiple integer overflows
video/fb/video_fb: Fix possible integer overflow
video/readers/jpeg: Test for an invalid next marker reference from a jpeg file
gfxmenu/gui_list: Remove code that coverity is flagging as dead
loader/bsd: Check for NULL arg up-front
loader/xnu: Fix memory leak
util/grub-editenv: Fix incorrect casting of a signed value
util/glue-efi: Fix incorrect use of a possibly negative value
Dimitri John Ledkov (2):
grub-install-common: Add --sbat option
shim_lock: Only skip loading shim_lock verifier with explicit consent
Javier Martinez Canillas (15):
kern: Add lockdown support
kern/lockdown: Set a variable if the GRUB is locked down
efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list
acpi: Don't register the acpi command when locked down
mmap: Don't register cutmem and badram commands when lockdown is enforced
commands: Restrict commands that can load BIOS or DT blobs when locked down
commands/setpci: Restrict setpci command when locked down
commands/hdparm: Restrict hdparm command when locked down
gdb: Restrict GDB access when locked down
loader/xnu: Don't allow loading extension and packages when locked down
docs: Document the cutmem command
dl: Only allow unloading modules that are not dependencies
usb: Avoid possible out-of-bound accesses caused by malicious devices
util/mkimage: Remove unused code to add BSS section
Marco A Benatto (5):
verifiers: Move verifiers API to kernel image
efi: Move the shim_lock verifier to the GRUB core
disk/ldm: Make sure comp data is freed before exiting from make_vg()
loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap()
kern/mm: Fix grub_debug_calloc() compilation error
Paulo Flabiano Smorigo (3):
disk/ldm: If failed then free vg variable too
zfs: Fix resource leaks while constructing path
loader/xnu: Check if pointer is NULL before using it
Peter Jones (7):
util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()
util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff
util/mkimage: Unify more of the PE32 and PE32+ header set-up
util/mkimage: Reorder PE optional header fields set-up
util/mkimage: Improve data_size value calculation
util/mkimage: Refactor section setup to use a helper
util/mkimage: Add an option to import SBAT metadata into a .sbat section
Thomas Frauendorfer | Miray Software (4):
kern/misc: Split parse_printf_args() into format parsing and va_list handling
kern/misc: Add STRING type for internal printf() format handling
kern/misc: Add function to check printf() format against expected format
gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Multiple GRUB2 vulnerabilities John Haxby (Mar 02)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->