56 lines
1.4 KiB
Diff
56 lines
1.4 KiB
Diff
|
From 2cb6585529e7d1e522d71a13f382d8cc3d326555 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Daniel Axtens <dja@axtens.net>
|
||
|
|
Date: Sat, 23 Mar 2024 15:59:43 +1100
|
||
|
|
Subject: [PATCH 18/20] fs/bfs: Disable under lockdown
|
||
|
|
|
||
|
|
The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
|
||
|
|
This will also disable the AFS.
|
||
|
|
|
||
|
|
Fixes: CVE-2024-45778
|
||
|
|
Fixes: CVE-2024-45779
|
||
|
|
|
||
|
|
Reported-by: Nils Langius <nils@langius.de>
|
||
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||
|
|
---
|
||
|
|
grub-core/fs/bfs.c | 11 ++++++++---
|
||
|
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
|
||
|
|
index f37b168958..c92fd79168 100644
|
||
|
|
--- a/grub-core/fs/bfs.c
|
||
|
|
+++ b/grub-core/fs/bfs.c
|
||
|
|
@@ -30,6 +30,7 @@
|
||
|
|
#include <grub/types.h>
|
||
|
|
#include <grub/i18n.h>
|
||
|
|
#include <grub/fshelp.h>
|
||
|
|
+#include <grub/lockdown.h>
|
||
|
|
|
||
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||
|
|
|
||
|
|
@@ -1106,8 +1107,11 @@ GRUB_MOD_INIT (bfs)
|
||
|
|
{
|
||
|
|
COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
|
||
|
|
sizeof (struct grub_bfs_extent));
|
||
|
|
- grub_bfs_fs.mod = mod;
|
||
|
|
- grub_fs_register (&grub_bfs_fs);
|
||
|
|
+ if (!grub_is_lockdown ())
|
||
|
|
+ {
|
||
|
|
+ grub_bfs_fs.mod = mod;
|
||
|
|
+ grub_fs_register (&grub_bfs_fs);
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
|
||
|
|
#ifdef MODE_AFS
|
||
|
|
@@ -1116,5 +1120,6 @@ GRUB_MOD_FINI (afs)
|
||
|
|
GRUB_MOD_FINI (bfs)
|
||
|
|
#endif
|
||
|
|
{
|
||
|
|
- grub_fs_unregister (&grub_bfs_fs);
|
||
|
|
+ if (!grub_is_lockdown ())
|
||
|
|
+ grub_fs_unregister (&grub_bfs_fs);
|
||
|
|
}
|
||
|
|
--
|
||
|
|
2.48.1
|
||
|
|
|