diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-27779.patch')
| -rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch new file mode 100644 index 0000000000..c82423b8af --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch | |||
| @@ -0,0 +1,70 @@ | |||
| 1 | From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
| 3 | Date: Wed, 14 Oct 2020 16:33:42 +0200 | ||
| 4 | Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown | ||
| 5 | is enforced | ||
| 6 | |||
| 7 | The cutmem and badram commands can be used to remove EFI memory regions | ||
| 8 | and potentially disable the UEFI Secure Boot. Prevent the commands to be | ||
| 9 | registered if the GRUB is locked down. | ||
| 10 | |||
| 11 | Fixes: CVE-2020-27779 | ||
| 12 | |||
| 13 | Reported-by: Teddy Reed <teddy.reed@gmail.com> | ||
| 14 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
| 15 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 16 | |||
| 17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9] | ||
| 18 | CVE: CVE-2020-27779 | ||
| 19 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
| 20 | --- | ||
| 21 | docs/grub.texi | 4 ++++ | ||
| 22 | grub-core/mmap/mmap.c | 13 +++++++------ | ||
| 23 | 2 files changed, 11 insertions(+), 6 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
| 26 | index 47ac7ff..a1aaee6 100644 | ||
| 27 | --- a/docs/grub.texi | ||
| 28 | +++ b/docs/grub.texi | ||
| 29 | @@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns | ||
| 30 | that are often result of memory damage, due to physical distribution of memory | ||
| 31 | cells. | ||
| 32 | |||
| 33 | +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
| 34 | + This prevents removing EFI memory regions to potentially subvert the | ||
| 35 | + security mechanisms provided by the UEFI secure boot. | ||
| 36 | + | ||
| 37 | @node blocklist | ||
| 38 | @subsection blocklist | ||
| 39 | |||
| 40 | diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c | ||
| 41 | index 57b4e9a..7ebf32e 100644 | ||
| 42 | --- a/grub-core/mmap/mmap.c | ||
| 43 | +++ b/grub-core/mmap/mmap.c | ||
| 44 | @@ -20,6 +20,7 @@ | ||
| 45 | #include <grub/memory.h> | ||
| 46 | #include <grub/machine/memory.h> | ||
| 47 | #include <grub/err.h> | ||
| 48 | +#include <grub/lockdown.h> | ||
| 49 | #include <grub/misc.h> | ||
| 50 | #include <grub/mm.h> | ||
| 51 | #include <grub/command.h> | ||
| 52 | @@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut; | ||
| 53 | |||
| 54 | GRUB_MOD_INIT(mmap) | ||
| 55 | { | ||
| 56 | - cmd = grub_register_command ("badram", grub_cmd_badram, | ||
| 57 | - N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), | ||
| 58 | - N_("Declare memory regions as faulty (badram).")); | ||
| 59 | - cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem, | ||
| 60 | - N_("FROM[K|M|G] TO[K|M|G]"), | ||
| 61 | - N_("Remove any memory regions in specified range.")); | ||
| 62 | + cmd = grub_register_command_lockdown ("badram", grub_cmd_badram, | ||
| 63 | + N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), | ||
| 64 | + N_("Declare memory regions as faulty (badram).")); | ||
| 65 | + cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem, | ||
| 66 | + N_("FROM[K|M|G] TO[K|M|G]"), | ||
| 67 | + N_("Remove any memory regions in specified range.")); | ||
| 68 | |||
| 69 | } | ||
| 70 | |||