grub2
cpe:2.3:a:gnu:grub:*:*:*:*:*:*:*
An integer overflow vulnerability has been identified in GRUB2's ROMFS filesystem module. When the module performs a symlink lookup, it uses user-controlled parameters from the filesystem geometry to calculate the internal buffer size. The module does not properly validate these calculations, so a maliciously crafted filesystem can make the buffer size calculation overflow. As a result, the 'grub_malloc()' function can allocate a smaller buffer than intended, leading to out-of-bounds writes. The 'grub_disk_read()' function can then be exploited to corrupt GRUB's critical internal data, potentially allowing arbitrary code execution that bypasses Secure Boot protections.
Exploitation of this vulnerability can lead to heap-based out-of-bounds writes, allowing attackers to corrupt GRUB's internal critical data and execute arbitrary code, bypassing Secure Boot protections.
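The bug class described above, shown as an added example that is not GRUB source code or the upstream fix: an unchecked size calculation that wraps, next to a checked version that refuses to allocate. The function names, the parameters (link_len, extra, fs_size) and the 32-bit size arithmetic are assumptions made for illustration; the check uses the GCC/Clang builtin __builtin_add_overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration; names and parameters are hypothetical, not GRUB source. */

/* Unchecked pattern: 32-bit addition wraps, yielding a too-small size. */
static uint32_t unchecked_size(uint32_t link_len, uint32_t extra)
{
  return link_len + extra;
}

/* Checked pattern: returns 0 and stores the sum, or -1 if it would wrap. */
static int checked_size(uint32_t link_len, uint32_t extra, uint32_t *out)
{
  return __builtin_add_overflow(link_len, extra, out) ? -1 : 0;
}

/* Allocate a buffer for on-disk data only after validating the length:
   it must fit inside the image (fs_size) and the total must not wrap. */
static void *alloc_link_buf(uint32_t link_len, uint32_t extra,
                            uint32_t fs_size, uint32_t *out_size)
{
  uint32_t total;

  if (link_len > fs_size)
    return NULL;                       /* length larger than the image */
  if (checked_size(link_len, extra, &total) != 0)
    return NULL;                       /* size calculation overflowed */
  *out_size = total;
  return malloc(total);
}

int main(void)
{
  uint32_t size = 0;
  /* Constructed sample values, not taken from a real image. */
  uint32_t link_len = 0xFFFFFFF0u, extra = 0x20u;

  printf("unchecked size: %u\n", (unsigned) unchecked_size(link_len, extra));
  void *p = alloc_link_buf(link_len, extra, 0xFFFFFFFFu, &size);
  printf("checked alloc: %s\n", p ? "allocated" : "rejected");
  free(p);
  return 0;
}
```

With the constructed values, the unchecked sum wraps to 16 bytes while the length read from disk is still close to 4 GiB, which is the mismatch that turns a later read into an out-of-bounds write.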