Commit ff8a98ea authored by Lorenzo "Palinuro" Faletra

Import Debian changes 2.04-11parrot1

grub2 (2.04-11parrot1) rolling-testing; urgency=medium
.
  * Import new Debian release.
.
grub2 (2.04-11) unstable; urgency=medium
.
  * grub-install: Fix backup restoration on i386.
.
grub2 (2.04-10) unstable; urgency=medium
.
  [ Ian Campbell ]
  * Remove myself from uploaders.
.
  [ Colin Watson ]
  * When upgrading grub-pc noninteractively, bail out if grub-install fails.
    It's better to fail the upgrade than to produce a possibly-unbootable
    system.
  * Explicitly check whether the target device exists before running
    grub-install, since grub-install copies modules to /boot/grub/ before
    installing the core image, and the new modules might be incompatible
    with the old core image (closes: #966575).
  * Cherry-pick from upstream:
    - tftp: Roll-over block counter to prevent data packets timeouts
      (LP: #1892290).
.
  [ Dimitri John Ledkov ]
  * grub-install: Add backup and restore.
  * Don't call grub-install on fresh install of grub-pc.  It's the job of
    installers to do that after a fresh install.
.
grub2 (2.04-9) unstable; urgency=high
.
  * Backport security patch series from upstream:
    - CVE-2020-10713: yylex: Make lexer fatal errors actually be fatal
    - safemath: Add some arithmetic primitives that check for overflow
    - calloc: Make sure we always have an overflow-checking calloc()
      available
    - CVE-2020-14308: calloc: Use calloc() at most places
    - CVE-2020-14309, CVE-2020-14310, CVE-2020-14311: malloc: Use overflow
      checking primitives where we do complex allocations
    - iso9660: Don't leak memory on realloc() failures
    - font: Do not load more than one NAME section
    - gfxmenu: Fix double free in load_image()
    - xnu: Fix double free in grub_xnu_devprop_add_property()
    - lzma: Make sure we don't dereference past array
    - term: Fix overflow on user inputs
    - udf: Fix memory leak
    - multiboot2: Fix memory leak if grub_create_loader_cmdline() fails
    - tftp: Do not use priority queue
    - relocator: Protect grub_relocator_alloc_chunk_addr() input args
      against integer underflow/overflow
    - relocator: Protect grub_relocator_alloc_chunk_align() max_addr against
      integer underflow
    - script: Remove unused fields from grub_script_function struct
    - CVE-2020-15706: script: Avoid a use-after-free when redefining a
      function during execution
    - relocator: Fix grub_relocator_alloc_chunk_align() top memory
      allocation
    - hfsplus: fix two more overflows
    - lvm: fix two more potential data-dependent alloc overflows
    - emu: make grub_free(NULL) safe
    - efi: fix some malformed device path arithmetic errors
    - Fix a regression caused by "efi: fix some malformed device path
      arithmetic errors"
    - update safemath with fallback code for gcc older than 5.1
    - efi: Fix use-after-free in halt/reboot path
    - linux loader: avoid overflow on initrd size calculation
  * CVE-2020-15707: linux: Fix integer overflows in initrd size handling
  * Apply overflow checking to allocations in Debian patches:
    - bootp: Fix integer overflow in parse_dhcp6_option
    - unix/config: Fix integer overflow in grub_util_load_config
    - deviceiter: Fix integer overflow in grub_util_iterate_devices
parent ba1d39f1
# see git-dpm(1) from git-dpm package
3017210d8539946c516003270cba7f3de569f2b3
3017210d8539946c516003270cba7f3de569f2b3
50f471964d9b954be2c1fb9bb82e608d657d6fc9
50f471964d9b954be2c1fb9bb82e608d657d6fc9
578bb115fbd47e1c464696f1f8d6183e5443975d
578bb115fbd47e1c464696f1f8d6183e5443975d
grub2_2.04.orig.tar.xz
......
grub2 (2.04-11parrot1) rolling-testing; urgency=medium
* Import new Debian release.
-- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org> Tue, 05 Jan 2021 23:59:57 +0100
grub2 (2.04-11) unstable; urgency=medium
* grub-install: Fix backup restoration on i386.
-- Colin Watson <cjwatson@debian.org> Sun, 06 Dec 2020 18:29:51 +0000
grub2 (2.04-10) unstable; urgency=medium
[ Ian Campbell ]
* Remove myself from uploaders.
[ Colin Watson ]
* When upgrading grub-pc noninteractively, bail out if grub-install fails.
It's better to fail the upgrade than to produce a possibly-unbootable
system.
* Explicitly check whether the target device exists before running
grub-install, since grub-install copies modules to /boot/grub/ before
installing the core image, and the new modules might be incompatible
with the old core image (closes: #966575).
* Cherry-pick from upstream:
- tftp: Roll-over block counter to prevent data packets timeouts
(LP: #1892290).
[ Dimitri John Ledkov ]
* grub-install: Add backup and restore.
* Don't call grub-install on fresh install of grub-pc. It's the job of
installers to do that after a fresh install.
-- Colin Watson <cjwatson@debian.org> Sun, 08 Nov 2020 16:26:08 +0000
grub2 (2.04-9) unstable; urgency=high
* Backport security patch series from upstream:
- CVE-2020-10713: yylex: Make lexer fatal errors actually be fatal
- safemath: Add some arithmetic primitives that check for overflow
- calloc: Make sure we always have an overflow-checking calloc()
available
- CVE-2020-14308: calloc: Use calloc() at most places
- CVE-2020-14309, CVE-2020-14310, CVE-2020-14311: malloc: Use overflow
checking primitives where we do complex allocations
- iso9660: Don't leak memory on realloc() failures
- font: Do not load more than one NAME section
- gfxmenu: Fix double free in load_image()
- xnu: Fix double free in grub_xnu_devprop_add_property()
- lzma: Make sure we don't dereference past array
- term: Fix overflow on user inputs
- udf: Fix memory leak
- multiboot2: Fix memory leak if grub_create_loader_cmdline() fails
- tftp: Do not use priority queue
- relocator: Protect grub_relocator_alloc_chunk_addr() input args
against integer underflow/overflow
- relocator: Protect grub_relocator_alloc_chunk_align() max_addr against
integer underflow
- script: Remove unused fields from grub_script_function struct
- CVE-2020-15706: script: Avoid a use-after-free when redefining a
function during execution
- relocator: Fix grub_relocator_alloc_chunk_align() top memory
allocation
- hfsplus: fix two more overflows
- lvm: fix two more potential data-dependent alloc overflows
- emu: make grub_free(NULL) safe
- efi: fix some malformed device path arithmetic errors
- Fix a regression caused by "efi: fix some malformed device path
arithmetic errors"
- update safemath with fallback code for gcc older than 5.1
- efi: Fix use-after-free in halt/reboot path
- linux loader: avoid overflow on initrd size calculation
* CVE-2020-15707: linux: Fix integer overflows in initrd size handling
* Apply overflow checking to allocations in Debian patches:
- bootp: Fix integer overflow in parse_dhcp6_option
- unix/config: Fix integer overflow in grub_util_load_config
- deviceiter: Fix integer overflow in grub_util_iterate_devices
-- Colin Watson <cjwatson@debian.org> Wed, 29 Jul 2020 17:58:37 +0100
grub2 (2.04-8parrot1) rolling; urgency=medium
* Import new Debian release.
......
......@@ -2,7 +2,8 @@ Source: grub2
Section: admin
Priority: optional
XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Maintainer: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Maintainer: Parrot Dev Team <team@parrotsec.org>
Uploaders: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Build-Depends: debhelper-compat (= 10),
patchutils,
python3,
......@@ -37,8 +38,8 @@ Build-Depends: debhelper-compat (= 10),
Build-Conflicts: autoconf2.13, libzfs-dev, libnvpair-dev
Standards-Version: 3.9.6
Homepage: https://www.gnu.org/software/grub/
Vcs-Git: https://nest.parrotsec.org/packages/debian/grub2
Vcs-Browser: https://nest.parrotsec.org/packages/debian/grub2
Vcs-Git: https://gitlab.com/kalilinux/packages/grub2.git
Vcs-Browser: https://gitlab.com/kalilinux/packages/grub2
Rules-Requires-Root: no
Package: grub2
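Review bot: the second hunk carries two Vcs-Git/Vcs-Browser pairs, one pointing at nest.parrotsec.org and one at gitlab.com/kalilinux, and only the Parrot pair belongs in the final control file, since the first hunk moves Maintainer to the Parrot Dev Team and keeps the Debian GRUB maintainers in XSBC-Original-Maintainer. Check that the kalilinux lines are the ones being dropped, and that exactly one Maintainer: field remains (dpkg rejects a duplicate field). Standards-Version 3.9.6 is left untouched here; it is far behind current policy, but bumping it is a separate change.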
......
......@@ -9,9 +9,9 @@ License: GPL-3+
Files: debian/*
Copyright: 2003, 2004, 2005, 2006, 2007, 2008, 2009, Robert Millan
2005, 2006, 2007, Otavio Salvador
2008, 2009, Felix Zielcke
2009, Jordi Mallach
2005, 2006, 2007, Otavio Salvador
2008, 2009, Felix Zielcke
2009, Jordi Mallach
License: GPL-3+
Files: debian/grub-extras/*
......@@ -162,21 +162,21 @@ License: CC-BY-SA-3.0
to Distribute and Publicly Perform Adaptations.
.
For the avoidance of doubt:
Non-waivable Compulsory License Schemes. In those jurisdictions in
which the right to collect royalties through any statutory or
compulsory licensing scheme cannot be waived, the Licensor reserves
the exclusive right to collect such royalties for any exercise by
You of the rights granted under this License;
Waivable Compulsory License Schemes. In those jurisdictions in which
the right to collect royalties through any statutory or compulsory
licensing scheme can be waived, the Licensor waives the exclusive
right to collect such royalties for any exercise by You of the
rights granted under this License; and,
Voluntary License Schemes. The Licensor waives the right to collect
royalties, whether individually or, in the event that the Licensor
is a member of a collecting society that administers voluntary
licensing schemes, via that society, from any exercise by You of the
rights granted under this License.
Non-waivable Compulsory License Schemes. In those jurisdictions in
which the right to collect royalties through any statutory or
compulsory licensing scheme cannot be waived, the Licensor reserves
the exclusive right to collect such royalties for any exercise by
You of the rights granted under this License;
Waivable Compulsory License Schemes. In those jurisdictions in which
the right to collect royalties through any statutory or compulsory
licensing scheme can be waived, the Licensor waives the exclusive
right to collect such royalties for any exercise by You of the
rights granted under this License; and,
Voluntary License Schemes. The Licensor waives the right to collect
royalties, whether individually or, in the event that the Licensor
is a member of a collecting society that administers voluntary
licensing schemes, via that society, from any exercise by You of the
rights granted under this License.
.
The above rights may be exercised in all media and formats whether now
known or hereafter devised. The above rights include the right to make such
......
[DEFAULT]
debian-branch = kali/master
debian-tag = kali/%(version)s
pristine-tar = True
[pq]
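Review bot: debian-branch = kali/master and debian-tag = kali/%(version)s are Kali's gbp settings, which do not match a package whose Maintainer and Vcs fields now point at Parrot. gbp buildpackage refuses to build when the checked-out branch is not debian-branch, and gbp tags would get a kali/ prefix, so either set these to the branch and tag scheme the nest.parrotsec.org repository actually uses or drop the file if gbp is not used on the Parrot side.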
......
From 705b89f19fff03054f7167e1785461492688d61b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 15 Apr 2020 15:45:02 -0400
Subject: yylex: Make lexer fatal errors actually be fatal
When presented with a command that can't be tokenized to anything
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
expecting that will stop further processing, as such:
  #define YY_DO_BEFORE_ACTION \
          yyg->yytext_ptr = yy_bp; \
          yyleng = (int) (yy_cp - yy_bp); \
          yyg->yy_hold_char = *yy_cp; \
          *yy_cp = '\0'; \
          if ( yyleng >= YYLMAX ) \
                  YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
          yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
          yyg->yy_c_buf_p = yy_cp;
The code flex generates expects that YY_FATAL_ERROR() will either return
for it or do some form of longjmp(), or handle the error in some way at
least, and so the strncpy() call isn't in an "else" clause, and thus if
YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
questionable limit, and predictable results ensue.
Unfortunately, our implementation of YY_FATAL_ERROR() is:
  #define YY_FATAL_ERROR(msg) \
    do { \
      grub_printf (_("fatal error: %s\n"), _(msg)); \
    } while (0)
The same pattern exists in yyless(), and similar problems exist in users
of YY_INPUT(), several places in the main parsing loop,
yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
yy_scan_buffer(), etc.
All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
the things they do if it returns after calling it are wildly unsafe.
Fixes: CVE-2020-10713
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: CVE-2020-10713.patch
---
grub-core/script/yylex.l | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
index 7b44c37b7..b7203c823 100644
--- a/grub-core/script/yylex.l
+++ b/grub-core/script/yylex.l
@@ -37,11 +37,11 @@
/*
* As we don't have access to yyscanner, we cannot do much except to
- * print the fatal error.
+ * print the fatal error and exit.
*/
#define YY_FATAL_ERROR(msg) \
do { \
- grub_printf (_("fatal error: %s\n"), _(msg)); \
+ grub_fatal (_("fatal error: %s\n"), _(msg));\
} while (0)
#define COPY(str, hint) \
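Review bot: the updated comment says "print the fatal error and exit", but grub_fatal never returns (it ends in grub_abort), so an over-long token now aborts GRUB instead of falling through into the yy_flex_strncpy call with the unchecked length; that is the right outcome for this boundary and worth stating plainly in the comment so nobody later "fixes" it back into a returning error. Two nits on the replacement grub_fatal line: the format string keeps a trailing \n that grub_abort's own "\nAborted." output will double, and the line drops the space before the continuation backslash that the rest of the macro uses.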
From d8c9aaa767a83470147c843acc6d97f70140ebdf Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Fri, 24 Jul 2020 11:24:28 +0100
Subject: bootp: Improve allocation handling in parse_dhcp6_option
This adjusts Debian's net_bootp6 patch to perform safe allocation. (In
practice this isn't a security problem because `ln` is 16 bits so it
can't overflow after promotion to 32 bits.)
Signed-off-by: Colin Watson <cjwatson@debian.org>
Patch-Name: bootp-alloc.patch
---
grub-core/net/bootp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
index dd0ffcdae..efa92b89b 100644
--- a/grub-core/net/bootp.c
+++ b/grub-core/net/bootp.c
@@ -857,7 +857,7 @@ parse_dhcp6_option (const struct grub_net_dhcp6_option *opt, void *data)
break;
}
dhcp6->num_dns_server = ln = len >> 4;
- dhcp6->dns_server_addrs = la = grub_zalloc (ln * sizeof (*la));
+ dhcp6->dns_server_addrs = la = grub_calloc (ln, sizeof (*la));
for (po = opt->data; ln > 0; po += 0x10, la++, ln--)
{
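Review bot: the grub_calloc result assigned to la (and to dhcp6->dns_server_addrs) is never checked before the for loop starts writing through la, so an allocation failure is a NULL dereference, and dhcp6->num_dns_server has already been set to a non-zero count for an array that does not exist. Unless a check sits in context not shown here, bail out immediately after the allocation, for example `if (!la) { dhcp6->num_dns_server = 0; break; }`; grub_calloc already sets grub_errno, so nothing else needs reporting.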
From 4bb7f63fd56a4b1408d871eadbdc24cd73c9e9ed Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Fri, 24 Jul 2020 11:30:46 +0100
Subject: deviceiter: Fix integer overflow in grub_util_iterate_devices
This adjusts Debian's grub-mkdevicemap restoration patch to perform safe
allocation.
Signed-off-by: Colin Watson <cjwatson@debian.org>
Patch-Name: deviceiter-overflow.patch
---
util/deviceiter.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/util/deviceiter.c b/util/deviceiter.c
index dddc50da7..3a8f2770e 100644
--- a/util/deviceiter.c
+++ b/util/deviceiter.c
@@ -35,6 +35,7 @@
#include <grub/list.h>
#include <grub/misc.h>
#include <grub/emu/misc.h>
+#include <grub/safemath.h>
#ifdef __linux__
# if !defined(__GLIBC__) || \
@@ -576,7 +577,7 @@ grub_util_iterate_devices (int (*hook) (const char *, int, void *), void *hook_d
struct device *devs;
size_t devs_len = 0, devs_max = 1024, dev;
- devs = xmalloc (devs_max * sizeof (*devs));
+ devs = xcalloc (devs_max, sizeof (*devs));
/* Dump all the directory entries into names, resizing if
necessary. */
@@ -598,8 +599,13 @@ grub_util_iterate_devices (int (*hook) (const char *, int, void *), void *hook_d
continue;
if (devs_len >= devs_max)
{
+ size_t sz;
+
devs_max *= 2;
- devs = xrealloc (devs, devs_max * sizeof (*devs));
+ sz = devs_max;
+ if (grub_mul (sz, sizeof (*devs), &sz))
+ grub_util_error ("%s", _("overflow is detected"));
+ devs = xrealloc (devs, sz);
}
devs[devs_len].stable =
xasprintf ("/dev/disk/by-id/%s", entry->d_name);
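Review bot: in the last hunk the doubling `devs_max *= 2;` runs before the grub_mul guard, so the multiplication by two itself is unchecked; on a 64-bit host that can only wrap once devs_max reaches 2^63 entries, so it is theoretical, but folding it into the same guard keeps the intent obvious: `if (grub_mul (devs_max, 2, &devs_max) || grub_mul (devs_max, sizeof (*devs), &sz))` followed by the existing grub_util_error call. Reusing sz as both input and output of grub_mul is fine, since it wraps __builtin_mul_overflow where the compiler supports it. The xcalloc change in the previous hunk cannot overflow with the constant 1024 but keeps the file consistent.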
From bb5fc65035e82509b0565bfe2994fbe6cc11016e Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Mon, 20 Jul 2020 23:03:05 +0000
Subject: efi: Fix use-after-free in halt/reboot path
commit 92bfc33db984 ("efi: Free malloc regions on exit")
introduced memory freeing in grub_efi_fini(), which is
used not only by exit path but by halt/reboot one as well.
As result of memory freeing, code and data regions used by
modules, such as halt, reboot, acpi (used by halt) also got
freed. After return to module code, CPU executes, filled
by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as
a code. Which leads to #UD exception later.
grub> halt
!!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!!
RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246
RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41
RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000
RSI - 00000000064DB768, RDI - 000000000832C5C3
R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52
R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4
R14 - 0000000003E10D80, R15 - 00000000061E2F60
DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030
GS - 0000000000000030, SS - 0000000000000030
CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000
CR4 - 0000000000000668, CR8 - 0000000000000000
DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000
IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000
FXSAVE_STATE - 0000000007F0F4C0
Proposal here is to continue to free allocated memory for
exit boot services path but keep it for halt/reboot path
as it won't be much security concern here.
Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY
loader flag to be used by efi halt/reboot path.
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Patch-Name: efi-halt-reboot-use-after-free.patch
---
grub-core/kern/arm/efi/init.c | 3 +++
grub-core/kern/arm64/efi/init.c | 3 +++
grub-core/kern/efi/efi.c | 3 ++-
grub-core/kern/efi/init.c | 1 -
grub-core/kern/i386/efi/init.c | 9 +++++++--
grub-core/kern/ia64/efi/init.c | 9 +++++++--
grub-core/kern/riscv/efi/init.c | 3 +++
grub-core/lib/efi/halt.c | 3 ++-
include/grub/loader.h | 1 +
9 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/grub-core/kern/arm/efi/init.c b/grub-core/kern/arm/efi/init.c
index 06df60e2f..40c3b467f 100644
--- a/grub-core/kern/arm/efi/init.c
+++ b/grub-core/kern/arm/efi/init.c
@@ -71,4 +71,7 @@ grub_machine_fini (int flags)
efi_call_1 (b->close_event, tmr_evt);
grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/arm64/efi/init.c b/grub-core/kern/arm64/efi/init.c
index 6224999ec..5010caefd 100644
--- a/grub-core/kern/arm64/efi/init.c
+++ b/grub-core/kern/arm64/efi/init.c
@@ -57,4 +57,7 @@ grub_machine_fini (int flags)
return;
grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index e12261fd5..acb38d61f 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -157,7 +157,8 @@ grub_efi_get_loaded_image (grub_efi_handle_t image_handle)
void
grub_reboot (void)
{
- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN);
+ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN |
+ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY);
efi_call_4 (grub_efi_system_table->runtime_services->reset_system,
GRUB_EFI_RESET_COLD, GRUB_EFI_SUCCESS, 0, NULL);
for (;;) ;
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 3dfdf2d22..2c31847bf 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -80,5 +80,4 @@ grub_efi_fini (void)
{
grub_efidisk_fini ();
grub_console_fini ();
- grub_efi_memory_fini ();
}
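Review bot: removing grub_efi_memory_fini from grub_efi_fini shifts the responsibility for releasing allocations to every grub_machine_fini implementation; this patch covers arm, arm64, i386, ia64 and riscv, so any remaining caller of grub_efi_fini that relied on the old behaviour needs checking before this lands. The new GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY value added to loader.h also deserves a one-line comment saying it keeps module code and data mapped because the halt and reboot paths return into module code after grub_machine_fini, which is the #UD shown in the description.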
diff --git a/grub-core/kern/i386/efi/init.c b/grub-core/kern/i386/efi/init.c
index da499aba0..deb2eacd8 100644
--- a/grub-core/kern/i386/efi/init.c
+++ b/grub-core/kern/i386/efi/init.c
@@ -39,6 +39,11 @@ grub_machine_init (void)
void
grub_machine_fini (int flags)
{
- if (flags & GRUB_LOADER_FLAG_NORETURN)
- grub_efi_fini ();
+ if (!(flags & GRUB_LOADER_FLAG_NORETURN))
+ return;
+
+ grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/ia64/efi/init.c b/grub-core/kern/ia64/efi/init.c
index b5ecbd091..f1965571b 100644
--- a/grub-core/kern/ia64/efi/init.c
+++ b/grub-core/kern/ia64/efi/init.c
@@ -70,6 +70,11 @@ grub_machine_init (void)
void
grub_machine_fini (int flags)
{
- if (flags & GRUB_LOADER_FLAG_NORETURN)
- grub_efi_fini ();
+ if (!(flags & GRUB_LOADER_FLAG_NORETURN))
+ return;
+
+ grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/riscv/efi/init.c b/grub-core/kern/riscv/efi/init.c
index 7eb1969d0..38795fe67 100644
--- a/grub-core/kern/riscv/efi/init.c
+++ b/grub-core/kern/riscv/efi/init.c
@@ -73,4 +73,7 @@ grub_machine_fini (int flags)
return;
grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/lib/efi/halt.c b/grub-core/lib/efi/halt.c
index 5859f0498..29d413641 100644
--- a/grub-core/lib/efi/halt.c
+++ b/grub-core/lib/efi/halt.c
@@ -28,7 +28,8 @@
void
grub_halt (void)
{
- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN);
+ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN |
+ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY);
#if !defined(__ia64__) && !defined(__arm__) && !defined(__aarch64__) && \
!defined(__riscv)
grub_acpi_halt ();
diff --git a/include/grub/loader.h b/include/grub/loader.h
index 7f82a499f..b20864282 100644
--- a/include/grub/loader.h
+++ b/include/grub/loader.h
@@ -33,6 +33,7 @@ enum
{
GRUB_LOADER_FLAG_NORETURN = 1,
GRUB_LOADER_FLAG_PXE_NOT_UNLOAD = 2,
+ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY = 4,
};
void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
From c5763039a630dee079f0afbd5ced9cd74efe0b71 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Wed, 22 Jul 2020 17:06:04 +0100
Subject: Fix a regression caused by "efi: fix some malformed device path
arithmetic errors"
This commit introduced a bogus check inside copy_file_path to
determine whether the destination grub_efi_file_path_device_path_t
was valid before anything was copied to it. Depending on the
contents of the heap buffer, this check could fail which would
result in copy_file_path returning early.
Without any error propagated to the caller, make_file_path would
then try to advance the invalid device path node with
GRUB_EFI_NEXT_DEVICE_PATH, which would also fail, returning a NULL
pointer that would subsequently be dereferenced.
Remove the bogus check, and also propagate errors from copy_file_path.
Patch-Name: efi-malformed-device-path-2.patch
---
grub-core/loader/efi/chainloader.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index 978fab002..e9b06242a 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -106,7 +106,7 @@ grub_chainloader_boot (void)
return grub_errno;
}
-static void
+static grub_err_t
copy_file_path (grub_efi_file_path_device_path_t *fp,
const char *str, grub_efi_uint16_t len)
{
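Review bot: the patch header carries no Signed-off-by line, unlike every other patch in this series; add one so the backport's provenance is recorded. The signature change from void to grub_err_t is the right fix, since a void return is what let make_file_path advance past a node that was never written.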
@@ -116,15 +116,9 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE;
fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE;
- if (!GRUB_EFI_DEVICE_PATH_VALID ((grub_efi_device_path_t *)fp))
- {
- grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI Device Path is invalid");
- return;
- }
-
path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
if (!path_name)
- return;
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "failed to allocate path buffer");
size = grub_utf8_to_utf16 (path_name, len * GRUB_MAX_UTF16_PER_UTF8,
(const grub_uint8_t *) str, len, 0);
@@ -137,6 +131,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
fp->path_name[size++] = '\0';
fp->header.length = size * sizeof (grub_efi_char16_t) + sizeof (*fp);
grub_free (path_name);
+ return GRUB_ERR_NONE;
}
static grub_efi_device_path_t *
@@ -195,13 +190,19 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
d = (grub_efi_device_path_t *) ((char *) file_path
+ ((char *) d - (char *) dp));
grub_efi_print_device_path (d);
- copy_file_path ((grub_efi_file_path_device_path_t *) d,
- dir_start, dir_end - dir_start);
+ if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
+ dir_start, dir_end - dir_start) != GRUB_ERR_NONE)
+ {
+ fail:
+ grub_free (file_path);
+ return 0;
+ }
/* Fill the file path for the file. */
d = GRUB_EFI_NEXT_DEVICE_PATH (d);
- copy_file_path ((grub_efi_file_path_device_path_t *) d,
- dir_end + 1, grub_strlen (dir_end + 1));
+ if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
+ dir_end + 1, grub_strlen (dir_end + 1)) != GRUB_ERR_NONE)
+ goto fail;
/* Fill the end of device path nodes. */
d = GRUB_EFI_NEXT_DEVICE_PATH (d);
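Review bot: the `fail:` label is placed inside the body of the first `if (copy_file_path (...) != GRUB_ERR_NONE)` block and then reached by `goto fail` from the second check; that is legal C, but a label inside a compound statement is easy to misread as only being reachable from that block. Hoist the label to the end of make_file_path, after the success return, and have both checks `goto fail`. Returning 0 after grub_free (file_path) is otherwise correct, because copy_file_path has already set grub_errno through grub_error.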
From 9735a4b2f52caf79e5804ca3e959f0f444a8716c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 16:53:27 -0400
Subject: efi: fix some malformed device path arithmetic errors.
Several places we take the length of a device path and subtract 4 from
it, without ever checking that it's >= 4. There are also cases where
this kind of malformation will result in unpredictable iteration,
including treating the length from one dp node as the type in the next
node. These are all errors, no matter where the data comes from.
This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
the length is too small. Additionally, it makes several places in the
code check for and return errors in these cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
Patch-Name: efi-malformed-device-path.patch
---
grub-core/kern/efi/efi.c | 67 +++++++++++++++++++++++++-----
grub-core/loader/efi/chainloader.c | 19 ++++++++-
grub-core/loader/i386/xnu.c | 9 ++--
include/grub/efi/api.h | 14 ++++---
4 files changed, 88 insertions(+), 21 deletions(-)
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index ad170c7ce..e12261fd5 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -360,7 +360,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
dp = dp0;