
Revision 526120

Date:
2020/02/14 15:41:49
Author:
bapt
Revision Log:
MFH: r525916

sysutils/grub2-bhyve: Neutralize privileged guest commands

GRUB was designed to run in a trusted environment, where anyone with access
to grub2.cfg could also modify grub itself. In grub2-bhyve, we have
modified it to run in host context, but interpret the commands of guest
grub2.cfg. This means we have to worry about malicious guests.

This patch addresses two escalation vectors: font-loading, and the direct
'read', 'write', 'in', and 'out' commands (which read/write arbitrary
addresses). Both reported by Reno Robert.

Disable font-loading by neutering the command. It is believed to be non-
essential and there is at least one buffer overflow in the font loading
code.

Disable reading and writing host memory and IO ports. It is believed to be
non-essential.

admbugs: 948
Reported by: Reno Robert <renorobert AT gmail.com>
Approved by: bapt
Security: yes

Approved by: portmgr (bapt)
Files:

  • branches/2020Q1

     
  • branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c

     
    1 --- grub-core/commands/iorw.c.orig 2015-08-31 22:42:56 UTC
    2 +++ grub-core/commands/iorw.c
    3 @@ -45,6 +45,9 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
    4
    5 if (argc != 1)
    6 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
    7 +#if 1 /* BHYVE */
    8 + grub_puts_("Reading host IO ports disabled.");
    9 +#else
    10
    11 addr = grub_strtoul (argv[0], 0, 0);
    12 switch (ctxt->extcmd->cmd->name[sizeof ("in") - 1])
    13 @@ -70,6 +73,7 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
    14 }
    15 else
    16 grub_printf ("0x%x\n", value);
    17 +#endif
    18
    19 return 0;
    20 }
    21 @@ -84,6 +88,10 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
    22 if (argc != 2 && argc != 3)
    23 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
    24
    25 +#if 1 /* BHYVE */
    26 + grub_puts_("Writing host IO ports disabled.");
    27 +#else
    28 +
    29 addr = grub_strtoul (argv[0], 0, 0);
    30 value = grub_strtoul (argv[1], 0, 0);
    31 if (argc == 3)
    32 @@ -112,6 +120,7 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
    33 grub_outb (value, addr);
    34 break;
    35 }
    36 +#endif
    37
    38 return 0;
    39 }
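Review bot: Both stubs in this file print a message and then fall through to the existing `return 0;`, so a guest script that invokes the port read or write commands is told the call succeeded. Failing closed makes the refusal visible to the script and to whoever reads the console log: replace the `grub_puts_` line in grub_cmd_read and grub_cmd_write with `return grub_error (GRUB_ERR_ACCESS_DENIED, N_("host IO port access is disabled"));`. The same applies to the stubs in patch-grub-core_commands_memrw.c and patch-grub-core_font_font__cmd.c, where the font stub reaches `return GRUB_ERR_NONE;`. Both function bodies begin outside the hunks shown, so the declarations of `addr` and `value` are not visible; they presumably become unused under `#if 1` and are worth checking against the port's warning flags.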
  • branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c

     
    1 --- grub-core/commands/memrw.c.orig 2015-08-31 22:42:56 UTC
    2 +++ grub-core/commands/memrw.c
    3 @@ -46,6 +46,9 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
    4 if (argc != 1)
    5 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
    6
    7 +#if 1 /* BHYVE */
    8 + grub_puts_("Reading host memory disabled.");
    9 +#else
    10 addr = grub_strtoul (argv[0], 0, 0);
    11 switch (ctxt->extcmd->cmd->name[sizeof ("read_") - 1])
    12 {
    13 @@ -69,6 +72,7 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
    14 }
    15 else
    16 grub_printf ("0x%x\n", value);
    17 +#endif
    18
    19 return 0;
    20 }
    21 @@ -83,6 +87,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
    22 if (argc != 2 && argc != 3)
    23 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
    24
    25 +#if 1 /* BHYVE */
    26 + grub_puts_("Writing host memory disabled.");
    27 +#else
    28 addr = grub_strtoul (argv[0], 0, 0);
    29 value = grub_strtoul (argv[1], 0, 0);
    30 if (argc == 3)
    31 @@ -114,6 +121,7 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
    32 *((volatile grub_uint8_t *) addr) = value;
    33 break;
    34 }
    35 +#endif
    36
    37 return 0;
    38 }
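Review bot: The `#if 1 /* BHYVE */` guards in grub_cmd_read and grub_cmd_write do not say why the body is compiled out, and the original raw-pointer code stays in the `#else` arm, one edit away from being re-enabled. A comment at each guard would record the reason given in the commit log, for example `/* grub2-bhyve runs in host context on guest-supplied grub.cfg; addr here would be a host address. Do not re-enable. */`. Both functions begin above the visible hunks, so whether an existing header comment already covers this cannot be seen from here.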
  • branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c

     
    1 --- grub-core/font/font_cmd.c.orig 2020-02-03 00:11:34 UTC
    2 +++ grub-core/font/font_cmd.c
    3 @@ -28,6 +28,9 @@ loadfont_command (grub_command_t cmd __attribute__ ((u
    4 int argc,
    5 char **args)
    6 {
    7 +#if 1 /* BHYVE */
    8 + grub_puts_("Font loading disabled.");
    9 +#else
    10 if (argc == 0)
    11 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
    12
    13 @@ -38,6 +41,7 @@ loadfont_command (grub_command_t cmd __attribute__ ((u
    14 return grub_error (GRUB_ERR_BAD_FONT, "invalid font");
    15 return grub_errno;
    16 }
    17 +#endif
    18
    19 return GRUB_ERR_NONE;
    20 }
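Review bot: The stub closes only the `loadfont` command entry point. The font parsing code that the log describes as containing at least one buffer overflow is presumably still built, and nothing visible in this section shows whether another caller can hand it a guest-controlled file. It is worth confirming that no other caller in the grub2-bhyve build reaches the font loader with guest data, or dropping the font module from the build so the parser is not present at all. Separately, with the body compiled out, `argc` and `args` are no longer referenced and, unlike `cmd`, carry no `__attribute__ ((unused))`, which may produce warnings depending on the port's build flags. The function signature begins outside the hunk.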
  • branches/2020Q1/sysutils/grub2-bhyve/Makefile

     
    4 4 PORTNAME= grub2-bhyve
    5 5 DISTVERSIONPREFIX= v
    6 6 DISTVERSION= 0.40
    7 PORTREVISION= 7
    7 PORTREVISION= 8
    8 8 CATEGORIES= sysutils
    9 9
    10 10 MAINTAINER= ports@FreeBSD.org