diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch new file mode 100644 index 0000000000..f9a6a73ebc --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch @@ -0,0 +1,37 @@ +From e4f5c16f76e137b3beb6b61a6d2435e54fcb495c Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas <javierm@redhat.com> +Date: Wed, 24 Feb 2021 22:59:59 +0100 +Subject: [PATCH] commands/setpci: Restrict setpci command when locked down + +This command can set PCI devices register values, which makes it dangerous +in a locked down configuration. Restrict it so can't be used on this setup. + +Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=58b77d4069823b44c5fa916fa8ddfc9c4cd51e02] +CVE: CVE-2020-27779 +Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> +--- + grub-core/commands/setpci.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c +index d5bc97d..fa2ba7d 100644 +--- a/grub-core/commands/setpci.c ++++ b/grub-core/commands/setpci.c +@@ -329,10 +329,10 @@ static grub_extcmd_t cmd; + + GRUB_MOD_INIT(setpci) + { +- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0, +- N_("[-s POSITION] [-d DEVICE] [-v VAR] " +- "REGISTER[=VALUE[:MASK]]"), +- N_("Manipulate PCI devices."), options); ++ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0, ++ N_("[-s POSITION] [-d DEVICE] [-v VAR] " ++ "REGISTER[=VALUE[:MASK]]"), ++ N_("Manipulate PCI devices."), options); + } + + GRUB_MOD_FINI(setpci) |