Unrated severity · NVD Advisory · Published Mar 3, 2025 · Updated Nov 20, 2025

Grub2: squash4: integer overflow may lead to heap based out-of-bounds write when reading data

CVE-2025-0678

Description

Integer overflow in GRUB2's squash4 filesystem module allows heap buffer overflow, potentially enabling arbitrary code execution and secure boot bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw exists in the squash4 filesystem module of GRUB2. When reading data from a squash4 filesystem, the module uses user-controlled parameters from the filesystem geometry to determine internal buffer sizes. It fails to properly check for integer overflows during these calculations. A maliciously crafted filesystem can cause a buffer size calculation to overflow, resulting in grub_malloc() allocating a smaller buffer than expected. Subsequently, direct_read() performs a heap-based out-of-bounds write when reading data. This affects GRUB2 versions that include the squash4 module; no specific version range is provided in the available references [1][2].
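The class of bug described above, as an added example that is not GRUB's squash4 code: a buffer size derived from two untrusted 32-bit geometry fields, first unchecked and then with an overflow check before allocation. The struct, field and function names, the 32-bit size arithmetic and the caller-supplied `limit` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical geometry fields read from an untrusted image (not GRUB's names). */
struct geom {
  uint32_t entry_count;
  uint32_t entry_size;
};

/* Unchecked pattern: the 32-bit product wraps modulo 2^32, so the allocation
   can end up far smaller than entry_count * entry_size bytes. */
uint32_t size_unchecked(const struct geom *g)
{
  return g->entry_count * g->entry_size;
}

/* Checked pattern: returns 0 and stores the size, or -1 to reject the image. */
int size_checked(const struct geom *g, uint32_t limit, uint32_t *out)
{
  uint32_t total;
  if (__builtin_mul_overflow(g->entry_count, g->entry_size, &total))
    return -1;                      /* product does not fit in 32 bits */
  if (total == 0 || total > limit)
    return -1;                      /* empty or above the assumed cap */
  *out = total;
  return 0;
}

/* Allocate only after validation; NULL means "refuse to read this image". */
void *alloc_for_geometry(const struct geom *g, uint32_t limit)
{
  uint32_t size;
  if (size_checked(g, limit, &size) != 0)
    return NULL;
  return malloc(size);
}

int main(void)
{
  /* Constructed sample values, not taken from any real image. */
  struct geom bad = { 0x10000001u, 16u };
  struct geom ok = { 1024u, 16u };
  void *p = alloc_for_geometry(&ok, 1u << 20);
  printf("unchecked size for bad geometry: %u bytes\n", (unsigned) size_unchecked(&bad));
  printf("bad geometry accepted: %s\n", alloc_for_geometry(&bad, 1u << 20) ? "yes" : "no");
  printf("ok geometry accepted: %s\n", p ? "yes" : "no");
  free(p);
  return 0;
}
```

`__builtin_mul_overflow` is a GCC/Clang builtin; the point is that the image is rejected before any allocation or read happens, not that the size is clamped.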

Exploitation

An attacker must be able to supply a specially crafted squash4 filesystem to the target system, for example via a bootable USB drive, CD-ROM, or network boot (PXE). No authentication is required if the attacker controls the boot media. The attacker crafts filesystem geometry values that trigger an integer overflow in the buffer size calculation. When GRUB attempts to read data from this filesystem, the overflow leads to a heap buffer overflow during the direct_read() operation. No user interaction beyond booting from the malicious filesystem is needed [1][2].

Impact

Successful exploitation allows the attacker to corrupt GRUB's internal critical data structures, potentially leading to arbitrary code execution within the GRUB environment. This code execution can bypass Secure Boot protections, as GRUB runs before the operating system and is trusted by the firmware. The attacker gains the ability to execute arbitrary code at the bootloader level, compromising the integrity and security of the entire boot chain [1][2].

Mitigation

As of the publication date (2025-03-03), no patched version of GRUB2 has been disclosed in the available references. Red Hat has acknowledged the issue but has not yet released a fix [1][2]. Until a patch is available, users should avoid using squash4 filesystems with GRUB when possible, or ensure that only trusted, unmodified filesystem images are used. This vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog at the time of writing.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

31

Patches

0

No patches discovered yet.

References

2
