diff options
author | Marta Rybczynska <rybczynska@gmail.com> | 2022-01-05 09:40:50 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-01-11 22:28:38 +0000 |
commit | c55481b8066a32afefdd4404b7ce5a7e8ebbb7cd (patch) | |
tree | 4e4cc8ffbd887bfa4cfcefd9592abd0e907383b7 /meta/recipes-bsp/grub/files/CVE-2020-27779.patch | |
parent | 6e6ede294c3391487df196055ad0544b08c2b1b2 (diff) | |
download | poky-c55481b8066a32afefdd4404b7ce5a7e8ebbb7cd.tar.gz |
grub: fix CVE-2020-14372 and CVE-2020-27779
Fix issues with grub in secure boot mode where an attacker could circumvent
secure boot by using acpi and cutmem commands. Also include patches fixing
similar issues.
Most patches are backported directly from grub. One patch
(no-insmod-on-sb.patch) comes from Debian, as the upstream implementation is
too complicated to backport.
CVE-2020-14372 description (from NVD [1]):
A flaw was found in grub2 in versions prior to 2.06, where it incorrectly
enables the usage of the ACPI command when Secure Boot is enabled.
This flaw allows an attacker with privileged access to craft a Secondary
System Description Table (SSDT) containing code to overwrite the Linux
kernel lockdown variable content directly into memory. The table is
further loaded and executed by the kernel, defeating its Secure Boot
lockdown and allowing the attacker to load unsigned code. The highest
threat from this vulnerability is to data confidentiality and integrity,
as well as system availability.
CVE-2020-27779 description (from NVD [2]):
A flaw was found in grub2 in versions prior to 2.06. The cutmem command
does not honor secure boot locking allowing an privileged attacker to
remove address ranges from memory creating an opportunity to circumvent
SecureBoot protections after proper triage about grub's memory layout.
The highest threat from this vulnerability is to data confidentiality
and integrity as well as system availability.
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14372
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-27779
(From OE-Core rev: da6c0f3cfc920cea57cd409b17303bf735ccd68d)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-27779.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch new file mode 100644 index 0000000000..c82423b8af --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Wed, 14 Oct 2020 16:33:42 +0200 | ||
4 | Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown | ||
5 | is enforced | ||
6 | |||
7 | The cutmem and badram commands can be used to remove EFI memory regions | ||
8 | and potentially disable the UEFI Secure Boot. Prevent the commands to be | ||
9 | registered if the GRUB is locked down. | ||
10 | |||
11 | Fixes: CVE-2020-27779 | ||
12 | |||
13 | Reported-by: Teddy Reed <teddy.reed@gmail.com> | ||
14 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
15 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
16 | |||
17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9] | ||
18 | CVE: CVE-2020-27779 | ||
19 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
20 | --- | ||
21 | docs/grub.texi | 4 ++++ | ||
22 | grub-core/mmap/mmap.c | 13 +++++++------ | ||
23 | 2 files changed, 11 insertions(+), 6 deletions(-) | ||
24 | |||
25 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
26 | index 47ac7ff..a1aaee6 100644 | ||
27 | --- a/docs/grub.texi | ||
28 | +++ b/docs/grub.texi | ||
29 | @@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns | ||
30 | that are often result of memory damage, due to physical distribution of memory | ||
31 | cells. | ||
32 | |||
33 | +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
34 | + This prevents removing EFI memory regions to potentially subvert the | ||
35 | + security mechanisms provided by the UEFI secure boot. | ||
36 | + | ||
37 | @node blocklist | ||
38 | @subsection blocklist | ||
39 | |||
40 | diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c | ||
41 | index 57b4e9a..7ebf32e 100644 | ||
42 | --- a/grub-core/mmap/mmap.c | ||
43 | +++ b/grub-core/mmap/mmap.c | ||
44 | @@ -20,6 +20,7 @@ | ||
45 | #include <grub/memory.h> | ||
46 | #include <grub/machine/memory.h> | ||
47 | #include <grub/err.h> | ||
48 | +#include <grub/lockdown.h> | ||
49 | #include <grub/misc.h> | ||
50 | #include <grub/mm.h> | ||
51 | #include <grub/command.h> | ||
52 | @@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut; | ||
53 | |||
54 | GRUB_MOD_INIT(mmap) | ||
55 | { | ||
56 | - cmd = grub_register_command ("badram", grub_cmd_badram, | ||
57 | - N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), | ||
58 | - N_("Declare memory regions as faulty (badram).")); | ||
59 | - cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem, | ||
60 | - N_("FROM[K|M|G] TO[K|M|G]"), | ||
61 | - N_("Remove any memory regions in specified range.")); | ||
62 | + cmd = grub_register_command_lockdown ("badram", grub_cmd_badram, | ||
63 | + N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), | ||
64 | + N_("Declare memory regions as faulty (badram).")); | ||
65 | + cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem, | ||
66 | + N_("FROM[K|M|G] TO[K|M|G]"), | ||
67 | + N_("Remove any memory regions in specified range.")); | ||
68 | |||
69 | } | ||
70 | |||