[Debian] High CVE: CVE-2021-3695/CVE-2021-3696/CVE-2021-3697/CVE-2022-28733/CVE-2022-28734/CVE-2022-28735/CVE-2022-28736 grub2: multiple CVEs

Bug #2034119 reported by Yue Tao
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  High        Li Zhou

Bug Description

CVE-2021-3695: https://nvd.nist.gov/vuln/detail/CVE-2021-3695

A crafted 16-bit grayscale PNG image may lead to an out-of-bounds write in the heap area. An attacker may take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent secure boot protections. This issue has a high complexity to be exploited as an attacker needs to perform some triage over the heap layout to achieve significant results; also the values written into the memory are repeated three times in a row, making it difficult to produce valid payloads. This flaw affects grub2 versions prior to grub-2.12.

CVE-2021-3696: https://nvd.nist.gov/vuln/detail/CVE-2021-3696

A heap out-of-bounds write may happen during the handling of Huffman tables in the PNG reader. This may lead to data corruption in the heap space. Confidentiality, Integrity and Availability impact may be considered Low as it is very complex for an attacker to control the encoding and positioning of corrupted Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This flaw affects grub2 versions prior to grub-2.12.

CVE-2021-3697: https://nvd.nist.gov/vuln/detail/CVE-2021-3697

A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in the heap. For a successful attack to be performed, the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions prior to grub-2.12.

CVE-2022-28733: https://nvd.nist.gov/vuln/detail/CVE-2022-28733

Integer underflow in grub_net_recv_ip4_packets; A maliciously crafted IP packet can lead to an integer underflow in the grub_net_recv_ip4_packets() function on the rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such a way, subsequent operations can write past the end of the buffer.

CVE-2022-28734: https://nvd.nist.gov/vuln/detail/CVE-2022-28734

Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, the GRUB2 HTTP code accidentally moves its internal data buffer pointer by one position. This can lead to an out-of-bounds write further on when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker-controlled set of packets can lead to corruption of GRUB2's internal memory metadata.

CVE-2022-28735: https://nvd.nist.gov/vuln/detail/CVE-2022-28735

GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules being loaded in GRUB2, breaking the secure boot trust chain.

CVE-2022-28736: https://nvd.nist.gov/vuln/detail/CVE-2022-28736

There's a use-after-free vulnerability in the grub_cmd_chainloader() function; The chainloader command is used to boot up operating systems that don't support multiboot and do not have direct support from GRUB2. When executing chainloader more than once, a use-after-free vulnerability is triggered. If an attacker can control GRUB2's memory allocation pattern, sensitive data may be exposed and arbitrary code execution can be achieved.

Base Score: High

Reference:

grub2_2.06-3~deb11u1
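The CVE-2022-28733 description above explains the failure mode in words: a length derived from attacker-controlled fragment fields wraps, and a wrapped length feeds an allocation that is later overrun. The following is an added example, not GRUB's code and not part of the bug report. It models that arithmetic as "8 * fragment_offset + (tail - data)" on a hypothetical packet buffer, shows the double wrap (underflow to a huge value, then overflow back to a small allocation size), and places the overflow-checked version beside it. The function names, the HEADROOM constant, the buffer and the pointer offsets are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the length arithmetic described for CVE-2022-28733.
 * This is NOT GRUB's code: the function names, the HEADROOM constant, the
 * buffer and the pointer offsets are assumptions made for the example.
 */

#define HEADROOM 256u  /* hypothetical slack an allocator adds to total_len */

/* Unchecked: plain size_t arithmetic. If header parsing left data past
 * tail, (tail - data) is negative and wraps to a huge unsigned value. */
static size_t total_len_unchecked(uint16_t frag_offset,
                                  const uint8_t *data, const uint8_t *tail)
{
    return 8u * (size_t)frag_offset + (size_t)(tail - data);
}

/* Unchecked allocation size: adding headroom to a huge total_len wraps a
 * second time, yielding a small allocation that later copies overrun. */
static size_t alloc_size_unchecked(size_t total_len)
{
    return total_len + HEADROOM;
}

/* Checked: reject a data pointer past tail, then let the compiler's
 * overflow-detecting builtins catch the multiply and the add. */
static bool total_len_checked(uint16_t frag_offset,
                              const uint8_t *data, const uint8_t *tail,
                              size_t *out)
{
    size_t current, scaled;

    if (data > tail)
        return false;                      /* would underflow */
    current = (size_t)(tail - data);
    if (__builtin_mul_overflow((size_t)8, (size_t)frag_offset, &scaled))
        return false;
    if (__builtin_add_overflow(scaled, current, out))
        return false;
    return true;
}

/* Checked allocation size: false if total_len + HEADROOM would wrap. */
static bool alloc_size_checked(size_t total_len, size_t *out)
{
    return !__builtin_add_overflow(total_len, (size_t)HEADROOM, out);
}

/* Constructed packet buffer; all pointers below stay inside it so the
 * pointer subtraction itself is well defined. */
static uint8_t pkt[1500];

/* Well-formed last fragment: offset 10 (80 bytes), 80 bytes of payload. */
size_t good_total_unchecked(void)
{
    return total_len_unchecked(10, pkt + 20, pkt + 100);
}

/* Malformed: header parsing advanced data 200 bytes beyond tail. */
size_t bad_total_unchecked(void)
{
    return total_len_unchecked(10, pkt + 300, pkt + 100);
}

size_t bad_alloc_unchecked(void)
{
    return alloc_size_unchecked(bad_total_unchecked());
}

/* Checked path: returns total_len, or 0 when the input is rejected. */
size_t checked_total(bool malformed)
{
    size_t t = 0;
    const uint8_t *data = malformed ? pkt + 300 : pkt + 20;

    if (!total_len_checked(10, data, pkt + 100, &t))
        return 0;
    return t;
}

int main(void)
{
    size_t a;

    printf("good total_len (unchecked):  %zu\n", good_total_unchecked());
    printf("bad  total_len (unchecked):  %zu\n", bad_total_unchecked());
    printf("bad  alloc size (unchecked): %zu\n", bad_alloc_unchecked());
    printf("bad  rejected by checked path: %s\n",
           checked_total(true) == 0 ? "yes" : "no");
    printf("good checked total_len:      %zu\n", checked_total(false));
    printf("alloc of SIZE_MAX (checked): %s\n",
           alloc_size_checked(SIZE_MAX, &a) ? "ok" : "rejected");
    return 0;
}
```

The point to take from the malformed case is that the final allocation size (136 bytes in this model) looks perfectly reasonable to the allocator; only the intermediate value is absurd, which is why the check has to sit on the subtraction and the add, not on the result.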

Li Zhou (lzhou2)
Changed in starlingx:
assignee: nobody → Li Zhou (lzhou2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/894002

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/894003

OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/894002
Committed: https://opendev.org/starlingx/integ/commit/44f318a38d18391a541c1bfc4bdc273d71fbe90c
Submitter: "Zuul (22348)"
Branch: master

commit 44f318a38d18391a541c1bfc4bdc273d71fbe90c
Author: Li Zhou <email address hidden>
Date: Tue Sep 5 13:54:52 2023 +0800

    grub2/grub-efi: fix CVEs

    Porting patches from grub2_2.06-3~deb11u1 to fix below CVEs:
    CVE-2021-3695
    CVE-2021-3696
    CVE-2021-3697
    CVE-2022-28733
    CVE-2022-28734

    The source code of grub2_2.06-3~deb11u1 is from:
    https://snapshot.debian.org/archive/debian/20220807T030023Z/pool
    /main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz

    The relationship between commits and CVEs is as below:
    (1)CVE-2021-3695
    commit <video/readers/png: Drop greyscale support to fix heap
    out-of-bounds write>
    (2)CVE-2021-3696
    commit <video/readers/png: Avoid heap OOB R/W inserting huff table items>
    (3)CVE-2021-3697
    commit <video/readers/jpeg: Block int underflow -> wild pointer write>
    (4)CVE-2022-28733
    commit <net/ip: Do IP fragment maths safely>
    (5)CVE-2022-28734
    commit <net/http: Fix OOB write for split http headers>
    commit <net/http: Error out on headers with LF without CR>

    Test plan:
     - PASS: build grub2/grub-efi.
     - PASS: build-image and install and boot up on lab/qemu.
     - PASS: check that the "stx.N" version number is right for both
             bios(grub2 ver) and uefi(grub-efi ver) boot.

    Partial-Bug: #2034119

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/starlingx/integ/+/894003
Committed: https://opendev.org/starlingx/integ/commit/8e6824ec91dec186f9c4a761dc7c191a4e8191ef
Submitter: "Zuul (22348)"
Branch: master

commit 8e6824ec91dec186f9c4a761dc7c191a4e8191ef
Author: Li Zhou <email address hidden>
Date: Tue Sep 5 14:55:38 2023 +0800

    grub2/grub-efi: fix CVE-2022-28736

    We add patches to fix CVEs for grub instead of upgrading because
    grub2/grub-efi is ported from yocto for bringing up secure boot.

    The patches for CVE-2022-28736 have conflicts with the patches for
    secure boot. So refer to below link to fix this CVE:
    (1) https://patchwork.yoctoproject.org/project/oe-core/patch/
    <email address hidden>/
    (2)https://github.com/jiazhang0/meta-secure-core/pull/257

    The special patches for grub-efi are from layers meta-lat and
    meta-secure-core of yocto upstream, which are based on the patches
    for grub-efi in oe-core layer (including CVE patches). We used to mix
    all the patches together. Now we will move the patches from meta-lat
    and meta-secure-core to the end of the sequence for applying patches,
    so that we can keep aligned with yocto upstream and make it easier
    to maintain the grub here.
    Since there are many patches involved here, we don't change the number
    in the patches' names, in case confusion is caused by renaming many files.

    Below commits are added for the CVE:
    <loader/efi/chainloader: Simplify the loader state>
    <commands/boot: Add API to pass context to loader>
    <loader/efi/chainloader: Use grub_loader_set_ex()>

    Below patches for secure boot are adapted for conflicts with above:
    secure-core/0009 <efi: chainloader: port shim to grub>
    secure-core/0010 <efi: chainloader: use shim to load and verify an image>
    secure-core/0012 <efi: chainloader: take care of unload undershim>

    All of them are aligned with upstream and no changes here.

    Test plan:
     - PASS: build grub2/grub-efi.
     - PASS: build-image and install and boot up on lab/qemu.
     - PASS: check that the "stx.N" version number is right for both
             bios(grub2 ver) and uefi(grub-efi ver) boot.
     - PASS: the tests are done on lab with secure boot disabled and
             enabled.

    Closes-Bug: #2034119

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: I9a37cd8b804b238407f8ac6528f087a2eb0cf2de
