From: Daniel Kiper <daniel.kiper@oracle.com>
To: grub-devel@gnu.org
Cc: 93sam@debian.org, alexander.burmashev@oracle.com,
amakhalov@vmware.com, chris.coulson@canonical.com,
cjwatson@debian.org, cperry@redhat.com, darren.kenny@oracle.com,
darren.moffat@oracle.com, dave.miner@oracle.com,
degranit@microsoft.com, eric.snowberg@oracle.com,
ilya.okomin@oracle.com, jan.setjeeilers@oracle.com,
jerecox@microsoft.com, jesse@eclypsium.com,
john.haxby@oracle.com, kanth.ghatraju@oracle.com,
konrad.wilk@oracle.com, mbenatto@redhat.com,
mickey@eclypsium.com, msrc57813grub@microsoft.com,
phcoder@gmail.com, pjones@redhat.com, sajacobu@microsoft.com,
todd.vierling@oracle.com, xnox@ubuntu.com
Subject: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
Date: Wed, 29 Jul 2020 19:00:13 +0200
Message-ID: <20200729170041.14082-1-daniel.kiper@oracle.com>
Hi all,
We have recently been made aware of a problem with GRUB2 by security research
firm Eclypsium that allows a bad actor to circumvent UEFI Secure Boot. Normally,
when Secure Boot is enabled, only modules [1] that have a valid signature can
be loaded. The bug allows this to be circumvented and allows a module to be
loaded that is not signed, and therefore breaks the chain of trust that Secure
Boot is supposed to guarantee.
The issue has been assigned the following CVE and score:
CVE-2020-10713, 8.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
This is the original flaw discovered by Eclypsium, also known as "BootHole" and
is described in Eclypsium's paper [2].
In the deeper analysis prompted by that bug we have found the following additional bugs:
- CVE-2020-14308, 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
grub2: grub_malloc does not validate allocation size allowing for
arithmetic overflow and subsequent heap-based buffer overflow,
- CVE-2020-14309, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow in grub_squash_read_symlink may lead to
heap based overflow,
- CVE-2020-14310, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow in read_section_from_string may lead to heap
based overflow,
- CVE-2020-14311, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow in grub_ext2_read_link leads to heap based
buffer overflow,
- CVE-2020-15705, 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
grub2: Avoid loading unsigned kernels when grub is booted directly
under secureboot without shim (this is a distro-specific issue and
does not apply to the GRUB2 upstream),
- CVE-2020-15706, 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
script: Avoid a use-after-free when redefining a function during execution,
- CVE-2020-15707, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow in initrd size handling.
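Five of the CVEs above (CVE-2020-14308, -14309, -14310, -14311 and -15707) are the same class of defect: an allocation size computed from attacker-controlled values with plain arithmetic, so a large count wraps to a small number and a later write runs off the end of the heap buffer. The series addresses this with the "safemath" and "calloc" patches in the shortlog. The C example below is added here to show the pattern and its fix; it is my own illustration, not GRUB code. The helper names (`safe_mul`, `safe_add`, `alloc_records`) and the record/header layout are assumptions; the compiler builtins used for the checks are the same kind the safemath patch builds on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The pattern the overflow bugs share: an allocation size is computed from
 * values read out of an untrusted image (a filesystem, a font, an initrd)
 * with plain arithmetic, so a large count wraps to a small number and the
 * caller gets a buffer far smaller than the data it is about to copy in. */
static size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
  return count * elem_size;   /* wraps silently on overflow */
}

/* Overflow-checked helpers (hypothetical names) in the style of the series'
 * safemath patch: they report failure instead of wrapping. The GCC/Clang
 * builtins return true when the exact result does not fit in *out. */
static bool safe_mul(size_t a, size_t b, size_t *out)
{
  return !__builtin_mul_overflow(a, b, out);
}

static bool safe_add(size_t a, size_t b, size_t *out)
{
  return !__builtin_add_overflow(a, b, out);
}

/* Does count * elem_size wrap? Constructed check used by the demo below. */
static bool alloc_size_wraps(size_t count, size_t elem_size)
{
  size_t unused;
  return __builtin_mul_overflow(count, elem_size, &unused);
}

/* Hypothetical data-dependent allocation: 'count' records of 'elem_size'
 * bytes preceded by a fixed 'header'; all three are assumed to come from
 * untrusted input. Returns NULL on overflow, never a too-small buffer. */
static void *alloc_records(size_t count, size_t elem_size, size_t header)
{
  size_t body, total;

  if (!safe_mul(count, elem_size, &body))
    return NULL;
  if (!safe_add(body, header, &total))
    return NULL;
  /* calloc() also refuses a count*size product that does not fit in size_t,
   * which is why the series moves GRUB to an overflow-checking calloc(). */
  return calloc(1, total);
}

/* Returns true when alloc_records() hands back a buffer (and frees it). */
static bool alloc_records_succeeds(size_t count, size_t elem_size, size_t header)
{
  void *p = alloc_records(count, elem_size, header);
  if (p == NULL)
    return false;
  free(p);
  return true;
}

int main(void)
{
  size_t big = SIZE_MAX / 2 + 1;   /* constructed: 2^63 on a 64-bit build */

  printf("unchecked: %zu * 2 -> %zu bytes (wrapped: %s)\n", big,
         unchecked_alloc_size(big, 2), alloc_size_wraps(big, 2) ? "yes" : "no");
  printf("checked:   %s\n", alloc_records_succeeds(big, 2, 0) ? "allocated" : "refused");
  printf("sane:      %s\n", alloc_records_succeeds(16, 8, 4) ? "allocated" : "refused");
  return 0;
}
```

The unchecked path returns 0 bytes for the constructed count, which a naive caller would then fill with 2^63 records; the checked path refuses both the multiplication and the header addition when either would wrap, which is the behaviour the safemath and calloc patches give the affected filesystem, font and loader code.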
Mitigation of these bugs will involve not just a new version of GRUB2 for all
the affected platforms but may also require a new shim or a new kernel or both.
Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here [3] we are listing at
least some links to the messaging known at the time of this posting.
At some stage, the UEFI revocation list (dbx) on new hardware will be updated
so that today's kernels will not boot on the new hardware. Full mitigation
against the CVE-2020-10713 will require an updated dbx which, in at least some
cases, will not allow Secure Boot with today's kernels. Vendor shims may
explicitly permit known older kernels to boot.
Updated GRUB2, shim and kernels from all the affected vendors will be made
available when the embargo lifts or shortly thereafter. An updated dbx from
the various affected vendors will also ship, although possibly not at the same
time. The new Microsoft dbx will be provided for download here [4].
I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will soon carry one
form or another of these patches. All the GRUB2 upstream patches are now in
the GRUB2 git repository [5] too.
The initial issue was discovered and reported by Mickey Shkatov and Jesse Michael,
both working for Eclypsium.
In particular I would like to thank, in alphabetical order, the following people
who were working really hard on the GRUB, kernel, shim, legal, organizational
and other stuff related to these issues:
- Alexander Burmashev (Oracle),
- Alexey Makhalov (VMware),
- Chris Coulson (Canonical),
- Cliff Perry (Red Hat),
- Colin Watson (Debian),
- Darren Kenny (Oracle),
- Darren Moffat (Oracle),
- Dave Miner (Oracle),
- Derek Granito (Microsoft),
- Dimitri John Ledkov (Canonical),
- Eric Snowberg (Oracle),
- Ilya Okomin (Oracle),
- Jan Setje-Eilers (Oracle),
- Jeremiah Cox (Microsoft),
- Jesse Michael (Eclypsium),
- John Haxby (Oracle),
- Kanth Ghatraju (Oracle),
- Konrad Rzeszutek Wilk (Oracle),
- Marco Benatto (Red Hat),
- Mickey Shkatov (Eclypsium),
- Peter Jones (Red Hat),
- Sarah Jacobus (Microsoft),
- Steve McIntyre (Debian),
- Todd Vierling (Oracle).
Without all your hard work and late hours this joint community work would not
have been possible.
I am proud to be working with you all and thank you.
Daniel
[1] "Modules" used here is a catch-all for things that are loaded and
covers everything from UEFI applications all the way up through the
platform's kernel and any drivers that it may load. Different loaders
have different ways of checking signatures but there is a chain of
trust reaching right back to the origin where Secure Boot is first
enabled.
[2] https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
[3] Canonical: https://ubuntu.com/security/notices/USN-4432-1
Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
https://www.suse.com/support/kb/doc/?id=000019673
VMware: https://kb.vmware.com/s/article/80181
[4] https://uefi.org/revocationlistfile
[5] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
https://git.savannah.gnu.org/git/grub.git
INSTALL | 22 +---
grub-core/bus/usb/usbhub.c | 8 +-
grub-core/commands/efi/lsefisystab.c | 3 +-
grub-core/commands/legacycfg.c | 35 +++++--
grub-core/commands/menuentry.c | 2 +-
grub-core/commands/nativedisk.c | 2 +-
grub-core/commands/parttool.c | 12 ++-
grub-core/commands/regexp.c | 2 +-
grub-core/commands/search_wrap.c | 2 +-
grub-core/commands/wildcard.c | 36 ++++++-
grub-core/disk/diskfilter.c | 4 +-
grub-core/disk/ieee1275/ofdisk.c | 2 +-
grub-core/disk/ldm.c | 46 +++++---
grub-core/disk/luks.c | 2 +-
grub-core/disk/lvm.c | 60 ++++++++---
grub-core/disk/xen/xendisk.c | 2 +-
grub-core/efiemu/loadcore.c | 2 +-
grub-core/efiemu/mm.c | 6 +-
grub-core/font/font.c | 16 ++-
grub-core/fs/affs.c | 6 +-
grub-core/fs/btrfs.c | 34 +++---
grub-core/fs/ext2.c | 10 +-
grub-core/fs/hfs.c | 2 +-
grub-core/fs/hfsplus.c | 17 +--
grub-core/fs/iso9660.c | 73 +++++++++----
grub-core/fs/ntfs.c | 4 +-
grub-core/fs/sfs.c | 29 ++++--
grub-core/fs/squash4.c | 45 ++++++--
grub-core/fs/tar.c | 2 +-
grub-core/fs/udf.c | 62 +++++++----
grub-core/fs/xfs.c | 11 +-
grub-core/fs/zfs/zfs.c | 26 +++--
grub-core/fs/zfs/zfscrypt.c | 7 +-
grub-core/gfxmenu/gui_image.c | 5 +-
grub-core/gfxmenu/gui_string_util.c | 2 +-
grub-core/gfxmenu/widget-box.c | 4 +-
grub-core/io/gzio.c | 2 +-
grub-core/kern/arm/efi/init.c | 3 +
grub-core/kern/arm64/efi/init.c | 3 +
grub-core/kern/efi/efi.c | 73 ++++++++++---
grub-core/kern/efi/init.c | 1 -
grub-core/kern/emu/hostdisk.c | 2 +-
grub-core/kern/emu/misc.c | 12 +++
grub-core/kern/emu/mm.c | 13 ++-
grub-core/kern/fs.c | 2 +-
grub-core/kern/i386/efi/init.c | 9 +-
grub-core/kern/ia64/efi/init.c | 9 +-
grub-core/kern/misc.c | 2 +-
grub-core/kern/mm.c | 40 +++++++
grub-core/kern/parser.c | 2 +-
grub-core/kern/riscv/efi/init.c | 3 +
grub-core/kern/uboot/uboot.c | 2 +-
grub-core/lib/LzmaEnc.c | 10 +-
grub-core/lib/arg.c | 20 +++-
grub-core/lib/efi/halt.c | 3 +-
grub-core/lib/i386/relocator.c | 28 ++---
grub-core/lib/json/json.c | 11 +-
grub-core/lib/json/json.h | 5 +-
grub-core/lib/libgcrypt/cipher/ac.c | 8 +-
grub-core/lib/libgcrypt/cipher/primegen.c | 4 +-
grub-core/lib/libgcrypt/cipher/pubkey.c | 4 +-
grub-core/lib/libgcrypt_wrap/mem.c | 11 +-
grub-core/lib/mips/relocator.c | 6 +-
grub-core/lib/posix_wrap/stdlib.h | 8 +-
grub-core/lib/powerpc/relocator.c | 6 +-
grub-core/lib/priority_queue.c | 2 +-
grub-core/lib/reed_solomon.c | 7 +-
grub-core/lib/relocator.c | 14 +--
grub-core/lib/x86_64/efi/relocator.c | 7 +-
grub-core/lib/zstd/fse_decompress.c | 2 +-
grub-core/loader/arm/linux.c | 2 +-
grub-core/loader/efi/chainloader.c | 34 ++++--
grub-core/loader/i386/bsd.c | 8 +-
grub-core/loader/i386/bsdXX.c | 2 +-
grub-core/loader/i386/linux.c | 14 ++-
grub-core/loader/i386/multiboot_mbi.c | 7 +-
grub-core/loader/i386/pc/linux.c | 15 +--
grub-core/loader/i386/xen.c | 12 ++-
grub-core/loader/i386/xnu.c | 30 +++---
grub-core/loader/linux.c | 77 ++++++++++----
grub-core/loader/macho.c | 2 +-
grub-core/loader/mips/linux.c | 9 +-
grub-core/loader/multiboot.c | 2 +-
grub-core/loader/multiboot_elfxx.c | 12 +--
grub-core/loader/multiboot_mbi2.c | 16 +--
grub-core/loader/xnu.c | 13 ++-
grub-core/loader/xnu_resume.c | 2 +-
grub-core/mmap/mmap.c | 4 +-
grub-core/net/bootp.c | 2 +-
grub-core/net/dns.c | 19 ++--
grub-core/net/net.c | 4 +-
grub-core/net/tftp.c | 168 ++++++++++--------------------
grub-core/normal/charset.c | 20 ++--
grub-core/normal/cmdline.c | 28 +++--
grub-core/normal/menu_entry.c | 27 +++--
grub-core/normal/menu_text.c | 4 +-
grub-core/normal/term.c | 4 +-
grub-core/osdep/linux/getroot.c | 6 +-
grub-core/osdep/unix/config.c | 2 +-
grub-core/osdep/windows/getroot.c | 2 +-
grub-core/osdep/windows/hostdisk.c | 4 +-
grub-core/osdep/windows/init.c | 2 +-
grub-core/osdep/windows/platform.c | 4 +-
grub-core/osdep/windows/relpath.c | 2 +-
grub-core/partmap/gpt.c | 2 +-
grub-core/partmap/msdos.c | 2 +-
grub-core/script/argv.c | 16 ++-
grub-core/script/execute.c | 4 +-
grub-core/script/function.c | 16 ++-
grub-core/script/lexer.c | 21 +++-
grub-core/script/parser.y | 3 +-
grub-core/script/yylex.l | 4 +-
grub-core/term/terminfo.c | 9 +-
grub-core/tests/fake_input.c | 2 +-
grub-core/tests/video_checksum.c | 6 +-
grub-core/video/bitmap.c | 25 +++--
grub-core/video/capture.c | 2 +-
grub-core/video/emu/sdl.c | 2 +-
grub-core/video/i386/pc/vga.c | 2 +-
grub-core/video/readers/png.c | 15 ++-
include/grub/compiler.h | 8 ++
include/grub/efi/api.h | 14 ++-
include/grub/emu/misc.h | 1 +
include/grub/loader.h | 1 +
include/grub/mm.h | 6 ++
include/grub/relocator.h | 29 ++++++
include/grub/safemath.h | 37 +++++++
include/grub/script_sh.h | 5 +-
include/grub/unicode.h | 4 +-
util/getroot.c | 2 +-
util/grub-file.c | 2 +-
util/grub-fstest.c | 4 +-
util/grub-install-common.c | 2 +-
util/grub-install.c | 4 +-
util/grub-mkimagexx.c | 6 +-
util/grub-mkrescue.c | 4 +-
util/grub-mkstandalone.c | 2 +-
util/grub-pe2elf.c | 12 +--
util/grub-probe.c | 4 +-
139 files changed, 1168 insertions(+), 606 deletions(-)
Alexey Makhalov (7):
gfxmenu: Fix double free in load_image()
xnu: Fix double free in grub_xnu_devprop_add_property()
tftp: Do not use priority queue
relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow
relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow
relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation
efi: Fix use-after-free in halt/reboot path
Chris Coulson (3):
json: Avoid a double-free when parsing fails.
script: Remove unused fields from grub_script_function struct
script: Avoid a use-after-free when redefining a function during execution
Colin Watson (1):
linux: Fix integer overflows in initrd size handling
Daniel Kiper (2):
font: Do not load more than one NAME section
efi/chainloader: Propagate errors from copy_file_path()
Konrad Rzeszutek Wilk (4):
lzma: Make sure we don't dereference past array
term: Fix overflow on user inputs
udf: Fix memory leak
multiboot2: Fix memory leak if grub_create_loader_cmdline() fails
Peter Jones (11):
yylex: Make lexer fatal errors actually be fatal
safemath: Add some arithmetic primitives that check for overflow
calloc: Make sure we always have an overflow-checking calloc() available
calloc: Use calloc() at most places
malloc: Use overflow checking primitives where we do complex allocations
iso9660: Don't leak memory on realloc() failures
hfsplus: Fix two more overflows
lvm: Fix two more potential data-dependent alloc overflows
emu: Make grub_free(NULL) safe
efi: Fix some malformed device path arithmetic errors
loader/linux: Avoid overflow on initrd size calculation
Thread overview (34+ messages):
2020-07-29 17:00 Daniel Kiper [this message]
2020-07-29 17:00 ` [SECURITY PATCH 01/28] yylex: Make lexer fatal errors actually be fatal Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 02/28] safemath: Add some arithmetic primitives that check for overflow Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 03/28] calloc: Make sure we always have an overflow-checking calloc() available Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 04/28] calloc: Use calloc() at most places Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 05/28] malloc: Use overflow checking primitives where we do complex allocations Daniel Kiper
2021-09-10 16:10 ` Glenn Washburn
2020-07-29 17:00 ` [SECURITY PATCH 06/28] iso9660: Don't leak memory on realloc() failures Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 07/28] font: Do not load more than one NAME section Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 08/28] gfxmenu: Fix double free in load_image() Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 09/28] xnu: Fix double free in grub_xnu_devprop_add_property() Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 10/28] json: Avoid a double-free when parsing fails Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 11/28] lzma: Make sure we don't dereference past array Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 12/28] term: Fix overflow on user inputs Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 13/28] udf: Fix memory leak Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 14/28] multiboot2: Fix memory leak if grub_create_loader_cmdline() fails Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 15/28] tftp: Do not use priority queue Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 16/28] relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 17/28] relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 18/28] script: Remove unused fields from grub_script_function struct Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 19/28] script: Avoid a use-after-free when redefining a function during execution Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 20/28] relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 21/28] hfsplus: Fix two more overflows Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 22/28] lvm: Fix two more potential data-dependent alloc overflows Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 23/28] emu: Make grub_free(NULL) safe Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 24/28] efi: Fix some malformed device path arithmetic errors Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 25/28] efi/chainloader: Propagate errors from copy_file_path() Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 26/28] efi: Fix use-after-free in halt/reboot path Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 27/28] loader/linux: Avoid overflow on initrd size calculation Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 28/28] linux: Fix integer overflows in initrd size handling Daniel Kiper
2020-07-29 20:12 ` [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole Christian Hesse
2020-07-29 20:20 ` John Paul Adrian Glaubitz
2020-07-29 21:20 ` Dimitri John Ledkov
2020-07-29 21:33 ` John Paul Adrian Glaubitz