[Bug 2112179] Re: Cannot pass unescaped double quotes to the linux command line
Launchpad Bug Tracker
2112179 at bugs.launchpad.net
Mon Aug 18 12:11:06 UTC 2025
This bug was fixed in the package grub2 -
2.14~git20250718.0e36779-1ubuntu2
---------------
grub2 (2.14~git20250718.0e36779-1ubuntu2) questing; urgency=medium
* Fup grub-common -> grub2-common merger in Ubuntu specific delta
grub2 (2.14~git20250718.0e36779-1ubuntu1) questing; urgency=medium
* Merge from Debian experimental; remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP #1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP #1871821)
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- UBUNTU: Do not link grub-efi-*-unsigned docs to grub-common
- UBUNTU: Default timeout changes
- UBUNTU: Replace grub-install-extra-removable
- UBUNTU: Revert "Add jfs module to signed UEFI images. Closes: #950959"
- UBUNTU: Revert "Add f2fs module to signed UEFI images"
- UBUNTU: Drop luks2
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels
- forward port fix for LP #1926748
- Forward port the fix for LP #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Drop i386 from grub-efi-amd64*
- Turn depends on grub-efi-amd64/arm64 unversioned
- Install grub-sort-version
- rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
- d/postinst.in: Make empty "grub-pc/install_devices" non-fatal in "noninteractive" mode
- Add debconf options "grub-{efi,pc}/cloud_style_installation"
- grub-common.service: Add After/Requires=boot-complete.target (LP #1992643)
- d/postinst.in: Remove upgrade check for GRUB version we can no longer upgrade from
- Disable ELF metadata injection
- Provide pre-built BIOS and IEEE1275 El-Torito images (LP #2086841)
- Removed patches:
+ install-signed.patch with
+ grub-install-extra-removable.patch
+ grub-install-removable-shim.patch
- Added patches:
+ ubuntu-install-signed.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-vt-handoff.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-os-prober-auto.patch
+ grub-sort-version.patch
+ Revert-kern-ieee1275-init-ppc64-Display-upper_mem_limit-w.patch
+ Revert-kern-ieee1275-init-ppc64-Fix-a-comment.patch
+ Revert-kern-ieee1275-ieee1275-Display-successful-memory-c.patch
+ Revert-loader-powerpc-ieee1275-Use-new-allocation-functio.patch
+ Revert-kern-ieee1275-cmain-ppc64-Introduce-flags-to-ident.patch
+ Revert-kern-ieee1275-init-ppc64-Rename-regions_claim-to-g.patch
+ Revert-kern-ieee1275-init-ppc64-Add-support-for-alignment.patch
+ Revert-kern-ieee1275-init-ppc64-Return-allocated-address-.patch
+ Revert-kern-ieee1275-init-ppc64-Decide-by-request-whether.patch
+ Revert-kern-ieee1275-init-ppc64-Introduce-a-request-for-r.patch
+ grub-install-efi-title.patch
* Add grub.ubuntu26,1 SBAT entry to indicate upcoming LTS
grub2 (2.14~git20250718.0e36779-1) experimental; urgency=medium
[ Mate Kukri ]
* Import git snapshot of upcoming GRUB 2.14 upstream release
* d/patches: rebase patches for 2.14 git snapshot
* d/rules: add erofs_test to XFAIL test
* peimage: add NX support, fix some bugs (LP: #2104316)
* Fix ipconfig2 route table parsing (LP: #2088181)
[ Luca Boccassi ]
* efi images: enable 'bli' module
[ Graham Inggs ]
* debian/control: mark qemu-system build-dependency <!nocheck>
[ Pascal Hambourg ]
* debian/grub.d/05_debian_theme: quote background image pathname in output
[ Mate Kukri ]
* Resolve zfs root identification (Closes: #848945)
* Check out missing distfiles from upstream git branch
* d/build-efi-images: Remove filesystems no longer allowed under lockdown
* debian: Remove references to dead ports kfreebsd-* and kopensolaris-*
* d/control: Sync dependencies of grub-efi-{riscv64,loong64} with grub-efi-*
* d/control: Clean up package relations
* debian: Tanglu is a dead distro, drop references to it
* debian: Get rid of non-systemd init scripts
* debian: Merge grub-common into grub2-common
* debian: Get rid of update-grub script for grub-legacy
* debian: Remove support for the yeeloong target
* Remove support for WUBI (Windows Based Ubuntu Installer)
* debian/patches: Drop a number of obsolete patches
* Add "noescape" argument to cmdline creation (LP: #2112179)
* d/control: Cleanup more package relations
* Remove IA64 support
* Remove old maintscripts
* d/postinst.in: remove grub legacy related functionality
* Add Provides grub-common to merged grub2-common
* Update Debian specific SBAT line to grub.debian14 for forky
grub2 (2.12-9) unstable; urgency=medium
* Apply patch by Ben Hutchings to not strip .exec or .image files
(Closes: #1072167)
grub2 (2.12-8) unstable; urgency=medium
[ Mate Kukri ]
* d/default/grub: Always get distributor string from `/etc/os-release`
* Avoid adding extra GNU/Linux suffix to menu entries (Closes: #1076723)
grub2 (2.12-7) unstable; urgency=medium
[ Mate Kukri ]
* Drop NTFS patches that seem to be causing regressions
(Closes: #1100486, #1100470)
grub2 (2.12-6) unstable; urgency=medium
[ Mate Kukri ]
* Fix out of bounds XSDT access, re-enable ACPI SPCR table support
[ Miroslav Kure ]
* Updated Czech translation of grub debconf messages. (Closes: #1035052)
[ Viktar Siarheichyk ]
* Updated Belarusian translation. (Closes: #1034905)
[ Carles Pina i Estany ]
* Update translation
[ Felix Zielcke ]
* Move d/legacy/* files to grub-legacy.
* Remove traces of ../legacy/ dir in d/rules.
[ Mate Kukri ]
* Cherry-pick upstream security patches
* Bump SBAT level to grub,5
* SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
- CVE-2024-45774
* SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
- CVE-2024-45775
* SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or read
- CVE-2024-45776
* SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
- CVE-2024-45777
* SECURITY UPDATE: fs/bfs: Integer overflow
- CVE-2024-45778
* SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
- CVE-2024-45779
* SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
- CVE-2024-45780
* SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
- CVE-2024-45781
* SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB write
- CVE-2024-45782
* SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
- CVE-2024-45783
* SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being removed on module unload
- CVE-2025-0622
* SECURITY UPDATE: net: Out-of-bounds write in grub_net_search_config_file()
- CVE-2025-0624
* SECURITY UPDATE: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
- CVE-2025-0677
* SECURITY UPDATE: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
- CVE-2025-0678
* SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0684
* SECURITY UODATE: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0685
* SECURITY UPDATE: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0686
* SECURITY UPDATE: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
- CVE-2025-0689
* SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
- CVE-2025-0690
* SECURITY UPDATE: commands/dump: The dump command is not in lockdown when secure boot is enabled
- CVE-2025-1118
* SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
- CVE-2025-1125
* SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF [LP: #2055835]
-- Mate Kukri <mate.kukri at canonical.com> Wed, 13 Aug 2025 14:57:58
+0100
** Changed in: grub2 (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45774
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45775
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45776
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45777
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45778
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45779
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45780
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45781
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45782
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45783
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0622
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0624
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0677
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0678
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0684
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0685
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0686
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0689
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0690
** CVE added: https://cve.org/CVERecord?id=CVE-2025-1118
** CVE added: https://cve.org/CVERecord?id=CVE-2025-1125
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2112179
Title:
Cannot pass unescaped double quotes to the linux command line
Status in grub2 package in Ubuntu:
Fix Released
Bug description:
I am writing a `grub.cfg` which contains this:
```
linux /boot/kernel \
root=/dev/mapper/verity-root \
dm_mod.create="\"verity-root,,ro,0 163840 verity 1 /dev/vda3 /dev/vda3 4096 4096 10240 10240 sha256 ${ROOT_HASH_A} -\"" \
${kernel_common_cmdline}
```
The problem I have is that the kernel then ultimately sees this:
`dm_mod.create=\"verity-root,,ro,0 163840 verity 1 /dev/vda3 /dev/vda3
4096 4096 10240 10240 sha256
4b2693f593b5472ae2661fa9b4a499dce2301e6b66d385d1d7ee8bde1466e87f -\"`
And not
`dm_mod.create="verity-root,,ro,0 163840 verity 1 /dev/vda3 /dev/vda3
4096 4096 10240 10240 sha256
4b2693f593b5472ae2661fa9b4a499dce2301e6b66d385d1d7ee8bde1466e87f -"`
as I intended (and what the documentation states should be the result,
see the paragraph on quoting here:
https://www.gnu.org/software/grub/manual/grub/html_node/Shell_002dlike-
scripting.html).
There are various ways to try and work around the issue, but none result in a command line that the kernel then interprets correctly.
What appears to be the solution intended by the grub authors gives this result:
`"dm_mod.create=verity-root,,ro,0 163840 verity 1 /dev/vda3 /dev/vda3
4096 4096 10240 10240 sha256
4b2693f593b5472ae2661fa9b4a499dce2301e6b66d385d1d7ee8bde1466e87f -"`
However the kernel does not parse this correctly.
One can also try to use escaped spaces to go around the quoting issue, however the backslashes themselves are then automatically escaped by grub in the output, and thus the kernel fails to parse the line correctly too.
In effect, it is not possible to produce a linux command line that
contains unescaped double quotes or backslashes, except in the very
specific way that grub handles the "argument containing a space" case,
which does not function correctly with the kernel parser.
This bug is a known issue and patches have been suggested to solve it,
see here: https://lists.gnu.org/archive/html/grub-
devel/2023-07/msg00089.html
This bug is also related to
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/445952 but is
more narrow: my issue is exclusively about grub adding unwanted escape
characters to the linux command line, not about how it interprets
quotes coming from environment variables.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2112179/+subscriptions
More information about the foundations-bugs
mailing list