From patchwork Tue Sep 9 14:31:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 69859 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4259FCAC587 for ; Tue, 9 Sep 2025 14:31:24 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.15041.1757428283995233173 for ; Tue, 09 Sep 2025 07:31:24 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 394881424 for ; Tue, 9 Sep 2025 07:31:15 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 1AECF3F66E for ; Tue, 9 Sep 2025 07:31:22 -0700 (PDT) From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 1/2] grub2: mark CVE-2024-2312 as not applicable Date: Tue, 9 Sep 2025 15:31:17 +0100 Message-ID: <20250909143118.3819968-1-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Sep 2025 14:31:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223115 This issue is specific to the peimage module that Ubuntu add, and is not an upstream issue. Signed-off-by: Ross Burton --- meta/recipes-bsp/grub/grub2.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index ffa04e415d3..e87d2691704 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -43,6 +43,7 @@ SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154 CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL" CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedora" CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora" +CVE_STATUS[CVE-2024-2312] = "not-applicable-platform: Applies only to Ubuntu" DEPENDS = "flex-native bison-native gettext-native" From patchwork Tue Sep 9 14:31:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 69860 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56880CAC583 for ; Tue, 9 Sep 2025 14:31:34 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.14951.1757428284821759556 for ; Tue, 09 Sep 2025 07:31:25 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D61091424 for ; Tue, 9 Sep 2025 07:31:15 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id C3CF43F66E for ; Tue, 9 Sep 2025 07:31:23 -0700 (PDT) From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 2/2] grub2: fix CVE-2024-56738 Date: Tue, 9 Sep 2025 15:31:18 +0100 Message-ID: <20250909143118.3819968-2-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250909143118.3819968-1-ross.burton@arm.com> References: <20250909143118.3819968-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Sep 2025 14:31:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223116 Backport an algorithmic change to grub_crypto_memcmp() so that it completes in constant time and thus isn't susceptible to side-channel attacks. Signed-off-by: Ross Burton --- .../grub/files/CVE-2024-56738.patch | 75 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-56738.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-56738.patch b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch new file mode 100644 index 00000000000..c7b64aa6edc --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch @@ -0,0 +1,75 @@ +From 4cef2fc7308b2132317ad166939994f098b41561 Mon Sep 17 00:00:00 2001 +From: Ross Burton +Date: Tue, 9 Sep 2025 14:23:14 +0100 +Subject: [PATCH] CVE-2024-56738 + +Backport an algorithmic change to grub_crypto_memcmp() so that it completes in +constant time and thus isn't susceptible to side-channel attacks. + +This is a partial backport of grub 0739d24cd +("libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11") + +CVE: CVE-2024-56738 +Upstream-Status: Backport [0739d24cd] +Signed-off-by: Ross Burton +--- + grub-core/lib/crypto.c | 23 ++++++++++++++++------- + include/grub/crypto.h | 2 +- + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index 396f76410..19db7870a 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in) + return GRUB_ACCESS_DENIED; + } + ++/* ++ * Compare byte arrays of length LEN, return 1 if it's not same, ++ * 0, otherwise. ++ */ + int +-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n) ++grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len) + { +- register grub_size_t counter = 0; +- const grub_uint8_t *pa, *pb; ++ const grub_uint8_t *a = b1; ++ const grub_uint8_t *b = b2; ++ int ab, ba; ++ grub_size_t i; + +- for (pa = a, pb = b; n; pa++, pb++, n--) ++ /* Constant-time compare. */ ++ for (i = 0, ab = 0, ba = 0; i < len; i++) + { +- if (*pa != *pb) +- counter++; ++ /* If a[i] != b[i], either ab or ba will be negative. */ ++ ab |= a[i] - b[i]; ++ ba |= b[i] - a[i]; + } + +- return !!counter; ++ /* 'ab | ba' is negative when buffers are not equal, extract sign bit. */ ++ return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1; + } + + #ifndef GRUB_UTIL +diff --git a/include/grub/crypto.h b/include/grub/crypto.h +index 31c87c302..20ad4c5f7 100644 +--- a/include/grub/crypto.h ++++ b/include/grub/crypto.h +@@ -393,7 +393,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md, + grub_uint8_t *DK, grub_size_t dkLen); + + int +-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n); ++grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len); + + int + grub_password_get (char buf[], unsigned buf_size); +-- +2.43.0 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index e87d2691704..b512cbeb458 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -36,6 +36,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45778_CVE-2024-45779.patch \ file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \ file://CVE-2025-0678_CVE-2025-1125.patch \ + file://CVE-2024-56738.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"