From: Daniel Kiper
Subject: [SECURITY PATCH 008/117] mmap: Don't register cutmem and badram commands when lockdown is enforced
Date: Tue, 2 Mar 2021 19:00:15 +0100
From: Javier Martinez Canillas <javierm@redhat.com>
The cutmem and badram commands can be used to remove EFI memory regions
and potentially disable the UEFI Secure Boot. Prevent the commands from being
registered if the GRUB is locked down.
Fixes: CVE-2020-27779
Reported-by: Teddy Reed <teddy.reed@gmail.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
docs/grub.texi | 4 ++++
grub-core/mmap/mmap.c | 13 +++++++------
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index 4ce31c2d4..5dbb02f1c 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4139,6 +4139,10 @@ this page is to be filtered. This syntax makes it easy
to represent patterns
that are often result of memory damage, due to physical distribution of memory
cells.
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This prevents removing EFI memory regions to potentially subvert the
+ security mechanisms provided by the UEFI secure boot.
+
@node blocklist
@subsection blocklist
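Review bot: the lockdown note is added only to the badram documentation (the hunk lands in the paragraph describing badram's address/mask pattern syntax), while the code hunk below restricts cutmem in exactly the same way and the diffstat shows no second documentation change; either add the same sentence to the cutmem documentation in this patch or say in the commit message that cutmem's documentation is handled separately (the series lists "[SECURITY PATCH 014/117] docs: Document the cutmem command"). Minor: the two continuation lines of the added note are indented with leading spaces, which the surrounding paragraphs in this node do not do; Texinfo ignores the indentation, but keeping the existing layout is cleaner.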
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
index 64684c23d..3cae68364 100644
--- a/grub-core/mmap/mmap.c
+++ b/grub-core/mmap/mmap.c
@@ -20,6 +20,7 @@
#include <grub/memory.h>
#include <grub/machine/memory.h>
#include <grub/err.h>
+#include <grub/lockdown.h>
#include <grub/misc.h>
#include <grub/mm.h>
#include <grub/command.h>
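Review bot: nothing in this file's visible hunks uses a symbol from <grub/lockdown.h> directly; the only new call is grub_register_command_lockdown(), which is presumably declared alongside grub_register_command() in <grub/command.h>, already included just below. If the helper is a static inline that calls grub_is_lockdown() and therefore needs the header, that dependency belongs in <grub/command.h> itself rather than in every module that registers a lockdown-restricted command; otherwise the include is unused and should be dropped.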
@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
GRUB_MOD_INIT(mmap)
{
- cmd = grub_register_command ("badram", grub_cmd_badram,
- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
- N_("Declare memory regions as faulty
(badram)."));
- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
- N_("FROM[K|M|G] TO[K|M|G]"),
- N_("Remove any memory regions in specified
range."));
+ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
+ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+ N_("Declare memory regions as faulty
(badram)."));
+ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
+ N_("FROM[K|M|G] TO[K|M|G]"),
+ N_("Remove any memory regions in
specified range."));
}
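Review bot: the subject line and commit message say the commands are not registered, yet both statements still call a register function and store the result in cmd and cmd_cut, which the hunk header shows are the static handles this module keeps for later unregistration. If grub_register_command_lockdown() returns NULL under lockdown, GRUB_MOD_FINI (not in this diff) must check for NULL before calling grub_unregister_command() on them; if instead it registers the command with a handler that refuses to execute, the "Don't register" wording should be changed to match. In either case the commit message should state which behaviour the user actually sees at the GRUB prompt.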
--
2.11.0
- [SECURITY PATCH 000/117] Multiple GRUB2 vulnerabilities - 2021/03/02 round, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 001/117] verifiers: Move verifiers API to kernel image, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 002/117] efi: Move the shim_lock verifier to the GRUB core, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 004/117] kern/lockdown: Set a variable if the GRUB is locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 005/117] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 003/117] kern: Add lockdown support, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 006/117] efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 008/117] mmap: Don't register cutmem and badram commands when lockdown is enforced, Daniel Kiper, 2021/03/02 (this message)
- [SECURITY PATCH 007/117] acpi: Don't register the acpi command when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 009/117] commands: Restrict commands that can load BIOS or DT blobs when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 010/117] commands/setpci: Restrict setpci command when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 012/117] gdb: Restrict GDB access when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 015/117] dl: Only allow unloading modules that are not dependencies, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 013/117] loader/xnu: Don't allow loading extension and packages when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 011/117] commands/hdparm: Restrict hdparm command when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 014/117] docs: Document the cutmem command, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 021/117] kern/efi: Fix memory leak on failure, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 019/117] net/tftp: Fix dangling memory pointer, Daniel Kiper, 2021/03/02