systemd-stub fails to boot when loaded via peimage

Bug #2057679 reported by Mate Kukri
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| grub2-unsigned (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Mantic | Fix Committed | Undecided | Unassigned | |
| Noble | Fix Released | Undecided | Unassigned | |

Bug Description

systemd-stub fails to boot when loaded via peimage.

This is because peimage internally allocates an ImageHandle for images it starts and loads. systemd-stub will then pass its own ImageHandle as ParentImageHandle to the firmware's LoadImage() function to load and start the embedded Linux kernel.

The UEFI spec doesn't elaborate on this being allowed or not, but it seems like edk2-based firmwares try to locate private data attached to such a ParentImageHandle, then assert.
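The failure described above, as an added example that is not part of the original report and is not edk2, GRUB or systemd code: a simplified C model in which the firmware steps back from the loaded-image interface on the parent handle to its own private record and validates a signature. The record layouts, signature value, status codes and function names are all assumptions made for illustration.

```c
/* Simplified model, constructed for illustration; not edk2, GRUB or systemd code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_SIG 0x46574c49u  /* constructed signature value */
enum { LOAD_OK = 0, LOAD_BAD_PARENT = 1 };  /* hypothetical status codes */

/* Public interface that any module can install on a handle. */
typedef struct { uint32_t revision; void *image_base; } loaded_image_t;
/* Firmware-private record that embeds the public interface. */
typedef struct { uint32_t signature; uint32_t started; loaded_image_t info; } fw_private_t;
/* Record a loader module keeps for images it starts itself. */
typedef struct { uint32_t tag; uint32_t refs; loaded_image_t info; } module_private_t;
/* A handle, reduced to the one protocol pointer that matters here. */
typedef struct { loaded_image_t *loaded_image; } handle_t;

/* Step back from the interface to the enclosing record and validate it. */
static int parent_is_firmware_image(const handle_t *h) {
    uint32_t sig;
    if (h == NULL || h->loaded_image == NULL) return 0;
    memcpy(&sig, (const char *)h->loaded_image - offsetof(fw_private_t, info), sizeof sig);
    return sig == FW_SIG;
}

/* Parent check; per the report, edk2-based firmware asserts here instead. */
static int load_image(const handle_t *parent) {
    return parent_is_firmware_image(parent) ? LOAD_OK : LOAD_BAD_PARENT;
}

/* Parent handle created by the firmware's own loader. */
static int child_load_with_firmware_parent(void) {
    fw_private_t rec = { FW_SIG, 1, { 0x1000, NULL } };
    handle_t h = { &rec.info };
    return load_image(&h);
}
/* Parent handle allocated by a module for an image it loaded itself. */
static int child_load_with_module_parent(void) {
    module_private_t rec = { 0x4d4f4455u, 1, { 0x1000, NULL } };
    handle_t h = { &rec.info };
    return load_image(&h);
}

int main(void) {
    printf("firmware-made parent: %d\n", child_load_with_firmware_parent());
    printf("module-made parent:   %d\n", child_load_with_module_parent());
    return 0;
}
```

In this model only a handle whose loaded-image interface sits inside a firmware-created record passes the parent check.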

Mate Kukri (mkukri)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.12-1ubuntu7

---------------
grub2-unsigned (2.12-1ubuntu7) noble; urgency=medium

  * d/p/grub-sort-version.patch: Also patch grub-mkconfig to export GRUB_FLAVOUR_ORDER
  * d/grub-sort-version: Update regex to correctly match kernel flavour
  * d/grub-sort-version: Append `-0` to abi strings before passing to python-apt (Fixes LP: #2041827)
  * debian/: Add tests for grub-sort-version
  * Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127)
  * Increase SBAT level to "grub.ubuntu,2" and "grub.peimage,2"
  * d/build-efi-images: Make sure downstream didn't remove peimage SBAT entry
  * SECURITY UPDATE: Use-after-free in peimage module [LP: #2054127]
    - CVE-2024-2312
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden> Thu, 04 Apr 2024 11:12:35 +0100

Changed in grub2-unsigned (Ubuntu Noble):
status: New → Fix Released
Mate Kukri (mkukri)
Changed in grub2-unsigned (Ubuntu Mantic):
status: New → Invalid
status: Invalid → Fix Committed
Julian Andres Klode (juliank) wrote :

This bug needs verification for mantic, added tags.

tags: added: verification-needed verification-needed-mantic