mirror of
https://git.busybox.net/buildroot.git
synced 2024-12-05 03:13:41 +08:00
2f7a8021b5
Details: https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html Fixes the following security issues: * CVE-2020-10713 A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. * CVE-2020-14308 In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process. * CVE-2020-14309 There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data. * CVE-2020-14310 An integer overflow in read_section_from_string may lead to a heap based buffer overflow. * CVE-2020-14311 An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow. * CVE-2020-15706 GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass * CVE-2020-15707 Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions. Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
---|---|---|
.. | ||
0001-build-Fix-GRUB-i386-pc-build-with-Ubuntu-gcc.patch | ||
0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch | ||
0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch | ||
0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch | ||
0005-calloc-Use-calloc-at-most-places.patch | ||
0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch | ||
0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch | ||
0008-font-Do-not-load-more-than-one-NAME-section.patch | ||
0009-gfxmenu-Fix-double-free-in-load_image.patch | ||
0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch | ||
0011-lzma-Make-sure-we-don-t-dereference-past-array.patch | ||
0012-term-Fix-overflow-on-user-inputs.patch | ||
0013-udf-Fix-memory-leak.patch | ||
0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch | ||
0015-tftp-Do-not-use-priority-queue.patch | ||
0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch | ||
0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch | ||
0018-script-Remove-unused-fields-from-grub_script_functio.patch | ||
0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch | ||
0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch | ||
0021-hfsplus-Fix-two-more-overflows.patch | ||
0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch | ||
0023-emu-Make-grub_free-NULL-safe.patch | ||
0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch | ||
0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch | ||
0026-efi-Fix-use-after-free-in-halt-reboot-path.patch | ||
0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch | ||
0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch | ||
Config.in | ||
grub2.hash | ||
grub2.mk | ||
grub.cfg | ||
readme.txt |
Notes on using Grub2 for BIOS-based platforms ============================================= 1. Create a disk image dd if=/dev/zero of=disk.img bs=1M count=32 2. Partition it (either legacy or GPT style partitions work) cfdisk disk.img - Create one partition, type Linux, for the root filesystem. The only constraint is to make sure there is enough free space *before* the first partition to store Grub2. Leaving 1 MB of free space is safe. 3. Setup loop device and loop partitions sudo losetup -f disk.img sudo partx -a /dev/loop0 4. Prepare the root partition sudo mkfs.ext3 -L root /dev/loop0p1 sudo mount /dev/loop0p1 /mnt sudo tar -C /mnt -xf output/images/rootfs.tar sudo umount /mnt 5. Install Grub2 sudo ./output/host/sbin/grub-bios-setup \ -b ./output/host/lib/grub/i386-pc/boot.img \ -c ./output/images/grub.img -d . /dev/loop0 6. Cleanup loop device sudo partx -d /dev/loop0 sudo losetup -d /dev/loop0 7. Your disk.img is ready! Using genimage -------------- If you use genimage to generate your complete image, installing Grub can be tricky. Here is how to achieve Grub's installation with genimage: partition boot { in-partition-table = "no" image = "path_to_boot.img" offset = 0 size = 512 } partition grub { in-partition-table = "no" image = "path_to_grub.img" offset = 512 } The result is not byte to byte identical to what grub-bios-setup does but it works anyway. To test your BIOS image in Qemu ------------------------------- qemu-system-{i386,x86-64} -hda disk.img Notes on using Grub2 for x86/x86_64 EFI-based platforms ======================================================= 1. Create a disk image dd if=/dev/zero of=disk.img bs=1M count=32 2. Partition it with GPT partitions cgdisk disk.img - Create a first partition, type EF00, for the bootloader and kernel image - Create a second partition, type 8300, for the root filesystem. 3. Setup loop device and loop partitions sudo losetup -f disk.img sudo partx -a /dev/loop0 4. Prepare the boot partition sudo mkfs.vfat -n boot /dev/loop0p1 sudo mount /dev/loop0p1 /mnt sudo cp -a output/images/efi-part/* /mnt/ sudo cp output/images/bzImage /mnt/ sudo umount /mnt 5. Prepare the root partition sudo mkfs.ext3 -L root /dev/loop0p2 sudo mount /dev/loop0p2 /mnt sudo tar -C /mnt -xf output/images/rootfs.tar sudo umount /mnt 6 Cleanup loop device sudo partx -d /dev/loop0 sudo losetup -d /dev/loop0 7. Your disk.img is ready! To test your i386/x86-64 EFI image in Qemu ------------------------------------------ 1. Download the EFI BIOS for Qemu Version IA32 or X64 depending on the chosen Grub2 platform (i386-efi vs. x86-64-efi) https://www.kraxel.org/repos/jenkins/edk2/ (or use one provided by your distribution as OVMF) 2. Extract, and rename OVMF.fd to bios.bin and CirrusLogic5446.rom to vgabios-cirrus.bin. 3. qemu-system-{i386,x86-64} -L ovmf-dir/ -hda disk.img 4. Make sure to pass pci=nocrs to the kernel command line, to workaround a bug in the EFI BIOS regarding the EFI framebuffer. Notes on using Grub2 for ARM u-boot-based platforms =================================================== The following steps show how to use the Grub2 arm-uboot platform support in the simplest way possible and with a single buildroot-generated filesystem. 1. Load qemu_arm_vexpress_defconfig 2. Enable u-boot with the vexpress_ca9x4 board name and with u-boot.elf image format. 3. Enable grub2 for the arm-uboot platform. 4. Enable "Install kernel image to /boot in target" in the kernel menu to populate a /boot directory with zImage in it. 5. The upstream u-boot vexpress_ca9x4 doesn't have CONFIG_API enabled by default, which is required. Before building, patch u-boot (for example, make u-boot-extract to edit the source before building) file include/configs/vexpress_common.h to define: #define CONFIG_API #define CONFIG_SYS_MMC_MAX_DEVICE 1 6. Create a custom grub2 config file with the following contents and set its path in BR2_TARGET_GRUB2_CFG: set default="0" set timeout="5" menuentry "Buildroot" { set root='(hd0)' linux /boot/zImage root=/dev/mmcblk0 console=ttyAMA0 devicetree /boot/vexpress-v2p-ca9.dtb } 7. Create a custom builtin config file with the following contents and set its path in BR2_TARGET_GRUB2_BUILTIN_CONFIG: set root=(hd0) set prefix=/boot/grub 8. Create a custom post-build script which copies files from ${BINARIES_DIR}/boot-part to $(TARGET_DIR)/boot (set its path in BR2_ROOTFS_POST_BUILD_SCRIPT): #!/bin/sh cp -r ${BINARIES_DIR}/boot-part/* ${TARGET_DIR}/boot/ 9. make 10. Run qemu with: qemu-system-arm -M vexpress-a9 -kernel output/images/u-boot -m 1024 \ -nographic -sd output/images/rootfs.ext2 11. In u-boot, stop at the prompt and run grub2 with: => ext2load mmc 0:0 ${loadaddr} /boot/grub/grub.img => bootm 12. This should bring the grub2 menu, upon which selecting the "Buildroot" entry should boot Linux. Notes on using Grub2 for Aarch64 EFI-based platforms ==================================================== The following steps show how to use the Grub2 arm64-efi platform, using qemu and EFI firmware built for qemu. 1. Load aarch64_efi_defconfig 2. make 3. Download the EFI firmware for qemu aarch64 https://www.kraxel.org/repos/jenkins/edk2/ (or use one provided by your distribution as OVMF-aarch64 or AAVMF) 4. Run qemu with: qemu-system-aarch64 -M virt -cpu cortex-a57 -m 512 -nographic \ -bios <path/to/EDK2>/QEMU_EFI.fd -hda output/images/disk.img \ -netdev user,id=eth0 -device virtio-net-device,netdev=eth0 5. This should bring the grub2 menu, upon which selecting the "Buildroot" entry should boot Linux.