GRUB was designed to run in a trusted environment, where anyone with access
to grub2.cfg could also modify grub itself. In grub2-bhyve, we have
modified it to run in host context, but interpret the commands of guest
grub2.cfg. This means we have to worry about malicious guests.
This patch addresses two escalation vectors: font-loading, and the direct
'read', 'write', 'in', and 'out' commands (which read/write arbitrary
addresses). Both reported by Reno Robert.
Disable font-loading by neutering the command. It is believed to be non-
essential and there is at least one buffer overflow in the font loading
code.
Disable reading and writing host memory and IO ports. It is believed to be
non-essential.
admbugs: 948
Reported by: Reno Robert <renorobert AT gmail.com>
Approved by: bapt
MFH: 2010Q1 (bapt)
Security: yes
419a5e5ce8