kumquat-buildroot/boot/grub2
Stefan Sørensen 2f7a8021b5 boot/grub2: Backport Boothole security fixes
Details: https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html

Fixes the following security issues:

 * CVE-2020-10713
   A flaw was found in grub2, prior to version 2.06. An attacker may
   use the GRUB 2 flaw to hijack and tamper the GRUB verification
   process. This flaw also allows the bypass of Secure Boot
   protections. In order to load an untrusted or modified kernel, an
   attacker would first need to establish access to the system such as
   gaining physical access, obtain the ability to alter a pxe-boot
   network, or have remote access to a networked system with root
   access. With this access, an attacker could then craft a string to
   cause a buffer overflow by injecting a malicious payload that leads
   to arbitrary code execution within GRUB. The highest threat from
   this vulnerability is to data confidentiality and integrity as well
   as system availability.

 * CVE-2020-14308
   In grub2 versions before 2.06 the grub memory allocator doesn't
   check for possible arithmetic overflows on the requested allocation
   size. This leads the function to return invalid memory allocations
   which can be further used to cause possible integrity,
   confidentiality and availability impacts during the boot process.

 * CVE-2020-14309
   There's an issue with grub2 in all versions before 2.06 when
   handling squashfs filesystems containing a symbolic link with name
   length of UINT32 bytes in size. The name size leads to an
   arithmetic overflow leading to a zero-size allocation further
   causing a heap-based buffer overflow with attacker controlled data.

 * CVE-2020-14310
   An integer overflow in read_section_from_string may lead to a heap
   based buffer overflow.

 * CVE-2020-14311
   An integer overflow in grub_ext2_read_link may lead to a heap-based
   buffer overflow.

 * CVE-2020-15706
   GRUB2 contains a race condition in grub_script_function_create()
   leading to a use-after-free vulnerability which can be triggered by
   redefining a function whilst the same function is already
   executing, leading to arbitrary code execution and secure boot
   restriction bypass.

 * CVE-2020-15707
   Integer overflows were discovered in the functions grub_cmd_initrd
   and grub_initrd_init in the efilinux component of GRUB2, as shipped
   in Debian, Red Hat, and Ubuntu (the functionality is not included
   in GRUB2 upstream), leading to a heap-based buffer overflow. These
   could be triggered by an extremely large number of arguments to the
   initrd command on 32-bit architectures, or a crafted filesystem
   with very large files on any architecture. An attacker could use
   this to execute arbitrary code and bypass UEFI Secure Boot
   restrictions. This issue affects GRUB2 version 2.04 and prior
   versions.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-03 13:38:49 +02:00
0001-build-Fix-GRUB-i386-pc-build-with-Ubuntu-gcc.patch
0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch
0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch
0005-calloc-Use-calloc-at-most-places.patch
0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch
0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch
0008-font-Do-not-load-more-than-one-NAME-section.patch
0009-gfxmenu-Fix-double-free-in-load_image.patch
0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch
0011-lzma-Make-sure-we-don-t-dereference-past-array.patch
0012-term-Fix-overflow-on-user-inputs.patch
0013-udf-Fix-memory-leak.patch
0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch
0015-tftp-Do-not-use-priority-queue.patch
0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch
0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch
0018-script-Remove-unused-fields-from-grub_script_functio.patch
0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch
0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch
0021-hfsplus-Fix-two-more-overflows.patch
0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch
0023-emu-Make-grub_free-NULL-safe.patch
0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch
0026-efi-Fix-use-after-free-in-halt-reboot-path.patch
0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch
0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch
Config.in
grub2.hash
grub2.mk
grub.cfg
readme.txt

Notes on using Grub2 for BIOS-based platforms
=============================================

1. Create a disk image
   dd if=/dev/zero of=disk.img bs=1M count=32
2. Partition it (either legacy or GPT style partitions work)
   cfdisk disk.img
    - Create one partition, type Linux, for the root
      filesystem. The only constraint is to make sure there
      is enough free space *before* the first partition to
      store Grub2. Leaving 1 MB of free space is safe.
3. Setup loop device and loop partitions
   sudo losetup -f disk.img
   sudo partx -a /dev/loop0
4. Prepare the root partition
   sudo mkfs.ext3 -L root /dev/loop0p1
   sudo mount /dev/loop0p1 /mnt
   sudo tar -C /mnt -xf output/images/rootfs.tar
   sudo umount /mnt
5. Install Grub2
   sudo ./output/host/sbin/grub-bios-setup \
        -b ./output/host/lib/grub/i386-pc/boot.img \
        -c ./output/images/grub.img -d . /dev/loop0
6. Cleanup loop device
   sudo partx -d /dev/loop0
   sudo losetup -d /dev/loop0
7. Your disk.img is ready!

Using genimage
--------------

If you use genimage to generate your complete image,
installing Grub can be tricky. The following genimage
configuration installs Grub into the space before the
first partition:

partition boot {
    in-partition-table = "no"
    image = "path_to_boot.img"
    offset = 0
    size = 512
}
partition grub {
    in-partition-table = "no"
    image = "path_to_grub.img"
    offset = 512
}

The result is not byte-for-byte identical to what
grub-bios-setup produces, but it boots all the same.
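Whichever of the two methods above you use, the BIOS path has no Secure Boot to verify what is in the post-MBR gap, so it is worth checking that the core image actually on disk is the one you built. The following POSIX sh functions are an added example, not part of the Buildroot readme or the grub2 package; they assume the layout described here (boot.img in sector 0, grub.img starting at byte 512, first partition leaving room for it), and all function names are my own.

```shell
#!/bin/sh
# Added example, not from the Buildroot readme: sanity-check a BIOS disk.img
# laid out as above (boot.img in sector 0, grub.img from byte 512, first
# partition leaving a gap for it). It checks the MBR boot signature, that the
# gap before the first partition can hold the core image, and that the
# embedded core image is byte-identical to the built output/images/grub.img,
# so a stale or tampered core image is noticed before the image ships.

# Little-endian 32-bit integer at byte offset $2 of file $1 (host-endian safe).
le32() {
    set -- $(od -An -t u1 -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Start LBA of the first MBR partition entry (entry at 446, LBA field at +8).
first_part_lba() {
    le32 "$1" 454
}

# Succeeds if $1 carries the 0x55AA boot signature at bytes 510-511.
has_mbr_sig() {
    set -- $(od -An -t u1 -j 510 -N 2 "$1")
    [ "$1" = 85 ] && [ "$2" = 170 ]
}

# Succeeds if core image $2 fits between sector 1 and the first partition of $1.
gap_fits() {
    lba=$(first_part_lba "$1")
    size=$(wc -c < "$2" | tr -d ' ')
    [ "$lba" -gt 1 ] && [ "$size" -le $(( (lba - 1) * 512 )) ]
}

# Succeeds if the bytes of $1 from offset 512 are identical to core image $2.
core_matches() {
    size=$(wc -c < "$2" | tr -d ' ')
    dd if="$1" bs=1 skip=512 count="$size" 2>/dev/null | cmp -s - "$2"
}

# Runs all checks on disk image $1 against core image $2 and prints a verdict.
check_disk() {
    has_mbr_sig "$1" || { echo "$1: no MBR boot signature"; return 1; }
    gap_fits "$1" "$2" || { echo "$1: gap before first partition too small for $2"; return 1; }
    core_matches "$1" "$2" || { echo "$1: embedded core image differs from $2"; return 1; }
    echo "$1: ok, first partition starts at LBA $(first_part_lba "$1")"
}

# Usage: check_disk disk.img output/images/grub.img
```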

To test your BIOS image in Qemu
-------------------------------

qemu-system-{i386,x86_64} -hda disk.img

Notes on using Grub2 for x86/x86_64 EFI-based platforms
=======================================================

1. Create a disk image
   dd if=/dev/zero of=disk.img bs=1M count=32
2. Partition it with GPT partitions
   cgdisk disk.img
    - Create a first partition, type EF00, for the
      bootloader and kernel image
    - Create a second partition, type 8300, for the root
      filesystem.
3. Setup loop device and loop partitions
   sudo losetup -f disk.img
   sudo partx -a /dev/loop0
4. Prepare the boot partition
   sudo mkfs.vfat -n boot /dev/loop0p1
   sudo mount /dev/loop0p1 /mnt
   sudo cp -a output/images/efi-part/* /mnt/
   sudo cp output/images/bzImage /mnt/
   sudo umount /mnt
5. Prepare the root partition
   sudo mkfs.ext3 -L root /dev/loop0p2
   sudo mount /dev/loop0p2 /mnt
   sudo tar -C /mnt -xf output/images/rootfs.tar
   sudo umount /mnt
6. Cleanup loop device
   sudo partx -d /dev/loop0
   sudo losetup -d /dev/loop0
7. Your disk.img is ready!

To test your i386/x86-64 EFI image in Qemu
------------------------------------------

1. Download the EFI BIOS for Qemu
   Version IA32 or X64 depending on the chosen Grub2
   platform (i386-efi vs. x86_64-efi)
   https://www.kraxel.org/repos/jenkins/edk2/
   (or use one provided by your distribution as OVMF)
2. Extract, and rename OVMF.fd to bios.bin and
   CirrusLogic5446.rom to vgabios-cirrus.bin.
3. qemu-system-{i386,x86_64} -L ovmf-dir/ -hda disk.img
4. Make sure to pass pci=nocrs on the kernel command line,
   to work around a bug in the EFI BIOS regarding the
   EFI framebuffer.

Notes on using Grub2 for ARM u-boot-based platforms
===================================================

The following steps show how to use the Grub2 arm-uboot platform
support in the simplest way possible and with a single
buildroot-generated filesystem.

 1. Load qemu_arm_vexpress_defconfig

 2. Enable u-boot with the vexpress_ca9x4 board name and with
    u-boot.elf image format.

 3. Enable grub2 for the arm-uboot platform.

 4. Enable "Install kernel image to /boot in target" in the kernel
    menu to populate a /boot directory with zImage in it.

 5. The upstream u-boot vexpress_ca9x4 configuration doesn't have
    CONFIG_API enabled by default, which Grub2 requires.

    Before building, patch the u-boot source file
    include/configs/vexpress_common.h (for example, run
    make u-boot-extract and edit the extracted source) to define:

    #define CONFIG_API
    #define CONFIG_SYS_MMC_MAX_DEVICE   1

 6. Create a custom grub2 config file with the following contents and
    set its path in BR2_TARGET_GRUB2_CFG:

    set default="0"
    set timeout="5"

    menuentry "Buildroot" {
        set root='(hd0)'
        linux /boot/zImage root=/dev/mmcblk0 console=ttyAMA0
        devicetree /boot/vexpress-v2p-ca9.dtb
    }

 7. Create a custom builtin config file with the following contents
    and set its path in BR2_TARGET_GRUB2_BUILTIN_CONFIG:

    set root=(hd0)
    set prefix=/boot/grub

 8. Create a custom post-build script which copies files from
    ${BINARIES_DIR}/boot-part to ${TARGET_DIR}/boot (set its path in
    BR2_ROOTFS_POST_BUILD_SCRIPT):

    #!/bin/sh
    cp -r ${BINARIES_DIR}/boot-part/* ${TARGET_DIR}/boot/

 9. make

10. Run qemu with:

    qemu-system-arm -M vexpress-a9 -kernel output/images/u-boot -m 1024 \
    -nographic -sd output/images/rootfs.ext2

11. In u-boot, stop at the prompt and run grub2 with:

  => ext2load mmc 0:0 ${loadaddr} /boot/grub/grub.img
  => bootm

12. This should bring up the grub2 menu, from which selecting the
    "Buildroot" entry should boot Linux.


Notes on using Grub2 for Aarch64 EFI-based platforms
====================================================

The following steps show how to use the Grub2 arm64-efi platform,
using qemu and EFI firmware built for qemu.

 1. Load aarch64_efi_defconfig

 2. make

 3. Download the EFI firmware for qemu aarch64
    https://www.kraxel.org/repos/jenkins/edk2/
    (or use one provided by your distribution as OVMF-aarch64 or AAVMF)

 4. Run qemu with:

    qemu-system-aarch64 -M virt -cpu cortex-a57 -m 512 -nographic \
    -bios <path/to/EDK2>/QEMU_EFI.fd -hda output/images/disk.img \
    -netdev user,id=eth0 -device virtio-net-device,netdev=eth0

 5. This should bring up the grub2 menu, from which selecting the
    "Buildroot" entry should boot Linux.