forked from pool/grub2
Accepting request 1073013 from home:michael-chang:branches:Base:System
- Restrict cryptsetup key file permission for better security (bsc#1207499) * 0001-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch * 0002-Restrict-cryptsetup-key-file-permission-for-better-s.patch OBS-URL: https://build.opensuse.org/request/show/1073013 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=446
This commit is contained in:
parent
3c4b4c1ff8
commit
448b5a32b0
146
0001-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
Normal file
146
0001-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
Normal file
@ -0,0 +1,146 @@
|
|||||||
|
From 1dcab5bf3843abc997f7e7dba32e5dbcb9bf66b2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gary Lin <glin@suse.com>
|
||||||
|
Date: Fri, 25 Nov 2022 15:37:35 +0800
|
||||||
|
Subject: [PATCH 1/2] loader/linux: Ensure the newc pathname is NULL-terminated
|
||||||
|
|
||||||
|
Per "man 5 cpio", the namesize in the cpio header includes the trailing
|
||||||
|
NUL byte of the pathname and the pathname is followed by NUL bytes, but
|
||||||
|
the current implementation ignores the trailing NUL byte when making
|
||||||
|
the newc header. Although make_header() tries to pad the pathname string,
|
||||||
|
the padding won't happen when strlen(name) + sizeof(struct newc_head)
|
||||||
|
is a multiple of 4, and the non-NULL-terminated pathname may lead to
|
||||||
|
unexpected results.
|
||||||
|
|
||||||
|
Assume that a file is created with 'echo -n aaaa > /boot/test12' and
|
||||||
|
loaded by grub2:
|
||||||
|
|
||||||
|
linux /boot/vmlinuz
|
||||||
|
initrd newc:test12:/boot/test12 /boot/initrd
|
||||||
|
|
||||||
|
The initrd command eventually invoked grub_initrd_load() and sent
|
||||||
|
't''e''s''t''1''2' to make_header() to generate the header:
|
||||||
|
|
||||||
|
00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00|
|
||||||
|
00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800|
|
||||||
|
00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163|
|
||||||
|
000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400|
|
||||||
|
000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300|
|
||||||
|
000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
|
||||||
|
000000d0 30 30 30 30 30 36 30 30 30 30 30 30 30 30 74 65 |00000600000000te|
|
||||||
|
^namesize
|
||||||
|
000000e0 73 74 31 32 61 61 61 61 30 37 30 37 30 31 30 30 |st12aaaa07070100|
|
||||||
|
^^ end of the pathname
|
||||||
|
|
||||||
|
Since strlen("test12") + sizeof(struct newc_head) is 116 = 29 * 4,
|
||||||
|
make_header() didn't pad the pathname, and the file content followed
|
||||||
|
"test12" immediately. This violates the cpio format and may trigger such
|
||||||
|
error during linux boot:
|
||||||
|
|
||||||
|
Initramfs unpacking failed: ZSTD-compressed data is trunc
|
||||||
|
|
||||||
|
To avoid the potential problems, this commit counts the trailing NUL byte
|
||||||
|
in when calling make_header() and adjusts the initrd size accordingly.
|
||||||
|
|
||||||
|
Now the header becomes
|
||||||
|
|
||||||
|
00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00|
|
||||||
|
00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800|
|
||||||
|
00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163|
|
||||||
|
000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400|
|
||||||
|
000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300|
|
||||||
|
000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
|
||||||
|
000000d0 30 30 30 30 30 37 30 30 30 30 30 30 30 30 74 65 |00000700000000te|
|
||||||
|
^namesize
|
||||||
|
000000e0 73 74 31 32 00 00 00 00 61 61 61 61 30 37 30 37 |st12....aaaa0707|
|
||||||
|
^^ end of the pathname
|
||||||
|
|
||||||
|
Besides the trailing NUL byte, make_header() pads 3 more NUL bytes, and
|
||||||
|
the user can safely read the pathname without a further check.
|
||||||
|
|
||||||
|
To conform to the cpio format, the headers for "TRAILER!!!" are also
|
||||||
|
adjusted to include the trailing NUL byte, not ignore it.
|
||||||
|
|
||||||
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/loader/linux.c | 25 ++++++++++++++++++-------
|
||||||
|
1 file changed, 18 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
|
||||||
|
index 8f0fad805..e4018e65e 100644
|
||||||
|
--- a/grub-core/loader/linux.c
|
||||||
|
+++ b/grub-core/loader/linux.c
|
||||||
|
@@ -130,12 +130,23 @@ insert_dir (const char *name, struct dir **root,
|
||||||
|
n->name = grub_strndup (cb, ce - cb);
|
||||||
|
if (ptr)
|
||||||
|
{
|
||||||
|
+ /*
|
||||||
|
+ * Create the substring with the trailing NUL byte
|
||||||
|
+ * to be included in the cpio header.
|
||||||
|
+ */
|
||||||
|
+ char *tmp_name = grub_strndup (name, ce - name);
|
||||||
|
+ if (!tmp_name) {
|
||||||
|
+ grub_free (n->name);
|
||||||
|
+ grub_free (n);
|
||||||
|
+ return grub_errno;
|
||||||
|
+ }
|
||||||
|
grub_dprintf ("linux", "Creating directory %s, %s\n", name, ce);
|
||||||
|
- ptr = make_header (ptr, name, ce - name,
|
||||||
|
+ ptr = make_header (ptr, tmp_name, ce - name + 1,
|
||||||
|
040777, 0);
|
||||||
|
+ grub_free (tmp_name);
|
||||||
|
}
|
||||||
|
if (grub_add (*size,
|
||||||
|
- ALIGN_UP ((ce - (char *) name)
|
||||||
|
+ ALIGN_UP ((ce - (char *) name + 1)
|
||||||
|
+ sizeof (struct newc_head), 4),
|
||||||
|
size))
|
||||||
|
{
|
||||||
|
@@ -260,7 +271,7 @@ grub_initrd_init (int argc, char *argv[],
|
||||||
|
grub_initrd_close (initrd_ctx);
|
||||||
|
return grub_errno;
|
||||||
|
}
|
||||||
|
- name_len = grub_strlen (initrd_ctx->components[i].newc_name);
|
||||||
|
+ name_len = grub_strlen (initrd_ctx->components[i].newc_name) + 1;
|
||||||
|
if (grub_add (initrd_ctx->size,
|
||||||
|
ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
|
||||||
|
&initrd_ctx->size) ||
|
||||||
|
@@ -274,7 +285,7 @@ grub_initrd_init (int argc, char *argv[],
|
||||||
|
{
|
||||||
|
if (grub_add (initrd_ctx->size,
|
||||||
|
ALIGN_UP (sizeof (struct newc_head)
|
||||||
|
- + sizeof ("TRAILER!!!") - 1, 4),
|
||||||
|
+ + sizeof ("TRAILER!!!"), 4),
|
||||||
|
&initrd_ctx->size))
|
||||||
|
goto overflow;
|
||||||
|
free_dir (root);
|
||||||
|
@@ -302,7 +313,7 @@ grub_initrd_init (int argc, char *argv[],
|
||||||
|
initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
|
||||||
|
if (grub_add (initrd_ctx->size,
|
||||||
|
ALIGN_UP (sizeof (struct newc_head)
|
||||||
|
- + sizeof ("TRAILER!!!") - 1, 4),
|
||||||
|
+ + sizeof ("TRAILER!!!"), 4),
|
||||||
|
&initrd_ctx->size))
|
||||||
|
goto overflow;
|
||||||
|
free_dir (root);
|
||||||
|
@@ -378,7 +389,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
|
||||||
|
}
|
||||||
|
else if (newc)
|
||||||
|
{
|
||||||
|
- ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1,
|
||||||
|
+ ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"),
|
||||||
|
0, 0);
|
||||||
|
free_dir (root);
|
||||||
|
root = 0;
|
||||||
|
@@ -406,7 +417,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
|
||||||
|
{
|
||||||
|
grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
|
||||||
|
ptr += ALIGN_UP_OVERHEAD (cursize, 4);
|
||||||
|
- ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
|
||||||
|
+ ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"), 0, 0);
|
||||||
|
}
|
||||||
|
free_dir (root);
|
||||||
|
root = 0;
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -0,0 +1,64 @@
|
|||||||
|
From 9f18541245858f53fea72d8d60304f9015d88b5f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Chang <mchang@suse.com>
|
||||||
|
Date: Fri, 17 Mar 2023 22:00:23 +0800
|
||||||
|
Subject: [PATCH 2/2] Restrict cryptsetup key file permission for better
|
||||||
|
security
|
||||||
|
|
||||||
|
GRUB's default permission 777 for concatenated initrd files was too
|
||||||
|
permissive for the cryptsetup key file, causing a complaint from
|
||||||
|
systemd-cryptsetup during boot. This commit replaces the 0777 permission
|
||||||
|
with a more secure 0400 permission for the key file.
|
||||||
|
|
||||||
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||||
|
---
|
||||||
|
grub-core/loader/linux.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
|
||||||
|
index e4018e65e..fc71a78d7 100644
|
||||||
|
--- a/grub-core/loader/linux.c
|
||||||
|
+++ b/grub-core/loader/linux.c
|
||||||
|
@@ -32,6 +32,7 @@ struct grub_linux_initrd_component
|
||||||
|
char *buf;
|
||||||
|
char *newc_name;
|
||||||
|
grub_off_t size;
|
||||||
|
+ grub_uint32_t mode;
|
||||||
|
};
|
||||||
|
|
||||||
|
struct dir
|
||||||
|
@@ -202,6 +203,7 @@ grub_initrd_component (const char *buf, int bufsz, const char *newc_name,
|
||||||
|
grub_memcpy (comp->buf, buf, bufsz);
|
||||||
|
initrd_ctx->nfiles++;
|
||||||
|
comp->size = bufsz;
|
||||||
|
+ comp->mode = 0100400;
|
||||||
|
if (grub_add (initrd_ctx->size, comp->size,
|
||||||
|
&initrd_ctx->size))
|
||||||
|
goto overflow;
|
||||||
|
@@ -271,6 +273,7 @@ grub_initrd_init (int argc, char *argv[],
|
||||||
|
grub_initrd_close (initrd_ctx);
|
||||||
|
return grub_errno;
|
||||||
|
}
|
||||||
|
+ initrd_ctx->components[i].mode = 0100777;
|
||||||
|
name_len = grub_strlen (initrd_ctx->components[i].newc_name) + 1;
|
||||||
|
if (grub_add (initrd_ctx->size,
|
||||||
|
ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
|
||||||
|
@@ -372,6 +375,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
|
||||||
|
if (initrd_ctx->components[i].newc_name)
|
||||||
|
{
|
||||||
|
grub_size_t dir_size;
|
||||||
|
+ grub_uint32_t mode = initrd_ctx->components[i].mode;
|
||||||
|
|
||||||
|
if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
|
||||||
|
&dir_size))
|
||||||
|
@@ -383,7 +387,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
|
||||||
|
ptr += dir_size;
|
||||||
|
ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
|
||||||
|
grub_strlen (initrd_ctx->components[i].newc_name) + 1,
|
||||||
|
- 0100777,
|
||||||
|
+ mode,
|
||||||
|
initrd_ctx->components[i].size);
|
||||||
|
newc = 1;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 20 05:02:01 UTC 2023 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Restrict cryptsetup key file permission for better security (bsc#1207499)
|
||||||
|
* 0001-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
|
||||||
|
* 0002-Restrict-cryptsetup-key-file-permission-for-better-s.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Mar 15 21:46:00 UTC 2023 - Hans-Peter Jansen <hpj@urpla.net>
|
Wed Mar 15 21:46:00 UTC 2023 - Hans-Peter Jansen <hpj@urpla.net>
|
||||||
|
|
||||||
|
@ -503,6 +503,8 @@ Patch974: 0001-clean-up-crypttab-and-linux-modules-dependency.patch
|
|||||||
Patch975: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
|
Patch975: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
|
||||||
# Make grub more robust against storage race condition causing system boot failures (bsc#1189036)
|
# Make grub more robust against storage race condition causing system boot failures (bsc#1189036)
|
||||||
Patch976: 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
|
Patch976: 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
|
||||||
|
Patch977: 0001-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
|
||||||
|
Patch978: 0002-Restrict-cryptsetup-key-file-permission-for-better-s.patch
|
||||||
|
|
||||||
Requires: gettext-runtime
|
Requires: gettext-runtime
|
||||||
%if 0%{?suse_version} >= 1140
|
%if 0%{?suse_version} >= 1140
|
||||||
|
Loading…
Reference in New Issue
Block a user