Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1821540 - grub2-editenv: corrupt grubenv with crafted settings
Summary: grub2-editenv: corrupt grubenv with crafted settings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: grub2
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1825575 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-07 03:12 UTC by Steve
Modified: 2020-06-09 18:44 UTC (History)
5 users (show)

Fixed In Version: grub2-2.02-109.fc31
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-28 01:59:30 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Steve 2020-04-07 03:12:18 UTC
Description of problem:

By completely filling the grubenv environment block and then removing the fill characters, it is possible to corrupt grubenv.

The corruption takes the form of duplicated variables.

Version-Release number of selected component (if applicable):
grub2-tools-minimal-2.02-107.fc31.x86_64

Procedure:

Start with this grubenv:

# grub2-editenv grubenv.EXP1 list
saved_entry=1
boot_success=1
kernelopts=root=UUID=54f79645-f858-46e0-af7a-97aecc88ff87 ro  
boot_indeterminate=0

Using grub2-editenv, repeatedly add the "-" character to the "saved_entry" variable until the environment block is completely filled. Here is an intermediate step:

# grub2-editenv grubenv.EXP1 set saved_entry=x--------------------------------------------y

This is the end result of the first stage. Note that the environment block is completely filled:

# hexdump -C grubenv.EXP1 
00000000  23 20 47 52 55 42 20 45  6e 76 69 72 6f 6e 6d 65  |# GRUB Environme|
00000010  6e 74 20 42 6c 6f 63 6b  0a 73 61 76 65 64 5f 65  |nt Block.saved_e|
00000020  6e 74 72 79 3d 78 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |ntry=x----------|
00000030  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |----------------|
*
00000390  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 79 0a 62 6f 6f  |-----------y.boo|
000003a0  74 5f 73 75 63 63 65 73  73 3d 31 0a 6b 65 72 6e  |t_success=1.kern|
000003b0  65 6c 6f 70 74 73 3d 72  6f 6f 74 3d 55 55 49 44  |elopts=root=UUID|
000003c0  3d 35 34 66 37 39 36 34  35 2d 66 38 35 38 2d 34  |=54f79645-f858-4|
000003d0  36 65 30 2d 61 66 37 61  2d 39 37 61 65 63 63 38  |6e0-af7a-97aecc8|
000003e0  38 66 66 38 37 20 72 6f  20 20 0a 62 6f 6f 74 5f  |8ff87 ro  .boot_|
000003f0  69 6e 64 65 74 65 72 6d  69 6e 61 74 65 3d 30 0a  |indeterminate=0.|
00000400

Next, using grub2-editenv, remove the "-" characters:

# grub2-editenv grubenv.EXP1 set saved_entry=x-y

Now, grubenv.EXP1 is corrupt:

# hexdump -C grubenv.EXP1 
00000000  23 20 47 52 55 42 20 45  6e 76 69 72 6f 6e 6d 65  |# GRUB Environme|
00000010  6e 74 20 42 6c 6f 63 6b  0a 73 61 76 65 64 5f 65  |nt Block.saved_e|
00000020  6e 74 72 79 3d 78 2d 79  0a 62 6f 6f 74 5f 73 75  |ntry=x-y.boot_su|
00000030  63 63 65 73 73 3d 31 0a  6b 65 72 6e 65 6c 6f 70  |ccess=1.kernelop|
00000040  74 73 3d 72 6f 6f 74 3d  55 55 49 44 3d 35 34 66  |ts=root=UUID=54f|
00000050  37 39 36 34 35 2d 66 38  35 38 2d 34 36 65 30 2d  |79645-f858-46e0-|
00000060  61 66 37 61 2d 39 37 61  65 63 63 38 38 66 66 38  |af7a-97aecc88ff8|
00000070  37 20 72 6f 20 20 0a 62  6f 6f 74 5f 69 6e 64 65  |7 ro  .boot_inde|
00000080  74 65 72 6d 69 6e 61 74  65 3d 30 0a 2d 2d 2d 2d  |terminate=0.----|
00000090  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |----------------|
*
00000390  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 79 0a 62 6f 6f  |-----------y.boo|
000003a0  74 5f 73 75 63 63 65 73  73 3d 31 0a 6b 65 72 6e  |t_success=1.kern|
000003b0  65 6c 6f 70 74 73 3d 72  6f 6f 74 3d 55 55 49 44  |elopts=root=UUID|
000003c0  3d 35 34 66 37 39 36 34  35 2d 66 38 35 38 2d 34  |=54f79645-f858-4|
000003d0  36 65 30 2d 61 66 37 61  2d 39 37 61 65 63 63 38  |6e0-af7a-97aecc8|
000003e0  38 66 66 38 37 20 72 6f  20 20 0a 62 6f 6f 74 5f  |8ff87 ro  .boot_|
000003f0  69 6e 64 65 74 65 72 6d  69 6e 61 74 65 3d 30 0a  |indeterminate=0.|
00000400

And the "list" command shows duplicated variables:

# grub2-editenv grubenv.EXP1 list
saved_entry=x-y
boot_success=1
kernelopts=root=UUID=54f79645-f858-46e0-af7a-97aecc88ff87 ro  
boot_indeterminate=0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------y
boot_success=1
kernelopts=root=UUID=54f79645-f858-46e0-af7a-97aecc88ff87 ro  
boot_indeterminate=0

Comment 1 Fedora Update System 2020-05-26 12:41:32 UTC
FEDORA-2020-cb6151044a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-cb6151044a

Comment 2 Javier Martinez Canillas 2020-05-26 13:02:10 UTC
*** Bug 1825575 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2020-05-28 01:59:30 UTC
FEDORA-2020-cb6151044a has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Nik 2020-06-09 18:44:45 UTC
Similar problem has been detected:

I tried installing fedora 31 with Automatic partitioning

addons:         com_redhat_kdump
blivet-gui-utils.log: 
cmdline:        /usr/bin/python3  /sbin/anaconda --liveinst --method=livecd:/dev/mapper/live-base
cmdline_file:   BOOT_IMAGE=/images/pxeboot/vmlinuz root=live:CDLABEL=FEDORA-WS-L rd.live.image rd.live.check quiet
hashmarkername: anaconda
kernel:         5.3.7-301.fc31.x86_64
other involved packages: python3-libs-3.7.4-5.fc31.x86_64
package:        anaconda-core-31.22.6-2.fc31.x86_64
product:        Fedora
reason:         pyanaconda.bootloader.base.BootLoaderError: failed to write boot loader configuration
release:        Fedora release 31 (Thirty One)
version:        31


Note You need to log in before you can comment on or make changes to this bug.