[Bug 1604499] Re: include loopback and squash4 modules in EFI binary

Seth Arnold 1604499 at bugs.launchpad.net
Fri Jul 22 03:57:38 UTC 2016


./grub-core/fs/squash4.c :

There may be data format mismatches between grub2 and the linux kernel's
idea of squashfs:

These are the structures from grub2 for file and long_file:
grub_uint32_t block_size[0];

These are the structures from the linux kernel for squashfs_reg_inode and squashfs_lreg_inode:
__le16                  block_list[0];


squash_mount() checks grub_errno immediately after calling grub_disk_read(), before checking the return code. C idiom is to check "errno"-style variables only if an error is returned -- and also to set "errno"-style variables to 0 immediately before an operation if there's no error-return mechanism in place, to avoid errors from previous operations mistakenly lingering. This is probably not a security issue.

There are many calls to grub_malloc() with an arithmetic expression;
normally these are better replaced with calloc(3)-alike wrappers which
can check for integer wraparounds. I don't think any here are
exploitable but I could have made a mistake.

grub_squash_iterate_dir() has extensive memory leaks in the reading or
memory allocation error cases -- probably there's no recovery possible
if the system is out of memory when running grub2, but I figured I'd
mention it all the same. This is probably not a security issue.

./grub-core/disk/loopback.c :

grub_loopback_open() looks like it might handle gigantic sparse files
poorly; a file that's within GRUB_DISK_SECTOR_SIZE bytes of 2^64 may set
disk->total_sectors to a too-small value. This is probably not a
security issue.


Now that grub is part of a security boundary the grub_malloc() calls with expressions should probably all be converted to using calloc(3)-style wrappers. It probably isn't worth blocking this specific change on this conversion though.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1604499

Title:
  include loopback and squash4 modules in EFI binary

Status in grub2 package in Ubuntu:
  New
Status in grub2 source package in Xenial:
  New

Bug description:
  Development versions of snappy Ubuntu Core leverage grub's squashfs
  support to load kernels and initramfs directly from the kernel snap
  (which is a squashfs-format archive).  This requires the loopback and
  the squash4 grub modules to be loaded.

  Currently, neither of these modules is included in the signed EFI
  binaries, therefore this boot strategy is not compatible with
  SecureBoot.

  We should verify that the loopback and squash4 modules are suitable
  for inclusion in the signed binary, and include them.
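As an added example (not grub code, and not part of the bug thread), overflow-safe C versions of the two patterns questioned in the review above: a calloc(3)-style wrapper in place of grub_malloc() with an arithmetic argument, and a sector-count round-up that does not wrap for file sizes within a sector of 2^64. SECTOR_SIZE, mul_would_wrap, alloc_array, sectors_naive and sectors_safe are hypothetical names chosen for this illustration.

```c
/* Added example, not grub code: overflow-safe versions of the two
 * patterns questioned in the review. All names here are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define SECTOR_SIZE 512u  /* stands in for GRUB_DISK_SECTOR_SIZE */

/* 1 if nmemb * size would wrap in size_t, else 0. A plain
 * malloc(nmemb * size) cannot tell and hands back a short buffer. */
int mul_would_wrap(size_t nmemb, size_t size)
{
    size_t total;
    return __builtin_mul_overflow(nmemb, size, &total) ? 1 : 0;
}

/* calloc(3)-style wrapper: refuse the request when the product does
 * not fit in size_t, instead of allocating a wrapped, too-small size. */
void *alloc_array(size_t nmemb, size_t size)
{
    size_t total;
    if (__builtin_mul_overflow(nmemb, size, &total)) {
        errno = EOVERFLOW;
        return NULL;
    }
    return malloc(total);
}

/* Naive round-up: size + SECTOR_SIZE - 1 wraps when size is within
 * SECTOR_SIZE bytes of 2^64, so the sector count comes out too small. */
uint64_t sectors_naive(uint64_t size)
{
    return (size + SECTOR_SIZE - 1) / SECTOR_SIZE;
}

/* Round up without the intermediate sum: correct for every size. */
uint64_t sectors_safe(uint64_t size)
{
    return size / SECTOR_SIZE + (size % SECTOR_SIZE != 0);
}
```

For a 2^64 - 1 byte file, sectors_naive() returns 0 while sectors_safe() returns 2^55, which is the kind of too-small total_sectors the review describes.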
