include loopback and squash4 modules in EFI binary
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
grub2 (Ubuntu) |
Fix Released
|
Critical
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
grub2-signed (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[SRU Justification]
Development versions of snappy Ubuntu Core leverage grub's squashfs support to load kernels and initramfs directly from the kernel snap (which is a squashfs-format archive). This requires the loopback and the squash4 grub modules to be loaded.
Currently, neither of these modules is included in the signed EFI binaries, therefore this boot strategy is not compatible with SecureBoot.
We should verify that the loopback and squash4 modules are suitable for inclusion in the signed binary, and include them.
[Test case]
1. Grab the snappy image from https:/
2. Install grub-efi-
3. Use kpartx to loop mount /dev/mapper/
4. Replace boot/efi/
5. Unmount the boot partition.
6. Boot the image in a VM using UEFI firmware (not BIOS)
7. Confirm that the image fails to boot with an error about the loopback command not found.
8. Shut down the VM.
9. Install grub-efi-
10. Mount the boot partition again.
11. Replace boot/efi/
12. Unmount the boot partition and remove the kpartx mapping.
13. Boot the image in a VM again, using UEFI firmware.
14. Confirm that the image boots successfully.
[Regression potential]
Minimal. This SRU adds two additional modules to the UEFI boot images, which add a new command and a new filesystem driver respectively. Users who do not have the 'loopback' command in their grub.cfg, and who do not have any squashfs filesystems as raw disks or partitions, should not see any behavior difference. The added modules slightly increase the size of the grub images, from ~1.1MiB to ~1.2MiB. This should not affect the usability of these bootloader images.
Changed in grub2 (Ubuntu): | |
importance: | Undecided → Critical |
description: | updated |
description: | updated |
Changed in grub2-signed (Ubuntu): | |
status: | New → Fix Released |
./grub- core/fs/ squash4. c :
There may be data format mismatches between grub2 and the linux kernel's idea of squashfs:
These are the structures from grub2 for file and long_file:
grub_uint32_t block_size[0];
These are the structures from the linux kernel for squashfs_reg_inode and squashfs_ lreg_inode:
__le16 block_list[0];
squash_mount() checks grub_errno immediately after calling grub_disk_read(), before checking the return code. C idiom is to check "errno"-style variables only if an error is returned -- and also to set "errno"-style variables to 0 immediately before an operation if there's no error-return mechanism in place to avoid errors from previous operations mistakenly linger. This is probably not a security issue.
There are many calls to grub_malloc() with an arithmetic expression; normally these are better replaced with calloc(3)-alike wrappers which can check for integer wraparounds. I don't think any here are exploitable but I could have made a mistake.
grub_squash_ iterate_ dir() has extensive memory leaks in the reading or memory allocation error cases -- probably there's no recovery possible if the system is out of memory when running grub2, but I figured I'd mention it all the same. This is probably not a security issue.
./grub- core/disk/ loopback. c :
grub_loopback_ open() looks like it might handle gigantic sparse files poorly; a file that's within GRUB_DISK_ SECTOR_ SIZE bytes of 2^64 may set disk->total_sectors to a too-small value. This is probably not a security issue.
Now that grub is part of a security boundary the grub_malloc() calls with expressions should probably all be converted to using calloc(3)-style wrappers. It probably isn't worth blocking this specific change on this conversion though.
Thanks