Bug 1821540 - grub2-editenv: corrupt grubenv with crafted settings
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: grub2
Version: 31
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1825575
Reported: 2020-04-07 03:12 UTC by Steve
Modified: 2020-06-09 18:44 UTC (History)

Fixed In Version: grub2-2.02-109.fc31
Last Closed: 2020-05-28 01:59:30 UTC
Type: Bug

Description Steve 2020-04-07 03:12:18 UTC
Description of problem:

By completely filling the grubenv environment block and then removing the fill characters, it is possible to corrupt grubenv.

The corruption takes the form of duplicated variables.

Version-Release number of selected component (if applicable):
grub2-tools-minimal-2.02-107.fc31.x86_64

Procedure:

Start with this grubenv:

# grub2-editenv grubenv.EXP1 list
saved_entry=1
boot_success=1
kernelopts=root=UUID=54f79645-f858-46e0-af7a-97aecc88ff87 ro  
boot_indeterminate=0

Using grub2-editenv, repeatedly add the "-" character to the "saved_entry" variable until the environment block is completely filled. Here is an intermediate step:

# grub2-editenv grubenv.EXP1 set saved_entry=x--------------------------------------------y

This is the end result of the first stage. Note that the environment block is completely filled:

# hexdump -C grubenv.EXP1 
00000000  23 20 47 52 55 42 20 45  6e 76 69 72 6f 6e 6d 65  |# GRUB Environme|
00000010  6e 74 20 42 6c 6f 63 6b  0a 73 61 76 65 64 5f 65  |nt Block.saved_e|
00000020  6e 74 72 79 3d 78 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |ntry=x----------|
00000030  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |----------------|
*
00000390  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 79 0a 62 6f 6f  |-----------y.boo|
000003a0  74 5f 73 75 63 63 65 73  73 3d 31 0a 6b 65 72 6e  |t_success=1.kern|
000003b0  65 6c 6f 70 74 73 3d 72  6f 6f 74 3d 55 55 49 44  |elopts=root=UUID|
000003c0  3d 35 34 66 37 39 36 34  35 2d 66 38 35 38 2d 34  |=54f79645-f858-4|
000003d0  36 65 30 2d 61 66 37 61  2d 39 37 61 65 63 63 38  |6e0-af7a-97aecc8|
000003e0  38 66 66 38 37 20 72 6f  20 20 0a 62 6f 6f 74 5f  |8ff87 ro  .boot_|
000003f0  69 6e 64 65 74 65 72 6d  69 6e 61 74 65 3d 30 0a  |indeterminate=0.|
00000400

Next, using grub2-editenv, remove the "-" characters:

# grub2-editenv grubenv.EXP1 set saved_entry=x-y

Now, grubenv.EXP1 is corrupt:

# hexdump -C grubenv.EXP1 
00000000  23 20 47 52 55 42 20 45  6e 76 69 72 6f 6e 6d 65  |# GRUB Environme|
00000010  6e 74 20 42 6c 6f 63 6b  0a 73 61 76 65 64 5f 65  |nt Block.saved_e|
00000020  6e 74 72 79 3d 78 2d 79  0a 62 6f 6f 74 5f 73 75  |ntry=x-y.boot_su|
00000030  63 63 65 73 73 3d 31 0a  6b 65 72 6e 65 6c 6f 70  |ccess=1.kernelop|
00000040  74 73 3d 72 6f 6f 74 3d  55 55 49 44 3d 35 34 66  |ts=root=UUID=54f|
00000050  37 39 36 34 35 2d 66 38  35 38 2d 34 36 65 30 2d  |79645-f858-46e0-|
00000060  61 66 37 61 2d 39 37 61  65 63 63 38 38 66 66 38  |af7a-97aecc88ff8|
00000070  37 20 72 6f 20 20 0a 62  6f 6f 74 5f 69 6e 64 65  |7 ro  .boot_inde|
00000080  74 65 72 6d 69 6e 61 74  65 3d 30 0a 2d 2d 2d 2d  |terminate=0.----|
00000090  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |----------------|
*
00000390  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 79 0a 62 6f 6f  |-----------y.boo|
000003a0  74 5f 73 75 63 63 65 73  73 3d 31 0a 6b 65 72 6e  |t_success=1.kern|
000003b0  65 6c 6f 70 74 73 3d 72  6f 6f 74 3d 55 55 49 44  |elopts=root=UUID|
000003c0  3d 35 34 66 37 39 36 34  35 2d 66 38 35 38 2d 34  |=54f79645-f858-4|
000003d0  36 65 30 2d 61 66 37 61  2d 39 37 61 65 63 63 38  |6e0-af7a-97aecc8|
000003e0  38 66 66 38 37 20 72 6f  20 20 0a 62 6f 6f 74 5f  |8ff87 ro  .boot_|
000003f0  69 6e 64 65 74 65 72 6d  69 6e 61 74 65 3d 30 0a  |indeterminate=0.|
00000400

And the "list" command shows duplicated variables:

# grub2-editenv grubenv.EXP1 list
saved_entry=x-y
boot_success=1
kernelopts=root=UUID=54f79645-f858-46e0-af7a-97aecc88ff87 ro  
boot_indeterminate=0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------y
boot_success=1
kernelopts=root=UUID=54f79645-f858-46e0-af7a-97aecc88ff87 ro  
boot_indeterminate=0
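
An integrity check for the corruption reported above, added here as an example (it is not part of the bug report or of grub2). The names audit_envblk and build_samples are hypothetical, the sample blocks are constructed from the hexdumps in the report, and the check assumes that unused space is filled with "#" and that values contain no escaped newlines.

```python
from collections import Counter

SIGNATURE = b"# GRUB Environment Block\n"  # first bytes in the report's hexdump
BLOCK_SIZE = 1024                          # 0x400, the final offset in the dump
REST = (b"boot_success=1\n"
        b"kernelopts=root=UUID=54f79645-f858-46e0-af7a-97aecc88ff87 ro  \n"
        b"boot_indeterminate=0\n")

def audit_envblk(data: bytes) -> list[str]:
    """Return integrity findings for a grubenv block (empty list = clean)."""
    findings = []
    if len(data) != BLOCK_SIZE:
        findings.append(f"size {len(data)} != {BLOCK_SIZE}")
    if not data.startswith(SIGNATURE):
        return findings + ["bad signature"]
    names = Counter()
    offset = len(SIGNATURE)
    for line in data[offset:].split(b"\n"):
        start, offset = offset, offset + len(line) + 1
        if line.strip(b"#") == b"":
            continue  # assumed '#' fill, or the empty tail after the last newline
        name, sep, _value = line.partition(b"=")
        if not sep or not name:
            # Leftover bytes that are neither an assignment nor fill
            findings.append(f"stray data at 0x{start:x} ({len(line)} bytes)")
        else:
            names[name.decode("ascii", "replace")] += 1
    for name, count in names.items():
        if count > 1:
            findings.append(f"duplicate variable {name} x{count}")
    return findings

def build_samples():
    """Constructed blocks: completely filled, corrupt as reported, and clean."""
    room = BLOCK_SIZE - len(SIGNATURE) - len(REST) - len(b"saved_entry=xy\n")
    full = SIGNATURE + b"saved_entry=x" + b"-" * room + b"y\n" + REST
    shrunk = SIGNATURE + b"saved_entry=x-y\n" + REST
    corrupt = shrunk + full[len(shrunk):]  # stale tail left in place, as in the dump
    healthy = shrunk + b"#" * (BLOCK_SIZE - len(shrunk))
    return full, corrupt, healthy

if __name__ == "__main__":
    for finding in audit_envblk(build_samples()[1]):
        print(finding)
```

Run against a copy of a real grubenv by passing the file's bytes to audit_envblk; a non-empty result on a block that grub2-editenv itself wrote indicates the condition in this report.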

Comment 1 Fedora Update System 2020-05-26 12:41:32 UTC
FEDORA-2020-cb6151044a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-cb6151044a

Comment 2 Javier Martinez Canillas 2020-05-26 13:02:10 UTC
*** Bug 1825575 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2020-05-28 01:59:30 UTC
FEDORA-2020-cb6151044a has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Nik 2020-06-09 18:44:45 UTC
Similar problem has been detected:

I tried installing Fedora 31 with automatic partitioning.

addons:         com_redhat_kdump
blivet-gui-utils.log: 
cmdline:        /usr/bin/python3  /sbin/anaconda --liveinst --method=livecd:/dev/mapper/live-base
cmdline_file:   BOOT_IMAGE=/images/pxeboot/vmlinuz root=live:CDLABEL=FEDORA-WS-L rd.live.image rd.live.check quiet
hashmarkername: anaconda
kernel:         5.3.7-301.fc31.x86_64
other involved packages: python3-libs-3.7.4-5.fc31.x86_64
package:        anaconda-core-31.22.6-2.fc31.x86_64
product:        Fedora
reason:         pyanaconda.bootloader.base.BootLoaderError: failed to write boot loader configuration
release:        Fedora release 31 (Thirty One)
version:        31

