import OL
This commit is contained in:
parent
b57b7a27b0
commit
6fdd8b9aca
@ -0,0 +1,79 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: B Horn <b@horn.uk>
|
||||
Date: Tue, 11 Feb 2025 16:38:44 -0600
|
||||
Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
|
||||
|
||||
The function included a call to grub_strcpy() which copied data from an
|
||||
environment variable to a buffer allocated in grub_cmd_normal(). The
|
||||
grub_cmd_normal() didn't consider the length of the environment variable.
|
||||
So, the copy operation could exceed the allocation and lead to an OOB
|
||||
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
|
||||
pass the underlying buffers size to the grub_net_search_config_file().
|
||||
|
||||
Fixes: CVE-2025-0624
|
||||
|
||||
Signed-off-by: B Horn <b@horn.uk>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/net/net.c | 7 ++++---
|
||||
grub-core/normal/main.c | 2 +-
|
||||
include/grub/net.h | 2 +-
|
||||
3 files changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
|
||||
index 2512862..6c0bd00 100644
|
||||
--- a/grub-core/net/net.c
|
||||
+++ b/grub-core/net/net.c
|
||||
@@ -1971,14 +1971,15 @@ grub_config_search_through (char *config, char *suffix,
|
||||
}
|
||||
|
||||
grub_err_t
|
||||
-grub_net_search_config_file (char *config)
|
||||
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
|
||||
{
|
||||
- grub_size_t config_len;
|
||||
+ grub_size_t config_len, suffix_len;
|
||||
char *suffix;
|
||||
|
||||
config_len = grub_strlen (config);
|
||||
config[config_len] = '-';
|
||||
suffix = config + config_len + 1;
|
||||
+ suffix_len = config_buf_len - (config_len + 1);
|
||||
|
||||
struct grub_net_network_level_interface *inf;
|
||||
FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
|
||||
@@ -2004,7 +2005,7 @@ grub_net_search_config_file (char *config)
|
||||
|
||||
if (client_uuid)
|
||||
{
|
||||
- grub_strcpy (suffix, client_uuid);
|
||||
+ grub_strlcpy (suffix, client_uuid, suffix_len);
|
||||
if (grub_config_search_through (config, suffix, 1, 0) == 0)
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
|
||||
index 6f6e4a8..49b9472 100644
|
||||
--- a/grub-core/normal/main.c
|
||||
+++ b/grub-core/normal/main.c
|
||||
@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
|
||||
return err;
|
||||
|
||||
grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
|
||||
- err = grub_net_search_config_file (config);
|
||||
+ err = grub_net_search_config_file (config, config_len);
|
||||
}
|
||||
|
||||
if (err != GRUB_ERR_NONE)
|
||||
diff --git a/include/grub/net.h b/include/grub/net.h
|
||||
index 43eba92..1101b03 100644
|
||||
--- a/include/grub/net.h
|
||||
+++ b/include/grub/net.h
|
||||
@@ -648,7 +648,7 @@ void
|
||||
grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
|
||||
|
||||
grub_err_t
|
||||
-grub_net_search_config_file (char *config);
|
||||
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
|
||||
|
||||
extern char *grub_net_default_server;
|
||||
|
65
SOURCES/0354-misc-Implement-grub_strlcpy.patch
Normal file
65
SOURCES/0354-misc-Implement-grub_strlcpy.patch
Normal file
@ -0,0 +1,65 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: B Horn <b@horn.uk>
|
||||
Date: Sat, 15 Jun 2024 02:33:08 +0100
|
||||
Subject: [PATCH] misc: Implement grub_strlcpy()
|
||||
|
||||
grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
|
||||
returning the length of src and ensuring dest is always NUL
|
||||
terminated except when size is 0.
|
||||
|
||||
Signed-off-by: B Horn <b@horn.uk>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 39 insertions(+)
|
||||
|
||||
diff --git a/include/grub/misc.h b/include/grub/misc.h
|
||||
index 981526644..0592aa68f 100644
|
||||
--- a/include/grub/misc.h
|
||||
+++ b/include/grub/misc.h
|
||||
@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
|
||||
return d - 1;
|
||||
}
|
||||
|
||||
+static inline grub_size_t
|
||||
+grub_strlcpy (char *dest, const char *src, grub_size_t size)
|
||||
+{
|
||||
+ char *d = dest;
|
||||
+ grub_size_t res = 0;
|
||||
+ /*
|
||||
+ * We do not subtract one from size here to avoid dealing with underflowing
|
||||
+ * the value, which is why to_copy is always checked to be greater than one
|
||||
+ * throughout this function.
|
||||
+ */
|
||||
+ grub_size_t to_copy = size;
|
||||
+
|
||||
+ /* Copy size - 1 bytes to dest. */
|
||||
+ if (to_copy > 1)
|
||||
+ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
|
||||
+ ;
|
||||
+
|
||||
+ /*
|
||||
+ * NUL terminate if size != 0. The previous step may have copied a NUL byte
|
||||
+ * if it reached the end of the string, but we know dest[size - 1] must always
|
||||
+ * be a NUL byte.
|
||||
+ */
|
||||
+ if (size != 0)
|
||||
+ dest[size - 1] = '\0';
|
||||
+
|
||||
+ /* If there is still space in dest, but are here, we reached the end of src. */
|
||||
+ if (to_copy > 1)
|
||||
+ return res;
|
||||
+
|
||||
+ /*
|
||||
+ * If we haven't reached the end of the string, iterate through to determine
|
||||
+ * the strings total length.
|
||||
+ */
|
||||
+ while (*src++ != '\0' && ++res)
|
||||
+ ;
|
||||
+
|
||||
+ return res;
|
||||
+}
|
||||
+
|
||||
/* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
|
||||
static inline void *
|
||||
grub_memcpy (void *dest, const void *src, grub_size_t n)
|
@ -6,6 +6,7 @@ fi
|
||||
|
||||
[[ -f /etc/default/grub ]] && . /etc/default/grub
|
||||
[[ -f /etc/os-release ]] && . /etc/os-release
|
||||
[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel
|
||||
|
||||
COMMAND="$1"
|
||||
KERNEL_VERSION="$2"
|
||||
@ -41,8 +42,14 @@ mkbls() {
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ $kernelver =~ uek ]]; then
|
||||
local ver_stanza="$kernelver with Unbreakable Enterprise Kernel"
|
||||
else
|
||||
local ver_stanza="$kernelver"
|
||||
fi
|
||||
|
||||
cat <<EOF
|
||||
title ${NAME} (${kernelver}) ${VERSION}${debugname}
|
||||
title ${NAME} (${ver_stanza}) ${VERSION}${debugname}
|
||||
version ${kernelver}${debugid}
|
||||
linux /vmlinuz-${kernelver}
|
||||
initrd /initramfs-${kernelver}.img
|
||||
@ -104,6 +111,7 @@ case "$COMMAND" in
|
||||
done
|
||||
fi
|
||||
|
||||
KERNEL_NAME="$(rpm -q --queryformat %{NAME} $(rpm -qf $KERNEL_IMAGE))"
|
||||
eval "$(grub2-get-kernel-settings)" || true
|
||||
[[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
|
||||
BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
|
||||
@ -129,11 +137,7 @@ case "$COMMAND" in
|
||||
sed -i -e "s,^initrd.*,initrd ${BOOTPREFIX}${INITRD},g" "${BLS_TARGET}"
|
||||
fi
|
||||
|
||||
if ( [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && \
|
||||
[ "x$GRUB_NON_STANDARD_KERNEL" == "xtrue" ] ) || \
|
||||
( echo "$KERNEL_VERSION" | grep -E -q "64k|auto|rt|uki" && \
|
||||
[ "x$GRUB_NON_STANDARD_KERNEL" != "xtrue" ] ) || \
|
||||
( [[ "$KERNEL_VERSION" == *debug* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ] ); then
|
||||
if [[ "$KERNEL_VERSION" == *\+* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ]; then
|
||||
GRUB_UPDATE_DEFAULT_KERNEL=false
|
||||
fi
|
||||
|
||||
@ -152,7 +156,7 @@ case "$COMMAND" in
|
||||
NEWDEFAULT="${BLS_DEBUG_ID}"
|
||||
fi
|
||||
fi
|
||||
if [ -n "$NEWDEFAULT" ]; then
|
||||
if [ -n "$NEWDEFAULT" ] && [ "$DEFAULTKERNEL" = "$KERNEL_NAME" ]; then
|
||||
grub2-editenv - set "saved_entry=${NEWDEFAULT}"
|
||||
fi
|
||||
|
||||
|
30
SOURCES/bug18504756-use-different-title-for-UEK.patch
Normal file
30
SOURCES/bug18504756-use-different-title-for-UEK.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From fd04ca689f52d8bbef13413b4d285c9ba4d0f038 Mon Sep 17 00:00:00 2001
|
||||
From: build team <natalya.naumova@oracle.com>
|
||||
Date: Tue, 18 Dec 2018 13:22:12 -0800
|
||||
Subject: [PATCH 1/1] Use different menuentries for UEK kernel
|
||||
|
||||
---
|
||||
util/grub.d/10_linux.in | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
||||
index b54d277..fe8b20f 100644
|
||||
--- a/util/grub.d/10_linux.in
|
||||
+++ b/util/grub.d/10_linux.in
|
||||
@@ -173,7 +173,12 @@ EOF
|
||||
fi
|
||||
|
||||
if [ x$type != xsimple ] ; then
|
||||
- title=$(mktitle "$type" "$version")
|
||||
+ if echo "$version" | grep -q uek; then
|
||||
+ kernel_type_text="with Unbreakable Enterprise Kernel"
|
||||
+ else
|
||||
+ kernel_type_text="with Linux"
|
||||
+ fi
|
||||
+ title=$(mktitle "$type" "$version $kernel_type_text")
|
||||
if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
|
||||
replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
|
||||
quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)"
|
||||
--
|
||||
1.8.3.1
|
||||
|
25
SOURCES/bug26388226-update-redhat-references.patch
Normal file
25
SOURCES/bug26388226-update-redhat-references.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From aba9976ce324fdf845b04b326f7426566a676335 Mon Sep 17 00:00:00 2001
|
||||
From: "livy.ge" <livy.ge@oracle.com>
|
||||
Date: Wed, 5 Jul 2017 03:53:48 -0700
|
||||
Subject: [PATCH] update bug url
|
||||
|
||||
---
|
||||
util/grub-set-password.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/util/grub-set-password.in b/util/grub-set-password.in
|
||||
index 6553eaa..03731d5 100644
|
||||
--- a/util/grub-set-password.in
|
||||
+++ b/util/grub-set-password.in
|
||||
@@ -21,7 +21,7 @@ located by default at ${grubdir}.
|
||||
-v, --version print the version information and exit
|
||||
-o, --output_path <DIRECTORY> put user.cfg in a user-selected directory
|
||||
|
||||
-Report bugs at https://bugzilla.redhat.com.
|
||||
+Report bugs at https://github.com/oracle/oracle-linux .
|
||||
EOF
|
||||
}
|
||||
|
||||
--
|
||||
2.43.5
|
||||
|
@ -216,7 +216,7 @@
|
||||
|
||||
%ifarch x86_64
|
||||
%global with_efi_common 1
|
||||
%global with_legacy_modules 0
|
||||
%global with_legacy_modules 1
|
||||
%global with_legacy_common 0
|
||||
%else
|
||||
%global with_efi_common 0
|
||||
@ -274,6 +274,11 @@ Requires: %{name}-common = %{evr} \
|
||||
Requires: %{name}-tools-minimal >= %{evr} \
|
||||
Requires: %{name}-tools = %{evr} \
|
||||
Provides: %{name}-efi = %{evr} \
|
||||
Provides: oracle(grub2-sig-key) = 202204 \
|
||||
%{expand:%%ifarch x86_64 \
|
||||
Conflicts: shim-x64 <= 15.3-1.0.5.el9 \
|
||||
Conflicts: shim-ia32 <= 15.3-1.0.5.el9 \
|
||||
%%endif} \
|
||||
%{?legacy_provides:Provides: %{name} = %{evr}} \
|
||||
%{-o:Obsoletes: %{name}-efi < %{evr}} \
|
||||
\
|
||||
@ -372,7 +377,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
|
||||
rm -f %{1}.conf \
|
||||
%{nil}
|
||||
|
||||
%global grub_modules " all_video boot blscfg \\\
|
||||
%global grub_modules " all_video boot blscfg btrfs \\\
|
||||
cat configfile cryptodisk \\\
|
||||
echo ext2 f2fs fat font \\\
|
||||
gcry_rijndael gcry_rsa gcry_serpent \\\
|
||||
@ -387,7 +392,7 @@ rm -f %{1}.conf \
|
||||
search_label serial sleep syslinuxcfg \\\
|
||||
test tftp version video xfs zstd " \
|
||||
|
||||
%ifarch x86_64 aarch64 %{arm} riscv64
|
||||
%ifarch x86_64 aarch64 %{arm}
|
||||
%define efi_mkimage() \
|
||||
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
|
||||
-p /EFI/%{efi_vendor} -d grub-core \\\
|
||||
|
@ -350,3 +350,7 @@ Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
|
||||
Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
|
||||
Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch
|
||||
Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch
|
||||
Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
|
||||
Patch0354: 0354-misc-Implement-grub_strlcpy.patch
|
||||
Patch1000: bug18504756-use-different-title-for-UEK.patch
|
||||
Patch1001: bug26388226-update-redhat-references.patch
|
@ -1,3 +1,4 @@
|
||||
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
||||
grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
|
||||
grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
|
||||
grub.ol9,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com
|
||||
|
@ -16,7 +16,7 @@
|
||||
Name: grub2
|
||||
Epoch: 1
|
||||
Version: 2.06
|
||||
Release: 93%{?dist}
|
||||
Release: 94.0.1%{?dist}
|
||||
Summary: Bootloader with support for Linux, Multiboot and more
|
||||
License: GPLv3+
|
||||
URL: http://www.gnu.org/software/grub/
|
||||
@ -38,21 +38,21 @@ Source12: sbat.csv.in
|
||||
%include %{SOURCE1}
|
||||
|
||||
%ifarch x86_64 aarch64 ppc64le
|
||||
%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
|
||||
%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
|
||||
%define sb_ca %{SOURCE14}
|
||||
%define sb_cer %{SOURCE14}
|
||||
%endif
|
||||
|
||||
%if 0%{?centos}
|
||||
|
||||
%ifarch x86_64 aarch64 ppc64le
|
||||
%define sb_key centossecureboot202
|
||||
%define sb_key OracleSecureBootgrubsigningkey2
|
||||
%endif
|
||||
%else
|
||||
%ifarch x86_64 aarch64
|
||||
%define sb_key redhatsecureboot502
|
||||
%define sb_key OracleSecureBootgrubsigningkey2
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%define sb_key redhatsecureboot702
|
||||
%define sb_key OracleSecureBootgrubsigningkey2
|
||||
%endif
|
||||
|
||||
%endif
|
||||
@ -547,6 +547,40 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Mar 17 2025 Alex Burmashev <alexander.burmashev@oracle.com> - 2.06-94.0.1
|
||||
- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566]
|
||||
- Restore correct order of processing config files [Orabug: 36758359]
|
||||
- Support setting custom kernels as default kernels [Orabug: 36043978]
|
||||
- Bump SBAT metadata for grub to 3 [Orabug: 34872719]
|
||||
- Fix CVE-2022-3775 [Orabug: 34871953]
|
||||
- Enable signing for aarch64 EFI
|
||||
- Fix signing certificate names
|
||||
- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986]
|
||||
- Replaced bugzilla.oracle.com references [Orabug: 34202300]
|
||||
- Update provided certificate version to 202204 [JIRA: OLDIS-16371]
|
||||
- Various coverity fixes [JIRA: OLDIS-16371]
|
||||
- bump SBAT generation
|
||||
- Update bug url [Orabug: 34202300]
|
||||
- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371]
|
||||
- Update signing certificate [JIRA: OLDIS-16371]
|
||||
- fix SBAT data [JIRA: OLDIS-16371]
|
||||
- Update requires [JIRA: OLDIS-16371]
|
||||
- Rebuild for SecureBoot signatures [Orabug: 33801813]
|
||||
- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033]
|
||||
- Update Oracle SBAT data [Orabug: 32670033]
|
||||
- Use new signing certificate [Orabug: 32670033]
|
||||
- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497]
|
||||
- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597]
|
||||
- Update upstream references [Orabug: 26388226]
|
||||
- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955]
|
||||
- Put "with" in menuentry instead of "using" [Orabug: 18504756]
|
||||
- Use different titles for UEK and RHCK kernels [Orabug: 18504756]
|
||||
|
||||
* Thu Feb 20 2025 Nicolas Frayer <nfrayer@redhat.com> 2.06-94
|
||||
- CVE fixes
|
||||
- Resolves: CVE-2025-0624
|
||||
- Resolves: #RHEL-79842
|
||||
|
||||
* Wed Oct 16 2024 Nicolas Frayer <nfrayer@redhat.com> 2.06-93
|
||||
- cmd/search: Fix a possible NULL ptr dereference
|
||||
- Resolves: #RHEL-61263
|
||||
|
Loading…
Reference in New Issue
Block a user