From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <grub-devel-bounces+grub-devel=archiver.kernel.org@gnu.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id BB87CC54E58
	for <grub-devel@archiver.kernel.org>; Fri, 15 Mar 2024 07:26:00 +0000 (UTC)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <grub-devel-bounces@gnu.org>)
	id 1rl1wY-0004L5-PR; Fri, 15 Mar 2024 03:25:30 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <phcoder@gmail.com>) id 1rl1wW-0004Ke-HP
 for grub-devel@gnu.org; Fri, 15 Mar 2024 03:25:28 -0400
Received: from mail-lf1-x12c.google.com ([2a00:1450:4864:20::12c])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <phcoder@gmail.com>) id 1rl1wS-0004x3-Le
 for grub-devel@gnu.org; Fri, 15 Mar 2024 03:25:27 -0400
Received: by mail-lf1-x12c.google.com with SMTP id
 2adb3069b0e04-51331634948so2694691e87.0
 for <grub-devel@gnu.org>; Fri, 15 Mar 2024 00:25:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1710487522; x=1711092322; darn=gnu.org;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :from:to:cc:subject:date:message-id:reply-to;
 bh=LpLBrGx1kMGPw+/sAViTq6rNcmfkUFzFWrFJG1HEku4=;
 b=N2c+an05jP2T+DWNme6MxytXPq74LLtr0dIi9cjP0jpG/G8nlIXG9imyQ8rhzACePT
 theLVGkHjZjeCtol9+p2+A2jlzrDq3yZsq9IOjT6/Q3YavZJ18GCeOAhqDE325nbTDc+
 3tmRfwmfHaMW8n855d/y0wurXTtzTR3TgXk12P09MtP7l31L9Mql9Iss3FsXcfc/+Lb8
 xsVJubUgPaCst8vYCoN7XwRTIDI+szpC49iD5nVG8fdpBmCQI4/cS9oRAxGFegUC7+Vy
 l+ssmDjEg9GzGpfkRzM1OS5F4SP+zJzeS9skYBKE5Otlj+HlT0HVXysnMrQLivaRxWwg
 695Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1710487522; x=1711092322;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=LpLBrGx1kMGPw+/sAViTq6rNcmfkUFzFWrFJG1HEku4=;
 b=t6oRf8H3MijOzZZFQyNZ8P0nKUXZyK4POW89U+ENkQGpurNW1D+GPvsbJcxMweSRyM
 Rv25SQU5UZwqbealM2+ftXCrldSxH1nesU00e+6z2zBVhsDnF3ssb7mYe++d8DHC+8PL
 lm9uXCybWALAjLvyYg/ZUFyMXGRg1830GlmTxbfVXVoClZUmxBFNOFPScyoJaSoHG9e/
 MTjfSuhZpEgkKOFtfl/YuAvQZOzlSVeSDCS5Tc3mpQnMhlEU6Tgymbkok2P0kpNJBvWX
 1Y++e01u9RcfPUMFpuBsqzxagXbr4/QB6vWERsk0RpRbntromGBOkFiOuKgEBYM8u5Fz
 /Btw==
X-Gm-Message-State: AOJu0YyEIZruuzmWX7dp15dQL47gkmVCfEA6qSFz2EEi9XuvjPzs1F6R
 dyN+Ei+w6rGL6YpkHe6alW/8bKP2Y1D3cqo20nX37PxtWD/If7DT1pZkr8eV37fGqhelqJBpiNV
 4T4PaP30j23CDXaOtUmjP8ecoFIhcaJ6F+89jMw==
X-Google-Smtp-Source: AGHT+IEJ7ypjlfuS3qTRkbBHgf2QI3DuEsWt0ge5DSB700uhejeM6SpD8L14YQ4AJV3jUJJxoNqFwYmin8wYmfqbv5E=
X-Received: by 2002:a2e:7d04:0:b0:2d4:2f23:14a9 with SMTP id
 y4-20020a2e7d04000000b002d42f2314a9mr2985051ljc.16.1710487521627; Fri, 15 Mar
 2024 00:25:21 -0700 (PDT)
MIME-Version: 1.0
References: <20240313150748.791236-1-ross.lagerwall@citrix.com>
 <20240313150748.791236-8-ross.lagerwall@citrix.com>
In-Reply-To: <20240313150748.791236-8-ross.lagerwall@citrix.com>
From: "Vladimir 'phcoder' Serbinenko" <phcoder@gmail.com>
Date: Fri, 15 Mar 2024 10:25:10 +0300
Message-ID: <CAEaD8JOAfQ=fsze+a=+LQRB5Krh+uohCK2bd3adXKwfqyUzTkw@mail.gmail.com>
Subject: Re: [PATCH 7/7] verifiers: Verify after decompression
To: The development of GNU GRUB <grub-devel@gnu.org>
Received-SPF: pass client-ip=2a00:1450:4864:20::12c;
 envelope-from=phcoder@gmail.com; helo=mail-lf1-x12c.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: grub-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: The development of GNU GRUB <grub-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/grub-devel>
List-Post: <mailto:grub-devel@gnu.org>
List-Help: <mailto:grub-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=subscribe>
Reply-To: The development of GNU GRUB <grub-devel@gnu.org>
Content-Type: multipart/mixed; boundary="===============6708021230969716623=="
Errors-To: grub-devel-bounces+grub-devel=archiver.kernel.org@gnu.org
Sender: grub-devel-bounces+grub-devel=archiver.kernel.org@gnu.org

--===============6708021230969716623==
Content-Type: multipart/alternative; boundary="0000000000001e96fb0613ade9d9"

--0000000000001e96fb0613ade9d9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Verifying after decompression is a bad security practice. It relies on
decompression having no security holes. Given how complex decompression is,
this is almost guaranteed to be false.

Le mer. 13 mars 2024, 18:08, Ross Lagerwall via Grub-devel <
grub-devel@gnu.org> a =C3=A9crit :

> It is convenient and common to have binaries stored in gzip archives
> (e.g. xen.gz). Verification should be run after decompression rather
> than before so reorder the file filter list as appropriate.
>
> Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> ---
>  include/grub/file.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/grub/file.h b/include/grub/file.h
> index a5bf3a792d6f..a1ef3582bc7b 100644
> --- a/include/grub/file.h
> +++ b/include/grub/file.h
> @@ -182,10 +182,10 @@ extern grub_disk_read_hook_t
> EXPORT_VAR(grub_file_progress_hook);
>  /* Filters with lower ID are executed first.  */
>  typedef enum grub_file_filter_id
>    {
> -    GRUB_FILE_FILTER_VERIFY,
>      GRUB_FILE_FILTER_GZIO,
>      GRUB_FILE_FILTER_XZIO,
>      GRUB_FILE_FILTER_LZOPIO,
> +    GRUB_FILE_FILTER_VERIFY,
>      GRUB_FILE_FILTER_MAX,
>      GRUB_FILE_FILTER_COMPRESSION_FIRST =3D GRUB_FILE_FILTER_GZIO,
>      GRUB_FILE_FILTER_COMPRESSION_LAST =3D GRUB_FILE_FILTER_LZOPIO,
> --
> 2.43.0
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>

--0000000000001e96fb0613ade9d9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Verifying after decompression is a bad security practice.=
 It relies on decompression having no security holes. Given how complex dec=
ompression is, this is almost guaranteed to be false.</div><br><div class=
=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le mer. 13 mars 2024=
, 18:08, Ross Lagerwall via Grub-devel &lt;<a href=3D"mailto:grub-devel@gnu=
.org">grub-devel@gnu.org</a>&gt; a =C3=A9crit=C2=A0:<br></div><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;=
padding-left:1ex">It is convenient and common to have binaries stored in gz=
ip archives<br>
(e.g. xen.gz). Verification should be run after decompression rather<br>
than before so reorder the file filter list as appropriate.<br>
<br>
Signed-off-by: Ross Lagerwall &lt;<a href=3D"mailto:ross.lagerwall@citrix.c=
om" target=3D"_blank" rel=3D"noreferrer">ross.lagerwall@citrix.com</a>&gt;<=
br>
---<br>
=C2=A0include/grub/file.h | 2 +-<br>
=C2=A01 file changed, 1 insertion(+), 1 deletion(-)<br>
<br>
diff --git a/include/grub/file.h b/include/grub/file.h<br>
index a5bf3a792d6f..a1ef3582bc7b 100644<br>
--- a/include/grub/file.h<br>
+++ b/include/grub/file.h<br>
@@ -182,10 +182,10 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_pro=
gress_hook);<br>
=C2=A0/* Filters with lower ID are executed first.=C2=A0 */<br>
=C2=A0typedef enum grub_file_filter_id<br>
=C2=A0 =C2=A0{<br>
-=C2=A0 =C2=A0 GRUB_FILE_FILTER_VERIFY,<br>
=C2=A0 =C2=A0 =C2=A0GRUB_FILE_FILTER_GZIO,<br>
=C2=A0 =C2=A0 =C2=A0GRUB_FILE_FILTER_XZIO,<br>
=C2=A0 =C2=A0 =C2=A0GRUB_FILE_FILTER_LZOPIO,<br>
+=C2=A0 =C2=A0 GRUB_FILE_FILTER_VERIFY,<br>
=C2=A0 =C2=A0 =C2=A0GRUB_FILE_FILTER_MAX,<br>
=C2=A0 =C2=A0 =C2=A0GRUB_FILE_FILTER_COMPRESSION_FIRST =3D GRUB_FILE_FILTER=
_GZIO,<br>
=C2=A0 =C2=A0 =C2=A0GRUB_FILE_FILTER_COMPRESSION_LAST =3D GRUB_FILE_FILTER_=
LZOPIO,<br>
-- <br>
2.43.0<br>
<br>
<br>
_______________________________________________<br>
Grub-devel mailing list<br>
<a href=3D"mailto:Grub-devel@gnu.org" target=3D"_blank" rel=3D"noreferrer">=
Grub-devel@gnu.org</a><br>
<a href=3D"https://lists.gnu.org/mailman/listinfo/grub-devel" rel=3D"norefe=
rrer noreferrer" target=3D"_blank">https://lists.gnu.org/mailman/listinfo/g=
rub-devel</a><br>
</blockquote></div>

--0000000000001e96fb0613ade9d9--


--===============6708021230969716623==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KR3J1Yi1kZXZl
bCBtYWlsaW5nIGxpc3QKR3J1Yi1kZXZlbEBnbnUub3JnCmh0dHBzOi8vbGlzdHMuZ251Lm9yZy9t
YWlsbWFuL2xpc3RpbmZvL2dydWItZGV2ZWwK

--===============6708021230969716623==--