1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
new file mode 100644
index 0000000000..b52273ff50
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
@@ -0,0 +1,62 @@
+From 6993cce7c3a9d15e6573845f455d2f0de424a717 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 15:03:26 +0100
+Subject: [PATCH] gdb: Restrict GDB access when locked down
+The gdbstub* commands allow to start and control a GDB stub running on
+local host that can be used to connect from a remote debugger. Restrict
+this functionality when the GRUB is locked down.
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=508270838998f151a82e9c13e7cb8a470a2dc23d]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
+index 847a1e1..1818cb6 100644
+--- a/grub-core/gdb/gdb.c
+++ b/grub-core/gdb/gdb.c
+@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
+ GRUB_MOD_INIT (gdb)
+ {
+   grub_gdb_idtinit ();
+-  cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
+-                              N_("PORT"), 
+-                              /* TRANSLATORS: GDB stub is a small part of
+-                                 GDB functionality running on local host
+-                                 which allows remote debugger to
+-                                 connect to it.  */
+-                              N_("Start GDB stub on given port"));
+-  cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
+-                                    /* TRANSLATORS: this refers to triggering
+-                                       a breakpoint so that the user will land
+-                                       into GDB.  */
+-                                    0, N_("Break into GDB"));
+-  cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
+-                                   0, N_("Stop GDB stub"));
+  cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
+                                       N_("PORT"),
+                                       /*
+                                        * TRANSLATORS: GDB stub is a small part of
+                                        * GDB functionality running on local host
+                                        * which allows remote debugger to
+                                        * connect to it.
+                                        */
+                                       N_("Start GDB stub on given port"));
+  cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
+                                             /*
+                                              * TRANSLATORS: this refers to triggering
+                                              * a breakpoint so that the user will land
+                                              * into GDB.
+                                              */
+                                             0, N_("Break into GDB"));
+  cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
+                                            0, N_("Stop GDB stub"));
+ }
+ 
+ GRUB_MOD_FINI (gdb)

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch new file mode 100644 index 0000000000..b52273ff50 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
@@ -0,0 +1,62 @@
	1	From 6993cce7c3a9d15e6573845f455d2f0de424a717 Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Wed, 24 Feb 2021 15:03:26 +0100
	4	Subject: [PATCH] gdb: Restrict GDB access when locked down
	5
	6	The gdbstub* commands allow to start and control a GDB stub running on
	7	local host that can be used to connect from a remote debugger. Restrict
	8	this functionality when the GRUB is locked down.
	9
	10	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	11	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	12
	13	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=508270838998f151a82e9c13e7cb8a470a2dc23d]
	14	CVE: CVE-2020-27779
	15	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	16	---
	17	grub-core/gdb/gdb.c \| 32 ++++++++++++++++++--------------
	18	1 file changed, 18 insertions(+), 14 deletions(-)
	19
	20	diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
	21	index 847a1e1..1818cb6 100644
	22	--- a/grub-core/gdb/gdb.c
	23	+++ b/grub-core/gdb/gdb.c
	24	@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
	25	GRUB_MOD_INIT (gdb)
	26	{
	27	grub_gdb_idtinit ();
	28	- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
	29	- N_("PORT"),
	30	- /* TRANSLATORS: GDB stub is a small part of
	31	- GDB functionality running on local host
	32	- which allows remote debugger to
	33	- connect to it. */
	34	- N_("Start GDB stub on given port"));
	35	- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
	36	- /* TRANSLATORS: this refers to triggering
	37	- a breakpoint so that the user will land
	38	- into GDB. */
	39	- 0, N_("Break into GDB"));
	40	- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
	41	- 0, N_("Stop GDB stub"));
	42	+ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
	43	+ N_("PORT"),
	44	+ /*
	45	+ * TRANSLATORS: GDB stub is a small part of
	46	+ * GDB functionality running on local host
	47	+ * which allows remote debugger to
	48	+ * connect to it.
	49	+ */
	50	+ N_("Start GDB stub on given port"));
	51	+ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
	52	+ /*
	53	+ * TRANSLATORS: this refers to triggering
	54	+ * a breakpoint so that the user will land
	55	+ * into GDB.
	56	+ */
	57	+ 0, N_("Break into GDB"));
	58	+ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
	59	+ 0, N_("Stop GDB stub"));
	60	}
	61
	62	GRUB_MOD_FINI (gdb)