rpms/grub2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import OL

Browse Source
This commit is contained in:
eabdullin 2025-03-19 14:50:25 +03:00
parent b57b7a27b0
commit 6fdd8b9aca
9 changed files with 263 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch Normal file
View File

@ -0,0 +1,79 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Tue, 11 Feb 2025 16:38:44 -0600
Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
pass the underlying buffers size to the grub_net_search_config_file().
Fixes: CVE-2025-0624
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/net.c | 7 ++++---
grub-core/normal/main.c | 2 +-
include/grub/net.h | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
index 2512862..6c0bd00 100644
--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
@@ -1971,14 +1971,15 @@ grub_config_search_through (char *config, char *suffix,
}
grub_err_t
-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
{
- grub_size_t config_len;
+ grub_size_t config_len, suffix_len;
char *suffix;
config_len = grub_strlen (config);
config[config_len] = '-';
suffix = config + config_len + 1;
+ suffix_len = config_buf_len - (config_len + 1);
struct grub_net_network_level_interface *inf;
FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
@@ -2004,7 +2005,7 @@ grub_net_search_config_file (char *config)
if (client_uuid)
{
- grub_strcpy (suffix, client_uuid);
+ grub_strlcpy (suffix, client_uuid, suffix_len);
if (grub_config_search_through (config, suffix, 1, 0) == 0)
return GRUB_ERR_NONE;
}
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 6f6e4a8..49b9472 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
return err;
grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
- err = grub_net_search_config_file (config);
+ err = grub_net_search_config_file (config, config_len);
}
if (err != GRUB_ERR_NONE)
diff --git a/include/grub/net.h b/include/grub/net.h
index 43eba92..1101b03 100644
--- a/include/grub/net.h
+++ b/include/grub/net.h
@@ -648,7 +648,7 @@ void
grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
grub_err_t
-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
extern char *grub_net_default_server;

65
SOURCES/0354-misc-Implement-grub_strlcpy.patch Normal file
View File

@ -0,0 +1,65 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sat, 15 Jun 2024 02:33:08 +0100
Subject: [PATCH] misc: Implement grub_strlcpy()
grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
returning the length of src and ensuring dest is always NUL
terminated except when size is 0.
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/include/grub/misc.h b/include/grub/misc.h
index 981526644..0592aa68f 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
return d - 1;
}
+static inline grub_size_t
+grub_strlcpy (char *dest, const char *src, grub_size_t size)
+{
+ char *d = dest;
+ grub_size_t res = 0;
+ /*
+ * We do not subtract one from size here to avoid dealing with underflowing
+ * the value, which is why to_copy is always checked to be greater than one
+ * throughout this function.
+ */
+ grub_size_t to_copy = size;
+
+ /* Copy size - 1 bytes to dest. */
+ if (to_copy > 1)
+ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
+ ;
+
+ /*
+ * NUL terminate if size != 0. The previous step may have copied a NUL byte
+ * if it reached the end of the string, but we know dest[size - 1] must always
+ * be a NUL byte.
+ */
+ if (size != 0)
+ dest[size - 1] = '\0';
+
+ /* If there is still space in dest, but are here, we reached the end of src. */
+ if (to_copy > 1)
+ return res;
+
+ /*
+ * If we haven't reached the end of the string, iterate through to determine
+ * the strings total length.
+ */
+ while (*src++ != '\0' && ++res)
+ ;
+
+ return res;
+}
+
/* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
static inline void *
grub_memcpy (void *dest, const void *src, grub_size_t n)

18
SOURCES/20-grub.install
View File

@ -6,6 +6,7 @@ fi
[[ -f /etc/default/grub ]] && . /etc/default/grub
[[ -f /etc/os-release ]] && . /etc/os-release
[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel
COMMAND="$1"
KERNEL_VERSION="$2"
@ -41,8 +42,14 @@ mkbls() {
fi
fi
if [[ $kernelver =~ uek ]]; then
local ver_stanza="$kernelver with Unbreakable Enterprise Kernel"
else
local ver_stanza="$kernelver"
fi
cat <<EOF
title ${NAME} (${kernelver}) ${VERSION}${debugname}
title ${NAME} (${ver_stanza}) ${VERSION}${debugname}
version ${kernelver}${debugid}
linux /vmlinuz-${kernelver}
initrd /initramfs-${kernelver}.img
@ -104,6 +111,7 @@ case "$COMMAND" in
done
fi
KERNEL_NAME="$(rpm -q --queryformat %{NAME} $(rpm -qf $KERNEL_IMAGE))"
eval "$(grub2-get-kernel-settings)" || true
[[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
@ -129,11 +137,7 @@ case "$COMMAND" in
sed -i -e "s,^initrd.*,initrd ${BOOTPREFIX}${INITRD},g" "${BLS_TARGET}"
fi
if ( [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && \
[ "x$GRUB_NON_STANDARD_KERNEL" == "xtrue" ] ) || \
( echo "$KERNEL_VERSION" | grep -E -q "64k|auto|rt|uki" && \
[ "x$GRUB_NON_STANDARD_KERNEL" != "xtrue" ] ) || \
( [[ "$KERNEL_VERSION" == *debug* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ] ); then
if [[ "$KERNEL_VERSION" == *\+* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ]; then
GRUB_UPDATE_DEFAULT_KERNEL=false
fi
@ -152,7 +156,7 @@ case "$COMMAND" in
NEWDEFAULT="${BLS_DEBUG_ID}"
fi
fi
if [ -n "$NEWDEFAULT" ]; then
if [ -n "$NEWDEFAULT" ] && [ "$DEFAULTKERNEL" = "$KERNEL_NAME" ]; then
grub2-editenv - set "saved_entry=${NEWDEFAULT}"
fi

30
SOURCES/bug18504756-use-different-title-for-UEK.patch Normal file
View File

@ -0,0 +1,30 @@
From fd04ca689f52d8bbef13413b4d285c9ba4d0f038 Mon Sep 17 00:00:00 2001
From: build team <natalya.naumova@oracle.com>
Date: Tue, 18 Dec 2018 13:22:12 -0800
Subject: [PATCH 1/1] Use different menuentries for UEK kernel
---
util/grub.d/10_linux.in | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index b54d277..fe8b20f 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -173,7 +173,12 @@ EOF
fi
if [ x$type != xsimple ] ; then
- title=$(mktitle "$type" "$version")
+ if echo "$version" | grep -q uek; then
+ kernel_type_text="with Unbreakable Enterprise Kernel"
+ else
+ kernel_type_text="with Linux"
+ fi
+ title=$(mktitle "$type" "$version $kernel_type_text")
if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)"
--
1.8.3.1

25
SOURCES/bug26388226-update-redhat-references.patch Normal file
View File

@ -0,0 +1,25 @@
From aba9976ce324fdf845b04b326f7426566a676335 Mon Sep 17 00:00:00 2001
From: "livy.ge" <livy.ge@oracle.com>
Date: Wed, 5 Jul 2017 03:53:48 -0700
Subject: [PATCH] update bug url
---
util/grub-set-password.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-set-password.in b/util/grub-set-password.in
index 6553eaa..03731d5 100644
--- a/util/grub-set-password.in
+++ b/util/grub-set-password.in
@@ -21,7 +21,7 @@ located by default at ${grubdir}.
-v, --version print the version information and exit
-o, --output_path <DIRECTORY> put user.cfg in a user-selected directory
-Report bugs at https://bugzilla.redhat.com.
+Report bugs at https://github.com/oracle/oracle-linux .
EOF
}
--
2.43.5

11
SOURCES/grub.macros
View File

@ -216,7 +216,7 @@
%ifarch x86_64
%global with_efi_common 1
%global with_legacy_modules 0
%global with_legacy_modules 1
%global with_legacy_common 0
%else
%global with_efi_common 0
@ -274,6 +274,11 @@ Requires: %{name}-common = %{evr} \
Requires: %{name}-tools-minimal >= %{evr} \
Requires: %{name}-tools = %{evr} \
Provides: %{name}-efi = %{evr} \
Provides: oracle(grub2-sig-key) = 202204 \
%{expand:%%ifarch x86_64 \
Conflicts: shim-x64 <= 15.3-1.0.5.el9 \
Conflicts: shim-ia32 <= 15.3-1.0.5.el9 \
%%endif} \
%{?legacy_provides:Provides: %{name} = %{evr}} \
%{-o:Obsoletes: %{name}-efi < %{evr}} \
\
@ -372,7 +377,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
rm -f %{1}.conf \
%{nil}
%global grub_modules " all_video boot blscfg \\\
%global grub_modules " all_video boot blscfg btrfs \\\
cat configfile cryptodisk \\\
echo ext2 f2fs fat font \\\
gcry_rijndael gcry_rsa gcry_serpent \\\
@ -387,7 +392,7 @@ rm -f %{1}.conf \
search_label serial sleep syslinuxcfg \\\
test tftp version video xfs zstd " \
%ifarch x86_64 aarch64 %{arm} riscv64
%ifarch x86_64 aarch64 %{arm}
%define efi_mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
-p /EFI/%{efi_vendor} -d grub-core \\\

4
SOURCES/grub.patches
View File

@ -350,3 +350,7 @@ Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch
Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch
Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
Patch0354: 0354-misc-Implement-grub_strlcpy.patch
Patch1000: bug18504756-use-different-title-for-UEK.patch
Patch1001: bug26388226-update-redhat-references.patch

1
SOURCES/sbat.csv.in
View File

@ -1,3 +1,4 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
grub.ol9,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com

46
SPECS/grub2.spec
View File

@ -16,7 +16,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 93%{?dist}
Release: 94.0.1%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -38,21 +38,21 @@ Source12: sbat.csv.in
%include %{SOURCE1}
%ifarch x86_64 aarch64 ppc64le
%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
%define sb_ca %{SOURCE14}
%define sb_cer %{SOURCE14}
%endif
%if 0%{?centos}
%ifarch x86_64 aarch64 ppc64le
%define sb_key centossecureboot202
%define sb_key OracleSecureBootgrubsigningkey2
%endif
%else
%ifarch x86_64 aarch64
%define sb_key redhatsecureboot502
%define sb_key OracleSecureBootgrubsigningkey2
%endif
%ifarch ppc64le
%define sb_key redhatsecureboot702
%define sb_key OracleSecureBootgrubsigningkey2
%endif
%endif
@ -547,6 +547,40 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Mon Mar 17 2025 Alex Burmashev <alexander.burmashev@oracle.com> - 2.06-94.0.1
- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566]
- Restore correct order of processing config files [Orabug: 36758359]
- Support setting custom kernels as default kernels [Orabug: 36043978]
- Bump SBAT metadata for grub to 3 [Orabug: 34872719]
- Fix CVE-2022-3775 [Orabug: 34871953]
- Enable signing for aarch64 EFI
- Fix signing certificate names
- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986]
- Replaced bugzilla.oracle.com references [Orabug: 34202300]
- Update provided certificate version to 202204 [JIRA: OLDIS-16371]
- Various coverity fixes [JIRA: OLDIS-16371]
- bump SBAT generation
- Update bug url [Orabug: 34202300]
- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371]
- Update signing certificate [JIRA: OLDIS-16371]
- fix SBAT data [JIRA: OLDIS-16371]
- Update requires [JIRA: OLDIS-16371]
- Rebuild for SecureBoot signatures [Orabug: 33801813]
- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033]
- Update Oracle SBAT data [Orabug: 32670033]
- Use new signing certificate [Orabug: 32670033]
- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497]
- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597]
- Update upstream references [Orabug: 26388226]
- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955]
- Put "with" in menuentry instead of "using" [Orabug: 18504756]
- Use different titles for UEK and RHCK kernels [Orabug: 18504756]
* Thu Feb 20 2025 Nicolas Frayer <nfrayer@redhat.com> 2.06-94
- CVE fixes
- Resolves: CVE-2025-0624
- Resolves: #RHEL-79842
* Wed Oct 16 2024 Nicolas Frayer <nfrayer@redhat.com> 2.06-93
- cmd/search: Fix a possible NULL ptr dereference
- Resolves: #RHEL-61263