VYPR
Unrated severity · NVD Advisory · Published Jul 31, 2020 · Updated Aug 4, 2024

CVE-2020-14310

Description

Integer overflow in GRUB2's read_section_as_string() allows heap buffer overflow via crafted font file, leading to code execution and UEFI Secure Boot bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer overflow vulnerability exists in the read_section_as_string() function in GRUB2 versions before 2.06. The function expects a font name length to be at most UINT32_MAX - 1 bytes, but it does not verify the supplied length before proceeding with buffer allocation. By crafting a malicious font file containing a NAME section with a length of UINT32_MAX, an attacker can trigger an arithmetic overflow that results in a zero-sized allocation and subsequent heap-based buffer overflow [1][2][3].
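The size arithmetic described above, as an added example that is not GRUB2 source and not part of the original advisory: it contrasts an unchecked 32-bit size computation with a checked one and a reader that rejects an oversized declared length. The helper names, the `len + 1` form (string bytes plus a terminating NUL), and the extra check against the bytes actually available are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers, not GRUB2 source. Assumes a 32-bit allocation size
   computed as len + 1 (string bytes plus terminating NUL). */

/* Unchecked: unsigned arithmetic wraps to 0 when len == UINT32_MAX. */
uint32_t alloc_size_unchecked(uint32_t len)
{
    return len + 1u;
}

/* Checked: returns 0 and stores len + 1, or -1 if len + 1 would wrap. */
int alloc_size_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - 1u)
        return -1;
    *out = len + 1u;
    return 0;
}

/* Hardened reader over an in-memory section: rejects a declared length that
   overflows the size arithmetic or exceeds the bytes actually present. */
char *read_name_section(const uint8_t *data, size_t avail, uint32_t declared_len)
{
    uint32_t size;
    char *s;
    if (alloc_size_checked(declared_len, &size) != 0)
        return NULL;
    if ((size_t)declared_len > avail)
        return NULL;
    s = malloc(size);
    if (s == NULL)
        return NULL;
    memcpy(s, data, declared_len);
    s[declared_len] = '\0';
    return s;
}

int main(void)
{
    const uint8_t sample[] = { 'D', 'e', 'm', 'o' };  /* constructed input */
    char *ok = read_name_section(sample, sizeof sample, 4);
    char *bad = read_name_section(sample, sizeof sample, UINT32_MAX);
    printf("unchecked size: %u, valid: %s, oversized rejected: %s\n",
           (unsigned)alloc_size_unchecked(UINT32_MAX), ok ? ok : "(null)", bad ? "no" : "yes");
    free(ok);
    return 0;
}
```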

Exploitation

To exploit this vulnerability, an attacker must have local access to the system and the ability to boot from or load a specially crafted font file. The attacker crafts a font file with a NAME section whose length field is set to UINT32_MAX. When GRUB2 parses this font, the overflow in read_section_as_string() leads to a zero-sized heap allocation, and attacker-controlled data is then written beyond the boundaries of the allocated buffer [2].

Impact

Successful exploitation allows an attacker to cause a heap-based buffer overflow with attacker-controlled data. This can lead to arbitrary code execution within the GRUB2 context, potentially bypassing UEFI Secure Boot restrictions and compromising the boot process [1][2].

Mitigation

This vulnerability is fixed in GRUB2 version 2.06. Ubuntu released patches in USN-4432-1 [1]. Red Hat addressed the issue via RHSA-2020:3275 and RHSA-2020:3276 for various RHEL versions [2]. Gentoo recommends upgrading to >=sys-devel/grub-2.06_rc1 [3]. No workaround is available; after upgrading, grub-install must be re-run to apply the fix [3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

30

References

5