[Bug 2055835] Re: insmod reference count overflow (GRUB 2025 spring security update)
Ubuntu Foundations Team Bug Bot
2055835 at bugs.launchpad.net
Fri Mar 14 04:33:34 UTC 2025
The attachment "0001-Do-not-increment-reference-count-when-insmod-is-call.patch"
seems to be a patch. If it isn't, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]
** Tags added: patch
https://bugs.launchpad.net/bugs/2055835
Title: insmod reference count overflow (GRUB 2025 spring security update)
Status in grub2 package in Ubuntu: New
Status in grub2-unsigned package in Ubuntu: New
Status in grub2 source package in Xenial: Invalid
Status in grub2-unsigned source package in Xenial: New
Status in grub2 source package in Bionic: Invalid
Status in grub2-unsigned source package in Bionic: New
Status in grub2 source package in Focal: Invalid
Status in grub2-unsigned source package in Focal: New
Status in grub2 source package in Jammy: Invalid
Status in grub2-unsigned source package in Jammy: New
Status in grub2 source package in Noble: New
Status in grub2-unsigned source package in Noble: New
Status in grub2 source package in Oracular: New
Status in grub2-unsigned source package in Oracular: New
Status in grub2 source package in Plucky: New
Status in grub2-unsigned source package in Plucky: New
Status in grub2 package in Debian: New
Bug description:
Repeatedly executing the `insmod` command on a module leads to the
module's reference count being incremented on each execution.
Unfortunately GRUB performs no overflow checks on the module reference
count, thus leading to the reference count overflowing, and in turn
allowing `rmmod` to be executed on such a module.
This returns the module's heap memory *while leaving active pointers
to it*. Subsequent heap allocations will re-use this memory,
potentially allowing an attacker to replace a module with an unsigned
payload and lead to its execution.
The reference count is a 32-bit integer, and executing enough
`insmod`s to lead to its overflow takes multiple hours, thus making
exploitation of this issue rather time-consuming.
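The following is an added illustration, not GRUB's code and not the attached patch: a toy model of a loaded-module record with a 32-bit reference count, showing the unchecked increment the report describes next to two hardened variants (one mirroring the attached patch's title, which stops incrementing on a repeated insmod, and one adding an explicit overflow check). All names (`toy_module`, `insmod_*`, `rmmod`, `simulate`) are constructed for this example; GRUB's real module structures and command handlers differ. Because the report says reaching the wrap point for real takes hours, the model fast-forwards the counter instead of looping.

```c
/* Added example, not GRUB's own code: toy model of a module reference count
 * that wraps, and of two defences. Names are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct toy_module {
    const char *name;
    uint32_t ref_count;  /* the 32-bit counter the report describes */
    bool loaded;         /* false once rmmod has released the memory */
};

/* Vulnerable behaviour from the report: every insmod increments the count and
 * nothing prevents it wrapping from UINT32_MAX back to 0. Always "succeeds". */
static bool insmod_unchecked(struct toy_module *m)
{
    if (!m->loaded) {
        m->loaded = true;
        m->ref_count = 1;
        return true;
    }
    m->ref_count++;  /* silently wraps to 0 after UINT32_MAX */
    return true;
}

/* Hardened variant mirroring the attached patch's title: insmod on a module
 * that is already loaded leaves the reference count alone. */
static bool insmod_no_reref(struct toy_module *m)
{
    if (!m->loaded) {
        m->loaded = true;
        m->ref_count = 1;
    }
    return true;  /* already loaded: nothing to do */
}

/* Alternative defence: an explicit overflow check on the counter itself,
 * rejecting the request instead of wrapping. */
static bool insmod_overflow_checked(struct toy_module *m)
{
    if (!m->loaded) {
        m->loaded = true;
        m->ref_count = 1;
        return true;
    }
    if (m->ref_count == UINT32_MAX)
        return false;  /* would overflow: refuse */
    m->ref_count++;
    return true;
}

/* rmmod: drop one reference and release the module only when none remain.
 * A wrapped counter (0) is indistinguishable from "no references", which is
 * what turns the overflow into the premature free the report describes. */
static bool rmmod(struct toy_module *m)
{
    if (!m->loaded)
        return false;
    if (m->ref_count > 0)
        m->ref_count--;
    if (m->ref_count == 0) {
        m->loaded = false;  /* memory returned; stale pointers may remain */
        return true;
    }
    return false;
}

/* Drive the model: load once, fast-forward the counter to `preloaded` (standing
 * in for hours of repeated insmod calls), run `extra` further insmod calls with
 * the chosen variant, then one rmmod. Returns true if rmmod released the module. */
static bool simulate(bool (*insmod)(struct toy_module *), uint32_t preloaded,
                     unsigned extra)
{
    struct toy_module m = { .name = "example_mod", .ref_count = 0, .loaded = false };
    insmod(&m);
    m.ref_count = preloaded;
    for (unsigned i = 0; i < extra; i++)
        insmod(&m);
    return rmmod(&m);
}

int main(void)
{
    printf("unchecked, counter at UINT32_MAX, one more insmod -> freed=%d\n",
           simulate(insmod_unchecked, UINT32_MAX, 1));        /* 1: premature free */
    printf("no-reref fix, same sequence -> freed=%d\n",
           simulate(insmod_no_reref, UINT32_MAX, 1));         /* 0 */
    printf("overflow check, same sequence -> freed=%d\n",
           simulate(insmod_overflow_checked, UINT32_MAX, 1)); /* 0 */
    printf("one legitimate reference, then rmmod -> freed=%d\n",
           simulate(insmod_unchecked, 1, 0));                 /* 1: normal unload */
    return 0;
}
```

The point the model makes is that the release decision in `rmmod` depends only on the counter reaching zero, so a counter that can wrap is a free primitive waiting to happen; either of the two hardened variants keeps that decision sound, and a defender reviewing a backport can check which of the two a given patch actually implements.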