grub2/0032-Use-grub_loader_set_ex-for-secureboot-chainloader.patch

262 lines
9.3 KiB
Diff
Raw Normal View History

Accepting request 981228 from home:michael-chang:branches:Base:System - Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
2022-06-08 05:04:17 +02:00
From 836337d9b895da32bcbc451c84bc3a7865a15963 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Mon, 18 Apr 2022 22:16:49 +0800
Subject: [PATCH 32/32] Use grub_loader_set_ex() for secureboot chainloader
This is required as many distributions, including SUSE, has been
shipping a variation to load and start image using native functions than
calling out efi protocols when secure boot is enabled and shim lock is
used to verify image.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/loader/efi/chainloader.c | 100 +++++++++++++++++++----------
1 file changed, 66 insertions(+), 34 deletions(-)
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index b3e1e89302..48d69c7795 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -53,10 +53,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
static grub_dl_t my_mod;
-static grub_ssize_t fsize;
-static grub_ssize_t cmdline_len;
-static grub_efi_handle_t dev_handle;
-
#ifdef SUPPORT_SECURE_BOOT
static grub_efi_boolean_t debug_secureboot = 0;
static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
@@ -76,8 +72,6 @@ grub_chainloader_unload (void *context)
b = grub_efi_system_table->boot_services;
efi_call_1 (b->unload_image, image_handle);
- dev_handle = 0;
-
grub_dl_unref (my_mod);
return GRUB_ERR_NONE;
}
@@ -254,6 +248,17 @@ struct pe_coff_loader_image_context
struct grub_pe32_header_no_msdos_stub *pe_hdr;
};
+struct grub_secureboot_chainloader_context
+{
+ grub_efi_physical_address_t address;
+ grub_efi_uintn_t pages;
+ grub_ssize_t fsize;
+ grub_efi_device_path_t *file_path;
+ grub_efi_char16_t *cmdline;
+ grub_ssize_t cmdline_len;
+ grub_efi_handle_t dev_handle;
+};
+
typedef struct pe_coff_loader_image_context pe_coff_loader_image_context_t;
struct grub_efi_shim_lock
@@ -477,11 +482,13 @@ grub_efi_get_media_file_path (grub_efi_device_path_t *dp)
}
static grub_efi_boolean_t
-handle_image (void *data, grub_efi_uint32_t datasize)
+handle_image (struct grub_secureboot_chainloader_context *load_context)
{
grub_efi_boot_services_t *b;
grub_efi_loaded_image_t *li, li_bak;
grub_efi_status_t efi_status;
+ void *data = (void *)(unsigned long)load_context->address;
+ grub_efi_uint32_t datasize = load_context->fsize;
char *buffer = NULL;
char *buffer_aligned = NULL;
grub_efi_uint32_t i, size;
@@ -571,10 +578,10 @@ handle_image (void *data, grub_efi_uint32_t datasize)
grub_memcpy (&li_bak, li, sizeof (grub_efi_loaded_image_t));
li->image_base = buffer_aligned;
li->image_size = context.image_size;
- li->load_options = cmdline;
- li->load_options_size = cmdline_len;
- li->file_path = grub_efi_get_media_file_path (file_path);
- li->device_handle = dev_handle;
+ li->load_options = load_context->cmdline;
+ li->load_options_size = load_context->cmdline_len;
+ li->file_path = grub_efi_get_media_file_path (load_context->file_path);
+ li->device_handle = load_context->dev_handle;
if (li->file_path)
{
grub_printf ("file path: ");
@@ -605,26 +612,27 @@ error_exit:
}
static grub_err_t
-grub_secureboot_chainloader_unload (void)
+grub_secureboot_chainloader_unload (void* context)
{
grub_efi_boot_services_t *b;
+ struct grub_secureboot_chainloader_context *sb_context = (struct grub_secureboot_chainloader_context *)context;
b = grub_efi_system_table->boot_services;
- efi_call_2 (b->free_pages, address, pages);
- grub_free (file_path);
- grub_free (cmdline);
- cmdline = 0;
- file_path = 0;
- dev_handle = 0;
+ efi_call_2 (b->free_pages, sb_context->address, sb_context->pages);
+ grub_free (sb_context->file_path);
+ grub_free (sb_context->cmdline);
+ grub_free (sb_context);
grub_dl_unref (my_mod);
return GRUB_ERR_NONE;
}
static grub_err_t
-grub_secureboot_chainloader_boot (void)
+grub_secureboot_chainloader_boot (void *context)
{
- handle_image ((void *)address, fsize);
+ struct grub_secureboot_chainloader_context *sb_context = (struct grub_secureboot_chainloader_context *)context;
+
+ handle_image (sb_context);
grub_loader_unset ();
return grub_errno;
}
@@ -635,6 +643,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
int argc, char *argv[])
{
grub_file_t file = 0;
+ grub_ssize_t size;
grub_efi_status_t status;
grub_efi_boot_services_t *b;
grub_device_t dev = 0;
@@ -646,6 +655,8 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
grub_efi_uintn_t pages = 0;
grub_efi_char16_t *cmdline = NULL;
grub_efi_handle_t image_handle = NULL;
+ grub_ssize_t cmdline_len = 0;
+ grub_efi_handle_t dev_handle = 0;
if (argc == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
@@ -653,8 +664,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
grub_dl_ref (my_mod);
- dev_handle = 0;
-
b = grub_efi_system_table->boot_services;
if (argc > 1)
@@ -732,14 +741,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
grub_printf ("file path: ");
grub_efi_print_device_path (file_path);
- fsize = grub_file_size (file);
- if (!fsize)
+ size = grub_file_size (file);
+ if (!size)
{
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
filename);
goto fail;
}
- pages = (((grub_efi_uintn_t) fsize + ((1 << 12) - 1)) >> 12);
+ pages = (((grub_efi_uintn_t) size + ((1 << 12) - 1)) >> 12);
status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_ANY_PAGES,
GRUB_EFI_LOADER_CODE,
@@ -753,7 +762,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
}
boot_image = (void *) ((grub_addr_t) address);
- if (grub_file_read (file, boot_image, fsize) != fsize)
+ if (grub_file_read (file, boot_image, size) != size)
{
if (grub_errno == GRUB_ERR_NONE)
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
@@ -763,7 +772,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
}
#if defined (__i386__) || defined (__x86_64__)
- if (fsize >= (grub_ssize_t) sizeof (struct grub_macho_fat_header))
+ if (size >= (grub_ssize_t) sizeof (struct grub_macho_fat_header))
{
struct grub_macho_fat_header *head = boot_image;
if (head->magic
@@ -786,30 +795,42 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
> ~grub_cpu_to_le32 (archs[i].size)
|| grub_cpu_to_le32 (archs[i].offset)
+ grub_cpu_to_le32 (archs[i].size)
- > (grub_size_t) fsize)
+ > (grub_size_t) size)
{
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
filename);
goto fail;
}
boot_image = (char *) boot_image + grub_cpu_to_le32 (archs[i].offset);
- fsize = grub_cpu_to_le32 (archs[i].size);
+ size = grub_cpu_to_le32 (archs[i].size);
}
}
#endif
#ifdef SUPPORT_SECURE_BOOT
/* FIXME is secure boot possible also with universal binaries? */
- if (debug_secureboot || (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED && grub_secure_validate ((void *)address, fsize)))
+ if (debug_secureboot || (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED && grub_secure_validate ((void *)address, size)))
{
+ struct grub_secureboot_chainloader_context *sb_context;
+
+ sb_context = grub_malloc (sizeof (*sb_context));
+ if (!sb_context)
+ goto fail;
+ sb_context->cmdline = cmdline;
+ sb_context->cmdline_len = cmdline_len;
+ sb_context->fsize = size;
+ sb_context->dev_handle = dev_handle;
+ sb_context->address = address;
+ sb_context->pages = pages;
+ sb_context->file_path = file_path;
grub_file_close (file);
- grub_loader_set (grub_secureboot_chainloader_boot, grub_secureboot_chainloader_unload, 0);
+ grub_loader_set_ex (grub_secureboot_chainloader_boot, grub_secureboot_chainloader_unload, sb_context, 0);
return 0;
}
#endif
status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path,
- boot_image, fsize,
+ boot_image, size,
&image_handle);
#ifdef SUPPORT_SECURE_BOOT
if (status == GRUB_EFI_SECURITY_VIOLATION && grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
@@ -817,10 +838,21 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
/* If it failed with security violation while not in secure boot mode,
the firmware might be broken. We try to workaround on that by forcing
the SB method! (bsc#887793) */
+ struct grub_secureboot_chainloader_context *sb_context;
+
grub_dprintf ("chain", "Possible firmware flaw! Security violation while not in secure boot mode.\n");
+ sb_context = grub_malloc (sizeof (*sb_context));
+ if (!sb_context)
+ goto fail;
+ sb_context->cmdline = cmdline;
+ sb_context->cmdline_len = cmdline_len;
+ sb_context->fsize = size;
+ sb_context->dev_handle = dev_handle;
+ sb_context->address = address;
+ sb_context->pages = pages;
grub_file_close (file);
- grub_loader_set (grub_secureboot_chainloader_boot,
- grub_secureboot_chainloader_unload, 0);
+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
+ grub_secureboot_chainloader_unload, sb_context, 0);
return 0;
}
#endif
--
2.34.1