Sorry the test plan perhaps could have been clearer:

- The automated tests do _not_ currently include XFS.
- "create an XFS /boot; boot from it" was part of the manual tests planned
Updated test plan now.

** Description changed:

  Just to be clear this is now the tracking bug for all GRUB2 CVE fixes in this batch, and not just the insmod refcount overflow it was originally filed for.

  [ Impact ]

   * A large batch of secure boot CVEs in GRUB2 were fixed earlier this year and recently un-embargoed.

   * This has an obvious impact on everyone relying on Secure Boot for any purpose.

  [ Test Plan ]

   * In archive, ubuntu-boot-test in plucky, oracular, noble. Local ubuntu-boot-test for jammy, focal.

- * Manual test boots of all revs on real hardware.
+ * Manual test boots of all revs on vms/real hardware.
+
+ * Manual test for XFS /boot on all revs

  [ Where problems could occur ]

   * While everything was previously tested, boot regressions are always possible. We will watch the situation and quickly remedy anything asap.

  ==============================================================================

  This bug is being reused, but the original bug report is preserved below:

  Repeatedly executing the `insmod` command on a module leads to the module's reference count being incremented on each execution. Unfortunately GRUB performs no overflow checks on module reference count, thus leading to the reference count overflowing, and in turn allowing `rmmod` to be executed on such a module. This returns the module's heap memory *while leaving active pointers to it*. Subsequent heap allocations will re-use this memory, potentially allowing an attacker to replace a module with an unsigned payload and lead to its execution.

  The reference count is a 32-bit integer, and executing enough `insmod`s that leads to overflow will take multiple hours, thus making this issue rather time consuming to exploit.
https://bugs.launchpad.net/bugs/2055835

Title: GRUB 2025 spring security update
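
Review bot: the added test-plan line "Manual test for XFS /boot on all revs" does not say what the test does or what counts as a pass. The comment above gives it as "create an XFS /boot; boot from it"; putting that wording into the description would make the step repeatable, which matters here because the automated tests are said not to include XFS. The changed line "vms/real hardware" also leaves open which revs are booted on VMs and which on real hardware; stating that per series would make the manual coverage checkable.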
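
The unchecked counter described in the original report, next to a checked increment, as an added C example that is not GRUB's code and not the fix shipped in this update. The struct, the function names and the `uint32_t` counter are assumptions for illustration, and the starting value is constructed to stand in for the hours of repeated `insmod`.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of a loaded module (hypothetical, not GRUB's structure). */
struct module {
    uint32_t ref_count;  /* 32-bit counter, as stated in the report */
    int freed;           /* set once the module's memory is released */
};

/* A command registered by the module keeps a pointer to its owner. */
struct command { struct module *owner; };

/* Unchecked increment: wraps from UINT32_MAX to 0. */
static void ref_unchecked(struct module *m) { m->ref_count++; }

/* Checked increment: refuse the new reference instead of wrapping. */
static int ref_checked(struct module *m) {
    if (m->ref_count == UINT32_MAX)
        return -1;       /* caller fails the load */
    m->ref_count++;
    return 0;
}

/* Unload succeeds only when the counter says nothing uses the module. */
static int unload(struct module *m) {
    if (m->ref_count != 0)
        return -1;
    m->freed = 1;        /* stands in for returning the heap memory */
    return 0;
}

/* Returns 1 if a still-registered command ends up owning a freed module. */
static int dangling_after(int use_check) {
    struct module m = { UINT32_MAX, 0 };  /* constructed: state after many loads */
    struct command cmd = { &m };
    if (use_check)
        ref_checked(&m);   /* refused, counter stays at UINT32_MAX */
    else
        ref_unchecked(&m); /* counter wraps to 0 */
    unload(&m);
    return cmd.owner->freed;
}

int main(void) {
    printf("unchecked: command points at freed module = %d\n", dangling_after(0));
    printf("checked:   command points at freed module = %d\n", dangling_after(1));
    return 0;
}
```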
