grub2/0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch

From e0cc6a601865a72cfe316f2cbbaaefcdd2ad8c69 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Tue, 5 Apr 2022 11:48:58 +0100
Subject: [PATCH 04/32] loader/efi/chainloader: Use grub_loader_set_ex()

This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
a use-after-free bug that occurs when grub_cmd_chainloader() is executed
more than once before a boot attempt is performed.

Fixes: CVE-2022-28736

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/loader/efi/chainloader.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index 1ec09a166c..b3e1e89302 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -54,7 +54,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
 static grub_dl_t my_mod;
 
 static grub_ssize_t fsize;
-static grub_efi_handle_t image_handle;
 static grub_ssize_t cmdline_len;
 static grub_efi_handle_t dev_handle;
 
@@ -64,8 +63,9 @@ static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle,  grub_e
 #endif
 
 static grub_err_t
-grub_chainloader_unload (void)
+grub_chainloader_unload (void *context)
 {
+  grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
   grub_efi_loaded_image_t *loaded_image;
   grub_efi_boot_services_t *b;
 
@@ -83,8 +83,9 @@ grub_chainloader_unload (void)
 }
 
 static grub_err_t
-grub_chainloader_boot (void)
+grub_chainloader_boot (void *context)
 {
+  grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
   grub_efi_boot_services_t *b;
   grub_efi_status_t status;
   grub_efi_uintn_t exit_data_size;
@@ -644,6 +645,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
   grub_efi_physical_address_t address = 0;
   grub_efi_uintn_t pages = 0;
   grub_efi_char16_t *cmdline = NULL;
+  grub_efi_handle_t image_handle = NULL;
 
   if (argc == 0)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
@@ -856,7 +858,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
   efi_call_2 (b->free_pages, address, pages);
   grub_free (file_path);
 
-  grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
+  grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
   return 0;
 
  fail:
@@ -874,10 +876,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
     efi_call_2 (b->free_pages, address, pages);
 
   if (image_handle != NULL)
-    {
-      efi_call_1 (b->unload_image, image_handle);
-      image_handle = NULL;
-    }
+    efi_call_1 (b->unload_image, image_handle);
 
   grub_dl_unref (my_mod);
 
-- 
2.34.1