diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-14372.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372.patch | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch new file mode 100644 index 0000000000..08e7666cde --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch @@ -0,0 +1,76 @@ +From 0d237c0b90f0c6d4a3662c569b2371ae3ed69574 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas <javierm@redhat.com> +Date: Mon, 28 Sep 2020 20:08:41 +0200 +Subject: [PATCH] acpi: Don't register the acpi command when locked down +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The command is not allowed when lockdown is enforced. Otherwise an +attacker can instruct the GRUB to load an SSDT table to overwrite +the kernel lockdown configuration and later load and execute +unsigned code. + +Fixes: CVE-2020-14372 + +Reported-by: Máté Kukri <km@mkukri.xyz> +Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e8e4c0549240fa209acffceb473e1e509b50c95] +CVE: CVE-2020-14372 +Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> +--- + docs/grub.texi | 5 +++++ + grub-core/commands/acpi.c | 15 ++++++++------- + 2 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/docs/grub.texi b/docs/grub.texi +index 0786427..47ac7ff 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer + (RSDP) in the Extended BIOS Data Area to point to the new tables. If the + @option{--no-ebda} option is used, the new tables will be known only to + GRUB, but may be used by GRUB's EFI emulation. ++ ++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). ++ Otherwise an attacker can instruct the GRUB to load an SSDT table to ++ overwrite the kernel lockdown configuration and later load and execute ++ unsigned code. + @end deffn + + +diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c +index 5a1499a..1215f2a 100644 +--- a/grub-core/commands/acpi.c ++++ b/grub-core/commands/acpi.c +@@ -27,6 +27,7 @@ + #include <grub/mm.h> + #include <grub/memory.h> + #include <grub/i18n.h> ++#include <grub/lockdown.h> + + #ifdef GRUB_MACHINE_EFI + #include <grub/efi/efi.h> +@@ -775,13 +776,13 @@ static grub_extcmd_t cmd; + + GRUB_MOD_INIT(acpi) + { +- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0, +- N_("[-1|-2] [--exclude=TABLE1,TABLE2|" +- "--load-only=TABLE1,TABLE2] FILE1" +- " [FILE2] [...]"), +- N_("Load host ACPI tables and tables " +- "specified by arguments."), +- options); ++ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0, ++ N_("[-1|-2] [--exclude=TABLE1,TABLE2|" ++ "--load-only=TABLE1,TABLE2] FILE1" ++ " [FILE2] [...]"), ++ N_("Load host ACPI tables and tables " ++ "specified by arguments."), ++ options); + } + + GRUB_MOD_FINI(acpi) |