Hi Daniel and all,

sorry for top posting but this is a question and a request, not a comment.

maintaining a distribution alone I can't afford to carry as many patches as
Debian, so: could you please mention the commit to check out when all these
patches are applied upstream?

Thanks in advance and best regards,

Didier

On 18/02/2025 18:00, Daniel Kiper via Grub-devel wrote:
> Hi all,
> 
> This patch set contains a bundle of fixes for various security flaws
> discovered, as part of a pro-active hardening effort, in the GRUB2 code
> recently. The most severe ones, i.e. potentially exploitable, have CVEs
> assigned and are listed at the end of this email.
> 
> Details of exactly what needs updating will be provided by the respective
> distros and vendors when updates become available.
> 
> Full mitigation against all CVEs will require updated shim with latest SBAT
> (Secure Boot Advanced Targeting) [1] data provided by distros and vendors.
> This time UEFI revocation list (dbx) will not be used and revocation of broken
> artifacts will be done with SBAT only. For information on how to apply the
> latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
> permit known older boot artifacts to boot.
> 
> Updated GRUB2, shim and other boot artifacts from all the affected vendors will
> be made available when the embargo lifts or some time thereafter.
> 
> I am posting all the GRUB2 upstream patches which fix all security bugs found
> and reported up until now. Major Linux distros carry or will carry soon one
> form or another of these patches. Now all the GRUB2 upstream patches are in
> the GRUB2 git repository [2] too.
> 
> I would like to thank Nils Langius, B Horn and Jonathan Bar Or for responsible
> disclosure and preparation of some patches needed to fix known issues.
> 
> Upstream fixing would not be possible without involvement of following people too:
>   - Alec Brown (Oracle),
>   - Daniel Axtens,
>   - Jan Setje-Eilers (Oracle),
>   - Lidong Chen (Oracle),
>   - Marco A Benatto (Red Hat),
>   - Michael Chang (SUSE),
>   - Ross Philipson (Oracle).
> 
> Thank you for your hard work!
> 
> Daniel
> 
> [1] https://github.com/rhboot/shim/blob/main/SBAT.md
>     https://github.com/rhboot/shim/blob/main/Delivering_Sbat_Revocations.md
> 
> [2] https://git.savannah.gnu.org/gitweb/?p=grub.git
>     https://git.savannah.gnu.org/git/grub.git
> 
> *******************************************************************************
> 
> CVE-2024-45774: reader/jpeg: Heap OOB Write during JPEG parsing
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7
> 
> Extra SOF0 marker in JPEG file may lead to an out-of-bounds write.
> An attacker may leverage this by crafting a malicious JPEG file,
> leading the grub's JPEG parser to fail the bounds checking in its
> internal buffer resulting in an out-of-bounds memory write. The
> possibility of overwriting sensitive information in order to bypass
> secure boot protections is not discarded.
> 
> Reported-by: Nils Langius
> 
> *******************************************************************************
> 
> CVE-2024-45775: commands/extcmd: Missing check for failed allocation
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H - 5.2
> 
> In grub_extcmd_dispatcher() function grub2 calls grub_arg_list_alloc()
> to allocate memory for the grub's argument list, however it fails to
> check whether the memory allocation failed. Once the allocation failed,
> a NULL pointer will be processed by the parse_option() function leading
> grub to crash or in some rare scenarios corrupt the IVT data.
> 
> Reported-by: Nils Langius
> 
> *******************************************************************************
> 
> CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OOB Write and Read
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7
> 
> When reading language .mo file in grub_mofile_open(), grub2 fails to check for
> an integer overflow when allocating its internal buffer. A crafted .mo file may
> cause the buffer size calculation to overflow leading to Out-of-bound reads
> and writes. An attacker may leverage this flaw to leak sensitive data or
> overwrite critical data possibly leading to the circumvention of secure boot
> protections.
> 
> Reported-by: Nils Langius
> 
> *******************************************************************************
> 
> CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB Write
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7
> 
> The calculation of the translation buffer when reading a language .mo file in
> grub_gettext_getstr_from_position() may overflow leading to an Out-of-bound
> write. This may be leveraged by an attacker to overwrite sensitive grub2's heap
> data, eventually leading to the circumvention of secure boot protections.
> 
> Reported-by: Nils Langius
> 
> *******************************************************************************
> 
> CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H - 4.1
> 
> There's a stack overflow when reading a BFS file system. A crafted BFS
> filesystem may lead to an uncontrolled loop causing grub2 to crash.
> 
> Reported-by: Nils Langius
> 
> *******************************************************************************
> 
> CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read (Write?) in the BFS parser
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N - 4.1
> 
> There's an integer overflow in the BFS file system driver. When reading a file
> with indirect extent map grub2 fails to validate the number of extent entries
> to be read. A crafted or corrupted BFS filesystem may cause an integer overflow
> during the file reading, leading to a Heap Out-of-Bounds read. As a consequence
> sensitive data may be leaked or grub2 may crash.
> 
> Reported-by: Nils Langius
> 
> *******************************************************************************
> 
> CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7
> 
> When reading tar files, grub2 allocates an internal buffer for the file name
> however it fails to properly verify the allocation against possible Integer
> Overflows. It's possible to cause the allocation length to overflow with
> a crafted tar file leading to a heap Out-of-bounds write, as a consequence an
> attacker may leverage this to eventually circumvent secure boot protections.
> 
> Reported-by: Nils Langius
> 
> *******************************************************************************
> 
> CVE-2024-45781: fs/ufs: OOB write in the heap
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7
> 
> When reading a symbolic link's name from a UFS filesystem, grub2 fails to
> validate the string length taken as an input. The lack of validation may lead
> to a heap Out-of-bounds write, causing data integrity issues and eventually
> allowing an attacker to circumvent secure boot protections.
> 
> Reported-by: B Horn
> 
> *******************************************************************************
> 
> CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7
> 
> When reading a HFS volume's name at grub_fs_mount(), the HFS filesystem driver
> performs a strcpy() using the user provided volume name as input without properly
> validating the volume name's length. This may lead to a heap based
> Out-of-bounds write, impacting on grub's sensitive data integrity and
> eventually leading to secure boot protection bypass.
> 
> Reported-by: B Horn
> 
> *******************************************************************************
> 
> CVE-2024-45783: fs/hfs+: refcount can be decremented twice
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H - 4.4
> 
> When failing to mount an HFS+ filesystem, grub's hfsplus filesystem driver doesn't
> properly set an ERRNO value. This may lead to a NULL pointer access.
> 
> Reported-by: B Horn
> 
> *******************************************************************************
> 
> CVE-2025-0622: command/gpg: Use-after-free due to hooks not being removed on module unload
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> In some scenarios hooks created by loaded modules are not being removed when
> the related module is being unloaded. An attacker may leverage this by forcing
> the grub2 to call the hooks once the module which registered it was unloaded,
> leading to a Use-after-free vulnerability. If correctly exploited this
> vulnerability may result in Arbitrary Code Execution eventually allowing the
> attacker to by-pass secure boot protections.
> 
> Reported-by: B Horn
> 
> *******************************************************************************
> 
> CVE-2025-0624: net: Out-of-bounds write in grub_net_search_config_file()
> CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H - 7.5
> 
> During the network boot process when trying to search for the configuration
> file, grub copies data from a user controlled environment variable into an
> internal buffer using grub_strcpy() function. During this step it fails to
> consider the environment variable length when allocating the internal buffer,
> resulting in an out-of-bounds write. If correctly exploited this issue may
> result in remote code execution through the same network segment the grub is
> searching for the boot information, which can be used to by-pass secure boot
> protections.
> 
> Reported-by: B Horn
> 
> *******************************************************************************
> 
> CVE-2025-0677: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> When performing a symlink lookup the grub's UFS module checks the inode's data
> size to allocate the internal buffer for reading the file content however it
> fails to check if the symlink data size has overflown. If that happens
> grub_malloc() may be called with a smaller value than needed, as a consequence
> when further reading the data from disk into the buffer
> grub_ufs_lookup_symlink() function will write past the end of the allocated
> size. An attacker may leverage that by crafting a malicious filesystem and as
> a result it will corrupt data stored in the heap, it's possible that arbitrary
> code execution may be achieved through it and to be used to by-pass secure boot
> mechanisms.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-0678: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> When reading data from a squash4 filesystem, grub's squash4 fs module uses
> user-controlled parameters from the filesystem geometry to determine the
> internal buffers size, however it fails to properly check for integer
> overflows. A maliciously crafted filesystem may lead some of those buffer size
> calculation to overflow, causing it to perform a grub_malloc() operation with
> a smaller size than expected. As a result the direct_read() will perform a heap
> based out-of-bounds write during data reading. This flaw may be leveraged to
> corrupt grub's internal critical data and may result in arbitrary code
> execution by-passing secure boot protections.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> When performing a symlink lookup from a reiserfs filesystem, grub's reiserfs fs
> module uses user-controlled parameters from the filesystem geometry to
> determine the internal buffers size, however it fails to properly check for
> integer overflows. A maliciously crafted filesystem may lead some of those
> buffer size calculation to overflow, causing it to perform a grub_malloc()
> operation with a smaller size than expected. As a result the
> grub_reiserfs_read_symlink() will call grub_reiserfs_read_real() with
> an overflown length parameter leading to a heap based out-of-bounds write during
> data reading. This flaw may be leveraged to corrupt grub's internal critical
> data and may result in arbitrary code execution by-passing secure boot
> protections.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> When reading data from a jfs filesystem, grub's jfs filesystem module uses
> user-controlled parameters from the filesystem geometry to determine the
> internal buffers size, however it fails to properly check for integer
> overflows. A maliciously crafted filesystem may lead some of those buffer size
> calculation to overflow, causing it to perform a grub_malloc() operation with
> a smaller size than expected. As a result the grub_jfs_lookup_symlink() function
> will write past the internal buffer length during grub_jfs_read_file(). This
> flaw may be leveraged to corrupt grub's internal critical data and may result
> in arbitrary code execution by-passing secure boot protections.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> When performing a symlink lookup from a romfs filesystem, grub's romfs
> filesystem module uses user-controlled parameters from the filesystem geometry
> to determine the internal buffers size, however it fails to properly check for
> integer overflows. A maliciously crafted filesystem may lead some of those
> buffer size calculation to overflow, causing it to perform a grub_malloc()
> operation with a smaller size than expected. As a result the
> grub_romfs_read_symlink() may cause an out-of-bounds write when calling
> grub_disk_read() function. This flaw may be leveraged to corrupt grub's
> internal critical data and may result in arbitrary code execution by-passing
> secure boot protections.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-0689: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> When reading data from disk, the grub's UDF filesystem module utilizes the user
> controlled data length metadata to allocate its internal buffers. In certain
> scenarios, while iterating through disk sectors, it assumes the read size from
> the disk is always smaller than the allocated buffer size which is not
> guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow
> resulting in critical data to be corrupted, resulting in the risk of arbitrary
> code execution by-passing secure boot protections.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write
> CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H - 6.1
> 
> The read command is used to read the keyboard input from the user, while reading
> it keeps the input length in a 32-bit integer value which is further used to
> reallocate the line buffer to accept the next character. During this process,
> with a line big enough it's possible to make this variable overflow leading
> to an out-of-bounds write in the heap based buffer. This flaw may be leveraged
> to corrupt grub's internal critical data and secure boot bypass is not
> discarded as a consequence.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-1118: commands/dump: The dump command is not in lockdown when secure boot is enabled
> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4
> 
> The grub's dump command is not blocked when grub is in lockdown mode. This
> allows the user to read any memory information, an attacker may leverage that
> in order to extract signatures, salts and other sensitive information from the
> memory.
> 
> Reported-by: B Horn
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
> CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
> CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
> 
> When reading data from a hfs filesystem, grub's hfs filesystem module uses
> user-controlled parameters from the filesystem metadata to calculate the
> internal buffers size, however it fails to properly check for integer
> overflows. A maliciously crafted filesystem may lead some of those buffer size
> calculation to overflow, causing it to perform a grub_malloc() operation with
> a smaller size than expected. As a result the hfsplus_open_compressed_real()
> function will write past the internal buffer length. This flaw may be
> leveraged to corrupt grub's internal critical data and may result in arbitrary
> code execution by-passing secure boot protections.
> 
> Reported-by: Jonathan Bar Or
> 
> *******************************************************************************
> 
>  docs/grub.texi                         |  30 ++++
>  grub-core/bus/usb/ehci.c               |   2 +-
>  grub-core/commands/extcmd.c            |   3 +
>  grub-core/commands/hexdump.c           |   7 +-
>  grub-core/commands/ls.c                |   6 +-
>  grub-core/commands/memrw.c             |  21 +--
>  grub-core/commands/minicmd.c           |   6 +-
>  grub-core/commands/pgp.c               |   2 +
>  grub-core/commands/read.c              |  19 ++-
>  grub-core/commands/test.c              |  21 ++-
>  grub-core/disk/ata.c                   |   4 +-
>  grub-core/disk/cryptodisk.c            | 124 +++++++++++++--
>  grub-core/disk/diskfilter.c            |   9 +-
>  grub-core/disk/ieee1275/obdisk.c       |  49 +++++-
>  grub-core/disk/ieee1275/ofdisk.c       |  64 ++++++--
>  grub-core/disk/ldm.c                   |  42 ++++-
>  grub-core/disk/loopback.c              |  18 +++
>  grub-core/disk/luks2.c                 |   7 +-
>  grub-core/disk/lvm.c                   |  20 ++-
>  grub-core/disk/memdisk.c               |   9 +-
>  grub-core/disk/plainmount.c            |   9 +-
>  grub-core/fs/affs.c                    |  10 +-
>  grub-core/fs/archelp.c                 |   9 +-
>  grub-core/fs/bfs.c                     |  10 +-
>  grub-core/fs/btrfs.c                   |  39 ++++-
>  grub-core/fs/cbfs.c                    |  10 +-
>  grub-core/fs/cpio.c                    |   1 +
>  grub-core/fs/cpio_be.c                 |   1 +
>  grub-core/fs/cpio_common.c             |  34 +++-
>  grub-core/fs/erofs.c                   |  10 +-
>  grub-core/fs/ext2.c                    |  11 +-
>  grub-core/fs/f2fs.c                    |  21 ++-
>  grub-core/fs/fat.c                     |   1 +
>  grub-core/fs/hfs.c                     |   3 +-
>  grub-core/fs/hfsplus.c                 |   3 +-
>  grub-core/fs/hfspluscomp.c             |   9 +-
>  grub-core/fs/iso9660.c                 |  18 ++-
>  grub-core/fs/jfs.c                     |  92 ++++++++---
>  grub-core/fs/minix.c                   |  10 +-
>  grub-core/fs/newc.c                    |   1 +
>  grub-core/fs/nilfs2.c                  |  10 +-
>  grub-core/fs/ntfs.c                    | 273 ++++++++++++++++++++++++++++++---
>  grub-core/fs/ntfscomp.c                |  11 +-
>  grub-core/fs/odc.c                     |   1 +
>  grub-core/fs/proc.c                    |   1 +
>  grub-core/fs/reiserfs.c                |  10 +-
>  grub-core/fs/romfs.c                   |  10 +-
>  grub-core/fs/sfs.c                     |  13 +-
>  grub-core/fs/squash4.c                 |  21 ++-
>  grub-core/fs/tar.c                     |  48 ++++--
>  grub-core/fs/udf.c                     |  10 +-
>  grub-core/fs/ufs.c                     |  12 +-
>  grub-core/fs/xfs.c                     |  33 +++-
>  grub-core/fs/zfs/zfs.c                 |  87 +++++++++--
>  grub-core/gettext/gettext.c            |  15 +-
>  grub-core/kern/disk.c                  |  27 +++-
>  grub-core/kern/dl.c                    |  22 ++-
>  grub-core/kern/file.c                  |  10 ++
>  grub-core/kern/main.c                  |  12 ++
>  grub-core/kern/misc.c                  |   9 +-
>  grub-core/kern/partition.c             |  22 ++-
>  grub-core/loader/i386/bsd.c            |  14 +-
>  grub-core/loader/i386/linux.c          |   2 +-
>  grub-core/net/bootp.c                  |  16 +-
>  grub-core/net/dns.c                    |  13 +-
>  grub-core/net/drivers/ieee1275/ofnet.c |  20 ++-
>  grub-core/net/net.c                    |  93 +++++++++--
>  grub-core/net/tftp.c                   |  38 +++--
>  grub-core/normal/auth.c                |  30 ++++
>  grub-core/normal/main.c                |  10 +-
>  grub-core/normal/menu.c                |   5 +-
>  grub-core/normal/menu_entry.c          |   4 +
>  grub-core/osdep/linux/getroot.c        |   3 +
>  grub-core/script/execute.c             |  17 ++
>  grub-core/video/readers/jpeg.c         |   4 +
>  grub-core/video/readers/png.c          |   2 +-
>  include/grub/auth.h                    |   1 +
>  include/grub/cryptodisk.h              |   3 +
>  include/grub/dl.h                      |   8 +-
>  include/grub/err.h                     |   4 +-
>  include/grub/fs.h                      |   4 +
>  include/grub/misc.h                    |  41 +++++
>  include/grub/net.h                     |  13 +-
>  include/grub/ntfs.h                    |  25 +++
>  util/misc.c                            |   4 +-
>  85 files changed, 1524 insertions(+), 272 deletions(-)
> 
> Alec Brown (10):
>       disk: Use safe math macros to prevent overflows
>       disk: Prevent overflows when allocating memory for arrays
>       disk: Check if returned pointer for allocated memory is NULL
>       disk/ieee1275/ofdisk: Call grub_ieee1275_close() when grub_malloc() fails
>       net: Check if returned pointer for allocated memory is NULL
>       fs/sfs: Check if allocated memory is NULL
>       bus/usb/ehci: Define GRUB_EHCI_TOGGLE as grub_uint32_t
>       normal/menu: Use safe math to avoid an integer overflow
>       loader/i386/linux: Cast left shift to grub_uint32_t
>       loader/i386/bsd: Use safe math to avoid underflow
> 
> B Horn (31):
>       misc: Implement grub_strlcpy()
>       fs/ufs: Fix a heap OOB write
>       fs/hfs: Fix stack OOB write with grub_strcpy()
>       fs/tar: Initialize name in grub_cpio_find_file()
>       fs/f2fs: Set a grub_errno if mount fails
>       fs/hfsplus: Set a grub_errno if mount fails
>       fs/iso9660: Set a grub_errno if mount fails
>       fs/ntfs: Track the end of the MFT attribute buffer
>       fs/ntfs: Use a helper function to access attributes
>       fs/ntfs: Implement attribute verification
>       fs/xfs: Ensuring failing to mount sets a grub_errno
>       kern/file: Ensure file->data is set
>       kern/file: Implement filesystem reference counting
>       disk/loopback: Reference tracking for the loopback
>       kern/disk: Limit recursion depth
>       kern/partition: Limit recursion in part_iterate()
>       script/execute: Limit the recursion depth
>       net: Unregister net_default_ip and net_default_mac variables hooks on unload
>       net: Remove variables hooks when interface is unregisted
>       net: Fix OOB write in grub_net_search_config_file()
>       net/tftp: Fix stack buffer overflow in tftp_open()
>       kern/dl: Fix for an integer overflow in grub_dl_ref()
>       kern/dl: Use correct segment in grub_dl_set_mem_attrs()
>       kern/dl: Check for the SHF_INFO_LINK flag in grub_dl_relocate_symbols()
>       commands/ls: Fix NULL dereference
>       commands/pgp: Unregister the "check_signatures" hooks on module unload
>       normal: Remove variables hooks on module unload
>       gettext: Remove variables hooks on module unload
>       commands/minicmd: Block the dump command in lockdown mode
>       commands/memrw: Disable memory reading in lockdown mode
>       commands/hexdump: Disable memory reading in lockdown mode
> 
> Daniel Axtens (3):
>       video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
>       fs/bfs: Disable under lockdown
>       fs: Disable many filesystems under lockdown
> 
> Jonathan Bar Or (1):
>       commands/read: Fix an integer overflow when supplying more than 2^31 characters
> 
> Lidong Chen (23):
>       fs/tar: Integer overflow leads to heap OOB write
>       fs/jfs: Fix OOB read in jfs_getent()
>       fs/jfs: Fix OOB read caused by invalid dir slot index
>       fs/jfs: Use full 40 bits offset and address for a data extent
>       fs/jfs: Inconsistent signed/unsigned types usage in return values
>       commands/extcmd: Missing check for failed allocation
>       gettext: Integer overflow leads to heap OOB write or read
>       gettext: Integer overflow leads to heap OOB write
>       commands/test: Stack overflow due to unlimited recursion depth
>       fs: Use safe math macros to prevent overflows
>       fs: Prevent overflows when allocating memory for arrays
>       fs: Prevent overflows when assigning returned values from read_number()
>       fs/zfs: Use safe math macros to prevent overflows
>       fs/zfs: Prevent overflows when allocating memory for arrays
>       fs/zfs: Check if returned pointer for allocated memory is NULL
>       fs/zfs: Add missing NULL check after grub_strdup() call
>       net: Use safe math macros to prevent overflows
>       net: Prevent overflows when allocating memory for arrays
>       script/execute: Fix potential underflow and NULL dereference
>       osdep/unix/getroot: Fix potential underflow
>       misc: Ensure consistent overflow error messages
>       kern/partition: Add sanity check after grub_strtoul() call
>       kern/misc: Add sanity check after grub_strtoul() call
> 
> Michael Chang (5):
>       fs/iso9660: Fix invalid free
>       fs/ext2: Fix out-of-bounds read for inline extents
>       fs/ntfs: Fix out-of-bounds read
>       fs/xfs: Fix out-of-bounds read
>       disk/cryptodisk: Require authentication after TPM unlock for CLI access
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
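
The pattern that recurs in the advisories quoted above (a size taken from filesystem metadata overflows, so the allocator is asked for less than the later read writes) is shown below together with the overflow-checked form. This is an added example, not code from the GRUB patches or from either poster: the struct, the function names and the sample data are constructed for illustration, and the GCC/Clang overflow builtins stand in for the "safe math macros" named in the patch list.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for on-disk symlink metadata (not a GRUB structure).
   'size' comes from the filesystem image, so it is untrusted input. */
struct sample_inode {
  uint32_t size;        /* symlink length as stored on disk */
  const char *data;     /* bytes actually present in the image */
  uint32_t data_len;    /* number of bytes really available */
};

/* Unchecked pattern: in 32-bit arithmetic size + 1 wraps to 0 when
   size == UINT32_MAX, so the allocation no longer covers the bytes the
   later read copies. Returns the size that would be requested. */
uint32_t unchecked_alloc_size(uint32_t size)
{
  return size + 1;
}

/* Checked addition: returns false on wrap-around, result in *out otherwise. */
bool checked_add(uint32_t a, uint32_t b, uint32_t *out)
{
  return !__builtin_add_overflow(a, b, out);
}

/* Checked multiplication for array allocations (count * element size). */
bool checked_mul(uint32_t count, uint32_t elem, uint32_t *out)
{
  return !__builtin_mul_overflow(count, elem, out);
}

/* Hardened symlink read: validates the size arithmetic, the claimed length
   and the allocation result before copying. Returns a NUL-terminated copy
   the caller must free(), or NULL on any failed check. */
char *read_symlink_checked(const struct sample_inode *ino)
{
  uint32_t alloc;
  char *buf;

  if (!checked_add(ino->size, 1, &alloc))
    return NULL;                      /* size + 1 would overflow */
  if (ino->size > ino->data_len)
    return NULL;                      /* metadata claims more than exists */
  buf = malloc(alloc);
  if (buf == NULL)
    return NULL;                      /* failed allocation must be handled */
  memcpy(buf, ino->data, ino->size);
  buf[ino->size] = '\0';
  return buf;
}

int main(void)
{
  /* Constructed sample inodes: one sane, one with a wrapping size field. */
  struct sample_inode good = { 4, "boot", 4 };
  struct sample_inode wrapping = { UINT32_MAX, "boot", 4 };
  char *s = read_symlink_checked(&good);

  printf("unchecked request for size 0x%x: %u bytes\n",
         (unsigned) wrapping.size,
         (unsigned) unchecked_alloc_size(wrapping.size));
  printf("checked read (good): %s\n", s ? s : "(rejected)");
  printf("checked read (wrapping): %s\n",
         read_symlink_checked(&wrapping) ? "accepted" : "(rejected)");
  free(s);
  return 0;
}
```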

