From 61e80385391de00c59c759250b2fa387d94309ff Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Tue, 2 Jul 2024 13:54:10 +0200 Subject: [PATCH 1/3] 99-grub-mkconfig: Avoid disabling BLS usage for Xen HVM VMs Xen PV and PVH guest use direct kernel boot and may use 'pygrub' tool to parse guest's grub config. The tool is incompatible with BLS and thus 99-grub-mkconfig.install disables it. The problem is observed with HVM guests which are 'normal' VMs and don't require pygrub compatibility. E.g. legacy AWS instance types are of this kind. Disabling BLS for them is undesired and unjustified. Luckily, kernel driver for Xen provides '/sys/hypervisor/guest_type' interface telling us which type of guest are we running in. Signed-off-by: Vitaly Kuznetsov --- 99-grub-mkconfig.install | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/99-grub-mkconfig.install b/99-grub-mkconfig.install index d9686b5..1411f6a 100755 --- a/99-grub-mkconfig.install +++ b/99-grub-mkconfig.install @@ -8,8 +8,10 @@ fi # also Xen Dom0 use the menuentries from 20_linux_xen and not the ones from # 10_linux. So BLS support needs to be disabled for both Xen Dom0 and DomU. if [[ -e /sys/hypervisor/type ]] && grep -q "^xen$" /sys/hypervisor/type; then - RUN_MKCONFIG=true - DISABLE_BLS=true + if [ ! -e /sys/hypervisor/guest_type ] || ! grep -q "^HVM$" /sys/hypervisor/guest_type; then + RUN_MKCONFIG=true + DISABLE_BLS=true + fi fi ARCH=$(uname -m) From 0f8974ea5582c00f365190d7558fb92332a0e1f1 Mon Sep 17 00:00:00 2001 From: Nicolas Frayer Date: Wed, 26 Feb 2025 12:19:46 +0100 Subject: [PATCH 2/3] fs/ext2: Rework out-of-bounds read for inline and external extents Related: #RHEL-80686 Signed-off-by: Nicolas Frayer --- ...ut-of-bounds-read-for-inline-and-ext.patch | 65 +++++++++++++++++++ grub.patches | 3 +- grub2.spec | 6 +- 3 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 0360-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch diff --git a/0360-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch b/0360-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch new file mode 100644 index 0000000..cad5049 --- /dev/null +++ b/0360-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch @@ -0,0 +1,65 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Chang via Grub-devel +Date: Fri, 21 Feb 2025 09:06:12 +0800 +Subject: [PATCH] fs/ext2: Rework out-of-bounds read for inline and external + extents + +Previously, the number of extent entries was not properly capped based +on the actual available space. This could lead to insufficient reads for +external extents, since the computation was based solely on the inline +extent layout. + +In this patch, when processing the extent header, we determine whether +the header is stored inline (i.e., at inode->blocks.dir_blocks) or in an +external extent block. We then clamp the number of entries accordingly +(using max_inline_ext for inline extents and max_external_ext for +external extent blocks). + +This change ensures that only the valid number of extent entries is +processed, preventing out-of-bound reads and potential filesystem +corruption. + +Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents) + +Signed-off-by: Michael Chang +Tested-by: Christian Hesse +Reviewed-by: Daniel Kiper +--- + grub-core/fs/ext2.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c +index c3058f7e71f1..a5650c34cf3a 100644 +--- a/grub-core/fs/ext2.c ++++ b/grub-core/fs/ext2.c +@@ -496,7 +496,10 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) + int i; + grub_disk_addr_t ret; + grub_uint16_t nent; ++ /* maximum number of extent entries in the inode's inline extent area */ + const grub_uint16_t max_inline_ext = sizeof (inode->blocks) / sizeof (*ext) - 1; /* Minus 1 extent header. */ ++ /* maximum number of extent entries in the external extent block */ ++ const grub_uint16_t max_external_ext = EXT2_BLOCK_SIZE(data) / sizeof (*ext) - 1; /* Minus 1 extent header. */ + + if (grub_ext4_find_leaf (data, (struct grub_ext4_extent_header *) inode->blocks.dir_blocks, + fileblock, &leaf) != GRUB_ERR_NONE) +@@ -513,8 +516,18 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) + + nent = grub_le_to_cpu16 (leaf->entries); + +- if (leaf->depth == 0) ++ /* ++ * Determine the effective number of extent entries (nent) to process: ++ * If the extent header (leaf) is stored inline in the inode’s block ++ * area (i.e. at inode->blocks.dir_blocks), then only max_inline_ext ++ * entries can fit. ++ * Otherwise, if the header was read from an external extent block, use ++ * the larger limit, max_external_ext, based on the full block size. ++ */ ++ if (leaf == (struct grub_ext4_extent_header *) inode->blocks.dir_blocks) + nent = grub_min (nent, max_inline_ext); ++ else ++ nent = grub_min (nent, max_external_ext); + + for (i = 0; i < nent; i++) + { diff --git a/grub.patches b/grub.patches index 46ce344..1c4fe1f 100644 --- a/grub.patches +++ b/grub.patches @@ -356,4 +356,5 @@ Patch0355: 0355-normal-menu-Use-safe-math-to-avoid-an-integer-overfl.patch Patch0356: 0356-kern-partition-Add-sanity-check-after-grub_strtoul-c.patch Patch0357: 0357-kern-misc-Add-sanity-check-after-grub_strtoul-call.patch Patch0358: 0358-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch -Patch0359: 0359-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch \ No newline at end of file +Patch0359: 0359-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch +Patch0360: 0360-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch diff --git a/grub2.spec b/grub2.spec index 349efac..4638d11 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ @@ -583,6 +583,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Wed Feb 26 2025 Nicolas Frayer - 2.02-10 +- fs/ext2: Rework out-of-bounds read for inline and external extents +- Related: #RHEL-80686 + * Tue Feb 18 2025 Leo Sandoval - 2.02-9 - Add Several CVE fixes - Resolves: CVE-2024-45781 CVE-2024-45783 CVE-2024-45778 From b621d47266e27627b9499d6dc46c9ba0b8d9844b Mon Sep 17 00:00:00 2001 From: Nicolas Frayer Date: Wed, 26 Feb 2025 15:29:20 +0100 Subject: [PATCH 3/3] Bump release to trigger signing tools Signed-off-by: Nicolas Frayer --- grub2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/grub2.spec b/grub2.spec index 4638d11..4ee3150 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ @@ -583,6 +583,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Wed Feb 26 2025 Nicolas Frayer - 2.02-11 +- Bump release to trigger signing tools + * Wed Feb 26 2025 Nicolas Frayer - 2.02-10 - fs/ext2: Rework out-of-bounds read for inline and external extents - Related: #RHEL-80686