Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
grub2.28278
0017-dl-Only-allow-unloading-modules-that-are-n...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0017-dl-Only-allow-unloading-modules-that-are-not-depende.patch of Package grub2.28278
From 912ab039a3a74dcd6dda0171128b18524d291ba8 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas <javierm@redhat.com> Date: Tue, 29 Sep 2020 14:08:55 +0200 Subject: [PATCH 17/41] dl: Only allow unloading modules that are not dependencies When a module is attempted to be removed its reference counter is always decremented. This means that repeated rmmod invocations will cause the module to be unloaded even if another module depends on it. This may lead to a use-after-free scenario allowing an attacker to execute arbitrary code and by-pass the UEFI Secure Boot protection. While being there, add the extern keyword to some function declarations in that header file. Fixes: CVE-2020-25632 Reported-by: Chris Coulson <chris.coulson@canonical.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/commands/minicmd.c | 7 +++++-- grub-core/kern/dl.c | 9 +++++++++ include/grub/dl.h | 8 +++++--- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c index a3a118241..6c46d569c 100644 --- a/grub-core/commands/minicmd.c +++ b/grub-core/commands/minicmd.c @@ -137,8 +137,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)), if (! mod) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such module"); - if (grub_dl_unref (mod) <= 0) - grub_dl_unload (mod); + if (grub_dl_ref_count (mod) > 1) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module"); + + grub_dl_unref (mod); + grub_dl_unload (mod); return 0; } diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c index 775d784b1..a71aaae43 100644 --- a/grub-core/kern/dl.c +++ b/grub-core/kern/dl.c @@ -554,6 +554,15 @@ grub_dl_unref (grub_dl_t mod) return --mod->ref_count; } +int +grub_dl_ref_count (grub_dl_t mod) +{ + if (mod == NULL) + return 0; + + return mod->ref_count; +} + static void grub_dl_flush_cache (grub_dl_t mod) { diff --git a/include/grub/dl.h b/include/grub/dl.h index 2bca56ce0..05b1c67b3 100644 --- a/include/grub/dl.h +++ b/include/grub/dl.h @@ -202,9 +202,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name); grub_dl_t grub_dl_load_core (void *addr, grub_size_t size); grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size); int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod); -void grub_dl_unload_unneeded (void); -int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod); -int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod); +extern void grub_dl_unload_unneeded (void); +extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod); +extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod); +extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod); + extern grub_dl_t EXPORT_VAR(grub_dl_head); #ifndef GRUB_UTIL -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor