group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 2055835] Re: insmod reference count overflow

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Mate Kukri <2055835@xxxxxxxxxxxxxxxxxx>
Date: Thu, 13 Mar 2025 14:01:35 -0000
Reply-to: Bug 2055835 <2055835@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Re-using this as a tracking bug for all the GRUB security updates
(because it is already in the changelog).

grub2 uploads should exist for series that runs 2.12, grub2-unsigned for
everything (both 2.06 and 2.12).

** Information type changed from Private Security to Public Security

** Also affects: grub2-unsigned (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: grub2-unsigned (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: grub2-unsigned (Ubuntu Plucky)
   Importance: Undecided
     Assignee: Mate Kukri (mkukri)
       Status: New

** Also affects: grub2-unsigned (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: grub2-unsigned (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: grub2-unsigned (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: grub2-unsigned (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Summary changed:

- insmod reference count overflow
+ insmod reference count overflow (GRUB 2025 spring security update)

** Also affects: grub2 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: grub2 (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: grub2 (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: grub2 (Ubuntu Focal)
       Status: New => Invalid

** Changed in: grub2 (Ubuntu Jammy)
       Status: New => Invalid

** Changed in: grub2-unsigned (Ubuntu Plucky)
    Milestone: None => ubuntu-25.04-beta

** Changed in: grub2 (Ubuntu Plucky)
    Milestone: None => ubuntu-25.04-beta

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2055835

Title:
  insmod reference count overflow (GRUB 2025 spring security update)

Status in grub2 package in Ubuntu:
  New
Status in grub2-unsigned package in Ubuntu:
  New
Status in grub2 source package in Xenial:
  Invalid
Status in grub2-unsigned source package in Xenial:
  New
Status in grub2 source package in Bionic:
  Invalid
Status in grub2-unsigned source package in Bionic:
  New
Status in grub2 source package in Focal:
  Invalid
Status in grub2-unsigned source package in Focal:
  New
Status in grub2 source package in Jammy:
  Invalid
Status in grub2-unsigned source package in Jammy:
  New
Status in grub2 source package in Noble:
  New
Status in grub2-unsigned source package in Noble:
  New
Status in grub2 source package in Oracular:
  New
Status in grub2-unsigned source package in Oracular:
  New
Status in grub2 source package in Plucky:
  New
Status in grub2-unsigned source package in Plucky:
  New
Status in grub2 package in Debian:
  New

Bug description:
  Repeatedly executing the `insmod` command on a module leads to the
  module's reference count to be incremented on each execution.

  Unfortunately GRUB performs no overflow checks on module reference
  count, thus leading to the reference count overflowing, and in turn
  allowing `rrmod` to be executed on such a module.

  This returns the module's heap memory *while leaving active pointers
  to it*. Subsequent heap allocations will re-use this memory,
  potentially allowing an attacker to replace a module with an unsigned
  payload and lead to its execution.

  The reference count is a 32-bit integer, and executing enough
  `insmod`s to lead to it's overflow takes multiple hours thus making
  this issue exploit rather time consuming.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2055835/+subscriptions