Ubuntu
grub2-unsigned package

device tree protocol not always applied

Bug #2028931 reported by Julian Andres Klode
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
grub2 (Ubuntu)
Focal
Won't Fix
Undecided
Unassigned
Jammy
Won't Fix
Undecided
Unassigned
Lunar
Won't Fix
Undecided
Unassigned
Mantic
Fix Released
Undecided
Unassigned
grub2-unsigned (Ubuntu)
Status tracked in Mantic
Focal
Fix Released
Undecided
Mate Kukri
Jammy
Fix Released
Undecided
Mate Kukri
Lunar
Fix Released
Undecided
Mate Kukri
Mantic
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
device tree fixups are not applied when grub_fdt_load() has been called before, as that copies the device tree + extra space into a new fdt variable.

For example, when a pre-LoadFile2 kernel is being loaded, grub passes the initrd via device tree and needs to modify it, for which it calls the function. On pre-2.12 loaders, this happens for every kernel on arm64 as we do not support LoadFile2 there.

[Test plan]
Isaac has run the test to make sure the change works and Mate has verified that it doesn't regress qemu booting across a wide set of scenarios but either way we'd not block update releases on this but would rather reset the tasks after.

[Where problems could occur]
We're moving the fixup of the device tree to directly after loading it, so that grub can make any modifications to set initrd for example (there are no others yet), later.

Device tree fixup suddenly working can of course cause regressions if the fixups in u-boot are wrong.

See original description

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed
Revision history for this message
Julian Andres Klode (juliank) wrote :

This is fixed in 2.12~rc1-4 (which also happens to work with kernels > 5.8 anyhow) and will be backported to 2.06 at a later point.

Changed in grub2 (Ubuntu Mantic):
status: Confirmed → Fix Committed
Mate Kukri (mkukri)
Changed in grub2 (Ubuntu Focal):
assignee: nobody → Mate Kukri (mkukri)
Mate Kukri (mkukri)
Changed in grub2 (Ubuntu Jammy):
assignee: nobody → Mate Kukri (mkukri)
Changed in grub2 (Ubuntu Lunar):
assignee: nobody → Mate Kukri (mkukri)
Mate Kukri (mkukri)
Changed in grub2 (Ubuntu Mantic):
assignee: nobody → Mate Kukri (mkukri)
Mate Kukri (mkukri)
tags: added: foundations-todo
Revision history for this message
Julian Andres Klode (juliank) wrote :

mantic was fix released already, so cleaning up state there.

Changed in grub2 (Ubuntu Mantic):
status: Fix Committed → Fix Released
assignee: Mate Kukri (mkukri) → nobody
Julian Andres Klode (juliank)
Changed in grub2 (Ubuntu Focal):
assignee: Mate Kukri (mkukri) → nobody
status: New → Won't Fix
Changed in grub2 (Ubuntu Jammy):
assignee: Mate Kukri (mkukri) → nobody
status: New → Won't Fix
Mate Kukri (mkukri)
Changed in grub2-unsigned (Ubuntu Mantic):
status: New → Fix Released
Julian Andres Klode (juliank)
Changed in grub2 (Ubuntu Lunar):
assignee: Mate Kukri (mkukri) → nobody
status: New → Won't Fix
Mate Kukri (mkukri)
no longer affects: grub2 (Ubuntu)
Julian Andres Klode (juliank)
Changed in grub2-unsigned (Ubuntu Lunar):
assignee: nobody → Mate Kukri (mkukri)
status: New → Triaged
Changed in grub2-unsigned (Ubuntu Jammy):
status: New → Triaged
Changed in grub2-unsigned (Ubuntu Focal):
status: New → Triaged
Mate Kukri (mkukri)
Changed in grub2-unsigned (Ubuntu Jammy):
assignee: nobody → Mate Kukri (mkukri)
Julian Andres Klode (juliank)
Changed in grub2-unsigned (Ubuntu Focal):
assignee: nobody → Mate Kukri (mkukri)
Julian Andres Klode (juliank)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu14.4

---------------
grub2-unsigned (2.06-2ubuntu14.4) jammy; urgency=high

  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692
  * efi/fdt: Apply device tree fixups directly after loading
    - add debian/patches/fdt-fixup-after-load.patch
    - LP: #2028931
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden> Mon, 02 Oct 2023 15:26:59 +0100

Changed in grub2-unsigned (Ubuntu Focal):
status: Triaged → Fix Released
Launchpad Janitor (janitor)
Changed in grub2-unsigned (Ubuntu Jammy):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu17.2

---------------
grub2-unsigned (2.06-2ubuntu17.2) lunar; urgency=high

  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692
  * efi/fdt: Apply device tree fixups directly after loading
    - add debian/patches/fdt-fixup-after-load.patch
    - LP: #2028931
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden> Mon, 02 Oct 2023 15:25:43 +0100

Changed in grub2-unsigned (Ubuntu Lunar):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.