e016790fe1
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
262 lines
9.3 KiB
Diff
262 lines
9.3 KiB
Diff
From 836337d9b895da32bcbc451c84bc3a7865a15963 Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Mon, 18 Apr 2022 22:16:49 +0800
|
|
Subject: [PATCH 32/32] Use grub_loader_set_ex() for secureboot chainloader
|
|
|
|
This is required as many distributions, including SUSE, has been
|
|
shipping a variation to load and start image using native functions than
|
|
calling out efi protocols when secure boot is enabled and shim lock is
|
|
used to verify image.
|
|
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
---
|
|
grub-core/loader/efi/chainloader.c | 100 +++++++++++++++++++----------
|
|
1 file changed, 66 insertions(+), 34 deletions(-)
|
|
|
|
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
|
index b3e1e89302..48d69c7795 100644
|
|
--- a/grub-core/loader/efi/chainloader.c
|
|
+++ b/grub-core/loader/efi/chainloader.c
|
|
@@ -53,10 +53,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
static grub_dl_t my_mod;
|
|
|
|
-static grub_ssize_t fsize;
|
|
-static grub_ssize_t cmdline_len;
|
|
-static grub_efi_handle_t dev_handle;
|
|
-
|
|
#ifdef SUPPORT_SECURE_BOOT
|
|
static grub_efi_boolean_t debug_secureboot = 0;
|
|
static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
|
|
@@ -76,8 +72,6 @@ grub_chainloader_unload (void *context)
|
|
b = grub_efi_system_table->boot_services;
|
|
efi_call_1 (b->unload_image, image_handle);
|
|
|
|
- dev_handle = 0;
|
|
-
|
|
grub_dl_unref (my_mod);
|
|
return GRUB_ERR_NONE;
|
|
}
|
|
@@ -254,6 +248,17 @@ struct pe_coff_loader_image_context
|
|
struct grub_pe32_header_no_msdos_stub *pe_hdr;
|
|
};
|
|
|
|
+struct grub_secureboot_chainloader_context
|
|
+{
|
|
+ grub_efi_physical_address_t address;
|
|
+ grub_efi_uintn_t pages;
|
|
+ grub_ssize_t fsize;
|
|
+ grub_efi_device_path_t *file_path;
|
|
+ grub_efi_char16_t *cmdline;
|
|
+ grub_ssize_t cmdline_len;
|
|
+ grub_efi_handle_t dev_handle;
|
|
+};
|
|
+
|
|
typedef struct pe_coff_loader_image_context pe_coff_loader_image_context_t;
|
|
|
|
struct grub_efi_shim_lock
|
|
@@ -477,11 +482,13 @@ grub_efi_get_media_file_path (grub_efi_device_path_t *dp)
|
|
}
|
|
|
|
static grub_efi_boolean_t
|
|
-handle_image (void *data, grub_efi_uint32_t datasize)
|
|
+handle_image (struct grub_secureboot_chainloader_context *load_context)
|
|
{
|
|
grub_efi_boot_services_t *b;
|
|
grub_efi_loaded_image_t *li, li_bak;
|
|
grub_efi_status_t efi_status;
|
|
+ void *data = (void *)(unsigned long)load_context->address;
|
|
+ grub_efi_uint32_t datasize = load_context->fsize;
|
|
char *buffer = NULL;
|
|
char *buffer_aligned = NULL;
|
|
grub_efi_uint32_t i, size;
|
|
@@ -571,10 +578,10 @@ handle_image (void *data, grub_efi_uint32_t datasize)
|
|
grub_memcpy (&li_bak, li, sizeof (grub_efi_loaded_image_t));
|
|
li->image_base = buffer_aligned;
|
|
li->image_size = context.image_size;
|
|
- li->load_options = cmdline;
|
|
- li->load_options_size = cmdline_len;
|
|
- li->file_path = grub_efi_get_media_file_path (file_path);
|
|
- li->device_handle = dev_handle;
|
|
+ li->load_options = load_context->cmdline;
|
|
+ li->load_options_size = load_context->cmdline_len;
|
|
+ li->file_path = grub_efi_get_media_file_path (load_context->file_path);
|
|
+ li->device_handle = load_context->dev_handle;
|
|
if (li->file_path)
|
|
{
|
|
grub_printf ("file path: ");
|
|
@@ -605,26 +612,27 @@ error_exit:
|
|
}
|
|
|
|
static grub_err_t
|
|
-grub_secureboot_chainloader_unload (void)
|
|
+grub_secureboot_chainloader_unload (void* context)
|
|
{
|
|
grub_efi_boot_services_t *b;
|
|
+ struct grub_secureboot_chainloader_context *sb_context = (struct grub_secureboot_chainloader_context *)context;
|
|
|
|
b = grub_efi_system_table->boot_services;
|
|
- efi_call_2 (b->free_pages, address, pages);
|
|
- grub_free (file_path);
|
|
- grub_free (cmdline);
|
|
- cmdline = 0;
|
|
- file_path = 0;
|
|
- dev_handle = 0;
|
|
+ efi_call_2 (b->free_pages, sb_context->address, sb_context->pages);
|
|
+ grub_free (sb_context->file_path);
|
|
+ grub_free (sb_context->cmdline);
|
|
+ grub_free (sb_context);
|
|
|
|
grub_dl_unref (my_mod);
|
|
return GRUB_ERR_NONE;
|
|
}
|
|
|
|
static grub_err_t
|
|
-grub_secureboot_chainloader_boot (void)
|
|
+grub_secureboot_chainloader_boot (void *context)
|
|
{
|
|
- handle_image ((void *)address, fsize);
|
|
+ struct grub_secureboot_chainloader_context *sb_context = (struct grub_secureboot_chainloader_context *)context;
|
|
+
|
|
+ handle_image (sb_context);
|
|
grub_loader_unset ();
|
|
return grub_errno;
|
|
}
|
|
@@ -635,6 +643,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
int argc, char *argv[])
|
|
{
|
|
grub_file_t file = 0;
|
|
+ grub_ssize_t size;
|
|
grub_efi_status_t status;
|
|
grub_efi_boot_services_t *b;
|
|
grub_device_t dev = 0;
|
|
@@ -646,6 +655,8 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
grub_efi_uintn_t pages = 0;
|
|
grub_efi_char16_t *cmdline = NULL;
|
|
grub_efi_handle_t image_handle = NULL;
|
|
+ grub_ssize_t cmdline_len = 0;
|
|
+ grub_efi_handle_t dev_handle = 0;
|
|
|
|
if (argc == 0)
|
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
|
@@ -653,8 +664,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
|
|
grub_dl_ref (my_mod);
|
|
|
|
- dev_handle = 0;
|
|
-
|
|
b = grub_efi_system_table->boot_services;
|
|
|
|
if (argc > 1)
|
|
@@ -732,14 +741,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
grub_printf ("file path: ");
|
|
grub_efi_print_device_path (file_path);
|
|
|
|
- fsize = grub_file_size (file);
|
|
- if (!fsize)
|
|
+ size = grub_file_size (file);
|
|
+ if (!size)
|
|
{
|
|
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
|
|
filename);
|
|
goto fail;
|
|
}
|
|
- pages = (((grub_efi_uintn_t) fsize + ((1 << 12) - 1)) >> 12);
|
|
+ pages = (((grub_efi_uintn_t) size + ((1 << 12) - 1)) >> 12);
|
|
|
|
status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_ANY_PAGES,
|
|
GRUB_EFI_LOADER_CODE,
|
|
@@ -753,7 +762,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
}
|
|
|
|
boot_image = (void *) ((grub_addr_t) address);
|
|
- if (grub_file_read (file, boot_image, fsize) != fsize)
|
|
+ if (grub_file_read (file, boot_image, size) != size)
|
|
{
|
|
if (grub_errno == GRUB_ERR_NONE)
|
|
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
|
|
@@ -763,7 +772,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
}
|
|
|
|
#if defined (__i386__) || defined (__x86_64__)
|
|
- if (fsize >= (grub_ssize_t) sizeof (struct grub_macho_fat_header))
|
|
+ if (size >= (grub_ssize_t) sizeof (struct grub_macho_fat_header))
|
|
{
|
|
struct grub_macho_fat_header *head = boot_image;
|
|
if (head->magic
|
|
@@ -786,30 +795,42 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
> ~grub_cpu_to_le32 (archs[i].size)
|
|
|| grub_cpu_to_le32 (archs[i].offset)
|
|
+ grub_cpu_to_le32 (archs[i].size)
|
|
- > (grub_size_t) fsize)
|
|
+ > (grub_size_t) size)
|
|
{
|
|
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
|
|
filename);
|
|
goto fail;
|
|
}
|
|
boot_image = (char *) boot_image + grub_cpu_to_le32 (archs[i].offset);
|
|
- fsize = grub_cpu_to_le32 (archs[i].size);
|
|
+ size = grub_cpu_to_le32 (archs[i].size);
|
|
}
|
|
}
|
|
#endif
|
|
|
|
#ifdef SUPPORT_SECURE_BOOT
|
|
/* FIXME is secure boot possible also with universal binaries? */
|
|
- if (debug_secureboot || (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED && grub_secure_validate ((void *)address, fsize)))
|
|
+ if (debug_secureboot || (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED && grub_secure_validate ((void *)address, size)))
|
|
{
|
|
+ struct grub_secureboot_chainloader_context *sb_context;
|
|
+
|
|
+ sb_context = grub_malloc (sizeof (*sb_context));
|
|
+ if (!sb_context)
|
|
+ goto fail;
|
|
+ sb_context->cmdline = cmdline;
|
|
+ sb_context->cmdline_len = cmdline_len;
|
|
+ sb_context->fsize = size;
|
|
+ sb_context->dev_handle = dev_handle;
|
|
+ sb_context->address = address;
|
|
+ sb_context->pages = pages;
|
|
+ sb_context->file_path = file_path;
|
|
grub_file_close (file);
|
|
- grub_loader_set (grub_secureboot_chainloader_boot, grub_secureboot_chainloader_unload, 0);
|
|
+ grub_loader_set_ex (grub_secureboot_chainloader_boot, grub_secureboot_chainloader_unload, sb_context, 0);
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path,
|
|
- boot_image, fsize,
|
|
+ boot_image, size,
|
|
&image_handle);
|
|
#ifdef SUPPORT_SECURE_BOOT
|
|
if (status == GRUB_EFI_SECURITY_VIOLATION && grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
|
|
@@ -817,10 +838,21 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
/* If it failed with security violation while not in secure boot mode,
|
|
the firmware might be broken. We try to workaround on that by forcing
|
|
the SB method! (bsc#887793) */
|
|
+ struct grub_secureboot_chainloader_context *sb_context;
|
|
+
|
|
grub_dprintf ("chain", "Possible firmware flaw! Security violation while not in secure boot mode.\n");
|
|
+ sb_context = grub_malloc (sizeof (*sb_context));
|
|
+ if (!sb_context)
|
|
+ goto fail;
|
|
+ sb_context->cmdline = cmdline;
|
|
+ sb_context->cmdline_len = cmdline_len;
|
|
+ sb_context->fsize = size;
|
|
+ sb_context->dev_handle = dev_handle;
|
|
+ sb_context->address = address;
|
|
+ sb_context->pages = pages;
|
|
grub_file_close (file);
|
|
- grub_loader_set (grub_secureboot_chainloader_boot,
|
|
- grub_secureboot_chainloader_unload, 0);
|
|
+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
|
|
+ grub_secureboot_chainloader_unload, sb_context, 0);
|
|
return 0;
|
|
}
|
|
#endif
|
|
--
|
|
2.34.1
|
|
|