[SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities - 2022/06/07 round


From: Daniel Kiper
Subject: [SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities - 2022/06/07 round
Date: Tue, 7 Jun 2022 19:00:32 +0200
User-agent: NeoMutt/20170113 (1.7.2)

Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in GRUB2 during the last year. The most severe ones, i.e. potentially exploitable,
have CVEs assigned and are listed at the end of this email. Additionally, the list
of CVEs contains a CVE assigned for the shim vulnerability. It has been added
for completeness.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here [1] we are listing at
least some links to the messaging known at the time of this posting.

Full mitigation against all CVEs will require an updated shim with the latest SBAT
(Secure Boot Advanced Targeting) [2] data provided by distros and vendors.
This time the UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository [3] too.

I would like to thank, in alphabetical order, the following people who were working
really hard on the GRUB, shim and other things related to these issues:
  - Alec Brown (Oracle),
  - Alexander Burmashev (Oracle),
  - Andrew Cooper (Citrix),
  - Chris Coulson (Canonical),
  - D. Jared Dominguez (Red Hat),
  - Daniel Axtens,
  - Darren Kenny (Oracle),
  - Eric Snowberg (Oracle),
  - Ilya Okomin (Oracle),
  - Jagannathan Raman (Oracle),
  - Jan Setje-Eilers (Oracle),
  - Jeremiah Cox,
  - John Haxby (Oracle),
  - Julian Andres Klode (Canonical),
  - Lidong Chen (Oracle),
  - Marco A Benatto (Red Hat),
  - Marcus Meissner (SUSE),
  - Marta Lewandowska (Red Hat),
  - Michael Chang (SUSE),
  - Peter Jones (Red Hat),
  - Petr Janda (Red Hat),
  - Robbie Harwood (Red Hat),
  - Robert Truxal (Microsoft),
  - Ross Philipson (Oracle),
  - Steve McIntyre (Debian),
  - Sudhakar Kuppusamy (IBM),
  - Tamas K Lengyel (Intel),
  - Todd Cullum (Red Hat),
  - Vikram Narayanan (University of California Irvine).

We would not be able to succeed without all your hard work.

It was a very big pleasure to work with you all.

Thank you!

Daniel

[1] Red Hat: https://access.redhat.com/security/security-updates/#/
    SUSE:    https://www.suse.com/support/kb/doc/?id=000020668

[2] https://github.com/rhboot/shim/blob/main/SBAT.md

[3] https://git.savannah.gnu.org/gitweb/?p=grub.git
    https://git.savannah.gnu.org/git/grub.git

*******************************************************************************

CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted 16-bit grayscale PNG image may lead to an out-of-bounds write in the
heap area. An attacker may take advantage of that to cause heap data corruption
or eventually arbitrary code execution and circumvent secure boot protections.
This issue has a high complexity to be exploited, as an attacker needs to
perform some triage over the heap layout to achieve significant results; also,
the values written into the memory are repeated three times in a row, making it
difficult to produce valid payloads.

Reported-by: Daniel Axtens

*******************************************************************************

CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling
5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

A heap out-of-bounds write may happen during the handling of Huffman tables in
the PNG reader. This may lead to data corruption in the heap space.
Confidentiality, Integrity and Availability impact may be considered Low as it is
very complex for an attacker to control the encoding and positioning of corrupted
Huffman entries to achieve results such as arbitrary code execution and/or
secure boot circumvention.

Reported-by: Daniel Axtens

*******************************************************************************

CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted JPEG image may lead the JPEG reader to underflow its data pointer,
allowing user controlled data to be written in the heap. To be successfully
performed, the attacker needs to do some triage over the heap layout and craft
an image with a malicious format and payload. This vulnerability can lead to
data corruption and eventual code execution or secure boot circumvention.

Reported-by: Daniel Axtens

*******************************************************************************

CVE-2022-28733 grub2: Integer underflow in grub_net_recv_ip4_packets
8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A maliciously crafted IP packet can lead to an integer underflow in the
grub_net_recv_ip4_packets() function on the rsm->total_len value. Under certain
circumstances the total_len value may end up wrapping around to a small integer
number which will be used in memory allocation. If the attack succeeds in such a
way, subsequent operations can write past the end of the buffer.

Reported-by: Daniel Axtens

*******************************************************************************

CVE-2022-28734 grub2: Out-of-bounds write when handling split HTTP headers
7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its
internal data buffer pointer by one position. This can lead to an out-of-bounds
write further on when parsing the HTTP request, writing a NULL byte past the
buffer. It is conceivable that an attacker controlled set of packets can lead
to corruption of GRUB2's internal memory metadata.

Reported-by: Daniel Axtens

*******************************************************************************

CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered
secure boot systems. Allowing such files to be loaded may lead to unverified
code and modules being loaded in GRUB2, breaking the secure boot trust-chain.

Reported-by: Julian Andres Klode

*******************************************************************************

CVE-2022-28736 grub2: use-after-free in grub_cmd_chainloader()
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

There is a use-after-free vulnerability in the grub_cmd_chainloader() function. The
chainloader command is used to boot up operating systems that do not support
multiboot and do not have direct support from GRUB2. When executing chainloader
more than once, a use-after-free vulnerability is triggered. If an attacker can
control GRUB2's memory allocation pattern, sensitive data may be exposed and
arbitrary code execution can be achieved.

Reported-by: Chris Coulson

*******************************************************************************

CVE-2022-28737: shim: Buffer overflow when loading crafted EFI images
6.5/CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

There is a possible overflow in handle_image() when shim tries to load and execute
crafted EFI executables. The handle_image() function takes into account the SizeOfRawData
field from each section to be loaded. An attacker can leverage this to perform
out-of-bounds writes into memory. Arbitrary code execution is not discarded in
such a scenario.

Reported-by: Chris Coulson

*******************************************************************************

 grub-core/commands/boot.c          |  66 +++++++++++++++++++++++++++++++++++++++++++++++-------
 grub-core/fs/btrfs.c               | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 grub-core/fs/f2fs.c                |  58 ++++++++++++++++++++++++++++++-----------
 grub-core/kern/efi/sb.c            |  39 +++++++++++++++++++++++++++++---
 grub-core/kern/file.c              |   2 ++
 grub-core/loader/efi/chainloader.c |  46 ++++++++++++++++++++------------------
 grub-core/net/dns.c                |  25 ++++++++++++++++-----
 grub-core/net/http.c               |  17 +++++++++-----
 grub-core/net/ip.c                 |  10 ++++++++-
 grub-core/net/net.c                |  11 +++++++--
 grub-core/net/netbuff.c            |  13 +++++++++++
 grub-core/net/tftp.c               |   3 ++-
 grub-core/normal/charset.c         |   2 ++
 grub-core/video/readers/jpeg.c     | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
 grub-core/video/readers/png.c      | 158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------
 include/grub/loader.h              |   5 +++++
 include/grub/net.h                 |   1 +
 include/grub/verify.h              |   1 +
 18 files changed, 501 insertions(+), 167 deletions(-)

Chris Coulson (3):
      loader/efi/chainloader: Simplify the loader state
      commands/boot: Add API to pass context to loader
      loader/efi/chainloader: Use grub_loader_set_ex()

Daniel Axtens (20):
      kern/file: Do not leak device_name on error in grub_file_open()
      video/readers/png: Abort sooner if a read operation fails
      video/readers/png: Refuse to handle multiple image headers
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
      video/readers/png: Avoid heap OOB R/W inserting huff table items
      video/readers/png: Sanity check some huffman codes
      video/readers/jpeg: Abort sooner if a read operation fails
      video/readers/jpeg: Do not reallocate a given huff table
      video/readers/jpeg: Refuse to handle multiple start of streams
      video/readers/jpeg: Block int underflow -> wild pointer write
      normal/charset: Fix array out-of-bounds formatting unicode for display
      net/ip: Do IP fragment maths safely
      net/netbuff: Block overly large netbuff allocs
      net/dns: Fix double-free addresses on corrupt DNS response
      net/dns: Don't read past the end of the string we're checking against
      net/tftp: Prevent a UAF and double-free from a failed seek
      net/tftp: Avoid a trivial UAF
      net/http: Do not tear down socket if it's already been torn down
      net/http: Fix OOB write for split http headers
      net/http: Error out on headers with LF without CR

Darren Kenny (3):
      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
      fs/btrfs: Fix more fuzz issues related to chunks

Julian Andres Klode (1):
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier

Sudhakar Kuppusamy (3):
      fs/f2fs: Do not read past the end of nat journal entries
      fs/f2fs: Do not read past the end of nat bitmap
      fs/f2fs: Do not copy file names that are too long
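The following is an added example and is not part of this post or of GRUB's net/ip.c. It shows the kind of validation that the CVE-2022-28733 entry above calls for: every quantity that feeds a fragment-reassembly allocation (header length, Total Length, fragment offset, bytes actually received) is checked before any subtraction or allocation, so a Total Length smaller than the header cannot wrap total_len to a small value. The struct and function names (ip_frag_payload_end, ip_rsm, ip_rsm_add, ip_rsm_alloc) are hypothetical, and the fragment values in ip_rsm_example() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed example, not GRUB's net/ip.c: every quantity that feeds the
 * reassembly allocation is validated before it is used. */

#define IP_MAX_DATAGRAM     65535u   /* 16-bit Total Length field */
#define IP_FRAG_OFFSET_MASK 0x1fffu  /* low 13 bits of frag_off, in 8-byte units */
#define IP_FLAG_MF          0x2000u  /* "more fragments" flag */

/* End offset (exclusive) of this fragment's payload inside the reassembled
 * datagram, or -1 if the header's lengths are inconsistent with each other
 * or with the bytes actually received. */
int64_t ip_frag_payload_end(uint16_t frag_off_field, uint16_t total_length,
                            uint8_t ihl, size_t wire_len)
{
  uint32_t hdr_len = (uint32_t)ihl * 4u;

  if (ihl < 5)
    return -1;                          /* IPv4 header is at least 20 bytes */
  if (total_length < hdr_len)
    return -1;                          /* unchecked, total_length - hdr_len wraps */
  if (total_length > wire_len)
    return -1;                          /* header claims bytes we never received */

  uint32_t payload_len = (uint32_t)total_length - hdr_len;
  uint32_t offset = (uint32_t)(frag_off_field & IP_FRAG_OFFSET_MASK) * 8u;
  uint64_t end = (uint64_t)offset + payload_len;   /* at most 65528 + 65515 */
  if (end > IP_MAX_DATAGRAM)
    return -1;                          /* cannot fit in any IPv4 datagram */
  return (int64_t)end;
}

/* Minimal reassembly record: the largest validated end offset seen so far
 * and whether the final (MF == 0) fragment has arrived. */
struct ip_rsm {
  uint32_t total_len;
  int      have_last;
};

/* Account for one fragment. Returns 0 on success, -1 if it was rejected. */
int ip_rsm_add(struct ip_rsm *r, uint16_t frag_off_field, uint16_t total_length,
               uint8_t ihl, size_t wire_len)
{
  int64_t end = ip_frag_payload_end(frag_off_field, total_length, ihl, wire_len);
  if (end < 0)
    return -1;
  if (!(frag_off_field & IP_FLAG_MF))
    r->have_last = 1;
  if ((uint32_t)end > r->total_len)
    r->total_len = (uint32_t)end;
  return 0;
}

/* Allocate the reassembly buffer only once the size is complete and bounded.
 * Caller frees. Returns NULL if not ready. */
uint8_t *ip_rsm_alloc(const struct ip_rsm *r)
{
  if (!r->have_last || r->total_len == 0 || r->total_len > IP_MAX_DATAGRAM)
    return NULL;
  return calloc(1, r->total_len);
}

/* Scenario (constructed values): two well-formed fragments, then one whose
 * Total Length is smaller than its header. Returns the final datagram size. */
int64_t ip_rsm_example(void)
{
  struct ip_rsm r = {0, 0};
  /* first fragment: offset 0, MF set, 20-byte header, 1500 bytes on the wire */
  if (ip_rsm_add(&r, IP_FLAG_MF | 0, 1500, 5, 1500) != 0) return -1;
  /* last fragment: offset 185 (1480 bytes), MF clear, 520 bytes on the wire */
  if (ip_rsm_add(&r, 185, 520, 5, 520) != 0) return -1;
  /* bogus fragment: Total Length 10 with a 20-byte header; must be rejected */
  if (ip_rsm_add(&r, 370, 10, 5, 60) != -1) return -1;
  uint8_t *buf = ip_rsm_alloc(&r);
  if (buf == NULL) return -1;
  free(buf);
  return r.total_len;                   /* 1480 + 500 = 1980 */
}
```

The point of keeping the arithmetic in one function that can return a rejection is that the allocation site never sees a value that was not derived from checked inputs; the bogus fragment is dropped without touching the record.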

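A second added example, again not part of this post or of GRUB's net/http.c, covers the CVE-2022-28734 entry above together with the "Error out on headers with LF without CR" item in the shortlog: a header line that arrives split across packets (even with the CR and LF in different packets) is accumulated in a bounded buffer, the NUL terminator is only ever written inside that buffer, and a line ending in a bare LF is rejected instead of parsed. The names hdr_line, hdr_line_init, hdr_line_feed and the two scenario functions are hypothetical, and the header chunks they feed are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not GRUB's net/http.c: an HTTP header line may arrive
 * split across packets; the parser keeps a bounded partial line, writes the
 * terminator only inside that buffer, and rejects LF not preceded by CR. */

#define HDR_LINE_CAP 256

struct hdr_line {
  char   buf[HDR_LINE_CAP];  /* partial line being accumulated */
  size_t len;                /* bytes held in buf (always < HDR_LINE_CAP) */
  int    saw_cr;             /* previous byte was '\r', awaiting '\n' */
  size_t lines_done;         /* complete header lines seen so far */
  char   last[HDR_LINE_CAP]; /* most recently completed line, NUL-terminated */
};

void hdr_line_init(struct hdr_line *p)
{
  memset(p, 0, sizeof *p);
}

/* Consume n bytes of received data. Returns the number of header lines
 * completed by this call, or -1 on a bounds or line-ending violation. */
int hdr_line_feed(struct hdr_line *p, const char *data, size_t n)
{
  int completed = 0;

  for (size_t i = 0; i < n; i++) {
    char c = data[i];

    if (c == '\n') {
      if (!p->saw_cr)
        return -1;                      /* bare LF is not a valid line end */
      /* '\r' was never stored, so len < HDR_LINE_CAP and the NUL is in bounds */
      p->buf[p->len] = '\0';
      memcpy(p->last, p->buf, p->len + 1);
      p->lines_done++;
      completed++;
      p->len = 0;
      p->saw_cr = 0;
      continue;
    }
    if (p->saw_cr)
      return -1;                        /* CR must be followed by LF */
    if (c == '\r') {
      p->saw_cr = 1;                    /* may be the last byte of this packet */
      continue;
    }
    if (p->len + 1 >= HDR_LINE_CAP)
      return -1;                        /* no room for this byte plus the NUL */
    p->buf[p->len++] = c;
  }
  return completed;
}

/* Scenario (constructed chunks): one header split three ways, with the CR and
 * LF in different packets, followed by a second complete header. Returns the
 * number of lines completed, or -1 on any rejection. */
int hdr_line_split_example(void)
{
  struct hdr_line p;
  int total = 0, r;
  const char *chunks[] = { "Content-Len", "gth: 42\r", "\nHost: a\r\n" };

  hdr_line_init(&p);
  for (size_t i = 0; i < 3; i++) {
    r = hdr_line_feed(&p, chunks[i], strlen(chunks[i]));
    if (r < 0)
      return -1;
    total += r;
  }
  return strcmp(p.last, "Host: a") == 0 ? total : -1;  /* 2 */
}

/* Scenario: a header using LF only is rejected instead of being parsed. */
int hdr_line_bare_lf_example(void)
{
  struct hdr_line p;
  hdr_line_init(&p);
  return hdr_line_feed(&p, "Content-Length: 42\n", 19);  /* -1 */
}
```

The invariant worth keeping in mind when reviewing code like this is the one stated in the comment before the terminator write: because the CR is consumed without being stored, len is always strictly below the capacity when the LF arrives, so the NUL can never land one byte past the buffer regardless of where the packet boundary fell.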
