From b524202569789ead872d1d71d35257f1e9d8a601 Mon Sep 17 00:00:00 2001
From: Peridot Bot <rockyautomation@rockylinux.org>
Date: Wed, 12 Jun 2024 01:31:55 +0000
Subject: [PATCH] import grub2-2.06-80.el9_4

---
 .grub2.checksum                               |   2 +-
 .../0344-grub-install-on-EFI-if-forced.patch  |  77 ++++++++
 ...d-search-Rework-of-CVE-2023-4001-fix.patch | 182 ++++++++++++++++++
 SOURCES/grub.patches                          |   2 +
 SPECS/grub2.spec                              |  22 ++-
 5 files changed, 279 insertions(+), 6 deletions(-)
 create mode 100644 SOURCES/0344-grub-install-on-EFI-if-forced.patch
 create mode 100644 SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch

diff --git a/.grub2.checksum b/.grub2.checksum
index f5c6ecd..20fc551 100644
--- a/.grub2.checksum
+++ b/.grub2.checksum
@@ -1 +1 @@
-8e0ad9783c648f001168ba5876d58958a0be6c86f62e694babeb9cae5ff19ec6
+28206f6ddbbcaa61d84e5d5d0cd2debe5d942b9e26c9215c2714f5b781db3cbe
diff --git a/SOURCES/0344-grub-install-on-EFI-if-forced.patch b/SOURCES/0344-grub-install-on-EFI-if-forced.patch
new file mode 100644
index 0000000..ad231ac
--- /dev/null
+++ b/SOURCES/0344-grub-install-on-EFI-if-forced.patch
@@ -0,0 +1,77 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marta Lewandowska <mlewando@redhat.com>
+Date: Fri, 13 Oct 2023 09:13:41 +0200
+Subject: [PATCH] grub-install on EFI if forced
+
+UEFI Secure Boot requires signed grub binaries to work, so grub-
+install should not be used. However, users who have Secure Boot
+disabled and wish to use the command should not be prevented from
+doing so if they invoke --force.
+
+fixes bz#1917213 / bz#2240994
+
+Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
+---
+ util/grub-install.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 5babc7af5518..162162bec6e2 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -899,22 +899,6 @@ main (int argc, char *argv[])
+ 
+   platform = grub_install_get_target (grub_install_source_directory);
+ 
+-  switch (platform)
+-    {
+-    case GRUB_INSTALL_PLATFORM_ARM_EFI:
+-    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+-    case GRUB_INSTALL_PLATFORM_I386_EFI:
+-    case GRUB_INSTALL_PLATFORM_IA64_EFI:
+-    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+-      is_efi = 1;
+-      grub_util_error (_("this utility cannot be used for EFI platforms"
+-                         " because it does not support UEFI Secure Boot"));
+-      break;
+-    default:
+-      is_efi = 0;
+-      break;
+-    }
+-
+   {
+     char *platname = grub_install_get_platform_name (platform);
+     fprintf (stderr, _("Installing for %s platform.\n"), platname);
+@@ -1027,6 +1011,32 @@ main (int argc, char *argv[])
+   grub_hostfs_init ();
+   grub_host_init ();
+ 
++  switch (platform)
++    {
++    case GRUB_INSTALL_PLATFORM_I386_EFI:
++    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
++    case GRUB_INSTALL_PLATFORM_ARM_EFI:
++    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
++    case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
++    case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
++    case GRUB_INSTALL_PLATFORM_IA64_EFI:
++      is_efi = 1;
++      if (!force)
++        grub_util_error (_("This utility should not be used for EFI platforms"
++                          " because it does not support UEFI Secure Boot."
++                          " If you really wish to proceed, invoke the --force"
++                          " option.\nMake sure Secure Boot is disabled before"
++                          " proceeding"));
++      break;
++    default:
++      is_efi = 0;
++      break;
++
++      /* pacify warning.  */
++    case GRUB_INSTALL_PLATFORM_MAX:
++      break;
++    }
++
+   /* Find the EFI System Partition.  */
+   if (is_efi)
+     {
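Review bot: The `/* pacify warning.  */` comment and the `case GRUB_INSTALL_PLATFORM_MAX:` label sit after the `default:` branch's `break;`, so on first reading the comment looks like it belongs to `default:`; placing `case GRUB_INSTALL_PLATFORM_MAX:` before `default:` with the comment on the case itself keeps the intent visible. More substantively, when `--force` is given on an EFI platform the new code continues without any output, so nothing in the install log records that the Secure Boot guard was bypassed; a `grub_util_warn (_("installing on an EFI platform with --force; Secure Boot must be disabled"))` in the `force` branch would leave that trace. The check is also moved from line 899 to after `grub_hostfs_init ()` / `grub_host_init ()`, which looks deliberate but is not explained in the commit message; one sentence there would help the next reader. `main` starts and ends outside both hunks of the nested patch.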
diff --git a/SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch b/SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
new file mode 100644
index 0000000..068bc77
--- /dev/null
+++ b/SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
@@ -0,0 +1,182 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Thu, 16 May 2024 10:58:32 +0200
+Subject: [PATCH] cmd/search: Rework of CVE-2023-4001 fix
+
+The initial fix implemented a new flag that forces the grub cfg
+stub to be located on the same disk as grub. This created several
+issues such as RAID machines not being able to boot as their
+partition names under grub were different from the partition where
+grub is located. It also simply means that any machines with the
+/boot partition located on a disk other than the one containing grub
+won't boot.
+This commit denies booting if the grub cfg stub is located on a USB
+drive with a duplicated UUID (UUID being the same as the partition
+containing the actual grub cfg stub)
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ grub-core/commands/search.c | 136 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 127 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
+index 94fe8b2872a1..c052cb098c36 100644
+--- a/grub-core/commands/search.c
++++ b/grub-core/commands/search.c
+@@ -30,6 +30,8 @@
+ #include <grub/i18n.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/efi/api.h>
++#include <grub/time.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -54,6 +56,100 @@ struct search_ctx
+   int is_cache;
+ };
+ 
++static int
++is_device_usb (const char *name)
++{
++  int ret = 0;
++
++  grub_device_t dev = grub_device_open(name);
++
++  if (dev)
++    {
++      struct grub_efidisk_data
++      {
++        grub_efi_handle_t handle;
++        grub_efi_device_path_t *device_path;
++        grub_efi_device_path_t *last_device_path;
++        grub_efi_block_io_t *block_io;
++        struct grub_efidisk_data *next;
++      };
++
++      if (dev->disk && dev->disk->data)
++        {
++        struct grub_efidisk_data *dp = dev->disk->data;
++
++        if ( GRUB_EFI_DEVICE_PATH_TYPE (dp->last_device_path) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE &&
++          GRUB_EFI_DEVICE_PATH_SUBTYPE (dp->last_device_path) == GRUB_EFI_USB_DEVICE_PATH_SUBTYPE)
++          {
++            ret = 1;
++          }
++        }
++      grub_device_close(dev);
++    }
++
++  return ret;
++}
++
++static int
++get_device_uuid(const char *name, char** quid)
++{
++  int ret = 0;
++
++  grub_device_t dev_part = grub_device_open(name);
++
++  if (dev_part)
++    {
++      grub_fs_t fs;
++
++      fs = grub_fs_probe (dev_part);
++
++#ifdef DO_SEARCH_FS_UUID
++#define read_fn fs_uuid
++#else
++#define read_fn fs_label
++#endif
++      if (fs && fs->read_fn)
++        {
++          fs->read_fn (dev_part, quid);
++
++          if (grub_errno == GRUB_ERR_NONE && *quid)
++            {
++	      ret = 1;
++            }
++
++        }
++        grub_device_close (dev_part);
++    }
++
++  return ret;
++}
++struct uuid_context {
++  char* name;
++  char* uuid;
++};
++
++static int
++check_for_duplicate (const char *name, void *data)
++{
++  int ret = 0;
++  struct uuid_context * uuid_ctx = (struct uuid_context *)data;
++  char *quid = 0;
++
++  get_device_uuid(name, &quid);
++
++  if (quid == NULL)
++    return 0;
++
++  if (!grub_strcasecmp(quid, uuid_ctx->uuid) && grub_strcasecmp(name, uuid_ctx->name))
++    {
++      ret = 1;
++    }
++
++  grub_free(quid);
++
++  return ret;
++}
++
+ /* Helper for FUNC_NAME.  */
+ static int
+ iterate_device (const char *name, void *data)
+@@ -104,15 +200,37 @@ iterate_device (const char *name, void *data)
+             grub_str_sep (root_dev, root_disk, ',', rem_1);
+             grub_str_sep (name, name_disk, ',', rem_2);
+             if (root_disk != NULL && *root_disk != '\0' &&
+-             name_disk != NULL && *name_disk != '\0')
+-              if (grub_strcmp(root_disk, name_disk) != 0)
+-                {
+-                  grub_free (root_disk);
+-                  grub_free (name_disk);
+-                  grub_free (rem_1);
+-                  grub_free (rem_2);
+-                  return 0;
+-                }
++    	        name_disk != NULL && *name_disk != '\0')
++              {
++                grub_device_t dev, dev_part;
++
++                if (is_device_usb(name) && !is_device_usb(root_dev))
++                  {
++                    char *quid_name = NULL;
++                    int longlist = 0;
++                    struct uuid_context uuid_ctx;
++                    int ret = 0;
++
++                    get_device_uuid(name, &quid_name);
++                    if (!grub_strcmp(quid_name, ctx->key))
++                      {
++                        uuid_ctx.name = name;
++                        uuid_ctx.uuid = quid_name;
++
++                        ret = grub_device_iterate (check_for_duplicate, &uuid_ctx);
++
++                        if (ret)
++                          {
++                            grub_printf("Duplicated media UUID found, rebooting ...\n");
++                            grub_sleep(10);
++                            grub_reboot();
++                          }
++                      }
++
++                    if (quid_name) grub_free (quid_name);
++
++                  }
++              }
+ 	  }
+         grub_free (root_disk);
+         grub_free (name_disk);
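Review bot: `grub_strcmp(quid_name, ctx->key)` dereferences `quid_name` without checking it, and the return value of `get_device_uuid(name, &quid_name)` on the line before is ignored, so a USB device whose filesystem has no UUID or whose probe fails dereferences NULL; `check_for_duplicate` does guard `quid == NULL`, and the same guard belongs here: `if (quid_name != NULL && grub_strcmp (quid_name, ctx->key) == 0)`. `is_device_usb` casts `dev->disk->data` to a locally re-declared copy of efidisk's private `struct grub_efidisk_data` without checking that the disk belongs to the EFI disk driver; unless this module is only ever built for EFI targets, a non-EFI disk's private data would be read as a device path, and even on EFI the duplicated layout silently breaks if efidisk.c changes, so an accessor exported from the efidisk code (or at least a check of `dev->disk->dev->id`) would be safer. `grub_device_t dev, dev_part;` at the top of the new block is never used in the visible lines. `iterate_device` starts and ends outside this hunk.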
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 7782ccd..ba10b27 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -341,3 +341,5 @@ Patch0340: 0340-fs-ntfs-Make-code-more-readable.patch
 Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch
 Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch
 Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch
+Patch0344: 0344-grub-install-on-EFI-if-forced.patch
+Patch0345: 0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 822a846..d2efd10 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -16,7 +16,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 77%{?dist}
+Release: 80%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -339,9 +339,11 @@ fi
 if test ! -f ${EFI_HOME}/grub.cfg; then
     # there's no config in ESP, create one
     grub2-mkconfig -o ${EFI_HOME}/grub.cfg
+    cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
+    cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
 fi
 
-if grep -q "configfile" ${EFI_HOME}/grub.cfg; then
+if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
     exit 0 # already unified, nothing to do
 fi
 
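Review bot: Moving the `cp -a ... grub.cfg.rpmsave` and the copy into `${GRUB_HOME}` under the `test ! -f` branch (with the unconditional copies removed in the next hunk) means an existing ESP `grub.cfg` that is not a stub is no longer backed up before `mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg` replaces it, and is no longer carried to `${GRUB_HOME}` either. The move itself makes sense for an old stub, which must not be copied over the real config, but the non-stub case appears to lose the only copy of the user's configuration unless the lines between the two hunks handle it. Guarding the copies on the file not being a stub keeps both behaviours: `if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave; cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/; fi` placed before the `mv`. The scriptlet starts and ends outside this hunk.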
@@ -361,8 +363,6 @@ if test -f ${EFI_HOME}/grubenv; then
     mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv
 fi
 
-cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
-cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
 mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 
 %files common -f grub.lang
@@ -534,7 +534,7 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
-* Wed May 01 2024 Release Engineering <releng@rockylinux.org> - 2.06-77
+* Wed Jun 12 2024 Release Engineering <releng@rockylinux.org> - 2.06-80
 - Removing redhat old cert sources entries (Sherif Nagy)
 - Preserving rhel9 sbat entry based on shim-review feedback ticket no. 194
 - Adding prod cert
@@ -543,6 +543,18 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 - Adding Rocky testing CA, CERT and sbat files
 - Use DER for ppc64le builds from rocky-sb-certs (Louis Abel)
 
+* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-80
+- Added more code for the previous CVE fix
+- Related: #RHEL-39405
+
+* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-79
+- cmd/search: Rework of CVE-2023-4001 fix
+- Resolves: #RHEL-39405
+
+* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-78
+- util: grub-install on EFI if forced
+- Resolves: #RHEL-20443
+
 * Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-77
 - kern/dl: grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes
 - Resolves: #RHEL-26322
-- 
GitLab