1From 3e8e4c0549240fa209acffceb473e1e509b50c95 Mon Sep 17 00:00:00 2001
2From: Javier Martinez Canillas <javierm@redhat.com>
3Date: Mon, 28 Sep 2020 20:08:41 +0200
4Subject: [PATCH] acpi: Don't register the acpi command when locked down
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The command is not allowed when lockdown is enforced. Otherwise an
10attacker can instruct the GRUB to load an SSDT table to overwrite
11the kernel lockdown configuration and later load and execute
12unsigned code.
13
14Fixes: CVE-2020-14372
15
16Reported-by: Máté Kukri <km@mkukri.xyz>
17Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
18Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
19Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
20---
21 docs/grub.texi | 5 +++++
22 grub-core/commands/acpi.c | 15 ++++++++-------
23 2 files changed, 13 insertions(+), 7 deletions(-)
24
25diff --git a/docs/grub.texi b/docs/grub.texi
26index bbe60a4..98592d3 100644
27--- a/docs/grub.texi
28+++ b/docs/grub.texi
29@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
30 (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
31 @option{--no-ebda} option is used, the new tables will be known only to
32 GRUB, but may be used by GRUB's EFI emulation.
33+
34+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
35+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
36+ overwrite the kernel lockdown configuration and later load and execute
37+ unsigned code.
38 @end deffn
39
40
41diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
42index 5a1499a..1215f2a 100644
43--- a/grub-core/commands/acpi.c
44+++ b/grub-core/commands/acpi.c
45@@ -27,6 +27,7 @@
46 #include <grub/mm.h>
47 #include <grub/memory.h>
48 #include <grub/i18n.h>
49+#include <grub/lockdown.h>
50
51 #ifdef GRUB_MACHINE_EFI
52 #include <grub/efi/efi.h>
53@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
54
55 GRUB_MOD_INIT(acpi)
56 {
57- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
58- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
59- "--load-only=TABLE1,TABLE2] FILE1"
60- " [FILE2] [...]"),
61- N_("Load host ACPI tables and tables "
62- "specified by arguments."),
63- options);
64+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
65+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
66+ "--load-only=TABLE1,TABLE2] FILE1"
67+ " [FILE2] [...]"),
68+ N_("Load host ACPI tables and tables "
69+ "specified by arguments."),
70+ options);
71 }
72
73 GRUB_MOD_FINI(acpi)
74--
752.14.2
76
77
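Review bot: The new grub_register_extcmd_lockdown call in GRUB_MOD_INIT carries no comment saying why the lockdown-aware registration is required, and that is exactly the line a later cleanup might "simplify" back to grub_register_extcmd; I'd add above it `/* Must be refused under lockdown: a caller-supplied SSDT could override the kernel's lockdown configuration (CVE-2020-14372). */`. If grub_register_extcmd_lockdown mirrors grub_register_command_lockdown in command.h, the command is still registered and only its handler is swapped for one that reports an error, so the subject line "Don't register the acpi command when locked down" overstates the effect while the body text ("The command is not allowed when lockdown is enforced") is the accurate description; worth aligning the title if the patch is reworded. The GRUB_MOD_FINI definition that begins on the hunk's last context line continues outside the hunk.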