author | Marta Rybczynska <rybczynska@gmail.com> | 2022-01-26 10:20:43 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-02-16 09:48:51 +0000 |
commit | f5fe6f2a64ed32edeab8a0198fe57b45fdccf893 (patch) | |
tree | 71ae2f06da927c07ae521e375ecdf2f64475b060 /meta/recipes-bsp | |
parent | 40d6918639ce8227215e716551495b90f2197dd7 (diff) | |
download | poky-f5fe6f2a64ed32edeab8a0198fe57b45fdccf893.tar.gz |
grub: add a fix for CVE-2020-25632
Fix grub issue with module dereferencing. From the official description
from NVD [1]:
The rmmod implementation allows the unloading of a module used as
a dependency without checking if any other dependent module is still
loaded leading to a use-after-free scenario. This could allow
arbitrary code to be executed or a bypass of Secure Boot protections.
This patch is a part of a bigger security collection for grub [2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-25632
[2] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
(From OE-Core rev: d61b9588e5691ef390cfc0f03dc6cb0d142f36de)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-25632.patch | 90 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 91 insertions, 0 deletions
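--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
@@ -0,0 +1,90 @@
+From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+
+While being there, add the extern keyword to some function declarations in
+that header file.
+
+Fixes: CVE-2020-25632
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7630ec5397fe418276b360f9011934b8c034936c]
+CVE: CVE-2020-25632
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/commands/minicmd.c | 7 +++++--
+grub-core/kern/dl.c | 9 +++++++++
+include/grub/dl.h | 8 +++++---
+3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6bbce3128..fa498931e 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+if (grub_dl_is_persistent (mod))
+return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+
+- if (grub_dl_unref (mod) <= 0)
+- grub_dl_unload (mod);
++ if (grub_dl_ref_count (mod) > 1)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
++
++ grub_dl_unref (mod);
++ grub_dl_unload (mod);
+
+return 0;
+}
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..48f8a7907 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
+return --mod->ref_count;
+}
+
++int
++grub_dl_ref_count (grub_dl_t mod)
++{
++ if (mod == NULL)
++ return 0;
++
++ return mod->ref_count;
++}
++
+static void
+grub_dl_flush_cache (grub_dl_t mod)
+{
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index f03c03561..b3753c9ca 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern void grub_dl_unload_unneeded (void);
++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++
+extern grub_dl_t EXPORT_VAR(grub_dl_head);
+
+#ifndef GRUB_UTIL
+--
+2.33.0
+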
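Review bot: The `> 1` test added in `grub_mini_cmd_rmmod` relies on an unstated convention, apparently that an explicitly loaded module holds one reference of its own and each dependent module adds another, and nothing in the hunk lets a reader confirm it. A comment above the check would pin the intent, for example `/* ref_count > 1: another loaded module still depends on mod; unloading it would leave dangling references. */`. The result of `grub_dl_unload (mod)` is also discarded, so the command returns 0 even if the unload were refused; whether that can still happen after this check depends on `grub_dl_unload`, which is not shown. The body of `grub_mini_cmd_rmmod` starts outside the hunk.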
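--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -45,6 +45,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 file://CVE-2020-27779_5.patch \
 file://CVE-2020-27779_6.patch \
 file://CVE-2020-27779_7.patch \
+file://CVE-2020-25632.patch \
 "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"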