1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25632.patch b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
new file mode 100644
index 0000000000..0b37c72f0f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
@@ -0,0 +1,90 @@
+From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+While being there, add the extern keyword to some function declarations in
+that header file.
+Fixes: CVE-2020-25632
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7630ec5397fe418276b360f9011934b8c034936c]
+CVE: CVE-2020-25632
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/minicmd.c | 7 +++++--
+ grub-core/kern/dl.c          | 9 +++++++++
+ include/grub/dl.h            | 8 +++++---
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6bbce3128..fa498931e 100644
+--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+   if (grub_dl_is_persistent (mod))
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+ 
+-  if (grub_dl_unref (mod) <= 0)
+-    grub_dl_unload (mod);
+  if (grub_dl_ref_count (mod) > 1)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
+
+  grub_dl_unref (mod);
+  grub_dl_unload (mod);
+ 
+   return 0;
+ }
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..48f8a7907 100644
+--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
+@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
+   return --mod->ref_count;
+ }
+ 
+int
+grub_dl_ref_count (grub_dl_t mod)
+{
+  if (mod == NULL)
+    return 0;
+
+  return mod->ref_count;
+}
+
+ static void
+ grub_dl_flush_cache (grub_dl_t mod)
+ {
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index f03c03561..b3753c9ca 100644
+--- a/include/grub/dl.h
+++ b/include/grub/dl.h
+@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+ grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+ grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+ int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
+extern void grub_dl_unload_unneeded (void);
+extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
+extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
+
+ extern grub_dl_t EXPORT_VAR(grub_dl_head);
+ 
+ #ifndef GRUB_UTIL
+-- 
+2.33.0

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25632.patch b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch new file mode 100644 index 0000000000..0b37c72f0f --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
@@ -0,0 +1,90 @@
	1	From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Tue, 29 Sep 2020 14:08:55 +0200
	4	Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
	5
	6	When a module is attempted to be removed its reference counter is always
	7	decremented. This means that repeated rmmod invocations will cause the
	8	module to be unloaded even if another module depends on it.
	9
	10	This may lead to a use-after-free scenario allowing an attacker to execute
	11	arbitrary code and by-pass the UEFI Secure Boot protection.
	12
	13	While being there, add the extern keyword to some function declarations in
	14	that header file.
	15
	16	Fixes: CVE-2020-25632
	17
	18	Reported-by: Chris Coulson <chris.coulson@canonical.com>
	19	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	20	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	21
	22	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7630ec5397fe418276b360f9011934b8c034936c]
	23	CVE: CVE-2020-25632
	24	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	25	---
	26	grub-core/commands/minicmd.c \| 7 +++++--
	27	grub-core/kern/dl.c \| 9 +++++++++
	28	include/grub/dl.h \| 8 +++++---
	29	3 files changed, 19 insertions(+), 5 deletions(-)
	30
	31	diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
	32	index 6bbce3128..fa498931e 100644
	33	--- a/grub-core/commands/minicmd.c
	34	+++ b/grub-core/commands/minicmd.c
	35	@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
	36	if (grub_dl_is_persistent (mod))
	37	return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
	38
	39	- if (grub_dl_unref (mod) <= 0)
	40	- grub_dl_unload (mod);
	41	+ if (grub_dl_ref_count (mod) > 1)
	42	+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
	43	+
	44	+ grub_dl_unref (mod);
	45	+ grub_dl_unload (mod);
	46
	47	return 0;
	48	}
	49	diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
	50	index 48eb5e7b6..48f8a7907 100644
	51	--- a/grub-core/kern/dl.c
	52	+++ b/grub-core/kern/dl.c
	53	@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
	54	return --mod->ref_count;
	55	}
	56
	57	+int
	58	+grub_dl_ref_count (grub_dl_t mod)
	59	+{
	60	+ if (mod == NULL)
	61	+ return 0;
	62	+
	63	+ return mod->ref_count;
	64	+}
	65	+
	66	static void
	67	grub_dl_flush_cache (grub_dl_t mod)
	68	{
	69	diff --git a/include/grub/dl.h b/include/grub/dl.h
	70	index f03c03561..b3753c9ca 100644
	71	--- a/include/grub/dl.h
	72	+++ b/include/grub/dl.h
	73	@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
	74	grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
	75	grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
	76	int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
	77	-void grub_dl_unload_unneeded (void);
	78	-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
	79	-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
	80	+extern void grub_dl_unload_unneeded (void);
	81	+extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
	82	+extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
	83	+extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
	84	+
	85	extern grub_dl_t EXPORT_VAR(grub_dl_head);
	86
	87	#ifndef GRUB_UTIL
	88	--
	89	2.33.0
	90