grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 000/117] Multiple GRUB2 vulnerabilities - 2021/03/02 rou


From: Daniel Kiper
Subject: [SECURITY PATCH 000/117] Multiple GRUB2 vulnerabilities - 2021/03/02 round
Date: Tue, 2 Mar 2021 19:00:56 +0100
User-agent: NeoMutt/20170113 (1.7.2)

Hi all,

The BootHole vulnerability [1][2] announced last year encouraged many people to
take a closer look at the security of boot process in general and the GRUB
bootloader in particular. Due to that, during past few months we were getting
reports of, and also discovering various security flaws in the GRUB ourselves.
You can find the list of most severe ones which got CVEs assigned at the end of
this message. The patch bundle fixing all these issues in the upstream GRUB
contains 117 patches.

In addition, we have been working on a generation number based revocation
scheme termed UEFI Secure Boot Advanced Targeting (SBAT) [3]. This will require
an UEFI dbx release and resigning all the artifacts -- shim, GRUB, kernel,
etc. -- needed to boot the system. This is the same as we did for the BootHole
series of vulnerabilities, but the SBAT work is designed to make this process
much less painful in the future.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here [4] we are listing at
least some links to the messaging known at the time of this posting.

It is important to know that shim and SBAT development is still ongoing.

Full mitigation against all the CVEs will require an updated UEFI revocation
list (dbx) which, in at least some cases, will not allow Secure Boot with
today's boot artifacts. Vendor shims may explicitly permit known older boot
artifacts to boot. At some stage, the dbx on new hardware will be updated.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter. An updated
dbx from the various affected vendors will also ship, although possibly not at
the same time. The new Microsoft dbx will be provided for download here [5].

I am posting all the GRUB2 upstream patches which fixes all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository [6] too.

In particular I would like to thank, in alphabetical order, the following
people who were working really hard on the GRUB, shim and other things related
to these issues:
  - Alexander Burmashev (Oracle),
  - Chris Co (Microsoft),
  - Chris Coulson (Canonical),
  - Cliff Perry (Red Hat),
  - Colin Watson (Debian),
  - D. Jared Dominguez (Red Hat),
  - Daniel Axtens (IBM),
  - Darren Kenny (Oracle),
  - Dimitri John Ledkov (Canonical),
  - Eric Snowberg (Oracle),
  - Ilja Van Sprundel (IOActive),
  - Ilya Okomin (Oracle),
  - Jan Setje-Eilers (Oracle),
  - Javier Martinez Canillas (Red Hat),
  - Jeremiah Cox (Microsoft),
  - John Haxby (Oracle),
  - Jordan Geurten (Microsoft),
  - Joseph Tartaro (IOActive),
  - Julian Andres Klode (Canonical),
  - Marco A Benatto (Red Hat),
  - Mario Limonciello (Dell),
  - Mathieu Trudel-Lapierre (Stack8),
  - Matthew Garrett (Google),
  - Máté Kukri,
  - Noam Rathaus (SSD Secure Disclosure),
  - NyankoSec (SSD Secure Disclosure),
  - Paulo Flabiano Smorigo (Canonical),
  - Peter Jones (Red Hat),
  - Richard Hughes (Red Hat),
  - Sarah Jacobus (Microsoft),
  - Steve McIntyre (Debian),
  - Teddy Reed,
  - Thomas Frauendorfer (Miray Software),
  - Ulrich Bauer (Miray Software),
  - Yves-Alexis Perez (Debian).

We would not be able to succeed without all your hard work.

It was very big pleasure to work with you all.

Thank you!

Daniel

[1] https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html

[2] https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

[3] https://github.com/rhboot/shim/blob/main/SBAT.md

[4] Canonical: 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
    Debian:    https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot
    Red Hat:   https://access.redhat.com/security/vulnerabilities/RHSB-2021-003
    SUSE:      https://www.suse.com/support/kb/doc/?id=000019892

[5] https://uefi.org/revocationlistfile

[6] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
    https://git.savannah.gnu.org/git/grub.git

*******************************************************************************

CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted
               ACPI tables when Secure Boot is enabled
CWE-184
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

GRUB2 enables the use of the command acpi even when Secure Boot is signaled by
the firmware. An attacker with local root privileges to can drop a small SSDT
in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT
then gets run by the kernel and it overwrites the kernel lock down configuration
enabling the attacker to load unsigned kernel modules and kexec unsigned code.

Reported-by: Máté Kukri

*******************************************************************************

CVE-2020-25632 grub2: Use-after-free in rmmod command
CWE-416
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload
a module used as dependency without checking if any other dependent module is
still loaded. This leads to an use-after-free scenario possibly allowing an
attacker to execute arbitrary code and by-pass Secure Boot protections.

Reported-by: Chris Coulson (Canonical)

*******************************************************************************

CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize()
CWE-787
6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

grub_usb_device_initialize() is called to handle USB device initialization. It
reads out the descriptors it needs from the USB device and uses that data to
fill in some USB data structures. grub_usb_device_initialize() performs very
little bounds checking and simply assumes the USB device provides sane values.
This behavior can trigger memory corruption. If properly exploited, this would
lead to arbitrary code execution allowing the attacker to by-pass Secure Boot
mechanism.

Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive)

*******************************************************************************

CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
CWE-121
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1kB stack
buffer for temporary storage without sufficient bounds checking. If the
function is called with a command line that references a variable with a
sufficiently large payload, it is possible to overflow the stack buffer,
corrupt the stack frame and control execution. An attacker may use this to
circumvent Secure Boot protections.

Reported-by: Chris Coulson (Canonical)

*******************************************************************************

CVE-2020-27779 grub2: The cutmem command allows privileged user to remove
               memory regions when Secure Boot is enabled
CWE-285
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The GRUB2's cutmem command does not honor Secure Boot locking. This allows an
privileged attacker to remove address ranges from memory creating an
opportunity to circumvent Secure Boot protections after proper triage about
grub's memory layout.

Reported-by: Teddy Reed

*******************************************************************************

CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705
CWE-281
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro
specific flaw which made upstream in the mentioned version.

If certificates that signed GRUB2 are installed into db, GRUB2 can be booted
directly. It will then boot any kernel without signature validation. The booted
kernel will think it was booted in Secure Boot mode and will implement lock
down, yet it could have been tampered.

This flaw only affects upstream and distributions using the shim_lock verifier.

Reported-by: Dimitri John Ledkov (Canonical)

*******************************************************************************

CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.

Reported-by: Daniel Axtens (IBM)

*******************************************************************************

CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of
               space required for quoting
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu
rendering code performs a length calculation on the assumption that expressing
a quoted single quote will require 3 characters, while it actually requires
4 characters. This allow an attacker to corrupt memory by one byte for each
quote in the input.

Reported-by: Daniel Axtens (IBM)

*******************************************************************************

 acinclude.m4                                       |  38 ++-
 bootstrap.conf                                     |   3 +-
 conf/Makefile.common                               |   2 +
 conf/Makefile.extra-dist                           |   5 +
 configure.ac                                       |  44 ++-
 docs/grub-dev.texi                                 |  27 ++
 docs/grub.texi                                     | 106 +++++--
 grub-core/Makefile.am                              |   7 +-
 grub-core/Makefile.core.def                        |  14 +-
 grub-core/bus/usb/usb.c                            |  15 +-
 grub-core/commands/acpi.c                          |  15 +-
 grub-core/commands/efi/loadbios.c                  |  16 +-
 grub-core/commands/efi/shim_lock.c                 | 133 ---------
 grub-core/commands/extcmd.c                        |  23 ++
 grub-core/commands/hashsum.c                       |  15 +-
 grub-core/commands/hdparm.c                        |   6 +-
 grub-core/commands/i386/wrmsr.c                    |   5 +-
 grub-core/commands/iorw.c                          |  19 +-
 grub-core/commands/ls.c                            |   2 +-
 grub-core/commands/memrw.c                         |  19 +-
 grub-core/commands/menuentry.c                     |   2 +-
 grub-core/commands/minicmd.c                       |   7 +-
 grub-core/commands/probe.c                         |   6 +-
 grub-core/commands/setpci.c                        |   8 +-
 grub-core/disk/cryptodisk.c                        |   8 +-
 grub-core/disk/ldm.c                               |  62 +++-
 grub-core/disk/lvm.c                               | 101 ++++++-
 grub-core/fs/affs.c                                |  18 +-
 grub-core/fs/btrfs.c                               |   7 +-
 grub-core/fs/fshelp.c                              |  12 +
 grub-core/fs/hfs.c                                 |   7 +-
 grub-core/fs/hfsplus.c                             |  27 ++
 grub-core/fs/jfs.c                                 |  19 +-
 grub-core/fs/nilfs2.c                              |  56 ++--
 grub-core/fs/sfs.c                                 |   9 +-
 grub-core/fs/zfs/zfs.c                             |  43 ++-
 grub-core/fs/zfs/zfsinfo.c                         |   4 +-
 grub-core/gdb/gdb.c                                |  32 ++-
 grub-core/gfxmenu/gui_label.c                      |   4 +
 grub-core/gfxmenu/gui_list.c                       |   2 +-
 grub-core/gfxmenu/gui_progress_bar.c               |   3 +
 grub-core/io/gzio.c                                |  44 ++-
 grub-core/io/lzopio.c                              |   4 -
 grub-core/kern/buffer.c                            | 117 ++++++++
 grub-core/kern/command.c                           |  24 ++
 grub-core/kern/dl.c                                |   9 +
 grub-core/kern/efi/efi.c                           |   1 +
 grub-core/kern/efi/init.c                          |  66 +++++
 grub-core/kern/efi/mm.c                            |  19 +-
 grub-core/kern/efi/sb.c                            |  79 +++++
 grub-core/kern/lockdown.c                          |  84 ++++++
 grub-core/kern/main.c                              |   4 +
 grub-core/kern/misc.c                              | 110 ++++++-
 grub-core/kern/mm.c                                |   2 +-
 grub-core/kern/parser.c                            | 203 ++++++++-----
 grub-core/kern/partition.c                         |   5 +-
 grub-core/{commands => kern}/verifiers.c           |   8 +-
 grub-core/lib/arg.c                                |  13 +
 .../lib/gnulib-patches/fix-null-state-deref.patch  |  12 +
 .../gnulib-patches/fix-regcomp-uninit-token.patch  |  15 +
 .../gnulib-patches/fix-regexec-null-deref.patch    |  12 +
 .../lib/gnulib-patches/fix-uninit-structure.patch  |  11 +
 .../lib/gnulib-patches/fix-unused-value.patch      |  14 +
 grub-core/lib/libgcrypt/mpi/mpicoder.c             |   5 +-
 grub-core/lib/syslinux_parse.c                     |   6 +-
 grub-core/lib/zstd/zstd_decompress.c               |   2 +-
 grub-core/loader/arm/linux.c                       |   6 +-
 grub-core/loader/efi/fdt.c                         |   4 +-
 grub-core/loader/i386/bsd.c                        |   4 +-
 grub-core/loader/xnu.c                             |  65 +++--
 grub-core/mmap/mmap.c                              |  15 +-
 grub-core/net/net.c                                |   9 +-
 grub-core/net/tftp.c                               |   1 +
 grub-core/normal/completion.c                      |  10 +-
 grub-core/script/execute.c                         |   7 +-
 grub-core/term/gfxterm.c                           |   9 +
 grub-core/video/efi_gop.c                          |  25 +-
 grub-core/video/fb/fbfill.c                        |  17 +-
 grub-core/video/fb/video_fb.c                      |  60 ++--
 grub-core/video/readers/jpeg.c                     |  26 ++
 include/grub/buffer.h                              | 144 ++++++++++
 include/grub/command.h                             |   5 +
 include/grub/dl.h                                  |   8 +-
 include/grub/efi/api.h                             |  19 ++
 include/grub/efi/sb.h                              |   3 +
 include/grub/extcmd.h                              |   7 +
 include/grub/hfsplus.h                             |   2 +
 include/grub/kernel.h                              |   3 +-
 include/grub/lockdown.h                            |  44 +++
 include/grub/misc.h                                |  16 ++
 include/grub/stack_protector.h                     |  30 ++
 include/grub/usb.h                                 |  10 +-
 include/grub/util/install.h                        |  11 +-
 include/grub/util/mkimage.h                        |   1 +
 include/grub/verify.h                              |   9 +-
 util/glue-efi.c                                    |  14 +-
 util/grub-editenv.c                                |   8 +-
 util/grub-install-common.c                         |  22 +-
 util/grub-install.c                                |   4 +
 util/grub-mkimage.c                                |  21 +-
 util/grub.d/30_os-prober.in                        |   5 +-
 util/mkimage.c                                     | 317 +++++++++++----------
 102 files changed, 2115 insertions(+), 666 deletions(-)

Alex Burmashev (1):
      templates: Disable the os-prober by default

Chris Coulson (8):
      commands/hashsum: Fix a memory leak
      kern/parser: Fix a memory leak
      kern/parser: Introduce process_char() helper
      kern/parser: Introduce terminate_arg() helper
      kern/parser: Refactor grub_parser_split_cmdline() cleanup
      kern/buffer: Add variable sized heap buffer
      kern/parser: Fix a stack buffer overflow
      kern/efi: Add initial stack protector implementation

Daniel Axtens (35):
      script/execute: Fix NULL dereference in grub_script_execute_cmdline()
      commands/ls: Require device_name is not NULL before printing
      script/execute: Avoid crash when using "$#" outside a function scope
      lib/arg: Block repeated short options that require an argument
      script/execute: Don't crash on a "for" loop with no items
      commands/menuentry: Fix quoting in setparams_prefix()
      kern/misc: Always set *end in grub_strtoull()
      video/readers/jpeg: Catch files with unsupported quantization or Huffman 
tables
      video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
      video/readers/jpeg: Don't decode data before start of stream
      term/gfxterm: Don't set up a font with glyphs that are too big
      fs/fshelp: Catch impermissibly large block sizes in read helper
      fs/hfsplus: Don't fetch a key beyond the end of the node
      fs/hfsplus: Don't use uninitialized data on corrupt filesystems
      fs/hfs: Disable under lockdown
      fs/sfs: Fix over-read of root object name
      fs/jfs: Do not move to leaf level if name length is negative
      fs/jfs: Limit the extents that getblk() can consider
      fs/jfs: Catch infinite recursion
      fs/nilfs2: Reject too-large keys
      fs/nilfs2: Don't search children if provided number is too large
      fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
      io/gzio: Bail if gzio->tl/td is NULL
      io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
      io/gzio: Catch missing values in huft_build() and bail
      io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails
      disk/lvm: Don't go beyond the end of the data we read from disk
      disk/lvm: Don't blast past the end of the circular metadata buffer
      disk/lvm: Bail on missing PV list
      disk/lvm: Do not crash if an expected string is not found
      disk/lvm: Do not overread metadata
      disk/lvm: Sanitize rlocn->offset to prevent wild read
      disk/lvm: Do not allow a LV to be it's own segment's node's LV
      fs/btrfs: Validate the number of stripes/parities in RAID5/6
      fs/btrfs: Squash some uninitialized reads

Daniel Kiper (1):
      util/grub-install: Fix NULL pointer dereferences

Darren Kenny (36):
      mmap: Fix memory leak when iterating over mapped memory
      net/net: Fix possible dereference to of a NULL pointer
      net/tftp: Fix dangling memory pointer
      kern/parser: Fix resource leak if argc == 0
      kern/efi: Fix memory leak on failure
      kern/efi/mm: Fix possible NULL pointer dereference
      gnulib/regexec: Resolve unused variable
      gnulib/regcomp: Fix uninitialized token structure
      gnulib/argp-help: Fix dereference of a possibly NULL state
      gnulib/regexec: Fix possible null-dereference
      gnulib/regcomp: Fix uninitialized re_token
      io/lzopio: Resolve unnecessary self-assignment errors
      zstd: Initialize seq_t structure fully
      kern/partition: Check for NULL before dereferencing input string
      disk/ldm: Fix memory leak on uninserted lv references
      disk/cryptodisk: Fix potential integer overflow
      hfsplus: Check that the volume name length is valid
      zfs: Fix possible negative shift operation
      zfs: Fix possible integer overflows
      zfsinfo: Correct a check for error allocating memory
      affs: Fix memory leaks
      libgcrypt/mpi: Fix possible unintended sign extension
      libgcrypt/mpi: Fix possible NULL dereference
      syslinux: Fix memory leak while parsing
      normal/completion: Fix leaking of memory when processing a completion
      commands/probe: Fix a resource leak when probing disks
      video/efi_gop: Remove unnecessary return value of 
grub_video_gop_fill_mode_info()
      video/fb/fbfill: Fix potential integer overflow
      video/fb/video_fb: Fix multiple integer overflows
      video/fb/video_fb: Fix possible integer overflow
      video/readers/jpeg: Test for an invalid next marker reference from a jpeg 
file
      gfxmenu/gui_list: Remove code that coverity is flagging as dead
      loader/bsd: Check for NULL arg up-front
      loader/xnu: Fix memory leak
      util/grub-editenv: Fix incorrect casting of a signed value
      util/glue-efi: Fix incorrect use of a possibly negative value

Dimitri John Ledkov (2):
      grub-install-common: Add --sbat option
      shim_lock: Only skip loading shim_lock verifier with explicit consent

Javier Martinez Canillas (15):
      kern: Add lockdown support
      kern/lockdown: Set a variable if the GRUB is locked down
      efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
      efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list
      acpi: Don't register the acpi command when locked down
      mmap: Don't register cutmem and badram commands when lockdown is enforced
      commands: Restrict commands that can load BIOS or DT blobs when locked 
down
      commands/setpci: Restrict setpci command when locked down
      commands/hdparm: Restrict hdparm command when locked down
      gdb: Restrict GDB access when locked down
      loader/xnu: Don't allow loading extension and packages when locked down
      docs: Document the cutmem command
      dl: Only allow unloading modules that are not dependencies
      usb: Avoid possible out-of-bound accesses caused by malicious devices
      util/mkimage: Remove unused code to add BSS section

Marco A Benatto (5):
      verifiers: Move verifiers API to kernel image
      efi: Move the shim_lock verifier to the GRUB core
      disk/ldm: Make sure comp data is freed before exiting from make_vg()
      loader/xnu: Free driverkey data when an error is detected in 
grub_xnu_writetree_toheap()
      kern/mm: Fix grub_debug_calloc() compilation error

Paulo Flabiano Smorigo (3):
      disk/ldm: If failed then free vg variable too
      zfs: Fix resource leaks while constructing path
      loader/xnu: Check if pointer is NULL before using it

Peter Jones (7):
      util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()
      util/mkimage: Always use grub_host_to_target32() to initialize PE stack 
and heap stuff
      util/mkimage: Unify more of the PE32 and PE32+ header set-up
      util/mkimage: Reorder PE optional header fields set-up
      util/mkimage: Improve data_size value calculation
      util/mkimage: Refactor section setup to use a helper
      util/mkimage: Add an option to import SBAT metadata into a .sbat section

Thomas Frauendorfer | Miray Software (4):
      kern/misc: Split parse_printf_args() into format parsing and va_list 
handling
      kern/misc: Add STRING type for internal printf() format handling
      kern/misc: Add function to check printf() format against expected format
      gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label



reply via email to

[Prev in Thread] Current Thread [Next in Thread]