Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d90d3ae8a667bd34d1af989267e3e3e5f3332a28
rpi-buildroot/boot/grub2/0020-disk-loopback-Reference-tracking-for-the-loopback.patch
Thomas Petazzoni ded3e0045a boot/grub2: add patches to fix numerous CVEs 
This patch brings the entire stack of Debian patches on grub2 titled
"cve-2025-jan" and available at:

  https://salsa.debian.org/grub-team/grub/-/tree/debian/2.12-9/debian/patches/cve-2025-jan?ref_type=tags

As of this exact Debian grub2 version 2.12-9. Some minor conflicts had
to be fixed. All patches are in upstream Grub master, but mixed with
hundreds of other changes, which is why Debian's effort to backport
them has been leveraged here.

In addition to those patches, 2 extra patches are added:

 0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch
 0074-Constant-time-grub_crypto_memcmp.patch

The first one fixes an issue in one of the earlier patches. The fix is
not in Debian, but is in upstream Grub.

The second one fixes another CVE, not fixed in Debian, but fixed in
OpenSUSE. This fix is not upstream as upstream has decided to move to
libgcrypt instead to avoid the problem, but that's a fairly large
change.

Overall, this patch fixes all CVEs currently reported by pkg-stats
against our grub2 package, namely:

CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45782
CVE-2024-56737
CVE-2024-56738
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-1125

With the previous fixes on runtime tests added (to use glibc
toolchains to build grub2 tests), this commit successfully passes all
tests:

- The ISO9660 tests that use grub2:
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234563

- The grub2 tests:
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234685

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: also tested by building and booting
 - qemu_aarch64_sbsa_defconfig
 - qemu_arm_ebbr_defconfig
 - qemu_loongarch64_virt_efi_defconfig
 - qemu_riscv64_virt_efi_defconfig
 - pc_x86_64_bios_defconfig
 - pc_x86_64_efi_defconfig
]
Tested-by: Julien Olivain <ju.o@free.fr>
[Julien:
 - fix patch #72 upstream link to point to the initial patch
   sumbission rather than a reply
 - merge two _IGNORE_CVES blocks for patch #50 into a single one
 - order _IGNORE_CVES blocks by numerical patch order
 - order numerically the CVE list in commit log
 - add a "Fixes:" tag in patch #74 since its commit log does not
   mention the CVE.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-08-19 02:50:55 +02:00

109 lines
3.3 KiB
Diff
Raw Blame History

From a81ef3044791e7ee02bd349b5ec0adcbf6947555 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sun, 12 May 2024 03:26:19 +0100
Subject: [PATCH] disk/loopback: Reference tracking for the loopback
It was possible to delete a loopback while there were still references
to it. This led to an exploitable use-after-free.
Fixed by implementing a reference counting in the grub_loopback struct.
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream: 67f70f70a36b6e87a65f928fe1e840a12eafb7ae
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
grub-core/disk/loopback.c | 18 ++++++++++++++++++
include/grub/err.h | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/grub-core/disk/loopback.c b/grub-core/disk/loopback.c
index 4635dcfde..2bea4e922 100644
--- a/grub-core/disk/loopback.c
+++ b/grub-core/disk/loopback.c
@@ -24,6 +24,7 @@
#include <grub/mm.h>
#include <grub/extcmd.h>
#include <grub/i18n.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -33,6 +34,7 @@ struct grub_loopback
grub_file_t file;
struct grub_loopback *next;
unsigned long id;
+ grub_uint64_t refcnt;
};
static struct grub_loopback *loopback_list;
@@ -64,6 +66,8 @@ delete_loopback (const char *name)
if (! dev)
return grub_error (GRUB_ERR_BAD_DEVICE, "device not found");
+ if (dev->refcnt > 0)
+ return grub_error (GRUB_ERR_STILL_REFERENCED, "device still referenced");
/* Remove the device from the list. */
*prev = dev->next;
@@ -120,6 +124,7 @@ grub_cmd_loopback (grub_extcmd_context_t ctxt, int argc, char **args)
newdev->file = file;
newdev->id = last_id++;
+ newdev->refcnt = 0;
/* Add the new entry to the list. */
newdev->next = loopback_list;
@@ -161,6 +166,9 @@ grub_loopback_open (const char *name, grub_disk_t disk)
if (! dev)
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "can't open device");
+ if (grub_add (dev->refcnt, 1, &dev->refcnt))
+ grub_fatal ("Reference count overflow");
+
/* Use the filesize for the disk size, round up to a complete sector. */
if (dev->file->size != GRUB_FILE_SIZE_UNKNOWN)
disk->total_sectors = ((dev->file->size + GRUB_DISK_SECTOR_SIZE - 1)
@@ -178,6 +186,15 @@ grub_loopback_open (const char *name, grub_disk_t disk)
return 0;
}
+static void
+grub_loopback_close (grub_disk_t disk)
+{
+ struct grub_loopback *dev = disk->data;
+
+ if (grub_sub (dev->refcnt, 1, &dev->refcnt))
+ grub_fatal ("Reference count underflow");
+}
+
static grub_err_t
grub_loopback_read (grub_disk_t disk, grub_disk_addr_t sector,
grub_size_t size, char *buf)
@@ -220,6 +237,7 @@ static struct grub_disk_dev grub_loopback_dev =
.id = GRUB_DISK_DEVICE_LOOPBACK_ID,
.disk_iterate = grub_loopback_iterate,
.disk_open = grub_loopback_open,
+ .disk_close = grub_loopback_close,
.disk_read = grub_loopback_read,
.disk_write = grub_loopback_write,
.next = 0
diff --git a/include/grub/err.h b/include/grub/err.h
index 1c07034cd..b0e54e0a0 100644
--- a/include/grub/err.h
+++ b/include/grub/err.h
@@ -73,7 +73,8 @@ typedef enum
GRUB_ERR_NET_NO_DOMAIN,
GRUB_ERR_EOF,
GRUB_ERR_BAD_SIGNATURE,
- GRUB_ERR_BAD_FIRMWARE
+ GRUB_ERR_BAD_FIRMWARE,
+ GRUB_ERR_STILL_REFERENCED
}
grub_err_t;
--
2.50.1
Reference in New Issue View Git Blame Copy Permalink