grub-efi crashes upon `exit`

I am setting this to "Private Security" as I believe this potentially is exploitable to gain unsigned code execution and bypass UEFI Secure Boot.

Marking Debian as affected to as this issue was introduced there.

In the teardown version, when the original functions are put back, do we run the risk of putting back functions from another module that have also been unloaded?

eg:

load A
load B
unload A
unload B

The Unload B operation may be putting back hooks that were installed by A when it was loaded first.

Unloading modules is often very challenging to get correct. Does grub actually *need* this functionality? It might be better to just pave over the functionality and prevent dangling pointers to functions by just never allowing the functions to be unmapped.

Thanks

Do you mean by "teardown version" the original one in peimage code? I don't think there is that specific problem because the only signed grub module that hooks these functions is peimage. And if you chainload multiple copies of GRUB itself (by extension the peimage module contained within) they always load-unload in a stack like manner because we only support chainloading applications.

We can and should get rid of unloading modules at least in secure boot mode, but that wouldnt help with this specific bug sadly. the problem here is that when grub itself exits, the module fini functions are *not called*, apparently by design.
But the systab pointers hooked are system global to UEFI, so we have to re-install them if we want to allow exiting grub itself without resetting the system.

I think moving the hook install/removal to before/after EFI image entry and exit is the right approach here, because with that the hooks arent installed by the time anything can interact with the copy of grub that installed the hooks, and child images running via peimage cannot unload their parent without first exiting themselves. (because there are stackframes pointing to the parent grub anyhow)

Current proposed plan is:

1. Assign CVE ourselves
2. Prepare package updates for noble and sid and set the "CRD" as to whenever we are ready to upload
3. Bump SbatLevel to "grub.peimage,2" in the July update for everyone

+1 Spend some time auditing peimage.c to make sure this is all

Disabling unloading in secure boot mode sounds like a good idea to me.

Your comment about "allow exiting grub without resetting the system" makes me wonder if we strictly need that feature, too. I can see some sense to "once you're in grub you either have to boot the next operating system or you have to reboot". Anything else would allow whatever functionality is in grub to change UEFI context that might mess with some other operating system, right?

Thanks

Currently MAAS relies on exiting GRUB when booting a 3rd party operating system that isn't currently bootable via the Canonical shim. We do plan on fixing this by allowing shim chainloading, but currently exit is required for MAAS.

After that it would be possible to get rid of exit, and from a security engineering perspective it would be nice as it would avoid all the resource deallocation paths, but as a user it would annoy me a little bit, so I am not entirely sure what is the right choice.

Please refer to this issue as CVE-2024-2312.

Máté will implement Debian fix, so extra coordination is not needed.

The public Coordinated Release Date for CVE-2024-2312 has been set to March 20th at 2PM UTC.

A fix has been released to Noble proposed and the CVE has been published.

https://launchpad.net/ubuntu/+source/grub2/2.12-1ubuntu7

The attachment "0001-peimage-Move-systab-hook-un-installation-to-be-right.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

This bug was fixed in the package grub2-unsigned - 2.12-1ubuntu7

---------------
grub2-unsigned (2.12-1ubuntu7) noble; urgency=medium

  * d/p/grub-sort-version.patch: Also patch grub-mkconfig to export GRUB_FLAVOUR_ORDER
  * d/grub-sort-version: Update regex to correctly match kernel flavour
  * d/grub-sort-version: Append `-0` to abi strings before passing to python-apt (Fixes LP: #2041827)
  * debian/: Add tests for grub-sort-version
  * Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127)
  * Increase SBAT level to "grub.ubuntu,2" and "grub.peimage,2"
  * d/build-efi-images: Make sure downstream didn't remove peimage SBAT entry
  * SECURITY UPDATE: Use-after-free in peimage module [LP: #2054127]
    - CVE-2024-2312
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden> Thu, 04 Apr 2024 11:12:35 +0100

This bug needs verification for mantic, added tags.

Verification OK, mantic remains bootable after upgrading to proposed package.