Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 7 Jun 2022 19:04:13 +0000
From: John Haxby <>
To: "" <>
CC: Daniel Kiper <>
Subject: [SECURITY PATCH 00/30]  Multiple GRUB2 vulnerabilities - 2022/06/07

[ This message was sent to   It's archived at.    ]
[ ]
[ and the 30 individual patches are linked from there as well as in.  ]
[ the git repo. These issues were previously brought to the.          ]
[ linux-distros list.                                                 ]

Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 during last year. The most severe ones, i.e. potentially exploitable,
have CVEs assigned and are listed at the end of this email. Additionally, the list
of CVEs contains a CVE assigned for the shim vulnerability. It has been added
for completeness.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here [1] we are listing at
least some links to the messaging known at the time of this posting.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) [2] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository [3] too.

I would like to thank, in alphabetical order, the following people who were working
really hard on the GRUB, shim and other things related to these issues:
 - Alec Brown (Oracle),
 - Alexander Burmashev (Oracle),
 - Andrew Cooper (Citrix),
 - Chris Coulson (Canonical),
 - D. Jared Dominguez (Red Hat),
 - Daniel Axtens,
 - Darren Kenny (Oracle),
 - Eric Snowberg (Oracle),
 - Ilya Okomin (Oracle),
 - Jagannathan Raman (Oracle),
 - Jan Setje-Eilers (Oracle),
 - Jeremiah Cox,
 - John Haxby (Oracle),
 - Julian Andres Klode (Canonical),
 - Lidong Chen (Oracle),
 - Marco A Benatto (Red Hat),
 - Marcus Meissner (SUSE),
 - Marta Lewandowska (Red Hat),
 - Michael Chang (SUSE),
 - Peter Jones (Red Hat),
 - Petr Janda (Red Hat),
 - Robbie Harwood (Red Hat),
 - Robert Truxal (Microsoft),
 - Ross Philipson (Oracle),
 - Steve McIntyre (Debian),
 - Sudhakar Kuppusamy (IBM),
 - Tamas K Lengyel (Intel),
 - Todd Cullum (Red Hat),
 - Vikram Narayanan (University of California Irvine).

We would not be able to succeed without all your hard work.

It was very big pleasure to work with you all.

Thank you!


[1] Red Hat:




CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the
heap area. An attacker may take advantage of that to cause heap data corruption
or eventually arbitrary code execution and circumvent secure boot protections.
This issue has a high complexity to be exploited as an attacker needs to
perform some triage over the heap layout to achieve significant results, also
the values written into the memory are repeated three times in a row making
difficult to produce valid payloads.

Reported-by: Daniel Axtens


CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling

A heap out-of-bounds write may happen during the handling of Huffman tables in
the PNG reader. This may lead to data corruption in the heap space.
Confidentiality, Integrity and Availability impact may be considered Low as it's
very complex to an attacker control the encoding and positioning of corrupted
Huffman entries to achieve results such as arbitrary code execution and/or
secure boot circumvention.

Reported-by: Daniel Axtens


CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap

A crafted JPEG image may lead the JPEG reader to underflow its data pointer,
allowing user controlled data to be written in heap. To be successfully
performed the attacker needs to do some triage over the heap layout and craft
an image with a malicious format and payload. This vulnerability can lead to
data corruption and eventual code execution or secure boot circumvention.

Reported-by: Daniel Axtens


CVE-2022-28733 grub2: Integer underflow in grub_net_recv_ip4_packets

A malicious crafted IP packet can lead to an integer underflow in
grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain
circumstances the total_len value may end up wrapping around to a small integer
number which will be used in memory allocation. If the attack succeeds in such
way, subsequent operations can write past the end of the buffer.

Reported-by: Daniel Axtens


CVE-2022-28734 grub2: Out-of-bounds write when handling split HTTP headers

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its
internal data buffer point by one position. This can lead to a out-of-bound
write further when parsing the HTTP request, writing a NULL byte past the
buffer. It's conceivable that an attacker controlled set of packets can lead
to corruption of the GRUB2's internal memory metadata.

Reported-by: Daniel Axtens


CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

The GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered
secure boot systems. Allowing such files to be loaded may lead to unverified
code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.

Reported-by: Julian Andres Klode


CVE-2022-28736 grub2: use-after-free in grub_cmd_chainloader()

There's a use-after-free vulnerability in grub_cmd_chainloader() function. The
chainloader command is used to boot up operating systems that doesn't support
multiboot and do not have direct support from GRUB2. When executing chainloader
more than once a use-after-free vulnerability is triggered. If an attacker can
control the GRUB2's memory allocation pattern sensitive data may be exposed and
arbitrary code execution can be achieved.

Reported-by: Chris Coulson


CVE-2022-28737: shim: Buffer overflow when loading crafted EFI images

There's a possible overflow in handle_image() when shim tries to load and execute
crafted EFI executables. The handle_image() function takes into account the SizeOfRawData
field from each section to be loaded. An attacker can leverage this to perform
out-of-bound writes into memory. Arbitrary code execution is not discarded in
such scenario.

Reported-by: Chris Coulson


grub-core/commands/boot.c          |  66 +++++++++++++++++++++++++++++++++++++++++++++++-------
grub-core/fs/btrfs.c               | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
grub-core/fs/f2fs.c                |  58 ++++++++++++++++++++++++++++++++++++-----------
grub-core/kern/efi/sb.c            |  39 +++++++++++++++++++++++++++++---
grub-core/kern/file.c              |   2 ++
grub-core/loader/efi/chainloader.c |  46 ++++++++++++++++++++------------------
grub-core/net/dns.c                |  25 ++++++++++++++++-----
grub-core/net/http.c               |  17 +++++++++-----
grub-core/net/ip.c                 |  10 ++++++++-
grub-core/net/net.c                |  11 +++++++--
grub-core/net/netbuff.c            |  13 +++++++++++
grub-core/net/tftp.c               |   3 ++-
grub-core/normal/charset.c         |   2 ++
grub-core/video/readers/jpeg.c     | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
grub-core/video/readers/png.c      | 158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------
include/grub/loader.h              |   5 +++++
include/grub/net.h                 |   1 +
include/grub/verify.h              |   1 +
18 files changed, 501 insertions(+), 167 deletions(-)

Chris Coulson (3):
     loader/efi/chainloader: Simplify the loader state
     commands/boot: Add API to pass context to loader
     loader/efi/chainloader: Use grub_loader_set_ex()

Daniel Axtens (20):
     kern/file: Do not leak device_name on error in grub_file_open()
     video/readers/png: Abort sooner if a read operation fails
     video/readers/png: Refuse to handle multiple image headers
     video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     video/readers/png: Avoid heap OOB R/W inserting huff table items
     video/readers/png: Sanity check some huffman codes
     video/readers/jpeg: Abort sooner if a read operation fails
     video/readers/jpeg: Do not reallocate a given huff table
     video/readers/jpeg: Refuse to handle multiple start of streams
     video/readers/jpeg: Block int underflow -> wild pointer write
     normal/charset: Fix array out-of-bounds formatting unicode for display
     net/ip: Do IP fragment maths safely
     net/netbuff: Block overly large netbuff allocs
     net/dns: Fix double-free addresses on corrupt DNS response
     net/dns: Don't read past the end of the string we're checking against
     net/tftp: Prevent a UAF and double-free from a failed seek
     net/tftp: Avoid a trivial UAF
     net/http: Do not tear down socket if it's already been torn down
     net/http: Fix OOB write for split http headers
     net/http: Error out on headers with LF without CR

Darren Kenny (3):
     fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     fs/btrfs: Fix more fuzz issues related to chunks

Julian Andres Klode (1):
     kern/efi/sb: Reject non-kernel files in the shim_lock verifier

Sudhakar Kuppusamy (3):
     fs/f2fs: Do not read past the end of nat journal entries
     fs/f2fs: Do not read past the end of nat bitmap
     fs/f2fs: Do not copy file names that are too long

Download attachment "signature.asc" of type "application/pgp-signature" (269 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.