CVE-2025-0684 - Exploiting Grub2's ReiserFS Symlink Handling for Secure Boot Bypass

_Discovered in early 2025, CVE-2025-0684 exposes a critical flaw in GRUB2's implementation of the ReiserFS filesystem. This vulnerability lets attackers craft malicious ReiserFS filesystems and, through careful manipulation, execute arbitrary code even when Secure Boot is enabled._

Background: What is GRUB2 and ReiserFS?

GRUB2 (Grand Unified Bootloader v2) is the bootloader for almost every modern Linux distribution. If compromised, it can undermine any security mechanism built on top of the boot chain, including Secure Boot.

ReiserFS is a journaling filesystem that, while not as popular nowadays, is still supported by GRUB2. This support introduces a rarely-audited risk area.

The Vulnerability Explained

When GRUB2 loads its configuration and files from a disk, it can encounter symlinks (symbolic links). For ReiserFS, symlink reading is handled by functions in the grub's ReiserFS module. Here's the critical part: When looking up a symlink, GRUB uses filesystem metadata, including user-controlled parameters, to calculate buffer sizes.

The problem? GRUB2’s code fails to guard against integer overflows in these calculations. If a "malicious" ReiserFS filesystem is crafted with tricky geometry, buffer size calculations can overflow. The result: A buffer smaller than necessary is allocated, but the code later writes into it as if it’s larger. Voilà — heap-based out-of-bounds write!

This simple bug can be weaponized in a bootloader context. Here's how.

Vulnerable Code Path

The issue is in grub_reiserfs_read_symlink(), which, when reading a symlink, calculates a buffer size like so (simplified for clarity):

// Pseudo-code, inspired by the actual grub2 codebase
unsigned long symlink_size = inode->size; // user-controlled from filesystem
void *buffer = grub_malloc(symlink_size);

// ... later in the code
grub_reiserfs_read_real(buffer, symlink_size);

What's dangerous is that if symlink_size is large enough to overflow, grub_malloc() may allocate a very small buffer, but the read function will write much more data, overflowing into critical regions of memory.

Proof-of-Concept Exploit

To exploit CVE-2025-0684, an attacker needs to prepare a special ReiserFS filesystem where the symlink’s size field (inode->size) triggers an overflow.

This can be done with tools like reiserfsprogs and manually editing filesystem images, or with custom tooling.

PoC: Crafting a Malicious ReiserFS Filesystem

import struct

def craft_reiserfs_image():
    # This is illustrative pseudocode: actual exploit requires low-level work
    fs_image = bytearray(4096)
    # Put inodes and symlink metadata at their expected places
    symlink_inode_offset = 1024
    symlink_size = xFFFFFFFF # triggers overflow in calculation
    fs_image[symlink_inode_offset:symlink_inode_offset+4] = struct.pack('<I', symlink_size)
    # ... more code to construct a valid reiserfs structure ...
    with open("malicious_reiserfs.img", "wb") as f:
        f.write(fs_image)

craft_reiserfs_image()

When this image is mounted as /boot or another root disk GRUB2 will access, it can typically overwrite memory within GRUB's heap. This may let an attacker:

Execute arbitrary code in early boot**

And because this happens _before_ the Linux kernel starts, even Secure Boot can’t save you: the compromise is below the operating system.

The heap overflow enables arbitrary code execution, such as dropping and running an EFI payload.

5. The attacker now fully controls the boot process, potentially implanting deep-rooted firmware malware.

Why is This Important?

- Pre-OS Exploitation: This is bug in the bootloader, not the operating system. It’s a foundational threat.
- Bypasses Secure Boot: The exploit runs code _before_ Microsoft/UEFI Secure Boot signature checks enforce OS-level security.
- Rarely used code: ReiserFS support in bootloaders is niche — attackers love obscure, low-profile bugs for precisely this reason.

Mitigations and Fix Status

Red Hat and other vendors have issued urgent patches to add proper bounds-checking and prevent integer overflows in the ReiserFS code. The best defense is to update GRUB2 immediately.

References

- Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2025-0684
- CVE NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-0684
- Upstream patch: https://www.gnu.org/software/grub/grub-news.html

If your GRUB2 installation doesn't read from ReiserFS, you are safer, but not immune (a crafted bootable USB could bypass default boot disk settings).

Final Thoughts

CVE-2025-0684 is a classic reminder: obscure code paths are not safe. Even old filesystems like ReiserFS, rarely used, can house security holes that let attackers bypass our most trusted security setups. Keep bootloader components up-to-date, minimize supported filesystems, and keep an eye on the entire boot chain — attackers certainly are.

Timeline

Published on: 03/03/2025 18:15:30 UTC