From owner-svn-ports-all@freebsd.org  Fri Feb 14 15:41:50 2020
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id AD8B2238DC3;
 Fri, 14 Feb 2020 15:41:50 +0000 (UTC)
 (envelope-from bapt@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48JyKp4BlNz3GtS;
 Fri, 14 Feb 2020 15:41:50 +0000 (UTC)
 (envelope-from bapt@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8B4CF25E92;
 Fri, 14 Feb 2020 15:41:50 +0000 (UTC)
 (envelope-from bapt@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 01EFfoBR090739;
 Fri, 14 Feb 2020 15:41:50 GMT (envelope-from bapt@FreeBSD.org)
Received: (from bapt@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 01EFfn8p090735;
 Fri, 14 Feb 2020 15:41:49 GMT (envelope-from bapt@FreeBSD.org)
Message-Id: <202002141541.01EFfn8p090735@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: bapt set sender to
 bapt@FreeBSD.org using -f
From: Baptiste Daroussin <bapt@FreeBSD.org>
Date: Fri, 14 Feb 2020 15:41:49 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-branches@freebsd.org
Subject: svn commit: r526120 - in branches/2020Q1/sysutils/grub2-bhyve: . files
X-SVN-Group: ports-branches
X-SVN-Commit-Author: bapt
X-SVN-Commit-Paths: in branches/2020Q1/sysutils/grub2-bhyve: . files
X-SVN-Commit-Revision: 526120
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2020 15:41:50 -0000

Author: bapt
Date: Fri Feb 14 15:41:49 2020
New Revision: 526120
URL: https://svnweb.freebsd.org/changeset/ports/526120

Log:
  MFH: r525916
  
  sysutils/grub2-bhyve: Neutralize privileged guest commands
  
  GRUB was designed to run in a trusted environment, where anyone with access
  to grub2.cfg could also modify grub itself.  In grub2-bhyve, we have
  modified it to run in host context, but interpret the commands of guest
  grub2.cfg.  This means we have to worry about malicious guests.
  
  This patch addresses two escalation vectors: font-loading, and the direct
  'read', 'write', 'in', and 'out' commands (which read/write arbitrary
  addresses).  Both reported by Reno Robert.
  
  Disable font-loading by neutering the command.  It is believed to be non-
  essential and there is at least one buffer overflow in the font loading
  code.
  
  Disable reading and writing host memory and IO ports.  It is believed to be
  non-essential.
  
  admbugs:	948
  Reported by:	Reno Robert <renorobert AT gmail.com>
  Approved by:	bapt
  Security:	yes
  
  Approved by:	portmgr (bapt)

Added:
  branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c
     - copied unchanged from r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c
  branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c
     - copied unchanged from r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c
  branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c
     - copied unchanged from r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c
Modified:
  branches/2020Q1/sysutils/grub2-bhyve/Makefile
Directory Properties:
  branches/2020Q1/   (props changed)

Modified: branches/2020Q1/sysutils/grub2-bhyve/Makefile
==============================================================================
--- branches/2020Q1/sysutils/grub2-bhyve/Makefile	Fri Feb 14 15:37:08 2020	(r526119)
+++ branches/2020Q1/sysutils/grub2-bhyve/Makefile	Fri Feb 14 15:41:49 2020	(r526120)
@@ -4,7 +4,7 @@
 PORTNAME=	grub2-bhyve
 DISTVERSIONPREFIX=	v
 DISTVERSION=	0.40
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	sysutils
 
 MAINTAINER=	ports@FreeBSD.org

Copied: branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c (from r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c	Fri Feb 14 15:41:49 2020	(r526120, copy of r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_commands_iorw.c)
@@ -0,0 +1,39 @@
+--- grub-core/commands/iorw.c.orig	2015-08-31 22:42:56 UTC
++++ grub-core/commands/iorw.c
+@@ -45,6 +45,9 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+ 
+   if (argc != 1)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
++#if 1 /* BHYVE */
++  grub_puts_("Reading host IO ports disabled.");
++#else
+ 
+   addr = grub_strtoul (argv[0], 0, 0);
+   switch (ctxt->extcmd->cmd->name[sizeof ("in") - 1])
+@@ -70,6 +73,7 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+     }
+   else
+     grub_printf ("0x%x\n", value);
++#endif
+ 
+   return 0;
+ }
+@@ -84,6 +88,10 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+   if (argc != 2 && argc != 3)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
+ 
++#if 1 /* BHYVE */
++  grub_puts_("Writing host IO ports disabled.");
++#else
++
+   addr = grub_strtoul (argv[0], 0, 0);
+   value = grub_strtoul (argv[1], 0, 0);
+   if (argc == 3)
+@@ -112,6 +120,7 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+ 	grub_outb (value, addr);
+       break;
+     }
++#endif
+ 
+   return 0;
+ }

Copied: branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c (from r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c	Fri Feb 14 15:41:49 2020	(r526120, copy of r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_commands_memrw.c)
@@ -0,0 +1,38 @@
+--- grub-core/commands/memrw.c.orig	2015-08-31 22:42:56 UTC
++++ grub-core/commands/memrw.c
+@@ -46,6 +46,9 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+   if (argc != 1)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+ 
++#if 1 /* BHYVE */
++  grub_puts_("Reading host memory disabled.");
++#else
+   addr = grub_strtoul (argv[0], 0, 0);
+   switch (ctxt->extcmd->cmd->name[sizeof ("read_") - 1])
+     {
+@@ -69,6 +72,7 @@ grub_cmd_read (grub_extcmd_context_t ctxt, int argc, c
+     }
+   else
+     grub_printf ("0x%x\n", value);
++#endif
+ 
+   return 0;
+ }
+@@ -83,6 +87,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+   if (argc != 2 && argc != 3)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
+ 
++#if 1 /* BHYVE */
++  grub_puts_("Writing host memory disabled.");
++#else
+   addr = grub_strtoul (argv[0], 0, 0);
+   value = grub_strtoul (argv[1], 0, 0);
+   if (argc == 3)
+@@ -114,6 +121,7 @@ grub_cmd_write (grub_command_t cmd, int argc, char **a
+ 	*((volatile grub_uint8_t *) addr) = value;
+       break;
+     }
++#endif
+ 
+   return 0;
+ }

Copied: branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c (from r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2020Q1/sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c	Fri Feb 14 15:41:49 2020	(r526120, copy of r525916, head/sysutils/grub2-bhyve/files/patch-grub-core_font_font__cmd.c)
@@ -0,0 +1,20 @@
+--- grub-core/font/font_cmd.c.orig	2020-02-03 00:11:34 UTC
++++ grub-core/font/font_cmd.c
+@@ -28,6 +28,9 @@ loadfont_command (grub_command_t cmd __attribute__ ((u
+ 		  int argc,
+ 		  char **args)
+ {
++#if 1 /* BHYVE */
++  grub_puts_("Font loading disabled.");
++#else
+   if (argc == 0)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+ 
+@@ -38,6 +41,7 @@ loadfont_command (grub_command_t cmd __attribute__ ((u
+ 	  return grub_error (GRUB_ERR_BAD_FONT, "invalid font");
+ 	return grub_errno;
+       }
++#endif
+ 
+   return GRUB_ERR_NONE;
+ }