Merge branch 'c9' into a9

eabdullin 2024-06-13 09:32:00 +03:00
commit 83f61f3c7d
4 changed files with 280 additions and 5 deletions


@ -0,0 +1,77 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marta Lewandowska <mlewando@redhat.com>
Date: Fri, 13 Oct 2023 09:13:41 +0200
Subject: [PATCH] grub-install on EFI if forced
UEFI Secure Boot requires signed grub binaries to work, so grub-
install should not be used. However, users who have Secure Boot
disabled and wish to use the command should not be prevented from
doing so if they invoke --force.
fixes bz#1917213 / bz#2240994
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
---
util/grub-install.c | 42 ++++++++++++++++++++++++++----------------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/util/grub-install.c b/util/grub-install.c
index 5babc7af5518..162162bec6e2 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -899,22 +899,6 @@ main (int argc, char *argv[])
platform = grub_install_get_target (grub_install_source_directory);
- switch (platform)
- {
- case GRUB_INSTALL_PLATFORM_ARM_EFI:
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
- case GRUB_INSTALL_PLATFORM_I386_EFI:
- case GRUB_INSTALL_PLATFORM_IA64_EFI:
- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
- is_efi = 1;
- grub_util_error (_("this utility cannot be used for EFI platforms"
- " because it does not support UEFI Secure Boot"));
- break;
- default:
- is_efi = 0;
- break;
- }
-
{
char *platname = grub_install_get_platform_name (platform);
fprintf (stderr, _("Installing for %s platform.\n"), platname);
@@ -1027,6 +1011,32 @@ main (int argc, char *argv[])
grub_hostfs_init ();
grub_host_init ();
+ switch (platform)
+ {
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
+ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+ case GRUB_INSTALL_PLATFORM_ARM_EFI:
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+ case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
+ case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
+ is_efi = 1;
+ if (!force)
+ grub_util_error (_("This utility should not be used for EFI platforms"
+ " because it does not support UEFI Secure Boot."
+ " If you really wish to proceed, invoke the --force"
+ " option.\nMake sure Secure Boot is disabled before"
+ " proceeding"));
+ break;
+ default:
+ is_efi = 0;
+ break;
+
+ /* pacify warning. */
+ case GRUB_INSTALL_PLATFORM_MAX:
+ break;
+ }
+
/* Find the EFI System Partition. */
if (is_efi)
{
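Review bot: Once `force` is set the EFI cases at the new switch proceed silently, even though the error text itself says Secure Boot must be disabled first and nothing in the code checks that; at minimum add an else branch to the `if (!force)` with `grub_util_warn (_("forcing grub-install on an EFI platform; the installed image will not boot with UEFI Secure Boot enabled"));` so the override is visible in logs, and consider consulting the host's Secure Boot state where it is exposed before continuing. The switch has also moved from directly after `grub_install_get_target` (the removed block at -899) to after `grub_host_init ()`, so any code in that stretch that reads `is_efi` now sees it unset — worth confirming nothing there depends on it. Placing `default:` before the `GRUB_INSTALL_PLATFORM_MAX` case works only because both arms end in `break;`; putting the MAX case ahead of `default:` would make that less fragile. main () starts and ends outside this hunk.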


@ -0,0 +1,182 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Thu, 16 May 2024 10:58:32 +0200
Subject: [PATCH] cmd/search: Rework of CVE-2023-4001 fix
The initial fix implemented a new flag that forces the grub cfg
stub to be located on the same disk as grub. This created several
issues such as RAID machines not being able to boot as their
partition names under grub were different from the partition where
grub is located. It also simply means that any machines with the
/boot partition located on a disk other than the one containing grub
won't boot.
This commit denies booting if the grub cfg stub is located on a USB
drive with a duplicated UUID (UUID being the same as the partition
containing the actual grub cfg stub)
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
grub-core/commands/search.c | 136 +++++++++++++++++++++++++++++++++++++++++---
1 file changed, 127 insertions(+), 9 deletions(-)
diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
index 94fe8b2872a1..c052cb098c36 100644
--- a/grub-core/commands/search.c
+++ b/grub-core/commands/search.c
@@ -30,6 +30,8 @@
#include <grub/i18n.h>
#include <grub/disk.h>
#include <grub/partition.h>
+#include <grub/efi/api.h>
+#include <grub/time.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -54,6 +56,100 @@ struct search_ctx
int is_cache;
};
+static int
+is_device_usb (const char *name)
+{
+ int ret = 0;
+
+ grub_device_t dev = grub_device_open(name);
+
+ if (dev)
+ {
+ struct grub_efidisk_data
+ {
+ grub_efi_handle_t handle;
+ grub_efi_device_path_t *device_path;
+ grub_efi_device_path_t *last_device_path;
+ grub_efi_block_io_t *block_io;
+ struct grub_efidisk_data *next;
+ };
+
+ if (dev->disk && dev->disk->data)
+ {
+ struct grub_efidisk_data *dp = dev->disk->data;
+
+ if ( GRUB_EFI_DEVICE_PATH_TYPE (dp->last_device_path) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE &&
+ GRUB_EFI_DEVICE_PATH_SUBTYPE (dp->last_device_path) == GRUB_EFI_USB_DEVICE_PATH_SUBTYPE)
+ {
+ ret = 1;
+ }
+ }
+ grub_device_close(dev);
+ }
+
+ return ret;
+}
+
+static int
+get_device_uuid(const char *name, char** quid)
+{
+ int ret = 0;
+
+ grub_device_t dev_part = grub_device_open(name);
+
+ if (dev_part)
+ {
+ grub_fs_t fs;
+
+ fs = grub_fs_probe (dev_part);
+
+#ifdef DO_SEARCH_FS_UUID
+#define read_fn fs_uuid
+#else
+#define read_fn fs_label
+#endif
+ if (fs && fs->read_fn)
+ {
+ fs->read_fn (dev_part, quid);
+
+ if (grub_errno == GRUB_ERR_NONE && *quid)
+ {
+ ret = 1;
+ }
+
+ }
+ grub_device_close (dev_part);
+ }
+
+ return ret;
+}
+struct uuid_context {
+ char* name;
+ char* uuid;
+};
+
+static int
+check_for_duplicate (const char *name, void *data)
+{
+ int ret = 0;
+ struct uuid_context * uuid_ctx = (struct uuid_context *)data;
+ char *quid = 0;
+
+ get_device_uuid(name, &quid);
+
+ if (quid == NULL)
+ return 0;
+
+ if (!grub_strcasecmp(quid, uuid_ctx->uuid) && grub_strcasecmp(name, uuid_ctx->name))
+ {
+ ret = 1;
+ }
+
+ grub_free(quid);
+
+ return ret;
+}
+
/* Helper for FUNC_NAME. */
static int
iterate_device (const char *name, void *data)
@@ -104,15 +200,37 @@ iterate_device (const char *name, void *data)
grub_str_sep (root_dev, root_disk, ',', rem_1);
grub_str_sep (name, name_disk, ',', rem_2);
if (root_disk != NULL && *root_disk != '\0' &&
- name_disk != NULL && *name_disk != '\0')
- if (grub_strcmp(root_disk, name_disk) != 0)
- {
- grub_free (root_disk);
- grub_free (name_disk);
- grub_free (rem_1);
- grub_free (rem_2);
- return 0;
- }
+ name_disk != NULL && *name_disk != '\0')
+ {
+ grub_device_t dev, dev_part;
+
+ if (is_device_usb(name) && !is_device_usb(root_dev))
+ {
+ char *quid_name = NULL;
+ int longlist = 0;
+ struct uuid_context uuid_ctx;
+ int ret = 0;
+
+ get_device_uuid(name, &quid_name);
+ if (!grub_strcmp(quid_name, ctx->key))
+ {
+ uuid_ctx.name = name;
+ uuid_ctx.uuid = quid_name;
+
+ ret = grub_device_iterate (check_for_duplicate, &uuid_ctx);
+
+ if (ret)
+ {
+ grub_printf("Duplicated media UUID found, rebooting ...\n");
+ grub_sleep(10);
+ grub_reboot();
+ }
+ }
+
+ if (quid_name) grub_free (quid_name);
+
+ }
+ }
}
grub_free (root_disk);
grub_free (name_disk);
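Review bot: `get_device_uuid (name, &quid_name)` leaves quid_name NULL whenever the probe finds no filesystem, the filesystem has no UUID reader, or the read fails, and the next line passes it straight to grub_strcmp, so a USB device without a readable UUID dereferences NULL; guard it as `if (quid_name && !grub_strcmp (quid_name, ctx->key))`. The locals `dev`, `dev_part` and `longlist` are never used, and `uuid_ctx.name = name` discards the const qualifier of the callback parameter, so the fields of `struct uuid_context` should be `const char *`. In is_device_usb the cast of `dev->disk->data` to a locally redeclared copy of efidisk's private structure is only valid for disks owned by the EFI disk driver, yet search.c is built for every platform, so on another driver `dp->last_device_path` is read from unrelated memory; check the owning driver (e.g. `dev->disk->dev->id == GRUB_DISK_DEVICE_EFIDISK_ID`) or compile the helper only under `GRUB_MACHINE_EFI`, and take the struct definition from a shared header instead of duplicating its layout. get_device_uuid also returns with grub_errno still set after a failed probe or read, which may surface as a spurious error in a later callback — reset it with `grub_errno = GRUB_ERR_NONE;` before returning, as the existing iteration code appears to do. iterate_device begins and ends outside this hunk.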


@ -341,3 +341,5 @@ Patch0340: 0340-fs-ntfs-Make-code-more-readable.patch
Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch
Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch
Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch
Patch0344: 0344-grub-install-on-EFI-if-forced.patch
Patch0345: 0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch


@ -16,7 +16,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.06 Version: 2.06
Release: 77%{?dist}.alma.1 Release: 80%{?dist}.alma.1
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+ License: GPLv3+
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -329,9 +329,11 @@ fi
if test ! -f ${EFI_HOME}/grub.cfg; then if test ! -f ${EFI_HOME}/grub.cfg; then
# there's no config in ESP, create one # there's no config in ESP, create one
grub2-mkconfig -o ${EFI_HOME}/grub.cfg grub2-mkconfig -o ${EFI_HOME}/grub.cfg
cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
fi fi
if grep -q "configfile" ${EFI_HOME}/grub.cfg; then if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
exit 0 # already unified, nothing to do exit 0 # already unified, nothing to do
fi fi
@ -351,8 +353,6 @@ if test -f ${EFI_HOME}/grubenv; then
mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv
fi fi
cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%files common -f grub.lang %files common -f grub.lang
@ -524,9 +524,23 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif %endif
%changelog %changelog
* Thu Mar 28 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-77.alma.1 * Thu Jun 13 2024 Eduard Abdullin <eabdullin@almalinux.org> - 2.06-80.alma.1
- Debrand for AlmaLinux - Debrand for AlmaLinux
* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-80
- Added more code for the previous CVE fix
- Related: #RHEL-36249
- Related: #RHEL-36186
* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-79
- cmd/search: Rework of CVE-2023-4001 fix
- Resolves: #RHEL-36249
- Resolves: #RHEL-36186
* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-78
- util: grub-install on EFI if forced
- Resolves: #RHEL-20443
* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-77 * Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-77
- kern/dl: grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes - kern/dl: grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes
- Resolves: #RHEL-26322 - Resolves: #RHEL-26322