grub-efi crashes upon `exit`
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2 (Debian) | New | Undecided | Unassigned |
grub2-unsigned (Ubuntu) | Fix Released | Medium | Mate Kukri |
Mantic | Fix Released | Undecided | Unassigned |
Noble | Fix Released | Medium | Mate Kukri |

Bug Description
[Impact]
Signed grub2 binaries in Ubuntu Mantic are affected by CVE-2024-2312. Please see details below.
[Test Plan]
Make sure Ubuntu Mantic still boots with the new GRUB.
[Where problems could occur]
Not very likely; the Ubuntu Mantic fix is a simple git revert of the faulty change.
=======
This was the original issue description, which is kept for reference.
grub> exit
!!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!!
RIP - 000000005AE781A6, CS - 0000000000000038, RFLAGS - 0000000000210202
RAX - 000000005C903E90, RCX - 000000005D93B918, RDX - 000000E8DB694800
RBX - 8000000000000001, RSP - 000000007EEF4AE8, RBP - 000000007EEF04A0
RSI - 000000007EF09440, RDI - 000000007F703B48
R8 - 0000000000000000, R9 - 0000000000000000, R10 - 000000005C8F147C
R11 - 000000005ABB1340, R12 - 0000000000000000, R13 - 000000005ADA7C13
R14 - 000000005C8F15AB, R15 - 000000005C9040A0
DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030
GS - 0000000000000030, SS - 0000000000000030
CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 000000005EC01000
CR4 - 0000000000000668, CR8 - 0000000000000000
DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 000000005E9E0000 0000000000000047, LDTR - 0000000000000000
IDTR - 000000005E39F018 0000000000000FFF, TR - 0000000000000000
FXSAVE_STATE - 000000007EEF4740
!!!! Find image based on IP(0x5AE781A6) (No PDB) (ImageBase=
Exiting grub-efi causes my OVMF virtual machine to crash with the above error.
The #UD likely comes from some global hook not being uninstalled.
Related branches
- Julian Andres Klode: Pending requested
Diff: 2339 lines (+1674/-237)
24 files modified
debian/build-efi-images (+6/-0)
debian/changelog (+26/-0)
debian/control (+2/-0)
debian/grub-sort-version (+2/-2)
debian/patches/grub-sort-version.patch (+16/-1)
debian/patches/kern-efi-mm-Change-grub_efi_allocate_pages_real-to-call-s.patch (+36/-0)
debian/patches/kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-track-.patch (+69/-0)
debian/patches/kern-efi-mm-Detect-calls-to-grub_efi_drop_alloc-with-wron.patch (+34/-0)
debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch (+116/-0)
debian/patches/nx/modules-Don-t-allocate-space-for-non-allocable-sections.patch (+37/-0)
debian/patches/nx/modules-load-module-sections-at-page-aligned-addresses.patch (+390/-0)
debian/patches/nx/modules-strip-.llvm_addrsig-sections-and-similar.patch (+41/-0)
debian/patches/nx/nx-add-memory-attribute-get-set-API.patch (+252/-0)
debian/patches/nx/nx-set-page-permissions-for-loaded-modules.patch (+222/-0)
debian/patches/nx/nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch (+49/-0)
debian/patches/nx/peimage-Add-memory-attribute-support.patch (+132/-0)
debian/patches/secure-boot/efi-use-peimage-shim.patch (+151/-227)
debian/patches/series (+11/-0)
debian/patches/suse-grub.texi-add-net_bootp6-document.patch (+3/-3)
debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch (+1/-1)
debian/patches/ubuntu-support-initrd-less-boot.patch (+1/-1)
debian/rules (+3/-0)
debian/sbat.ubuntu.csv.in (+2/-2)
debian/test_grub_sort_version.py (+72/-0)
CVE References
Changed in grub2-unsigned (Ubuntu):
assignee: nobody → Mate Kukri (mkukri)
importance: Undecided → Medium
tags: added: foundations-todo
description: updated
description: updated
Changed in grub2-unsigned (Ubuntu):
status: New → Fix Committed
I am setting this to "Private Security" as I believe this potentially is exploitable to gain unsigned code execution and bypass UEFI Secure Boot.