proxmox-mirrors/grub2
1
0
Fork 0
mirror of https://git.proxmox.com/git/grub2 synced 2025-08-15 10:43:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

dl: Only allow unloading modules that are not dependencies

Browse Source 
When a module is attempted to be removed its reference counter is always
decremented. This means that repeated rmmod invocations will cause the
module to be unloaded even if another module depends on it.

This may lead to a use-after-free scenario allowing an attacker to execute
arbitrary code and by-pass the UEFI Secure Boot protection.

While being there, add the extern keyword to some function declarations in
that header file.

Fixes: CVE-2020-25632

Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Javier Martinez Canillas 2020-09-29 14:08:55 +02:00 committed by Daniel Kiper
parent f05e79a014
commit 7630ec5397
3 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
grub-core/commands/minicmd.c
View File

@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
if (grub_dl_is_persistent (mod))
return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
if (grub_dl_unref (mod) <= 0)
grub_dl_unload (mod);
if (grub_dl_ref_count (mod) > 1)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
grub_dl_unref (mod);
grub_dl_unload (mod);
return 0;
}

9
grub-core/kern/dl.c
View File

@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
return --mod->ref_count;
}
int
grub_dl_ref_count (grub_dl_t mod)
{
if (mod == NULL)
return 0;
return mod->ref_count;
}
static void
grub_dl_flush_cache (grub_dl_t mod)
{

8
include/grub/dl.h
View File

@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
void grub_dl_unload_unneeded (void);
int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
extern void grub_dl_unload_unneeded (void);
extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
extern grub_dl_t EXPORT_VAR(grub_dl_head);
#ifndef GRUB_UTIL