Headline
CVE-2020-27749: Stack buffer overflow in grub_parser_split_cmdline()
A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Description Marco Benatto 2020-11-20 13:39:58 UTC
grub_parser_split_cmdline expands variable names present in the supplied command line in to their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution. An attacker may use this to circumvent Secure Boot protections.
Comment 2 Marco Benatto 2020-11-20 15:42:51 UTC
Acknowledgments:
Name: Chris Coulson (Canonical)
Comment 7 Marco Benatto 2021-03-02 18:39:48 UTC
Created grub2 tracking bugs for this issue:
Affects: fedora-all [bug 1934249]
Comment 13 errata-xmlrpc 2021-03-02 20:09:35 UTC
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support
Via RHSA-2021:0702 https://access.redhat.com/errata/RHSA-2021:0702