From: B Horn <b@horn.uk>
Date: Fri, 1 Nov 2024 19:24:29 +0000 (+0000)
Subject: commands/pgp: Unregister the "check_signatures" hooks on module unload
X-Git-Tag: archive/raspbian/2.12-9+rpi1^2~40
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22Program/%22http:/www.example.com/cgi/%22https:/%22Program?a=commitdiff_plain;h=7c3906064364ae78152e1bf537b2b55551ba5302;p=grub2.git

commands/pgp: Unregister the "check_signatures" hooks on module unload

If the hooks are not removed they can be called after the module has
been unloaded leading to an use-after-free.

Fixes: CVE-2025-0622

Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name commands-pgp-Unregister-the-check_signatures-hooks-on-mod.patch
---

diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index c6766f0..5fadc33 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)
 
 GRUB_MOD_FINI(pgp)
 {
+  grub_register_variable_hook ("check_signatures", NULL, NULL);
+  grub_env_unset ("check_signatures");
   grub_verifier_unregister (&grub_pubkey_verifier);
   grub_unregister_extcmd (cmd);
   grub_unregister_extcmd (cmd_trust);