MFH: r525916

sysutils/grub2-bhyve: Neutralize privileged guest commands

GRUB was designed to run in a trusted environment, where anyone with access
to grub2.cfg could also modify grub itself.  In grub2-bhyve, we have
modified it to run in host context, but interpret the commands of guest
grub2.cfg.  This means we have to worry about malicious guests.

This patch addresses two escalation vectors: font-loading, and the direct
'read', 'write', 'in', and 'out' commands (which read/write arbitrary
addresses).  Both reported by Reno Robert.

Disable font-loading by neutering the command.  It is believed to be non-
essential and there is at least one buffer overflow in the font loading
code.

Disable reading and writing host memory and IO ports.  It is believed to be
non-essential.

admbugs:	948
Reported by:	Reno Robert <renorobert AT gmail.com>
Approved by:	bapt
Security:	yes

Approved by:	portmgr (bapt)

sysutils/grub2-bhyve/Makefile

@@ -4,7 +4,7 @@
 PORTNAME=	grub2-bhyve
 DISTVERSIONPREFIX=	v
 DISTVERSION=	0.40
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	sysutils
 
 MAINTAINER=	ports@FreeBSD.org

sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c

@@ -0,0 +1,39 @@
+--- grub-core/commands/iorw.c.orig	2015-08-31 22:42:56 UTC
++++ grub-core/commands/iorw.c
+@@ -45,6 +45,9 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+ 
+   if (argc != 1)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
++#if 1 /* BHYVE */
++  grub_puts_("Reading host IO ports disabled.");
++#else
+ 
+   addr = grub_strtoul (argv[0], 0, 0);
+   switch (ctxt->extcmd->cmd->name[sizeof ("in") - 1])
+@@ -70,6 +73,7 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+     }
+   else
+     grub_printf ("0x%x\n", value);
++#endif
+ 
+   return 0;
+ }
+@@ -84,6 +88,10 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+   if (argc != 2 && argc != 3)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
+ 
++#if 1 /* BHYVE */
++  grub_puts_("Writing host IO ports disabled.");
++#else
++
+   addr = grub_strtoul (argv[0], 0, 0);
+   value = grub_strtoul (argv[1], 0, 0);
+   if (argc == 3)
+@@ -112,6 +120,7 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+ 	grub_outb (value, addr);
+       break;
+     }
++#endif
+ 
+   return 0;
+ }

sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c

@@ -0,0 +1,38 @@
+--- grub-core/commands/memrw.c.orig	2015-08-31 22:42:56 UTC
++++ grub-core/commands/memrw.c
+@@ -46,6 +46,9 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+   if (argc != 1)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+ 
++#if 1 /* BHYVE */
++  grub_puts_("Reading host memory disabled.");
++#else
+   addr = grub_strtoul (argv[0], 0, 0);
+   switch (ctxt->extcmd->cmd->name[sizeof ("read_") - 1])
+     {
+@@ -69,6 +72,7 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+     }
+   else
+     grub_printf ("0x%x\n", value);
++#endif
+ 
+   return 0;
+ }
+@@ -83,6 +87,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+   if (argc != 2 && argc != 3)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
+ 
++#if 1 /* BHYVE */
++  grub_puts_("Writing host memory disabled.");
++#else
+   addr = grub_strtoul (argv[0], 0, 0);
+   value = grub_strtoul (argv[1], 0, 0);
+   if (argc == 3)
+@@ -114,6 +121,7 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+ 	*((volatile grub_uint8_t *) addr) = value;
+       break;
+     }
++#endif
+ 
+   return 0;
+ }

sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c

@@ -0,0 +1,20 @@
+--- grub-core/font/font_cmd.c.orig	2020-02-03 00:11:34 UTC
++++ grub-core/font/font_cmd.c
+@@ -28,6 +28,9 @@ loadfont_command (grub_command_t cmd __attribute__ ((u
+ 		  int argc,
+ 		  char **args)
+ {
++#if 1 /* BHYVE */
++  grub_puts_("Font loading disabled.");
++#else
+   if (argc == 0)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+ 
+@@ -38,6 +41,7 @@ loadfont_command (grub_command_t cmd __attribute__ ((u
+ 	  return grub_error (GRUB_ERR_BAD_FONT, "invalid font");
+ 	return grub_errno;
+       }
++#endif
+ 
+   return GRUB_ERR_NONE;
+ }