diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch b/SOURCES/0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch index 7101637..617f51b 100644 --- a/SOURCES/0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch +++ b/SOURCES/0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch @@ -1,8 +1,8 @@ -From a897321d9c318c18c92c6431115fd9be71fedba1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: "mike.travis@hpe.com" Date: Wed, 28 Mar 2018 11:42:18 -0500 -Subject: [PATCH 288/288] efi/uga: Fix PCIe LER when GRUB2 accesses non-enabled - MMIO data from VGA +Subject: [PATCH] efi/uga: Fix PCIe LER when GRUB2 accesses non-enabled MMIO + data from VGA A GPU inserted into a PCIe I/O slot disappears during system startup. The problem centers around GRUB and a specific VGA init function in @@ -45,6 +45,3 @@ index 1d4091c5631..97a607c01a5 100644 { int i; --- -2.17.1 - diff --git a/SOURCES/0289-efidisk-prevent-errors-from-diskfilter-scan-of-remov.patch b/SOURCES/0289-efidisk-prevent-errors-from-diskfilter-scan-of-remov.patch index 70abdb9..22bee04 100644 --- a/SOURCES/0289-efidisk-prevent-errors-from-diskfilter-scan-of-remov.patch +++ b/SOURCES/0289-efidisk-prevent-errors-from-diskfilter-scan-of-remov.patch @@ -1,4 +1,4 @@ -From 8f4dc1510c0f42a549b91c28eda74fe8a1e2a5d4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Andrei Borzenkov Date: Fri, 26 Feb 2016 21:44:37 +0300 Subject: [PATCH] efidisk: prevent errors from diskfilter scan of removable @@ -49,6 +49,3 @@ index f04f20b84ff..41adc1b0421 100644 (unsigned long long) sector, disk->name); return GRUB_ERR_NONE; --- -2.20.1 - diff --git a/SOURCES/0290-Prepend-prefix-when-HTTP-path-is-relative.patch b/SOURCES/0290-Prepend-prefix-when-HTTP-path-is-relative.patch index 41ddacb..1b1af53 100644 --- a/SOURCES/0290-Prepend-prefix-when-HTTP-path-is-relative.patch +++ b/SOURCES/0290-Prepend-prefix-when-HTTP-path-is-relative.patch @@ -1,7 +1,7 @@ -From 2370f3f3db0f6887d6be36880be9dc6237cb4f3f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Stephen Benjamin Date: Thu, 16 Aug 2018 16:58:51 -0400 -Subject: [PATCH 290/335] Prepend prefix when HTTP path is relative +Subject: [PATCH] Prepend prefix when HTTP path is relative This sets a couple of variables. With the url http://www.example.com/foo/bar : http_path: /foo/bar @@ -9,8 +9,8 @@ http_url: http://www.example.com/foo/bar Signed-off-by: Peter Jones --- - grub-core/kern/main.c | 10 ++++- - grub-core/net/efi/http.c | 82 ++++++++++++++++++++++++++++++---------- + grub-core/kern/main.c | 10 +++++- + grub-core/net/efi/http.c | 82 ++++++++++++++++++++++++++++++++++++------------ 2 files changed, 71 insertions(+), 21 deletions(-) diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c @@ -148,6 +148,3 @@ index 243acbaa35b..de351b2cd03 100644 buf = grub_malloc (size); efihttp_read (dev, buf, size); --- -2.26.2 - diff --git a/SOURCES/0291-efi-http-Export-fw-http-_path-variables-to-make-them.patch b/SOURCES/0291-efi-http-Export-fw-http-_path-variables-to-make-them.patch index e1fad33..1f85760 100644 --- a/SOURCES/0291-efi-http-Export-fw-http-_path-variables-to-make-them.patch +++ b/SOURCES/0291-efi-http-Export-fw-http-_path-variables-to-make-them.patch @@ -1,8 +1,7 @@ -From 4ff5717d7c45e53637ac5dedf8b37bc25268e2e7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Thu, 5 Mar 2020 16:21:47 +0100 -Subject: [PATCH 291/335] efi/http: Export {fw,http}_path variables to make - them global +Subject: [PATCH] efi/http: Export {fw,http}_path variables to make them global The fw_path environment variable is used by http_configure() function to determine the HTTP path that should be used as prefix when using relative @@ -49,6 +48,3 @@ index de351b2cd03..755b7a6d054 100644 } } --- -2.26.2 - diff --git a/SOURCES/0292-efi-http-Enclose-literal-IPv6-addresses-in-square-br.patch b/SOURCES/0292-efi-http-Enclose-literal-IPv6-addresses-in-square-br.patch index aa51d9a..c394549 100644 --- a/SOURCES/0292-efi-http-Enclose-literal-IPv6-addresses-in-square-br.patch +++ b/SOURCES/0292-efi-http-Enclose-literal-IPv6-addresses-in-square-br.patch @@ -1,8 +1,7 @@ -From 37bc0adedaba1c662125f9ece262c918155d69ac Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Thu, 5 Mar 2020 16:21:58 +0100 -Subject: [PATCH 292/335] efi/http: Enclose literal IPv6 addresses in square - brackets +Subject: [PATCH] efi/http: Enclose literal IPv6 addresses in square brackets According to RFC 2732 (https://www.ietf.org/rfc/rfc2732.txt), literal IPv6 addresses must be enclosed in square brackets. But GRUB currently does not @@ -113,6 +112,3 @@ index 755b7a6d054..fc8cb25ae0a 100644 if (status != GRUB_EFI_SUCCESS) { efi_call_1 (b->close_event, request_token.event); --- -2.26.2 - diff --git a/SOURCES/0293-efi-net-Allow-to-specify-a-port-number-in-addresses.patch b/SOURCES/0293-efi-net-Allow-to-specify-a-port-number-in-addresses.patch index 9c20c5e..3c3dd79 100644 --- a/SOURCES/0293-efi-net-Allow-to-specify-a-port-number-in-addresses.patch +++ b/SOURCES/0293-efi-net-Allow-to-specify-a-port-number-in-addresses.patch @@ -1,7 +1,7 @@ -From e38e81e73ca86b80d0a90be44d0bd257ad0148ff Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Mon, 9 Mar 2020 15:29:45 +0100 -Subject: [PATCH 293/335] efi/net: Allow to specify a port number in addresses +Subject: [PATCH] efi/net: Allow to specify a port number in addresses The grub_efi_net_parse_address() function is not covering the case where a port number is specified in an IPv4 or IPv6 address, so will fail to parse @@ -46,6 +46,3 @@ index f208d1b180c..8981abcb83d 100644 { ip6->prefix_length = 128; ip6->is_anycast = 0; --- -2.26.2 - diff --git a/SOURCES/0294-efi-ip4_config-Improve-check-to-detect-literal-IPv6-.patch b/SOURCES/0294-efi-ip4_config-Improve-check-to-detect-literal-IPv6-.patch index f0a71e7..f92dee4 100644 --- a/SOURCES/0294-efi-ip4_config-Improve-check-to-detect-literal-IPv6-.patch +++ b/SOURCES/0294-efi-ip4_config-Improve-check-to-detect-literal-IPv6-.patch @@ -1,7 +1,7 @@ -From f865c027b51915e178945168b8f94c4148b43907 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Mon, 9 Mar 2020 15:30:05 +0100 -Subject: [PATCH 294/335] efi/ip4_config: Improve check to detect literal IPv6 +Subject: [PATCH] efi/ip4_config: Improve check to detect literal IPv6 addresses The grub_efi_string_to_ip4_address() function wrongly assumes that an IPv6 @@ -46,6 +46,3 @@ index b711a5d9457..313c818b184 100644 for (i = 0; i < 4; i++) { unsigned long t; --- -2.26.2 - diff --git a/SOURCES/0295-efi-net-Print-a-debug-message-if-parsing-the-address.patch b/SOURCES/0295-efi-net-Print-a-debug-message-if-parsing-the-address.patch index 8bcb8f8..49954be 100644 --- a/SOURCES/0295-efi-net-Print-a-debug-message-if-parsing-the-address.patch +++ b/SOURCES/0295-efi-net-Print-a-debug-message-if-parsing-the-address.patch @@ -1,8 +1,7 @@ -From d71587f7ed21e623e1c61855c127a13b7256e421 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Tue, 10 Mar 2020 11:23:49 +0100 -Subject: [PATCH 295/335] efi/net: Print a debug message if parsing the address - fails +Subject: [PATCH] efi/net: Print a debug message if parsing the address fails Currently if parsing the address fails an error message is printed. But in most cases this isn't a fatal error since the grub_efi_net_parse_address() @@ -67,6 +66,3 @@ index 8981abcb83d..86bcae281a7 100644 { grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("disk `%s' no route found"), name); --- -2.26.2 - diff --git a/SOURCES/0296-btrfs-avoid-used-uninitialized-error-with-GCC7.patch b/SOURCES/0296-btrfs-avoid-used-uninitialized-error-with-GCC7.patch index 3b838ef..b8146e6 100644 --- a/SOURCES/0296-btrfs-avoid-used-uninitialized-error-with-GCC7.patch +++ b/SOURCES/0296-btrfs-avoid-used-uninitialized-error-with-GCC7.patch @@ -1,7 +1,7 @@ -From 32fb865bb398d1e310c1ecfe9fabd4dabd17c90d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Andrei Borzenkov Date: Tue, 4 Apr 2017 19:22:32 +0300 -Subject: [PATCH 296/336] btrfs: avoid "used uninitialized" error with GCC7 +Subject: [PATCH] btrfs: avoid "used uninitialized" error with GCC7 sblock was local and so considered new variable on every loop iteration. @@ -28,6 +28,3 @@ index 4a6efffeb46..24a71045025 100644 /* Don't try additional superblocks beyond device size. */ if (i && (grub_le_to_cpu64 (sblock.this_device.size) >> GRUB_DISK_SECTOR_BITS) <= superblock_sectors[i]) --- -2.26.2 - diff --git a/SOURCES/0297-build-Use-AC_HEADER_MAJOR-to-find-device-macros.patch b/SOURCES/0297-build-Use-AC_HEADER_MAJOR-to-find-device-macros.patch index 20bcac7..44b2e41 100644 --- a/SOURCES/0297-build-Use-AC_HEADER_MAJOR-to-find-device-macros.patch +++ b/SOURCES/0297-build-Use-AC_HEADER_MAJOR-to-find-device-macros.patch @@ -1,7 +1,7 @@ -From 2ef912c5d484bbc5427dca6e1c22808f870cb66e Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Mike Gilbert Date: Tue, 19 Apr 2016 14:27:22 -0400 -Subject: [PATCH 297/336] build: Use AC_HEADER_MAJOR to find device macros +Subject: [PATCH] build: Use AC_HEADER_MAJOR to find device macros Depending on the OS/libc, device macros are defined in different headers. This change ensures we include the right one. @@ -104,6 +104,3 @@ index e3887cbea68..026dd79b2d6 100644 #if defined(HAVE_LIBZFS) && defined(HAVE_LIBNVPAIR) # include --- -2.26.2 - diff --git a/SOURCES/0298-Fix-build-with-glibc-2.20.patch b/SOURCES/0298-Fix-build-with-glibc-2.20.patch index a5b4ed6..d81d217 100644 --- a/SOURCES/0298-Fix-build-with-glibc-2.20.patch +++ b/SOURCES/0298-Fix-build-with-glibc-2.20.patch @@ -1,7 +1,7 @@ -From 4c926bc85d44fc11324f2e7e6337e156eb1c7e5e Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 3 Sep 2014 01:15:08 -0700 -Subject: [PATCH 298/336] Fix build with glibc 2.20 +Subject: [PATCH] Fix build with glibc 2.20 * grub-core/kern/emu/hostfs.c: squahes below warning warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" @@ -42,6 +42,3 @@ index a2da9743231..d3f26cf2f0d 100644 2014-06-21 Роман Пехов * grub-core/commands/loadenv.c (check_blocklists): Fix overlap check. --- -2.26.2 - diff --git a/SOURCES/0299-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch b/SOURCES/0299-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch index 8c8db58..1a2c9a5 100644 --- a/SOURCES/0299-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch +++ b/SOURCES/0299-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch @@ -1,7 +1,7 @@ -From 090453af07db09c4856fe8573436f10bb4b3f114 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 15 Apr 2020 15:45:02 -0400 -Subject: [PATCH 299/336] yylex: Make lexer fatal errors actually be fatal +Subject: [PATCH] yylex: Make lexer fatal errors actually be fatal When presented with a command that can't be tokenized to anything smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), @@ -65,6 +65,3 @@ index 9c2cfe11531..a3f15dfe571 100644 } while (0) #define COPY(str, hint) \ --- -2.26.2 - diff --git a/SOURCES/0300-safemath-Add-some-arithmetic-primitives-that-check-f.patch b/SOURCES/0300-safemath-Add-some-arithmetic-primitives-that-check-f.patch index ebe8ece..69c7442 100644 --- a/SOURCES/0300-safemath-Add-some-arithmetic-primitives-that-check-f.patch +++ b/SOURCES/0300-safemath-Add-some-arithmetic-primitives-that-check-f.patch @@ -1,8 +1,8 @@ -From 5c0dc6965ffb6e6bb86b56a363c0f9a38a38be61 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 15 Jun 2020 10:58:42 -0400 -Subject: [PATCH 300/336] safemath: Add some arithmetic primitives that check - for overflow +Subject: [PATCH] safemath: Add some arithmetic primitives that check for + overflow This adds a new header, include/grub/safemath.h, that includes easy to use wrappers for __builtin_{add,sub,mul}_overflow() declared like: @@ -120,6 +120,3 @@ index b67cd7f3476..8f46a3e999c 100644 * GNU Make * GNU Bison 2.3 or later * GNU gettext 0.17 or later --- -2.26.2 - diff --git a/SOURCES/0301-calloc-Make-sure-we-always-have-an-overflow-checking.patch b/SOURCES/0301-calloc-Make-sure-we-always-have-an-overflow-checking.patch index c83b4c4..042da3b 100644 --- a/SOURCES/0301-calloc-Make-sure-we-always-have-an-overflow-checking.patch +++ b/SOURCES/0301-calloc-Make-sure-we-always-have-an-overflow-checking.patch @@ -1,7 +1,7 @@ -From 32e0b660ff1a49517eaf22a10ee93b3f9a689c91 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 15 Jun 2020 12:15:29 -0400 -Subject: [PATCH 301/336] calloc: Make sure we always have an overflow-checking +Subject: [PATCH] calloc: Make sure we always have an overflow-checking calloc() available This tries to make sure that everywhere in this source tree, we always have @@ -13,13 +13,13 @@ Signed-off-by: Peter Jones Reviewed-by: Daniel Kiper Upstream-commit-id: 79e51ab7a9a --- - grub-core/kern/emu/misc.c | 12 +++++++++ - grub-core/kern/emu/mm.c | 10 ++++++++ - grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++ - grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++-- - grub-core/lib/posix_wrap/stdlib.h | 8 +++++- + grub-core/kern/emu/misc.c | 12 ++++++++++++ + grub-core/kern/emu/mm.c | 10 ++++++++++ + grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++ + grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++-- + grub-core/lib/posix_wrap/stdlib.h | 8 +++++++- include/grub/emu/misc.h | 1 + - include/grub/mm.h | 6 +++++ + include/grub/mm.h | 6 ++++++ 7 files changed, 85 insertions(+), 3 deletions(-) diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c @@ -238,6 +238,3 @@ index 28e2e53eb32..9c38dd3ca5d 100644 void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line, grub_size_t size); void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line, --- -2.26.2 - diff --git a/SOURCES/0302-calloc-Use-calloc-at-most-places.patch b/SOURCES/0302-calloc-Use-calloc-at-most-places.patch index 062e462..1f75694 100644 --- a/SOURCES/0302-calloc-Use-calloc-at-most-places.patch +++ b/SOURCES/0302-calloc-Use-calloc-at-most-places.patch @@ -1,7 +1,7 @@ -From fc1c035be81a22f6d5dda205ea4f480a6725599f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 15 Jun 2020 12:26:01 -0400 -Subject: [PATCH 302/336] calloc: Use calloc() at most places +Subject: [PATCH] calloc: Use calloc() at most places This modifies most of the places we do some form of: @@ -23,18 +23,18 @@ Signed-off-by: Peter Jones Reviewed-by: Daniel Kiper Upstream-commit-id: 48eeedf1e4b --- - grub-core/bus/usb/usbhub.c | 8 +-- + grub-core/bus/usb/usbhub.c | 8 ++-- grub-core/commands/efi/lsefisystab.c | 3 +- - grub-core/commands/legacycfg.c | 25 +++++++-- + grub-core/commands/legacycfg.c | 25 ++++++++++-- grub-core/commands/menuentry.c | 2 +- grub-core/commands/nativedisk.c | 2 +- - grub-core/commands/parttool.c | 12 +++-- + grub-core/commands/parttool.c | 12 ++++-- grub-core/commands/regexp.c | 2 +- grub-core/commands/search_wrap.c | 2 +- grub-core/disk/diskfilter.c | 4 +- - grub-core/disk/ldm.c | 14 ++--- + grub-core/disk/ldm.c | 14 +++---- grub-core/disk/luks.c | 2 +- - grub-core/disk/lvm.c | 8 +-- + grub-core/disk/lvm.c | 8 ++-- grub-core/disk/xen/xendisk.c | 2 +- grub-core/efiemu/loadcore.c | 2 +- grub-core/efiemu/mm.c | 6 +-- @@ -42,7 +42,7 @@ Upstream-commit-id: 48eeedf1e4b grub-core/fs/affs.c | 6 +-- grub-core/fs/btrfs.c | 4 +- grub-core/fs/hfs.c | 2 +- - grub-core/fs/hfsplus.c | 63 ++++++++++++++++------- + grub-core/fs/hfsplus.c | 63 +++++++++++++++++++++---------- grub-core/fs/iso9660.c | 2 +- grub-core/fs/ntfs.c | 4 +- grub-core/fs/sfs.c | 2 +- @@ -52,20 +52,20 @@ Upstream-commit-id: 48eeedf1e4b grub-core/gfxmenu/gui_string_util.c | 2 +- grub-core/gfxmenu/widget-box.c | 4 +- grub-core/io/gzio.c | 2 +- - grub-core/kern/efi/efi.c | 31 +++++++++-- + grub-core/kern/efi/efi.c | 31 ++++++++++++--- grub-core/kern/emu/hostdisk.c | 2 +- grub-core/kern/fs.c | 2 +- grub-core/kern/misc.c | 2 +- grub-core/kern/parser.c | 2 +- grub-core/kern/uboot/uboot.c | 2 +- - grub-core/lib/libgcrypt/cipher/ac.c | 8 +-- + grub-core/lib/libgcrypt/cipher/ac.c | 8 ++-- grub-core/lib/libgcrypt/cipher/primegen.c | 4 +- grub-core/lib/libgcrypt/cipher/pubkey.c | 4 +- grub-core/lib/priority_queue.c | 2 +- - grub-core/lib/reed_solomon.c | 7 ++- - grub-core/lib/relocator.c | 10 ++-- + grub-core/lib/reed_solomon.c | 7 ++-- + grub-core/lib/relocator.c | 10 ++--- grub-core/loader/arm/linux.c | 2 +- - grub-core/loader/efi/chainloader.c | 11 ++-- + grub-core/loader/efi/chainloader.c | 11 ++++-- grub-core/loader/i386/bsdXX.c | 2 +- grub-core/loader/i386/xnu.c | 4 +- grub-core/loader/macho.c | 2 +- @@ -73,11 +73,11 @@ Upstream-commit-id: 48eeedf1e4b grub-core/loader/xnu.c | 2 +- grub-core/mmap/mmap.c | 4 +- grub-core/net/bootp.c | 2 +- - grub-core/net/dns.c | 10 ++-- + grub-core/net/dns.c | 10 ++--- grub-core/net/net.c | 4 +- - grub-core/normal/charset.c | 10 ++-- - grub-core/normal/cmdline.c | 14 ++--- - grub-core/normal/menu_entry.c | 14 ++--- + grub-core/normal/charset.c | 10 ++--- + grub-core/normal/cmdline.c | 14 +++---- + grub-core/normal/menu_entry.c | 14 +++---- grub-core/normal/menu_text.c | 4 +- grub-core/normal/term.c | 4 +- grub-core/osdep/linux/getroot.c | 6 +-- @@ -103,7 +103,7 @@ Upstream-commit-id: 48eeedf1e4b util/grub-install.c | 4 +- util/grub-mkimagexx.c | 4 +- util/grub-mkstandalone.c | 2 +- - util/grub-pe2elf.c | 12 ++--- + util/grub-pe2elf.c | 12 +++--- util/grub-probe.c | 4 +- include/grub/unicode.h | 4 +- 83 files changed, 261 insertions(+), 186 deletions(-) @@ -1943,6 +1943,3 @@ index a0403e91f9a..4de986a8576 100644 if (!out->combining_ptr) return; grub_memcpy (out->combining_ptr, in->combining_ptr, --- -2.26.2 - diff --git a/SOURCES/0303-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/SOURCES/0303-malloc-Use-overflow-checking-primitives-where-we-do-.patch index 725fc84..ffbab40 100644 --- a/SOURCES/0303-malloc-Use-overflow-checking-primitives-where-we-do-.patch +++ b/SOURCES/0303-malloc-Use-overflow-checking-primitives-where-we-do-.patch @@ -1,8 +1,8 @@ -From 27fe6083630c57641231d2056220288135b111ef Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 15 Jun 2020 12:28:27 -0400 -Subject: [PATCH 303/336] malloc: Use overflow checking primitives where we do - complex allocations +Subject: [PATCH] malloc: Use overflow checking primitives where we do complex + allocations This attempts to fix the places where we do the following where arithmetic_expr may include unvalidated data: @@ -30,29 +30,29 @@ Signed-off-by: Peter Jones Reviewed-by: Daniel Kiper Upstream-commit-id: 5fb2befbf04 --- - grub-core/commands/legacycfg.c | 29 ++++++++++++++---- - grub-core/commands/wildcard.c | 36 ++++++++++++++++++---- - grub-core/disk/ldm.c | 32 ++++++++++++++------ - grub-core/font/font.c | 7 ++++- - grub-core/fs/btrfs.c | 29 ++++++++++++------ - grub-core/fs/ext2.c | 10 ++++++- - grub-core/fs/iso9660.c | 55 +++++++++++++++++++++++----------- - grub-core/fs/sfs.c | 27 +++++++++++++---- - grub-core/fs/squash4.c | 45 +++++++++++++++++++++------- - grub-core/fs/udf.c | 42 +++++++++++++++++--------- - grub-core/fs/xfs.c | 11 ++++--- - grub-core/fs/zfs/zfs.c | 22 +++++++++----- - grub-core/fs/zfs/zfscrypt.c | 7 ++++- - grub-core/lib/arg.c | 20 +++++++++++-- - grub-core/loader/i386/bsd.c | 8 ++++- - grub-core/net/dns.c | 9 +++++- - grub-core/normal/charset.c | 10 +++++-- - grub-core/normal/cmdline.c | 14 +++++++-- - grub-core/normal/menu_entry.c | 14 +++++++-- - grub-core/script/argv.c | 16 ++++++++-- - grub-core/script/lexer.c | 21 +++++++++++-- - grub-core/video/bitmap.c | 25 ++++++++++------ - grub-core/video/readers/png.c | 13 ++++++-- + grub-core/commands/legacycfg.c | 29 ++++++++++++++++++---- + grub-core/commands/wildcard.c | 36 +++++++++++++++++++++++---- + grub-core/disk/ldm.c | 32 +++++++++++++++++------- + grub-core/font/font.c | 7 +++++- + grub-core/fs/btrfs.c | 29 +++++++++++++++------- + grub-core/fs/ext2.c | 10 +++++++- + grub-core/fs/iso9660.c | 55 +++++++++++++++++++++++++++++------------- + grub-core/fs/sfs.c | 27 +++++++++++++++++---- + grub-core/fs/squash4.c | 45 +++++++++++++++++++++++++--------- + grub-core/fs/udf.c | 42 +++++++++++++++++++++----------- + grub-core/fs/xfs.c | 11 ++++++--- + grub-core/fs/zfs/zfs.c | 22 +++++++++++------ + grub-core/fs/zfs/zfscrypt.c | 7 +++++- + grub-core/lib/arg.c | 20 +++++++++++++-- + grub-core/loader/i386/bsd.c | 8 +++++- + grub-core/net/dns.c | 9 ++++++- + grub-core/normal/charset.c | 10 ++++++-- + grub-core/normal/cmdline.c | 14 +++++++++-- + grub-core/normal/menu_entry.c | 14 +++++++++-- + grub-core/script/argv.c | 16 ++++++++++-- + grub-core/script/lexer.c | 21 +++++++++++++--- + grub-core/video/bitmap.c | 25 ++++++++++++------- + grub-core/video/readers/png.c | 13 ++++++++-- 23 files changed, 387 insertions(+), 115 deletions(-) diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c @@ -1325,6 +1325,3 @@ index 0a1c6584dd3..39560f56fdc 100644 #ifndef GRUB_CPU_WORDS_BIGENDIAN if (data->is_16bit || data->is_gray || data->is_palette) --- -2.26.2 - diff --git a/SOURCES/0304-iso9660-Don-t-leak-memory-on-realloc-failures.patch b/SOURCES/0304-iso9660-Don-t-leak-memory-on-realloc-failures.patch index 3494d8d..3ab83b6 100644 --- a/SOURCES/0304-iso9660-Don-t-leak-memory-on-realloc-failures.patch +++ b/SOURCES/0304-iso9660-Don-t-leak-memory-on-realloc-failures.patch @@ -1,7 +1,7 @@ -From 73b56b15b1951e1cbff50fa86ac55faabf5a4176 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sat, 4 Jul 2020 12:25:09 -0400 -Subject: [PATCH 304/336] iso9660: Don't leak memory on realloc() failures +Subject: [PATCH] iso9660: Don't leak memory on realloc() failures Signed-off-by: Peter Jones Reviewed-by: Daniel Kiper @@ -64,6 +64,3 @@ index d6dc55b5803..f1611c5e311 100644 /* In pos + 1 the length of the `Component Record' is stored. */ pos += entry->data[pos + 1] + 2; --- -2.26.2 - diff --git a/SOURCES/0305-font-Do-not-load-more-than-one-NAME-section.patch b/SOURCES/0305-font-Do-not-load-more-than-one-NAME-section.patch index 6432e54..de79a3e 100644 --- a/SOURCES/0305-font-Do-not-load-more-than-one-NAME-section.patch +++ b/SOURCES/0305-font-Do-not-load-more-than-one-NAME-section.patch @@ -1,7 +1,7 @@ -From fff5140620c52db3b7ebca5921d1d237b1dcc7ae Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Daniel Kiper Date: Tue, 7 Jul 2020 15:36:26 +0200 -Subject: [PATCH 305/336] font: Do not load more than one NAME section +Subject: [PATCH] font: Do not load more than one NAME section The GRUB font file can have one NAME section only. Though if somebody crafts a broken font file with many NAME sections and loads it then the @@ -33,6 +33,3 @@ index 71d3f78b88a..5ff5f438b40 100644 font->name = read_section_as_string (§ion); if (!font->name) goto fail; --- -2.26.2 - diff --git a/SOURCES/0306-gfxmenu-Fix-double-free-in-load_image.patch b/SOURCES/0306-gfxmenu-Fix-double-free-in-load_image.patch index b9282d7..97416b9 100644 --- a/SOURCES/0306-gfxmenu-Fix-double-free-in-load_image.patch +++ b/SOURCES/0306-gfxmenu-Fix-double-free-in-load_image.patch @@ -1,7 +1,7 @@ -From eb7980539440795b87bb3ab15397855700e4cfb1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexey Makhalov Date: Wed, 8 Jul 2020 20:41:56 +0000 -Subject: [PATCH 306/336] gfxmenu: Fix double free in load_image() +Subject: [PATCH] gfxmenu: Fix double free in load_image() self->bitmap should be zeroed after free. Otherwise, there is a chance to double free (USE_AFTER_FREE) it later in rescale_image(). @@ -31,6 +31,3 @@ index 29784ed2d9a..6b2e976f16e 100644 if (self->raw_bitmap) grub_video_bitmap_destroy (self->raw_bitmap); --- -2.26.2 - diff --git a/SOURCES/0307-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch b/SOURCES/0307-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch index fc809db..f5b1262 100644 --- a/SOURCES/0307-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch +++ b/SOURCES/0307-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch @@ -1,8 +1,7 @@ -From 45c4c44de701e867c093ef7cc73faadfef28adf0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexey Makhalov Date: Wed, 8 Jul 2020 21:30:43 +0000 -Subject: [PATCH 307/336] xnu: Fix double free in - grub_xnu_devprop_add_property() +Subject: [PATCH] xnu: Fix double free in grub_xnu_devprop_add_property() grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get allocated and freed in the caller. @@ -52,6 +51,3 @@ index 875048e1353..424488a9f7c 100644 grub_list_push (GRUB_AS_LIST_P (&dev->properties), GRUB_AS_LIST (prop)); return GRUB_ERR_NONE; --- -2.26.2 - diff --git a/SOURCES/0308-lzma-Make-sure-we-don-t-dereference-past-array.patch b/SOURCES/0308-lzma-Make-sure-we-don-t-dereference-past-array.patch index d07d633..d5a31f5 100644 --- a/SOURCES/0308-lzma-Make-sure-we-don-t-dereference-past-array.patch +++ b/SOURCES/0308-lzma-Make-sure-we-don-t-dereference-past-array.patch @@ -1,7 +1,7 @@ -From 41487914bf5fe814c80011a55c510700cdec5dff Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Konrad Rzeszutek Wilk Date: Thu, 9 Jul 2020 03:05:23 +0000 -Subject: [PATCH 308/336] lzma: Make sure we don't dereference past array +Subject: [PATCH] lzma: Make sure we don't dereference past array The two dimensional array p->posSlotEncoder[4][64] is being dereferenced using the GetLenToPosState() macro which checks if len is less than 5, @@ -47,6 +47,3 @@ index f2ec04a8c28..753e56a95e3 100644 if (posSlot >= kStartPosModelIndex) { --- -2.26.2 - diff --git a/SOURCES/0309-term-Fix-overflow-on-user-inputs.patch b/SOURCES/0309-term-Fix-overflow-on-user-inputs.patch index 9eff113..1710a73 100644 --- a/SOURCES/0309-term-Fix-overflow-on-user-inputs.patch +++ b/SOURCES/0309-term-Fix-overflow-on-user-inputs.patch @@ -1,7 +1,7 @@ -From a5fa3f370171482c7cdcb44af99e24040d1632ce Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Konrad Rzeszutek Wilk Date: Tue, 7 Jul 2020 15:12:25 -0400 -Subject: [PATCH 309/336] term: Fix overflow on user inputs +Subject: [PATCH] term: Fix overflow on user inputs This requires a very weird input from the serial interface but can cause an overflow in input_buf (keys) overwriting the next variable (npending) @@ -61,6 +61,3 @@ index 7cb7909c8cf..aea9ffd0af7 100644 #if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275) if (data->npending == 1 && data->input_buf[0] == '\e' --- -2.26.2 - diff --git a/SOURCES/0310-udf-Fix-memory-leak.patch b/SOURCES/0310-udf-Fix-memory-leak.patch index 9c20757..6c185db 100644 --- a/SOURCES/0310-udf-Fix-memory-leak.patch +++ b/SOURCES/0310-udf-Fix-memory-leak.patch @@ -1,7 +1,7 @@ -From 7ba278675832c85846faa7191a958a84cb7ace11 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Konrad Rzeszutek Wilk Date: Tue, 7 Jul 2020 22:02:31 -0400 -Subject: [PATCH 310/336] udf: Fix memory leak +Subject: [PATCH] udf: Fix memory leak Fixes: CID 73796 @@ -51,6 +51,3 @@ index 99b001f2066..c23c0120f49 100644 if (filename && hook (filename, type, child, hook_data)) { --- -2.26.2 - diff --git a/SOURCES/0311-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch b/SOURCES/0311-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch index c895735..5759746 100644 --- a/SOURCES/0311-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch +++ b/SOURCES/0311-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch @@ -1,8 +1,8 @@ -From 0f008fb687338498ee7d84980a7aca6aa4dec919 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Konrad Rzeszutek Wilk Date: Fri, 26 Jun 2020 10:51:43 -0400 -Subject: [PATCH 311/336] multiboot2: Fix memory leak if - grub_create_loader_cmdline() fails +Subject: [PATCH] multiboot2: Fix memory leak if grub_create_loader_cmdline() + fails Fixes: CID 292468 @@ -42,6 +42,3 @@ index 83e8919fa9a..7e01dfb5ee7 100644 if (modules_last) modules_last->next = newmod; --- -2.26.2 - diff --git a/SOURCES/0312-tftp-Do-not-use-priority-queue.patch b/SOURCES/0312-tftp-Do-not-use-priority-queue.patch index 2a0f2ae..13981f4 100644 --- a/SOURCES/0312-tftp-Do-not-use-priority-queue.patch +++ b/SOURCES/0312-tftp-Do-not-use-priority-queue.patch @@ -1,7 +1,7 @@ -From c883f21166fe105f25a7ee3919f9cb3e93b992c9 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexey Makhalov Date: Thu, 9 Jul 2020 08:10:40 +0000 -Subject: [PATCH 312/336] tftp: Do not use priority queue +Subject: [PATCH] tftp: Do not use priority queue There is not need to reassemble the order of blocks. Per RFC 1350, server must wait for the ACK, before sending next block. Data packets @@ -31,7 +31,7 @@ Signed-off-by: Alexey Makhalov Reviewed-by: Daniel Kiper Upstream-commit-id: 8316694c4f7 --- - grub-core/net/tftp.c | 174 ++++++++++++++----------------------------- + grub-core/net/tftp.c | 174 ++++++++++++++++----------------------------------- 1 file changed, 54 insertions(+), 120 deletions(-) diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c @@ -284,6 +284,3 @@ index e267af354f4..79c16f9b041 100644 grub_free (data); return GRUB_ERR_NONE; } --- -2.26.2 - diff --git a/SOURCES/0313-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch b/SOURCES/0313-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch index 6c6a7c0..962a509 100644 --- a/SOURCES/0313-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch +++ b/SOURCES/0313-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch @@ -1,8 +1,8 @@ -From b3725e88e9124bcdc77b962bf25863e2e50d7fc2 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexey Makhalov Date: Wed, 15 Jul 2020 06:42:37 +0000 -Subject: [PATCH 313/336] relocator: Protect grub_relocator_alloc_chunk_addr() - input args against integer underflow/overflow +Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr() input + args against integer underflow/overflow Use arithmetic macros from safemath.h to accomplish it. In this commit, I didn't want to be too paranoid to check every possible math equation @@ -161,6 +161,3 @@ index fdf61b6f9f7..66731d2528b 100644 grub_xnu_heap_size += size; grub_dprintf ("xnu", "val=%p\n", *src); return GRUB_ERR_NONE; --- -2.26.2 - diff --git a/SOURCES/0314-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch b/SOURCES/0314-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch index e8a1aed..1ed2c3b 100644 --- a/SOURCES/0314-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch +++ b/SOURCES/0314-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch @@ -1,7 +1,7 @@ -From 940b7872052d8539c7699e6323fda9467c87f67c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexey Makhalov Date: Wed, 8 Jul 2020 01:44:38 +0000 -Subject: [PATCH 314/336] relocator: Protect grub_relocator_alloc_chunk_align() +Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow This commit introduces integer underflow mitigation in max_addr calculation @@ -20,7 +20,7 @@ Signed-off-by: Alexey Makhalov Reviewed-by: Daniel Kiper Upstream-commit-id: 10498c8ba17 --- - grub-core/lib/i386/relocator.c | 28 ++++++++++---------------- + grub-core/lib/i386/relocator.c | 28 +++++++++++----------------- grub-core/lib/mips/relocator.c | 6 ++---- grub-core/lib/powerpc/relocator.c | 6 ++---- grub-core/loader/i386/linux.c | 5 ++--- @@ -29,9 +29,9 @@ Upstream-commit-id: 10498c8ba17 grub-core/loader/mips/linux.c | 9 +++------ grub-core/loader/multiboot.c | 2 +- grub-core/loader/multiboot_elfxx.c | 5 ++--- - grub-core/loader/multiboot_mbi2.c | 11 ++++++---- + grub-core/loader/multiboot_mbi2.c | 11 +++++++---- grub-core/loader/xnu_resume.c | 2 +- - include/grub/relocator.h | 29 +++++++++++++++++++++++++++ + include/grub/relocator.h | 29 +++++++++++++++++++++++++++++ 12 files changed, 65 insertions(+), 51 deletions(-) diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c @@ -309,6 +309,3 @@ index 24d8672d22c..1b3bdd92ac6 100644 #define GRUB_RELOCATOR_PREFERENCE_NONE 0 #define GRUB_RELOCATOR_PREFERENCE_LOW 1 #define GRUB_RELOCATOR_PREFERENCE_HIGH 2 --- -2.26.2 - diff --git a/SOURCES/0315-script-Remove-unused-fields-from-grub_script_functio.patch b/SOURCES/0315-script-Remove-unused-fields-from-grub_script_functio.patch index 6c364b9..93beaac 100644 --- a/SOURCES/0315-script-Remove-unused-fields-from-grub_script_functio.patch +++ b/SOURCES/0315-script-Remove-unused-fields-from-grub_script_functio.patch @@ -1,8 +1,7 @@ -From 1f12e039922b59787070bb311da86d16e498da66 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Chris Coulson Date: Fri, 10 Jul 2020 11:21:14 +0100 -Subject: [PATCH 315/336] script: Remove unused fields from - grub_script_function struct +Subject: [PATCH] script: Remove unused fields from grub_script_function struct Signed-off-by: Chris Coulson Reviewed-by: Daniel Kiper @@ -29,6 +28,3 @@ index 360c2be1f05..b382bcf09bc 100644 }; typedef struct grub_script_function *grub_script_function_t; --- -2.26.2 - diff --git a/SOURCES/0316-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/SOURCES/0316-script-Avoid-a-use-after-free-when-redefining-a-func.patch index dc6cc67..49b58e0 100644 --- a/SOURCES/0316-script-Avoid-a-use-after-free-when-redefining-a-func.patch +++ b/SOURCES/0316-script-Avoid-a-use-after-free-when-redefining-a-func.patch @@ -1,8 +1,8 @@ -From 0950880ab9a53d7632ca849ad2375352a3c2c972 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Chris Coulson Date: Fri, 10 Jul 2020 14:41:45 +0100 -Subject: [PATCH 316/336] script: Avoid a use-after-free when redefining a - function during execution +Subject: [PATCH] script: Avoid a use-after-free when redefining a function + during execution Defining a new function with the same name as a previously defined function causes the grub_script and associated resources for the @@ -103,6 +103,3 @@ index 1d60e9de2f3..26b72e52556 100644 } state->scripts = $3; --- -2.26.2 - diff --git a/SOURCES/0317-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch b/SOURCES/0317-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch index 08e3c7d..b4e9978 100644 --- a/SOURCES/0317-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch +++ b/SOURCES/0317-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch @@ -1,8 +1,8 @@ -From f759247e7706c921d1300e67a7ebcb5a997d43aa Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexey Makhalov Date: Fri, 17 Jul 2020 05:17:26 +0000 -Subject: [PATCH 317/336] relocator: Fix grub_relocator_alloc_chunk_align() top - memory allocation +Subject: [PATCH] relocator: Fix grub_relocator_alloc_chunk_align() top memory + allocation Current implementation of grub_relocator_alloc_chunk_align() does not allow allocation of the top byte. @@ -41,6 +41,3 @@ index 7ea72069a45..833ace70eb3 100644 #ifdef GRUB_MACHINE_PCBIOS if (min_addr < 0x1000) --- -2.26.2 - diff --git a/SOURCES/0318-hfsplus-fix-two-more-overflows.patch b/SOURCES/0318-hfsplus-fix-two-more-overflows.patch index f96e42f..84fea82 100644 --- a/SOURCES/0318-hfsplus-fix-two-more-overflows.patch +++ b/SOURCES/0318-hfsplus-fix-two-more-overflows.patch @@ -1,7 +1,7 @@ -From 7bfc4727df287c0cf642cf4861c7ede073996f96 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 14:43:31 -0400 -Subject: [PATCH 318/336] hfsplus: fix two more overflows +Subject: [PATCH] hfsplus: fix two more overflows Both node->size and node->namelen come from the supplied filesystem, which may be user-supplied. We can't trust them for the math unless we @@ -52,6 +52,3 @@ index 05016ee98a4..2ef0b8d3fec 100644 if (! filename) return 0; --- -2.26.2 - diff --git a/SOURCES/0319-lvm-fix-two-more-potential-data-dependent-alloc-over.patch b/SOURCES/0319-lvm-fix-two-more-potential-data-dependent-alloc-over.patch index 0413ff3..21dbf0e 100644 --- a/SOURCES/0319-lvm-fix-two-more-potential-data-dependent-alloc-over.patch +++ b/SOURCES/0319-lvm-fix-two-more-potential-data-dependent-alloc-over.patch @@ -1,8 +1,7 @@ -From f4e192a971ed2144fde43946d6574f970b9e2e20 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 15:48:20 -0400 -Subject: [PATCH 319/336] lvm: fix two more potential data-dependent alloc - overflows +Subject: [PATCH] lvm: fix two more potential data-dependent alloc overflows It appears to be possible to make a (possibly invalid) lvm PV with a metadata size field that overflows our type when adding it to the @@ -14,7 +13,7 @@ Signed-off-by: Peter Jones Signed-off-by: Darren Kenny Upstream-commit-id: 45ec6046ea0 --- - grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++-------- + grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c @@ -108,6 +107,3 @@ index 680a796cb48..e3268d1a28d 100644 if (!lv->fullname) goto lvs_fail; --- -2.26.2 - diff --git a/SOURCES/0320-emu-make-grub_free-NULL-safe.patch b/SOURCES/0320-emu-make-grub_free-NULL-safe.patch index 59dce1e..64ecc34 100644 --- a/SOURCES/0320-emu-make-grub_free-NULL-safe.patch +++ b/SOURCES/0320-emu-make-grub_free-NULL-safe.patch @@ -1,7 +1,7 @@ -From b074ba5bfbfc70c09b35a8e276c54cdce13e088d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 16:08:08 -0400 -Subject: [PATCH 320/336] emu: make grub_free(NULL) safe +Subject: [PATCH] emu: make grub_free(NULL) safe The grub_free() implementation in kern/mm.c safely handles NULL pointers, and code at many places depends on this. We don't know that @@ -29,6 +29,3 @@ index 145b01d3719..4d1046a219e 100644 } void * --- -2.26.2 - diff --git a/SOURCES/0321-efi-fix-some-malformed-device-path-arithmetic-errors.patch b/SOURCES/0321-efi-fix-some-malformed-device-path-arithmetic-errors.patch index 8725fe0..4953793 100644 --- a/SOURCES/0321-efi-fix-some-malformed-device-path-arithmetic-errors.patch +++ b/SOURCES/0321-efi-fix-some-malformed-device-path-arithmetic-errors.patch @@ -1,8 +1,7 @@ -From 9db27e9db2d0c2f147d6ea3c2f60dd6620af5fbf Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 16:53:27 -0400 -Subject: [PATCH 321/336] efi: fix some malformed device path arithmetic - errors. +Subject: [PATCH] efi: fix some malformed device path arithmetic errors. Several places we take the length of a device path and subtract 4 from it, without ever checking that it's >= 4. There are also cases where @@ -19,10 +18,10 @@ code check for and return errors in these cases. Signed-off-by: Peter Jones Upstream-commit-id: 23e68a83990 --- - grub-core/kern/efi/efi.c | 67 +++++++++++++++++++++++++----- - grub-core/loader/efi/chainloader.c | 19 ++++++++- - grub-core/loader/i386/xnu.c | 9 ++-- - include/grub/efi/api.h | 14 ++++--- + grub-core/kern/efi/efi.c | 67 ++++++++++++++++++++++++++++++++------ + grub-core/loader/efi/chainloader.c | 19 +++++++++-- + grub-core/loader/i386/xnu.c | 9 ++--- + include/grub/efi/api.h | 14 +++++--- 4 files changed, 88 insertions(+), 21 deletions(-) diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c @@ -247,6 +246,3 @@ index fbd1c4b529d..9860fd16189 100644 /* Hardware Device Path. */ #define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1 --- -2.26.2 - diff --git a/SOURCES/0322-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch b/SOURCES/0322-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch index e27a103..8e552f2 100644 --- a/SOURCES/0322-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch +++ b/SOURCES/0322-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch @@ -1,8 +1,8 @@ -From a5c5bcf1ac7b0057496b10a030fe1d9d24eb2775 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Chris Coulson Date: Wed, 22 Jul 2020 17:06:04 +0100 -Subject: [PATCH 322/336] Fix a regression caused by "efi: fix some malformed - device path arithmetic errors" +Subject: [PATCH] Fix a regression caused by "efi: fix some malformed device + path arithmetic errors" This commit introduced a bogus check inside copy_file_path to determine whether the destination grub_efi_file_path_device_path_t @@ -83,6 +83,3 @@ index b90dfd6c5a6..dbcdf333b62 100644 /* Fill the end of device path nodes. */ d = GRUB_EFI_NEXT_DEVICE_PATH (d); --- -2.26.2 - diff --git a/SOURCES/0323-update-safemath-with-fallback-code-for-gcc-older-tha.patch b/SOURCES/0323-update-safemath-with-fallback-code-for-gcc-older-tha.patch index 329ac4b..d0feb8c 100644 --- a/SOURCES/0323-update-safemath-with-fallback-code-for-gcc-older-tha.patch +++ b/SOURCES/0323-update-safemath-with-fallback-code-for-gcc-older-tha.patch @@ -1,8 +1,7 @@ -From 6c4c027abfb58272a3604db4094733b4388c1638 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexander Burmashev Date: Wed, 22 Jul 2020 06:04:38 -0700 -Subject: [PATCH 323/336] update safemath with fallback code for gcc older than - 5.1 +Subject: [PATCH] update safemath with fallback code for gcc older than 5.1 The code used in the header was taken from linux kernel commit f0907827a8a9152aedac2833ed1b674a7b2a44f2. Rasmus Villemoes @@ -13,7 +12,7 @@ sources Signed-off-by: Alex Burmashev --- - include/grub/safemath.h | 119 +++++++++++++++++++++++++++++++++++++++- + include/grub/safemath.h | 119 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 118 insertions(+), 1 deletion(-) diff --git a/include/grub/safemath.h b/include/grub/safemath.h @@ -146,6 +145,3 @@ index c17b89bba17..1ccac276b59 100644 #endif #endif /* GRUB_SAFEMATH_H */ --- -2.26.2 - diff --git a/SOURCES/0324-efi-Free-malloc-regions-on-exit.patch b/SOURCES/0324-efi-Free-malloc-regions-on-exit.patch index 7065bb1..f9030d0 100644 --- a/SOURCES/0324-efi-Free-malloc-regions-on-exit.patch +++ b/SOURCES/0324-efi-Free-malloc-regions-on-exit.patch @@ -1,7 +1,7 @@ -From 6bea96c79a0c25cfd4ca1e0ff203fa7600be5a58 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Thu, 31 Aug 2017 16:40:19 +0200 -Subject: [PATCH 324/336] efi: Free malloc regions on exit +Subject: [PATCH] efi: Free malloc regions on exit When we exit grub, we don't free all the memory that we allocated earlier for our heap region. This can cause problems with setups where you try @@ -13,7 +13,7 @@ Reviewed-by: Daniel Kiper Upstream-commit-id: 92bfc33db98 --- grub-core/kern/efi/init.c | 1 + - grub-core/kern/efi/mm.c | 82 +++++++++++++++++++++++++++++++++++++++ + grub-core/kern/efi/mm.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++ include/grub/efi/efi.h | 1 + 3 files changed, 84 insertions(+) @@ -153,6 +153,3 @@ index 9a2da0eb38d..f761bbb1389 100644 grub_efi_loaded_image_t *EXPORT_FUNC(grub_efi_get_loaded_image) (grub_efi_handle_t image_handle); void EXPORT_FUNC(grub_efi_print_device_path) (grub_efi_device_path_t *dp); char *EXPORT_FUNC(grub_efi_get_filename) (grub_efi_device_path_t *dp); --- -2.26.2 - diff --git a/SOURCES/0325-efi-Fix-use-after-free-in-halt-reboot-path.patch b/SOURCES/0325-efi-Fix-use-after-free-in-halt-reboot-path.patch index 3e4e83f..be4c08c 100644 --- a/SOURCES/0325-efi-Fix-use-after-free-in-halt-reboot-path.patch +++ b/SOURCES/0325-efi-Fix-use-after-free-in-halt-reboot-path.patch @@ -1,7 +1,7 @@ -From e6c7a7c575e47632116d62456513f7617efcba2a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexey Makhalov Date: Mon, 20 Jul 2020 23:03:05 +0000 -Subject: [PATCH 325/336] efi: Fix use-after-free in halt/reboot path +Subject: [PATCH] efi: Fix use-after-free in halt/reboot path commit 92bfc33db984 ("efi: Free malloc regions on exit") introduced memory freeing in grub_efi_fini(), which is @@ -140,6 +140,3 @@ index 7f82a499fd9..b208642821b 100644 }; void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void), --- -2.26.2 - diff --git a/SOURCES/0326-build-grub-module-verifier-make-output-more-useful.patch b/SOURCES/0326-build-grub-module-verifier-make-output-more-useful.patch index bad7d81..b403fc4 100644 --- a/SOURCES/0326-build-grub-module-verifier-make-output-more-useful.patch +++ b/SOURCES/0326-build-grub-module-verifier-make-output-more-useful.patch @@ -1,7 +1,7 @@ -From a0951a168054fa30a1c1d48b5edf066d8e08900d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sat, 18 Jul 2020 18:28:14 -0400 -Subject: [PATCH 326/336] build-grub-module-verifier: make output more useful +Subject: [PATCH] build-grub-module-verifier: make output more useful - show the user which module has the error - show which section relocation errors are in @@ -10,7 +10,7 @@ Subject: [PATCH 326/336] build-grub-module-verifier: make output more useful Signed-off-by: Peter Jones --- util/grub-module-verifier.c | 4 +-- - util/grub-module-verifierXX.c | 61 ++++++++++++++++++---------------- + util/grub-module-verifierXX.c | 61 ++++++++++++++++++++++-------------------- include/grub/module_verifier.h | 4 +-- 3 files changed, 36 insertions(+), 33 deletions(-) @@ -231,6 +231,3 @@ index 6cddff30f2e..7dd0fa18ec8 100644 -void grub_module_verify32(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch); +void grub_module_verify64(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch, const char * filename); +void grub_module_verify32(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch, const char * filename); --- -2.26.2 - diff --git a/SOURCES/0327-efi-dhcp-fix-some-allocation-error-checking.patch b/SOURCES/0327-efi-dhcp-fix-some-allocation-error-checking.patch index 847e792..7549733 100644 --- a/SOURCES/0327-efi-dhcp-fix-some-allocation-error-checking.patch +++ b/SOURCES/0327-efi-dhcp-fix-some-allocation-error-checking.patch @@ -1,7 +1,7 @@ -From 66ca8a14dae8a2afdeffd93f6560f655c040f93a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 17:11:06 -0400 -Subject: [PATCH 327/336] efi+dhcp: fix some allocation error checking. +Subject: [PATCH] efi+dhcp: fix some allocation error checking. Signed-off-by: Peter Jones --- @@ -35,6 +35,3 @@ index dbef63d8c08..e5c79b748b0 100644 } if (status != GRUB_EFI_SUCCESS) --- -2.26.2 - diff --git a/SOURCES/0328-efi-http-fix-some-allocation-error-checking.patch b/SOURCES/0328-efi-http-fix-some-allocation-error-checking.patch index c201150..4dffab9 100644 --- a/SOURCES/0328-efi-http-fix-some-allocation-error-checking.patch +++ b/SOURCES/0328-efi-http-fix-some-allocation-error-checking.patch @@ -1,7 +1,7 @@ -From 5a964a7f388dd0ecf865fc0fde802b561aab2fb6 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 17:14:15 -0400 -Subject: [PATCH 328/336] efi+http: fix some allocation error checking. +Subject: [PATCH] efi+http: fix some allocation error checking. Signed-off-by: Peter Jones --- @@ -37,6 +37,3 @@ index fc8cb25ae0a..26647a50fa4 100644 file->size = size; file->data = buf; --- -2.26.2 - diff --git a/SOURCES/0329-efi-ip-46-_config.c-fix-some-potential-allocation-ov.patch b/SOURCES/0329-efi-ip-46-_config.c-fix-some-potential-allocation-ov.patch index 5b7ac9e..5001d54 100644 --- a/SOURCES/0329-efi-ip-46-_config.c-fix-some-potential-allocation-ov.patch +++ b/SOURCES/0329-efi-ip-46-_config.c-fix-some-potential-allocation-ov.patch @@ -1,8 +1,7 @@ -From ed7411d55fd5eae7b6c540e99cb2f41156d3e4c5 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 17:27:00 -0400 -Subject: [PATCH 329/336] efi/ip[46]_config.c: fix some potential allocation - overflows +Subject: [PATCH] efi/ip[46]_config.c: fix some potential allocation overflows In theory all of this data comes from the firmware stack and it should be safe, but it's better to be paranoid. @@ -136,6 +135,3 @@ index 017c4d05bc7..a46f6f9b685 100644 { char *gateway, *destination; grub_uint64_t u64_gateway[2]; --- -2.26.2 - diff --git a/SOURCES/0330-Fix-up-some-types-for-gcc-4.8-compat-safemath.h.patch b/SOURCES/0330-Fix-up-some-types-for-gcc-4.8-compat-safemath.h.patch index 24b5186..70e026a 100644 --- a/SOURCES/0330-Fix-up-some-types-for-gcc-4.8-compat-safemath.h.patch +++ b/SOURCES/0330-Fix-up-some-types-for-gcc-4.8-compat-safemath.h.patch @@ -1,7 +1,7 @@ -From 69af5fe86a8d3788c1bb95cbbacdb7d9b3f774d7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 23 Jul 2020 15:02:48 -0400 -Subject: [PATCH 330/336] Fix up some types for gcc 4.8 compat safemath.h +Subject: [PATCH] Fix up some types for gcc 4.8 compat safemath.h The compat macros aren't as forgiving as __builtin_*_overflow(). @@ -214,6 +214,3 @@ index 2143ff7cd89..d89c0dafd52 100644 goto fail; n = grub_realloc (out->combining_ptr, sz); --- -2.26.2 - diff --git a/SOURCES/0331-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch b/SOURCES/0331-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch index fa4d858..dbf4dce 100644 --- a/SOURCES/0331-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch +++ b/SOURCES/0331-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch @@ -1,7 +1,7 @@ -From f3c1a5319b5342362fcb8819c3df0dd790e4f3e6 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 24 Jul 2020 17:18:09 +0100 -Subject: [PATCH 331/336] efilinux: Fix integer overflows in grub_cmd_initrd +Subject: [PATCH] efilinux: Fix integer overflows in grub_cmd_initrd These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with @@ -46,6 +46,3 @@ index 7166ec17f8f..95dbb9e20af 100644 } initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size)); --- -2.26.2 - diff --git a/SOURCES/0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch b/SOURCES/0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch index e055036..fc576f7 100644 --- a/SOURCES/0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch +++ b/SOURCES/0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch @@ -1,8 +1,7 @@ -From ca8b750f4c618cecddb3c2694509dc19daeae46a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 24 Jul 2020 13:57:27 -0400 -Subject: [PATCH 332/336] linux loader: avoid overflow on initrd size - calculation +Subject: [PATCH] linux loader: avoid overflow on initrd size calculation Signed-off-by: Peter Jones --- @@ -24,6 +23,3 @@ index be6fa0f4d45..2305281df04 100644 if (!initrd_ctx->components) return grub_errno; --- -2.26.2 - diff --git a/SOURCES/0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch b/SOURCES/0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch index c5c7f17..2c7982c 100644 --- a/SOURCES/0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch +++ b/SOURCES/0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch @@ -1,8 +1,7 @@ -From 02bdaed98f9a17a06f71ce7e21d9af2bd6547dfc Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Wed, 22 Jul 2020 11:31:43 +0100 -Subject: [PATCH 333/336] linuxefi: fail kernel validation without shim - protocol. +Subject: [PATCH] linuxefi: fail kernel validation without shim protocol. If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature @@ -99,6 +98,3 @@ index 95dbb9e20af..c146bc58e3d 100644 } params = grub_efi_allocate_pages_max (0x3fffffff, --- -2.26.2 - diff --git a/SOURCES/0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/SOURCES/0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch index a51b5ce..152055d 100644 --- a/SOURCES/0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch +++ b/SOURCES/0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch @@ -1,7 +1,7 @@ -From ea5144a3ca0b58e785dd9729e6c2d6a81e18870c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sat, 25 Jul 2020 12:15:37 +0100 -Subject: [PATCH 334/336] linux: Fix integer overflows in initrd size handling +Subject: [PATCH] linux: Fix integer overflows in initrd size handling These could be triggered by a crafted filesystem with very large files. @@ -10,7 +10,7 @@ Fixes: CVE-2020-15707 Signed-off-by: Colin Watson Reviewed-by: Jan Setje-Eilers --- - grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++----------- + grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 54 insertions(+), 20 deletions(-) diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c @@ -163,6 +163,3 @@ index 2305281df04..951f7556fb4 100644 ptr = make_header (ptr, initrd_ctx->components[i].newc_name, grub_strlen (initrd_ctx->components[i].newc_name), 0100777, --- -2.26.2 - diff --git a/SOURCES/0335-tftp-roll-over-block-counter-to-prevent-timeouts-with.patch b/SOURCES/0335-tftp-roll-over-block-counter-to-prevent-timeouts-with.patch index cbff5b2..2348e91 100644 --- a/SOURCES/0335-tftp-roll-over-block-counter-to-prevent-timeouts-with.patch +++ b/SOURCES/0335-tftp-roll-over-block-counter-to-prevent-timeouts-with.patch @@ -23,7 +23,7 @@ Signed-off-by: Javier Martinez Canillas 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c -index 79c16f9b041..84162e6f1bd 100644 +index 79c16f9b041..b9a4b607a3d 100644 --- a/grub-core/net/tftp.c +++ b/grub-core/net/tftp.c @@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), diff --git a/SOURCES/0336-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch b/SOURCES/0336-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch new file mode 100644 index 0000000..868153b --- /dev/null +++ b/SOURCES/0336-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch @@ -0,0 +1,37 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Fri, 6 Nov 2020 14:14:24 +0100 +Subject: [PATCH] at_keyboard: Fix keyboards that report IBM PC AT scan codes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GRUB has support for both the IBM PC XT (Set 1) and IBM PC AT (Set 2) key +scan code mappings. But the driver always hardcodes to Set 1, overwriting +the mode that was queried in the grub_keyboard_controller_init() function. + +This breaks keyboard mapping on machines whose firmwares are not using the +Set 1. For example, this is the case in Lenovo P71 and HP Elitebook 8770W +laptops that report key scan codes using Set 2. + +Instead of hardcoding to Set 1, use the value that was queried before. + +Reported-by: Renaud Métrich +Signed-off-by: Javier Martinez Canillas +--- + grub-core/term/at_keyboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/term/at_keyboard.c b/grub-core/term/at_keyboard.c +index b4257e84a04..cbec595d166 100644 +--- a/grub-core/term/at_keyboard.c ++++ b/grub-core/term/at_keyboard.c +@@ -355,7 +355,7 @@ set_scancodes (void) + } + + #if !USE_SCANCODE_SET +- current_set = 1; ++ current_set = grub_keyboard_orig_set; + return; + #else + diff --git a/SOURCES/0337-kern-Add-lockdown-support.patch b/SOURCES/0337-kern-Add-lockdown-support.patch new file mode 100644 index 0000000..f76e7e9 --- /dev/null +++ b/SOURCES/0337-kern-Add-lockdown-support.patch @@ -0,0 +1,441 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Fri, 19 Feb 2021 10:33:54 +0100 +Subject: [PATCH] kern: Add lockdown support + +When the GRUB starts on a secure boot platform, some commands can be +used to subvert the protections provided by the verification mechanism and +could lead to booting untrusted system. + +To prevent that situation, allow GRUB to be locked down. That way the code +may check if GRUB has been locked down and further restrict the commands +that are registered or what subset of their functionality could be used. + +The lockdown support adds the following components: + +* The grub_lockdown() function which can be used to lockdown GRUB if, + e.g., UEFI Secure Boot is enabled. + +* The grub_is_lockdown() function which can be used to check if the GRUB + was locked down. + +* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI + tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other + verifiers. These files are only successfully verified if another registered + verifier returns success. Otherwise, the whole verification process fails. + + For example, PE/COFF binaries verification can be done by the shim_lock + verifier which validates the signatures using the shim_lock protocol. + However, the verification is not deferred directly to the shim_lock verifier. + The shim_lock verifier is hooked into the verification process instead. + +* A set of grub_{command,extcmd}_lockdown functions that can be used by + code registering command handlers, to only register unsafe commands if + the GRUB has not been locked down. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/Makefile.core.def | 1 + + grub-core/commands/extcmd.c | 23 +++++++++++ + grub-core/kern/command.c | 24 ++++++++++++ + grub-core/kern/lockdown.c | 93 +++++++++++++++++++++++++++++++++++++++++++++ + include/grub/command.h | 5 +++ + include/grub/extcmd.h | 7 ++++ + include/grub/lockdown.h | 44 +++++++++++++++++++++ + conf/Makefile.common | 2 + + docs/grub-dev.texi | 27 +++++++++++++ + docs/grub.texi | 9 +++++ + grub-core/Makefile.am | 5 ++- + 11 files changed, 239 insertions(+), 1 deletion(-) + create mode 100644 grub-core/kern/lockdown.c + create mode 100644 include/grub/lockdown.h + +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def +index 00110ae5efd..2beb1d83a63 100644 +--- a/grub-core/Makefile.core.def ++++ b/grub-core/Makefile.core.def +@@ -173,6 +173,7 @@ kernel = { + efi = kern/efi/init.c; + efi = kern/efi/mm.c; + efi = term/efi/console.c; ++ efi = kern/lockdown.c; + efi = lib/envblk.c; + + common = kern/efi/sb.c; +diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c +index 69574e2b05b..90a5ca24a64 100644 +--- a/grub-core/commands/extcmd.c ++++ b/grub-core/commands/extcmd.c +@@ -19,6 +19,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func, + summary, description, parser, 1); + } + ++static grub_err_t ++grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)), ++ int argc __attribute__ ((unused)), ++ char **argv __attribute__ ((unused))) ++{ ++ return grub_error (GRUB_ERR_ACCESS_DENIED, ++ N_("%s: the command is not allowed when lockdown is enforced"), ++ ctxt->extcmd->cmd->name); ++} ++ ++grub_extcmd_t ++grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func, ++ grub_command_flags_t flags, const char *summary, ++ const char *description, ++ const struct grub_arg_option *parser) ++{ ++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) ++ func = grub_extcmd_lockdown; ++ ++ return grub_register_extcmd (name, func, flags, summary, description, parser); ++} ++ + void + grub_unregister_extcmd (grub_extcmd_t ext) + { +diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c +index acd72187992..4aabcd4b5f9 100644 +--- a/grub-core/kern/command.c ++++ b/grub-core/kern/command.c +@@ -17,6 +17,7 @@ + * along with GRUB. If not, see . + */ + ++#include + #include + #include + +@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name, + return cmd; + } + ++static grub_err_t ++grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)), ++ int argc __attribute__ ((unused)), ++ char **argv __attribute__ ((unused))) ++ ++{ ++ return grub_error (GRUB_ERR_ACCESS_DENIED, ++ N_("%s: the command is not allowed when lockdown is enforced"), ++ cmd->name); ++} ++ ++grub_command_t ++grub_register_command_lockdown (const char *name, ++ grub_command_func_t func, ++ const char *summary, ++ const char *description) ++{ ++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) ++ func = grub_cmd_lockdown; ++ ++ return grub_register_command_prio (name, func, summary, description, 0); ++} ++ + void + grub_unregister_command (grub_command_t cmd) + { +diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c +new file mode 100644 +index 00000000000..f87ddaeb1ee +--- /dev/null ++++ b/grub-core/kern/lockdown.c +@@ -0,0 +1,93 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2020 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ * ++ */ ++ ++#include ++#include ++#include ++ ++/* There is no verifier framework in grub 2.02 */ ++#if 0 ++#include ++#endif ++ ++static int lockdown = GRUB_LOCKDOWN_DISABLED; ++ ++/* There is no verifier framework in grub 2.02 */ ++#if 0 ++static grub_err_t ++lockdown_verifier_init (grub_file_t io __attribute__ ((unused)), ++ enum grub_file_type type, ++ void **context __attribute__ ((unused)), ++ enum grub_verify_flags *flags) ++{ ++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; ++ ++ switch (type & GRUB_FILE_TYPE_MASK) ++ { ++ case GRUB_FILE_TYPE_GRUB_MODULE: ++ case GRUB_FILE_TYPE_LINUX_KERNEL: ++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: ++ case GRUB_FILE_TYPE_XEN_HYPERVISOR: ++ case GRUB_FILE_TYPE_BSD_KERNEL: ++ case GRUB_FILE_TYPE_XNU_KERNEL: ++ case GRUB_FILE_TYPE_PLAN9_KERNEL: ++ case GRUB_FILE_TYPE_NTLDR: ++ case GRUB_FILE_TYPE_TRUECRYPT: ++ case GRUB_FILE_TYPE_FREEDOS: ++ case GRUB_FILE_TYPE_PXECHAINLOADER: ++ case GRUB_FILE_TYPE_PCCHAINLOADER: ++ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: ++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: ++ case GRUB_FILE_TYPE_ACPI_TABLE: ++ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: ++ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; ++ ++ /* Fall through. */ ++ ++ default: ++ return GRUB_ERR_NONE; ++ } ++} ++ ++struct grub_file_verifier lockdown_verifier = ++ { ++ .name = "lockdown_verifier", ++ .init = lockdown_verifier_init, ++ }; ++#endif ++ ++void ++grub_lockdown (void) ++{ ++ lockdown = GRUB_LOCKDOWN_ENABLED; ++ ++ /* ++ * XXX: The lockdown verifier doesn't make sense until ++ * GRUB has moved to the shim_lock verifier. ++ */ ++#if 0 ++ grub_verifier_register (&lockdown_verifier); ++#endif ++} ++ ++int ++grub_is_lockdown (void) ++{ ++ return lockdown; ++} +diff --git a/include/grub/command.h b/include/grub/command.h +index eee4e847ee4..2a6f7f84697 100644 +--- a/include/grub/command.h ++++ b/include/grub/command.h +@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name, + const char *summary, + const char *description, + int prio); ++grub_command_t ++EXPORT_FUNC(grub_register_command_lockdown) (const char *name, ++ grub_command_func_t func, ++ const char *summary, ++ const char *description); + void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd); + + static inline grub_command_t +diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h +index 19fe592669e..fe9248b8bb6 100644 +--- a/include/grub/extcmd.h ++++ b/include/grub/extcmd.h +@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name, + const char *description, + const struct grub_arg_option *parser); + ++grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name, ++ grub_extcmd_func_t func, ++ grub_command_flags_t flags, ++ const char *summary, ++ const char *description, ++ const struct grub_arg_option *parser); ++ + grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name, + grub_extcmd_func_t func, + grub_command_flags_t flags, +diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h +new file mode 100644 +index 00000000000..40531fa823b +--- /dev/null ++++ b/include/grub/lockdown.h +@@ -0,0 +1,44 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2020 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ */ ++ ++#ifndef GRUB_LOCKDOWN_H ++#define GRUB_LOCKDOWN_H 1 ++ ++#include ++ ++#define GRUB_LOCKDOWN_DISABLED 0 ++#define GRUB_LOCKDOWN_ENABLED 1 ++ ++#ifdef GRUB_MACHINE_EFI ++extern void ++EXPORT_FUNC (grub_lockdown) (void); ++extern int ++EXPORT_FUNC (grub_is_lockdown) (void); ++#else ++static inline void ++grub_lockdown (void) ++{ ++} ++ ++static inline int ++grub_is_lockdown (void) ++{ ++ return GRUB_LOCKDOWN_DISABLED; ++} ++#endif ++#endif /* ! GRUB_LOCKDOWN_H */ +diff --git a/conf/Makefile.common b/conf/Makefile.common +index 9e0e8364f38..c7c3ab48d8e 100644 +--- a/conf/Makefile.common ++++ b/conf/Makefile.common +@@ -91,7 +91,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER + CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' + CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' + CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' ++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' + CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' ++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' + CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)' + CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \ + $(CPPFLAGS_PARTTOOL_LIST) $(CPPFLAGS_PARTMAP_LIST) \ +diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi +index 7c6244cdb71..eb03856d2f1 100644 +--- a/docs/grub-dev.texi ++++ b/docs/grub-dev.texi +@@ -84,6 +84,7 @@ This edition documents version @value{VERSION}. + * Video Subsystem:: + * PFF2 Font File Format:: + * Graphical Menu Software Design:: ++* Lockdown framework:: + * Copying This Manual:: Copying This Manual + * Index:: + @end menu +@@ -1949,6 +1950,32 @@ the graphics mode that was in use before @code{grub_video_setup()} was called + might fix some of the problems. + + ++@node Lockdown framework ++@chapter Lockdown framework ++ ++The GRUB can be locked down, which is a restricted mode where some operations ++are not allowed. For instance, some commands cannot be used when the GRUB is ++locked down. ++ ++The function ++@code{grub_lockdown()} is used to lockdown GRUB and the function ++@code{grub_is_lockdown()} function can be used to check whether lockdown is ++enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED} ++and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled. ++ ++The following functions can be used to register the commands that can only be ++used when lockdown is disabled: ++ ++@itemize ++ ++@item @code{grub_cmd_lockdown()} registers command which should not run when the ++GRUB is in lockdown mode. ++ ++@item @code{grub_cmd_lockdown()} registers extended command which should not run ++when the GRUB is in lockdown mode. ++ ++@end itemize ++ + @node Copying This Manual + @appendix Copying This Manual + +diff --git a/docs/grub.texi b/docs/grub.texi +index bd3457af9a9..cb52684367f 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -5466,6 +5466,8 @@ environment variables and commands are listed in the same order. + @menu + * Authentication and authorisation:: Users and access control + * Using digital signatures:: Booting digitally signed code ++* Lockdown:: Lockdown when booting on a secure setup ++ + @end menu + + @node Authentication and authorisation +@@ -5626,6 +5628,13 @@ or BIOS) configuration to cause the machine to boot from a different + (attacker-controlled) device. GRUB is at best only one link in a + secure boot chain. + ++@node Lockdown ++@section Lockdown when booting on a secure setup ++ ++The GRUB can be locked down when booted on a secure boot environment, for example ++if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will ++be restricted and some operations/commands cannot be executed. ++ + @node Platform limitations + @chapter Platform limitations + +diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am +index 59a00f11fab..e15846ba75b 100644 +--- a/grub-core/Makefile.am ++++ b/grub-core/Makefile.am +@@ -80,6 +80,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h ++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h +@@ -327,8 +328,10 @@ command.lst: $(MARKER_FILES) + b=`basename $$pp .marker`; \ + sed -n \ + -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ ++ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ + -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ +- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ ++ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \ ++ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ + done) | sort -u > $@ + platform_DATA += command.lst + CLEANFILES += command.lst diff --git a/SOURCES/0338-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch b/SOURCES/0338-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch new file mode 100644 index 0000000..5a2b26a --- /dev/null +++ b/SOURCES/0338-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch @@ -0,0 +1,53 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 2 Feb 2021 19:59:48 +0100 +Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down + +It may be useful for scripts to determine whether the GRUB is locked +down or not. Add the lockdown variable which is set to "y" when the GRUB +is locked down. + +Suggested-by: Dimitri John Ledkov +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/kern/lockdown.c | 4 ++++ + docs/grub.texi | 3 +++ + 2 files changed, 7 insertions(+) + +diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c +index f87ddaeb1ee..30cba7f5ea2 100644 +--- a/grub-core/kern/lockdown.c ++++ b/grub-core/kern/lockdown.c +@@ -18,6 +18,7 @@ + */ + + #include ++#include + #include + #include + +@@ -84,6 +85,9 @@ grub_lockdown (void) + #if 0 + grub_verifier_register (&lockdown_verifier); + #endif ++ ++ grub_env_set ("lockdown", "y"); ++ grub_env_export ("lockdown"); + } + + int +diff --git a/docs/grub.texi b/docs/grub.texi +index cb52684367f..6f331422bd3 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -5635,6 +5635,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl + if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will + be restricted and some operations/commands cannot be executed. + ++The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down. ++Otherwise it does not exit. ++ + @node Platform limitations + @chapter Platform limitations + diff --git a/SOURCES/0339-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch b/SOURCES/0339-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch new file mode 100644 index 0000000..9ba2bb6 --- /dev/null +++ b/SOURCES/0339-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch @@ -0,0 +1,52 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 28 Sep 2020 20:08:29 +0200 +Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled + +If the UEFI Secure Boot is enabled then the GRUB must be locked down +to prevent executing code that can potentially be used to subvert its +verification mechanisms. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/kern/efi/init.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c +index e8bf993f6d4..ed33201f12a 100644 +--- a/grub-core/kern/efi/init.c ++++ b/grub-core/kern/efi/init.c +@@ -20,6 +20,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -70,6 +72,23 @@ grub_efi_init (void) + /* Initialize the memory management system. */ + grub_efi_mm_init (); + ++ /* ++ * Lockdown the GRUB and register the shim_lock verifier ++ * if the UEFI Secure Boot is enabled. ++ */ ++ if (grub_efi_secure_boot ()) ++ { ++ grub_lockdown (); ++ ++ /* ++ * TODO: Move GRUB to using the shim_lock verifier and ++ * enable the lockdown verifier. ++ */ ++#if 0 ++ grub_shim_lock_verifier_setup (); ++#endif ++ } ++ + efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer, + 0, 0, 0, NULL); + diff --git a/SOURCES/0340-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch b/SOURCES/0340-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch new file mode 100644 index 0000000..a902271 --- /dev/null +++ b/SOURCES/0340-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch @@ -0,0 +1,137 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 28 Sep 2020 20:08:33 +0200 +Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled + modules list + +Now the GRUB can check if it has been locked down and this can be used to +prevent executing commands that can be utilized to circumvent the UEFI +Secure Boot mechanisms. So, instead of hardcoding a list of modules that +have to be disabled, prevent the usage of commands that can be dangerous. + +This not only allows the commands to be disabled on other platforms, but +also properly separate the concerns. Since the shim_lock verifier logic +should be only about preventing to run untrusted binaries and not about +defining these kind of policies. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/commands/iorw.c | 26 ++++++++++---------------- + grub-core/commands/memrw.c | 26 ++++++++++---------------- + 2 files changed, 20 insertions(+), 32 deletions(-) + +diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c +index 41a7f3f0466..584baec8f91 100644 +--- a/grub-core/commands/iorw.c ++++ b/grub-core/commands/iorw.c +@@ -23,7 +23,7 @@ + #include + #include + #include +-#include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -119,9 +119,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv) + + GRUB_MOD_INIT(memrw) + { +- if (grub_efi_secure_boot()) +- return; +- + cmd_read_byte = + grub_register_extcmd ("inb", grub_cmd_read, 0, + N_("PORT"), N_("Read 8-bit value from PORT."), +@@ -135,24 +132,21 @@ GRUB_MOD_INIT(memrw) + N_("PORT"), N_("Read 32-bit value from PORT."), + options); + cmd_write_byte = +- grub_register_command ("outb", grub_cmd_write, +- N_("PORT VALUE [MASK]"), +- N_("Write 8-bit VALUE to PORT.")); ++ grub_register_command_lockdown ("outb", grub_cmd_write, ++ N_("PORT VALUE [MASK]"), ++ N_("Write 8-bit VALUE to PORT.")); + cmd_write_word = +- grub_register_command ("outw", grub_cmd_write, +- N_("PORT VALUE [MASK]"), +- N_("Write 16-bit VALUE to PORT.")); ++ grub_register_command_lockdown ("outw", grub_cmd_write, ++ N_("PORT VALUE [MASK]"), ++ N_("Write 16-bit VALUE to PORT.")); + cmd_write_dword = +- grub_register_command ("outl", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 32-bit VALUE to PORT.")); ++ grub_register_command_lockdown ("outl", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 32-bit VALUE to PORT.")); + } + + GRUB_MOD_FINI(memrw) + { +- if (grub_efi_secure_boot()) +- return; +- + grub_unregister_extcmd (cmd_read_byte); + grub_unregister_extcmd (cmd_read_word); + grub_unregister_extcmd (cmd_read_dword); +diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c +index 088cbe9e2bc..d401a6db0ef 100644 +--- a/grub-core/commands/memrw.c ++++ b/grub-core/commands/memrw.c +@@ -22,7 +22,7 @@ + #include + #include + #include +-#include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -121,9 +121,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv) + + GRUB_MOD_INIT(memrw) + { +- if (grub_efi_secure_boot()) +- return; +- + cmd_read_byte = + grub_register_extcmd ("read_byte", grub_cmd_read, 0, + N_("ADDR"), N_("Read 8-bit value from ADDR."), +@@ -137,24 +134,21 @@ GRUB_MOD_INIT(memrw) + N_("ADDR"), N_("Read 32-bit value from ADDR."), + options); + cmd_write_byte = +- grub_register_command ("write_byte", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 8-bit VALUE to ADDR.")); ++ grub_register_command_lockdown ("write_byte", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 8-bit VALUE to ADDR.")); + cmd_write_word = +- grub_register_command ("write_word", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 16-bit VALUE to ADDR.")); ++ grub_register_command_lockdown ("write_word", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 16-bit VALUE to ADDR.")); + cmd_write_dword = +- grub_register_command ("write_dword", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 32-bit VALUE to ADDR.")); ++ grub_register_command_lockdown ("write_dword", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 32-bit VALUE to ADDR.")); + } + + GRUB_MOD_FINI(memrw) + { +- if (grub_efi_secure_boot()) +- return; +- + grub_unregister_extcmd (cmd_read_byte); + grub_unregister_extcmd (cmd_read_word); + grub_unregister_extcmd (cmd_read_dword); diff --git a/SOURCES/0341-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch b/SOURCES/0341-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch new file mode 100644 index 0000000..2b925ba --- /dev/null +++ b/SOURCES/0341-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch @@ -0,0 +1,72 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 28 Sep 2020 20:08:41 +0200 +Subject: [PATCH] acpi: Don't register the acpi command when locked down +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The command is not allowed when lockdown is enforced. Otherwise an +attacker can instruct the GRUB to load an SSDT table to overwrite +the kernel lockdown configuration and later load and execute +unsigned code. + +Fixes: CVE-2020-14372 + +Reported-by: Máté Kukri +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/commands/acpi.c | 15 ++++++++------- + docs/grub.texi | 5 +++++ + 2 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c +index 97c2cf282f9..230e710a19e 100644 +--- a/grub-core/commands/acpi.c ++++ b/grub-core/commands/acpi.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #ifdef GRUB_MACHINE_EFI + #include +@@ -779,13 +780,13 @@ static grub_extcmd_t cmd; + + GRUB_MOD_INIT(acpi) + { +- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0, +- N_("[-1|-2] [--exclude=TABLE1,TABLE2|" +- "--load-only=TABLE1,TABLE2] FILE1" +- " [FILE2] [...]"), +- N_("Load host ACPI tables and tables " +- "specified by arguments."), +- options); ++ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0, ++ N_("[-1|-2] [--exclude=TABLE1,TABLE2|" ++ "--load-only=TABLE1,TABLE2] FILE1" ++ " [FILE2] [...]"), ++ N_("Load host ACPI tables and tables " ++ "specified by arguments."), ++ options); + } + + GRUB_MOD_FINI(acpi) +diff --git a/docs/grub.texi b/docs/grub.texi +index 6f331422bd3..741f6c3fb51 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -3917,6 +3917,11 @@ Normally, this command will replace the Root System Description Pointer + (RSDP) in the Extended BIOS Data Area to point to the new tables. If the + @option{--no-ebda} option is used, the new tables will be known only to + GRUB, but may be used by GRUB's EFI emulation. ++ ++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). ++ Otherwise an attacker can instruct the GRUB to load an SSDT table to ++ overwrite the kernel lockdown configuration and later load and execute ++ unsigned code. + @end deffn + + diff --git a/SOURCES/0342-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch b/SOURCES/0342-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch new file mode 100644 index 0000000..2f77833 --- /dev/null +++ b/SOURCES/0342-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch @@ -0,0 +1,66 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 14 Oct 2020 16:33:42 +0200 +Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown + is enforced + +The cutmem and badram commands can be used to remove EFI memory regions +and potentially disable the UEFI Secure Boot. Prevent the commands to be +registered if the GRUB is locked down. + +Fixes: CVE-2020-27779 + +Reported-by: Teddy Reed +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/mmap/mmap.c | 13 +++++++------ + docs/grub.texi | 4 ++++ + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c +index 57b4e9a72a9..7ebf32e1e5e 100644 +--- a/grub-core/mmap/mmap.c ++++ b/grub-core/mmap/mmap.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut; + + GRUB_MOD_INIT(mmap) + { +- cmd = grub_register_command ("badram", grub_cmd_badram, +- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), +- N_("Declare memory regions as faulty (badram).")); +- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem, +- N_("FROM[K|M|G] TO[K|M|G]"), +- N_("Remove any memory regions in specified range.")); ++ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram, ++ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), ++ N_("Declare memory regions as faulty (badram).")); ++ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem, ++ N_("FROM[K|M|G] TO[K|M|G]"), ++ N_("Remove any memory regions in specified range.")); + + } + +diff --git a/docs/grub.texi b/docs/grub.texi +index 741f6c3fb51..5a1cfd4aea9 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -3982,6 +3982,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns + that are often result of memory damage, due to physical distribution of memory + cells. + ++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). ++ This prevents removing EFI memory regions to potentially subvert the ++ security mechanisms provided by the UEFI secure boot. ++ + @node blocklist + @subsection blocklist + diff --git a/SOURCES/0343-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch b/SOURCES/0343-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch new file mode 100644 index 0000000..47cfd28 --- /dev/null +++ b/SOURCES/0343-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch @@ -0,0 +1,92 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 24 Feb 2021 09:00:05 +0100 +Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs + when locked down + +There are some more commands that should be restricted when the GRUB is +locked down. Following is the list of commands and reasons to restrict: + + * fakebios: creates BIOS-like structures for backward compatibility with + existing OSes. This should not be allowed when locked down. + + * loadbios: reads a BIOS dump from storage and loads it. This action + should not be allowed when locked down. + + * devicetree: loads a Device Tree blob and passes it to the OS. It replaces + any Device Tree provided by the firmware. This also should + not be allowed when locked down. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/commands/efi/loadbios.c | 14 +++++++------- + grub-core/loader/arm/linux.c | 6 +++--- + docs/grub.texi | 6 ++++-- + 3 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c +index 132cadbc764..3da4c26df7a 100644 +--- a/grub-core/commands/efi/loadbios.c ++++ b/grub-core/commands/efi/loadbios.c +@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios; + + GRUB_MOD_INIT(loadbios) + { +- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios, +- 0, N_("Create BIOS-like structures for" +- " backward compatibility with" +- " existing OS.")); ++ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios, ++ 0, N_("Create BIOS-like structures for" ++ " backward compatibility with" ++ " existing OS.")); + +- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios, +- N_("BIOS_DUMP [INT10_DUMP]"), +- N_("Load BIOS dump.")); ++ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios, ++ N_("BIOS_DUMP [INT10_DUMP]"), ++ N_("Load BIOS dump.")); + } + + GRUB_MOD_FINI(loadbios) +diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c +index 1b195e0899e..8fc905e26ca 100644 +--- a/grub-core/loader/arm/linux.c ++++ b/grub-core/loader/arm/linux.c +@@ -513,9 +513,9 @@ GRUB_MOD_INIT (linux) + 0, N_("Load Linux.")); + cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd, + 0, N_("Load initrd.")); +- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree, +- /* TRANSLATORS: DTB stands for device tree blob. */ +- 0, N_("Load DTB file.")); ++ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, ++ /* TRANSLATORS: DTB stands for device tree blob. */ ++ 0, N_("Load DTB file.")); + my_mod = mod; + fdt_addr = (void *) grub_arm_firmware_get_boot_data (); + machine_type = grub_arm_firmware_get_machine_type (); +diff --git a/docs/grub.texi b/docs/grub.texi +index 5a1cfd4aea9..432610991b7 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -4157,13 +4157,15 @@ hour, minute, and second unchanged. + + + @node devicetree +-@subsection linux ++@subsection devicetree + + @deffn Command devicetree file + Load a device tree blob (.dtb) from a filesystem, for later use by a Linux + kernel. Does not perform merging with any device tree supplied by firmware, + but rather replaces it completely. +-@ref{GNU/Linux}. ++ ++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). ++ This is done to prevent subverting various security mechanisms. + @end deffn + + @node distrust diff --git a/SOURCES/0344-commands-setpci-Restrict-setpci-command-when-locked-.patch b/SOURCES/0344-commands-setpci-Restrict-setpci-command-when-locked-.patch new file mode 100644 index 0000000..1bb09d4 --- /dev/null +++ b/SOURCES/0344-commands-setpci-Restrict-setpci-command-when-locked-.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 24 Feb 2021 22:59:59 +0100 +Subject: [PATCH] commands/setpci: Restrict setpci command when locked down + +This command can set PCI devices register values, which makes it dangerous +in a locked down configuration. Restrict it so can't be used on this setup. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/commands/setpci.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c +index d5bc97d60b2..fa2ba7d8919 100644 +--- a/grub-core/commands/setpci.c ++++ b/grub-core/commands/setpci.c +@@ -329,10 +329,10 @@ static grub_extcmd_t cmd; + + GRUB_MOD_INIT(setpci) + { +- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0, +- N_("[-s POSITION] [-d DEVICE] [-v VAR] " +- "REGISTER[=VALUE[:MASK]]"), +- N_("Manipulate PCI devices."), options); ++ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0, ++ N_("[-s POSITION] [-d DEVICE] [-v VAR] " ++ "REGISTER[=VALUE[:MASK]]"), ++ N_("Manipulate PCI devices."), options); + } + + GRUB_MOD_FINI(setpci) diff --git a/SOURCES/0345-commands-hdparm-Restrict-hdparm-command-when-locked-.patch b/SOURCES/0345-commands-hdparm-Restrict-hdparm-command-when-locked-.patch new file mode 100644 index 0000000..f5ec026 --- /dev/null +++ b/SOURCES/0345-commands-hdparm-Restrict-hdparm-command-when-locked-.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 24 Feb 2021 12:59:29 +0100 +Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down + +The command can be used to get/set ATA disk parameters. Some of these can +be dangerous since change the disk behavior. Restrict it when locked down. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/commands/hdparm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c +index 3fb08912d82..809b89ea5ab 100644 +--- a/grub-core/commands/hdparm.c ++++ b/grub-core/commands/hdparm.c +@@ -434,9 +434,9 @@ static grub_extcmd_t cmd; + + GRUB_MOD_INIT(hdparm) + { +- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0, +- N_("[OPTIONS] DISK"), +- N_("Get/set ATA disk parameters."), options); ++ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0, ++ N_("[OPTIONS] DISK"), ++ N_("Get/set ATA disk parameters."), options); + } + + GRUB_MOD_FINI(hdparm) diff --git a/SOURCES/0346-gdb-Restrict-GDB-access-when-locked-down.patch b/SOURCES/0346-gdb-Restrict-GDB-access-when-locked-down.patch new file mode 100644 index 0000000..b392d22 --- /dev/null +++ b/SOURCES/0346-gdb-Restrict-GDB-access-when-locked-down.patch @@ -0,0 +1,58 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 24 Feb 2021 15:03:26 +0100 +Subject: [PATCH] gdb: Restrict GDB access when locked down + +The gdbstub* commands allow to start and control a GDB stub running on +local host that can be used to connect from a remote debugger. Restrict +this functionality when the GRUB is locked down. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/gdb/gdb.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c +index 847a1e1e36f..1818cb6f8eb 100644 +--- a/grub-core/gdb/gdb.c ++++ b/grub-core/gdb/gdb.c +@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break; + GRUB_MOD_INIT (gdb) + { + grub_gdb_idtinit (); +- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub, +- N_("PORT"), +- /* TRANSLATORS: GDB stub is a small part of +- GDB functionality running on local host +- which allows remote debugger to +- connect to it. */ +- N_("Start GDB stub on given port")); +- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break, +- /* TRANSLATORS: this refers to triggering +- a breakpoint so that the user will land +- into GDB. */ +- 0, N_("Break into GDB")); +- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop, +- 0, N_("Stop GDB stub")); ++ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub, ++ N_("PORT"), ++ /* ++ * TRANSLATORS: GDB stub is a small part of ++ * GDB functionality running on local host ++ * which allows remote debugger to ++ * connect to it. ++ */ ++ N_("Start GDB stub on given port")); ++ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break, ++ /* ++ * TRANSLATORS: this refers to triggering ++ * a breakpoint so that the user will land ++ * into GDB. ++ */ ++ 0, N_("Break into GDB")); ++ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop, ++ 0, N_("Stop GDB stub")); + } + + GRUB_MOD_FINI (gdb) diff --git a/SOURCES/0347-loader-xnu-Don-t-allow-loading-extension-and-package.patch b/SOURCES/0347-loader-xnu-Don-t-allow-loading-extension-and-package.patch new file mode 100644 index 0000000..e153024 --- /dev/null +++ b/SOURCES/0347-loader-xnu-Don-t-allow-loading-extension-and-package.patch @@ -0,0 +1,57 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 24 Feb 2021 14:44:38 +0100 +Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when + locked down + +The shim_lock verifier validates the XNU kernels but no its extensions +and packages. Prevent these to be loaded when the GRUB is locked down. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/loader/xnu.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c +index 66731d2528b..14e0d65cd27 100644 +--- a/grub-core/loader/xnu.c ++++ b/grub-core/loader/xnu.c +@@ -1477,20 +1477,23 @@ GRUB_MOD_INIT(xnu) + N_("Load XNU image.")); + cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64, + 0, N_("Load 64-bit XNU image.")); +- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0, +- N_("Load XNU extension package.")); +- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0, +- N_("Load XNU extension.")); +- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir, +- /* TRANSLATORS: OSBundleRequired is a +- variable name in xnu extensions +- manifests. It behaves mostly like +- GNU/Linux runlevels. +- */ +- N_("DIRECTORY [OSBundleRequired]"), +- /* TRANSLATORS: There are many extensions +- in extension directory. */ +- N_("Load XNU extension directory.")); ++ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0, ++ N_("Load XNU extension package.")); ++ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0, ++ N_("Load XNU extension.")); ++ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir, ++ /* ++ * TRANSLATORS: OSBundleRequired is ++ * a variable name in xnu extensions ++ * manifests. It behaves mostly like ++ * GNU/Linux runlevels. ++ */ ++ N_("DIRECTORY [OSBundleRequired]"), ++ /* ++ * TRANSLATORS: There are many extensions ++ * in extension directory. ++ */ ++ N_("Load XNU extension directory.")); + cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0, + /* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */ + N_("Load XNU ramdisk. " diff --git a/SOURCES/0348-docs-Document-the-cutmem-command.patch b/SOURCES/0348-docs-Document-the-cutmem-command.patch new file mode 100644 index 0000000..ec6aeb8 --- /dev/null +++ b/SOURCES/0348-docs-Document-the-cutmem-command.patch @@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Sat, 7 Nov 2020 01:03:18 +0100 +Subject: [PATCH] docs: Document the cutmem command + +The command is not present in the docs/grub.texi user documentation. + +Reported-by: Daniel Kiper +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Daniel Kiper +Reviewed-by: Javier Martinez Canillas +--- + docs/grub.texi | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/docs/grub.texi b/docs/grub.texi +index 432610991b7..446574f3ddb 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -3828,6 +3828,7 @@ you forget a command, you can run the command @command{help} + * cpuid:: Check for CPU features + * crc:: Compute or check CRC32 checksums + * cryptomount:: Mount a crypto device ++* cutmem:: Remove memory regions + * date:: Display or set current date and time + * devicetree:: Load a device tree blob + * distrust:: Remove a pubkey from trusted keys +@@ -3982,6 +3983,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns + that are often result of memory damage, due to physical distribution of memory + cells. + ++The command is similar to @command{cutmem} command. ++ + Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). + This prevents removing EFI memory regions to potentially subvert the + security mechanisms provided by the UEFI secure boot. +@@ -4142,6 +4145,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules + be used. + @end deffn + ++@node cutmem ++@subsection cutmem ++ ++@deffn Command cutmem from[K|M|G] to[K|M|G] ++Remove any memory regions in specified range. ++@end deffn ++ ++This command notifies the memory manager that specified regions of RAM ought to ++be filtered out. This remains in effect after a payload kernel has been loaded ++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels ++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot ++kernels in general. ++ ++The command is similar to @command{badram} command. ++ ++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). ++ This prevents removing EFI memory regions to potentially subvert the ++ security mechanisms provided by the UEFI secure boot. + + @node date + @subsection date diff --git a/SOURCES/0349-dl-Only-allow-unloading-modules-that-are-not-depende.patch b/SOURCES/0349-dl-Only-allow-unloading-modules-that-are-not-depende.patch new file mode 100644 index 0000000..51fc1a5 --- /dev/null +++ b/SOURCES/0349-dl-Only-allow-unloading-modules-that-are-not-depende.patch @@ -0,0 +1,83 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 29 Sep 2020 14:08:55 +0200 +Subject: [PATCH] dl: Only allow unloading modules that are not dependencies + +When a module is attempted to be removed its reference counter is always +decremented. This means that repeated rmmod invocations will cause the +module to be unloaded even if another module depends on it. + +This may lead to a use-after-free scenario allowing an attacker to execute +arbitrary code and by-pass the UEFI Secure Boot protection. + +While being there, add the extern keyword to some function declarations in +that header file. + +Fixes: CVE-2020-25632 + +Reported-by: Chris Coulson +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/commands/minicmd.c | 7 +++++-- + grub-core/kern/dl.c | 9 +++++++++ + include/grub/dl.h | 8 +++++--- + 3 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c +index b25ca4b9f17..4660a020bda 100644 +--- a/grub-core/commands/minicmd.c ++++ b/grub-core/commands/minicmd.c +@@ -137,8 +137,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)), + if (! mod) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such module"); + +- if (grub_dl_unref (mod) <= 0) +- grub_dl_unload (mod); ++ if (grub_dl_ref_count (mod) > 1) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module"); ++ ++ grub_dl_unref (mod); ++ grub_dl_unload (mod); + + return 0; + } +diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c +index c45afc64950..fb88894aba5 100644 +--- a/grub-core/kern/dl.c ++++ b/grub-core/kern/dl.c +@@ -557,6 +557,15 @@ grub_dl_unref (grub_dl_t mod) + return --mod->ref_count; + } + ++int ++grub_dl_ref_count (grub_dl_t mod) ++{ ++ if (mod == NULL) ++ return 0; ++ ++ return mod->ref_count; ++} ++ + static void + grub_dl_flush_cache (grub_dl_t mod) + { +diff --git a/include/grub/dl.h b/include/grub/dl.h +index 9562fa6634c..c0e2c55c8c7 100644 +--- a/include/grub/dl.h ++++ b/include/grub/dl.h +@@ -202,9 +202,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name); + grub_dl_t grub_dl_load_core (void *addr, grub_size_t size); + grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size); + int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod); +-void grub_dl_unload_unneeded (void); +-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod); +-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod); ++extern void grub_dl_unload_unneeded (void); ++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod); ++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod); ++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod); ++ + extern grub_dl_t EXPORT_VAR(grub_dl_head); + + #ifndef GRUB_UTIL diff --git a/SOURCES/0350-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch b/SOURCES/0350-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch new file mode 100644 index 0000000..2ac3c27 --- /dev/null +++ b/SOURCES/0350-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch @@ -0,0 +1,112 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Fri, 11 Dec 2020 19:19:21 +0100 +Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious + devices + +The maximum number of configurations and interfaces are fixed but there is +no out-of-bound checking to prevent a malicious USB device to report large +values for these and cause accesses outside the arrays' memory. + +Fixes: CVE-2020-25647 + +Reported-by: Joseph Tartaro (IOActive) +Reported-by: Ilja Van Sprundel +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + grub-core/bus/usb/usb.c | 15 ++++++++++++--- + include/grub/usb.h | 10 +++++++--- + 2 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c +index 8da5e4c7491..7cb3cc230b2 100644 +--- a/grub-core/bus/usb/usb.c ++++ b/grub-core/bus/usb/usb.c +@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook, + grub_usb_err_t + grub_usb_clear_halt (grub_usb_device_t dev, int endpoint) + { ++ if (endpoint >= GRUB_USB_MAX_TOGGLE) ++ return GRUB_USB_ERR_BADDEVICE; ++ + dev->toggle[endpoint] = 0; + return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT + | GRUB_USB_REQTYPE_STANDARD +@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev) + return err; + descdev = &dev->descdev; + +- for (i = 0; i < 8; i++) ++ for (i = 0; i < GRUB_USB_MAX_CONF; i++) + dev->config[i].descconf = NULL; + +- if (descdev->configcnt == 0) ++ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF) + { + err = GRUB_USB_ERR_BADDEVICE; + goto fail; +@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev) + /* Skip the configuration descriptor. */ + pos = dev->config[i].descconf->length; + ++ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF) ++ { ++ err = GRUB_USB_ERR_BADDEVICE; ++ goto fail; ++ } ++ + /* Read all interfaces. */ + for (currif = 0; currif < dev->config[i].descconf->numif; currif++) + { +@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev) + + fail: + +- for (i = 0; i < 8; i++) ++ for (i = 0; i < GRUB_USB_MAX_CONF; i++) + grub_free (dev->config[i].descconf); + + return err; +diff --git a/include/grub/usb.h b/include/grub/usb.h +index 11d96481ff6..f26b89b7fd4 100644 +--- a/include/grub/usb.h ++++ b/include/grub/usb.h +@@ -23,6 +23,10 @@ + #include + #include + ++#define GRUB_USB_MAX_CONF 8 ++#define GRUB_USB_MAX_IF 32 ++#define GRUB_USB_MAX_TOGGLE 256 ++ + typedef struct grub_usb_device *grub_usb_device_t; + typedef struct grub_usb_controller *grub_usb_controller_t; + typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t; +@@ -167,7 +171,7 @@ struct grub_usb_configuration + struct grub_usb_desc_config *descconf; + + /* Interfaces associated to this configuration. */ +- struct grub_usb_interface interf[32]; ++ struct grub_usb_interface interf[GRUB_USB_MAX_IF]; + }; + + struct grub_usb_hub_port +@@ -191,7 +195,7 @@ struct grub_usb_device + struct grub_usb_controller controller; + + /* Device configurations (after opening the device). */ +- struct grub_usb_configuration config[8]; ++ struct grub_usb_configuration config[GRUB_USB_MAX_CONF]; + + /* Device address. */ + int addr; +@@ -203,7 +207,7 @@ struct grub_usb_device + int initialized; + + /* Data toggle values (used for bulk transfers only). */ +- int toggle[256]; ++ int toggle[GRUB_USB_MAX_TOGGLE]; + + /* Used by libusb wrapper. Schedulded for removal. */ + void *data; diff --git a/SOURCES/0351-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch b/SOURCES/0351-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch new file mode 100644 index 0000000..66e3744 --- /dev/null +++ b/SOURCES/0351-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 3 Dec 2020 14:39:45 +0000 +Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory + +When returning from grub_mmap_iterate() the memory allocated to present +is not being released causing it to leak. + +Fixes: CID 96655 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/mmap/mmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c +index 7ebf32e1e5e..8bf235f3400 100644 +--- a/grub-core/mmap/mmap.c ++++ b/grub-core/mmap/mmap.c +@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data) + hook_data)) + { + grub_free (ctx.scanline_events); ++ grub_free (present); + return GRUB_ERR_NONE; + } + +@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data) + } + + grub_free (ctx.scanline_events); ++ grub_free (present); + return GRUB_ERR_NONE; + } + diff --git a/SOURCES/0352-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch b/SOURCES/0352-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch new file mode 100644 index 0000000..ed8a408 --- /dev/null +++ b/SOURCES/0352-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 27 Nov 2020 15:10:26 +0000 +Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer + +It is always possible that grub_zalloc() could fail, so we should check for +a NULL return. Otherwise we run the risk of dereferencing a NULL pointer. + +Fixes: CID 296221 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/net/net.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/grub-core/net/net.c b/grub-core/net/net.c +index 80310ff4e7a..1f62aa10f2f 100644 +--- a/grub-core/net/net.c ++++ b/grub-core/net/net.c +@@ -104,8 +104,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card, + + /* Add sender to cache table. */ + if (card->link_layer_table == NULL) +- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE +- * sizeof (card->link_layer_table[0])); ++ { ++ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE ++ * sizeof (card->link_layer_table[0])); ++ if (card->link_layer_table == NULL) ++ return; ++ } ++ + entry = &(card->link_layer_table[card->new_ll_entry]); + entry->avail = 1; + grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address)); diff --git a/SOURCES/0353-net-tftp-Fix-dangling-memory-pointer.patch b/SOURCES/0353-net-tftp-Fix-dangling-memory-pointer.patch new file mode 100644 index 0000000..193d893 --- /dev/null +++ b/SOURCES/0353-net-tftp-Fix-dangling-memory-pointer.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 19 Feb 2021 17:12:23 +0000 +Subject: [PATCH] net/tftp: Fix dangling memory pointer + +The static code analysis tool, Parfait, reported that the valid of +file->data was left referencing memory that was freed by the call to +grub_free(data) where data was initialized from file->data. + +To ensure that there is no unintentional access to this memory +referenced by file->data we should set the pointer to NULL. + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/net/tftp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c +index b9a4b607a3d..aa0424dcee3 100644 +--- a/grub-core/net/tftp.c ++++ b/grub-core/net/tftp.c +@@ -444,6 +444,7 @@ tftp_close (struct grub_file *file) + grub_net_udp_close (data->sock); + } + grub_free (data); ++ file->data = NULL; + return GRUB_ERR_NONE; + } + diff --git a/SOURCES/0354-kern-parser-Fix-resource-leak-if-argc-0.patch b/SOURCES/0354-kern-parser-Fix-resource-leak-if-argc-0.patch new file mode 100644 index 0000000..a422623 --- /dev/null +++ b/SOURCES/0354-kern-parser-Fix-resource-leak-if-argc-0.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 22 Jan 2021 12:32:41 +0000 +Subject: [PATCH] kern/parser: Fix resource leak if argc == 0 + +After processing the command-line yet arriving at the point where we are +setting argv, we are allocating memory, even if argc == 0, which makes +no sense since we never put anything into the allocated argv. + +The solution is to simply return that we've successfully processed the +arguments but that argc == 0, and also ensure that argv is NULL when +we're not allocating anything in it. + +There are only 2 callers of this function, and both are handling a zero +value in argc assuming nothing is allocated in argv. + +Fixes: CID 96680 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/kern/parser.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c +index 5de8559e777..94e8728d59a 100644 +--- a/grub-core/kern/parser.c ++++ b/grub-core/kern/parser.c +@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline, + int i; + + *argc = 0; ++ *argv = NULL; + do + { + if (!rd || !*rd) +@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline, + (*argc)++; + } + ++ /* If there are no args, then we're done. */ ++ if (!*argc) ++ return 0; ++ + /* Reserve memory for the return values. */ + args = grub_malloc (bp - buffer); + if (!args) diff --git a/SOURCES/0355-kern-efi-Fix-memory-leak-on-failure.patch b/SOURCES/0355-kern-efi-Fix-memory-leak-on-failure.patch new file mode 100644 index 0000000..06b02e8 --- /dev/null +++ b/SOURCES/0355-kern-efi-Fix-memory-leak-on-failure.patch @@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 5 Nov 2020 10:15:25 +0000 +Subject: [PATCH] kern/efi: Fix memory leak on failure + +Free the memory allocated to name before returning on failure. + +Fixes: CID 296222 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/kern/efi/efi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c +index 6c4099a685d..fce4ca05c65 100644 +--- a/grub-core/kern/efi/efi.c ++++ b/grub-core/kern/efi/efi.c +@@ -381,6 +381,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, + "malformed EFI Device Path node has length=%d", len); ++ grub_free (name); + return NULL; + } + diff --git a/SOURCES/0356-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/SOURCES/0356-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch new file mode 100644 index 0000000..7b92857 --- /dev/null +++ b/SOURCES/0356-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch @@ -0,0 +1,65 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 11 Dec 2020 15:03:13 +0000 +Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference + +The model of grub_efi_get_memory_map() is that if memory_map is NULL, +then the purpose is to discover how much memory should be allocated to +it for the subsequent call. + +The problem here is that with grub_efi_is_finished set to 1, there is no +check at all that the function is being called with a non-NULL memory_map. + +While this MAY be true, we shouldn't assume it. + +The solution to this is to behave as expected, and if memory_map is NULL, +then don't try to use it and allow memory_map_size to be filled in, and +return 0 as is done later in the code if the buffer is too small (or NULL). + +Additionally, drop unneeded ret = 1. + +Fixes: CID 96632 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/kern/efi/mm.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c +index abe9c70557f..bb022f43e91 100644 +--- a/grub-core/kern/efi/mm.c ++++ b/grub-core/kern/efi/mm.c +@@ -334,16 +334,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size, + if (grub_efi_is_finished) + { + int ret = 1; +- if (*memory_map_size < finish_mmap_size) ++ ++ if (memory_map != NULL) + { +- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size); ++ if (*memory_map_size < finish_mmap_size) ++ { ++ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size); ++ ret = 0; ++ } ++ else ++ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size); ++ } ++ else ++ { ++ /* ++ * Incomplete, no buffer to copy into, same as ++ * GRUB_EFI_BUFFER_TOO_SMALL below. ++ */ + ret = 0; + } +- else +- { +- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size); +- ret = 1; +- } + *memory_map_size = finish_mmap_size; + if (map_key) + *map_key = finish_key; diff --git a/SOURCES/0357-gnulib-regexec-Resolve-unused-variable.patch b/SOURCES/0357-gnulib-regexec-Resolve-unused-variable.patch new file mode 100644 index 0000000..54c8148 --- /dev/null +++ b/SOURCES/0357-gnulib-regexec-Resolve-unused-variable.patch @@ -0,0 +1,73 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Wed, 21 Oct 2020 14:41:27 +0000 +Subject: [PATCH] gnulib/regexec: Resolve unused variable + +This is a really minor issue where a variable is being assigned to but +not checked before it is overwritten again. + +The reason for this issue is that we are not building with DEBUG set and +this in turn means that the assert() that reads the value of the +variable match_last is being processed out. + +The solution, move the assignment to match_last in to an ifdef DEBUG too. + +Fixes: CID 292459 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/gnulib/regexec.c | 4 ++++ + conf/Makefile.extra-dist | 1 + + grub-core/gnulib-fix-unused-value.patch | 14 ++++++++++++++ + 3 files changed, 19 insertions(+) + create mode 100644 grub-core/gnulib-fix-unused-value.patch + +diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c +index f632cd47b3a..fdc178e07a4 100644 +--- a/grub-core/gnulib/regexec.c ++++ b/grub-core/gnulib/regexec.c +@@ -879,7 +879,11 @@ re_search_internal (const regex_t *preg, + break; + if (BE (err != REG_NOMATCH, 0)) + goto free_return; ++#ifdef DEBUG ++ /* Only used for assertion below when DEBUG is set, otherwise ++ it will be over-written when we loop around. */ + match_last = REG_MISSING; ++#endif + } + else + break; /* We found a match. */ +diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist +index e914dfd897e..7b305bce766 100644 +--- a/conf/Makefile.extra-dist ++++ b/conf/Makefile.extra-dist +@@ -27,6 +27,7 @@ EXTRA_DIST += grub-core/genemuinit.sh + EXTRA_DIST += grub-core/genemuinitheader.sh + + EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff ++EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch + EXTRA_DIST += grub-core/gnulib-fix-width.diff + EXTRA_DIST += grub-core/gnulib-no-abort.diff + EXTRA_DIST += grub-core/gnulib-no-gets.diff +diff --git a/grub-core/gnulib-fix-unused-value.patch b/grub-core/gnulib-fix-unused-value.patch +new file mode 100644 +index 00000000000..452a8732922 +--- /dev/null ++++ b/grub-core/gnulib-fix-unused-value.patch +@@ -0,0 +1,14 @@ ++--- grub-core/gnulib/regexec.c 2020-10-21 14:25:35.310195912 +0000 +++++ grub-core/gnulib/regexec.c 2020-10-21 14:32:07.961765604 +0000 ++@@ -828,7 +828,11 @@ ++ break; ++ if (BE (err != REG_NOMATCH, 0)) ++ goto free_return; +++#ifdef DEBUG +++ /* Only used for assertion below when DEBUG is set, otherwise +++ it will be over-written when we loop around. */ ++ match_last = REG_MISSING; +++#endif ++ } ++ else ++ break; /* We found a match. */ diff --git a/SOURCES/0358-gnulib-regcomp-Fix-uninitialized-token-structure.patch b/SOURCES/0358-gnulib-regcomp-Fix-uninitialized-token-structure.patch new file mode 100644 index 0000000..3a6beb6 --- /dev/null +++ b/SOURCES/0358-gnulib-regcomp-Fix-uninitialized-token-structure.patch @@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 22 Oct 2020 13:54:06 +0000 +Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure + +The code is assuming that the value of br_token.constraint was +initialized to zero when it wasn't. + +While some compilers will ensure that, not all do, so it is better to +fix this explicitly than leave it to chance. + +Fixes: CID 73749 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/gnulib/regcomp.c | 2 +- + conf/Makefile.extra-dist | 1 + + grub-core/gnulib-fix-uninit-structure.patch | 11 +++++++++++ + 3 files changed, 13 insertions(+), 1 deletion(-) + create mode 100644 grub-core/gnulib-fix-uninit-structure.patch + +diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c +index 596e0cf3ef7..de9f622088f 100644 +--- a/grub-core/gnulib/regcomp.c ++++ b/grub-core/gnulib/regcomp.c +@@ -3641,7 +3641,7 @@ build_charclass_op (re_dfa_t *dfa, RE_TRANSLATE_TYPE trans, + Idx alloc = 0; + #endif /* not RE_ENABLE_I18N */ + reg_errcode_t ret; +- re_token_t br_token; ++ re_token_t br_token = {0}; + bin_tree_t *tree; + + sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1); +diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist +index 7b305bce766..8baa6a831f7 100644 +--- a/conf/Makefile.extra-dist ++++ b/conf/Makefile.extra-dist +@@ -27,6 +27,7 @@ EXTRA_DIST += grub-core/genemuinit.sh + EXTRA_DIST += grub-core/genemuinitheader.sh + + EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff ++EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch + EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch + EXTRA_DIST += grub-core/gnulib-fix-width.diff + EXTRA_DIST += grub-core/gnulib-no-abort.diff +diff --git a/grub-core/gnulib-fix-uninit-structure.patch b/grub-core/gnulib-fix-uninit-structure.patch +new file mode 100644 +index 00000000000..7b4d9f67af4 +--- /dev/null ++++ b/grub-core/gnulib-fix-uninit-structure.patch +@@ -0,0 +1,11 @@ ++--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000 +++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000 ++@@ -3662,7 +3662,7 @@ ++ Idx alloc = 0; ++ #endif /* not RE_ENABLE_I18N */ ++ reg_errcode_t ret; ++- re_token_t br_token; +++ re_token_t br_token = {0}; ++ bin_tree_t *tree; ++ ++ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1); diff --git a/SOURCES/0359-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch b/SOURCES/0359-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch new file mode 100644 index 0000000..c308833 --- /dev/null +++ b/SOURCES/0359-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch @@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Wed, 28 Oct 2020 14:43:01 +0000 +Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state + +All other instances of call to __argp_failure() where there is +a dgettext() call is first checking whether state is NULL before +attempting to dereference it to get the root_argp->argp_domain. + +Fixes: CID 292436 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/gnulib/argp-help.c | 3 ++- + conf/Makefile.extra-dist | 1 + + grub-core/gnulib-fix-null-state-deref.patch | 12 ++++++++++++ + 3 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 grub-core/gnulib-fix-null-state-deref.patch + +diff --git a/grub-core/gnulib/argp-help.c b/grub-core/gnulib/argp-help.c +index 2914f4723c6..1b21c3500db 100644 +--- a/grub-core/gnulib/argp-help.c ++++ b/grub-core/gnulib/argp-help.c +@@ -145,7 +145,8 @@ validate_uparams (const struct argp_state *state, struct uparams *upptr) + if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin) + { + __argp_failure (state, 0, 0, +- dgettext (state->root_argp->argp_domain, ++ dgettext (state == NULL ? NULL ++ : state->root_argp->argp_domain, + "\ + ARGP_HELP_FMT: %s value is less than or equal to %s"), + "rmargin", up->name); +diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist +index 8baa6a831f7..c3506afe792 100644 +--- a/conf/Makefile.extra-dist ++++ b/conf/Makefile.extra-dist +@@ -27,6 +27,7 @@ EXTRA_DIST += grub-core/genemuinit.sh + EXTRA_DIST += grub-core/genemuinitheader.sh + + EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff ++EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch + EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch + EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch + EXTRA_DIST += grub-core/gnulib-fix-width.diff +diff --git a/grub-core/gnulib-fix-null-state-deref.patch b/grub-core/gnulib-fix-null-state-deref.patch +new file mode 100644 +index 00000000000..813ec09c8a1 +--- /dev/null ++++ b/grub-core/gnulib-fix-null-state-deref.patch +@@ -0,0 +1,12 @@ ++--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000 +++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000 ++@@ -145,7 +145,8 @@ ++ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin) ++ { ++ __argp_failure (state, 0, 0, ++- dgettext (state->root_argp->argp_domain, +++ dgettext (state == NULL ? NULL +++ : state->root_argp->argp_domain, ++ "\ ++ ARGP_HELP_FMT: %s value is less than or equal to %s"), ++ "rmargin", up->name); diff --git a/SOURCES/0360-gnulib-regexec-Fix-possible-null-dereference.patch b/SOURCES/0360-gnulib-regexec-Fix-possible-null-dereference.patch new file mode 100644 index 0000000..de970a9 --- /dev/null +++ b/SOURCES/0360-gnulib-regexec-Fix-possible-null-dereference.patch @@ -0,0 +1,65 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 5 Nov 2020 10:57:14 +0000 +Subject: [PATCH] gnulib/regexec: Fix possible null-dereference + +It appears to be possible that the mctx->state_log field may be NULL, +and the name of this function, clean_state_log_if_needed(), suggests +that it should be checking that it is valid to be cleaned before +assuming that it does. + +Fixes: CID 86720 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/gnulib/regexec.c | 3 +++ + conf/Makefile.extra-dist | 1 + + grub-core/gnulib-fix-regexec-null-deref.patch | 12 ++++++++++++ + 3 files changed, 16 insertions(+) + create mode 100644 grub-core/gnulib-fix-regexec-null-deref.patch + +diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c +index fdc178e07a4..1e4cb2df4e3 100644 +--- a/grub-core/gnulib/regexec.c ++++ b/grub-core/gnulib/regexec.c +@@ -1754,6 +1754,9 @@ clean_state_log_if_needed (re_match_context_t *mctx, Idx next_state_log_idx) + { + Idx top = mctx->state_log_top; + ++ if (mctx->state_log == NULL) ++ return REG_NOERROR; ++ + if ((next_state_log_idx >= mctx->input.bufs_len + && mctx->input.bufs_len < mctx->input.len) + || (next_state_log_idx >= mctx->input.valid_len +diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist +index c3506afe792..60d9f564236 100644 +--- a/conf/Makefile.extra-dist ++++ b/conf/Makefile.extra-dist +@@ -28,6 +28,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh + + EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff + EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch ++EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch + EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch + EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch + EXTRA_DIST += grub-core/gnulib-fix-width.diff +diff --git a/grub-core/gnulib-fix-regexec-null-deref.patch b/grub-core/gnulib-fix-regexec-null-deref.patch +new file mode 100644 +index 00000000000..db6dac9c9e3 +--- /dev/null ++++ b/grub-core/gnulib-fix-regexec-null-deref.patch +@@ -0,0 +1,12 @@ ++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000 +++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000 ++@@ -1692,6 +1692,9 @@ ++ { ++ Idx top = mctx->state_log_top; ++ +++ if (mctx->state_log == NULL) +++ return REG_NOERROR; +++ ++ if ((next_state_log_idx >= mctx->input.bufs_len ++ && mctx->input.bufs_len < mctx->input.len) ++ || (next_state_log_idx >= mctx->input.valid_len diff --git a/SOURCES/0361-gnulib-regcomp-Fix-uninitialized-re_token.patch b/SOURCES/0361-gnulib-regcomp-Fix-uninitialized-re_token.patch new file mode 100644 index 0000000..2820f25 --- /dev/null +++ b/SOURCES/0361-gnulib-regcomp-Fix-uninitialized-re_token.patch @@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 24 Nov 2020 18:04:22 +0000 +Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token + +This issue has been fixed in the latest version of gnulib, so to +maintain consistency, I've backported that change rather than doing +something different. + +Fixes: CID 73828 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/gnulib/regcomp.c | 3 +-- + conf/Makefile.extra-dist | 1 + + grub-core/gnulib-fix-regcomp-uninit-token.patch | 12 ++++++++++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + create mode 100644 grub-core/gnulib-fix-regcomp-uninit-token.patch + +diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c +index de9f622088f..6d0830ac691 100644 +--- a/grub-core/gnulib/regcomp.c ++++ b/grub-core/gnulib/regcomp.c +@@ -3790,8 +3790,7 @@ static bin_tree_t * + create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right, + re_token_type_t type) + { +- re_token_t t; +- t.type = type; ++ re_token_t t = { .type = type }; + return create_token_tree (dfa, left, right, &t); + } + +diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist +index 60d9f564236..68e5d0eda7b 100644 +--- a/conf/Makefile.extra-dist ++++ b/conf/Makefile.extra-dist +@@ -28,6 +28,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh + + EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff + EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch ++EXTRA_DIST += grub-core/gnulib-fix-regcomp-uninit-token.patch + EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch + EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch + EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch +diff --git a/grub-core/gnulib-fix-regcomp-uninit-token.patch b/grub-core/gnulib-fix-regcomp-uninit-token.patch +new file mode 100644 +index 00000000000..d615745221b +--- /dev/null ++++ b/grub-core/gnulib-fix-regcomp-uninit-token.patch +@@ -0,0 +1,12 @@ ++--- grub-core/gnulib/regcomp.c +++++ grub-core/gnulib/regcomp.c ++@@ -3808,8 +3808,7 @@ static bin_tree_t * ++ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right, ++ re_token_type_t type) ++ { ++- re_token_t t; ++- t.type = type; +++ re_token_t t = { .type = type }; ++ return create_token_tree (dfa, left, right, &t); ++ } ++ diff --git a/SOURCES/0362-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch b/SOURCES/0362-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch new file mode 100644 index 0000000..40cfa4e --- /dev/null +++ b/SOURCES/0362-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch @@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Wed, 21 Oct 2020 14:44:10 +0000 +Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors + +These 2 assignments are unnecessary since they are just assigning +to themselves. + +Fixes: CID 73643 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/io/lzopio.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c +index de2ea6778e2..987485fa2dd 100644 +--- a/grub-core/io/lzopio.c ++++ b/grub-core/io/lzopio.c +@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio) + sizeof (lzopio->block.ucheck)) != + sizeof (lzopio->block.ucheck)) + return -1; +- +- lzopio->block.ucheck = lzopio->block.ucheck; + } + + /* Read checksum of compressed data. */ +@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio) + sizeof (lzopio->block.ccheck)) != + sizeof (lzopio->block.ccheck)) + return -1; +- +- lzopio->block.ccheck = lzopio->block.ccheck; + } + } + diff --git a/SOURCES/0363-kern-partition-Check-for-NULL-before-dereferencing-i.patch b/SOURCES/0363-kern-partition-Check-for-NULL-before-dereferencing-i.patch new file mode 100644 index 0000000..373cae3 --- /dev/null +++ b/SOURCES/0363-kern-partition-Check-for-NULL-before-dereferencing-i.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 23 Oct 2020 09:49:59 +0000 +Subject: [PATCH] kern/partition: Check for NULL before dereferencing input + string + +There is the possibility that the value of str comes from an external +source and continuing to use it before ever checking its validity is +wrong. So, needs fixing. + +Additionally, drop unneeded part initialization. + +Fixes: CID 292444 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/kern/partition.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c +index e499147cbcb..b10a184e3fa 100644 +--- a/grub-core/kern/partition.c ++++ b/grub-core/kern/partition.c +@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap, + grub_partition_t + grub_partition_probe (struct grub_disk *disk, const char *str) + { +- grub_partition_t part = 0; ++ grub_partition_t part; + grub_partition_t curpart = 0; + grub_partition_t tail; + const char *ptr; + ++ if (str == NULL) ++ return 0; ++ + part = tail = disk->partition; + + for (ptr = str; *ptr;) diff --git a/SOURCES/0364-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch b/SOURCES/0364-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch new file mode 100644 index 0000000..f3bff82 --- /dev/null +++ b/SOURCES/0364-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch @@ -0,0 +1,125 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marco A Benatto +Date: Mon, 7 Dec 2020 11:53:03 -0300 +Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from + make_vg() + +Several error handling paths in make_vg() do not free comp data before +jumping to fail2 label and returning from the function. This will leak +memory. So, let's fix all issues of that kind. + +Fixes: CID 73804 + +Signed-off-by: Marco A Benatto +Reviewed-by: Daniel Kiper +--- + grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 44 insertions(+), 7 deletions(-) + +diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c +index b1a57f2d2ad..34e1e4d72ff 100644 +--- a/grub-core/disk/ldm.c ++++ b/grub-core/disk/ldm.c +@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk, + comp->segments = grub_calloc (comp->segment_alloc, + sizeof (*comp->segments)); + if (!comp->segments) +- goto fail2; ++ { ++ grub_free (comp->internal_id); ++ grub_free (comp); ++ goto fail2; ++ } + } + else + { +@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk, + comp->segment_count = 1; + comp->segments = grub_malloc (sizeof (*comp->segments)); + if (!comp->segments) +- goto fail2; ++ { ++ grub_free (comp->internal_id); ++ grub_free (comp); ++ goto fail2; ++ } + comp->segments->start_extent = 0; + comp->segments->extent_count = lv->size; + comp->segments->layout = 0; +@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk, + comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK; + } + else +- goto fail2; ++ { ++ grub_free (comp->segments); ++ grub_free (comp->internal_id); ++ grub_free (comp); ++ goto fail2; ++ } + ptr += *ptr + 1; + ptr++; + if (!(vblk[i].flags & 0x10)) +- goto fail2; ++ { ++ grub_free (comp->segments); ++ grub_free (comp->internal_id); ++ grub_free (comp); ++ goto fail2; ++ } + if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic) + || ptr + *ptr + 1 >= vblk[i].dynamic + + sizeof (vblk[i].dynamic)) + { ++ grub_free (comp->segments); + grub_free (comp->internal_id); + grub_free (comp); + goto fail2; +@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk, + if (ptr + *ptr + 1 >= vblk[i].dynamic + + sizeof (vblk[i].dynamic)) + { ++ grub_free (comp->segments); + grub_free (comp->internal_id); + grub_free (comp); + goto fail2; +@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk, + comp->segments->nodes = grub_calloc (comp->segments->node_alloc, + sizeof (*comp->segments->nodes)); + if (!lv->segments->nodes) +- goto fail2; ++ { ++ grub_free (comp->segments); ++ grub_free (comp->internal_id); ++ grub_free (comp); ++ goto fail2; ++ } + } + + if (lv->segments->node_alloc == lv->segments->node_count) +@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk, + + if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) || + grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz)) +- goto fail2; ++ { ++ grub_free (comp->segments->nodes); ++ grub_free (comp->segments); ++ grub_free (comp->internal_id); ++ grub_free (comp); ++ goto fail2; ++ } + + t = grub_realloc (lv->segments->nodes, sz); + if (!t) +- goto fail2; ++ { ++ grub_free (comp->segments->nodes); ++ grub_free (comp->segments); ++ grub_free (comp->internal_id); ++ grub_free (comp); ++ goto fail2; ++ } + lv->segments->nodes = t; + } + lv->segments->nodes[lv->segments->node_count].pv = 0; diff --git a/SOURCES/0365-disk-ldm-If-failed-then-free-vg-variable-too.patch b/SOURCES/0365-disk-ldm-If-failed-then-free-vg-variable-too.patch new file mode 100644 index 0000000..de01a6e --- /dev/null +++ b/SOURCES/0365-disk-ldm-If-failed-then-free-vg-variable-too.patch @@ -0,0 +1,25 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paulo Flabiano Smorigo +Date: Mon, 7 Dec 2020 10:07:47 -0300 +Subject: [PATCH] disk/ldm: If failed then free vg variable too + +Fixes: CID 73809 + +Signed-off-by: Paulo Flabiano Smorigo +Reviewed-by: Daniel Kiper +--- + grub-core/disk/ldm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c +index 34e1e4d72ff..9c73d2217e9 100644 +--- a/grub-core/disk/ldm.c ++++ b/grub-core/disk/ldm.c +@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk, + { + grub_free (vg->uuid); + grub_free (vg->name); ++ grub_free (vg); + return NULL; + } + grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN); diff --git a/SOURCES/0366-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch b/SOURCES/0366-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch new file mode 100644 index 0000000..771411c --- /dev/null +++ b/SOURCES/0366-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 8 Dec 2020 10:00:51 +0000 +Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references + +The problem here is that the memory allocated to the variable lv is not +yet inserted into the list that is being processed at the label fail2. + +As we can already see at line 342, which correctly frees lv before going +to fail2, we should also be doing that at these earlier jumps to fail2. + +Fixes: CID 73824 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/disk/ldm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c +index 9c73d2217e9..2a953667986 100644 +--- a/grub-core/disk/ldm.c ++++ b/grub-core/disk/ldm.c +@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk, + lv->visible = 1; + lv->segments = grub_zalloc (sizeof (*lv->segments)); + if (!lv->segments) +- goto fail2; ++ { ++ grub_free (lv); ++ goto fail2; ++ } + lv->segments->start_extent = 0; + lv->segments->type = GRUB_DISKFILTER_MIRROR; + lv->segments->node_count = 0; +@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk, + lv->segments->nodes = grub_calloc (lv->segments->node_alloc, + sizeof (*lv->segments->nodes)); + if (!lv->segments->nodes) +- goto fail2; ++ { ++ grub_free (lv); ++ goto fail2; ++ } + ptr = vblk[i].dynamic; + if (ptr + *ptr + 1 >= vblk[i].dynamic + + sizeof (vblk[i].dynamic)) diff --git a/SOURCES/0367-disk-cryptodisk-Fix-potential-integer-overflow.patch b/SOURCES/0367-disk-cryptodisk-Fix-potential-integer-overflow.patch new file mode 100644 index 0000000..ebe6687 --- /dev/null +++ b/SOURCES/0367-disk-cryptodisk-Fix-potential-integer-overflow.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 21 Jan 2021 11:38:31 +0000 +Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow + +The encrypt and decrypt functions expect a grub_size_t. So, we need to +ensure that the constant bit shift is using grub_size_t rather than +unsigned int when it is performing the shift. + +Fixes: CID 307788 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/disk/cryptodisk.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index f0e3a900ae3..9289acfc611 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -303,10 +303,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev, + case GRUB_CRYPTODISK_MODE_CBC: + if (do_encrypt) + err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i, +- (1U << dev->log_sector_size), iv); ++ ((grub_size_t) 1 << dev->log_sector_size), iv); + else + err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i, +- (1U << dev->log_sector_size), iv); ++ ((grub_size_t) 1 << dev->log_sector_size), iv); + if (err) + return err; + break; +@@ -314,10 +314,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev, + case GRUB_CRYPTODISK_MODE_PCBC: + if (do_encrypt) + err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i, +- (1U << dev->log_sector_size), iv); ++ ((grub_size_t) 1 << dev->log_sector_size), iv); + else + err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i, +- (1U << dev->log_sector_size), iv); ++ ((grub_size_t) 1 << dev->log_sector_size), iv); + if (err) + return err; + break; diff --git a/SOURCES/0368-hfsplus-Check-that-the-volume-name-length-is-valid.patch b/SOURCES/0368-hfsplus-Check-that-the-volume-name-length-is-valid.patch new file mode 100644 index 0000000..055f927 --- /dev/null +++ b/SOURCES/0368-hfsplus-Check-that-the-volume-name-length-is-valid.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 23 Oct 2020 17:09:31 +0000 +Subject: [PATCH] hfsplus: Check that the volume name length is valid + +HFS+ documentation suggests that the maximum filename and volume name is +255 Unicode characters in length. + +So, when converting from big-endian to little-endian, we should ensure +that the name of the volume has a length that is between 0 and 255, +inclusive. + +Fixes: CID 73641 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/fs/hfsplus.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index d9833f94414..7ae66967b3a 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -1002,6 +1002,15 @@ grub_hfsplus_label (grub_device_t device, char **label) + grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr); + + label_len = grub_be_to_cpu16 (catkey->namelen); ++ ++ /* Ensure that the length is >= 0. */ ++ if (label_len < 0) ++ label_len = 0; ++ ++ /* Ensure label length is at most 255 Unicode characters. */ ++ if (label_len > 255) ++ label_len = 255; ++ + label_name = grub_calloc (label_len, sizeof (*label_name)); + if (!label_name) + { diff --git a/SOURCES/0369-zfs-Fix-possible-negative-shift-operation.patch b/SOURCES/0369-zfs-Fix-possible-negative-shift-operation.patch new file mode 100644 index 0000000..bc2b098 --- /dev/null +++ b/SOURCES/0369-zfs-Fix-possible-negative-shift-operation.patch @@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 24 Nov 2020 16:41:49 +0000 +Subject: [PATCH] zfs: Fix possible negative shift operation + +While it is possible for the return value from zfs_log2() to be zero +(0), it is quite unlikely, given that the previous assignment to blksz +is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the +assignment to epbs. + +But, while unlikely during a normal operation, it may be that a carefully +crafted ZFS filesystem could result in a zero (0) value to the +dn_datalbkszsec field, which means that the shift left does nothing +and assigns zero (0) to blksz, resulting in a negative epbs value. + +Fixes: CID 73608 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/fs/zfs/zfs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c +index 6fd21f975f5..f607b9b56b9 100644 +--- a/grub-core/fs/zfs/zfs.c ++++ b/grub-core/fs/zfs/zfs.c +@@ -2602,6 +2602,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type, + blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec, + mdn->endian) << SPA_MINBLOCKSHIFT; + epbs = zfs_log2 (blksz) - DNODE_SHIFT; ++ ++ /* While this should never happen, we should check that epbs is not negative. */ ++ if (epbs < 0) ++ epbs = 0; ++ + blkid = objnum >> epbs; + idx = objnum & ((1 << epbs) - 1); + diff --git a/SOURCES/0370-zfs-Fix-resource-leaks-while-constructing-path.patch b/SOURCES/0370-zfs-Fix-resource-leaks-while-constructing-path.patch new file mode 100644 index 0000000..3cfef11 --- /dev/null +++ b/SOURCES/0370-zfs-Fix-resource-leaks-while-constructing-path.patch @@ -0,0 +1,114 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paulo Flabiano Smorigo +Date: Mon, 14 Dec 2020 18:54:49 -0300 +Subject: [PATCH] zfs: Fix resource leaks while constructing path + +There are several exit points in dnode_get_path() that are causing possible +memory leaks. + +In the while(1) the correct exit mechanism should not be to do a direct return, +but to instead break out of the loop, setting err first if it is not already set. + +The reason behind this is that the dnode_path is a linked list, and while doing +through this loop, it is being allocated and built up - the only way to +correctly unravel it is to traverse it, which is what is being done at the end +of the function outside of the loop. + +Several of the existing exit points correctly did a break, but not all so this +change makes that more consistent and should resolve the leaking of memory as +found by Coverity. + +Fixes: CID 73741 + +Signed-off-by: Paulo Flabiano Smorigo +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/fs/zfs/zfs.c | 30 ++++++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 8 deletions(-) + +diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c +index f607b9b56b9..467fa7ee9ea 100644 +--- a/grub-core/fs/zfs/zfs.c ++++ b/grub-core/fs/zfs/zfs.c +@@ -2771,8 +2771,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, + + if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS) + { +- grub_free (path_buf); +- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory")); ++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory")); ++ break; + } + err = zap_lookup (&(dnode_path->dn), cname, &objnum, + data, subvol->case_insensitive); +@@ -2815,7 +2815,11 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, + + sym_value = grub_malloc (sym_sz); + if (!sym_value) +- return grub_errno; ++ { ++ err = grub_errno; ++ break; ++ } ++ + for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++) + { + void *t; +@@ -2823,7 +2827,10 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, + + err = dmu_read (&(dnode_path->dn), block, &t, 0, data); + if (err) +- return err; ++ { ++ grub_free (sym_value); ++ break; ++ } + + movesize = sym_sz - block * blksz; + if (movesize > blksz) +@@ -2832,13 +2839,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, + grub_memcpy (sym_value + block * blksz, t, movesize); + grub_free (t); + } ++ if (err) ++ break; + free_symval = 1; + } + path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1); + if (!path_buf) + { + grub_free (oldpathbuf); +- return grub_errno; ++ if (free_symval) ++ grub_free (sym_value); ++ err = grub_errno; ++ break; + } + grub_memcpy (path, sym_value, sym_sz); + if (free_symval) +@@ -2876,11 +2888,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, + + err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data); + if (err) +- return err; ++ break; + } + else + { +- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt"); ++ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt"); ++ break; + } + + hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp)); +@@ -2901,7 +2914,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, + if (!path_buf) + { + grub_free (oldpathbuf); +- return grub_errno; ++ err = grub_errno; ++ break; + } + grub_memcpy (path, sym_value, sym_sz); + path [sym_sz] = 0; diff --git a/SOURCES/0371-zfs-Fix-possible-integer-overflows.patch b/SOURCES/0371-zfs-Fix-possible-integer-overflows.patch new file mode 100644 index 0000000..0038019 --- /dev/null +++ b/SOURCES/0371-zfs-Fix-possible-integer-overflows.patch @@ -0,0 +1,53 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 8 Dec 2020 22:17:04 +0000 +Subject: [PATCH] zfs: Fix possible integer overflows + +In all cases the problem is that the value being acted upon by +a left-shift is a 32-bit number which is then being used in the +context of a 64-bit number. + +To avoid overflow we ensure that the number being shifted is 64-bit +before the shift is done. + +Fixes: CID 73684, CID 73695, CID 73764 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/fs/zfs/zfs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c +index 467fa7ee9ea..4fe09b4c10c 100644 +--- a/grub-core/fs/zfs/zfs.c ++++ b/grub-core/fs/zfs/zfs.c +@@ -560,7 +560,7 @@ find_bestub (uberblock_phys_t * ub_array, + ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array + + ((i << ub_shift) + / sizeof (grub_properly_aligned_t))); +- err = uberblock_verify (ubptr, offset, 1 << ub_shift); ++ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift); + if (err) + { + grub_errno = GRUB_ERR_NONE; +@@ -1535,7 +1535,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc, + + high = grub_divmod64 ((offset >> desc->ashift) + c, + desc->n_children, &devn); +- csize = bsize << desc->ashift; ++ csize = (grub_size_t) bsize << desc->ashift; + if (csize > len) + csize = len; + +@@ -1627,8 +1627,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc, + + while (len > 0) + { +- grub_size_t csize; +- csize = ((s / (desc->n_children - desc->nparity)) ++ grub_size_t csize = s; ++ csize = ((csize / (desc->n_children - desc->nparity)) + << desc->ashift); + if (csize > len) + csize = len; diff --git a/SOURCES/0372-zfsinfo-Correct-a-check-for-error-allocating-memory.patch b/SOURCES/0372-zfsinfo-Correct-a-check-for-error-allocating-memory.patch new file mode 100644 index 0000000..7c40c48 --- /dev/null +++ b/SOURCES/0372-zfsinfo-Correct-a-check-for-error-allocating-memory.patch @@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 26 Nov 2020 10:56:45 +0000 +Subject: [PATCH] zfsinfo: Correct a check for error allocating memory + +While arguably the check for grub_errno is correct, we should really be +checking the return value from the function since it is always possible +that grub_errno was set elsewhere, making this code behave incorrectly. + +Fixes: CID 73668 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/fs/zfs/zfsinfo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c +index c96bf2183c0..19562cf4720 100644 +--- a/grub-core/fs/zfs/zfsinfo.c ++++ b/grub-core/fs/zfs/zfsinfo.c +@@ -356,8 +356,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc, + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected")); + + devname = grub_file_get_device_name (args[0]); +- if (grub_errno) +- return grub_errno; ++ if (devname == NULL) ++ return GRUB_ERR_OUT_OF_MEMORY; + + dev = grub_device_open (devname); + grub_free (devname); diff --git a/SOURCES/0373-affs-Fix-memory-leaks.patch b/SOURCES/0373-affs-Fix-memory-leaks.patch new file mode 100644 index 0000000..57c42a0 --- /dev/null +++ b/SOURCES/0373-affs-Fix-memory-leaks.patch @@ -0,0 +1,79 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 26 Nov 2020 12:48:07 +0000 +Subject: [PATCH] affs: Fix memory leaks + +The node structure reference is being allocated but not freed if it +reaches the end of the function. If any of the hooks had returned +a non-zero value, then node would have been copied in to the context +reference, but otherwise node is not stored and should be freed. + +Similarly, the call to grub_affs_create_node() replaces the allocated +memory in node with a newly allocated structure, leaking the existing +memory pointed by node. + +Finally, when dir->parent is set, then we again replace node with newly +allocated memory, which seems unnecessary when we copy in the values +from dir->parent immediately after. + +Fixes: CID 73759 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/fs/affs.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c +index 91073795f90..e4615c74381 100644 +--- a/grub-core/fs/affs.c ++++ b/grub-core/fs/affs.c +@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir, + { + unsigned int i; + struct grub_affs_file file; +- struct grub_fshelp_node *node = 0; ++ struct grub_fshelp_node *node, *orig_node; + struct grub_affs_data *data = dir->data; + grub_uint32_t *hashtable; + + /* Create the directory entries for `.' and `..'. */ +- node = grub_zalloc (sizeof (*node)); ++ node = orig_node = grub_zalloc (sizeof (*node)); + if (!node) + return 1; + +@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir, + return 1; + if (dir->parent) + { +- node = grub_zalloc (sizeof (*node)); +- if (!node) +- return 1; + *node = *dir->parent; + if (hook ("..", GRUB_FSHELP_DIR, node, hook_data)) + return 1; +@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir, + + if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable, + next, &file)) +- return 1; ++ { ++ /* Node has been replaced in function. */ ++ grub_free (orig_node); ++ return 1; ++ } + + next = grub_be_to_cpu32 (file.next); + } + } + +- grub_free (hashtable); +- return 0; +- + fail: +- grub_free (node); ++ grub_free (orig_node); + grub_free (hashtable); + return 0; + } diff --git a/SOURCES/0374-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch b/SOURCES/0374-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch new file mode 100644 index 0000000..c9f3a35 --- /dev/null +++ b/SOURCES/0374-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch @@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 3 Nov 2020 16:43:37 +0000 +Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension + +The array of unsigned char gets promoted to a signed 32-bit int before +it is finally promoted to a size_t. There is the possibility that this +may result in the signed-bit being set for the intermediate signed +32-bit int. We should ensure that the promotion is to the correct type +before we bitwise-OR the values. + +Fixes: CID 96697 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c +index a3435ed142a..7ecad27b23a 100644 +--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c ++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c +@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format, + if (len && len < 4) + return gcry_error (GPG_ERR_TOO_SHORT); + +- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]); ++ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]); + s += 4; + if (len) + len -= 4; diff --git a/SOURCES/0375-libgcrypt-mpi-Fix-possible-NULL-dereference.patch b/SOURCES/0375-libgcrypt-mpi-Fix-possible-NULL-dereference.patch new file mode 100644 index 0000000..89257f5 --- /dev/null +++ b/SOURCES/0375-libgcrypt-mpi-Fix-possible-NULL-dereference.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 26 Nov 2020 10:41:54 +0000 +Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference + +The code in gcry_mpi_scan() assumes that buffer is not NULL, but there +is no explicit check for that, so we add one. + +Fixes: CID 73757 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c +index 7ecad27b23a..6fe38916532 100644 +--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c ++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c +@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format, + unsigned int len; + int secure = (buffer && gcry_is_secure (buffer)); + ++ if (!buffer) ++ return gcry_error (GPG_ERR_INV_ARG); ++ + if (format == GCRYMPI_FMT_SSH) + len = 0; + else diff --git a/SOURCES/0376-syslinux-Fix-memory-leak-while-parsing.patch b/SOURCES/0376-syslinux-Fix-memory-leak-while-parsing.patch new file mode 100644 index 0000000..f987429 --- /dev/null +++ b/SOURCES/0376-syslinux-Fix-memory-leak-while-parsing.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 26 Nov 2020 15:31:53 +0000 +Subject: [PATCH] syslinux: Fix memory leak while parsing + +In syslinux_parse_real() the 2 points where return is being called +didn't release the memory stored in buf which is no longer required. + +Fixes: CID 176634 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/lib/syslinux_parse.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c +index 6bc504b7c58..1cc99619ac8 100644 +--- a/grub-core/lib/syslinux_parse.c ++++ b/grub-core/lib/syslinux_parse.c +@@ -734,7 +734,10 @@ syslinux_parse_real (struct syslinux_menu *menu) + && grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0)) + { + if (helptext (ptr5, file, menu)) +- return 1; ++ { ++ grub_free (buf); ++ return 1; ++ } + continue; + } + +@@ -754,6 +757,7 @@ syslinux_parse_real (struct syslinux_menu *menu) + } + fail: + grub_file_close (file); ++ grub_free (buf); + return err; + } + diff --git a/SOURCES/0377-normal-completion-Fix-leaking-of-memory-when-process.patch b/SOURCES/0377-normal-completion-Fix-leaking-of-memory-when-process.patch new file mode 100644 index 0000000..984c608 --- /dev/null +++ b/SOURCES/0377-normal-completion-Fix-leaking-of-memory-when-process.patch @@ -0,0 +1,49 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 4 Dec 2020 18:56:48 +0000 +Subject: [PATCH] normal/completion: Fix leaking of memory when processing a + completion + +It is possible for the code to reach the end of the function without +freeing the memory allocated to argv and argc still to be 0. + +We should always call grub_free(argv). The grub_free() will handle +a NULL argument correctly if it reaches that code without the memory +being allocated. + +Fixes: CID 96672 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/normal/completion.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c +index 93aa0d8eda8..5036bcf2d98 100644 +--- a/grub-core/normal/completion.c ++++ b/grub-core/normal/completion.c +@@ -401,8 +401,8 @@ char * + grub_normal_do_completion (char *buf, int *restore, + void (*hook) (const char *, grub_completion_type_t, int)) + { +- int argc; +- char **argv; ++ int argc = 0; ++ char **argv = NULL; + + /* Initialize variables. */ + match = 0; +@@ -517,10 +517,8 @@ grub_normal_do_completion (char *buf, int *restore, + + fail: + if (argc != 0) +- { +- grub_free (argv[0]); +- grub_free (argv); +- } ++ grub_free (argv[0]); ++ grub_free (argv); + grub_free (match); + grub_errno = GRUB_ERR_NONE; + diff --git a/SOURCES/0378-commands-hashsum-Fix-a-memory-leak.patch b/SOURCES/0378-commands-hashsum-Fix-a-memory-leak.patch new file mode 100644 index 0000000..5fe9eb6 --- /dev/null +++ b/SOURCES/0378-commands-hashsum-Fix-a-memory-leak.patch @@ -0,0 +1,53 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Tue, 1 Dec 2020 23:41:24 +0000 +Subject: [PATCH] commands/hashsum: Fix a memory leak + +check_list() uses grub_file_getline(), which allocates a buffer. +If the hash list file contains invalid lines, the function leaks +this buffer when it returns an error. + +Fixes: CID 176635 + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +--- + grub-core/commands/hashsum.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c +index d18687351a5..282922bba1e 100644 +--- a/grub-core/commands/hashsum.c ++++ b/grub-core/commands/hashsum.c +@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename, + high = hextoval (*p++); + low = hextoval (*p++); + if (high < 0 || low < 0) +- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list"); ++ { ++ grub_free (buf); ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list"); ++ } + expected[i] = (high << 4) | low; + } + if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t')) +- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list"); ++ { ++ grub_free (buf); ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list"); ++ } + p += 2; + if (prefix) + { +@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename, + + filename = grub_xasprintf ("%s/%s", prefix, p); + if (!filename) +- return grub_errno; ++ { ++ grub_free (buf); ++ return grub_errno; ++ } + if (!uncompress) + grub_file_filter_disable_compression (); + file = grub_file_open (filename); diff --git a/SOURCES/0379-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch b/SOURCES/0379-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch new file mode 100644 index 0000000..fce5f99 --- /dev/null +++ b/SOURCES/0379-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch @@ -0,0 +1,91 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 8 Dec 2020 21:14:31 +0000 +Subject: [PATCH] video/efi_gop: Remove unnecessary return value of + grub_video_gop_fill_mode_info() + +The return value of grub_video_gop_fill_mode_info() is never able to be +anything other than GRUB_ERR_NONE. So, rather than continue to return +a value and checking it each time, it is more correct to redefine the +function to not return anything and remove checks of its return value +altogether. + +Fixes: CID 96701 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/video/efi_gop.c | 25 ++++++------------------- + 1 file changed, 6 insertions(+), 19 deletions(-) + +diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c +index c9e40e8d4e9..9fcc41ac03c 100644 +--- a/grub-core/video/efi_gop.c ++++ b/grub-core/video/efi_gop.c +@@ -229,7 +229,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode, + return GRUB_ERR_NONE; + } + +-static grub_err_t ++static void + grub_video_gop_fill_mode_info (unsigned mode, + struct grub_efi_gop_mode_info *in, + struct grub_video_mode_info *out) +@@ -254,8 +254,6 @@ grub_video_gop_fill_mode_info (unsigned mode, + out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888; + out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED + | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP); +- +- return GRUB_ERR_NONE; + } + + static int +@@ -268,7 +266,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo + grub_efi_uintn_t size; + grub_efi_status_t status; + struct grub_efi_gop_mode_info *info = NULL; +- grub_err_t err; + struct grub_video_mode_info mode_info; + + status = efi_call_4 (gop->query_mode, gop, mode, &size, &info); +@@ -279,12 +276,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo + continue; + } + +- err = grub_video_gop_fill_mode_info (mode, info, &mode_info); +- if (err) +- { +- grub_errno = GRUB_ERR_NONE; +- continue; +- } ++ grub_video_gop_fill_mode_info (mode, info, &mode_info); + if (hook (&mode_info, hook_arg)) + return 1; + } +@@ -468,13 +460,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height, + + info = gop->mode->info; + +- err = grub_video_gop_fill_mode_info (gop->mode->mode, info, +- &framebuffer.mode_info); +- if (err) +- { +- grub_dprintf ("video", "GOP: couldn't fill mode info\n"); +- return err; +- } ++ grub_video_gop_fill_mode_info (gop->mode->mode, info, ++ &framebuffer.mode_info); + + framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base; + framebuffer.offscreen +@@ -488,8 +475,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height, + { + grub_dprintf ("video", "GOP: couldn't allocate shadow\n"); + grub_errno = 0; +- err = grub_video_gop_fill_mode_info (gop->mode->mode, info, +- &framebuffer.mode_info); ++ grub_video_gop_fill_mode_info (gop->mode->mode, info, ++ &framebuffer.mode_info); + buffer = framebuffer.ptr; + } + diff --git a/SOURCES/0380-video-fb-fbfill-Fix-potential-integer-overflow.patch b/SOURCES/0380-video-fb-fbfill-Fix-potential-integer-overflow.patch new file mode 100644 index 0000000..895fd9d --- /dev/null +++ b/SOURCES/0380-video-fb-fbfill-Fix-potential-integer-overflow.patch @@ -0,0 +1,75 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Wed, 4 Nov 2020 15:10:51 +0000 +Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow + +The multiplication of 2 unsigned 32-bit integers may overflow before +promotion to unsigned 64-bit. We should ensure that the multiplication +is done with overflow detection. Additionally, use grub_sub() for +subtraction. + +Fixes: CID 73640, CID 73697, CID 73702, CID 73823 + +Signed-off-by: Darren Kenny +Signed-off-by: Marco A Benatto +Reviewed-by: Daniel Kiper +--- + grub-core/video/fb/fbfill.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c +index 11816d07a0b..a37acd1e293 100644 +--- a/grub-core/video/fb/fbfill.c ++++ b/grub-core/video/fb/fbfill.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + + /* Generic filler that works for every supported mode. */ +@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst, + + /* Calculate the number of bytes to advance from the end of one line + to the beginning of the next line. */ +- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width; ++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || ++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) ++ return; + + /* Get the start address. */ + dstptr = grub_video_fb_get_video_ptr (dst, x, y); +@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst, + #endif + /* Calculate the number of bytes to advance from the end of one line + to the beginning of the next line. */ +- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width; ++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || ++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) ++ return; + + /* Get the start address. */ + dstptr = grub_video_fb_get_video_ptr (dst, x, y); +@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst, + + /* Calculate the number of bytes to advance from the end of one line + to the beginning of the next line. */ +- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width); ++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || ++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) ++ return; + + /* Get the start address. */ + dstptr = grub_video_fb_get_video_ptr (dst, x, y); +@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst, + + /* Calculate the number of bytes to advance from the end of one line + to the beginning of the next line. */ +- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width; ++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) || ++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip)) ++ return; + + /* Get the start address. */ + dstptr = grub_video_fb_get_video_ptr (dst, x, y); diff --git a/SOURCES/0381-video-fb-video_fb-Fix-multiple-integer-overflows.patch b/SOURCES/0381-video-fb-video_fb-Fix-multiple-integer-overflows.patch new file mode 100644 index 0000000..95bc962 --- /dev/null +++ b/SOURCES/0381-video-fb-video_fb-Fix-multiple-integer-overflows.patch @@ -0,0 +1,101 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Wed, 4 Nov 2020 14:43:44 +0000 +Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows + +The calculation of the unsigned 64-bit value is being generated by +multiplying 2, signed or unsigned, 32-bit integers which may overflow +before promotion to unsigned 64-bit. Fix all of them. + +Fixes: CID 73703, CID 73767, CID 73833 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++++++++------------- + 1 file changed, 36 insertions(+), 16 deletions(-) + +diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c +index 722bb3bb436..eae87bab1ea 100644 +--- a/grub-core/video/fb/video_fb.c ++++ b/grub-core/video/fb/video_fb.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void) + { + if (framebuffer.current_dirty.first_line + <= framebuffer.current_dirty.last_line) +- grub_memcpy ((char *) framebuffer.pages[0] +- + framebuffer.current_dirty.first_line +- * framebuffer.back_target->mode_info.pitch, +- (char *) framebuffer.back_target->data +- + framebuffer.current_dirty.first_line +- * framebuffer.back_target->mode_info.pitch, +- framebuffer.back_target->mode_info.pitch +- * (framebuffer.current_dirty.last_line +- - framebuffer.current_dirty.first_line)); ++ { ++ grub_size_t copy_size; ++ ++ if (grub_sub (framebuffer.current_dirty.last_line, ++ framebuffer.current_dirty.first_line, ©_size) || ++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size)) ++ { ++ /* Shouldn't happen, but if it does we've a bug. */ ++ return GRUB_ERR_BUG; ++ } ++ ++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line * ++ framebuffer.back_target->mode_info.pitch, ++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line * ++ framebuffer.back_target->mode_info.pitch, ++ copy_size); ++ } + framebuffer.current_dirty.first_line + = framebuffer.back_target->mode_info.height; + framebuffer.current_dirty.last_line = 0; +@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back, + volatile void *framebuf) + { + grub_err_t err; +- grub_size_t page_size = mode_info.pitch * mode_info.height; ++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height; + + framebuffer.offscreen_buffer = grub_zalloc (page_size); + if (! framebuffer.offscreen_buffer) +@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void) + last_line = framebuffer.previous_dirty.last_line; + + if (first_line <= last_line) +- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] +- + first_line * framebuffer.back_target->mode_info.pitch, +- (char *) framebuffer.back_target->data +- + first_line * framebuffer.back_target->mode_info.pitch, +- framebuffer.back_target->mode_info.pitch +- * (last_line - first_line)); ++ { ++ grub_size_t copy_size; ++ ++ if (grub_sub (last_line, first_line, ©_size) || ++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size)) ++ { ++ /* Shouldn't happen, but if it does we've a bug. */ ++ return GRUB_ERR_BUG; ++ } ++ ++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line * ++ framebuffer.back_target->mode_info.pitch, ++ (char *) framebuffer.back_target->data + first_line * ++ framebuffer.back_target->mode_info.pitch, ++ copy_size); ++ } ++ + framebuffer.previous_dirty = framebuffer.current_dirty; + framebuffer.current_dirty.first_line + = framebuffer.back_target->mode_info.height; diff --git a/SOURCES/0382-video-fb-video_fb-Fix-possible-integer-overflow.patch b/SOURCES/0382-video-fb-video_fb-Fix-possible-integer-overflow.patch new file mode 100644 index 0000000..164b926 --- /dev/null +++ b/SOURCES/0382-video-fb-video_fb-Fix-possible-integer-overflow.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 4 Dec 2020 14:51:30 +0000 +Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow + +It is minimal possibility that the values being used here will overflow. +So, change the code to use the safemath function grub_mul() to ensure +that doesn't happen. + +Fixes: CID 73761 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/video/fb/video_fb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c +index eae87bab1ea..33cf98f655b 100644 +--- a/grub-core/video/fb/video_fb.c ++++ b/grub-core/video/fb/video_fb.c +@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info, + volatile void *page1_ptr) + { + grub_err_t err; +- grub_size_t page_size = mode_info->pitch * mode_info->height; ++ grub_size_t page_size = 0; ++ ++ if (grub_mul (mode_info->pitch, mode_info->height, &page_size)) ++ { ++ /* Shouldn't happen, but if it does we've a bug. */ ++ return GRUB_ERR_BUG; ++ } + + framebuffer.offscreen_buffer = grub_malloc (page_size); + if (! framebuffer.offscreen_buffer) diff --git a/SOURCES/0383-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch b/SOURCES/0383-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch new file mode 100644 index 0000000..3394852 --- /dev/null +++ b/SOURCES/0383-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 4 Dec 2020 15:39:00 +0000 +Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference + from a jpeg file + +While it may never happen, and potentially could be caught at the end of +the function, it is worth checking up front for a bad reference to the +next marker just in case of a maliciously crafted file being provided. + +Fixes: CID 73694 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/video/readers/jpeg.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index 2dc2ee10e54..ed6d9bfd160 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) + next_marker = data->file->offset; + next_marker += grub_jpeg_get_word (data); + ++ if (next_marker > data->file->size) ++ { ++ /* Should never be set beyond the size of the file. */ ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference"); ++ } ++ + while (data->file->offset + sizeof (data->quan_table[id]) + 1 + <= next_marker) + { diff --git a/SOURCES/0384-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch b/SOURCES/0384-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch new file mode 100644 index 0000000..4e1d94a --- /dev/null +++ b/SOURCES/0384-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Mon, 7 Dec 2020 14:44:47 +0000 +Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as + dead + +The test of value for NULL before calling grub_strdup() is not required, +since the if condition prior to this has already tested for value being +NULL and cannot reach this code if it is. + +Fixes: CID 73659 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/gfxmenu/gui_list.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c +index 5d26811f9d2..2a52a529247 100644 +--- a/grub-core/gfxmenu/gui_list.c ++++ b/grub-core/gfxmenu/gui_list.c +@@ -768,7 +768,7 @@ list_set_property (void *vself, const char *name, const char *value) + { + self->need_to_recreate_boxes = 1; + grub_free (self->selected_item_box_pattern); +- self->selected_item_box_pattern = value ? grub_strdup (value) : 0; ++ self->selected_item_box_pattern = grub_strdup (value); + self->selected_item_box_pattern_inherit = 0; + } + } diff --git a/SOURCES/0385-loader-bsd-Check-for-NULL-arg-up-front.patch b/SOURCES/0385-loader-bsd-Check-for-NULL-arg-up-front.patch new file mode 100644 index 0000000..f38c592 --- /dev/null +++ b/SOURCES/0385-loader-bsd-Check-for-NULL-arg-up-front.patch @@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 8 Dec 2020 21:47:13 +0000 +Subject: [PATCH] loader/bsd: Check for NULL arg up-front + +The code in the next block suggests that it is possible for .set to be +true but .arg may still be NULL. + +This code assumes that it is never NULL, yet later is testing if it is +NULL - that is inconsistent. + +So we should check first if .arg is not NULL, and remove this check that +is being flagged by Coverity since it is no longer required. + +Fixes: CID 292471 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/loader/i386/bsd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c +index dc62800df45..220fcb93033 100644 +--- a/grub-core/loader/i386/bsd.c ++++ b/grub-core/loader/i386/bsd.c +@@ -1599,7 +1599,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[]) + kernel_type = KERNEL_TYPE_OPENBSD; + bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags); + +- if (ctxt->state[OPENBSD_ROOT_ARG].set) ++ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL) + { + const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg; + unsigned type, unit, part; +@@ -1616,7 +1616,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[]) + "unknown disk type name"); + + unit = grub_strtoul (arg, (char **) &arg, 10); +- if (! (arg && *arg >= 'a' && *arg <= 'z')) ++ if (! (*arg >= 'a' && *arg <= 'z')) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + "only device specifications of form " + " are supported"); diff --git a/SOURCES/0386-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch b/SOURCES/0386-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch new file mode 100644 index 0000000..26f822c --- /dev/null +++ b/SOURCES/0386-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch @@ -0,0 +1,74 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marco A Benatto +Date: Mon, 30 Nov 2020 12:18:24 -0300 +Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in + grub_xnu_writetree_toheap() + +... to avoid memory leaks. + +Fixes: CID 96640 + +Signed-off-by: Marco A Benatto +Reviewed-by: Daniel Kiper +--- + grub-core/loader/xnu.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c +index 14e0d65cd27..f7f3a9d45c8 100644 +--- a/grub-core/loader/xnu.c ++++ b/grub-core/loader/xnu.c +@@ -227,26 +227,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size) + if (! memorymap) + return grub_errno; + +- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey)); ++ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey)); + if (! driverkey) + return grub_errno; + driverkey->name = grub_strdup ("DeviceTree"); + if (! driverkey->name) +- return grub_errno; ++ { ++ err = grub_errno; ++ goto fail; ++ } ++ + driverkey->datasize = sizeof (*extdesc); + driverkey->next = memorymap->first_child; + memorymap->first_child = driverkey; + driverkey->data = extdesc + = (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc)); + if (! driverkey->data) +- return grub_errno; ++ { ++ err = grub_errno; ++ goto fail; ++ } + + /* Allocate the space based on the size with dummy value. */ + *size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/"); + err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE), + &src, target); + if (err) +- return err; ++ goto fail; + + /* Put real data in the dummy. */ + extdesc->addr = *target; +@@ -255,6 +262,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size) + /* Write the tree to heap. */ + grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/"); + return GRUB_ERR_NONE; ++ ++ fail: ++ memorymap->first_child = NULL; ++ ++ grub_free (driverkey->data); ++ grub_free (driverkey->name); ++ grub_free (driverkey); ++ ++ return err; + } + + /* Find a key or value in parent key. */ diff --git a/SOURCES/0387-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch b/SOURCES/0387-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch new file mode 100644 index 0000000..abbcea7 --- /dev/null +++ b/SOURCES/0387-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch @@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paulo Flabiano Smorigo +Date: Mon, 30 Nov 2020 10:36:00 -0300 +Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it + +Fixes: CID 73654 + +Signed-off-by: Paulo Flabiano Smorigo +Reviewed-by: Daniel Kiper +--- + grub-core/loader/xnu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c +index f7f3a9d45c8..804a097907f 100644 +--- a/grub-core/loader/xnu.c ++++ b/grub-core/loader/xnu.c +@@ -662,6 +662,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile, + char *name, *nameend; + int namelen; + ++ if (infoplistname == NULL) ++ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename")); ++ + name = get_name_ptr (infoplistname); + nameend = grub_strchr (name, '/'); + +@@ -693,10 +696,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile, + else + macho = 0; + +- if (infoplistname) +- infoplist = grub_file_open (infoplistname); +- else +- infoplist = 0; ++ infoplist = grub_file_open (infoplistname); + grub_errno = GRUB_ERR_NONE; + if (infoplist) + { diff --git a/SOURCES/0388-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch b/SOURCES/0388-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch new file mode 100644 index 0000000..d351038 --- /dev/null +++ b/SOURCES/0388-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch @@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Thu, 5 Nov 2020 14:33:50 +0000 +Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value + +The return value of ftell() may be negative (-1) on error. While it is +probably unlikely to occur, we should not blindly cast to an unsigned +value without first testing that it is not negative. + +Fixes: CID 73856 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + util/grub-editenv.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/util/grub-editenv.c b/util/grub-editenv.c +index 118e89fe57f..9fff221b181 100644 +--- a/util/grub-editenv.c ++++ b/util/grub-editenv.c +@@ -125,6 +125,7 @@ open_envblk_file (const char *name) + { + FILE *fp; + char *buf; ++ long loc; + size_t size; + grub_envblk_t envblk; + +@@ -143,7 +144,12 @@ open_envblk_file (const char *name) + grub_util_error (_("cannot seek `%s': %s"), name, + strerror (errno)); + +- size = (size_t) ftell (fp); ++ loc = ftell (fp); ++ if (loc < 0) ++ grub_util_error (_("cannot get file location `%s': %s"), name, ++ strerror (errno)); ++ ++ size = (size_t) loc; + + if (fseek (fp, 0, SEEK_SET) < 0) + grub_util_error (_("cannot seek `%s': %s"), name, diff --git a/SOURCES/0389-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch b/SOURCES/0389-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch new file mode 100644 index 0000000..ad3a0d6 --- /dev/null +++ b/SOURCES/0389-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Fri, 4 Dec 2020 15:04:28 +0000 +Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value + +It is possible for the ftell() function to return a negative value, +although it is fairly unlikely here, we should be checking for +a negative value before we assign it to an unsigned value. + +Fixes: CID 73744 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + util/glue-efi.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/util/glue-efi.c b/util/glue-efi.c +index 68f53168b58..de0fa6d33d5 100644 +--- a/util/glue-efi.c ++++ b/util/glue-efi.c +@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename, + struct grub_macho_fat_header head; + struct grub_macho_fat_arch arch32, arch64; + grub_uint32_t size32, size64; ++ long size; + char *buf; + + fseek (in32, 0, SEEK_END); +- size32 = ftell (in32); ++ size = ftell (in32); ++ if (size < 0) ++ grub_util_error ("cannot get end of input file '%s': %s", ++ name32, strerror (errno)); ++ size32 = (grub_uint32_t) size; + fseek (in32, 0, SEEK_SET); ++ + fseek (in64, 0, SEEK_END); +- size64 = ftell (in64); ++ size = ftell (in64); ++ if (size < 0) ++ grub_util_error ("cannot get end of input file '%s': %s", ++ name64, strerror (errno)); ++ size64 = (grub_uint64_t) size; + fseek (in64, 0, SEEK_SET); + + head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC); diff --git a/SOURCES/0390-script-execute-Fix-NULL-dereference-in-grub_script_e.patch b/SOURCES/0390-script-execute-Fix-NULL-dereference-in-grub_script_e.patch new file mode 100644 index 0000000..a9642fa --- /dev/null +++ b/SOURCES/0390-script-execute-Fix-NULL-dereference-in-grub_script_e.patch @@ -0,0 +1,25 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 3 Apr 2020 23:05:13 +1100 +Subject: [PATCH] script/execute: Fix NULL dereference in + grub_script_execute_cmdline() + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/script/execute.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index 52ccbd9965b..04ffb9b4740 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -960,7 +960,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd) + struct grub_script_argv argv = { 0, 0, 0 }; + + /* Lookup the command. */ +- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0]) ++ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0]) + return grub_errno; + + invert = 0; diff --git a/SOURCES/0391-commands-ls-Require-device_name-is-not-NULL-before-p.patch b/SOURCES/0391-commands-ls-Require-device_name-is-not-NULL-before-p.patch new file mode 100644 index 0000000..011ee6d --- /dev/null +++ b/SOURCES/0391-commands-ls-Require-device_name-is-not-NULL-before-p.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 11 Jan 2021 16:57:37 +1100 +Subject: [PATCH] commands/ls: Require device_name is not NULL before printing + +This can be triggered with: + ls -l (0 0*) +and causes a NULL deref in grub_normal_print_device_info(). + +I'm not sure if there's any implication with the IEEE 1275 platform. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/commands/ls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c +index 0eaf8365279..7df04565561 100644 +--- a/grub-core/commands/ls.c ++++ b/grub-core/commands/ls.c +@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human) + goto fail; + } + +- if (! *path) ++ if (! *path && device_name) + { + if (grub_errno == GRUB_ERR_UNKNOWN_FS) + grub_errno = GRUB_ERR_NONE; diff --git a/SOURCES/0392-script-execute-Avoid-crash-when-using-outside-a-func.patch b/SOURCES/0392-script-execute-Avoid-crash-when-using-outside-a-func.patch new file mode 100644 index 0000000..7b77dc9 --- /dev/null +++ b/SOURCES/0392-script-execute-Avoid-crash-when-using-outside-a-func.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 11 Jan 2021 17:30:42 +1100 +Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a + function scope + +"$#" represents the number of arguments to a function. It is only +defined in a function scope, where "scope" is non-NULL. Currently, +if we attempt to evaluate "$#" outside a function scope, "scope" will +be NULL and we will crash with a NULL pointer dereference. + +Do not attempt to count arguments for "$#" if "scope" is NULL. This +will result in "$#" being interpreted as an empty string if evaluated +outside a function scope. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/script/execute.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index 04ffb9b4740..7c43f88ac51 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -518,7 +518,7 @@ gettext_putvar (const char *str, grub_size_t len, + return 0; + + /* Enough for any number. */ +- if (len == 1 && str[0] == '#') ++ if (len == 1 && str[0] == '#' && scope != NULL) + { + grub_snprintf (*ptr, 30, "%u", scope->argv.argc); + *ptr += grub_strlen (*ptr); diff --git a/SOURCES/0393-lib-arg-Block-repeated-short-options-that-require-an.patch b/SOURCES/0393-lib-arg-Block-repeated-short-options-that-require-an.patch new file mode 100644 index 0000000..63cf2af --- /dev/null +++ b/SOURCES/0393-lib-arg-Block-repeated-short-options-that-require-an.patch @@ -0,0 +1,51 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 22 Jan 2021 16:07:29 +1100 +Subject: [PATCH] lib/arg: Block repeated short options that require an + argument + +Fuzzing found the following crash: + + search -hhhhhhhhhhhhhf + +We didn't allocate enough option space for 13 hints because the +allocation code counts the number of discrete arguments (i.e. argc). +However, the shortopt parsing code will happily keep processing +a combination of short options without checking if those short +options require an argument. This means you can easily end writing +past the allocated option space. + +This fixes a OOB write which can cause heap corruption. + +Fixes: CVE-2021-20225 + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/lib/arg.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c +index 3288609a5e1..537c5e94b83 100644 +--- a/grub-core/lib/arg.c ++++ b/grub-core/lib/arg.c +@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv, + it can have an argument value. */ + if (*curshort) + { ++ /* ++ * Only permit further short opts if this one doesn't ++ * require a value. ++ */ ++ if (opt->type != ARG_TYPE_NONE && ++ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL)) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, ++ N_("missing mandatory option for `%s'"), ++ opt->longarg); ++ goto fail; ++ } ++ + if (parse_option (cmd, opt, 0, usr) || grub_errno) + goto fail; + } diff --git a/SOURCES/0394-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch b/SOURCES/0394-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch new file mode 100644 index 0000000..b7064c7 --- /dev/null +++ b/SOURCES/0394-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 22 Jan 2021 16:18:26 +1100 +Subject: [PATCH] script/execute: Don't crash on a "for" loop with no items + +The following crashes the parser: + + for x in; do + 0 + done + +This is because grub_script_arglist_to_argv() doesn't consider the +possibility that arglist is NULL. Catch that explicitly. + +This avoids a NULL pointer dereference. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/script/execute.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index 7c43f88ac51..fa20d32278d 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -657,6 +657,9 @@ grub_script_arglist_to_argv (struct grub_script_arglist *arglist, + struct grub_script_arg *arg = 0; + struct grub_script_argv result = { 0, 0, 0 }; + ++ if (arglist == NULL) ++ return 1; ++ + for (; arglist && arglist->arg; arglist = arglist->next) + { + if (grub_script_argv_next (&result)) diff --git a/SOURCES/0395-commands-menuentry-Fix-quoting-in-setparams_prefix.patch b/SOURCES/0395-commands-menuentry-Fix-quoting-in-setparams_prefix.patch new file mode 100644 index 0000000..45f6fb3 --- /dev/null +++ b/SOURCES/0395-commands-menuentry-Fix-quoting-in-setparams_prefix.patch @@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 22 Jan 2021 17:10:48 +1100 +Subject: [PATCH] commands/menuentry: Fix quoting in setparams_prefix() + +Commit 9acdcbf32542 (use single quotes in menuentry setparams command) +says that expressing a quoted single quote will require 3 characters. It +actually requires (and always did require!) 4 characters: + + str: a'b => a'\''b + len: 3 => 6 (2 for the letters + 4 for the quote) + +This leads to not allocating enough memory and thus out of bounds writes +that have been observed to cause heap corruption. + +Allocate 4 bytes for each single quote. + +Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same +quoting, but it adds 3 as extra overhead on top of the single byte that +the quote already needs. So it's correct. + +Fixes: CVE-2021-20233 +Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command) + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/commands/menuentry.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c +index 16c52ed00e8..4ad524afbc3 100644 +--- a/grub-core/commands/menuentry.c ++++ b/grub-core/commands/menuentry.c +@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args) + len += 3; /* 3 = 1 space + 2 quotes */ + p = args[i]; + while (*p) +- len += (*p++ == '\'' ? 3 : 1); ++ len += (*p++ == '\'' ? 4 : 1); + } + + result = grub_malloc (len + 2); diff --git a/SOURCES/0396-kern-misc-Always-set-end-in-grub_strtoull.patch b/SOURCES/0396-kern-misc-Always-set-end-in-grub_strtoull.patch new file mode 100644 index 0000000..cbbdb01 --- /dev/null +++ b/SOURCES/0396-kern-misc-Always-set-end-in-grub_strtoull.patch @@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Wed, 13 Jan 2021 22:19:01 +1100 +Subject: [PATCH] kern/misc: Always set *end in grub_strtoull() + +Currently, if there is an error in grub_strtoull(), *end is not set. +This differs from the usual behavior of strtoull(), and also means that +some callers may use an uninitialized value for *end. + +Set *end unconditionally. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/kern/misc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c +index 8b4a78b35be..bd43b0f5f61 100644 +--- a/grub-core/kern/misc.c ++++ b/grub-core/kern/misc.c +@@ -451,6 +451,10 @@ grub_strtoull (const char *str, char **end, int base) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, + N_("overflow is detected")); ++ ++ if (end) ++ *end = (char *) str; ++ + return ~0ULL; + } + +@@ -462,6 +466,10 @@ grub_strtoull (const char *str, char **end, int base) + { + grub_error (GRUB_ERR_BAD_NUMBER, + N_("unrecognized number")); ++ ++ if (end) ++ *end = (char *) str; ++ + return 0; + } + diff --git a/SOURCES/0397-video-readers-jpeg-Catch-files-with-unsupported-quan.patch b/SOURCES/0397-video-readers-jpeg-Catch-files-with-unsupported-quan.patch new file mode 100644 index 0000000..9aaae14 --- /dev/null +++ b/SOURCES/0397-video-readers-jpeg-Catch-files-with-unsupported-quan.patch @@ -0,0 +1,49 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 15 Jan 2021 12:57:04 +1100 +Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization + or Huffman tables + +Our decoder only supports 2 quantization tables. If a file asks for +a quantization table with index > 1, reject it. + +Similarly, our decoder only supports 4 Huffman tables. If a file asks +for a Huffman table with index > 3, reject it. + +This fixes some out of bounds reads. It's not clear what degree of control +over subsequent execution could be gained by someone who can carefully +set up the contents of memory before loading an invalid JPEG file. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/video/readers/jpeg.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index ed6d9bfd160..5d3fa4de37d 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -330,7 +330,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) + else if (ss != JPEG_SAMPLING_1x1) + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "jpeg: sampling method not supported"); ++ + data->comp_index[id][0] = grub_jpeg_get_byte (data); ++ if (data->comp_index[id][0] > 1) ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "jpeg: too many quantization tables"); + } + + if (data->file->offset != next_marker) +@@ -599,6 +603,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) + ht = grub_jpeg_get_byte (data); + data->comp_index[id][1] = (ht >> 4); + data->comp_index[id][2] = (ht & 0xF) + 2; ++ ++ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) || ++ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3)) ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index"); + } + + grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */ diff --git a/SOURCES/0398-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch b/SOURCES/0398-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch new file mode 100644 index 0000000..d035c95 --- /dev/null +++ b/SOURCES/0398-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch @@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 15 Jan 2021 13:29:53 +1100 +Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in + grub_jpeg_decode_du() + +The key line is: + + du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; + +jpeg_zigzag_order is grub_uint8_t[64]. + +I don't understand JPEG decoders quite well enough to explain what's +going on here. However, I observe sometimes pos=64, which leads to an +OOB read of the jpeg_zigzag_order global then an OOB write to du. +That leads to various unpleasant memory corruption conditions. + +Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/video/readers/jpeg.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index 5d3fa4de37d..2cbbb467ebb 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -523,6 +523,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) + val = grub_jpeg_get_number (data, num & 0xF); + num >>= 4; + pos += num; ++ ++ if (pos >= ARRAY_SIZE (jpeg_zigzag_order)) ++ { ++ grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "jpeg: invalid position in zigzag order!?"); ++ return; ++ } ++ + du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; + pos++; + } diff --git a/SOURCES/0399-video-readers-jpeg-Don-t-decode-data-before-start-of.patch b/SOURCES/0399-video-readers-jpeg-Don-t-decode-data-before-start-of.patch new file mode 100644 index 0000000..a1429b8 --- /dev/null +++ b/SOURCES/0399-video-readers-jpeg-Don-t-decode-data-before-start-of.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 15 Jan 2021 14:06:46 +1100 +Subject: [PATCH] video/readers/jpeg: Don't decode data before start of stream + +When a start of stream marker is encountered, we call grub_jpeg_decode_sos() +which allocates space for a bitmap. + +When a restart marker is encountered, we call grub_jpeg_decode_data() which +then fills in that bitmap. + +If we get a restart marker before the start of stream marker, we will +attempt to write to a bitmap_ptr that hasn't been allocated. Catch this +and bail out. This fixes an attempt to write to NULL. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/video/readers/jpeg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index 2cbbb467ebb..a6742a96b13 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -643,6 +643,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) + nr1 = (data->image_height + vb - 1) / vb; + nc1 = (data->image_width + hb - 1) / hb; + ++ if (data->bitmap_ptr == NULL) ++ return grub_error(GRUB_ERR_BAD_FILE_TYPE, ++ "jpeg: attempted to decode data before start of stream"); ++ + for (; data->r1 < nr1 && (!data->dri || rst); + data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) + for (c1 = 0; c1 < nc1 && (!data->dri || rst); diff --git a/SOURCES/0400-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch b/SOURCES/0400-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch new file mode 100644 index 0000000..3e4dd09 --- /dev/null +++ b/SOURCES/0400-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch @@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 15 Jan 2021 20:03:20 +1100 +Subject: [PATCH] term/gfxterm: Don't set up a font with glyphs that are too + big + +Catch the case where we have a font so big that it causes the number of +rows or columns to be 0. Currently we continue and allocate a +virtual_screen.text_buffer of size 0. We then try to use that for glpyhs +and things go badly. + +On the emu platform, malloc() may give us a valid pointer, in which case +we'll access heap memory which we shouldn't. Alternatively, it may give us +NULL, in which case we'll crash. For other platforms, if I understand +grub_memalign() correctly, we will receive a valid but small allocation +that we will very likely later overrun. + +Prevent the creation of a virtual screen that isn't at least 40 cols +by 12 rows. This is arbitrary, but it seems that if your width or height +is half a standard 80x24 terminal, you're probably going to struggle to +read anything anyway. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/term/gfxterm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/grub-core/term/gfxterm.c b/grub-core/term/gfxterm.c +index dc0669b354d..b68cce809d5 100644 +--- a/grub-core/term/gfxterm.c ++++ b/grub-core/term/gfxterm.c +@@ -230,6 +230,15 @@ grub_virtual_screen_setup (unsigned int x, unsigned int y, + virtual_screen.columns = virtual_screen.width / virtual_screen.normal_char_width; + virtual_screen.rows = virtual_screen.height / virtual_screen.normal_char_height; + ++ /* ++ * There must be a minimum number of rows and columns for the screen to ++ * make sense. Arbitrarily pick half of 80x24. If either dimensions is 0 ++ * we would allocate 0 bytes for the text_buffer. ++ */ ++ if (virtual_screen.columns < 40 || virtual_screen.rows < 12) ++ return grub_error (GRUB_ERR_BAD_FONT, ++ "font: glyphs too large to fit on screen"); ++ + /* Allocate memory for text buffer. */ + virtual_screen.text_buffer = + (struct grub_colored_char *) grub_malloc (virtual_screen.columns diff --git a/SOURCES/0401-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch b/SOURCES/0401-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch new file mode 100644 index 0000000..c0218af --- /dev/null +++ b/SOURCES/0401-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch @@ -0,0 +1,50 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 11:46:39 +1100 +Subject: [PATCH] fs/fshelp: Catch impermissibly large block sizes in read + helper + +A fuzzed HFS+ filesystem had log2blocksize = 22. This gave +log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000, +which is -1 as an int. This caused some wacky behavior later on in +the function, leading to out-of-bounds writes on the destination buffer. + +Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter, +but this is the minimum that will prevent integer size weirdness. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/fshelp.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/grub-core/fs/fshelp.c b/grub-core/fs/fshelp.c +index 42bd542bbc3..7e7387e86e1 100644 +--- a/grub-core/fs/fshelp.c ++++ b/grub-core/fs/fshelp.c +@@ -252,6 +252,25 @@ grub_fshelp_read_file (grub_disk_t disk, grub_fshelp_node_t node, + grub_disk_addr_t i, blockcnt; + int blocksize = 1 << (log2blocksize + GRUB_DISK_SECTOR_BITS); + ++ /* ++ * Catch blatantly invalid log2blocksize. We could be a lot stricter, but ++ * this is the most permissive we can be before we start to see integer ++ * overflow/underflow issues. ++ */ ++ if (log2blocksize + GRUB_DISK_SECTOR_BITS >= 31) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, ++ N_("blocksize too large")); ++ return -1; ++ } ++ ++ if (pos > filesize) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, ++ N_("attempt to read past the end of file")); ++ return -1; ++ } ++ + /* Adjust LEN so it we can't read past the end of the file. */ + if (pos + len > filesize) + len = filesize - pos; diff --git a/SOURCES/0402-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch b/SOURCES/0402-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch new file mode 100644 index 0000000..1b8ab48 --- /dev/null +++ b/SOURCES/0402-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 22 Jan 2021 18:13:56 +1100 +Subject: [PATCH] fs/hfsplus: Don't fetch a key beyond the end of the node + +Otherwise you get a wild pointer, leading to a bunch of invalid reads. +Check it falls inside the given node. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/hfsplus.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index 7ae66967b3a..d958c457e87 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -629,6 +629,10 @@ grub_hfsplus_btree_search (struct grub_hfsplus_btree *btree, + pointer = ((char *) currkey + + grub_be_to_cpu16 (currkey->keylen) + + 2); ++ ++ if ((char *) pointer > node + btree->nodesize - 2) ++ return grub_error (GRUB_ERR_BAD_FS, "HFS+ key beyond end of node"); ++ + currnode = grub_be_to_cpu32 (grub_get_unaligned32 (pointer)); + match = 1; + } diff --git a/SOURCES/0403-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch b/SOURCES/0403-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch new file mode 100644 index 0000000..79afdf4 --- /dev/null +++ b/SOURCES/0403-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch @@ -0,0 +1,104 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 2 Feb 2021 16:59:35 +1100 +Subject: [PATCH] fs/hfsplus: Don't use uninitialized data on corrupt + filesystems + +Valgrind identified the following use of uninitialized data: + + ==2782220== Conditional jump or move depends on uninitialised value(s) + ==2782220== at 0x42B364: grub_hfsplus_btree_search (hfsplus.c:566) + ==2782220== by 0x42B21D: grub_hfsplus_read_block (hfsplus.c:185) + ==2782220== by 0x42A693: grub_fshelp_read_file (fshelp.c:386) + ==2782220== by 0x42C598: grub_hfsplus_read_file (hfsplus.c:219) + ==2782220== by 0x42C598: grub_hfsplus_mount (hfsplus.c:330) + ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958) + ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73) + ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186) + ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284) + ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55) + ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59) + ==2782220== by 0x4045A6: fstest (grub-fstest.c:433) + ==2782220== by 0x4045A6: main (grub-fstest.c:772) + ==2782220== Uninitialised value was created by a heap allocation + ==2782220== at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) + ==2782220== by 0x4C0305: grub_malloc (mm.c:42) + ==2782220== by 0x42C21D: grub_hfsplus_mount (hfsplus.c:239) + ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958) + ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73) + ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186) + ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284) + ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55) + ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59) + ==2782220== by 0x4045A6: fstest (grub-fstest.c:433) + ==2782220== by 0x4045A6: main (grub-fstest.c:772) + +This happens when the process of reading the catalog file goes sufficiently +wrong that there's an attempt to read the extent overflow file, which has +not yet been loaded. Keep track of when the extent overflow file is +fully loaded and refuse to use it before then. + +The load valgrind doesn't like is btree->nodesize, and that's then used +to allocate a data structure. It looks like there are subsequently a lot +of reads based on that pointer so OOB reads are likely, and indeed crashes +(albeit difficult-to-replicate ones) have been observed in fuzzing. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/hfsplus.c | 14 ++++++++++++++ + include/grub/hfsplus.h | 2 ++ + 2 files changed, 16 insertions(+) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index d958c457e87..a385182a46c 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -177,6 +177,17 @@ grub_hfsplus_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) + break; + } + ++ /* ++ * If the extent overflow tree isn't ready yet, we can't look ++ * in it. This can happen where the catalog file is corrupted. ++ */ ++ if (!node->data->extoverflow_tree_ready) ++ { ++ grub_error (GRUB_ERR_BAD_FS, ++ "attempted to read extent overflow tree before loading"); ++ break; ++ } ++ + /* Set up the key to look for in the extent overflow file. */ + extoverflow.extkey.fileid = node->fileid; + extoverflow.extkey.type = 0; +@@ -241,6 +252,7 @@ grub_hfsplus_mount (grub_disk_t disk) + return 0; + + data->disk = disk; ++ data->extoverflow_tree_ready = 0; + + /* Read the bootblock. */ + grub_disk_read (disk, GRUB_HFSPLUS_SBLOCK, 0, sizeof (volheader), +@@ -351,6 +363,8 @@ grub_hfsplus_mount (grub_disk_t disk) + data->extoverflow_tree.root = grub_be_to_cpu32 (header.root); + data->extoverflow_tree.nodesize = grub_be_to_cpu16 (header.nodesize); + ++ data->extoverflow_tree_ready = 1; ++ + if (grub_hfsplus_read_file (&data->attr_tree.file, 0, 0, + sizeof (struct grub_hfsplus_btnode), + sizeof (header), (char *) &header) <= 0) +diff --git a/include/grub/hfsplus.h b/include/grub/hfsplus.h +index 8ba8f32468b..7277d565bce 100644 +--- a/include/grub/hfsplus.h ++++ b/include/grub/hfsplus.h +@@ -113,6 +113,8 @@ struct grub_hfsplus_data + struct grub_hfsplus_btree extoverflow_tree; + struct grub_hfsplus_btree attr_tree; + ++ int extoverflow_tree_ready; ++ + struct grub_hfsplus_file dirroot; + struct grub_hfsplus_file opened_file; + diff --git a/SOURCES/0404-fs-hfs-Disable-under-lockdown.patch b/SOURCES/0404-fs-hfs-Disable-under-lockdown.patch new file mode 100644 index 0000000..a7f6ae6 --- /dev/null +++ b/SOURCES/0404-fs-hfs-Disable-under-lockdown.patch @@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 12:19:07 +1100 +Subject: [PATCH] fs/hfs: Disable under lockdown + +HFS has issues such as infinite mutual recursion that are simply too +complex to fix for such a legacy format. So simply do not permit +it to be loaded under lockdown. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/hfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c +index 79f6845879a..6e9215a22f9 100644 +--- a/grub-core/fs/hfs.c ++++ b/grub-core/fs/hfs.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1433,11 +1434,13 @@ static struct grub_fs grub_hfs_fs = + + GRUB_MOD_INIT(hfs) + { +- grub_fs_register (&grub_hfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_register (&grub_hfs_fs); + my_mod = mod; + } + + GRUB_MOD_FINI(hfs) + { +- grub_fs_unregister (&grub_hfs_fs); ++ if (!grub_is_lockdown()) ++ grub_fs_unregister (&grub_hfs_fs); + } diff --git a/SOURCES/0405-fs-sfs-Fix-over-read-of-root-object-name.patch b/SOURCES/0405-fs-sfs-Fix-over-read-of-root-object-name.patch new file mode 100644 index 0000000..068fd80 --- /dev/null +++ b/SOURCES/0405-fs-sfs-Fix-over-read-of-root-object-name.patch @@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 14:34:58 +1100 +Subject: [PATCH] fs/sfs: Fix over-read of root object name + +There's a read of the name of the root object that assumes that the name +is nul-terminated within the root block. This isn't guaranteed - it seems +SFS would require you to read multiple blocks to get a full name in general, +but maybe that doesn't apply to the root object. + +Either way, figure out how much space is left in the root block and don't +over-read it. This fixes some OOB reads. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/sfs.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c +index 4f68808a891..bba600429bb 100644 +--- a/grub-core/fs/sfs.c ++++ b/grub-core/fs/sfs.c +@@ -368,6 +368,7 @@ grub_sfs_mount (grub_disk_t disk) + struct grub_sfs_objc *rootobjc; + char *rootobjc_data = 0; + grub_uint32_t blk; ++ unsigned int max_len; + + data = grub_malloc (sizeof (*data)); + if (!data) +@@ -416,7 +417,13 @@ grub_sfs_mount (grub_disk_t disk) + data->diropen.data = data; + data->diropen.cache = 0; + data->disk = disk; +- data->label = grub_strdup ((char *) (rootobjc->objects[0].filename)); ++ ++ /* We only read 1 block of data, so truncate the name if needed. */ ++ max_len = ((GRUB_DISK_SECTOR_SIZE << data->log_blocksize) ++ - 24 /* offsetof (struct grub_sfs_objc, objects) */ ++ - 25); /* offsetof (struct grub_sfs_obj, filename) */ ++ data->label = grub_zalloc (max_len + 1); ++ grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len); + + grub_free (rootobjc_data); + return data; diff --git a/SOURCES/0406-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch b/SOURCES/0406-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch new file mode 100644 index 0000000..7c75a3b --- /dev/null +++ b/SOURCES/0406-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 14:51:11 +1100 +Subject: [PATCH] fs/jfs: Do not move to leaf level if name length is negative + +Fuzzing JFS revealed crashes where a negative number would be passed +to le_to_cpu16_copy(). There it would be cast to a large positive number +and the copy would read and write off the end of the respective buffers. + +Catch this at the top as well as the bottom of the loop. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/jfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c +index aab3e8c7b7d..1819899bdec 100644 +--- a/grub-core/fs/jfs.c ++++ b/grub-core/fs/jfs.c +@@ -563,7 +563,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro) + + /* Move down to the leaf level. */ + nextent = leaf->next; +- if (leaf->next != 255) ++ if (leaf->next != 255 && len > 0) + do + { + next_leaf = &diro->next_leaf[nextent]; diff --git a/SOURCES/0407-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch b/SOURCES/0407-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch new file mode 100644 index 0000000..91ab8db --- /dev/null +++ b/SOURCES/0407-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch @@ -0,0 +1,58 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 14:57:17 +1100 +Subject: [PATCH] fs/jfs: Limit the extents that getblk() can consider + +getblk() implicitly trusts that treehead->count is an accurate count of +the number of extents. However, that value is read from disk and is not +trustworthy, leading to OOB reads and crashes. I am not sure to what +extent the data read from OOB can influence subsequent program execution. + +Require callers to pass in the maximum number of extents for which +they have storage. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/jfs.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c +index 1819899bdec..6e81f37da6c 100644 +--- a/grub-core/fs/jfs.c ++++ b/grub-core/fs/jfs.c +@@ -261,13 +261,15 @@ static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint + static grub_int64_t + getblk (struct grub_jfs_treehead *treehead, + struct grub_jfs_tree_extent *extents, ++ int max_extents, + struct grub_jfs_data *data, + grub_uint64_t blk) + { + int found = -1; + int i; + +- for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2; i++) ++ for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 && ++ i < max_extents; i++) + { + if (treehead->flags & GRUB_JFS_TREE_LEAF) + { +@@ -302,7 +304,7 @@ getblk (struct grub_jfs_treehead *treehead, + << (grub_le_to_cpu16 (data->sblock.log2_blksz) + - GRUB_DISK_SECTOR_BITS), 0, + sizeof (*tree), (char *) tree)) +- ret = getblk (&tree->treehead, &tree->extents[0], data, blk); ++ ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk); + grub_free (tree); + return ret; + } +@@ -316,7 +318,7 @@ static grub_int64_t + grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode, + grub_uint64_t blk) + { +- return getblk (&inode->file.tree, &inode->file.extents[0], data, blk); ++ return getblk (&inode->file.tree, &inode->file.extents[0], 16, data, blk); + } + + diff --git a/SOURCES/0408-fs-jfs-Catch-infinite-recursion.patch b/SOURCES/0408-fs-jfs-Catch-infinite-recursion.patch new file mode 100644 index 0000000..dee5914 --- /dev/null +++ b/SOURCES/0408-fs-jfs-Catch-infinite-recursion.patch @@ -0,0 +1,42 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 15:47:24 +1100 +Subject: [PATCH] fs/jfs: Catch infinite recursion + +It's possible with a fuzzed filesystem for JFS to keep getblk()-ing +the same data over and over again, leading to stack exhaustion. + +Check if we'd be calling the function with exactly the same data as +was passed in, and if so abort. + +I'm not sure what the performance impact of this is and am open to +better ideas. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/jfs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c +index 6e81f37da6c..20d966abfc0 100644 +--- a/grub-core/fs/jfs.c ++++ b/grub-core/fs/jfs.c +@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead, + << (grub_le_to_cpu16 (data->sblock.log2_blksz) + - GRUB_DISK_SECTOR_BITS), 0, + sizeof (*tree), (char *) tree)) +- ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk); ++ { ++ if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) || ++ grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent))) ++ ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk); ++ else ++ { ++ grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected"); ++ ret = -1; ++ } ++ } + grub_free (tree); + return ret; + } diff --git a/SOURCES/0409-fs-nilfs2-Reject-too-large-keys.patch b/SOURCES/0409-fs-nilfs2-Reject-too-large-keys.patch new file mode 100644 index 0000000..f55029d --- /dev/null +++ b/SOURCES/0409-fs-nilfs2-Reject-too-large-keys.patch @@ -0,0 +1,42 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 16:49:09 +1100 +Subject: [PATCH] fs/nilfs2: Reject too-large keys + +NILFS2 has up to 7 keys, per the data structure. Do not permit array +indices in excess of that. + +This catches some OOB reads. I don't know how controllable the invalidly +read data is or if that could be used later in the program. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/nilfs2.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c +index 388ee188edc..09e89f615bc 100644 +--- a/grub-core/fs/nilfs2.c ++++ b/grub-core/fs/nilfs2.c +@@ -569,6 +569,11 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data, + static inline grub_uint64_t + grub_nilfs2_direct_lookup (struct grub_nilfs2_inode *inode, grub_uint64_t key) + { ++ if (1 + key > 6) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "key is too large"); ++ return 0xffffffffffffffff; ++ } + return grub_le_to_cpu64 (inode->i_bmap[1 + key]); + } + +@@ -584,7 +589,7 @@ grub_nilfs2_bmap_lookup (struct grub_nilfs2_data *data, + { + grub_uint64_t ptr; + ptr = grub_nilfs2_direct_lookup (inode, key); +- if (need_translate) ++ if (ptr != ((grub_uint64_t) 0xffffffffffffffff) && need_translate) + ptr = grub_nilfs2_dat_translate (data, ptr); + return ptr; + } diff --git a/SOURCES/0410-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch b/SOURCES/0410-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch new file mode 100644 index 0000000..b24c2d0 --- /dev/null +++ b/SOURCES/0410-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch @@ -0,0 +1,96 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 16:49:44 +1100 +Subject: [PATCH] fs/nilfs2: Don't search children if provided number is too + large + +NILFS2 reads the number of children a node has from the node. Unfortunately, +that's not trustworthy. Check if it's beyond what the filesystem permits and +reject it if so. + +This blocks some OOB reads. I'm not sure how controllable the read is and what +could be done with invalidly read data later on. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/nilfs2.c | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c +index 09e89f615bc..896d2c22c81 100644 +--- a/grub-core/fs/nilfs2.c ++++ b/grub-core/fs/nilfs2.c +@@ -416,14 +416,34 @@ grub_nilfs2_btree_node_get_key (struct grub_nilfs2_btree_node *node, + } + + static inline int +-grub_nilfs2_btree_node_lookup (struct grub_nilfs2_btree_node *node, ++grub_nilfs2_btree_node_nchildren_max (struct grub_nilfs2_data *data, ++ struct grub_nilfs2_btree_node *node) ++{ ++ int node_children_max = ((NILFS2_BLOCK_SIZE (data) - ++ sizeof (struct grub_nilfs2_btree_node) - ++ NILFS_BTREE_NODE_EXTRA_PAD_SIZE) / ++ (sizeof (grub_uint64_t) + sizeof (grub_uint64_t))); ++ ++ return (node->bn_flags & NILFS_BTREE_NODE_ROOT) ? 3 : node_children_max; ++} ++ ++static inline int ++grub_nilfs2_btree_node_lookup (struct grub_nilfs2_data *data, ++ struct grub_nilfs2_btree_node *node, + grub_uint64_t key, int *indexp) + { + grub_uint64_t nkey; + int index, low, high, s; + + low = 0; ++ + high = grub_le_to_cpu16 (node->bn_nchildren) - 1; ++ if (high >= grub_nilfs2_btree_node_nchildren_max (data, node)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "too many children"); ++ return 0; ++ } ++ + index = 0; + s = 0; + while (low <= high) +@@ -459,18 +479,6 @@ grub_nilfs2_btree_node_lookup (struct grub_nilfs2_btree_node *node, + return s == 0; + } + +-static inline int +-grub_nilfs2_btree_node_nchildren_max (struct grub_nilfs2_data *data, +- struct grub_nilfs2_btree_node *node) +-{ +- int node_children_max = ((NILFS2_BLOCK_SIZE (data) - +- sizeof (struct grub_nilfs2_btree_node) - +- NILFS_BTREE_NODE_EXTRA_PAD_SIZE) / +- (sizeof (grub_uint64_t) + sizeof (grub_uint64_t))); +- +- return (node->bn_flags & NILFS_BTREE_NODE_ROOT) ? 3 : node_children_max; +-} +- + static inline grub_uint64_t * + grub_nilfs2_btree_node_dptrs (struct grub_nilfs2_data *data, + struct grub_nilfs2_btree_node *node) +@@ -517,7 +525,7 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data, + node = grub_nilfs2_btree_get_root (inode); + level = grub_nilfs2_btree_get_level (node); + +- found = grub_nilfs2_btree_node_lookup (node, key, &index); ++ found = grub_nilfs2_btree_node_lookup (data, node, key, &index); + ptr = grub_nilfs2_btree_node_get_ptr (data, node, index); + if (need_translate) + ptr = grub_nilfs2_dat_translate (data, ptr); +@@ -538,7 +546,7 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data, + } + + if (!found) +- found = grub_nilfs2_btree_node_lookup (node, key, &index); ++ found = grub_nilfs2_btree_node_lookup (data, node, key, &index); + else + index = 0; + diff --git a/SOURCES/0411-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch b/SOURCES/0411-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch new file mode 100644 index 0000000..de0fc8b --- /dev/null +++ b/SOURCES/0411-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch @@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 18 Jan 2021 17:06:19 +1100 +Subject: [PATCH] fs/nilfs2: Properly bail on errors in + grub_nilfs2_btree_node_lookup() + +We just introduced an error return in grub_nilfs2_btree_node_lookup(). +Make sure the callers catch it. + +At the same time, make sure that grub_nilfs2_btree_node_lookup() always +inits the index pointer passed to it. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/fs/nilfs2.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c +index 896d2c22c81..bdf395a093a 100644 +--- a/grub-core/fs/nilfs2.c ++++ b/grub-core/fs/nilfs2.c +@@ -433,7 +433,7 @@ grub_nilfs2_btree_node_lookup (struct grub_nilfs2_data *data, + grub_uint64_t key, int *indexp) + { + grub_uint64_t nkey; +- int index, low, high, s; ++ int index = 0, low, high, s; + + low = 0; + +@@ -441,10 +441,10 @@ grub_nilfs2_btree_node_lookup (struct grub_nilfs2_data *data, + if (high >= grub_nilfs2_btree_node_nchildren_max (data, node)) + { + grub_error (GRUB_ERR_BAD_FS, "too many children"); ++ *indexp = index; + return 0; + } + +- index = 0; + s = 0; + while (low <= high) + { +@@ -526,6 +526,10 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data, + level = grub_nilfs2_btree_get_level (node); + + found = grub_nilfs2_btree_node_lookup (data, node, key, &index); ++ ++ if (grub_errno != GRUB_ERR_NONE) ++ goto fail; ++ + ptr = grub_nilfs2_btree_node_get_ptr (data, node, index); + if (need_translate) + ptr = grub_nilfs2_dat_translate (data, ptr); +@@ -550,7 +554,8 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data, + else + index = 0; + +- if (index < grub_nilfs2_btree_node_nchildren_max (data, node)) ++ if (index < grub_nilfs2_btree_node_nchildren_max (data, node) && ++ grub_errno == GRUB_ERR_NONE) + { + ptr = grub_nilfs2_btree_node_get_ptr (data, node, index); + if (need_translate) diff --git a/SOURCES/0412-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch b/SOURCES/0412-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch new file mode 100644 index 0000000..3bd30c5 --- /dev/null +++ b/SOURCES/0412-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch @@ -0,0 +1,63 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Wed, 13 Jan 2021 20:59:09 +1100 +Subject: [PATCH] io/gzio: Bail if gzio->tl/td is NULL + +This is an ugly fix that doesn't address why gzio->tl comes to be NULL. +However, it seems to be sufficient to patch up a bunch of NULL derefs. + +It would be good to revisit this in future and see if we can have +a cleaner solution that addresses some of the causes of the unexpected +NULL pointers. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/io/gzio.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c +index daf514bc482..09e0e2842f2 100644 +--- a/grub-core/io/gzio.c ++++ b/grub-core/io/gzio.c +@@ -657,6 +657,13 @@ inflate_codes_in_window (grub_gzio_t gzio) + { + if (! gzio->code_state) + { ++ ++ if (gzio->tl == NULL) ++ { ++ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl"); ++ return 1; ++ } ++ + NEEDBITS ((unsigned) gzio->bl); + if ((e = (t = gzio->tl + ((unsigned) b & ml))->e) > 16) + do +@@ -695,6 +702,12 @@ inflate_codes_in_window (grub_gzio_t gzio) + n = t->v.n + ((unsigned) b & mask_bits[e]); + DUMPBITS (e); + ++ if (gzio->td == NULL) ++ { ++ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->td"); ++ return 1; ++ } ++ + /* decode distance of block to copy */ + NEEDBITS ((unsigned) gzio->bd); + if ((e = (t = gzio->td + ((unsigned) b & md))->e) > 16) +@@ -905,6 +918,13 @@ init_dynamic_block (grub_gzio_t gzio) + n = nl + nd; + m = mask_bits[gzio->bl]; + i = l = 0; ++ ++ if (gzio->tl == NULL) ++ { ++ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl"); ++ return; ++ } ++ + while ((unsigned) i < n) + { + NEEDBITS ((unsigned) gzio->bl); diff --git a/SOURCES/0413-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch b/SOURCES/0413-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch new file mode 100644 index 0000000..0fd1fc1 --- /dev/null +++ b/SOURCES/0413-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch @@ -0,0 +1,63 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 00:05:58 +1100 +Subject: [PATCH] io/gzio: Add init_dynamic_block() clean up if unpacking codes + fails + +init_dynamic_block() didn't clean up gzio->tl and td in some error +paths. This left td pointing to part of tl. Then in grub_gzio_close(), +when tl was freed the storage for td would also be freed. The code then +attempts to free td explicitly, performing a UAF and then a double free. + +Explicitly clean up tl and td in the error paths. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/io/gzio.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c +index 09e0e2842f2..d3b12a61e61 100644 +--- a/grub-core/io/gzio.c ++++ b/grub-core/io/gzio.c +@@ -941,7 +941,7 @@ init_dynamic_block (grub_gzio_t gzio) + if ((unsigned) i + j > n) + { + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "too many codes found"); +- return; ++ goto fail; + } + while (j--) + ll[i++] = l; +@@ -954,7 +954,7 @@ init_dynamic_block (grub_gzio_t gzio) + if ((unsigned) i + j > n) + { + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "too many codes found"); +- return; ++ goto fail; + } + while (j--) + ll[i++] = 0; +@@ -969,7 +969,7 @@ init_dynamic_block (grub_gzio_t gzio) + if ((unsigned) i + j > n) + { + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "too many codes found"); +- return; ++ goto fail; + } + while (j--) + ll[i++] = 0; +@@ -1007,6 +1007,12 @@ init_dynamic_block (grub_gzio_t gzio) + /* indicate we're now working on a block */ + gzio->code_state = 0; + gzio->block_len++; ++ return; ++ ++ fail: ++ huft_free (gzio->tl); ++ gzio->td = NULL; ++ gzio->tl = NULL; + } + + diff --git a/SOURCES/0414-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch b/SOURCES/0414-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch new file mode 100644 index 0000000..4302771 --- /dev/null +++ b/SOURCES/0414-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch @@ -0,0 +1,53 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 12:20:49 +1100 +Subject: [PATCH] io/gzio: Catch missing values in huft_build() and bail + +In huft_build(), "v" is a table of values in order of bit length. +The code later (when setting up table entries in "r") assumes that all +elements of this array corresponding to a code are initialized and less +than N_MAX. However, it doesn't enforce this. + +With sufficiently manipulated inputs (e.g. from fuzzing), there can be +elements of "v" that are not filled. Therefore a lookup into "e" or "d" +will use an uninitialized value. This can lead to an invalid/OOB read on +those values, often leading to a crash. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/io/gzio.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c +index d3b12a61e61..3e14347827b 100644 +--- a/grub-core/io/gzio.c ++++ b/grub-core/io/gzio.c +@@ -495,6 +495,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */ + } + + /* Make a table of values in order of bit lengths */ ++ grub_memset (v, N_MAX, ARRAY_SIZE (v)); + p = b; + i = 0; + do +@@ -576,11 +577,18 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */ + r.v.n = (ush) (*p); /* simple code is just the value */ + p++; /* one compiler does not like *p++ */ + } +- else ++ else if (*p < N_MAX) + { + r.e = (uch) e[*p - s]; /* non-simple--look up in lists */ + r.v.n = d[*p++ - s]; + } ++ else ++ { ++ /* Detected an uninitialised value, abort. */ ++ if (h) ++ huft_free (u[0]); ++ return 2; ++ } + + /* fill code-like entries with r */ + f = 1 << (k - w); diff --git a/SOURCES/0415-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch b/SOURCES/0415-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch new file mode 100644 index 0000000..e9bb063 --- /dev/null +++ b/SOURCES/0415-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch @@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 12:22:28 +1100 +Subject: [PATCH] io/gzio: Zero gzio->tl/td in init_dynamic_block() if + huft_build() fails + +If huft_build() fails, gzio->tl or gzio->td could contain pointers that +are no longer valid. Zero them out. + +This prevents a double free when grub_gzio_close() comes through and +attempts to free them again. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/io/gzio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c +index 3e14347827b..070e8727698 100644 +--- a/grub-core/io/gzio.c ++++ b/grub-core/io/gzio.c +@@ -998,6 +998,7 @@ init_dynamic_block (grub_gzio_t gzio) + gzio->bl = lbits; + if (huft_build (ll, nl, 257, cplens, cplext, &gzio->tl, &gzio->bl) != 0) + { ++ gzio->tl = 0; + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, + "failed in building a Huffman code table"); + return; +@@ -1007,6 +1008,7 @@ init_dynamic_block (grub_gzio_t gzio) + { + huft_free (gzio->tl); + gzio->tl = 0; ++ gzio->td = 0; + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, + "failed in building a Huffman code table"); + return; diff --git a/SOURCES/0416-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch b/SOURCES/0416-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch new file mode 100644 index 0000000..95c426e --- /dev/null +++ b/SOURCES/0416-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch @@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 17:59:14 +1100 +Subject: [PATCH] disk/lvm: Don't go beyond the end of the data we read from + disk + +We unconditionally trusted offset_xl from the LVM label header, even if +it told us that the PV header/disk locations were way off past the end +of the data we read from disk. + +Require that the offset be sane, fixing an OOB read and crash. + +Fixes: CID 314367, CID 314371 + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/disk/lvm.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 5fa9f562e4f..43e2f6ddf3c 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -142,6 +142,20 @@ grub_lvm_detect (grub_disk_t disk, + goto fail; + } + ++ /* ++ * We read a grub_lvm_pv_header and then 2 grub_lvm_disk_locns that ++ * immediately follow the PV header. Make sure we have space for both. ++ */ ++ if (grub_le_to_cpu32 (lh->offset_xl) >= ++ GRUB_LVM_LABEL_SIZE - sizeof (struct grub_lvm_pv_header) - ++ 2 * sizeof (struct grub_lvm_disk_locn)) ++ { ++#ifdef GRUB_UTIL ++ grub_util_info ("LVM PV header/disk locations are beyond the end of the block"); ++#endif ++ goto fail; ++ } ++ + pvh = (struct grub_lvm_pv_header *) (buf + grub_le_to_cpu32(lh->offset_xl)); + + for (i = 0, j = 0; i < GRUB_LVM_ID_LEN; i++) diff --git a/SOURCES/0417-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch b/SOURCES/0417-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch new file mode 100644 index 0000000..525de2b --- /dev/null +++ b/SOURCES/0417-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch @@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 18:19:51 +1100 +Subject: [PATCH] disk/lvm: Don't blast past the end of the circular metadata + buffer + +This catches at least some OOB reads, and it's possible I suppose that +if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some +OOB writes too (although that hasn't showed up as a crash in fuzzing yet). + +It's a bit ugly and I'd appreciate better suggestions. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/disk/lvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 43e2f6ddf3c..7a8d61ffb20 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -215,6 +215,16 @@ grub_lvm_detect (grub_disk_t disk, + if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) > + grub_le_to_cpu64 (mdah->size)) + { ++ if (2 * mda_size < GRUB_LVM_MDA_HEADER_SIZE || ++ (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) - ++ grub_le_to_cpu64 (mdah->size) > mda_size - GRUB_LVM_MDA_HEADER_SIZE)) ++ { ++#ifdef GRUB_UTIL ++ grub_util_info ("cannot copy metadata wrap in circular buffer"); ++#endif ++ goto fail2; ++ } ++ + /* Metadata is circular. Copy the wrap in place. */ + grub_memcpy (metadatabuf + mda_size, + metadatabuf + GRUB_LVM_MDA_HEADER_SIZE, diff --git a/SOURCES/0418-disk-lvm-Bail-on-missing-PV-list.patch b/SOURCES/0418-disk-lvm-Bail-on-missing-PV-list.patch new file mode 100644 index 0000000..e2d947c --- /dev/null +++ b/SOURCES/0418-disk-lvm-Bail-on-missing-PV-list.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 18:54:29 +1100 +Subject: [PATCH] disk/lvm: Bail on missing PV list + +There's an if block for the presence of "physical_volumes {", but if +that block is absent, then p remains NULL and a NULL-deref will result +when looking for logical volumes. + +It doesn't seem like LVM makes sense without physical volumes, so error +out rather than crashing. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/disk/lvm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 7a8d61ffb20..939afa17d28 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -371,6 +371,8 @@ error_parsing_metadata: + goto fail4; + } + } ++ else ++ goto fail4; + + p = grub_strstr (p, "logical_volumes {"); + if (p) diff --git a/SOURCES/0419-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch b/SOURCES/0419-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch new file mode 100644 index 0000000..b21f2ba --- /dev/null +++ b/SOURCES/0419-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch @@ -0,0 +1,79 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 18:35:22 +1100 +Subject: [PATCH] disk/lvm: Do not crash if an expected string is not found + +Clean up a bunch of cases where we could have strstr() fail and lead to +us dereferencing NULL. + +We'll still leak memory in some cases (loops don't clean up allocations +from earlier iterations if a later iteration fails) but at least we're +not crashing. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/disk/lvm.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 939afa17d28..7776a0a0a07 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -541,7 +541,16 @@ error_parsing_metadata: + } + + if (seg->node_count != 1) +- seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = "); ++ { ++ seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = "); ++ if (p == NULL) ++ { ++#ifdef GRUB_UTIL ++ grub_util_info ("unknown stripe_size"); ++#endif ++ goto lvs_segment_fail; ++ } ++ } + + seg->nodes = grub_calloc (seg->node_count, + sizeof (*stripe)); +@@ -561,7 +570,7 @@ error_parsing_metadata: + { + p = grub_strchr (p, '"'); + if (p == NULL) +- continue; ++ goto lvs_segment_fail2; + q = ++p; + while (*q != '"') + q++; +@@ -580,7 +589,10 @@ error_parsing_metadata: + stripe->start = grub_lvm_getvalue (&p, ",") + * vg->extent_size; + if (p == NULL) +- continue; ++ { ++ grub_free (stripe->name); ++ goto lvs_segment_fail2; ++ } + + stripe++; + } +@@ -617,7 +629,7 @@ error_parsing_metadata: + + p = grub_strchr (p, '"'); + if (p == NULL) +- continue; ++ goto lvs_segment_fail2; + q = ++p; + while (*q != '"') + q++; +@@ -699,7 +711,7 @@ error_parsing_metadata: + p = p ? grub_strchr (p + 1, '"') : 0; + p = p ? grub_strchr (p + 1, '"') : 0; + if (p == NULL) +- continue; ++ goto lvs_segment_fail2; + q = ++p; + while (*q != '"') + q++; diff --git a/SOURCES/0420-disk-lvm-Do-not-overread-metadata.patch b/SOURCES/0420-disk-lvm-Do-not-overread-metadata.patch new file mode 100644 index 0000000..be71eed --- /dev/null +++ b/SOURCES/0420-disk-lvm-Do-not-overread-metadata.patch @@ -0,0 +1,107 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Thu, 21 Jan 2021 18:35:22 +1100 +Subject: [PATCH] disk/lvm: Do not overread metadata + +We could reach the end of valid metadata and not realize, leading to +some buffer overreads. Check if we have reached the end and bail. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/disk/lvm.c | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 7776a0a0a07..5fb1b69091c 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -314,17 +314,23 @@ error_parsing_metadata: + while (1) + { + grub_ssize_t s; +- while (grub_isspace (*p)) ++ while (grub_isspace (*p) && p < mda_end) + p++; + ++ if (p == mda_end) ++ goto fail4; ++ + if (*p == '}') + break; + + pv = grub_zalloc (sizeof (*pv)); + q = p; +- while (*q != ' ') ++ while (*q != ' ' && q < mda_end) + q++; + ++ if (q == mda_end) ++ goto pvs_fail_noname; ++ + s = q - p; + pv->name = grub_malloc (s + 1); + grub_memcpy (pv->name, p, s); +@@ -367,6 +373,7 @@ error_parsing_metadata: + continue; + pvs_fail: + grub_free (pv->name); ++ pvs_fail_noname: + grub_free (pv); + goto fail4; + } +@@ -388,18 +395,24 @@ error_parsing_metadata: + struct grub_diskfilter_segment *seg; + int is_pvmove; + +- while (grub_isspace (*p)) ++ while (grub_isspace (*p) && p < mda_end) + p++; + ++ if (p == mda_end) ++ goto fail4; ++ + if (*p == '}') + break; + + lv = grub_zalloc (sizeof (*lv)); + + q = p; +- while (*q != ' ') ++ while (*q != ' ' && q < mda_end) + q++; + ++ if (q == mda_end) ++ goto lvs_fail; ++ + s = q - p; + lv->name = grub_strndup (p, s); + if (!lv->name) +@@ -572,9 +585,12 @@ error_parsing_metadata: + if (p == NULL) + goto lvs_segment_fail2; + q = ++p; +- while (*q != '"') ++ while (q < mda_end && *q != '"') + q++; + ++ if (q == mda_end) ++ goto lvs_segment_fail2; ++ + s = q - p; + + stripe->name = grub_malloc (s + 1); +@@ -631,9 +647,12 @@ error_parsing_metadata: + if (p == NULL) + goto lvs_segment_fail2; + q = ++p; +- while (*q != '"') ++ while (q < mda_end && *q != '"') + q++; + ++ if (q == mda_end) ++ goto lvs_segment_fail2; ++ + s = q - p; + + lvname = grub_malloc (s + 1); diff --git a/SOURCES/0421-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch b/SOURCES/0421-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch new file mode 100644 index 0000000..bee39f6 --- /dev/null +++ b/SOURCES/0421-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch @@ -0,0 +1,37 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 22 Jan 2021 14:43:58 +1100 +Subject: [PATCH] disk/lvm: Sanitize rlocn->offset to prevent wild read + +rlocn->offset is read directly from disk and added to the metadatabuf +pointer to create a pointer to a block of metadata. It's a 64-bit +quantity so as long as you don't overflow you can set subsequent +pointers to point anywhere in memory. + +Require that rlocn->offset fits within the metadata buffer size. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/disk/lvm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 5fb1b69091c..7356ee83935 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -212,6 +212,14 @@ grub_lvm_detect (grub_disk_t disk, + } + + rlocn = mdah->raw_locns; ++ if (grub_le_to_cpu64 (rlocn->offset) >= grub_le_to_cpu64 (mda_size)) ++ { ++#ifdef GRUB_UTIL ++ grub_util_info ("metadata offset is beyond end of metadata area"); ++#endif ++ goto fail2; ++ } ++ + if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) > + grub_le_to_cpu64 (mdah->size)) + { diff --git a/SOURCES/0422-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch b/SOURCES/0422-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch new file mode 100644 index 0000000..33a6501 --- /dev/null +++ b/SOURCES/0422-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 22 Jan 2021 14:42:21 +1100 +Subject: [PATCH] disk/lvm: Do not allow a LV to be it's own segment's node's + LV + +This prevents infinite recursion in the diskfilter verification code. + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/disk/lvm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 7356ee83935..937af0a48be 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -834,9 +834,13 @@ error_parsing_metadata: + } + if (lv1->segments[i].nodes[j].pv == NULL) + for (lv2 = vg->lvs; lv2; lv2 = lv2->next) +- if (grub_strcmp (lv2->name, +- lv1->segments[i].nodes[j].name) == 0) +- lv1->segments[i].nodes[j].lv = lv2; ++ { ++ if (lv1 == lv2) ++ continue; ++ if (grub_strcmp (lv2->name, ++ lv1->segments[i].nodes[j].name) == 0) ++ lv1->segments[i].nodes[j].lv = lv2; ++ } + } + + } diff --git a/SOURCES/0423-kern-parser-Fix-a-memory-leak.patch b/SOURCES/0423-kern-parser-Fix-a-memory-leak.patch new file mode 100644 index 0000000..66171e9 --- /dev/null +++ b/SOURCES/0423-kern-parser-Fix-a-memory-leak.patch @@ -0,0 +1,73 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Wed, 18 Nov 2020 00:59:24 +0000 +Subject: [PATCH] kern/parser: Fix a memory leak + +The getline() function supplied to grub_parser_split_cmdline() returns +a newly allocated buffer and can be called multiple times, but the +returned buffer is never freed. + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +--- + grub-core/kern/parser.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c +index 94e8728d59a..23ebebf5ffa 100644 +--- a/grub-core/kern/parser.c ++++ b/grub-core/kern/parser.c +@@ -140,6 +140,7 @@ grub_parser_split_cmdline (const char *cmdline, + char buffer[1024]; + char *bp = buffer; + char *rd = (char *) cmdline; ++ char *rp = rd; + char varname[200]; + char *vp = varname; + char *args; +@@ -149,10 +150,18 @@ grub_parser_split_cmdline (const char *cmdline, + *argv = NULL; + do + { +- if (!rd || !*rd) ++ if (rp == NULL || *rp == '\0') + { ++ if (rd != cmdline) ++ { ++ grub_free (rd); ++ rd = rp = NULL; ++ } + if (getline) +- getline (&rd, 1, getline_data); ++ { ++ getline (&rd, 1, getline_data); ++ rp = rd; ++ } + else + break; + } +@@ -160,12 +169,12 @@ grub_parser_split_cmdline (const char *cmdline, + if (!rd) + break; + +- for (; *rd; rd++) ++ for (; *rp != '\0'; rp++) + { + grub_parser_state_t newstate; + char use; + +- newstate = grub_parser_cmdline_state (state, *rd, &use); ++ newstate = grub_parser_cmdline_state (state, *rp, &use); + + /* If a variable was being processed and this character does + not describe the variable anymore, write the variable to +@@ -198,6 +207,9 @@ grub_parser_split_cmdline (const char *cmdline, + } + while (state != GRUB_PARSER_STATE_TEXT && !check_varstate (state)); + ++ if (rd != cmdline) ++ grub_free (rd); ++ + /* A special case for when the last character was part of a + variable. */ + add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT); diff --git a/SOURCES/0424-kern-parser-Introduce-process_char-helper.patch b/SOURCES/0424-kern-parser-Introduce-process_char-helper.patch new file mode 100644 index 0000000..3c59281 --- /dev/null +++ b/SOURCES/0424-kern-parser-Introduce-process_char-helper.patch @@ -0,0 +1,116 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Tue, 5 Jan 2021 22:17:28 +0000 +Subject: [PATCH] kern/parser: Introduce process_char() helper + +grub_parser_split_cmdline() iterates over each command line character. +In order to add error checking and to simplify the subsequent error +handling, split the character processing in to a separate function. + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +--- + grub-core/kern/parser.c | 74 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 46 insertions(+), 28 deletions(-) + +diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c +index 23ebebf5ffa..db6e255834f 100644 +--- a/grub-core/kern/parser.c ++++ b/grub-core/kern/parser.c +@@ -1,7 +1,7 @@ + /* parser.c - the part of the parser that can return partial tokens */ + /* + * GRUB -- GRand Unified Bootloader +- * Copyright (C) 2005,2007,2009 Free Software Foundation, Inc. ++ * Copyright (C) 2005,2007,2009,2021 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -129,6 +129,46 @@ add_var (char *varname, char **bp, char **vp, + *((*bp)++) = *val; + } + ++static grub_err_t ++process_char (char c, char *buffer, char **bp, char *varname, char **vp, ++ grub_parser_state_t state, int *argc, ++ grub_parser_state_t *newstate) ++{ ++ char use; ++ ++ *newstate = grub_parser_cmdline_state (state, c, &use); ++ ++ /* ++ * If a variable was being processed and this character does ++ * not describe the variable anymore, write the variable to ++ * the buffer. ++ */ ++ add_var (varname, bp, vp, state, *newstate); ++ ++ if (check_varstate (*newstate)) ++ { ++ if (use) ++ *((*vp)++) = use; ++ } ++ else if (*newstate == GRUB_PARSER_STATE_TEXT && ++ state != GRUB_PARSER_STATE_ESC && grub_isspace (use)) ++ { ++ /* ++ * Don't add more than one argument if multiple ++ * spaces are used. ++ */ ++ if (*bp != buffer && *((*bp) - 1) != '\0') ++ { ++ *((*bp)++) = '\0'; ++ (*argc)++; ++ } ++ } ++ else if (use) ++ *((*bp)++) = use; ++ ++ return GRUB_ERR_NONE; ++} ++ + grub_err_t + grub_parser_split_cmdline (const char *cmdline, + grub_reader_getline_t getline, void *getline_data, +@@ -172,35 +212,13 @@ grub_parser_split_cmdline (const char *cmdline, + for (; *rp != '\0'; rp++) + { + grub_parser_state_t newstate; +- char use; + +- newstate = grub_parser_cmdline_state (state, *rp, &use); +- +- /* If a variable was being processed and this character does +- not describe the variable anymore, write the variable to +- the buffer. */ +- add_var (varname, &bp, &vp, state, newstate); +- +- if (check_varstate (newstate)) +- { +- if (use) +- *(vp++) = use; +- } +- else ++ if (process_char (*rp, buffer, &bp, varname, &vp, state, argc, ++ &newstate) != GRUB_ERR_NONE) + { +- if (newstate == GRUB_PARSER_STATE_TEXT +- && state != GRUB_PARSER_STATE_ESC && grub_isspace (use)) +- { +- /* Don't add more than one argument if multiple +- spaces are used. */ +- if (bp != buffer && *(bp - 1)) +- { +- *(bp++) = '\0'; +- (*argc)++; +- } +- } +- else if (use) +- *(bp++) = use; ++ if (rd != cmdline) ++ grub_free (rd); ++ return grub_errno; + } + state = newstate; + } diff --git a/SOURCES/0425-kern-parser-Introduce-terminate_arg-helper.patch b/SOURCES/0425-kern-parser-Introduce-terminate_arg-helper.patch new file mode 100644 index 0000000..df7dbd6 --- /dev/null +++ b/SOURCES/0425-kern-parser-Introduce-terminate_arg-helper.patch @@ -0,0 +1,62 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Thu, 7 Jan 2021 19:53:55 +0000 +Subject: [PATCH] kern/parser: Introduce terminate_arg() helper + +process_char() and grub_parser_split_cmdline() use similar code for +terminating the most recent argument. Add a helper function for this. + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +--- + grub-core/kern/parser.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c +index db6e255834f..6ef90c82938 100644 +--- a/grub-core/kern/parser.c ++++ b/grub-core/kern/parser.c +@@ -129,6 +129,16 @@ add_var (char *varname, char **bp, char **vp, + *((*bp)++) = *val; + } + ++static void ++terminate_arg (char *buffer, char **bp, int *argc) ++{ ++ if (*bp != buffer && *((*bp) - 1) != '\0') ++ { ++ *((*bp)++) = '\0'; ++ (*argc)++; ++ } ++} ++ + static grub_err_t + process_char (char c, char *buffer, char **bp, char *varname, char **vp, + grub_parser_state_t state, int *argc, +@@ -157,11 +167,7 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp, + * Don't add more than one argument if multiple + * spaces are used. + */ +- if (*bp != buffer && *((*bp) - 1) != '\0') +- { +- *((*bp)++) = '\0'; +- (*argc)++; +- } ++ terminate_arg (buffer, bp, argc); + } + else if (use) + *((*bp)++) = use; +@@ -232,11 +238,8 @@ grub_parser_split_cmdline (const char *cmdline, + variable. */ + add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT); + +- if (bp != buffer && *(bp - 1)) +- { +- *(bp++) = '\0'; +- (*argc)++; +- } ++ /* Ensure that the last argument is terminated. */ ++ terminate_arg (buffer, &bp, argc); + + /* If there are no args, then we're done. */ + if (!*argc) diff --git a/SOURCES/0426-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch b/SOURCES/0426-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch new file mode 100644 index 0000000..1f9cd6d --- /dev/null +++ b/SOURCES/0426-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch @@ -0,0 +1,88 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Wed, 6 Jan 2021 13:54:26 +0000 +Subject: [PATCH] kern/parser: Refactor grub_parser_split_cmdline() cleanup + +Introduce a common function epilogue used for cleaning up on all +return paths, which will simplify additional error handling to be +introduced in a subsequent commit. + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +--- + grub-core/kern/parser.c | 35 ++++++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 15 deletions(-) + +diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c +index 6ef90c82938..16879f072fe 100644 +--- a/grub-core/kern/parser.c ++++ b/grub-core/kern/parser.c +@@ -221,19 +221,13 @@ grub_parser_split_cmdline (const char *cmdline, + + if (process_char (*rp, buffer, &bp, varname, &vp, state, argc, + &newstate) != GRUB_ERR_NONE) +- { +- if (rd != cmdline) +- grub_free (rd); +- return grub_errno; +- } ++ goto fail; ++ + state = newstate; + } + } + while (state != GRUB_PARSER_STATE_TEXT && !check_varstate (state)); + +- if (rd != cmdline) +- grub_free (rd); +- + /* A special case for when the last character was part of a + variable. */ + add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT); +@@ -243,20 +237,20 @@ grub_parser_split_cmdline (const char *cmdline, + + /* If there are no args, then we're done. */ + if (!*argc) +- return 0; ++ { ++ grub_errno = GRUB_ERR_NONE; ++ goto out; ++ } + + /* Reserve memory for the return values. */ + args = grub_malloc (bp - buffer); + if (!args) +- return grub_errno; ++ goto fail; + grub_memcpy (args, buffer, bp - buffer); + + *argv = grub_calloc (*argc + 1, sizeof (char *)); + if (!*argv) +- { +- grub_free (args); +- return grub_errno; +- } ++ goto fail; + + /* The arguments are separated with 0's, setup argv so it points to + the right values. */ +@@ -269,7 +263,18 @@ grub_parser_split_cmdline (const char *cmdline, + bp++; + } + +- return 0; ++ grub_errno = GRUB_ERR_NONE; ++ ++ out: ++ if (rd != cmdline) ++ grub_free (rd); ++ ++ return grub_errno; ++ ++ fail: ++ grub_free (*argv); ++ grub_free (args); ++ goto out; + } + + /* Helper for grub_parser_execute. */ diff --git a/SOURCES/0427-kern-buffer-Add-variable-sized-heap-buffer.patch b/SOURCES/0427-kern-buffer-Add-variable-sized-heap-buffer.patch new file mode 100644 index 0000000..b9ffa09 --- /dev/null +++ b/SOURCES/0427-kern-buffer-Add-variable-sized-heap-buffer.patch @@ -0,0 +1,304 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Thu, 7 Jan 2021 15:15:43 +0000 +Subject: [PATCH] kern/buffer: Add variable sized heap buffer + +Add a new variable sized heap buffer type (grub_buffer_t) with simple +operations for appending data, accessing the data and maintaining +a read cursor. + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +--- + grub-core/Makefile.core.def | 1 + + grub-core/kern/buffer.c | 117 +++++++++++++++++++++++++++++++++++ + include/grub/buffer.h | 144 ++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 262 insertions(+) + create mode 100644 grub-core/kern/buffer.c + create mode 100644 include/grub/buffer.h + +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def +index 2beb1d83a63..5228d3d530d 100644 +--- a/grub-core/Makefile.core.def ++++ b/grub-core/Makefile.core.def +@@ -114,6 +114,7 @@ kernel = { + arm_efi_startup = kern/arm/efi/startup.S; + arm64_efi_startup = kern/arm64/efi/startup.S; + ++ common = kern/buffer.c; + common = kern/command.c; + common = kern/corecmd.c; + common = kern/device.c; +diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c +new file mode 100644 +index 00000000000..9f5f8b86705 +--- /dev/null ++++ b/grub-core/kern/buffer.c +@@ -0,0 +1,117 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2021 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++grub_buffer_t ++grub_buffer_new (grub_size_t sz) ++{ ++ struct grub_buffer *ret; ++ ++ ret = (struct grub_buffer *) grub_malloc (sizeof (*ret)); ++ if (ret == NULL) ++ return NULL; ++ ++ ret->data = (grub_uint8_t *) grub_malloc (sz); ++ if (ret->data == NULL) ++ { ++ grub_free (ret); ++ return NULL; ++ } ++ ++ ret->sz = sz; ++ ret->pos = 0; ++ ret->used = 0; ++ ++ return ret; ++} ++ ++void ++grub_buffer_free (grub_buffer_t buf) ++{ ++ grub_free (buf->data); ++ grub_free (buf); ++} ++ ++grub_err_t ++grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req) ++{ ++ grub_uint8_t *d; ++ grub_size_t newsz = 1; ++ ++ /* Is the current buffer size adequate? */ ++ if (buf->sz >= req) ++ return GRUB_ERR_NONE; ++ ++ /* Find the smallest power-of-2 size that satisfies the request. */ ++ while (newsz < req) ++ { ++ if (newsz == 0) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, ++ N_("requested buffer size is too large")); ++ newsz <<= 1; ++ } ++ ++ d = (grub_uint8_t *) grub_realloc (buf->data, newsz); ++ if (d == NULL) ++ return grub_errno; ++ ++ buf->data = d; ++ buf->sz = newsz; ++ ++ return GRUB_ERR_NONE; ++} ++ ++void * ++grub_buffer_take_data (grub_buffer_t buf) ++{ ++ void *data = buf->data; ++ ++ buf->data = NULL; ++ buf->sz = buf->pos = buf->used = 0; ++ ++ return data; ++} ++ ++void ++grub_buffer_reset (grub_buffer_t buf) ++{ ++ buf->pos = buf->used = 0; ++} ++ ++grub_err_t ++grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n) ++{ ++ grub_size_t newpos; ++ ++ if (grub_add (buf->pos, n, &newpos)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ if (newpos > buf->used) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, ++ N_("new read is position beyond the end of the written data")); ++ ++ buf->pos = newpos; ++ ++ return GRUB_ERR_NONE; ++} +diff --git a/include/grub/buffer.h b/include/grub/buffer.h +new file mode 100644 +index 00000000000..f4b10cf2810 +--- /dev/null ++++ b/include/grub/buffer.h +@@ -0,0 +1,144 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2021 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ */ ++ ++#ifndef GRUB_BUFFER_H ++#define GRUB_BUFFER_H 1 ++ ++#include ++#include ++#include ++#include ++#include ++ ++struct grub_buffer ++{ ++ grub_uint8_t *data; ++ grub_size_t sz; ++ grub_size_t pos; ++ grub_size_t used; ++}; ++ ++/* ++ * grub_buffer_t represents a simple variable sized byte buffer with ++ * read and write cursors. It currently only implements ++ * functionality required by the only user in GRUB (append byte[s], ++ * peeking data at a specified position and updating the read cursor. ++ * Some things that this doesn't do yet are: ++ * - Reading a portion of the buffer by copying data from the current ++ * read position in to a caller supplied destination buffer and then ++ * automatically updating the read cursor. ++ * - Dropping the read part at the start of the buffer when an append ++ * requires more space. ++ */ ++typedef struct grub_buffer *grub_buffer_t; ++ ++/* Allocate a new buffer with the specified initial size. */ ++extern grub_buffer_t grub_buffer_new (grub_size_t sz); ++ ++/* Free the buffer and its resources. */ ++extern void grub_buffer_free (grub_buffer_t buf); ++ ++/* Return the number of unread bytes in this buffer. */ ++static inline grub_size_t ++grub_buffer_get_unread_bytes (grub_buffer_t buf) ++{ ++ return buf->used - buf->pos; ++} ++ ++/* ++ * Ensure that the buffer size is at least the requested ++ * number of bytes. ++ */ ++extern grub_err_t grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req); ++ ++/* ++ * Append the specified number of bytes from the supplied ++ * data to the buffer. ++ */ ++static inline grub_err_t ++grub_buffer_append_data (grub_buffer_t buf, const void *data, grub_size_t len) ++{ ++ grub_size_t req; ++ ++ if (grub_add (buf->used, len, &req)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ if (grub_buffer_ensure_space (buf, req) != GRUB_ERR_NONE) ++ return grub_errno; ++ ++ grub_memcpy (&buf->data[buf->used], data, len); ++ buf->used = req; ++ ++ return GRUB_ERR_NONE; ++} ++ ++/* Append the supplied character to the buffer. */ ++static inline grub_err_t ++grub_buffer_append_char (grub_buffer_t buf, char c) ++{ ++ return grub_buffer_append_data (buf, &c, 1); ++} ++ ++/* ++ * Forget and return the underlying data buffer. The caller ++ * becomes the owner of this buffer, and must free it when it ++ * is no longer required. ++ */ ++extern void *grub_buffer_take_data (grub_buffer_t buf); ++ ++/* Reset this buffer. Note that this does not deallocate any resources. */ ++void grub_buffer_reset (grub_buffer_t buf); ++ ++/* ++ * Return a pointer to the underlying data buffer at the specified ++ * offset from the current read position. Note that this pointer may ++ * become invalid if the buffer is mutated further. ++ */ ++static inline void * ++grub_buffer_peek_data_at (grub_buffer_t buf, grub_size_t off) ++{ ++ if (grub_add (buf->pos, off, &off)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected.")); ++ return NULL; ++ } ++ ++ if (off >= buf->used) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("peek out of range")); ++ return NULL; ++ } ++ ++ return &buf->data[off]; ++} ++ ++/* ++ * Return a pointer to the underlying data buffer at the current ++ * read position. Note that this pointer may become invalid if the ++ * buffer is mutated further. ++ */ ++static inline void * ++grub_buffer_peek_data (grub_buffer_t buf) ++{ ++ return grub_buffer_peek_data_at (buf, 0); ++} ++ ++/* Advance the read position by the specified number of bytes. */ ++extern grub_err_t grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n); ++ ++#endif /* GRUB_BUFFER_H */ diff --git a/SOURCES/0428-kern-parser-Fix-a-stack-buffer-overflow.patch b/SOURCES/0428-kern-parser-Fix-a-stack-buffer-overflow.patch new file mode 100644 index 0000000..40c1c37 --- /dev/null +++ b/SOURCES/0428-kern-parser-Fix-a-stack-buffer-overflow.patch @@ -0,0 +1,244 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Thu, 7 Jan 2021 19:21:03 +0000 +Subject: [PATCH] kern/parser: Fix a stack buffer overflow + +grub_parser_split_cmdline() expands variable names present in the supplied +command line in to their corresponding variable contents and uses a 1 kiB +stack buffer for temporary storage without sufficient bounds checking. If +the function is called with a command line that references a variable with +a sufficiently large payload, it is possible to overflow the stack +buffer via tab completion, corrupt the stack frame and potentially +control execution. + +Fixes: CVE-2020-27749 + +Reported-by: Chris Coulson +Signed-off-by: Chris Coulson +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +--- + grub-core/kern/parser.c | 110 +++++++++++++++++++++++++++++------------------- + 1 file changed, 67 insertions(+), 43 deletions(-) + +diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c +index 16879f072fe..068b6d0fe57 100644 +--- a/grub-core/kern/parser.c ++++ b/grub-core/kern/parser.c +@@ -18,6 +18,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s) + } + + +-static void +-add_var (char *varname, char **bp, char **vp, ++static grub_err_t ++add_var (grub_buffer_t varname, grub_buffer_t buf, + grub_parser_state_t state, grub_parser_state_t newstate) + { + const char *val; +@@ -116,31 +117,41 @@ add_var (char *varname, char **bp, char **vp, + /* Check if a variable was being read in and the end of the name + was reached. */ + if (!(check_varstate (state) && !check_varstate (newstate))) +- return; ++ return GRUB_ERR_NONE; + +- *((*vp)++) = '\0'; +- val = grub_env_get (varname); +- *vp = varname; ++ if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE) ++ return grub_errno; ++ ++ val = grub_env_get ((const char *) grub_buffer_peek_data (varname)); ++ grub_buffer_reset (varname); + if (!val) +- return; ++ return GRUB_ERR_NONE; + + /* Insert the contents of the variable in the buffer. */ +- for (; *val; val++) +- *((*bp)++) = *val; ++ return grub_buffer_append_data (buf, val, grub_strlen (val)); + } + +-static void +-terminate_arg (char *buffer, char **bp, int *argc) ++static grub_err_t ++terminate_arg (grub_buffer_t buffer, int *argc) + { +- if (*bp != buffer && *((*bp) - 1) != '\0') +- { +- *((*bp)++) = '\0'; +- (*argc)++; +- } ++ grub_size_t unread = grub_buffer_get_unread_bytes (buffer); ++ ++ if (unread == 0) ++ return GRUB_ERR_NONE; ++ ++ if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0') ++ return GRUB_ERR_NONE; ++ ++ if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE) ++ return grub_errno; ++ ++ (*argc)++; ++ ++ return GRUB_ERR_NONE; + } + + static grub_err_t +-process_char (char c, char *buffer, char **bp, char *varname, char **vp, ++process_char (char c, grub_buffer_t buffer, grub_buffer_t varname, + grub_parser_state_t state, int *argc, + grub_parser_state_t *newstate) + { +@@ -153,12 +164,13 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp, + * not describe the variable anymore, write the variable to + * the buffer. + */ +- add_var (varname, bp, vp, state, *newstate); ++ if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE) ++ return grub_errno; + + if (check_varstate (*newstate)) + { + if (use) +- *((*vp)++) = use; ++ return grub_buffer_append_char (varname, use); + } + else if (*newstate == GRUB_PARSER_STATE_TEXT && + state != GRUB_PARSER_STATE_ESC && grub_isspace (use)) +@@ -167,10 +179,10 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp, + * Don't add more than one argument if multiple + * spaces are used. + */ +- terminate_arg (buffer, bp, argc); ++ return terminate_arg (buffer, argc); + } + else if (use) +- *((*bp)++) = use; ++ return grub_buffer_append_char (buffer, use); + + return GRUB_ERR_NONE; + } +@@ -181,19 +193,22 @@ grub_parser_split_cmdline (const char *cmdline, + int *argc, char ***argv) + { + grub_parser_state_t state = GRUB_PARSER_STATE_TEXT; +- /* XXX: Fixed size buffer, perhaps this buffer should be dynamically +- allocated. */ +- char buffer[1024]; +- char *bp = buffer; ++ grub_buffer_t buffer, varname; + char *rd = (char *) cmdline; + char *rp = rd; +- char varname[200]; +- char *vp = varname; +- char *args; + int i; + + *argc = 0; + *argv = NULL; ++ ++ buffer = grub_buffer_new (1024); ++ if (buffer == NULL) ++ return grub_errno; ++ ++ varname = grub_buffer_new (200); ++ if (varname == NULL) ++ goto fail; ++ + do + { + if (rp == NULL || *rp == '\0') +@@ -219,7 +234,7 @@ grub_parser_split_cmdline (const char *cmdline, + { + grub_parser_state_t newstate; + +- if (process_char (*rp, buffer, &bp, varname, &vp, state, argc, ++ if (process_char (*rp, buffer, varname, state, argc, + &newstate) != GRUB_ERR_NONE) + goto fail; + +@@ -230,10 +245,12 @@ grub_parser_split_cmdline (const char *cmdline, + + /* A special case for when the last character was part of a + variable. */ +- add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT); ++ if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE) ++ goto fail; + + /* Ensure that the last argument is terminated. */ +- terminate_arg (buffer, &bp, argc); ++ if (terminate_arg (buffer, argc) != GRUB_ERR_NONE) ++ goto fail; + + /* If there are no args, then we're done. */ + if (!*argc) +@@ -242,38 +259,45 @@ grub_parser_split_cmdline (const char *cmdline, + goto out; + } + +- /* Reserve memory for the return values. */ +- args = grub_malloc (bp - buffer); +- if (!args) +- goto fail; +- grub_memcpy (args, buffer, bp - buffer); +- + *argv = grub_calloc (*argc + 1, sizeof (char *)); + if (!*argv) + goto fail; + + /* The arguments are separated with 0's, setup argv so it points to + the right values. */ +- bp = args; + for (i = 0; i < *argc; i++) + { +- (*argv)[i] = bp; +- while (*bp) +- bp++; +- bp++; ++ char *arg; ++ ++ if (i > 0) ++ { ++ if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE) ++ goto fail; ++ } ++ ++ arg = (char *) grub_buffer_peek_data (buffer); ++ if (arg == NULL || ++ grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE) ++ goto fail; ++ ++ (*argv)[i] = arg; + } + ++ /* Keep memory for the return values. */ ++ grub_buffer_take_data (buffer); ++ + grub_errno = GRUB_ERR_NONE; + + out: + if (rd != cmdline) + grub_free (rd); ++ grub_buffer_free (buffer); ++ grub_buffer_free (varname); + + return grub_errno; + + fail: + grub_free (*argv); +- grub_free (args); + goto out; + } + diff --git a/SOURCES/0429-kern-efi-Add-initial-stack-protector-implementation.patch b/SOURCES/0429-kern-efi-Add-initial-stack-protector-implementation.patch new file mode 100644 index 0000000..4814e96 --- /dev/null +++ b/SOURCES/0429-kern-efi-Add-initial-stack-protector-implementation.patch @@ -0,0 +1,298 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Fri, 19 Feb 2021 13:53:45 +0100 +Subject: [PATCH] kern/efi: Add initial stack protector implementation + +It works only on UEFI platforms but can be quite easily extended to +others architectures and platforms if needed. + +Signed-off-by: Chris Coulson +Signed-off-by: Daniel Kiper +Reviewed-by: Marco A Benatto +Reviewed-by: Javier Martinez Canillas +--- + configure.ac | 44 ++++++++++++++++++++++++++++++---- + grub-core/kern/efi/init.c | 54 ++++++++++++++++++++++++++++++++++++++++++ + include/grub/efi/api.h | 19 +++++++++++++++ + include/grub/stack_protector.h | 30 +++++++++++++++++++++++ + acinclude.m4 | 38 +++++++++++++++++++++++++++-- + grub-core/Makefile.am | 1 + + 6 files changed, 179 insertions(+), 7 deletions(-) + create mode 100644 include/grub/stack_protector.h + +diff --git a/configure.ac b/configure.ac +index 936cfa0ce5a..0edae0f5926 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1006,12 +1006,41 @@ fi] + + CFLAGS="$TARGET_CFLAGS" + +-# Smashing stack protector. ++# Stack smashing protector. + grub_CHECK_STACK_PROTECTOR +-# Need that, because some distributions ship compilers that include +-# `-fstack-protector' in the default specs. +-if test "x$ssp_possible" = xyes; then +- TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector" ++AC_ARG_ENABLE([stack-protector], ++ AS_HELP_STRING([--enable-stack-protector], ++ [enable the stack protector]), ++ [], ++ [enable_stack_protector=no]) ++if test "x$enable_stack_protector" = xno; then ++ if test "x$ssp_possible" = xyes; then ++ # Need that, because some distributions ship compilers that include ++ # `-fstack-protector' in the default specs. ++ TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector" ++ fi ++elif test "x$platform" != xefi; then ++ AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms]) ++elif test "x$ssp_global_possible" != xyes; then ++ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)]) ++else ++ TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global" ++ if test "x$enable_stack_protector" = xyes; then ++ if test "x$ssp_possible" != xyes; then ++ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)]) ++ fi ++ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector" ++ elif test "x$enable_stack_protector" = xstrong; then ++ if test "x$ssp_strong_possible" != xyes; then ++ AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)]) ++ fi ++ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong" ++ else ++ # Note, -fstack-protector-all requires that the protector is disabled for ++ # functions that appear in the call stack when the canary is initialized. ++ AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector]) ++ fi ++ TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1" + fi + + CFLAGS="$TARGET_CFLAGS" +@@ -1912,5 +1941,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus + else + echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)" + fi ++if test "x$enable_stack_protector" != xno; then ++echo "With stack smashing protector: Yes" ++else ++echo "With stack smashing protector: No" ++fi + echo "*******************************************************" + ] +diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c +index ed33201f12a..2071eaa9997 100644 +--- a/grub-core/kern/efi/init.c ++++ b/grub-core/kern/efi/init.c +@@ -28,6 +28,58 @@ + #include + #include + #include ++#include ++ ++#ifdef GRUB_STACK_PROTECTOR ++ ++static grub_efi_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID; ++ ++/* ++ * Don't put this on grub_efi_init()'s local stack to avoid it ++ * getting a stack check. ++ */ ++static grub_efi_uint8_t stack_chk_guard_buf[32]; ++ ++grub_addr_t __stack_chk_guard; ++ ++void __attribute__ ((noreturn)) ++__stack_chk_fail (void) ++{ ++ /* ++ * Assume it's not safe to call into EFI Boot Services. Sorry, that ++ * means no console message here. ++ */ ++ do ++ { ++ /* Do not optimize out the loop. */ ++ asm volatile (""); ++ } ++ while (1); ++} ++ ++static void ++stack_protector_init (void) ++{ ++ grub_efi_rng_protocol_t *rng; ++ ++ /* Set up the stack canary. Make errors here non-fatal for now. */ ++ rng = grub_efi_locate_protocol (&rng_protocol_guid, NULL); ++ if (rng != NULL) ++ { ++ grub_efi_status_t status; ++ ++ status = efi_call_4 (rng->get_rng, rng, NULL, sizeof (stack_chk_guard_buf), ++ stack_chk_guard_buf); ++ if (status == GRUB_EFI_SUCCESS) ++ grub_memcpy (&__stack_chk_guard, stack_chk_guard_buf, sizeof (__stack_chk_guard)); ++ } ++} ++#else ++static void ++stack_protector_init (void) ++{ ++} ++#endif + + grub_addr_t grub_modbase; + +@@ -69,6 +121,8 @@ grub_efi_init (void) + messages. */ + grub_console_init (); + ++ stack_protector_init (); ++ + /* Initialize the memory management system. */ + grub_efi_mm_init (); + +diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h +index 9860fd16189..4a8d7031b70 100644 +--- a/include/grub/efi/api.h ++++ b/include/grub/efi/api.h +@@ -299,6 +299,11 @@ + { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \ + } + ++#define GRUB_EFI_RNG_PROTOCOL_GUID \ ++ { 0x3152bca5, 0xeade, 0x433d, \ ++ { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \ ++ } ++ + struct grub_efi_sal_system_table + { + grub_uint32_t signature; +@@ -2009,6 +2014,20 @@ struct grub_efi_ip6_config_manual_address { + }; + typedef struct grub_efi_ip6_config_manual_address grub_efi_ip6_config_manual_address_t; + ++typedef grub_efi_guid_t grub_efi_rng_algorithm_t; ++ ++struct grub_efi_rng_protocol ++{ ++ grub_efi_status_t (*get_info) (struct grub_efi_rng_protocol *this, ++ grub_efi_uintn_t *rng_algorithm_list_size, ++ grub_efi_rng_algorithm_t *rng_algorithm_list); ++ grub_efi_status_t (*get_rng) (struct grub_efi_rng_protocol *this, ++ grub_efi_rng_algorithm_t *rng_algorithm, ++ grub_efi_uintn_t rng_value_length, ++ grub_efi_uint8_t *rng_value); ++}; ++typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t; ++ + #if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \ + || defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) + +diff --git a/include/grub/stack_protector.h b/include/grub/stack_protector.h +new file mode 100644 +index 00000000000..c88dc00b5f9 +--- /dev/null ++++ b/include/grub/stack_protector.h +@@ -0,0 +1,30 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2021 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ */ ++ ++#ifndef GRUB_STACK_PROTECTOR_H ++#define GRUB_STACK_PROTECTOR_H 1 ++ ++#include ++#include ++ ++#ifdef GRUB_STACK_PROTECTOR ++extern grub_addr_t EXPORT_VAR (__stack_chk_guard); ++extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void); ++#endif ++ ++#endif /* GRUB_STACK_PROTECTOR_H */ +diff --git a/acinclude.m4 b/acinclude.m4 +index b2bb88d838e..ca720b0c453 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -379,9 +379,9 @@ fi + ]) + + +-dnl Check if the C compiler supports `-fstack-protector'. ++dnl Check if the C compiler supports the stack protector + AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[ +-[# Smashing stack protector. ++[# Stack smashing protector. + ssp_possible=yes] + AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector']) + # Is this a reliable test case? +@@ -398,6 +398,40 @@ else + ssp_possible=no] + AC_MSG_RESULT([no]) + [fi] ++[# Strong stack smashing protector. ++ssp_strong_possible=yes] ++AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong']) ++# Is this a reliable test case? ++AC_LANG_CONFTEST([AC_LANG_SOURCE([[ ++void foo (void) { volatile char a[8]; a[3]; } ++]])]) ++[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling ++# `ac_compile' like this correct, after all? ++if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then] ++ AC_MSG_RESULT([yes]) ++ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'? ++ rm -f conftest.s ++else ++ ssp_strong_possible=no] ++ AC_MSG_RESULT([no]) ++[fi] ++[# Global stack smashing protector. ++ssp_global_possible=yes] ++AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global']) ++# Is this a reliable test case? ++AC_LANG_CONFTEST([AC_LANG_SOURCE([[ ++void foo (void) { volatile char a[8]; a[3]; } ++]])]) ++[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling ++# `ac_compile' like this correct, after all? ++if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then] ++ AC_MSG_RESULT([yes]) ++ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'? ++ rm -f conftest.s ++else ++ ssp_global_possible=no] ++ AC_MSG_RESULT([no]) ++[fi] + ]) + + dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin). +diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am +index e15846ba75b..2acd02cd188 100644 +--- a/grub-core/Makefile.am ++++ b/grub-core/Makefile.am +@@ -85,6 +85,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h ++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h diff --git a/SOURCES/0430-util-mkimage-Remove-unused-code-to-add-BSS-section.patch b/SOURCES/0430-util-mkimage-Remove-unused-code-to-add-BSS-section.patch new file mode 100644 index 0000000..25d1d50 --- /dev/null +++ b/SOURCES/0430-util-mkimage-Remove-unused-code-to-add-BSS-section.patch @@ -0,0 +1,57 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Thu, 11 Feb 2021 17:06:49 +0100 +Subject: [PATCH] util/mkimage: Remove unused code to add BSS section + +The code is compiled out so there is no reason to keep it. + +Additionally, don't set bss_size field since we do not add a BSS section. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/mkimage.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index e6b799fd73c..55bfd1d8b9e 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -1460,7 +1460,6 @@ grub_install_generate_image (const char *dir, const char *prefix, + o->code_size = grub_host_to_target32 (exec_size); + o->data_size = grub_cpu_to_le32 (reloc_addr - exec_size + - header_size); +- o->bss_size = grub_cpu_to_le32 (bss_size); + o->entry_addr = grub_cpu_to_le32 (start_address); + o->code_base = grub_cpu_to_le32 (header_size); + +@@ -1498,7 +1497,6 @@ grub_install_generate_image (const char *dir, const char *prefix, + o->code_size = grub_host_to_target32 (exec_size); + o->data_size = grub_cpu_to_le32 (reloc_addr - exec_size + - header_size); +- o->bss_size = grub_cpu_to_le32 (bss_size); + o->entry_addr = grub_cpu_to_le32 (start_address); + o->code_base = grub_cpu_to_le32 (header_size); + o->image_base = 0; +@@ -1543,21 +1541,6 @@ grub_install_generate_image (const char *dir, const char *prefix, + = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA + | GRUB_PE32_SCN_MEM_READ + | GRUB_PE32_SCN_MEM_WRITE); +- +-#if 0 +- bss_section = data_section + 1; +- strcpy (bss_section->name, ".bss"); +- bss_section->virtual_size = grub_cpu_to_le32 (bss_size); +- bss_section->virtual_address = grub_cpu_to_le32 (header_size + kernel_size); +- bss_section->raw_data_size = 0; +- bss_section->raw_data_offset = 0; +- bss_section->characteristics +- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_MEM_READ +- | GRUB_PE32_SCN_MEM_WRITE +- | GRUB_PE32_SCN_ALIGN_64BYTES +- | GRUB_PE32_SCN_CNT_INITIALIZED_DATA +- | 0x80); +-#endif + + mods_section = data_section + 1; + strcpy (mods_section->name, "mods"); diff --git a/SOURCES/0431-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch b/SOURCES/0431-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch new file mode 100644 index 0000000..93d2b70 --- /dev/null +++ b/SOURCES/0431-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch @@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 15 Feb 2021 13:59:21 +0100 +Subject: [PATCH] util/mkimage: Use grub_host_to_target32() instead of + grub_cpu_to_le32() + +The latter doesn't take into account the target image endianness. There is +a grub_cpu_to_le32_compile_time() but no compile time variant for function +grub_host_to_target32(). So, let's keep using the other one for this case. + +Signed-off-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/mkimage.c | 44 ++++++++++++++++++++++---------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index 55bfd1d8b9e..f4f84dbecd0 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -1458,10 +1458,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + + sizeof (struct grub_pe32_coff_header)); + o->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC); + o->code_size = grub_host_to_target32 (exec_size); +- o->data_size = grub_cpu_to_le32 (reloc_addr - exec_size ++ o->data_size = grub_host_to_target32 (reloc_addr - exec_size + - header_size); +- o->entry_addr = grub_cpu_to_le32 (start_address); +- o->code_base = grub_cpu_to_le32 (header_size); ++ o->entry_addr = grub_host_to_target32 (start_address); ++ o->code_base = grub_host_to_target32 (header_size); + + o->data_base = grub_host_to_target32 (header_size + exec_size); + +@@ -1495,10 +1495,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + + sizeof (struct grub_pe32_coff_header)); + o->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC); + o->code_size = grub_host_to_target32 (exec_size); +- o->data_size = grub_cpu_to_le32 (reloc_addr - exec_size ++ o->data_size = grub_host_to_target32 (reloc_addr - exec_size + - header_size); +- o->entry_addr = grub_cpu_to_le32 (start_address); +- o->code_base = grub_cpu_to_le32 (header_size); ++ o->entry_addr = grub_host_to_target32 (start_address); ++ o->code_base = grub_host_to_target32 (header_size); + o->image_base = 0; + o->section_alignment = grub_host_to_target32 (image_target->section_align); + o->file_alignment = grub_host_to_target32 (image_target->section_align); +@@ -1522,10 +1522,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + /* The sections. */ + text_section = sections; + strcpy (text_section->name, ".text"); +- text_section->virtual_size = grub_cpu_to_le32 (exec_size); +- text_section->virtual_address = grub_cpu_to_le32 (header_size); +- text_section->raw_data_size = grub_cpu_to_le32 (exec_size); +- text_section->raw_data_offset = grub_cpu_to_le32 (header_size); ++ text_section->virtual_size = grub_host_to_target32 (exec_size); ++ text_section->virtual_address = grub_host_to_target32 (header_size); ++ text_section->raw_data_size = grub_host_to_target32 (exec_size); ++ text_section->raw_data_offset = grub_host_to_target32 (header_size); + text_section->characteristics = grub_cpu_to_le32_compile_time ( + GRUB_PE32_SCN_CNT_CODE + | GRUB_PE32_SCN_MEM_EXECUTE +@@ -1533,10 +1533,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + + data_section = text_section + 1; + strcpy (data_section->name, ".data"); +- data_section->virtual_size = grub_cpu_to_le32 (kernel_size - exec_size); +- data_section->virtual_address = grub_cpu_to_le32 (header_size + exec_size); +- data_section->raw_data_size = grub_cpu_to_le32 (kernel_size - exec_size); +- data_section->raw_data_offset = grub_cpu_to_le32 (header_size + exec_size); ++ data_section->virtual_size = grub_host_to_target32 (kernel_size - exec_size); ++ data_section->virtual_address = grub_host_to_target32 (header_size + exec_size); ++ data_section->raw_data_size = grub_host_to_target32 (kernel_size - exec_size); ++ data_section->raw_data_offset = grub_host_to_target32 (header_size + exec_size); + data_section->characteristics + = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA + | GRUB_PE32_SCN_MEM_READ +@@ -1544,10 +1544,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + + mods_section = data_section + 1; + strcpy (mods_section->name, "mods"); +- mods_section->virtual_size = grub_cpu_to_le32 (reloc_addr - kernel_size - header_size); +- mods_section->virtual_address = grub_cpu_to_le32 (header_size + kernel_size + bss_size); +- mods_section->raw_data_size = grub_cpu_to_le32 (reloc_addr - kernel_size - header_size); +- mods_section->raw_data_offset = grub_cpu_to_le32 (header_size + kernel_size); ++ mods_section->virtual_size = grub_host_to_target32 (reloc_addr - kernel_size - header_size); ++ mods_section->virtual_address = grub_host_to_target32 (header_size + kernel_size + bss_size); ++ mods_section->raw_data_size = grub_host_to_target32 (reloc_addr - kernel_size - header_size); ++ mods_section->raw_data_offset = grub_host_to_target32 (header_size + kernel_size); + mods_section->characteristics + = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA + | GRUB_PE32_SCN_MEM_READ +@@ -1555,10 +1555,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + + reloc_section = mods_section + 1; + strcpy (reloc_section->name, ".reloc"); +- reloc_section->virtual_size = grub_cpu_to_le32 (reloc_size); +- reloc_section->virtual_address = grub_cpu_to_le32 (reloc_addr + bss_size); +- reloc_section->raw_data_size = grub_cpu_to_le32 (reloc_size); +- reloc_section->raw_data_offset = grub_cpu_to_le32 (reloc_addr); ++ reloc_section->virtual_size = grub_host_to_target32 (reloc_size); ++ reloc_section->virtual_address = grub_host_to_target32 (reloc_addr + bss_size); ++ reloc_section->raw_data_size = grub_host_to_target32 (reloc_size); ++ reloc_section->raw_data_offset = grub_host_to_target32 (reloc_addr); + reloc_section->characteristics + = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA + | GRUB_PE32_SCN_MEM_DISCARDABLE diff --git a/SOURCES/0432-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch b/SOURCES/0432-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch new file mode 100644 index 0000000..b6f5f06 --- /dev/null +++ b/SOURCES/0432-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 15 Feb 2021 14:14:24 +0100 +Subject: [PATCH] util/mkimage: Always use grub_host_to_target32() to + initialize PE stack and heap stuff + +This change does not impact final result of initialization itself. +However, it eases PE code unification in subsequent patches. + +Signed-off-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/mkimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index f4f84dbecd0..f44675e867b 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -1507,10 +1507,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + o->subsystem = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION); + + /* Do these really matter? */ +- o->stack_reserve_size = grub_host_to_target64 (0x10000); +- o->stack_commit_size = grub_host_to_target64 (0x10000); +- o->heap_reserve_size = grub_host_to_target64 (0x10000); +- o->heap_commit_size = grub_host_to_target64 (0x10000); ++ o->stack_reserve_size = grub_host_to_target32 (0x10000); ++ o->stack_commit_size = grub_host_to_target32 (0x10000); ++ o->heap_reserve_size = grub_host_to_target32 (0x10000); ++ o->heap_commit_size = grub_host_to_target32 (0x10000); + + o->num_data_directories + = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES); diff --git a/SOURCES/0433-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch b/SOURCES/0433-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch new file mode 100644 index 0000000..689b94e --- /dev/null +++ b/SOURCES/0433-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch @@ -0,0 +1,165 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 19 Feb 2021 14:22:13 +0100 +Subject: [PATCH] util/mkimage: Unify more of the PE32 and PE32+ header set-up + +There's quite a bit of code duplication in the code that sets the optional +header for PE32 and PE32+. The two are very similar with the exception of +a few fields that have type grub_uint64_t instead of grub_uint32_t. + +Factor out the common code and add a PE_OHDR() macro that simplifies the +set-up and make the code more readable. + +Signed-off-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/mkimage.c | 111 ++++++++++++++++++++++++++------------------------------- + 1 file changed, 51 insertions(+), 60 deletions(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index f44675e867b..47ff76fb14b 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -978,6 +978,21 @@ grub_install_get_image_targets_string (void) + return formats; + } + ++/* ++ * tmp_ is just here so the compiler knows we'll never derefernce a NULL. ++ * It should get fully optimized away. ++ */ ++#define PE_OHDR(o32, o64, field) (*( \ ++{ \ ++ __typeof__((o64)->field) tmp_; \ ++ __typeof__((o64)->field) *ret_ = &tmp_; \ ++ if (o32) \ ++ ret_ = (void *)(&((o32)->field)); \ ++ else if (o64) \ ++ ret_ = (void *)(&((o64)->field)); \ ++ ret_; \ ++})) ++ + void + grub_install_generate_image (const char *dir, const char *prefix, + FILE *out, const char *outname, char *mods[], +@@ -1409,6 +1424,8 @@ grub_install_generate_image (const char *dir, const char *prefix, + static const grub_uint8_t stub[] = GRUB_PE32_MSDOS_STUB; + int header_size; + int reloc_addr; ++ struct grub_pe32_optional_header *o32 = NULL; ++ struct grub_pe64_optional_header *o64 = NULL; + + if (image_target->voidp_sizeof == 4) + header_size = EFI32_HEADER_SIZE; +@@ -1449,76 +1466,50 @@ grub_install_generate_image (const char *dir, const char *prefix, + /* The PE Optional header. */ + if (image_target->voidp_sizeof == 4) + { +- struct grub_pe32_optional_header *o; +- + c->optional_header_size = grub_host_to_target16 (sizeof (struct grub_pe32_optional_header)); + +- o = (struct grub_pe32_optional_header *) +- (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE +- + sizeof (struct grub_pe32_coff_header)); +- o->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC); +- o->code_size = grub_host_to_target32 (exec_size); +- o->data_size = grub_host_to_target32 (reloc_addr - exec_size +- - header_size); +- o->entry_addr = grub_host_to_target32 (start_address); +- o->code_base = grub_host_to_target32 (header_size); ++ o32 = (struct grub_pe32_optional_header *) ++ (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE + ++ sizeof (struct grub_pe32_coff_header)); ++ o32->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC); ++ o32->data_base = grub_host_to_target32 (header_size + exec_size); + +- o->data_base = grub_host_to_target32 (header_size + exec_size); +- +- o->image_base = 0; +- o->section_alignment = grub_host_to_target32 (image_target->section_align); +- o->file_alignment = grub_host_to_target32 (image_target->section_align); +- o->image_size = grub_host_to_target32 (pe_size); +- o->header_size = grub_host_to_target32 (header_size); +- o->subsystem = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION); +- +- /* Do these really matter? */ +- o->stack_reserve_size = grub_host_to_target32 (0x10000); +- o->stack_commit_size = grub_host_to_target32 (0x10000); +- o->heap_reserve_size = grub_host_to_target32 (0x10000); +- o->heap_commit_size = grub_host_to_target32 (0x10000); +- +- o->num_data_directories = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES); +- +- o->base_relocation_table.rva = grub_host_to_target32 (reloc_addr); +- o->base_relocation_table.size = grub_host_to_target32 (reloc_size); +- sections = o + 1; ++ sections = o32 + 1; + } + else + { +- struct grub_pe64_optional_header *o; +- + c->optional_header_size = grub_host_to_target16 (sizeof (struct grub_pe64_optional_header)); + +- o = (struct grub_pe64_optional_header *) +- (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE +- + sizeof (struct grub_pe32_coff_header)); +- o->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC); +- o->code_size = grub_host_to_target32 (exec_size); +- o->data_size = grub_host_to_target32 (reloc_addr - exec_size +- - header_size); +- o->entry_addr = grub_host_to_target32 (start_address); +- o->code_base = grub_host_to_target32 (header_size); +- o->image_base = 0; +- o->section_alignment = grub_host_to_target32 (image_target->section_align); +- o->file_alignment = grub_host_to_target32 (image_target->section_align); +- o->image_size = grub_host_to_target32 (pe_size); +- o->header_size = grub_host_to_target32 (header_size); +- o->subsystem = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION); ++ o64 = (struct grub_pe64_optional_header *) ++ (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE + ++ sizeof (struct grub_pe32_coff_header)); ++ o64->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC); + +- /* Do these really matter? */ +- o->stack_reserve_size = grub_host_to_target32 (0x10000); +- o->stack_commit_size = grub_host_to_target32 (0x10000); +- o->heap_reserve_size = grub_host_to_target32 (0x10000); +- o->heap_commit_size = grub_host_to_target32 (0x10000); +- +- o->num_data_directories +- = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES); +- +- o->base_relocation_table.rva = grub_host_to_target32 (reloc_addr); +- o->base_relocation_table.size = grub_host_to_target32 (reloc_size); +- sections = o + 1; ++ sections = o64 + 1; + } ++ ++ PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (exec_size); ++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - exec_size - header_size); ++ PE_OHDR (o32, o64, entry_addr) = grub_host_to_target32 (start_address); ++ PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size); ++ ++ PE_OHDR (o32, o64, image_base) = 0; ++ PE_OHDR (o32, o64, section_alignment) = grub_host_to_target32 (image_target->section_align); ++ PE_OHDR (o32, o64, file_alignment) = grub_host_to_target32 (GRUB_PE32_FILE_ALIGNMENT); ++ PE_OHDR (o32, o64, image_size) = grub_host_to_target32 (pe_size); ++ PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size); ++ PE_OHDR (o32, o64, subsystem) = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION); ++ ++ /* Do these really matter? */ ++ PE_OHDR (o32, o64, stack_reserve_size) = grub_host_to_target32 (0x10000); ++ PE_OHDR (o32, o64, stack_commit_size) = grub_host_to_target32 (0x10000); ++ PE_OHDR (o32, o64, heap_reserve_size) = grub_host_to_target32 (0x10000); ++ PE_OHDR (o32, o64, heap_commit_size) = grub_host_to_target32 (0x10000); ++ ++ PE_OHDR (o32, o64, num_data_directories) = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES); ++ PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr); ++ PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (reloc_size); ++ + /* The sections. */ + text_section = sections; + strcpy (text_section->name, ".text"); diff --git a/SOURCES/0434-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch b/SOURCES/0434-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch new file mode 100644 index 0000000..318152e --- /dev/null +++ b/SOURCES/0434-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch @@ -0,0 +1,69 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 15 Feb 2021 14:21:48 +0100 +Subject: [PATCH] util/mkimage: Reorder PE optional header fields set-up + +This makes the PE32 and PE32+ header fields set-up easier to follow by +setting them closer to the initialization of their related sections. + +Signed-off-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/mkimage.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index 47ff76fb14b..ca88b0ff96a 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -1488,16 +1488,13 @@ grub_install_generate_image (const char *dir, const char *prefix, + sections = o64 + 1; + } + +- PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (exec_size); +- PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - exec_size - header_size); ++ PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size); + PE_OHDR (o32, o64, entry_addr) = grub_host_to_target32 (start_address); +- PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size); + + PE_OHDR (o32, o64, image_base) = 0; ++ PE_OHDR (o32, o64, image_size) = grub_host_to_target32 (pe_size); + PE_OHDR (o32, o64, section_alignment) = grub_host_to_target32 (image_target->section_align); + PE_OHDR (o32, o64, file_alignment) = grub_host_to_target32 (GRUB_PE32_FILE_ALIGNMENT); +- PE_OHDR (o32, o64, image_size) = grub_host_to_target32 (pe_size); +- PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size); + PE_OHDR (o32, o64, subsystem) = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION); + + /* Do these really matter? */ +@@ -1507,10 +1504,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + PE_OHDR (o32, o64, heap_commit_size) = grub_host_to_target32 (0x10000); + + PE_OHDR (o32, o64, num_data_directories) = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES); +- PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr); +- PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (reloc_size); + + /* The sections. */ ++ PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size); ++ PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (exec_size); + text_section = sections; + strcpy (text_section->name, ".text"); + text_section->virtual_size = grub_host_to_target32 (exec_size); +@@ -1522,6 +1519,8 @@ grub_install_generate_image (const char *dir, const char *prefix, + | GRUB_PE32_SCN_MEM_EXECUTE + | GRUB_PE32_SCN_MEM_READ); + ++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - exec_size - header_size); ++ + data_section = text_section + 1; + strcpy (data_section->name, ".data"); + data_section->virtual_size = grub_host_to_target32 (kernel_size - exec_size); +@@ -1544,6 +1543,8 @@ grub_install_generate_image (const char *dir, const char *prefix, + | GRUB_PE32_SCN_MEM_READ + | GRUB_PE32_SCN_MEM_WRITE); + ++ PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr); ++ PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (reloc_size); + reloc_section = mods_section + 1; + strcpy (reloc_section->name, ".reloc"); + reloc_section->virtual_size = grub_host_to_target32 (reloc_size); diff --git a/SOURCES/0435-util-mkimage-Improve-data_size-value-calculation.patch b/SOURCES/0435-util-mkimage-Improve-data_size-value-calculation.patch new file mode 100644 index 0000000..3e8e459 --- /dev/null +++ b/SOURCES/0435-util-mkimage-Improve-data_size-value-calculation.patch @@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 26 Feb 2021 01:27:42 +0100 +Subject: [PATCH] util/mkimage: Improve data_size value calculation + +According to "Microsoft Portable Executable and Common Object File Format +Specification", the Optional Header SizeOfInitializedData field contains: + + Size of the initialized data section, or the sum of all such sections if + there are multiple data sections. + +Make this explicit by adding the GRUB kernel data size to the sum of all +the modules sizes. The ALIGN_UP() is not required by the PE spec but do +it to avoid alignment issues. + +Signed-off-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/mkimage.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index ca88b0ff96a..f23fceef8f7 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -1417,6 +1417,7 @@ grub_install_generate_image (const char *dir, const char *prefix, + void *pe_img; + grub_uint8_t *header; + void *sections; ++ size_t scn_size; + size_t pe_size; + struct grub_pe32_coff_header *c; + struct grub_pe32_section_table *text_section, *data_section; +@@ -1519,7 +1520,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + | GRUB_PE32_SCN_MEM_EXECUTE + | GRUB_PE32_SCN_MEM_READ); + +- PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - exec_size - header_size); ++ scn_size = ALIGN_UP (kernel_size - exec_size, GRUB_PE32_FILE_ALIGNMENT); ++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + ++ ALIGN_UP (total_module_size, ++ + + data_section = text_section + 1; + strcpy (data_section->name, ".data"); diff --git a/SOURCES/0436-util-mkimage-Refactor-section-setup-to-use-a-helper.patch b/SOURCES/0436-util-mkimage-Refactor-section-setup-to-use-a-helper.patch new file mode 100644 index 0000000..b575a25 --- /dev/null +++ b/SOURCES/0436-util-mkimage-Refactor-section-setup-to-use-a-helper.patch @@ -0,0 +1,216 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 26 Feb 2021 01:30:37 +0100 +Subject: [PATCH] util/mkimage: Refactor section setup to use a helper + +Add a init_pe_section() helper function to setup PE sections. This makes +the code simpler and easier to read. + +Signed-off-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/mkimage.c | 141 +++++++++++++++++++++++++++++++-------------------------- + 1 file changed, 77 insertions(+), 64 deletions(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index f23fceef8f7..938a06a2d3f 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -978,6 +978,38 @@ grub_install_get_image_targets_string (void) + return formats; + } + ++/* ++ * The image_target parameter is used by the grub_host_to_target32() macro. ++ */ ++static struct grub_pe32_section_table * ++init_pe_section(const struct grub_install_image_target_desc *image_target, ++ struct grub_pe32_section_table *section, ++ const char * const name, ++ grub_uint32_t *vma, grub_uint32_t vsz, grub_uint32_t valign, ++ grub_uint32_t *rda, grub_uint32_t rsz, ++ grub_uint32_t characteristics) ++{ ++ size_t len = strlen (name); ++ ++ if (len > sizeof (section->name)) ++ grub_util_error (_("section name %s length is bigger than %lu"), ++ name, (unsigned long) sizeof (section->name)); ++ ++ memcpy (section->name, name, len); ++ ++ section->virtual_address = grub_host_to_target32 (*vma); ++ section->virtual_size = grub_host_to_target32 (vsz); ++ (*vma) = ALIGN_UP (*vma + vsz, valign); ++ ++ section->raw_data_offset = grub_host_to_target32 (*rda); ++ section->raw_data_size = grub_host_to_target32 (rsz); ++ (*rda) = ALIGN_UP (*rda + rsz, GRUB_PE32_FILE_ALIGNMENT); ++ ++ section->characteristics = grub_host_to_target32 (characteristics); ++ ++ return section + 1; ++} ++ + /* + * tmp_ is just here so the compiler knows we'll never derefernce a NULL. + * It should get fully optimized away. +@@ -1414,17 +1446,13 @@ grub_install_generate_image (const char *dir, const char *prefix, + break; + case IMAGE_EFI: + { +- void *pe_img; +- grub_uint8_t *header; +- void *sections; ++ char *pe_img, *header; ++ struct grub_pe32_section_table *section; + size_t scn_size; +- size_t pe_size; ++ grub_uint32_t vma, raw_data; ++ size_t pe_size, header_size; + struct grub_pe32_coff_header *c; +- struct grub_pe32_section_table *text_section, *data_section; +- struct grub_pe32_section_table *mods_section, *reloc_section; + static const grub_uint8_t stub[] = GRUB_PE32_MSDOS_STUB; +- int header_size; +- int reloc_addr; + struct grub_pe32_optional_header *o32 = NULL; + struct grub_pe64_optional_header *o64 = NULL; + +@@ -1433,16 +1461,12 @@ grub_install_generate_image (const char *dir, const char *prefix, + else + header_size = EFI64_HEADER_SIZE; + +- reloc_addr = ALIGN_UP (header_size + core_size, +- image_target->section_align); ++ vma = raw_data = header_size; ++ pe_size = ALIGN_UP (header_size + core_size, GRUB_PE32_FILE_ALIGNMENT) + ++ ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT); ++ header = pe_img = xcalloc (1, pe_size); + +- pe_size = ALIGN_UP (reloc_addr + reloc_size, +- image_target->section_align); +- pe_img = xmalloc (reloc_addr + reloc_size); +- memset (pe_img, 0, header_size); +- memcpy ((char *) pe_img + header_size, core_img, core_size); +- memcpy ((char *) pe_img + reloc_addr, rel_section, reloc_size); +- header = pe_img; ++ memcpy (pe_img + raw_data, core_img, core_size); + + /* The magic. */ + memcpy (header, stub, GRUB_PE32_MSDOS_STUB_SIZE); +@@ -1475,18 +1499,17 @@ grub_install_generate_image (const char *dir, const char *prefix, + o32->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC); + o32->data_base = grub_host_to_target32 (header_size + exec_size); + +- sections = o32 + 1; ++ section = (struct grub_pe32_section_table *)(o32 + 1); + } + else + { + c->optional_header_size = grub_host_to_target16 (sizeof (struct grub_pe64_optional_header)); +- + o64 = (struct grub_pe64_optional_header *) + (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE + + sizeof (struct grub_pe32_coff_header)); + o64->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC); + +- sections = o64 + 1; ++ section = (struct grub_pe32_section_table *)(o64 + 1); + } + + PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size); +@@ -1507,58 +1530,48 @@ grub_install_generate_image (const char *dir, const char *prefix, + PE_OHDR (o32, o64, num_data_directories) = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES); + + /* The sections. */ +- PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size); ++ PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (vma); + PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (exec_size); +- text_section = sections; +- strcpy (text_section->name, ".text"); +- text_section->virtual_size = grub_host_to_target32 (exec_size); +- text_section->virtual_address = grub_host_to_target32 (header_size); +- text_section->raw_data_size = grub_host_to_target32 (exec_size); +- text_section->raw_data_offset = grub_host_to_target32 (header_size); +- text_section->characteristics = grub_cpu_to_le32_compile_time ( +- GRUB_PE32_SCN_CNT_CODE +- | GRUB_PE32_SCN_MEM_EXECUTE +- | GRUB_PE32_SCN_MEM_READ); ++ ++ section = init_pe_section (image_target, section, ".text", ++ &vma, exec_size, ++ image_target->section_align, ++ &raw_data, exec_size, ++ GRUB_PE32_SCN_CNT_CODE | ++ GRUB_PE32_SCN_MEM_EXECUTE | ++ GRUB_PE32_SCN_MEM_READ); + + scn_size = ALIGN_UP (kernel_size - exec_size, GRUB_PE32_FILE_ALIGNMENT); + PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + + ALIGN_UP (total_module_size, + + +- data_section = text_section + 1; +- strcpy (data_section->name, ".data"); +- data_section->virtual_size = grub_host_to_target32 (kernel_size - exec_size); +- data_section->virtual_address = grub_host_to_target32 (header_size + exec_size); +- data_section->raw_data_size = grub_host_to_target32 (kernel_size - exec_size); +- data_section->raw_data_offset = grub_host_to_target32 (header_size + exec_size); +- data_section->characteristics +- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA +- | GRUB_PE32_SCN_MEM_READ +- | GRUB_PE32_SCN_MEM_WRITE); +- +- mods_section = data_section + 1; +- strcpy (mods_section->name, "mods"); +- mods_section->virtual_size = grub_host_to_target32 (reloc_addr - kernel_size - header_size); +- mods_section->virtual_address = grub_host_to_target32 (header_size + kernel_size + bss_size); +- mods_section->raw_data_size = grub_host_to_target32 (reloc_addr - kernel_size - header_size); +- mods_section->raw_data_offset = grub_host_to_target32 (header_size + kernel_size); +- mods_section->characteristics +- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA +- | GRUB_PE32_SCN_MEM_READ +- | GRUB_PE32_SCN_MEM_WRITE); ++ section = init_pe_section (image_target, section, ".data", ++ &vma, scn_size, image_target->section_align, ++ &raw_data, scn_size, ++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA | ++ GRUB_PE32_SCN_MEM_READ | ++ GRUB_PE32_SCN_MEM_WRITE); ++ ++ scn_size = pe_size - reloc_size - raw_data; ++ section = init_pe_section (image_target, section, "mods", ++ &vma, scn_size, image_target->section_align, ++ &raw_data, scn_size, ++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA | ++ GRUB_PE32_SCN_MEM_READ | ++ GRUB_PE32_SCN_MEM_WRITE); ++ ++ scn_size = reloc_size; ++ PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma); ++ PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size); ++ memcpy (pe_img + raw_data, rel_section, scn_size); ++ init_pe_section (image_target, section, ".reloc", ++ &vma, scn_size, image_target->section_align, ++ &raw_data, scn_size, ++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA | ++ GRUB_PE32_SCN_MEM_DISCARDABLE | ++ GRUB_PE32_SCN_MEM_READ); + +- PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr); +- PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (reloc_size); +- reloc_section = mods_section + 1; +- strcpy (reloc_section->name, ".reloc"); +- reloc_section->virtual_size = grub_host_to_target32 (reloc_size); +- reloc_section->virtual_address = grub_host_to_target32 (reloc_addr + bss_size); +- reloc_section->raw_data_size = grub_host_to_target32 (reloc_size); +- reloc_section->raw_data_offset = grub_host_to_target32 (reloc_addr); +- reloc_section->characteristics +- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA +- | GRUB_PE32_SCN_MEM_DISCARDABLE +- | GRUB_PE32_SCN_MEM_READ); + free (core_img); + core_img = pe_img; + core_size = pe_size; diff --git a/SOURCES/0437-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch b/SOURCES/0437-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch new file mode 100644 index 0000000..b06f33b --- /dev/null +++ b/SOURCES/0437-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch @@ -0,0 +1,252 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 26 Feb 2021 01:43:30 +0100 +Subject: [PATCH] util/mkimage: Add an option to import SBAT metadata into a + .sbat section + +Add a --sbat option to the grub-mkimage tool which allows us to import +an SBAT metadata formatted as a CSV file into a .sbat section of the +EFI binary. + +Signed-off-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Kiper +--- + util/grub-install-common.c | 2 +- + util/grub-mkimage.c | 15 ++++++++++++++- + util/mkimage.c | 44 +++++++++++++++++++++++++++++++++++++------- + include/grub/util/install.h | 3 ++- + docs/grub.texi | 21 +++++++++++++++++++++ + 5 files changed, 75 insertions(+), 10 deletions(-) + +diff --git a/util/grub-install-common.c b/util/grub-install-common.c +index d49a93d4740..b4192cf47a3 100644 +--- a/util/grub-install-common.c ++++ b/util/grub-install-common.c +@@ -498,7 +498,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix, + grub_install_generate_image (dir, prefix, fp, outname, + modules.entries, memdisk_path, + pubkeys, npubkeys, config_path, tgt, +- note, compression); ++ note, compression, NULL); + while (dc--) + grub_install_pop_module (); + } +diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c +index 1e0bcf1bf4f..c674f76c42a 100644 +--- a/util/grub-mkimage.c ++++ b/util/grub-mkimage.c +@@ -80,6 +80,7 @@ static struct argp_option options[] = { + {"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0}, + {"format", 'O', N_("FORMAT"), 0, 0, 0}, + {"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0}, ++ {"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0}, + {"verbose", 'v', 0, 0, N_("print verbose messages."), 0}, + { 0, 0, 0, 0, 0, 0 } + }; +@@ -121,6 +122,7 @@ struct arguments + size_t npubkeys; + char *font; + char *config; ++ char *sbat; + int note; + const struct grub_install_image_target_desc *image_target; + grub_compression_t comp; +@@ -215,6 +217,13 @@ argp_parser (int key, char *arg, struct argp_state *state) + arguments->prefix = xstrdup (arg); + break; + ++ case 's': ++ if (arguments->sbat) ++ free (arguments->sbat); ++ ++ arguments->sbat = xstrdup (arg); ++ break; ++ + case 'v': + verbosity++; + break; +@@ -299,7 +308,8 @@ main (int argc, char *argv[]) + arguments.memdisk, arguments.pubkeys, + arguments.npubkeys, arguments.config, + arguments.image_target, arguments.note, +- arguments.comp); ++ arguments.comp, ++ arguments.sbat); + + grub_util_file_sync (fp); + fclose (fp); +@@ -310,5 +320,8 @@ main (int argc, char *argv[]) + if (arguments.output) + free (arguments.output); + ++ if (arguments.sbat) ++ free (arguments.sbat); ++ + return 0; + } +diff --git a/util/mkimage.c b/util/mkimage.c +index 938a06a2d3f..44e2b8adfd8 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -1032,12 +1032,14 @@ grub_install_generate_image (const char *dir, const char *prefix, + size_t npubkeys, char *config_path, + const struct grub_install_image_target_desc *image_target, + int note, +- grub_compression_t comp) ++ grub_compression_t comp, ++ const char *sbat_path) + { + char *kernel_img, *core_img; + size_t kernel_size, total_module_size, core_size, exec_size; + size_t memdisk_size = 0, config_size = 0, config_size_pure = 0; + size_t prefix_size = 0; ++ size_t sbat_size = 0; + char *kernel_path; + size_t offset; + struct grub_util_path_list *path_list, *p, *next; +@@ -1085,6 +1087,9 @@ grub_install_generate_image (const char *dir, const char *prefix, + total_module_size += memdisk_size + sizeof (struct grub_module_header); + } + ++ if (sbat_path != NULL && image_target->id != IMAGE_EFI) ++ grub_util_error (_(".sbat section can be embedded into EFI images only")); ++ + if (config_path) + { + config_size_pure = grub_util_get_image_size (config_path) + 1; +@@ -1446,8 +1451,9 @@ grub_install_generate_image (const char *dir, const char *prefix, + break; + case IMAGE_EFI: + { +- char *pe_img, *header; ++ char *pe_img, *pe_sbat, *header; + struct grub_pe32_section_table *section; ++ size_t n_sections = 4; + size_t scn_size; + grub_uint32_t vma, raw_data; + size_t pe_size, header_size; +@@ -1462,8 +1468,15 @@ grub_install_generate_image (const char *dir, const char *prefix, + header_size = EFI64_HEADER_SIZE; + + vma = raw_data = header_size; ++ ++ if (sbat_path != NULL) ++ { ++ sbat_size = ALIGN_ADDR (grub_util_get_image_size (sbat_path)); ++ sbat_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT); ++ } ++ + pe_size = ALIGN_UP (header_size + core_size, GRUB_PE32_FILE_ALIGNMENT) + +- ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT); ++ ALIGN_UP (reloc_size, GRUB_PE32_FILE_ALIGNMENT) + sbat_size; + header = pe_img = xcalloc (1, pe_size); + + memcpy (pe_img + raw_data, core_img, core_size); +@@ -1478,7 +1491,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + + GRUB_PE32_SIGNATURE_SIZE); + c->machine = grub_host_to_target16 (image_target->pe_target); + +- c->num_sections = grub_host_to_target16 (4); ++ if (sbat_path != NULL) ++ n_sections++; ++ ++ c->num_sections = grub_host_to_target16 (n_sections); + c->time = grub_host_to_target32 (time (0)); + c->characteristics = grub_host_to_target16 (GRUB_PE32_EXECUTABLE_IMAGE + | GRUB_PE32_LINE_NUMS_STRIPPED +@@ -1542,9 +1558,10 @@ grub_install_generate_image (const char *dir, const char *prefix, + GRUB_PE32_SCN_MEM_READ); + + scn_size = ALIGN_UP (kernel_size - exec_size, GRUB_PE32_FILE_ALIGNMENT); +- PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + ++ /* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. */ ++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size + + ALIGN_UP (total_module_size, +- ++ GRUB_PE32_FILE_ALIGNMENT)); + + section = init_pe_section (image_target, section, ".data", + &vma, scn_size, image_target->section_align, +@@ -1553,7 +1570,7 @@ grub_install_generate_image (const char *dir, const char *prefix, + GRUB_PE32_SCN_MEM_READ | + GRUB_PE32_SCN_MEM_WRITE); + +- scn_size = pe_size - reloc_size - raw_data; ++ scn_size = pe_size - reloc_size - sbat_size - raw_data; + section = init_pe_section (image_target, section, "mods", + &vma, scn_size, image_target->section_align, + &raw_data, scn_size, +@@ -1561,6 +1578,19 @@ grub_install_generate_image (const char *dir, const char *prefix, + GRUB_PE32_SCN_MEM_READ | + GRUB_PE32_SCN_MEM_WRITE); + ++ if (sbat_path != NULL) ++ { ++ pe_sbat = pe_img + raw_data; ++ grub_util_load_image (sbat_path, pe_sbat); ++ ++ section = init_pe_section (image_target, section, ".sbat", ++ &vma, sbat_size, ++ image_target->section_align, ++ &raw_data, sbat_size, ++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA | ++ GRUB_PE32_SCN_MEM_READ); ++ } ++ + scn_size = reloc_size; + PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma); + PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size); +diff --git a/include/grub/util/install.h b/include/grub/util/install.h +index aedcd29f905..02ae1c6425e 100644 +--- a/include/grub/util/install.h ++++ b/include/grub/util/install.h +@@ -176,7 +176,8 @@ grub_install_generate_image (const char *dir, const char *prefix, + char *config_path, + const struct grub_install_image_target_desc *image_target, + int note, +- grub_compression_t comp); ++ grub_compression_t comp, ++ const char *sbat_path); + + const struct grub_install_image_target_desc * + grub_install_get_image_target (const char *arg); +diff --git a/docs/grub.texi b/docs/grub.texi +index 446574f3ddb..24840d00cf7 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -5498,6 +5498,7 @@ environment variables and commands are listed in the same order. + @menu + * Authentication and authorisation:: Users and access control + * Using digital signatures:: Booting digitally signed code ++* Secure Boot Advanced Targeting:: Embedded information for generation number based revocation + * Lockdown:: Lockdown when booting on a secure setup + + @end menu +@@ -5660,6 +5661,26 @@ or BIOS) configuration to cause the machine to boot from a different + (attacker-controlled) device. GRUB is at best only one link in a + secure boot chain. + ++ ++@node Secure Boot Advanced Targeting ++@section Embedded information for generation number based revocation ++ ++The Secure Boot Advanced Targeting (SBAT) is a mechanism to allow the revocation ++of components in the boot path by using generation numbers embedded into the EFI ++binaries. The SBAT metadata is located in an .sbat data section that has set of ++UTF-8 strings as comma-separated values (CSV). See ++@uref{https://github.com/rhboot/shim/blob/main/SBAT.md} for more details. ++ ++To add a data section containing the SBAT information into the binary, the ++@option{--sbat} option of @command{grub-mkimage} command should be used. The content ++of a CSV file, encoded with UTF-8, is copied as is to the .sbat data section into ++the generated EFI binary. The CSV file can be stored anywhere on the file system. ++ ++@example ++grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp ++@end example ++ ++ + @node Lockdown + @section Lockdown when booting on a secure setup + diff --git a/SOURCES/0438-kern-misc-Split-parse_printf_args-into-format-parsin.patch b/SOURCES/0438-kern-misc-Split-parse_printf_args-into-format-parsin.patch new file mode 100644 index 0000000..2fc2944 --- /dev/null +++ b/SOURCES/0438-kern-misc-Split-parse_printf_args-into-format-parsin.patch @@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software +Date: Mon, 15 Feb 2021 13:40:16 +0100 +Subject: [PATCH] kern/misc: Split parse_printf_args() into format parsing and + va_list handling + +This patch is preparing for a follow up patch which will use +the format parsing part to compare the arguments in a printf() +format from an external source against a printf() format with +expected arguments. + +Signed-off-by: Thomas Frauendorfer | Miray Software +Reviewed-by: Daniel Kiper +--- + grub-core/kern/misc.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c +index bd43b0f5f61..28bbcd6d2b8 100644 +--- a/grub-core/kern/misc.c ++++ b/grub-core/kern/misc.c +@@ -823,8 +823,7 @@ grub_lltoa (char *str, int c, unsigned long long n) + } + + static void +-parse_printf_args (const char *fmt0, struct printf_args *args, +- va_list args_in) ++parse_printf_arg_fmt (const char *fmt0, struct printf_args *args) + { + const char *fmt; + char c; +@@ -976,6 +975,14 @@ parse_printf_args (const char *fmt0, struct printf_args *args, + break; + } + } ++} ++ ++static void ++parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in) ++{ ++ grub_size_t n; ++ ++ parse_printf_arg_fmt (fmt0, args); + + for (n = 0; n < args->count; n++) + switch (args->ptr[n].type) diff --git a/SOURCES/0439-kern-misc-Add-STRING-type-for-internal-printf-format.patch b/SOURCES/0439-kern-misc-Add-STRING-type-for-internal-printf-format.patch new file mode 100644 index 0000000..259edbe --- /dev/null +++ b/SOURCES/0439-kern-misc-Add-STRING-type-for-internal-printf-format.patch @@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software +Date: Mon, 15 Feb 2021 14:04:26 +0100 +Subject: [PATCH] kern/misc: Add STRING type for internal printf() format + handling + +Set printf() argument type for "%s" to new type STRING. This is in +preparation for a follow up patch to compare a printf() format string +against an expected printf() format string. + +For "%s" the corresponding printf() argument is dereferenced as pointer +while all other argument types are defined as integer value. However, +when validating a printf() format it is necessary to differentiate "%s" +from "%p" and other integers. So, let's do that. + +Signed-off-by: Thomas Frauendorfer | Miray Software +Reviewed-by: Daniel Kiper +--- + grub-core/kern/misc.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c +index 28bbcd6d2b8..eddde0c65d3 100644 +--- a/grub-core/kern/misc.c ++++ b/grub-core/kern/misc.c +@@ -33,7 +33,8 @@ union printf_arg + enum + { + INT, LONG, LONGLONG, +- UNSIGNED_INT = 3, UNSIGNED_LONG, UNSIGNED_LONGLONG ++ UNSIGNED_INT = 3, UNSIGNED_LONG, UNSIGNED_LONGLONG, ++ STRING + } type; + long long ll; + }; +@@ -963,12 +964,14 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args) + args->ptr[curn].type = INT + longfmt; + break; + case 'p': +- case 's': + if (sizeof (void *) == sizeof (long long)) + args->ptr[curn].type = UNSIGNED_LONGLONG; + else + args->ptr[curn].type = UNSIGNED_INT; + break; ++ case 's': ++ args->ptr[curn].type = STRING; ++ break; + case 'C': + case 'c': + args->ptr[curn].type = INT; +@@ -1003,6 +1006,12 @@ parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in) + case UNSIGNED_LONGLONG: + args->ptr[n].ll = va_arg (args_in, long long); + break; ++ case STRING: ++ if (sizeof (void *) == sizeof (long long)) ++ args->ptr[n].ll = va_arg (args_in, long long); ++ else ++ args->ptr[n].ll = va_arg (args_in, unsigned int); ++ break; + } + } + diff --git a/SOURCES/0440-kern-misc-Add-function-to-check-printf-format-agains.patch b/SOURCES/0440-kern-misc-Add-function-to-check-printf-format-agains.patch new file mode 100644 index 0000000..902b8e2 --- /dev/null +++ b/SOURCES/0440-kern-misc-Add-function-to-check-printf-format-agains.patch @@ -0,0 +1,214 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software +Date: Thu, 4 Feb 2021 19:02:33 +0100 +Subject: [PATCH] kern/misc: Add function to check printf() format against + expected format + +The grub_printf_fmt_check() function parses the arguments of an untrusted +printf() format and an expected printf() format and then compares the +arguments counts and arguments types. The arguments count in the untrusted +format string must be less or equal to the arguments count in the expected +format string and both arguments types must match. + +To do this the parse_printf_arg_fmt() helper function is extended in the +following way: + + 1. Add a return value to report errors to the grub_printf_fmt_check(). + + 2. Add the fmt_check argument to enable stricter format verification: + - the function expects that arguments definitions are always + terminated by a supported conversion specifier. + - positional parameters, "$", are not allowed, as they cannot be + validated correctly with the current implementation. For example + "%s%1$d" would assign the first args entry twice while leaving the + second one unchanged. + - Return an error if preallocated space in args is too small and + allocation fails for the needed size. The grub_printf_fmt_check() + should verify all arguments. So, if validation is not possible for + any reason it should return an error. + This also adds a case entry to handle "%%", which is the escape + sequence to print "%" character. + + 3. Add the max_args argument to check for the maximum allowed arguments + count in a printf() string. This should be set to the arguments count + of the expected format. Then the parse_printf_arg_fmt() function will + return an error if the arguments count is exceeded. + +The two additional arguments allow us to use parse_printf_arg_fmt() in +printf() and grub_printf_fmt_check() calls. + +When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the +function parse user provided untrusted format string too. So, in +that case it is better to be too strict than too lenient. + +Signed-off-by: Thomas Frauendorfer | Miray Software +Reviewed-by: Daniel Kiper +--- + grub-core/kern/misc.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++--- + include/grub/misc.h | 15 ++++++++++ + 2 files changed, 93 insertions(+), 4 deletions(-) + +diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c +index eddde0c65d3..0dc9f8b9465 100644 +--- a/grub-core/kern/misc.c ++++ b/grub-core/kern/misc.c +@@ -823,8 +823,26 @@ grub_lltoa (char *str, int c, unsigned long long n) + return p; + } + +-static void +-parse_printf_arg_fmt (const char *fmt0, struct printf_args *args) ++/* ++ * Parse printf() fmt0 string into args arguments. ++ * ++ * The parsed arguments are either used by a printf() function to format the fmt0 ++ * string or they are used to compare a format string from an untrusted source ++ * against a format string with expected arguments. ++ * ++ * When the fmt_check is set to !0, e.g. 1, then this function is executed in ++ * printf() format check mode. This enforces stricter rules for parsing the ++ * fmt0 to limit exposure to possible errors in printf() handling. It also ++ * disables positional parameters, "$", because some formats, e.g "%s%1$d", ++ * cannot be validated with the current implementation. ++ * ++ * The max_args allows to set a maximum number of accepted arguments. If the fmt0 ++ * string defines more arguments than the max_args then the parse_printf_arg_fmt() ++ * function returns an error. This is currently used for format check only. ++ */ ++static grub_err_t ++parse_printf_arg_fmt (const char *fmt0, struct printf_args *args, ++ int fmt_check, grub_size_t max_args) + { + const char *fmt; + char c; +@@ -851,7 +869,12 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args) + fmt++; + + if (*fmt == '$') +- fmt++; ++ { ++ if (fmt_check) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, ++ "positional arguments are not supported"); ++ fmt++; ++ } + + if (*fmt =='-') + fmt++; +@@ -883,9 +906,19 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args) + case 's': + args->count++; + break; ++ case '%': ++ /* "%%" is the escape sequence to output "%". */ ++ break; ++ default: ++ if (fmt_check) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "unexpected format"); ++ break; + } + } + ++ if (fmt_check && args->count > max_args) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "too many arguments"); ++ + if (args->count <= ARRAY_SIZE (args->prealloc)) + args->ptr = args->prealloc; + else +@@ -893,6 +926,9 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args) + args->ptr = grub_calloc (args->count, sizeof (args->ptr[0])); + if (!args->ptr) + { ++ if (fmt_check) ++ return grub_errno; ++ + grub_errno = GRUB_ERR_NONE; + args->ptr = args->prealloc; + args->count = ARRAY_SIZE (args->prealloc); +@@ -978,6 +1014,8 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args) + break; + } + } ++ ++ return GRUB_ERR_NONE; + } + + static void +@@ -985,7 +1023,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in) + { + grub_size_t n; + +- parse_printf_arg_fmt (fmt0, args); ++ parse_printf_arg_fmt (fmt0, args, 0, 0); + + for (n = 0; n < args->count; n++) + switch (args->ptr[n].type) +@@ -1292,6 +1330,42 @@ grub_xasprintf (const char *fmt, ...) + return ret; + } + ++grub_err_t ++grub_printf_fmt_check (const char *fmt, const char *fmt_expected) ++{ ++ struct printf_args args_expected, args_fmt; ++ grub_err_t ret; ++ grub_size_t n; ++ ++ if (fmt == NULL || fmt_expected == NULL) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid format"); ++ ++ ret = parse_printf_arg_fmt (fmt_expected, &args_expected, 1, GRUB_SIZE_MAX); ++ if (ret != GRUB_ERR_NONE) ++ return ret; ++ ++ /* Limit parsing to the number of expected arguments. */ ++ ret = parse_printf_arg_fmt (fmt, &args_fmt, 1, args_expected.count); ++ if (ret != GRUB_ERR_NONE) ++ { ++ free_printf_args (&args_expected); ++ return ret; ++ } ++ ++ for (n = 0; n < args_fmt.count; n++) ++ if (args_fmt.ptr[n].type != args_expected.ptr[n].type) ++ { ++ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "arguments types do not match"); ++ break; ++ } ++ ++ free_printf_args (&args_expected); ++ free_printf_args (&args_fmt); ++ ++ return ret; ++} ++ ++ + /* Abort GRUB. This function does not return. */ + static void __attribute__ ((noreturn)) + grub_abort (void) +diff --git a/include/grub/misc.h b/include/grub/misc.h +index c6851fb9dcf..69da7f41efa 100644 +--- a/include/grub/misc.h ++++ b/include/grub/misc.h +@@ -535,6 +535,21 @@ EXPORT_FUNC (__umoddi3) (grub_uint64_t a, grub_uint64_t b); + + #endif /* GRUB_UTIL */ + ++/* ++ * grub_printf_fmt_checks() a fmt string for printf() against an expected ++ * format. It is intended for cases where the fmt string could come from ++ * an outside source and cannot be trusted. ++ * ++ * While expected fmt accepts a printf() format string it should be kept ++ * as simple as possible. The printf() format strings with positional ++ * parameters are NOT accepted, neither for fmt nor for fmt_expected. ++ * ++ * The fmt is accepted if it has equal or less arguments than fmt_expected ++ * and if the type of all arguments match. ++ * ++ * Returns GRUB_ERR_NONE if fmt is acceptable. ++ */ ++grub_err_t EXPORT_FUNC (grub_printf_fmt_check) (const char *fmt, const char *fmt_expected); + + #if BOOT_TIME_STATS + struct grub_boot_time diff --git a/SOURCES/0441-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch b/SOURCES/0441-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch new file mode 100644 index 0000000..5eecce9 --- /dev/null +++ b/SOURCES/0441-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch @@ -0,0 +1,58 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software +Date: Tue, 4 Aug 2020 13:49:51 +0200 +Subject: [PATCH] gfxmenu/gui: Check printf() format in the gui_progress_bar + and gui_label + +The gui_progress_bar and gui_label components can display the timeout +value. The format string can be set through a theme file. This patch +adds a validation step to the format string. + +If a user loads a theme file into the GRUB without this patch then +a GUI label with the following settings + + + label { + ... + id = "__timeout__" + text = "%s" + } + +will interpret the current timeout value as string pointer and print the +memory at that position on the screen. It is not desired behavior. + +Signed-off-by: Thomas Frauendorfer | Miray Software +Reviewed-by: Daniel Kiper +--- + grub-core/gfxmenu/gui_label.c | 4 ++++ + grub-core/gfxmenu/gui_progress_bar.c | 3 +++ + 2 files changed, 7 insertions(+) + +diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c +index a4c817891ee..1c190542a2b 100644 +--- a/grub-core/gfxmenu/gui_label.c ++++ b/grub-core/gfxmenu/gui_label.c +@@ -193,6 +193,10 @@ label_set_property (void *vself, const char *name, const char *value) + else if (grub_strcmp (value, "@KEYMAP_SHORT@") == 0) + value = _("enter: boot, `e': options, `c': cmd-line"); + /* FIXME: Add more templates here if needed. */ ++ ++ if (grub_printf_fmt_check(value, "%d") != GRUB_ERR_NONE) ++ value = ""; /* Unsupported format. */ ++ + self->template = grub_strdup (value); + self->text = grub_xasprintf (value, self->value); + } +diff --git a/grub-core/gfxmenu/gui_progress_bar.c b/grub-core/gfxmenu/gui_progress_bar.c +index 3501b01724f..048275e036e 100644 +--- a/grub-core/gfxmenu/gui_progress_bar.c ++++ b/grub-core/gfxmenu/gui_progress_bar.c +@@ -342,6 +342,9 @@ progress_bar_set_property (void *vself, const char *name, const char *value) + Please use the shortest form available in you language. */ + value = _("%ds"); + ++ if (grub_printf_fmt_check(value, "%d") != GRUB_ERR_NONE) ++ value = ""; /* Unsupported format. */ ++ + self->template = grub_strdup (value); + } + else if (grub_strcmp (name, "font") == 0) diff --git a/SOURCES/0442-kern-mm-Fix-grub_debug_calloc-compilation-error.patch b/SOURCES/0442-kern-mm-Fix-grub_debug_calloc-compilation-error.patch new file mode 100644 index 0000000..00c71c9 --- /dev/null +++ b/SOURCES/0442-kern-mm-Fix-grub_debug_calloc-compilation-error.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marco A Benatto +Date: Tue, 9 Feb 2021 12:33:06 -0300 +Subject: [PATCH] kern/mm: Fix grub_debug_calloc() compilation error + +Fix compilation error due to missing parameter to +grub_printf() when MM_DEBUG is defined. + +Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available) + +Signed-off-by: Marco A Benatto +Reviewed-by: Daniel Kiper +--- + grub-core/kern/mm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c +index a424b7d0943..952f3d53e6d 100644 +--- a/grub-core/kern/mm.c ++++ b/grub-core/kern/mm.c +@@ -585,7 +585,7 @@ grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t si + + if (grub_mm_debug) + grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ", +- file, line, size); ++ file, line, nmemb, size); + ptr = grub_calloc (nmemb, size); + if (grub_mm_debug) + grub_printf ("%p\n", ptr); diff --git a/SOURCES/0443-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch b/SOURCES/0443-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch new file mode 100644 index 0000000..270baeb --- /dev/null +++ b/SOURCES/0443-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch @@ -0,0 +1,74 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software +Date: Tue, 4 Aug 2020 17:13:05 +0200 +Subject: [PATCH] efi/net: Fix malformed device path arithmetic errors in efi + net methods + +--- + grub-core/net/efi/net.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c +index 86bcae281a7..4a37523dd1f 100644 +--- a/grub-core/net/efi/net.c ++++ b/grub-core/net/efi/net.c +@@ -1318,11 +1318,18 @@ grub_efi_net_boot_from_https (void) + + dp = grub_efi_get_device_path (image->device_handle); + +- while (1) ++ while (dp) + { ++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp); ++ if (len < 4) ++ { ++ grub_error(GRUB_ERR_OUT_OF_RANGE, ++ "malformed EFI Device Path node has length=%d", len); ++ break; ++ } ++ + grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp); + grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp); +- grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp); + + if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE) + && (subtype == GRUB_EFI_URI_DEVICE_PATH_SUBTYPE)) +@@ -1335,7 +1342,7 @@ grub_efi_net_boot_from_https (void) + + if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp)) + break; +- dp = (grub_efi_device_path_t *) ((char *) dp + len); ++ dp = GRUB_EFI_NEXT_DEVICE_PATH(dp); + } + + return 0; +@@ -1353,11 +1360,18 @@ grub_efi_net_boot_from_opa (void) + + dp = grub_efi_get_device_path (image->device_handle); + +- while (1) ++ while (dp) + { ++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp); ++ if (len < 4) ++ { ++ grub_error(GRUB_ERR_OUT_OF_RANGE, ++ "malformed EFI Device Path node has length=%d", len); ++ break; ++ } ++ + grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp); + grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp); +- grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp); + + if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE) + && (subtype == GRUB_EFI_MAC_ADDRESS_DEVICE_PATH_SUBTYPE)) +@@ -1368,7 +1382,7 @@ grub_efi_net_boot_from_opa (void) + + if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp)) + break; +- dp = (grub_efi_device_path_t *) ((char *) dp + len); ++ dp = GRUB_EFI_NEXT_DEVICE_PATH(dp); + } + + return 0; diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 294b05f..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,425 +0,0 @@ - - - - - - Tree - rpms/kernel - CentOS Git server - - - - - - - - - - - - - - - - -
- - -
-
-
-
-
-
-

-

-
-
-

-rpms / kernel -

-
-
-
-
-
-
- - - Clone - - - -
-
-
-
- - -
-
- -
-
- -
- -
-
- -
- -
-
-
- - -
- - Blob - - Blame - - Raw -
- -
Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b6:16:15:71:72:fb:31:7e
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
-        Validity
-            Not Before: Aug  1 11:47:30 2018 GMT
-            Not After : Dec 31 11:47:30 2037 GMT
-        Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
-                    76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
-                    cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
-                    4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
-                    24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
-                    bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
-                    00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
-                    a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
-                    6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
-                    6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
-                    aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
-                    53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
-                    f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
-                    6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
-                    76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
-                    94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
-                    4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
-                    94:0f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature
-            X509v3 Subject Key Identifier: 
-                F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
-            X509v3 Authority Key Identifier: 
-                keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
-    Signature Algorithm: sha256WithRSAEncryption
-        97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
-        dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
-        11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
-        2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
-        28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
-        b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
-        f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
-        0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
-        a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
-        17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
-        ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
-        58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
-        75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
-        da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
-        da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
-
-
-
- -
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/SOURCES/centossecureboot202.crt b/SOURCES/centossecureboot202.crt deleted file mode 100644 index fba3730..0000000 --- a/SOURCES/centossecureboot202.crt +++ /dev/null @@ -1,84 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 93:c2:04:d8:bd:77:6b:12 - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org - Validity - Not Before: Jun 9 10:37:54 2020 GMT - Not After : Jan 18 10:37:54 2038 GMT - Subject: CN=CentOS Secure Boot Signing 202/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:d4:f0:32:4d:50:7a:c0:41:d6:61:68:59:5e:5b: - ce:65:e3:e9:7b:01:e4:53:94:c9:b7:c1:6b:b7:12: - 0b:bc:8f:d7:17:1b:c1:77:3a:08:17:ba:23:f1:bd: - 98:f0:7c:cb:96:70:2e:0e:2e:96:66:b7:9f:29:12: - 6f:ee:30:33:a1:a5:ee:f9:4b:a3:fb:52:45:d8:7e: - c2:e8:a9:20:a9:f2:2e:f4:44:b7:85:3f:34:7c:c0: - 73:1d:73:63:2f:11:a0:7d:df:e7:5a:20:b9:b9:ff: - 5d:0e:6d:90:86:1f:2e:fa:c7:b5:94:37:80:46:0d: - fb:5f:f8:26:f4:ce:2f:0d:5b:bf:e5:8d:a5:12:d7: - ba:cf:16:f2:5c:10:ae:a0:80:a8:dc:c4:6b:00:24: - f4:4b:f0:01:82:7e:4b:1c:b6:d6:ac:e1:72:32:07: - 5d:48:4a:cd:ba:5c:9c:09:72:89:b2:2e:60:f7:b7: - ed:ea:b6:0d:ae:63:f8:09:a1:8f:62:ee:09:d2:cb: - 0a:81:df:7c:72:4b:bf:bd:fb:59:24:84:1f:1d:ce: - 36:bc:4c:13:84:ca:c5:e0:81:bb:ec:61:8f:9f:78: - 88:43:8d:e0:16:b2:ab:90:14:23:29:ce:1d:e7:a1: - bb:4a:93:f9:f8:8d:b8:ff:2f:30:74:66:b2:31:89: - b1:7d - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: critical - Digital Signature - X509v3 Extended Key Usage: critical - Code Signing - X509v3 Subject Key Identifier: - 1E:55:FF:FF:01:71:5F:F1:28:7F:C8:A9:7C:AF:83:9F:ED:7A:33:0B - X509v3 Authority Key Identifier: - keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA - - Signature Algorithm: sha256WithRSAEncryption - 6b:1b:fa:f3:a8:c0:1e:e7:55:49:f2:4e:16:1f:9a:1b:22:9c: - ff:c9:81:d0:5b:d6:28:3c:38:91:65:b5:ca:63:e6:9d:13:2d: - 5f:f5:cc:67:c2:82:55:73:8f:8b:0c:0c:a9:60:2a:a8:b2:19: - c1:a7:87:94:d8:69:5e:3c:88:e5:32:8a:4c:a6:6f:69:8b:c5: - f2:7e:8e:d2:af:37:2d:27:73:c7:ad:9d:bc:14:08:a8:aa:57: - 22:37:be:c6:d2:2d:a3:70:81:4a:88:8c:a3:44:89:6c:7d:9d: - 9f:db:ff:5c:c6:ec:6d:97:b0:08:8d:76:c6:14:d0:25:81:a3: - 09:b6:f2:89:32:12:b2:f2:71:71:b6:ac:c1:65:d1:9c:6b:e1: - a4:4e:74:d0:01:17:ad:38:0f:17:86:07:56:b3:a1:86:5d:99: - ef:d6:55:98:b9:ce:63:46:8b:37:c4:53:55:8b:7a:10:75:90: - fd:e6:62:f0:6c:af:89:91:17:34:f7:99:77:6d:29:fa:92:bb: - c3:45:77:fe:a3:15:da:54:7d:47:16:b6:6f:94:09:b8:5f:ca: - e9:34:a2:bf:18:cd:d3:f4:17:2c:98:e4:e4:ca:46:ad:4b:a4: - 34:77:47:ec:5d:21:a6:cf:5c:b9:5a:47:ca:04:a1:93:56:13: - 0a:cc:47:91 ------BEGIN CERTIFICATE----- -MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sSMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV -BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1 -cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMzc1NFoXDTM4MDExODEwMzc1NFow -TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAyMSIwIAYJ -KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEA1PAyTVB6wEHWYWhZXlvOZePpewHkU5TJt8FrtxILvI/X -FxvBdzoIF7oj8b2Y8HzLlnAuDi6WZrefKRJv7jAzoaXu+Uuj+1JF2H7C6KkgqfIu -9ES3hT80fMBzHXNjLxGgfd/nWiC5uf9dDm2Qhh8u+se1lDeARg37X/gm9M4vDVu/ -5Y2lEte6zxbyXBCuoICo3MRrACT0S/ABgn5LHLbWrOFyMgddSErNulycCXKJsi5g -97ft6rYNrmP4CaGPYu4J0ssKgd98cku/vftZJIQfHc42vEwThMrF4IG77GGPn3iI -Q43gFrKrkBQjKc4d56G7SpP5+I24/y8wdGayMYmxfQIDAQABo3gwdjAMBgNVHRMB -Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd -BgNVHQ4EFgQUHlX//wFxX/Eof8ipfK+Dn+16MwswHwYDVR0jBBgwFoAUcAB/mSCc -EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBAGsb+vOowB7nVUnyThYf -mhsinP/JgdBb1ig8OJFltcpj5p0TLV/1zGfCglVzj4sMDKlgKqiyGcGnh5TYaV48 -iOUyikymb2mLxfJ+jtKvNy0nc8etnbwUCKiqVyI3vsbSLaNwgUqIjKNEiWx9nZ/b -/1zG7G2XsAiNdsYU0CWBowm28okyErLycXG2rMFl0Zxr4aROdNABF604DxeGB1az -oYZdme/WVZi5zmNGizfEU1WLehB1kP3mYvBsr4mRFzT3mXdtKfqSu8NFd/6jFdpU -fUcWtm+UCbhfyuk0or8YzdP0FyyY5OTKRq1LpDR3R+xdIabPXLlaR8oEoZNWEwrM -R5E= ------END CERTIFICATE----- diff --git a/SOURCES/centossecurebootca2.crt b/SOURCES/centossecurebootca2.crt deleted file mode 100644 index ff4e981..0000000 --- a/SOURCES/centossecurebootca2.crt +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDYjCCAkqgAwIBAgIJAIlReu6IOzL7MA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV -BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1 -cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTA4MTkzMloXDTM4MDExODA4MTkzMlow -RjEgMB4GA1UEAwwXQ2VudE9TIFNlY3VyZSBCb290IENBIDIxIjAgBgkqhkiG9w0B -CQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQChatbNaQDV0RTCqff1tl92xI6gu1k8jYufW8FyzZ6uDnxoGpBT0LiU -WKuGjMQ89JgiApFzDYSLWrZg8NbTnVdz0hny4SMyspe5weUk6IToKXvEejZNFn6i -vae2vfT0/ASKsgIvUcz4sWHMK43vbfv/pVpYGLgoG5aNUkt7VhkeURwJzR3ODgDp -aL4bQ/7qEo8ASHCEvQx6klG330Z06O0kjS6GK12cPC1t5ZlimVXCNWP1jf0pMWmh -aBrZjbyY0j8R7Yns3cEovAM230chsVdyFxSYpqCLzMlmWNxiIlvcAoDIRMWEa7Da -SSAfJWH+ygAzad1PHlnCB0zAFbLAMJH1AgMBAAGjUzBRMB0GA1UdDgQWBBRwAH+Z -IJwSa+FHdOrse22WMfNNyjAfBgNVHSMEGDAWgBRwAH+ZIJwSa+FHdOrse22WMfNN -yjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe5NcVSUd/POZs -Jkiep8ATNwXglLAeYxB55F42sXx5OOdKMBmhqWQIVJvaih/wsfKIBfdUGv2L9dH8 -IQgiU1PRYx0baSVJno3HcQTbCqLvnvckusR7IUTDAFj774MvXwS6yV6pXzxDmuh2 -t8hRktOKFeUtdlDYqg9X3Ia3GkoB5huyEbuaZTNcV4TAfU/yAERNIAgRs+fLQU70 -OgGlWsp35J8qPkZKabGf0surDa2xa6iAoFyknxruoKQ8uNSB9KB7/0JvVouNx90+ -ncykWW96GVKs8+H5WGza10FqrchtThSNCSXTtLbTXoK0Atdvu0o04XUbsCGMnlcG -zAVb3/m0 ------END CERTIFICATE----- diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index a78bda9..5da17c8 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -101,6 +101,16 @@ -e 's/-m64//g' \\\ ) %{nil} %endif +%ifarch %{ix86} +%global target_cpu_name %{_arch} +%global grub_target_name %{_arch}-pc + +%global legacy_target_cpu_name i386 +%global legacy_package_arch pc +%global platform pc + +%global with_legacy_arch 0 +%endif %ifarch aarch64 %global efiarch aa64 @@ -152,6 +162,14 @@ %global with_efi_common 1 %global with_legacy_common 0 %endif +%ifarch %{ix86} +%global with_efi_arch 0 +%global with_alt_efi_arch 0 +%global with_efi_common 0 +%global with_legacy_common 1 +%global with_legacy_utils 1 +%global with_legacy_arch 0 +%endif %if 0%{with_efi_common} %global common_srcdir grub-%{grubefiarch}-%{tarversion} @@ -306,9 +324,11 @@ done \ %ifarch x86_64 aarch64 %define mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ - -p /EFI/%{efidir} -d grub-core ${GRUB_MODULES} \ + -p /EFI/%{efidir} -d grub-core ${GRUB_MODULES} \\\ + --sbat %{4}./sbat.csv \ %{4}./grub-mkimage -O %{1} -o %{3}.orig \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \ + -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ + --sbat %{4}./sbat.csv \ %{expand:%%{pesign -s -i %{2}.orig -o %{2}.one -a %{5} -c %{6} -n %{7}}} \ %{expand:%%{pesign -s -i %{3}.orig -o %{3}.one -a %{5} -c %{6} -n %{7}}} \ %{expand:%%{pesign -s -i %{2}.one -o %{2} -a %{8} -c %{9} -n %{10}}} \ @@ -329,7 +349,7 @@ GRUB_MODULES=" all_video boot btrfs cat chain configfile echo \\\ gzio halt hfsplus iso9660 jpeg loadenv loopback \\\ lvm mdraid09 mdraid1x minicmd normal part_apple \\\ part_msdos part_gpt password_pbkdf2 png reboot \\\ - search search_fs_uuid search_fs_file \\\ + regexp search search_fs_uuid search_fs_file \\\ search_label serial sleep syslinuxcfg test tftp \\\ video xfs" \ GRUB_MODULES+=%{efi_modules} \ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index b523951..4630461 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -333,3 +333,111 @@ Patch0332: 0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch Patch0333: 0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch Patch0335: 0335-tftp-roll-over-block-counter-to-prevent-timeouts-with.patch +Patch0336: 0336-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch +Patch0337: 0337-kern-Add-lockdown-support.patch +Patch0338: 0338-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch +Patch0339: 0339-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch +Patch0340: 0340-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch +Patch0341: 0341-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch +Patch0342: 0342-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch +Patch0343: 0343-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch +Patch0344: 0344-commands-setpci-Restrict-setpci-command-when-locked-.patch +Patch0345: 0345-commands-hdparm-Restrict-hdparm-command-when-locked-.patch +Patch0346: 0346-gdb-Restrict-GDB-access-when-locked-down.patch +Patch0347: 0347-loader-xnu-Don-t-allow-loading-extension-and-package.patch +Patch0348: 0348-docs-Document-the-cutmem-command.patch +Patch0349: 0349-dl-Only-allow-unloading-modules-that-are-not-depende.patch +Patch0350: 0350-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch +Patch0351: 0351-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch +Patch0352: 0352-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch +Patch0353: 0353-net-tftp-Fix-dangling-memory-pointer.patch +Patch0354: 0354-kern-parser-Fix-resource-leak-if-argc-0.patch +Patch0355: 0355-kern-efi-Fix-memory-leak-on-failure.patch +Patch0356: 0356-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch +Patch0357: 0357-gnulib-regexec-Resolve-unused-variable.patch +Patch0358: 0358-gnulib-regcomp-Fix-uninitialized-token-structure.patch +Patch0359: 0359-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch +Patch0360: 0360-gnulib-regexec-Fix-possible-null-dereference.patch +Patch0361: 0361-gnulib-regcomp-Fix-uninitialized-re_token.patch +Patch0362: 0362-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch +Patch0363: 0363-kern-partition-Check-for-NULL-before-dereferencing-i.patch +Patch0364: 0364-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch +Patch0365: 0365-disk-ldm-If-failed-then-free-vg-variable-too.patch +Patch0366: 0366-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch +Patch0367: 0367-disk-cryptodisk-Fix-potential-integer-overflow.patch +Patch0368: 0368-hfsplus-Check-that-the-volume-name-length-is-valid.patch +Patch0369: 0369-zfs-Fix-possible-negative-shift-operation.patch +Patch0370: 0370-zfs-Fix-resource-leaks-while-constructing-path.patch +Patch0371: 0371-zfs-Fix-possible-integer-overflows.patch +Patch0372: 0372-zfsinfo-Correct-a-check-for-error-allocating-memory.patch +Patch0373: 0373-affs-Fix-memory-leaks.patch +Patch0374: 0374-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch +Patch0375: 0375-libgcrypt-mpi-Fix-possible-NULL-dereference.patch +Patch0376: 0376-syslinux-Fix-memory-leak-while-parsing.patch +Patch0377: 0377-normal-completion-Fix-leaking-of-memory-when-process.patch +Patch0378: 0378-commands-hashsum-Fix-a-memory-leak.patch +Patch0379: 0379-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch +Patch0380: 0380-video-fb-fbfill-Fix-potential-integer-overflow.patch +Patch0381: 0381-video-fb-video_fb-Fix-multiple-integer-overflows.patch +Patch0382: 0382-video-fb-video_fb-Fix-possible-integer-overflow.patch +Patch0383: 0383-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch +Patch0384: 0384-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch +Patch0385: 0385-loader-bsd-Check-for-NULL-arg-up-front.patch +Patch0386: 0386-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch +Patch0387: 0387-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch +Patch0388: 0388-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch +Patch0389: 0389-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch +Patch0390: 0390-script-execute-Fix-NULL-dereference-in-grub_script_e.patch +Patch0391: 0391-commands-ls-Require-device_name-is-not-NULL-before-p.patch +Patch0392: 0392-script-execute-Avoid-crash-when-using-outside-a-func.patch +Patch0393: 0393-lib-arg-Block-repeated-short-options-that-require-an.patch +Patch0394: 0394-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch +Patch0395: 0395-commands-menuentry-Fix-quoting-in-setparams_prefix.patch +Patch0396: 0396-kern-misc-Always-set-end-in-grub_strtoull.patch +Patch0397: 0397-video-readers-jpeg-Catch-files-with-unsupported-quan.patch +Patch0398: 0398-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch +Patch0399: 0399-video-readers-jpeg-Don-t-decode-data-before-start-of.patch +Patch0400: 0400-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch +Patch0401: 0401-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch +Patch0402: 0402-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch +Patch0403: 0403-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch +Patch0404: 0404-fs-hfs-Disable-under-lockdown.patch +Patch0405: 0405-fs-sfs-Fix-over-read-of-root-object-name.patch +Patch0406: 0406-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch +Patch0407: 0407-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch +Patch0408: 0408-fs-jfs-Catch-infinite-recursion.patch +Patch0409: 0409-fs-nilfs2-Reject-too-large-keys.patch +Patch0410: 0410-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch +Patch0411: 0411-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch +Patch0412: 0412-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch +Patch0413: 0413-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch +Patch0414: 0414-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch +Patch0415: 0415-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch +Patch0416: 0416-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch +Patch0417: 0417-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch +Patch0418: 0418-disk-lvm-Bail-on-missing-PV-list.patch +Patch0419: 0419-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch +Patch0420: 0420-disk-lvm-Do-not-overread-metadata.patch +Patch0421: 0421-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch +Patch0422: 0422-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch +Patch0423: 0423-kern-parser-Fix-a-memory-leak.patch +Patch0424: 0424-kern-parser-Introduce-process_char-helper.patch +Patch0425: 0425-kern-parser-Introduce-terminate_arg-helper.patch +Patch0426: 0426-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch +Patch0427: 0427-kern-buffer-Add-variable-sized-heap-buffer.patch +Patch0428: 0428-kern-parser-Fix-a-stack-buffer-overflow.patch +Patch0429: 0429-kern-efi-Add-initial-stack-protector-implementation.patch +Patch0430: 0430-util-mkimage-Remove-unused-code-to-add-BSS-section.patch +Patch0431: 0431-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch +Patch0432: 0432-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch +Patch0433: 0433-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch +Patch0434: 0434-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch +Patch0435: 0435-util-mkimage-Improve-data_size-value-calculation.patch +Patch0436: 0436-util-mkimage-Refactor-section-setup-to-use-a-helper.patch +Patch0437: 0437-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch +Patch0438: 0438-kern-misc-Split-parse_printf_args-into-format-parsin.patch +Patch0439: 0439-kern-misc-Add-STRING-type-for-internal-printf-format.patch +Patch0440: 0440-kern-misc-Add-function-to-check-printf-format-agains.patch +Patch0441: 0441-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch +Patch0442: 0442-kern-mm-Fix-grub_debug_calloc-compilation-error.patch +Patch0443: 0443-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in new file mode 100755 index 0000000..33d1d27 --- /dev/null +++ b/SOURCES/sbat.csv.in @@ -0,0 +1,3 @@ +sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md +grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/ +grub.rhel7,1,Red Hat Enterprise Linux 7,grub2,@@VERSION@@,mail:secalert@redhat.com diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index fc57a7d..542a0c8 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -1,22 +1,12 @@ %undefine _hardened_build -%global flagday 1:2.02-0.86.el7.centos + %global tarversion 2.02~beta2 %undefine _missing_build_ids_terminate_build -%ifarch i686 -%define platform pc -%define legacy_package_arch i386 -%define legacy_target_cpu_name i386 -%define target_cpu_name i386 -%endif -%ifarch x86_64 -%define mock 1 -%endif - Name: grub2 Epoch: 1 Version: 2.02 -Release: 0.87%{?dist}%{?buildid} +Release: 0.87%{?dist}%{?buildid}.2 Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ @@ -27,10 +17,11 @@ Source1: grub.macros Source2: grub.patches Source3: http://unifoundry.com/unifont-5.1.20080820.pcf.gz Source4: gitignore -Source5: centos-ca-secureboot.der -Source6: centossecureboot001.crt -Source7: centossecurebootca2.crt -Source8: centossecureboot202.crt +Source5: redhatsecurebootca3.cer +Source6: redhatsecureboot301.cer +Source7: redhatsecurebootca5.cer +Source8: redhatsecureboot502.cer +Source9: sbat.csv.in %include %{SOURCE1} @@ -63,11 +54,8 @@ BuildRequires: pesign >= 0.99-8 %if %{?_with_ccache: 1}%{?!_with_ccache: 0} BuildRequires: ccache %endif -%if 0%{?centos} -%global efidir centos -%endif -ExcludeArch: s390 s390x %{arm} +ExcludeArch: s390 s390x %{arm} %{?ix86} Obsoletes: %{name} <= %{flagday} %if 0%{with_legacy_arch} @@ -152,13 +140,10 @@ This subpackage provides tools for support of all platforms. %prep %setup -T -c -n grub-%{tarversion} %do_common_setup -sed -i.orig -e 's@/efi/EFI/redhat/@/efi/EFI/%{efidir}/@' \ - grub-%{tarversion}/util/grub-setpassword.in -touch --reference=grub-%{tarversion}/util/grub-setpassword.in.orig \ - grub-%{tarversion}/util/grub-setpassword.in -rm -f grub-%{tarversion}/util/grub-setpassword.in.orig %if 0%{with_efi_arch} %do_setup %{grubefiarch} +sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE9} \ + > grub-%{grubefiarch}-%{tarversion}/sbat.csv %endif %if 0%{with_alt_efi_arch} %do_setup %{grubaltefiarch} @@ -169,10 +154,10 @@ rm -f grub-%{tarversion}/util/grub-setpassword.in.orig %build %if 0%{with_efi_arch} -%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE5} %{SOURCE6} centossecureboot001 %{SOURCE7} %{SOURCE8} centossecureboot202 +%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE5} %{SOURCE6} redhatsecureboot301 %{SOURCE7} %{SOURCE8} redhatsecureboot502 %endif %if 0%{with_alt_efi_arch} -%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE5} %{SOURCE6} centossecureboot001 %{SOURCE7} %{SOURCE8} centossecureboot202 +%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE5} %{SOURCE6} redhatsecureboot301 %{SOURCE7} %{SOURCE8} redhatsecureboot502 %endif %if 0%{with_legacy_arch}%{with_legacy_utils} %do_legacy_build %{grublegacyarch} @@ -484,6 +469,20 @@ fi %endif %changelog +* Fri Feb 26 2021 Javier Martinez Canillas - 2.02-0.87.e7.2 +- Fix another batch of CVEs + Resolves: CVE-2020-14372 + Resolves: CVE-2020-25632 + Resolves: CVE-2020-25647 + Resolves: CVE-2020-27749 + Resolves: CVE-2020-27779 + Resolves: CVE-2021-20225 + Resolves: CVE-2021-20233 + +* Wed Nov 18 2020 Javier Martinez Canillas - 2.02-0.87.e7.1 +- Fix keyboards that report IBM PC AT scan codes + Resolves: rhbz#1892240 + * Mon Aug 24 2020 Javier Martinez Canillas - 2.02-0.87 - Fix TFTP timeouts when trying to fetch files larger than 65535 KiB Resolves: rhbz#1869987