Hi all, This patch set contains a bundle of fixes for various security flaws discovered, as part of a pro-active hardening effort, in the GRUB2 code recently. The most severe ones, i.e. potentially exploitable, have CVEs assigned and are listed at the end of this email.
Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available. Full mitigation against all CVEs will require updated shim with latest SBAT (Secure Boot Advanced Targeting) [1] data provided by distros and vendors. This time UEFI revocation list (dbx) will not be used and revocation of broken artifacts will be done with SBAT only. For information on how to apply the latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly permit known older boot artifacts to boot. Updated GRUB2, shim and other boot artifacts from all the affected vendors will be made available when the embargo lifts or some time thereafter. I am posting all the GRUB2 upstream patches which fix all security bugs found and reported up until now. Major Linux distros carry or will carry soon one form or another of these patches. Now all the GRUB2 upstream patches are in the GRUB2 git repository [2] too. I would like to thank Nils Langius, B Horn and Jonathan Bar Or for responsible disclosure and preparation of some patches needed to fix known issues. Upstream fixing would not be possible without involvement of following people too: - Alec Brown (Oracle), - Daniel Axtens, - Jan Setje-Eilers (Oracle), - Lidong Chen (Oracle), - Marco A Benatto (Red Hat), - Michael Chang (SUSE), - Ross Philipson (Oracle). Thank you for your hard work! Daniel [1] https://github.com/rhboot/shim/blob/main/SBAT.md https://github.com/rhboot/shim/blob/main/Delivering_Sbat_Revocations.md [2] https://git.savannah.gnu.org/gitweb/?p=grub.git https://git.savannah.gnu.org/git/grub.git ******************************************************************************* CVE-2024-45774: reader/jpeg: Heap OOB Write during JPEG parsing CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7 Extra SOF0 marker in JPEG file may lead to a out-of-bounds write. An attacker may leverage this by crafting a malicious JPEG file, leading the grub's JPEG parser to fail the bounds checking in its internal buffer resulting in a out-of-bounds memory write. The possibility of overwriting sensitve information in order to bypass secure boot protections are not discarded. Reported-by: Nils Langius ******************************************************************************* CVE-2024-45775: commands/extcmd: Missing check for failed allocation CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H - 5.2 In grub_extcmd_dispatcher() function grub2 calls grub_arg_list_alloc() to allocate memory for the grub's argument list, however it misses to check in case the memory allocation failed. Once the allocation failed, a NULL point will be processed by the parse_option() function leading grub to crash or in some rare scenarios corrupt the IVT data. Reported-by: Nils Langius ******************************************************************************* CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OOB Write and Read CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7 When reading language .mo file in grub_mofile_open(), grub2 fails to verify to a integer overflow when allocating its internal buffer. A crafted .mo file may lead to the buffer size calculation to overflow leading to Out-of-bound reads and writes. An attacker may leverage this flaw to leak sensitive data or overwrite critical data possibly leading to the circumvention of secure boot protections. Reported-by: Nils Langius ******************************************************************************* CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB Write CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7 The calculation of the translation buffer when reading a language .mo file in grub_gettext_getstr_from_position() may overflow leading to a Out-of-bound write. This may be leveraged by an attacker to overwrite senstive grub2's heap data, eventually leading to the circumvention of secure boot protections Reported-by: Nils Langius ******************************************************************************* CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H - 4.1 There's a stack overflow when reading a BFS file system. A crafted BFS filesystem may lead to a uncontrolled loop causing grub2 to crash Reported-by: Nils Langius ******************************************************************************* CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read (Write?) in the BFS parser CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N - 4.1 There's an integer overflow in the BFS file system driver. When reading a file with indirect extent map grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause a integer overflow during the file reading, leading to a Heap Ouf-of-Bounds read. As consequence sensitive data may be leaked or the grub2 to crash. Reported-by: Nils Langius ******************************************************************************* CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7 When reading tar files, grub2 allocates an internal buffer for the file name however it fails to properly verify the allocation against possible Integer Overflows. It's possible to cause the allocation length to overflow with a crafted tar file leading to a head Out-of-bounds write, as consequence an attacker may leverage this to eventually circumvent secure boot protections. Reported-by: Nils Langius ******************************************************************************* CVE-2024-45781: fs/ufs: OOB write in the heap CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7 When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap Out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections. Reported-by: B Horn ******************************************************************************* CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7 When reading a HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user provided volume name as input without proper validating the volume name's length. This may read to a heap based Out-of-bounds write, impacting on grub's sensitive data integrity and eventually leading to secure boot protection bypass. Reported-by: B Horn ******************************************************************************* CVE-2024-45783: fs/hfs+: refcount can be decremented twice CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H - 4.4 When failing to mount a HFS+ grub hfsplus filesystem driver doesn't properly set a ERRNO value. This may lead to a NULL pointer access. Reported-by: B Horn ******************************************************************************* CVE-2025-0622: command/gpg: Use-after-free due to hooks not being removed on module unload CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 In some scenarios hooks created by loaded modules are not being removed when the related module is being unloaded. An attacker may leverage this by forcing the grub2 to call the hooks once the module which registered it was unloaded, leading to a Use-after-free vulnerability. If correctly exploited this vulnerability may result int Arbitrary Code Execution eventually allowing the attacker to by-pass secure boot protections. Reported-by: B Horn ******************************************************************************* CVE-2025-0624: net: Out-of-bounds write in grub_net_search_config_file() CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H - 7.5 During the network boot process when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using grub_strcpy() function. During this step it fails to consider the environment variable length when allocating the internal buffer, resulting in a out-of-bounds write. If correctly exploited this issue may result in remote code execution through the same network segment the grub is searching for the boot information, which can be used to by-pass secure boot protections. Reported-by: B Horn ******************************************************************************* CVE-2025-0677: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 When performing a symlink lookup the grub's UFS module check the inode's data size to allocate the internal buffer for reading the file content however it misses to check if the symlink data size has overflown. If that happens grub_malloc() may be called with a smaller value than needed, as consequence when further reading the data from disk into the buffer grub_ufs_lookup_symlink() function will write past the end of the allocated size. An attack may leverage that by crafting a malicious filesystem and as a result it will corrupt data stored in the heap, it's possible that arbitrary code execution may be achieved through it and to be used to by-pass secure boot mechanisms. Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-0678: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffers size, however it misses to properly check for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculation to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the direct_read() will perform a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-passing secure boot protections. Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 When performing a symlink lookup from a reiserfs filesystem, grub's reiserfs fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffers size, however it misses to properly check for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculation to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the grub_reiserfs_read_symlink() will call grub_reiserfs_read_real() with a overflown length parameter leading to a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-passing secure boot protections. Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 When reading data from a jfs filesystem, grub's jfs filesystem module uses user-controlled parameters from the filesystem geometry to determine the internal buffers size, however it misses to properly check for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculation to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the grub_jfs_lookup_symlink() function will write past of the internal buffer length during grub_jfs_read_file(). This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-passing secure boot protections. Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 When performing a symlink lookup from a romfs filesystem, grub's romfs filesystem module uses user-controlled parameters from the filesystem geometry to determine the internal buffers size, however it misses to properly check for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculation to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the grub_romfs_read_symlink() may cause a out-of-bounds writes when calling grub_disk_read() function. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-passing secure boot protections. Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-0689: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size which is not guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow resulting in critical data to be corrupted, resulting in the risk of arbitrary code execution by-passing secure boot protections. Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H - 6.1 The read command is used to read the keyboard input from the user, while reads it keeps the input length in a 32-bit integer value which is further used to reallocate the line buffer to accept the next character. During this process, with a line big enough it's possible to make this variable to overflow leading to a out-of-bounds write in the heap based buffer. This flaw may be leveraged to corrupt grub's internal critical data and secure boot bypass is not discarded as consequence. Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-1118: commands/dump: The dump command is not in lockdown when secure boot is enabled CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4 The grub's dump command is not blocked when grub is in lockdown mode. This allows the user to read any memory information, an attacker may leverage that in order to extract signatures, salts and other sensitive information from the memory. Reported-by: B Horn Reported-by: Jonathan Bar Or ******************************************************************************* CVE-2025-1125: fs/hfs: Interger overflow may lead to heap based out-of-bounds write CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4 When reading data from a hfs filesystem, grub's hfs filesystem module uses user-controlled parameters from the filesystem metadata to calculate the internal buffers size, however it misses to properly check for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculation to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the hfsplus_open_compressed_real() function will write past of the internal buffer length. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-passing secure boot protections. Reported-by: Jonathan Bar Or ******************************************************************************* docs/grub.texi | 30 ++++ grub-core/bus/usb/ehci.c | 2 +- grub-core/commands/extcmd.c | 3 + grub-core/commands/hexdump.c | 7 +- grub-core/commands/ls.c | 6 +- grub-core/commands/memrw.c | 21 +-- grub-core/commands/minicmd.c | 6 +- grub-core/commands/pgp.c | 2 + grub-core/commands/read.c | 19 ++- grub-core/commands/test.c | 21 ++- grub-core/disk/ata.c | 4 +- grub-core/disk/cryptodisk.c | 124 +++++++++++++-- grub-core/disk/diskfilter.c | 9 +- grub-core/disk/ieee1275/obdisk.c | 49 +++++- grub-core/disk/ieee1275/ofdisk.c | 64 ++++++-- grub-core/disk/ldm.c | 42 ++++- grub-core/disk/loopback.c | 18 +++ grub-core/disk/luks2.c | 7 +- grub-core/disk/lvm.c | 20 ++- grub-core/disk/memdisk.c | 9 +- grub-core/disk/plainmount.c | 9 +- grub-core/fs/affs.c | 10 +- grub-core/fs/archelp.c | 9 +- grub-core/fs/bfs.c | 10 +- grub-core/fs/btrfs.c | 39 ++++- grub-core/fs/cbfs.c | 10 +- grub-core/fs/cpio.c | 1 + grub-core/fs/cpio_be.c | 1 + grub-core/fs/cpio_common.c | 34 +++- grub-core/fs/erofs.c | 10 +- grub-core/fs/ext2.c | 11 +- grub-core/fs/f2fs.c | 21 ++- grub-core/fs/fat.c | 1 + grub-core/fs/hfs.c | 3 +- grub-core/fs/hfsplus.c | 3 +- grub-core/fs/hfspluscomp.c | 9 +- grub-core/fs/iso9660.c | 18 ++- grub-core/fs/jfs.c | 92 ++++++++--- grub-core/fs/minix.c | 10 +- grub-core/fs/newc.c | 1 + grub-core/fs/nilfs2.c | 10 +- grub-core/fs/ntfs.c | 273 ++++++++++++++++++++++++++++++--- grub-core/fs/ntfscomp.c | 11 +- grub-core/fs/odc.c | 1 + grub-core/fs/proc.c | 1 + grub-core/fs/reiserfs.c | 10 +- grub-core/fs/romfs.c | 10 +- grub-core/fs/sfs.c | 13 +- grub-core/fs/squash4.c | 21 ++- grub-core/fs/tar.c | 48 ++++-- grub-core/fs/udf.c | 10 +- grub-core/fs/ufs.c | 12 +- grub-core/fs/xfs.c | 33 +++- grub-core/fs/zfs/zfs.c | 87 +++++++++-- grub-core/gettext/gettext.c | 15 +- grub-core/kern/disk.c | 27 +++- grub-core/kern/dl.c | 22 ++- grub-core/kern/file.c | 10 ++ grub-core/kern/main.c | 12 ++ grub-core/kern/misc.c | 9 +- grub-core/kern/partition.c | 22 ++- grub-core/loader/i386/bsd.c | 14 +- grub-core/loader/i386/linux.c | 2 +- grub-core/net/bootp.c | 16 +- grub-core/net/dns.c | 13 +- grub-core/net/drivers/ieee1275/ofnet.c | 20 ++- grub-core/net/net.c | 93 +++++++++-- grub-core/net/tftp.c | 38 +++-- grub-core/normal/auth.c | 30 ++++ grub-core/normal/main.c | 10 +- grub-core/normal/menu.c | 5 +- grub-core/normal/menu_entry.c | 4 + grub-core/osdep/linux/getroot.c | 3 + grub-core/script/execute.c | 17 ++ grub-core/video/readers/jpeg.c | 4 + grub-core/video/readers/png.c | 2 +- include/grub/auth.h | 1 + include/grub/cryptodisk.h | 3 + include/grub/dl.h | 8 +- include/grub/err.h | 4 +- include/grub/fs.h | 4 + include/grub/misc.h | 41 +++++ include/grub/net.h | 13 +- include/grub/ntfs.h | 25 +++ util/misc.c | 4 +- 85 files changed, 1524 insertions(+), 272 deletions(-) Alec Brown (10): disk: Use safe math macros to prevent overflows disk: Prevent overflows when allocating memory for arrays disk: Check if returned pointer for allocated memory is NULL disk/ieee1275/ofdisk: Call grub_ieee1275_close() when grub_malloc() fails net: Check if returned pointer for allocated memory is NULL fs/sfs: Check if allocated memory is NULL bus/usb/ehci: Define GRUB_EHCI_TOGGLE as grub_uint32_t normal/menu: Use safe math to avoid an integer overflow loader/i386/linux: Cast left shift to grub_uint32_t loader/i386/bsd: Use safe math to avoid underflow B Horn (31): misc: Implement grub_strlcpy() fs/ufs: Fix a heap OOB write fs/hfs: Fix stack OOB write with grub_strcpy() fs/tar: Initialize name in grub_cpio_find_file() fs/f2fs: Set a grub_errno if mount fails fs/hfsplus: Set a grub_errno if mount fails fs/iso9660: Set a grub_errno if mount fails fs/ntfs: Track the end of the MFT attribute buffer fs/ntfs: Use a helper function to access attributes fs/ntfs: Implement attribute verification fs/xfs: Ensuring failing to mount sets a grub_errno kern/file: Ensure file->data is set kern/file: Implement filesystem reference counting disk/loopback: Reference tracking for the loopback kern/disk: Limit recursion depth kern/partition: Limit recursion in part_iterate() script/execute: Limit the recursion depth net: Unregister net_default_ip and net_default_mac variables hooks on unload net: Remove variables hooks when interface is unregisted net: Fix OOB write in grub_net_search_config_file() net/tftp: Fix stack buffer overflow in tftp_open() kern/dl: Fix for an integer overflow in grub_dl_ref() kern/dl: Use correct segment in grub_dl_set_mem_attrs() kern/dl: Check for the SHF_INFO_LINK flag in grub_dl_relocate_symbols() commands/ls: Fix NULL dereference commands/pgp: Unregister the "check_signatures" hooks on module unload normal: Remove variables hooks on module unload gettext: Remove variables hooks on module unload commands/minicmd: Block the dump command in lockdown mode commands/memrw: Disable memory reading in lockdown mode commands/hexdump: Disable memory reading in lockdown mode Daniel Axtens (3): video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG fs/bfs: Disable under lockdown fs: Disable many filesystems under lockdown Jonathan Bar Or (1): commands/read: Fix an integer overflow when supplying more than 2^31 characters Lidong Chen (23): fs/tar: Integer overflow leads to heap OOB write fs/jfs: Fix OOB read in jfs_getent() fs/jfs: Fix OOB read caused by invalid dir slot index fs/jfs: Use full 40 bits offset and address for a data extent fs/jfs: Inconsistent signed/unsigned types usage in return values commands/extcmd: Missing check for failed allocation gettext: Integer overflow leads to heap OOB write or read gettext: Integer overflow leads to heap OOB write commands/test: Stack overflow due to unlimited recursion depth fs: Use safe math macros to prevent overflows fs: Prevent overflows when allocating memory for arrays fs: Prevent overflows when assigning returned values from read_number() fs/zfs: Use safe math macros to prevent overflows fs/zfs: Prevent overflows when allocating memory for arrays fs/zfs: Check if returned pointer for allocated memory is NULL fs/zfs: Add missing NULL check after grub_strdup() call net: Use safe math macros to prevent overflows net: Prevent overflows when allocating memory for arrays script/execute: Fix potential underflow and NULL dereference osdep/unix/getroot: Fix potential underflow misc: Ensure consistent overflow error messages kern/partition: Add sanity check after grub_strtoul() call kern/misc: Add sanity check after grub_strtoul() call Michael Chang (5): fs/iso9660: Fix invalid free fs/ext2: Fix out-of-bounds read for inline extents fs/ntfs: Fix out-of-bounds read fs/xfs: Fix out-of-bounds read disk/cryptodisk: Require authentication after TPM unlock for CLI access _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
