[Bug 1987924] Re: GRUB may execute the kernel w/ dirty instruction cache on arm64
Launchpad Bug Tracker
1987924 at bugs.launchpad.net
Wed Jan 11 05:29:17 UTC 2023
This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu47.5
---------------
grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium
[ Chris Coulson ]
* SECURITY UPDATE: Fix out-of-bounds writes due to specially crafted fonts.
- add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
- add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
- CVE-2022-2601, CVE-2022-3775
- LP: #1996950
* Fix various issues as a result of fuzzing, static analysis and code review:
- add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
- add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
- add debian/patchces/font-Remove-grub_font_dup_glyph.patch
- add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
- add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
- add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
- add debian/patches/fbutil-Fix-integer-overflow.patch
- add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
- add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
- add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
* Forbid loading of external fonts when secure boot is enabled:
- add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
* Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
- update debian/control
- update debian/build-efi-image
- add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
* Fix the squashfs tests during the build
- remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
- add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
* Bump SBAT generation:
- update debian/sbat.ubuntu.csv.in
* Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33 in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks Julian Klode for the base-files hack to make a single binary be able to depend on 2 different versions of the same package)
[ dann frazier ]
* linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
- d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
[ Chris Coulson ]
* Source package generated from src:grub2 using make -f ./debian/rules generate-grub2-unsigned
-- Chris Coulson <chris.coulson at canonical.com> Thu, 17 Nov 2022 13:27:15 +0000
** Changed in: grub2-unsigned (Ubuntu Focal)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2601
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3775
https://bugs.launchpad.net/bugs/1987924
Title:
GRUB may execute the kernel w/ dirty instruction cache on arm64
Status in grub2-unsigned package in Ubuntu:
Fix Released
Status in grub2-unsigned source package in Bionic:
New
Status in grub2-unsigned source package in Focal:
Fix Released
Status in grub2-unsigned source package in Jammy:
New
Status in grub2-unsigned source package in Kinetic:
Fix Released
Bug description:
[Impact]
Similar to bug 1987541, where shim may execute GRUB w/ polluted instruction cache, GRUB itself also fails to flush the instruction cache for the kernel memory before starting it. This is believed to be the source of some rare crashes seen executing instructions in the kernel EFI stub.
[Test Case]
Put an arm64 server in a reboot loop and watch for a crash (synchronous exception abort) after GRUB has started executing the kernel.
[Fix]
https://github.com/rhboot/grub2/commit/4e9020a937a30873fa63ba34e16c1e6fb7e7b718
[What could go wrong]
The only risk I can identify is possibly-measurable performance impact to booting the kernel.