[Bug 1889556] [NEW] grub-install failure does not fail package upgrade (and does not roll back to matching modules)

Robert C Jennings 1889556 at bugs.launchpad.net
Thu Jul 30 12:54:12 UTC 2020


*** This bug is a security vulnerability ***

Public security bug reported:

Failure to install new grub core to the specified device does not
correctly prevent upgrade to incompatible modules (LP: #1889509)

$ sudo debconf-get-selections |grep sda
grub-pc	grub-pc/install_devices_disks_changed	multiselect	/dev/sda
grub-pc	grub-pc/install_devices	multiselect	/dev/sda

$ mount|grep nvme
/dev/nvme0n1p1 on / type ext4 (rw,relatime,discard,data=ordered)

$ ls /dev/sda
ls: cannot access '/dev/sda': No such file or directory

$ sudo env DEBIAN_FRONTEND=noninteractive apt full-upgrade -y
...
Get:10 http://us-west-2.ec2.archive.ubuntu.com/ubuntu xenial-updates/main amd64 grub-pc-bin amd64 2.02~beta2-36ubuntu3.26 [891 kB]
...
Installing for i386-pc platform.
grub-install: error: cannot find a GRUB drive for /dev/sda.  Check your device.map.
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.4.0-1111-aws
Found linux image: /boot/vmlinuz-4.4.0-1109-aws
Found initrd image: /boot/initrd.img-4.4.0-1109-aws
done
...

# update-grub failed during the install but the return code is 0
$ echo $?
0

# The package is installed without apparent error, but the instance will fail to reboot (LP: #1889509)
$ dpkg -l|grep grub-pc
ii  grub-pc                          2.02~beta2-36ubuntu3.26                    amd64        GRand Unified Bootloader, version 2 (PC/BIOS version)
ii  grub-pc-bin                      2.02~beta2-36ubuntu3.26                    amd64        GRand Unified Bootloader, version 2 (PC/BIOS binaries)

# If I reboot it will fail to boot:
Booting from Hard Disk 0...
error: symbol `grub_calloc' not found.
Entering rescue mode...
grub rescue> _

---

Xenial in AWS (us-west-2 ami-060d1be0dd4526759 built on 20200611)
The debconf for grub was not set to the correct device when cloud-init first ran (LP: #1877491) or when the fix for that was applied (LP: #1889555).
The fact that grub-install fails during the upgrade but does not fail the package install (and cause a rollback) means that now we have a mismatch between grub core and modules, which breaks boot (LP: #1889509).

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: grub2 (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: grub2 (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: grub2 (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: grub2 (Ubuntu Groovy)
     Importance: Undecided
         Status: New


** Tags: regression-release regression-security regression-update

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1889556
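
The condition shown in the report, a grub-pc/install_devices debconf value naming a disk that is absent from the system, can be checked before running an unattended upgrade. The shell functions below are an added example, not part of the original report or of the grub2 packaging; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade check for stale grub-pc install devices.
# Input format is the tab-separated output of `debconf-get-selections`,
# as shown in the report (owner, question, type, value).

# Print every grub-pc/install_devices entry that does not exist on this system.
# Multiselect values are comma-separated, so a single line may name several disks.
missing_grub_devices() {
    awk -F'\t' '$1 == "grub-pc" && $2 == "grub-pc/install_devices" { print $4 }' |
    tr ',' '\n' |
    while read -r dev; do          # read trims the space that follows each comma
        [ -n "$dev" ] || continue
        # Same existence test the report performs with `ls /dev/sda`.
        [ -e "$dev" ] || printf '%s\n' "$dev"
    done
}

# Return 0 only if every configured install device exists. Otherwise list the
# missing ones on stderr and return 1, so a wrapper can stop before upgrading
# instead of relying on the exit status of the package upgrade.
grub_devices_ok() {
    missing=$(missing_grub_devices)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | sed 's/^/missing grub install device: /' >&2
    return 1
}

# Constructed sample input: /dev/null stands in for a disk that exists,
# /dev/constructed-missing-disk for one that does not (like /dev/sda in the report).
SAMPLE=$(printf '%s\t%s\t%s\t%s\n' \
    grub-pc grub-pc/install_devices_disks_changed multiselect /dev/null \
    grub-pc grub-pc/install_devices multiselect '/dev/null, /dev/constructed-missing-disk')

printf '%s\n' "$SAMPLE" | grub_devices_ok ||
    echo "stale install device found: fix debconf before apt full-upgrade"

# On a real system (requires debconf-utils):
#   sudo debconf-get-selections | grub_devices_ok || exit 1
```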
