From 812bbe4c429b8ff7884be7a8d8429156f1019d28 Mon Sep 17 00:00:00 2001
From: Mate Kukri
Date: Mon, 4 Mar 2024 10:11:49 +0000
Subject: [PATCH] peimage: Move systab hook (un)installation to be right before/after the child image entry point (LP: #2054127)

GRUB does not call module fini upon exit, thus these hooks remain installed after running the command `exit`, leading to a use-after-free scenario.
---
 .../secure-boot/efi-use-peimage-shim.patch | 35 +++++++++----------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/debian/patches/secure-boot/efi-use-peimage-shim.patch b/debian/patches/secure-boot/efi-use-peimage-shim.patch
index 505f92fd5..e08335e84 100644
--- a/debian/patches/secure-boot/efi-use-peimage-shim.patch
+++ b/debian/patches/secure-boot/efi-use-peimage-shim.patch
@@ -30,9 +30,9 @@ Signed-off-by: Heinrich Schuchardt
 Signed-off-by: Julian Andres Klode
 ---
  grub-core/Makefile.core.def | 12 +
- grub-core/loader/efi/peimage.c | 902 +++++++++++++++++++++++++++++++++++++++++
+ grub-core/loader/efi/peimage.c | 901 +++++++++++++++++++++++++++++++++++++++++
  include/grub/efi/peimage.h | 19 +
- 3 files changed, 933 insertions(+)
+ 3 files changed, 932 insertions(+)
  create mode 100644 grub-core/loader/efi/peimage.c
  create mode 100644 include/grub/efi/peimage.h
@@ -61,10 +61,10 @@ index 333d3fe..c3ad031 100644
  efi = loader/efi/fdt.c;
 diff --git a/grub-core/loader/efi/peimage.c b/grub-core/loader/efi/peimage.c
 new file mode 100644
-index 0000000..0387277
+index 0000000..ec4d212
 --- /dev/null
 +++ b/grub-core/loader/efi/peimage.c
-@@ -0,0 +1,902 @@
+@@ -0,0 +1,901 @@
 +/* peimage.c - load EFI PE binaries (for Secure Boot support) */
 +
 +// SPDX-License-Identifier: GPL-3.0+
@@ -758,8 +758,8 @@ index 0000000..0387277
 +unload_image_hook (grub_efi_handle_t image_handle)
 +{
 + if (grub_efi_open_protocol (image_handle,
-+ &(grub_guid_t) GRUB_PEIMAGE_MARKER_GUID,
-+ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL))
++ &(grub_guid_t) GRUB_PEIMAGE_MARKER_GUID,
++ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL))
 + return GRUB_EFI_UNSUPPORTED;
 +
 + return unload_image_orig(image_handle);
@@ -865,6 +865,10 @@ index 0000000..0387277
 +
 + if (grub_setjmp (info->jmp))
 + {
++ /* Uninstall system table hooks after image exits */
++ grub_efi_system_table->boot_services->exit = exit_orig;
++ grub_efi_system_table->boot_services->unload_image = unload_image_orig;
++
 + status = info->exit_status;
 + do_unload_image (image_handle);
 + }
@@ -882,6 +886,13 @@ index 0000000..0387277
 + grub_arch_sync_caches (info->loaded_image.image_base,
 + info->loaded_image.image_size);
 +
++ /* Install system table hooks before entering image */
++ exit_orig = grub_efi_system_table->boot_services->exit;
++ grub_efi_system_table->boot_services->exit = exit_hook;
++ unload_image_orig = grub_efi_system_table->boot_services->unload_image;
++ grub_efi_system_table->boot_services->unload_image = unload_image_hook;
++
++ /* Call image entry point */
 + status = info->entry_point (image_handle, grub_efi_system_table);
 +
 + grub_dprintf ("linux", "Application returned\n");
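Review bot: The hooks installed right before `info->entry_point` in the -882 hunk are only restored on the `grub_setjmp` path of the -865 hunk; if the child returns from its entry point instead of calling Exit, execution continues past `grub_dprintf ("linux", "Application returned\n")` with `exit_hook` and `unload_image_hook` still in the boot services table, which is the same dangling-pointer situation the commit message describes once the module is unloaded. Unless the code following the hunk already does it, add `grub_efi_system_table->boot_services->exit = exit_orig;` and `grub_efi_system_table->boot_services->unload_image = unload_image_orig;` directly after the entry-point call as well, so both the Exit path and the plain-return path leave the table as they found it. Saving `exit_orig` and `unload_image_orig` unconditionally on every start also means that a nested start through this loader would record the hooks themselves as the originals and never restore the real services; this is inferred from the hunk alone, so either a guard against re-installing while the hooks are active or a comment stating that starts do not nest would make the assumption explicit. The enclosing function starts and ends outside these hunks.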
@@ -949,22 +960,10 @@ index 0000000..0387277
 +{
 + grub_efi_register_loader (&peimage_loader);
 + my_mod = mod;
-+
-+ // Hook exit handler
-+ exit_orig = grub_efi_system_table->boot_services->exit;
-+ grub_efi_system_table->boot_services->exit = exit_hook;
-+ // Hook unload_image handler
-+ unload_image_orig = grub_efi_system_table->boot_services->unload_image;
-+ grub_efi_system_table->boot_services->unload_image = unload_image_hook;
 +}
 +
 +GRUB_MOD_FINI (peimage)
 +{
-+ // Restore exit handler
-+ grub_efi_system_table->boot_services->exit = exit_orig;
-+ // Restore unload_image handler
-+ grub_efi_system_table->boot_services->unload_image = unload_image_orig;
-+
 + grub_efi_unregister_loader (&peimage_loader);
 +}
 diff --git a/include/grub/efi/peimage.h b/include/grub/efi/peimage.h
-- 
2.39.2