diff --git a/grub2-verifiers-fix-system-freeze-if-verify-failed.patch b/grub2-verifiers-fix-system-freeze-if-verify-failed.patch new file mode 100644 index 0000000..01db5e9 --- /dev/null +++ b/grub2-verifiers-fix-system-freeze-if-verify-failed.patch @@ -0,0 +1,44 @@ +From d0de8b37f651e13886ef0e0fda285a1294adafe8 Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Tue, 18 Feb 2020 18:08:18 +0800 +Subject: [PATCH] verifiers: Fix calling uninitialized function pointer + +The necessary check for NULL before use of function ver->close is not +taking place in the failure path. This patch simply adds the missing +check and fixes the problem that GRUB hangs indefinitely after booting +rogue image without valid signature if secure boot is turned on. + +Now it displays like this for booting rogue UEFI image: + + error: bad shim signature + error: you need to load the kernel first + + Press any key to continue... + +and then you can go back to boot menu by pressing any key or after a few +seconds expired. + +Signed-off-by: Michael Chang +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/commands/verifiers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c +index 0dde48182..7b9297cd3 100644 +--- a/grub-core/commands/verifiers.c ++++ b/grub-core/commands/verifiers.c +@@ -196,7 +196,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + return ret; + + fail: +- ver->close (context); ++ if (ver->close) ++ ver->close (context); + fail_noclose: + verified_free (verified); + grub_free (ret); +-- +2.16.4 + diff --git a/grub2.changes b/grub2.changes index 75612ce..74c9e09 100644 --- a/grub2.changes +++ b/grub2.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Feb 18 08:43:30 UTC 2020 - Michael Chang + +- Fix grub hangs after loading rogue image without valid signature for uefi + secure boot (bsc#1159102) + * grub2-verifiers-fix-system-freeze-if-verify-failed.patch + ------------------------------------------------------------------- Tue Feb 4 07:59:40 UTC 2020 - Michael Chang diff --git a/grub2.spec b/grub2.spec index 23619b4..9af7ddd 100644 --- a/grub2.spec +++ b/grub2.spec @@ -223,6 +223,7 @@ Patch85: grub2-getroot-scan-disk-pv.patch Patch92: grub2-util-30_os-prober-multiple-initrd.patch Patch93: grub2-getroot-support-nvdimm.patch Patch94: grub2-install-fix-not-a-directory-error.patch +Patch95: grub2-verifiers-fix-system-freeze-if-verify-failed.patch # Btrfs snapshot booting related patches Patch101: grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch Patch102: grub2-btrfs-02-export-subvolume-envvars.patch @@ -508,6 +509,7 @@ swap partition while in resuming %patch92 -p1 %patch93 -p1 %patch94 -p1 +%patch95 -p1 %patch101 -p1 %patch102 -p1 %patch103 -p1