[SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
From: Daniel Kiper
Subject: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
Date: Wed, 29 Jul 2020 19:00:13 +0200
Hi all,
We have recently been made aware of a problem with GRUB2 by security research
firm Eclypsium that allows a bad actor to circumvent UEFI Secure Boot. Normally,
when Secure Boot is enabled, only modules [1] that have a valid signature can
be loaded. The bug allows this to be circumvented and allows an unsigned module to
be loaded, which breaks the chain of trust that Secure Boot is supposed to
guarantee.
The issue has been assigned the following CVE and score:
CVE-2020-10713, 8.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
This is the original flaw discovered by Eclypsium, also known as "BootHole" and
is described in Eclypsium's paper [2].
In the deeper analysis prompted by that bug we have found the following additional
bugs:
- CVE-2020-14308, 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
grub2: grub_malloc does not validate allocation size allowing for
arithmetic overflow and subsequent heap-based buffer overflow,
- CVE-2020-14309, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow in grub_squash_read_symlink may lead to
heap based overflow,
- CVE-2020-14310, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow read_section_from_string may lead to heap
based overflow,
- CVE-2020-14311, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow in grub_ext2_read_link leads to heap based
buffer overflow,
- CVE-2020-15705, 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
grub2: Avoid loading unsigned kernels when grub is booted directly
under secureboot without shim (this is a distro-specific issue and
does not apply to GRUB2 upstream),
- CVE-2020-15706, 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
script: Avoid a use-after-free when redefining a function during execution,
- CVE-2020-15707, 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
grub2: Integer overflow in initrd size handling.
Mitigation of these bugs will involve not just a new version of GRUB2 for all
the affected platforms but may also require a new shim or a new kernel or both.
Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here [3] we are listing at
least some links to the messaging known at the time of this posting.
At some stage, the UEFI revocation list (dbx) on new hardware will be updated
so that today's kernels will not boot on the new hardware. Full mitigation
against the CVE-2020-10713 will require an updated dbx which, in at least some
cases, will not allow Secure Boot with today's kernels. Vendor shims may
explicitly permit known older kernels to boot.
Updated GRUB2, shim and kernels from all the affected vendors will be made
available when the embargo lifts or shortly thereafter. An updated dbx from
the various affected vendors will also ship, although possibly not at the same
time. The new Microsoft dbx will be provided for download here [4].
I am posting all the GRUB2 upstream patches which fix all the security bugs found
and reported up until now. Major Linux distros carry, or will soon carry, one
form or another of these patches. All the GRUB2 upstream patches are now in
the GRUB2 git repository [5] too.
The initial issue was discovered and reported by Mickey Shkatov and Jesse
Michael, both working for Eclypsium.
In particular I would like to thank, in alphabetical order, the following people
who were working really hard on the GRUB, kernel, shim, legal, organizational
and other stuff related to these issues:
- Alexander Burmashev (Oracle),
- Alexey Makhalov (VMware),
- Chris Coulson (Canonical),
- Cliff Perry (Red Hat),
- Colin Watson (Debian),
- Darren Kenny (Oracle),
- Darren Moffat (Oracle),
- Dave Miner (Oracle),
- Derek Granito (Microsoft),
- Dimitri John Ledkov (Canonical),
- Eric Snowberg (Oracle),
- Ilya Okomin (Oracle),
- Jan Setje-Eilers (Oracle),
- Jeremiah Cox (Microsoft),
- Jesse Michael (Eclypsium),
- John Haxby (Oracle),
- Kanth Ghatraju (Oracle),
- Konrad Rzeszutek Wilk (Oracle),
- Marco Benatto (Red Hat),
- Mickey Shkatov (Eclypsium),
- Peter Jones (Red Hat),
- Sarah Jacobus (Microsoft),
- Steve McIntyre (Debian),
- Todd Vierling (Oracle).
Without all your hard work and late hours this joint community work would not
have been possible.
I am proud to be working with you all and thank you.
Daniel
[1] "Modules" used here is a catch-all for things that are loaded and
covers everything from UEFI applications all the way up through the
platform's kernel and any drivers that it may load. Different loaders
have different ways of checking signatures but there is a chain of
trust reaching right back to the origin where Secure Boot is first
enabled.
[2] https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
[3] Canonical: https://ubuntu.com/security/notices/USN-4432-1
Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
https://www.suse.com/support/kb/doc/?id=000019673
VMware: https://kb.vmware.com/s/article/80181
[4] https://uefi.org/revocationlistfile
[5] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
https://git.savannah.gnu.org/git/grub.git
INSTALL | 22 +---
grub-core/bus/usb/usbhub.c | 8 +-
grub-core/commands/efi/lsefisystab.c | 3 +-
grub-core/commands/legacycfg.c | 35 +++++--
grub-core/commands/menuentry.c | 2 +-
grub-core/commands/nativedisk.c | 2 +-
grub-core/commands/parttool.c | 12 ++-
grub-core/commands/regexp.c | 2 +-
grub-core/commands/search_wrap.c | 2 +-
grub-core/commands/wildcard.c | 36 ++++++-
grub-core/disk/diskfilter.c | 4 +-
grub-core/disk/ieee1275/ofdisk.c | 2 +-
grub-core/disk/ldm.c | 46 +++++---
grub-core/disk/luks.c | 2 +-
grub-core/disk/lvm.c | 60 ++++++++---
grub-core/disk/xen/xendisk.c | 2 +-
grub-core/efiemu/loadcore.c | 2 +-
grub-core/efiemu/mm.c | 6 +-
grub-core/font/font.c | 16 ++-
grub-core/fs/affs.c | 6 +-
grub-core/fs/btrfs.c | 34 +++---
grub-core/fs/ext2.c | 10 +-
grub-core/fs/hfs.c | 2 +-
grub-core/fs/hfsplus.c | 17 +--
grub-core/fs/iso9660.c | 73 +++++++++----
grub-core/fs/ntfs.c | 4 +-
grub-core/fs/sfs.c | 29 ++++--
grub-core/fs/squash4.c | 45 ++++++--
grub-core/fs/tar.c | 2 +-
grub-core/fs/udf.c | 62 +++++++----
grub-core/fs/xfs.c | 11 +-
grub-core/fs/zfs/zfs.c | 26 +++--
grub-core/fs/zfs/zfscrypt.c | 7 +-
grub-core/gfxmenu/gui_image.c | 5 +-
grub-core/gfxmenu/gui_string_util.c | 2 +-
grub-core/gfxmenu/widget-box.c | 4 +-
grub-core/io/gzio.c | 2 +-
grub-core/kern/arm/efi/init.c | 3 +
grub-core/kern/arm64/efi/init.c | 3 +
grub-core/kern/efi/efi.c | 73 ++++++++++---
grub-core/kern/efi/init.c | 1 -
grub-core/kern/emu/hostdisk.c | 2 +-
grub-core/kern/emu/misc.c | 12 +++
grub-core/kern/emu/mm.c | 13 ++-
grub-core/kern/fs.c | 2 +-
grub-core/kern/i386/efi/init.c | 9 +-
grub-core/kern/ia64/efi/init.c | 9 +-
grub-core/kern/misc.c | 2 +-
grub-core/kern/mm.c | 40 +++++++
grub-core/kern/parser.c | 2 +-
grub-core/kern/riscv/efi/init.c | 3 +
grub-core/kern/uboot/uboot.c | 2 +-
grub-core/lib/LzmaEnc.c | 10 +-
grub-core/lib/arg.c | 20 +++-
grub-core/lib/efi/halt.c | 3 +-
grub-core/lib/i386/relocator.c | 28 ++---
grub-core/lib/json/json.c | 11 +-
grub-core/lib/json/json.h | 5 +-
grub-core/lib/libgcrypt/cipher/ac.c | 8 +-
grub-core/lib/libgcrypt/cipher/primegen.c | 4 +-
grub-core/lib/libgcrypt/cipher/pubkey.c | 4 +-
grub-core/lib/libgcrypt_wrap/mem.c | 11 +-
grub-core/lib/mips/relocator.c | 6 +-
grub-core/lib/posix_wrap/stdlib.h | 8 +-
grub-core/lib/powerpc/relocator.c | 6 +-
grub-core/lib/priority_queue.c | 2 +-
grub-core/lib/reed_solomon.c | 7 +-
grub-core/lib/relocator.c | 14 +--
grub-core/lib/x86_64/efi/relocator.c | 7 +-
grub-core/lib/zstd/fse_decompress.c | 2 +-
grub-core/loader/arm/linux.c | 2 +-
grub-core/loader/efi/chainloader.c | 34 ++++--
grub-core/loader/i386/bsd.c | 8 +-
grub-core/loader/i386/bsdXX.c | 2 +-
grub-core/loader/i386/linux.c | 14 ++-
grub-core/loader/i386/multiboot_mbi.c | 7 +-
grub-core/loader/i386/pc/linux.c | 15 +--
grub-core/loader/i386/xen.c | 12 ++-
grub-core/loader/i386/xnu.c | 30 +++---
grub-core/loader/linux.c | 77 ++++++++++----
grub-core/loader/macho.c | 2 +-
grub-core/loader/mips/linux.c | 9 +-
grub-core/loader/multiboot.c | 2 +-
grub-core/loader/multiboot_elfxx.c | 12 +--
grub-core/loader/multiboot_mbi2.c | 16 +--
grub-core/loader/xnu.c | 13 ++-
grub-core/loader/xnu_resume.c | 2 +-
grub-core/mmap/mmap.c | 4 +-
grub-core/net/bootp.c | 2 +-
grub-core/net/dns.c | 19 ++--
grub-core/net/net.c | 4 +-
grub-core/net/tftp.c | 168 ++++++++++--------------------
grub-core/normal/charset.c | 20 ++--
grub-core/normal/cmdline.c | 28 +++--
grub-core/normal/menu_entry.c | 27 +++--
grub-core/normal/menu_text.c | 4 +-
grub-core/normal/term.c | 4 +-
grub-core/osdep/linux/getroot.c | 6 +-
grub-core/osdep/unix/config.c | 2 +-
grub-core/osdep/windows/getroot.c | 2 +-
grub-core/osdep/windows/hostdisk.c | 4 +-
grub-core/osdep/windows/init.c | 2 +-
grub-core/osdep/windows/platform.c | 4 +-
grub-core/osdep/windows/relpath.c | 2 +-
grub-core/partmap/gpt.c | 2 +-
grub-core/partmap/msdos.c | 2 +-
grub-core/script/argv.c | 16 ++-
grub-core/script/execute.c | 4 +-
grub-core/script/function.c | 16 ++-
grub-core/script/lexer.c | 21 +++-
grub-core/script/parser.y | 3 +-
grub-core/script/yylex.l | 4 +-
grub-core/term/terminfo.c | 9 +-
grub-core/tests/fake_input.c | 2 +-
grub-core/tests/video_checksum.c | 6 +-
grub-core/video/bitmap.c | 25 +++--
grub-core/video/capture.c | 2 +-
grub-core/video/emu/sdl.c | 2 +-
grub-core/video/i386/pc/vga.c | 2 +-
grub-core/video/readers/png.c | 15 ++-
include/grub/compiler.h | 8 ++
include/grub/efi/api.h | 14 ++-
include/grub/emu/misc.h | 1 +
include/grub/loader.h | 1 +
include/grub/mm.h | 6 ++
include/grub/relocator.h | 29 ++++++
include/grub/safemath.h | 37 +++++++
include/grub/script_sh.h | 5 +-
include/grub/unicode.h | 4 +-
util/getroot.c | 2 +-
util/grub-file.c | 2 +-
util/grub-fstest.c | 4 +-
util/grub-install-common.c | 2 +-
util/grub-install.c | 4 +-
util/grub-mkimagexx.c | 6 +-
util/grub-mkrescue.c | 4 +-
util/grub-mkstandalone.c | 2 +-
util/grub-pe2elf.c | 12 +--
util/grub-probe.c | 4 +-
139 files changed, 1168 insertions(+), 606 deletions(-)
Alexey Makhalov (7):
gfxmenu: Fix double free in load_image()
xnu: Fix double free in grub_xnu_devprop_add_property()
tftp: Do not use priority queue
relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow
relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow
relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation
efi: Fix use-after-free in halt/reboot path
Chris Coulson (3):
json: Avoid a double-free when parsing fails.
script: Remove unused fields from grub_script_function struct
script: Avoid a use-after-free when redefining a function during execution
Colin Watson (1):
linux: Fix integer overflows in initrd size handling
Daniel Kiper (2):
font: Do not load more than one NAME section
efi/chainloader: Propagate errors from copy_file_path()
Konrad Rzeszutek Wilk (4):
lzma: Make sure we don't dereference past array
term: Fix overflow on user inputs
udf: Fix memory leak
multiboot2: Fix memory leak if grub_create_loader_cmdline() fails
Peter Jones (11):
yylex: Make lexer fatal errors actually be fatal
safemath: Add some arithmetic primitives that check for overflow
calloc: Make sure we always have an overflow-checking calloc() available
calloc: Use calloc() at most places
malloc: Use overflow checking primitives where we do complex allocations
iso9660: Don't leak memory on realloc() failures
hfsplus: Fix two more overflows
lvm: Fix two more potential data-dependent alloc overflows
emu: Make grub_free(NULL) safe
efi: Fix some malformed device path arithmetic errors
loader/linux: Avoid overflow on initrd size calculation
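Worked example, added here and not part of Daniel Kiper's message or of GRUB's own code: the integer-overflow entries in the list above (CVE-2020-14308, -14309, -14310, -14311 and -15707) share one shape. An allocation size is derived from attacker-controlled on-disk or boot-time values, the multiplication or addition wraps, a tiny buffer comes back from the allocator, and the copy that follows overflows it. The C below contrasts that unchecked size computation with an overflow-checked one built on the same compiler builtins that the series' safemath and calloc patches wrap. All function and struct names here (`checked_mul`, `checked_size`, `checked_calloc`, `disk_header`, `patched_load`, and so on) are assumptions for illustration, not GRUB's API, and the malicious header is constructed inline.

```c
/*
 * Added example, not GRUB code. Shows why an allocation size computed with
 * plain arithmetic from untrusted input is exploitable and how an
 * overflow-checking size computation rejects the same input.
 * Names below are illustrative assumptions, not GRUB's real API.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overflow-checking arithmetic on the GCC/Clang builtins that GRUB's
 * safemath.h also relies on. Return nonzero on overflow, 0 on success
 * with the result stored in *res. */
static int checked_mul(size_t a, size_t b, size_t *res)
{
    return __builtin_mul_overflow(a, b, res);
}

static int checked_add(size_t a, size_t b, size_t *res)
{
    return __builtin_add_overflow(a, b, res);
}

/* Vulnerable pattern: header + count * elem_size with no check. For a large
 * count the product wraps to a small value and malloc happily succeeds,
 * returning a buffer far smaller than the data later copied into it. */
size_t unchecked_size(size_t count, size_t elem_size, size_t header)
{
    return header + count * elem_size;   /* silently wraps */
}

/* Hardened pattern: every step is checked. Returns 0 and sets *out on
 * success, -1 if either the multiplication or the addition wraps. Checking
 * only the product is not enough; the trailing header addition can wrap too. */
int checked_size(size_t count, size_t elem_size, size_t header, size_t *out)
{
    size_t body;
    if (checked_mul(count, elem_size, &body))
        return -1;
    if (checked_add(header, body, out))
        return -1;
    return 0;
}

/* calloc-style allocator that never hands back a buffer smaller than
 * count * elem_size. NULL means overflow or exhaustion; callers must
 * treat it as an error rather than proceed. */
void *checked_calloc(size_t count, size_t elem_size)
{
    size_t bytes;
    if (checked_mul(count, elem_size, &bytes))
        return NULL;
    void *p = malloc(bytes);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Constructed stand-in for on-disk metadata a loader or filesystem driver
 * reads: both fields are attacker-controlled. */
struct disk_header {
    size_t nentries;
    size_t entry_size;
};

/* Simulates the vulnerable code path: the number of bytes it would allocate
 * before walking nentries * entry_size bytes of input. A result smaller
 * than entry_size means the buffer is undersized and the walk overflows it. */
size_t vulnerable_alloc_bytes(const struct disk_header *h)
{
    return unchecked_size(h->nentries, h->entry_size, sizeof *h);
}

/* Simulates the patched code path: 0 and *buf set on success, -1 if the
 * size computation wraps or the allocation fails; *buf is NULL on failure. */
int patched_load(const struct disk_header *h, void **buf)
{
    size_t bytes;
    *buf = NULL;
    if (checked_size(h->nentries, h->entry_size, sizeof *h, &bytes))
        return -1;
    *buf = checked_calloc(1, bytes);
    return *buf ? 0 : -1;
}

int main(void)
{
    /* Constructed malicious header: (SIZE_MAX/2 + 2) * 2 wraps to 2. */
    struct disk_header evil = { SIZE_MAX / 2 + 2, 2 };
    void *buf;
    printf("vulnerable path would allocate %zu bytes for %zu entries\n",
           vulnerable_alloc_bytes(&evil), evil.nentries);
    printf("patched path: %s\n",
           patched_load(&evil, &buf) == 0 ? "allocated" : "rejected (overflow)");
    free(buf);
    return 0;
}
```

Compile with gcc or clang; the result is width-independent because the malicious count is derived from SIZE_MAX. The point of `checked_size` over a bare product check is the second step: a fix that validates `count * elem_size` but then adds a header length unchecked leaves exactly the kind of wrap that several of the listed CVEs describe.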