The GRUB may use TPM to verify the integrity of boot components and the
result can determine whether a previously sealed key can be released. If
everything checks out, showing nothing has been tampered with, the key
is released and GRUB unlocks the encrypted root partition for the next
stage of booting.
However, the liberal Command Line Interface (CLI) can be misused by
anyone in this case to access files in the encrypted partition one way
or another. Despite efforts to keep the CLI secure by preventing utility
command output from leaking file content, many techniques in the wild
could still be used to exploit the CLI, enabling attacks or learning
methods to attack. It's nearly impossible to account for all scenarios
where a hack could be applied.
Therefore, to mitigate potential misuse of the CLI after the root device
has been successfully unlocked via TPM, the user should be required to
authenticate using the LUKS password. This added layer of security
ensures that only authorized users can access the CLI, reducing the risk
of exploitation or unauthorized access to the encrypted partition.
Fixes: CVE-2024-49504
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:

  X = grub_malloc(arithmetic_expr);

It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
- allocation of integer overflow in grub_video_bitmap_create()
reported by Chris Coulson,
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in grub_squash_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in grub_ext2_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in read_section_as_string()
reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

This modifies most of the places we do some form of:

  X = malloc(Y * Z);

to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
reported by Chris Coulson.
Fixes: CVE-2020-14308
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
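
The two allocation fixes described in the commit messages above (arithmetic checked before grub_malloc(), and malloc(Y * Z) replaced by calloc(Y, Z)), shown as an added example that is not GRUB code. safe_add()/safe_mul() are hypothetical stand-ins built on the GCC/Clang overflow builtins, and the function names and sample dimensions are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the grub_add()/grub_mul() helpers named in the
   commit message; each returns nonzero on overflow (GCC/Clang builtins). */
#define safe_add(a, b, res) __builtin_add_overflow((a), (b), (res))
#define safe_mul(a, b, res) __builtin_mul_overflow((a), (b), (res))

/* Unchecked pattern: the size a 32-bit "width * height * bpp" expression
   would hand to malloc(). Unsigned arithmetic wraps silently. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t bpp)
{
  return width * height * bpp;
}

/* Checked pattern: do the arithmetic first and refuse on overflow, so the
   buffer is never smaller than the data later written into it. */
void *alloc_bitmap(size_t width, size_t height, size_t bpp, size_t header,
                   size_t *out_size)
{
  size_t sz;
  if (safe_mul(width, height, &sz) || safe_mul(sz, bpp, &sz) ||
      safe_add(sz, header, &sz))
    return NULL;                /* untrusted dimensions overflowed */
  *out_size = sz;
  return malloc(sz);
}

/* calloc(Y, Z) pattern: the allocator checks Y * Z itself and zeroes
   the memory it returns. */
void *alloc_array(size_t count, size_t elem_size)
{
  return calloc(count, elem_size);
}

int main(void)
{
  size_t sz = 0;
  void *p = alloc_bitmap(640, 480, 4, 16, &sz);   /* constructed sample */
  printf("unchecked 65536x65536x4 -> %u bytes\n",
         (unsigned) unchecked_size(0x10000u, 0x10000u, 4u));
  printf("checked 640x480x4+16 -> %zu bytes (%s)\n", sz, p ? "ok" : "fail");
  printf("checked overflow -> %s\n",
         alloc_bitmap(SIZE_MAX / 2, 4, 1, 0, &sz) ? "allocated" : "refused");
  free(p);
  return 0;
}
```

The unchecked expression asks for 0 bytes for a 65536x65536 image, which is the undersized-buffer condition the checked form refuses to create.
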
When running grub in a VGA console of a KVM pseries guest on PowerPC,
you can see the cursor sweeping over the whole line when entering a
character in editor mode. This is visible because grub always refreshes
the whole line when entering a character in editor mode, and drawing
characters is quite a slow operation with the firmware used for the
powerpc pseries guests (SLOF).
To avoid this ugliness, the cursor should be disabled when refreshing
the screen contents during update_screen().
Signed-off-by: Thomas Huth <thuth@redhat.com>
off new function grub_script_execute_new_scope. Change callers to use
either of them as appropriate.
* grub-core/commands/eval.c: New command eval.
* docs/grub.texi (Commands): Document it.
written bytes.
(grub_get_num_of_utf8_bytes): New function.
(grub_ucs4_to_utf8_alloc): Use grub_get_num_of_utf8_bytes.
* grub-core/normal/menu_entry.c (run): Convert entry to UTF-8 before
executing it.
* include/grub/charset.h (grub_get_num_of_utf8_bytes): New proto.
(grub_ucs4_to_utf8): Change return type.
* grub-core/normal/charset.c (grub_unicode_aglomerate_comb): Don't
agglomerate control characters with combining marks.
(bidi_line_wrap): Allow break on tab.
(grub_unicode_get_comb_start): New function.
* grub-core/normal/menu_entry.c: Restructure to handle wide characters
and tab correctly.
* grub-core/normal/menu_text.c (print_entry): Replace \n, \r, \b and \e
with a space.
* grub-core/normal/term.c (print_ucs4_terminal): New argument
fixed_tab_size. All users updated.
* include/grub/term.h (GRUB_TERM_TAB_WIDTH): New const.
(grub_term_getcharwidth): Handle \t.
* include/grub/unicode.h (grub_unicode_glyph_dup): Fix allocation
and copy.
* grub-core/normal/menu_entry.c (per_term_screen): New member
num_entries.
(print_down): Use num_entries.
(update_screen): Likewise.
(grub_menu_entry_run): Set num_entries.
* grub-core/normal/menu_text.c (menu_viewer_data): New member
num_entries.
(grub_print_message_indented): Move real part to ...
(grub_print_message_indented_real): ... here. Additional argument
dry_run.
(draw_border): Additional argument num_entries.
(print_message): Additional argument dry_run.
(print_entries): Receive menu viewer data.
(grub_menu_init_page): New argument num_entries.
(menu_text_set_chosen_entry): Use num_entries.
(grub_menu_try_text): Likewise.
* grub-core/normal/term.c (print_ucs4_terminal): New argument dry_run.
All users updated.
(grub_ucs4_count_lines): New function.
* include/grub/term.h (grub_term_cursor_x): Moved from here ..
* grub-core/normal/menu_text.c (grub_term_cursor_x): ... to here.
* include/grub/term.h (GRUB_TERM_MESSAGE_HEIGHT): Removed.
(grub_term_border_height): Likewise.
(grub_term_num_entries): Likewise.
warning. (This was in fact always initialised before use, but GCC
wasn't smart enough to prove that.)
* grub-core/script/lexer.c (grub_script_lexer_yywrap): Likewise.
* grub-core/normal/menu.c (grub_menu_execute_entry): New parameter
auto_boot. All users updated.
Declared static.
Handle chosen and default with submenus.
(grub_menu_execute_with_fallback): Declared static.
Don't notify failure if autobooted. Upper level does it.
(menuentry_eq): New function.
(get_entry_number): Use menuentry_eq.
(show_menu): New parameter "autobooted". All users updated.
(grub_show_menu): Likewise.
* include/grub/normal.h (grub_show_menu): Likewise.
* include/grub/menu.h (grub_menu_execute_entry): Removed.
(grub_menu_execute_with_fallback): Likewise.
* grub-core/commands/menuentry.c (grub_normal_add_menu_entry): New
parameter submenu. All users updated.
* grub-core/normal/main.c (free_menu): Rename to ...
(grub_normal_free_menu): ... this. Made global.
* grub-core/normal/menu.c (grub_menu_execute_entry): Open new context
if requested.
* grub-core/normal/menu_entry.c (screen): New field submenu.
(make_screen): Set submenu.
(run): Open new context if requested.
* include/grub/menu.h (grub_menu_entry): New field submenu.
* include/grub/normal.h (grub_normal_free_menu): New proto.
has a chance to see them.
* grub-core/kern/err.c (grub_err_printed_errors): New variable.
(grub_print_error): Increment grub_err_printed_errors.
* grub-core/normal/menu.c (grub_menu_execute_entry): Pause the
execution if any errors were displayed.
(show_menu): Remove old code for pause.
* grub-core/normal/menu_entry.c (run): Likewise.
* grub-core/normal/term.c (grub_normal_char_counter): Removed. All
users updated.
(grub_normal_get_char_counter): Likewise.
* include/grub/err.h (grub_err_printed_errors): New external variable.
* include/grub/normal.h (grub_normal_get_char_counter): Removed.