diff --git a/SOURCES/0449-ieee1275-ofdisk-retry-on-open-failure.patch b/SOURCES/0449-ieee1275-ofdisk-retry-on-open-failure.patch
index dc4aa2a..cdc08c1 100644
--- a/SOURCES/0449-ieee1275-ofdisk-retry-on-open-failure.patch
+++ b/SOURCES/0449-ieee1275-ofdisk-retry-on-open-failure.patch
@@ -1,4 +1,4 @@
-From c23e77a9abea3402e29062fdc4dd60d10c9f3c07 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Diego Domingos <diegodo@br.ibm.com>
Date: Mon, 17 May 2021 16:59:04 +0200
Subject: [PATCH] ieee1275/ofdisk: retry on open failure
@@ -15,7 +15,7 @@ Signed-off-by: Diego Domingos <diegodo@br.ibm.com>
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
-index 5fabe365eca..578d2833273 100644
+index 5fabe365ec..578d283327 100644
--- a/grub-core/disk/ieee1275/ofdisk.c
+++ b/grub-core/disk/ieee1275/ofdisk.c
@@ -220,7 +220,9 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
@@ -79,7 +79,7 @@ index 5fabe365eca..578d2833273 100644
return 0;
}
diff --git a/include/grub/ieee1275/ofdisk.h b/include/grub/ieee1275/ofdisk.h
-index 3f583178748..7446b670213 100644
+index 3f58317874..7446b67021 100644
--- a/include/grub/ieee1275/ofdisk.h
+++ b/include/grub/ieee1275/ofdisk.h
@@ -25,4 +25,12 @@ extern void grub_ofdisk_fini (void);
@@ -95,6 +95,3 @@ index 3f583178748..7446b670213 100644
+ grub_dprintf("ofdisk","Opening disk %s failed. Retrying...\n",device); }
+
#endif /* ! GRUB_INIT_HEADER */
---
-2.31.1
-
diff --git a/SOURCES/0450-loader-efi-chainloader-grub_load_and_start_image-doe.patch b/SOURCES/0450-loader-efi-chainloader-grub_load_and_start_image-doe.patch
new file mode 100644
index 0000000..ca35bcc
--- /dev/null
+++ b/SOURCES/0450-loader-efi-chainloader-grub_load_and_start_image-doe.patch
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 28 Apr 2022 21:53:36 +0100
+Subject: [PATCH] loader/efi/chainloader: grub_load_and_start_image doesn't
+ load and start
+
+grub_load_and_start_image only loads an image - it still requires the
+caller to start it. This renames it to grub_load_image.
+
+It's called from 2 places:
+- grub_cmd_chainloader when not using the shim protocol.
+- grub_secureboot_chainloader_boot if handle_image returns an error.
+In this case, the image is loaded and then nothing else happens which
+seems strange. I assume the intention is that it falls back to LoadImage
+and StartImage if handle_image fails, so I've made it do that.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+(cherry picked from commit b4d70820a65c00561045856b7b8355461a9545f6)
+(cherry picked from commit 05b16a6be50b1910609740a66b561276fa490538)
+(cherry picked from commit 16486a34f3aa41a94e334e86db1a1e21e9b0a45f)
+(cherry picked from commit 0bbd693019567b2c55e8be121378d4875f44369a)
+[rharwood: chainloader handle_image casting]
+---
+ grub-core/loader/efi/chainloader.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index 001766bdf6..eeef52acde 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -840,7 +840,7 @@ grub_secureboot_chainloader_unload (void)
+ }
+
+ static grub_err_t
+-grub_load_and_start_image(void *boot_image)
++grub_load_image(void *boot_image)
+ {
+ grub_efi_boot_services_t *b;
+ grub_efi_status_t status;
+@@ -882,13 +882,23 @@ grub_load_and_start_image(void *boot_image)
+ static grub_err_t
+ grub_secureboot_chainloader_boot (void)
+ {
++ grub_efi_boot_services_t *b;
+ int rc;
+- rc = handle_image ((void *)address, fsize);
++
++ rc = handle_image ((void *)(unsigned long)address, fsize);
+ if (rc == 0)
+ {
+- grub_load_and_start_image((void *)address);
++ /* We weren't able to attempt to execute the image, so fall back
++ * to LoadImage / StartImage.
++ */
++ rc = grub_load_image((void *)(unsigned long)address);
++ if (rc == 0)
++ grub_chainloader_boot ();
+ }
+
++ b = grub_efi_system_table->boot_services;
++ efi_call_1 (b->unload_image, image_handle);
++
+ grub_loader_unset ();
+ return grub_errno;
+ }
+@@ -1076,7 +1086,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ }
+ else if (rc == 0)
+ {
+- grub_load_and_start_image(boot_image);
++ grub_load_image(boot_image);
+ grub_file_close (file);
+ grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
+
diff --git a/SOURCES/0451-loader-efi-chainloader-simplify-the-loader-state.patch b/SOURCES/0451-loader-efi-chainloader-simplify-the-loader-state.patch
new file mode 100644
index 0000000..753a090
--- /dev/null
+++ b/SOURCES/0451-loader-efi-chainloader-simplify-the-loader-state.patch
@@ -0,0 +1,339 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 29 Apr 2022 21:13:08 +0100
+Subject: [PATCH] loader/efi/chainloader: simplify the loader state
+
+When not using the shim lock protocol, the chainloader command retains
+the source buffer and device path passed to LoadImage, requiring the
+unload hook passed to grub_loader_set to free them. It isn't required
+to retain this state though - they aren't required by StartImage or
+anything else in the boot hook, so clean them up before
+grub_cmd_chainloader finishes.
+
+This also wraps the loader state when using the shim lock protocol
+inside a struct.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+(cherry picked from commit fa39862933b3be1553a580a3a5c28073257d8046)
+(cherry picked from commit 0333343ee99c4e88f062789263c94291c057251b)
+[rharwood: verifying twice]
+(cherry picked from commit 6080ad5d91d6a80d5f67c592dd33b6dd413e9453)
+[rharwood: double frees and unintialized, context fuzz - orig_dp]
+(cherry picked from commit b44b88ae45008611ec0469fb47139f4c0d1ee233)
+[rharwood: missing sb support in chainloader]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/loader/efi/chainloader.c | 163 +++++++++++++++++++++++--------------
+ 1 file changed, 102 insertions(+), 61 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index eeef52acde..8d7072ee1a 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -47,38 +47,21 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ static grub_dl_t my_mod;
+
+-static grub_efi_physical_address_t address;
+-static grub_efi_uintn_t pages;
+-static grub_ssize_t fsize;
+-static grub_efi_device_path_t *file_path;
+ static grub_efi_handle_t image_handle;
+-static grub_efi_char16_t *cmdline;
+-static grub_ssize_t cmdline_len;
+-static grub_efi_handle_t dev_handle;
+
+-static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
++struct grub_secureboot_chainloader_context {
++ grub_efi_physical_address_t address;
++ grub_efi_uintn_t pages;
++ grub_ssize_t fsize;
++ grub_efi_device_path_t *file_path;
++ grub_efi_char16_t *cmdline;
++ grub_ssize_t cmdline_len;
++ grub_efi_handle_t dev_handle;
++};
++static struct grub_secureboot_chainloader_context *sb_context;
+
+ static grub_err_t
+-grub_chainloader_unload (void)
+-{
+- grub_efi_boot_services_t *b;
+-
+- b = grub_efi_system_table->boot_services;
+- efi_call_1 (b->unload_image, image_handle);
+- efi_call_2 (b->free_pages, address, pages);
+-
+- grub_free (file_path);
+- grub_free (cmdline);
+- cmdline = 0;
+- file_path = 0;
+- dev_handle = 0;
+-
+- grub_dl_unref (my_mod);
+- return GRUB_ERR_NONE;
+-}
+-
+-static grub_err_t
+-grub_chainloader_boot (void)
++grub_start_image (grub_efi_handle_t handle)
+ {
+ grub_efi_boot_services_t *b;
+ grub_efi_status_t status;
+@@ -86,7 +69,7 @@ grub_chainloader_boot (void)
+ grub_efi_char16_t *exit_data = NULL;
+
+ b = grub_efi_system_table->boot_services;
+- status = efi_call_3 (b->start_image, image_handle, &exit_data_size, &exit_data);
++ status = efi_call_3 (b->start_image, handle, &exit_data_size, &exit_data);
+ if (status != GRUB_EFI_SUCCESS)
+ {
+ if (exit_data)
+@@ -110,11 +93,37 @@ grub_chainloader_boot (void)
+ if (exit_data)
+ efi_call_1 (b->free_pool, exit_data);
+
+- grub_loader_unset ();
+-
+ return grub_errno;
+ }
+
++static grub_err_t
++grub_chainloader_unload (void)
++{
++ grub_efi_loaded_image_t *loaded_image;
++ grub_efi_boot_services_t *b;
++
++ loaded_image = grub_efi_get_loaded_image (image_handle);
++ if (loaded_image != NULL)
++ grub_free (loaded_image->load_options);
++
++ b = grub_efi_system_table->boot_services;
++ efi_call_1 (b->unload_image, image_handle);
++
++ grub_dl_unref (my_mod);
++ return GRUB_ERR_NONE;
++}
++
++static grub_err_t
++grub_chainloader_boot (void)
++{
++ grub_err_t err;
++
++ err = grub_start_image (image_handle);
++
++ grub_loader_unset ();
++ return err;
++}
++
+ static grub_err_t
+ copy_file_path (grub_efi_file_path_device_path_t *fp,
+ const char *str, grub_efi_uint16_t len)
+@@ -149,7 +158,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+ char *dir_start;
+ char *dir_end;
+ grub_size_t size;
+- grub_efi_device_path_t *d;
++ grub_efi_device_path_t *d, *file_path;
+
+ dir_start = grub_strchr (filename, ')');
+ if (! dir_start)
+@@ -520,12 +529,14 @@ grub_efi_get_media_file_path (grub_efi_device_path_t *dp)
+ }
+
+ static grub_efi_boolean_t
+-handle_image (void *data, grub_efi_uint32_t datasize)
++handle_image (struct grub_secureboot_chainloader_context *load_context)
+ {
+ grub_efi_boot_services_t *b;
+ grub_efi_loaded_image_t *li, li_bak;
+ grub_efi_status_t efi_status;
+- char *buffer = NULL;
++ void *data = (void *)(unsigned long)load_context->address;
++ grub_efi_uint32_t datasize = load_context->fsize;
++ void *buffer = NULL;
+ char *buffer_aligned = NULL;
+ grub_efi_uint32_t i;
+ struct grub_pe32_section_table *section;
+@@ -535,6 +546,7 @@ handle_image (void *data, grub_efi_uint32_t datasize)
+ grub_uint32_t buffer_size;
+ int found_entry_point = 0;
+ int rc;
++ grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
+
+ b = grub_efi_system_table->boot_services;
+
+@@ -794,10 +806,10 @@ handle_image (void *data, grub_efi_uint32_t datasize)
+ grub_memcpy (&li_bak, li, sizeof (grub_efi_loaded_image_t));
+ li->image_base = buffer_aligned;
+ li->image_size = context.image_size;
+- li->load_options = cmdline;
+- li->load_options_size = cmdline_len;
+- li->file_path = grub_efi_get_media_file_path (file_path);
+- li->device_handle = dev_handle;
++ li->load_options = load_context->cmdline;
++ li->load_options_size = load_context->cmdline_len;
++ li->file_path = grub_efi_get_media_file_path (load_context->file_path);
++ li->device_handle = load_context->dev_handle;
+ if (!li->file_path)
+ {
+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "no matching file path found");
+@@ -825,22 +837,22 @@ error_exit:
+ static grub_err_t
+ grub_secureboot_chainloader_unload (void)
+ {
+- grub_efi_boot_services_t *b;
++ grub_efi_free_pages (sb_context->address, sb_context->pages);
++ grub_free (sb_context->file_path);
++ grub_free (sb_context->cmdline);
++ grub_free (sb_context);
+
+- b = grub_efi_system_table->boot_services;
+- efi_call_2 (b->free_pages, address, pages);
+- grub_free (file_path);
+- grub_free (cmdline);
+- cmdline = 0;
+- file_path = 0;
+- dev_handle = 0;
++ sb_context = 0;
+
+ grub_dl_unref (my_mod);
+ return GRUB_ERR_NONE;
+ }
+
+ static grub_err_t
+-grub_load_image(void *boot_image)
++grub_load_image(grub_efi_device_path_t *file_path, void *boot_image,
++ grub_efi_uintn_t image_size, grub_efi_handle_t dev_handle,
++ grub_efi_char16_t *cmdline, grub_ssize_t cmdline_len,
++ grub_efi_handle_t *image_handle_out)
+ {
+ grub_efi_boot_services_t *b;
+ grub_efi_status_t status;
+@@ -849,7 +861,7 @@ grub_load_image(void *boot_image)
+ b = grub_efi_system_table->boot_services;
+
+ status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path,
+- boot_image, fsize, &image_handle);
++ boot_image, image_size, image_handle_out);
+ if (status != GRUB_EFI_SUCCESS)
+ {
+ if (status == GRUB_EFI_OUT_OF_RESOURCES)
+@@ -862,7 +874,7 @@ grub_load_image(void *boot_image)
+ /* LoadImage does not set a device handler when the image is
+ loaded from memory, so it is necessary to set it explicitly here.
+ This is a mess. */
+- loaded_image = grub_efi_get_loaded_image (image_handle);
++ loaded_image = grub_efi_get_loaded_image (*image_handle_out);
+ if (! loaded_image)
+ {
+ grub_error (GRUB_ERR_BAD_OS, "no loaded image available");
+@@ -884,20 +896,25 @@ grub_secureboot_chainloader_boot (void)
+ {
+ grub_efi_boot_services_t *b;
+ int rc;
++ grub_efi_handle_t handle = 0;
+
+- rc = handle_image ((void *)(unsigned long)address, fsize);
++ rc = handle_image (sb_context);
+ if (rc == 0)
+ {
+ /* We weren't able to attempt to execute the image, so fall back
+ * to LoadImage / StartImage.
+ */
+- rc = grub_load_image((void *)(unsigned long)address);
++ rc = grub_load_image(sb_context->file_path,
++ (void *)(unsigned long)sb_context->address,
++ sb_context->fsize, sb_context->dev_handle,
++ sb_context->cmdline, sb_context->cmdline_len,
++ &handle);
+ if (rc == 0)
+- grub_chainloader_boot ();
++ grub_start_image (handle);
+ }
+
+ b = grub_efi_system_table->boot_services;
+- efi_call_1 (b->unload_image, image_handle);
++ efi_call_1 (b->unload_image, handle);
+
+ grub_loader_unset ();
+ return grub_errno;
+@@ -911,10 +928,16 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_status_t status;
+ grub_efi_boot_services_t *b;
+ grub_device_t dev = 0;
+- grub_efi_device_path_t *dp = 0;
++ grub_efi_device_path_t *dp = 0, *file_path = 0;
+ char *filename;
+ void *boot_image = 0;
+ int rc;
++ grub_efi_physical_address_t address = 0;
++ grub_ssize_t fsize;
++ grub_efi_uintn_t pages = 0;
++ grub_efi_char16_t *cmdline = 0;
++ grub_ssize_t cmdline_len = 0;
++ grub_efi_handle_t dev_handle = 0;
+
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -922,12 +945,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+
+ grub_dl_ref (my_mod);
+
+- /* Initialize some global variables. */
+- address = 0;
+- image_handle = 0;
+- file_path = 0;
+- dev_handle = 0;
+-
+ b = grub_efi_system_table->boot_services;
+
+ if (argc > 1)
+@@ -1079,15 +1096,33 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);
+ if (rc > 0)
+ {
++ sb_context = grub_malloc (sizeof (*sb_context));
++ if (sb_context == NULL)
++ goto fail;
++ sb_context->address = address;
++ sb_context->fsize = fsize;
++ sb_context->pages = pages;
++ sb_context->file_path = file_path;
++ sb_context->cmdline = cmdline;
++ sb_context->cmdline_len = cmdline_len;
++ sb_context->dev_handle = dev_handle;
++
+ grub_file_close (file);
++
+ grub_loader_set (grub_secureboot_chainloader_boot,
+ grub_secureboot_chainloader_unload, 0);
+ return 0;
+ }
+ else if (rc == 0)
+ {
+- grub_load_image(boot_image);
++ grub_load_image(file_path, boot_image, fsize, dev_handle, cmdline,
++ cmdline_len, &image_handle);
+ grub_file_close (file);
++
++ /* We're finished with the source image buffer and file path now */
++ efi_call_2 (b->free_pages, address, pages);
++ grub_free (file_path);
++
+ grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
+
+ return 0;
+@@ -1109,6 +1144,12 @@ fail:
+ if (cmdline)
+ grub_free (cmdline);
+
++ if (image_handle != 0)
++ {
++ efi_call_1 (b->unload_image, image_handle);
++ image_handle = 0;
++ }
++
+ grub_dl_unref (my_mod);
+
+ return grub_errno;
diff --git a/SOURCES/0452-commands-boot-Add-API-to-pass-context-to-loader.patch b/SOURCES/0452-commands-boot-Add-API-to-pass-context-to-loader.patch
new file mode 100644
index 0000000..24c6a97
--- /dev/null
+++ b/SOURCES/0452-commands-boot-Add-API-to-pass-context-to-loader.patch
@@ -0,0 +1,161 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 29 Apr 2022 21:16:02 +0100
+Subject: [PATCH] commands/boot: Add API to pass context to loader
+
+Loaders rely on global variables for saving context which is consumed
+in the boot hook and freed in the unload hook. In the case where a loader
+command is executed twice, calling grub_loader_set a second time executes
+the unload hook, but in some cases this runs when the loader's global
+context has already been updated, resulting in the updated context being
+freed and potential use-after-free bugs when the boot hook is subsequently
+called.
+
+This adds a new API (grub_loader_set_ex) which allows a loader to specify
+context that is passed to its boot and unload hooks. This is an alternative
+to requiring that loaders call grub_loader_unset before mutating their
+global context.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+(cherry picked from commit 4322a64dde7e8fedb58e50b79408667129d45dd3)
+(cherry picked from commit 937ad0e2159b6b8cb0d2ce3515da3a8b797c7927)
+(cherry picked from commit 873038ae7048f6cae8a3ebb2f97a8d361a080e13)
+(cherry picked from commit 32ca6dd0281503696f003ba259bfcdad708f6314)
+---
+ grub-core/commands/boot.c | 66 +++++++++++++++++++++++++++++++++++++++++------
+ include/grub/loader.h | 5 ++++
+ 2 files changed, 63 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
+index bbca81e947..53691a62d9 100644
+--- a/grub-core/commands/boot.c
++++ b/grub-core/commands/boot.c
+@@ -27,10 +27,20 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+-static grub_err_t (*grub_loader_boot_func) (void);
+-static grub_err_t (*grub_loader_unload_func) (void);
++static grub_err_t (*grub_loader_boot_func) (void *);
++static grub_err_t (*grub_loader_unload_func) (void *);
++static void *grub_loader_context;
+ static int grub_loader_flags;
+
++struct grub_simple_loader_hooks
++{
++ grub_err_t (*boot) (void);
++ grub_err_t (*unload) (void);
++};
++
++/* Don't heap allocate this to avoid making grub_loader_set fallible. */
++static struct grub_simple_loader_hooks simple_loader_hooks;
++
+ struct grub_preboot
+ {
+ grub_err_t (*preboot_func) (int);
+@@ -44,6 +54,29 @@ static int grub_loader_loaded;
+ static struct grub_preboot *preboots_head = 0,
+ *preboots_tail = 0;
+
++static grub_err_t
++grub_simple_boot_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++ return hooks->boot ();
++}
++
++static grub_err_t
++grub_simple_unload_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++ grub_err_t ret;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++
++ ret = hooks->unload ();
++ grub_memset (hooks, 0, sizeof (*hooks));
++
++ return ret;
++}
++
+ int
+ grub_loader_is_loaded (void)
+ {
+@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
+ }
+
+ void
+-grub_loader_set (grub_err_t (*boot) (void),
+- grub_err_t (*unload) (void),
+- int flags)
++grub_loader_set_ex (grub_err_t (*boot) (void *),
++ grub_err_t (*unload) (void *),
++ void *context,
++ int flags)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = boot;
+ grub_loader_unload_func = unload;
++ grub_loader_context = context;
+ grub_loader_flags = flags;
+
+ grub_loader_loaded = 1;
+ }
+
++void
++grub_loader_set (grub_err_t (*boot) (void),
++ grub_err_t (*unload) (void),
++ int flags)
++{
++ grub_loader_set_ex (grub_simple_boot_hook,
++ grub_simple_unload_hook,
++ &simple_loader_hooks,
++ flags);
++
++ simple_loader_hooks.boot = boot;
++ simple_loader_hooks.unload = unload;
++}
++
+ void
+ grub_loader_unset(void)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = 0;
+ grub_loader_unload_func = 0;
++ grub_loader_context = 0;
+
+ grub_loader_loaded = 0;
+ }
+@@ -158,7 +208,7 @@ grub_loader_boot (void)
+ return err;
+ }
+ }
+- err = (grub_loader_boot_func) ();
++ err = (grub_loader_boot_func) (grub_loader_context);
+
+ for (cur = preboots_tail; cur; cur = cur->prev)
+ if (! err)
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index b208642821..1846fa6c5f 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -40,6 +40,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+ grub_err_t (*unload) (void),
+ int flags);
+
++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *),
++ grub_err_t (*unload) (void *),
++ void *context,
++ int flags);
++
+ /* Unset current loader, if any. */
+ void EXPORT_FUNC (grub_loader_unset) (void);
+
diff --git a/SOURCES/0453-loader-efi-chainloader-Use-grub_loader_set_ex.patch b/SOURCES/0453-loader-efi-chainloader-Use-grub_loader_set_ex.patch
new file mode 100644
index 0000000..2ce96a6
--- /dev/null
+++ b/SOURCES/0453-loader-efi-chainloader-Use-grub_loader_set_ex.patch
@@ -0,0 +1,150 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 29 Apr 2022 21:30:56 +0100
+Subject: [PATCH] loader/efi/chainloader: Use grub_loader_set_ex
+
+This ports the EFI chainloader to use grub_loader_set_ex in order to fix
+a use-after-free bug that occurs when grub_cmd_chainloader is executed
+more than once before a boot attempt is performed.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+(cherry picked from commit 4b7f0402b7cb0f67a93be736f2b75b818d7f44c9)
+(cherry picked from commit fc1a79bf0e0bc019362ace46d908a92b48dcd55b)
+(cherry picked from commit f5b653dfe00271384ff7fbd82db926ab95dbd80e)
+[rharwood: context sludge from previous commit]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 058d2bccb637ad618d1a23ecf7c9528b766966f6)
+---
+ grub-core/loader/efi/chainloader.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index 8d7072ee1a..3185a7a1c2 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -47,8 +47,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ static grub_dl_t my_mod;
+
+-static grub_efi_handle_t image_handle;
+-
+ struct grub_secureboot_chainloader_context {
+ grub_efi_physical_address_t address;
+ grub_efi_uintn_t pages;
+@@ -58,7 +56,6 @@ struct grub_secureboot_chainloader_context {
+ grub_ssize_t cmdline_len;
+ grub_efi_handle_t dev_handle;
+ };
+-static struct grub_secureboot_chainloader_context *sb_context;
+
+ static grub_err_t
+ grub_start_image (grub_efi_handle_t handle)
+@@ -97,11 +94,14 @@ grub_start_image (grub_efi_handle_t handle)
+ }
+
+ static grub_err_t
+-grub_chainloader_unload (void)
++grub_chainloader_unload (void *context)
+ {
++ grub_efi_handle_t image_handle;
+ grub_efi_loaded_image_t *loaded_image;
+ grub_efi_boot_services_t *b;
+
++ image_handle = (grub_efi_handle_t) context;
++
+ loaded_image = grub_efi_get_loaded_image (image_handle);
+ if (loaded_image != NULL)
+ grub_free (loaded_image->load_options);
+@@ -114,10 +114,12 @@ grub_chainloader_unload (void)
+ }
+
+ static grub_err_t
+-grub_chainloader_boot (void)
++grub_chainloader_boot (void *context)
+ {
++ grub_efi_handle_t image_handle;
+ grub_err_t err;
+
++ image_handle = (grub_efi_handle_t) context;
+ err = grub_start_image (image_handle);
+
+ grub_loader_unset ();
+@@ -835,15 +837,17 @@ error_exit:
+ }
+
+ static grub_err_t
+-grub_secureboot_chainloader_unload (void)
++grub_secureboot_chainloader_unload (void *context)
+ {
++ struct grub_secureboot_chainloader_context *sb_context;
++
++ sb_context = (struct grub_secureboot_chainloader_context *) context;
++
+ grub_efi_free_pages (sb_context->address, sb_context->pages);
+ grub_free (sb_context->file_path);
+ grub_free (sb_context->cmdline);
+ grub_free (sb_context);
+
+- sb_context = 0;
+-
+ grub_dl_unref (my_mod);
+ return GRUB_ERR_NONE;
+ }
+@@ -892,12 +896,15 @@ grub_load_image(grub_efi_device_path_t *file_path, void *boot_image,
+ }
+
+ static grub_err_t
+-grub_secureboot_chainloader_boot (void)
++grub_secureboot_chainloader_boot (void *context)
+ {
++ struct grub_secureboot_chainloader_context *sb_context;
+ grub_efi_boot_services_t *b;
+ int rc;
+ grub_efi_handle_t handle = 0;
+
++ sb_context = (struct grub_secureboot_chainloader_context *) context;
++
+ rc = handle_image (sb_context);
+ if (rc == 0)
+ {
+@@ -938,6 +945,8 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_char16_t *cmdline = 0;
+ grub_ssize_t cmdline_len = 0;
+ grub_efi_handle_t dev_handle = 0;
++ grub_efi_handle_t image_handle = 0;
++ struct grub_secureboot_chainloader_context *sb_context = 0;
+
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -1109,8 +1118,8 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+
+ grub_file_close (file);
+
+- grub_loader_set (grub_secureboot_chainloader_boot,
+- grub_secureboot_chainloader_unload, 0);
++ grub_loader_set_ex (grub_secureboot_chainloader_boot,
++ grub_secureboot_chainloader_unload, sb_context, 0);
+ return 0;
+ }
+ else if (rc == 0)
+@@ -1123,7 +1132,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ efi_call_2 (b->free_pages, address, pages);
+ grub_free (file_path);
+
+- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
++ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
+
+ return 0;
+ }
+@@ -1145,10 +1154,7 @@ fail:
+ grub_free (cmdline);
+
+ if (image_handle != 0)
+- {
+- efi_call_1 (b->unload_image, image_handle);
+- image_handle = 0;
+- }
++ efi_call_1 (b->unload_image, image_handle);
+
+ grub_dl_unref (my_mod);
+
diff --git a/SOURCES/0454-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch b/SOURCES/0454-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch
new file mode 100644
index 0000000..61f9753
--- /dev/null
+++ b/SOURCES/0454-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Mon, 2 May 2022 14:39:31 +0200
+Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
+ loader
+
+In some error paths in grub_cmd_linux, the pointer to lh may be
+dereferenced after the buffer it points to has been freed. There aren't
+any security implications from this because nothing else uses the
+allocator after the buffer is freed and before the pointer is
+dereferenced, but fix it anyway.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
+(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
+(cherry picked from commit 329633cb060957c3d2aca677ac733f07b213a63f)
+(cherry picked from commit c74456404adfb1ed0043c1de0b475e0d84c5c480)
+---
+ grub-core/loader/i386/efi/linux.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index c146bc58e3..bafee49852 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -343,9 +343,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ if (file)
+ grub_file_close (file);
+
+- if (kernel)
+- grub_free (kernel);
+-
+ if (grub_errno != GRUB_ERR_NONE)
+ {
+ grub_dl_unref (my_mod);
+@@ -365,6 +362,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)params,
+ BYTES_TO_PAGES(16384));
+
++ grub_free (kernel);
++
+ return grub_errno;
+ }
+
diff --git a/SOURCES/0455-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch b/SOURCES/0455-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
new file mode 100644
index 0000000..ddcbff1
--- /dev/null
+++ b/SOURCES/0455-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 25 Jun 2021 02:19:05 +1000
+Subject: [PATCH] kern/file: Do not leak device_name on error in
+ grub_file_open()
+
+If we have an error in grub_file_open() before we free device_name, we
+will leak it.
+
+Free device_name in the error path and null out the pointer in the good
+path once we free it there.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 1499a5068839fa37cb77ecef4b5bdacbd1ed12ea)
+(cherry picked from commit 2ec50b289d8b24922433439533113087f111f110)
+(cherry picked from commit 17c36ae88d7d6040cabc01cd4a21e71ff4731668)
+(cherry picked from commit 9c2f4b2da5ce570d5614a0849bdae9a95ed1f311)
+---
+ grub-core/kern/file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 24da12bb99..ec8c0265bc 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -80,6 +80,7 @@ grub_file_open (const char *name)
+
+ device = grub_device_open (device_name);
+ grub_free (device_name);
++ device_name = NULL;
+ if (! device)
+ goto fail;
+
+@@ -121,6 +122,7 @@ grub_file_open (const char *name)
+ return file;
+
+ fail:
++ grub_free (device_name);
+ if (device)
+ grub_device_close (device);
+
diff --git a/SOURCES/0456-video-readers-png-Abort-sooner-if-a-read-operation-f.patch b/SOURCES/0456-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
new file mode 100644
index 0000000..a465005
--- /dev/null
+++ b/SOURCES/0456-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
@@ -0,0 +1,201 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 14:02:55 +1000
+Subject: [PATCH] video/readers/png: Abort sooner if a read operation fails
+
+Fuzzing revealed some inputs that were taking a long time, potentially
+forever, because they did not bail quickly upon encountering an I/O error.
+
+Try to catch I/O errors sooner and bail out.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 882be97d1df6449b9fd4d593f0cb70005fde3494)
+(cherry picked from commit 3f6fc3ebfd58fcdb3fe6c2f7a5a4fa05772ae786)
+(cherry picked from commit aac5b8257d4078c3f764216aeae3367bdc19043f)
+(cherry picked from commit 3cdacdadbe289d3e73a8f58df5db05d8fe4d30c4)
+---
+ grub-core/video/readers/png.c | 55 ++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 39560f56fd..70beff905e 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -142,6 +142,7 @@ static grub_uint8_t
+ grub_png_get_byte (struct grub_png_data *data)
+ {
+ grub_uint8_t r;
++ grub_ssize_t bytes_read = 0;
+
+ if ((data->inside_idat) && (data->idat_remain == 0))
+ {
+@@ -175,7 +176,14 @@ grub_png_get_byte (struct grub_png_data *data)
+ }
+
+ r = 0;
+- grub_file_read (data->file, &r, 1);
++ bytes_read = grub_file_read (data->file, &r, 1);
++
++ if (bytes_read != 1)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: unexpected end of data");
++ return 0;
++ }
+
+ if (data->inside_idat)
+ data->idat_remain--;
+@@ -231,15 +239,16 @@ grub_png_decode_image_palette (struct grub_png_data *data,
+ if (len == 0 || len % 3 != 0)
+ return GRUB_ERR_NONE;
+
+- for (i = 0; 3 * i < len && i < 256; i++)
++ grub_errno = GRUB_ERR_NONE;
++ for (i = 0; 3 * i < len && i < 256 && grub_errno == GRUB_ERR_NONE; i++)
+ for (j = 0; j < 3; j++)
+ data->palette[i][j] = grub_png_get_byte (data);
+- for (i *= 3; i < len; i++)
++ for (i *= 3; i < len && grub_errno == GRUB_ERR_NONE; i++)
+ grub_png_get_byte (data);
+
+ grub_png_get_dword (data);
+
+- return GRUB_ERR_NONE;
++ return grub_errno;
+ }
+
+ static grub_err_t
+@@ -256,9 +265,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: invalid image size");
+
+ color_bits = grub_png_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ data->is_16bit = (color_bits == 16);
+
+ color_type = grub_png_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ /* According to PNG spec, no other types are valid. */
+ if ((color_type & ~(PNG_COLOR_MASK_ALPHA | PNG_COLOR_MASK_COLOR))
+@@ -340,14 +353,20 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ if (grub_png_get_byte (data) != PNG_COMPRESSION_BASE)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: compression method not supported");
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ if (grub_png_get_byte (data) != PNG_FILTER_TYPE_BASE)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: filter method not supported");
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ if (grub_png_get_byte (data) != PNG_INTERLACE_NONE)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: interlace method not supported");
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ /* Skip crc checksum. */
+ grub_png_get_dword (data);
+@@ -449,7 +468,7 @@ grub_png_get_huff_code (struct grub_png_data *data, struct huff_table *ht)
+ int code, i;
+
+ code = 0;
+- for (i = 0; i < ht->max_length; i++)
++ for (i = 0; i < ht->max_length && grub_errno == GRUB_ERR_NONE; i++)
+ {
+ code = (code << 1) + grub_png_get_bits (data, 1);
+ if (code < ht->maxval[i])
+@@ -504,8 +523,14 @@ grub_png_init_dynamic_block (struct grub_png_data *data)
+ grub_uint8_t lens[DEFLATE_HCLEN_MAX];
+
+ nl = DEFLATE_HLIT_BASE + grub_png_get_bits (data, 5);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ nd = DEFLATE_HDIST_BASE + grub_png_get_bits (data, 5);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ nb = DEFLATE_HCLEN_BASE + grub_png_get_bits (data, 4);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ if ((nl > DEFLATE_HLIT_MAX) || (nd > DEFLATE_HDIST_MAX) ||
+ (nb > DEFLATE_HCLEN_MAX))
+@@ -533,7 +558,7 @@ grub_png_init_dynamic_block (struct grub_png_data *data)
+ data->dist_offset);
+
+ prev = 0;
+- for (i = 0; i < nl + nd; i++)
++ for (i = 0; i < nl + nd && grub_errno == GRUB_ERR_NONE; i++)
+ {
+ int n, code;
+ struct huff_table *ht;
+@@ -721,17 +746,21 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
+ len = cplens[n];
+ if (cplext[n])
+ len += grub_png_get_bits (data, cplext[n]);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ n = grub_png_get_huff_code (data, &data->dist_table);
+ dist = cpdist[n];
+ if (cpdext[n])
+ dist += grub_png_get_bits (data, cpdext[n]);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ pos = data->wp - dist;
+ if (pos < 0)
+ pos += WSIZE;
+
+- while (len > 0)
++ while (len > 0 && grub_errno == GRUB_ERR_NONE)
+ {
+ data->slide[data->wp] = data->slide[pos];
+ grub_png_output_byte (data, data->slide[data->wp]);
+@@ -759,7 +788,11 @@ grub_png_decode_image_data (struct grub_png_data *data)
+ int final;
+
+ cmf = grub_png_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ flg = grub_png_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ if ((cmf & 0xF) != Z_DEFLATED)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+@@ -774,7 +807,11 @@ grub_png_decode_image_data (struct grub_png_data *data)
+ int block_type;
+
+ final = grub_png_get_bits (data, 1);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ block_type = grub_png_get_bits (data, 2);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ switch (block_type)
+ {
+@@ -790,7 +827,7 @@ grub_png_decode_image_data (struct grub_png_data *data)
+ grub_png_get_byte (data);
+ grub_png_get_byte (data);
+
+- for (i = 0; i < len; i++)
++ for (i = 0; i < len && grub_errno == GRUB_ERR_NONE; i++)
+ grub_png_output_byte (data, grub_png_get_byte (data));
+
+ break;
+@@ -1034,6 +1071,8 @@ grub_png_decode_png (struct grub_png_data *data)
+
+ len = grub_png_get_dword (data);
+ type = grub_png_get_dword (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ break;
+ data->next_offset = data->file->offset + len + 4;
+
+ switch (type)
diff --git a/SOURCES/0457-video-readers-png-Refuse-to-handle-multiple-image-he.patch b/SOURCES/0457-video-readers-png-Refuse-to-handle-multiple-image-he.patch
new file mode 100644
index 0000000..748b978
--- /dev/null
+++ b/SOURCES/0457-video-readers-png-Refuse-to-handle-multiple-image-he.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 14:13:40 +1000
+Subject: [PATCH] video/readers/png: Refuse to handle multiple image headers
+
+This causes the bitmap to be leaked. Do not permit multiple image headers.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 8ce433557adeadbc46429aabb9f850b02ad2bdfb)
+(cherry picked from commit 6e10bba6a4cbfd6c7bf116f41fd4e037465e19d8)
+(cherry picked from commit 812272d919ecfd368c008f15b677d369616ada54)
+(cherry picked from commit 571397816409f36f3d8ff0fad1695fe54e6926a4)
+---
+ grub-core/video/readers/png.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 70beff905e..a9066658f2 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -258,6 +258,9 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ int color_bits;
+ enum grub_video_blit_format blt;
+
++ if (data->image_width || data->image_height)
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: two image headers found");
++
+ data->image_width = grub_png_get_dword (data);
+ data->image_height = grub_png_get_dword (data);
+
diff --git a/SOURCES/0458-png-Optimize-by-avoiding-divisions.patch b/SOURCES/0458-png-Optimize-by-avoiding-divisions.patch
new file mode 100644
index 0000000..b64fedb
--- /dev/null
+++ b/SOURCES/0458-png-Optimize-by-avoiding-divisions.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Serbinenko <phcoder@gmail.com>
+Date: Thu, 26 Feb 2015 18:27:43 +0100
+Subject: [PATCH] png: Optimize by avoiding divisions.
+
+(cherry picked from commit 18125877eec4e6d7b0b6567b6c92eab1df946f47)
+---
+ grub-core/video/readers/png.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index a9066658f2..71bb76f9c4 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -236,7 +236,7 @@ grub_png_decode_image_palette (struct grub_png_data *data,
+ {
+ unsigned i = 0, j;
+
+- if (len == 0 || len % 3 != 0)
++ if (len == 0)
+ return GRUB_ERR_NONE;
+
+ grub_errno = GRUB_ERR_NONE;
+@@ -900,15 +900,26 @@ grub_png_convert_image (struct grub_png_data *data)
+ int mask = (1 << data->color_bits) - 1;
+ unsigned j;
+ if (data->is_gray)
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = (0xff * i) / ((1U << data->color_bits) - 1);
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
++ {
++ /* Generic formula is
++ (0xff * i) / ((1U << data->color_bits) - 1)
++ but for allowed bit depth of 1, 2 and for it's
++ equivalent to
++ (0xff / ((1U << data->color_bits) - 1)) * i
++ Precompute the multipliers to avoid division.
++ */
++
++ const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
++ for (i = 0; i < (1U << data->color_bits); i++)
++ {
++ grub_uint8_t col = multipliers[data->color_bits] * i;
++ palette[i][0] = col;
++ palette[i][1] = col;
++ palette[i][2] = col;
++ }
++ }
+ else
+- grub_memcpy (palette, data->palette, 16 * 3);
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+ d1c = d1;
+ d2c = d2;
+ for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
diff --git a/SOURCES/0459-video-readers-png-Drop-greyscale-support-to-fix-heap.patch b/SOURCES/0459-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
new file mode 100644
index 0000000..bce235c
--- /dev/null
+++ b/SOURCES/0459-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
@@ -0,0 +1,173 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 18:51:35 +1000
+Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap
+ out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+ for (i = 0; i < (data->image_width * data->image_height);
+ i++, d1 += 4, d2 += 2)
+ {
+ d1[R3] = d2[1];
+ d1[G3] = d2[1];
+ d1[B3] = d2[1];
+ }
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 0e1d163382669bd734439d8864ee969616d971d9)
+[rharwood: context conflict]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 4c631c8119206b3178912df2905434d967661c3d)
+(cherry picked from commit 6d5d5f51266b8113c6ba560835500e3c135f3722)
+(cherry picked from commit b134798cc28f7989e729d8c3fc83734444cdd00a)
+---
+ grub-core/video/readers/png.c | 85 +++----------------------------------------
+ 1 file changed, 6 insertions(+), 79 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 71bb76f9c4..dcfdaa8596 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+
+ unsigned image_width, image_height;
+ int bpp, is_16bit;
+- int raw_bytes, is_gray, is_alpha, is_palette;
++ int raw_bytes, is_alpha, is_palette;
+ int row_bytes, color_bits;
+ grub_uint8_t *image_data;
+
+@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp = 3;
+ else
+ {
+- data->is_gray = 1;
+- data->bpp = 1;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: color type not supported");
+ }
+
+ if ((color_bits != 8) && (color_bits != 16)
+ && (color_bits != 4
+- || !(data->is_gray || data->is_palette)))
++ || !data->is_palette))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: bit depth must be 8 or 16");
+
+@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+- if (data->is_16bit || data->is_gray || data->is_palette)
++ if (data->is_16bit || data->is_palette)
+ #endif
+ {
+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
+ int shift;
+ int mask = (1 << data->color_bits) - 1;
+ unsigned j;
+- if (data->is_gray)
+- {
+- /* Generic formula is
+- (0xff * i) / ((1U << data->color_bits) - 1)
+- but for allowed bit depth of 1, 2 and for it's
+- equivalent to
+- (0xff / ((1U << data->color_bits) - 1)) * i
+- Precompute the multipliers to avoid division.
+- */
+
+- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = multipliers[data->color_bits] * i;
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
+- }
+- else
+- grub_memcpy (palette, data->palette, 3 << data->color_bits);
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+ d1c = d1;
+ d2c = d2;
+ for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -956,60 +937,6 @@ grub_png_convert_image (struct grub_png_data *data)
+ }
+ return;
+ }
+-
+- if (data->is_gray)
+- {
+- switch (data->bpp)
+- {
+- case 4:
+- /* 16-bit gray with alpha. */
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 4)
+- {
+- d1[R4] = d2[3];
+- d1[G4] = d2[3];
+- d1[B4] = d2[3];
+- d1[A4] = d2[1];
+- }
+- break;
+- case 2:
+- if (data->is_16bit)
+- /* 16-bit gray without alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R3] = d2[1];
+- d1[G3] = d2[1];
+- d1[B3] = d2[1];
+- }
+- }
+- else
+- /* 8-bit gray with alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R4] = d2[1];
+- d1[G4] = d2[1];
+- d1[B4] = d2[1];
+- d1[A4] = d2[0];
+- }
+- }
+- break;
+- /* 8-bit gray without alpha. */
+- case 1:
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 3, d2++)
+- {
+- d1[R3] = d2[0];
+- d1[G3] = d2[0];
+- d1[B3] = d2[0];
+- }
+- break;
+- }
+- return;
+- }
+
+ {
+ /* Only copy the upper 8 bit. */
diff --git a/SOURCES/0460-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch b/SOURCES/0460-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
new file mode 100644
index 0000000..4b70554
--- /dev/null
+++ b/SOURCES/0460-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 23:25:07 +1000
+Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
+ items
+
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+
+Catch the case where we would underflow the array and bail.
+
+Fixes: CVE-2021-3696
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
+(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd)
+(cherry picked from commit 3a70e1f6e69af6e0d3c3cf526faa44dc0c80ac19)
+(cherry picked from commit 9990cee64b053a1593cf9883d73b630405519be2)
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index dcfdaa8596..24e972d1ba 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+ for (i = len; i < ht->max_length; i++)
+ n += ht->maxval[i];
+
++ if (n > ht->num_values)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: out of range inserting huffman table item");
++ return;
++ }
++
+ for (i = 0; i < n; i++)
+ ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+
diff --git a/SOURCES/0461-video-readers-png-Sanity-check-some-huffman-codes.patch b/SOURCES/0461-video-readers-png-Sanity-check-some-huffman-codes.patch
new file mode 100644
index 0000000..1a9f178
--- /dev/null
+++ b/SOURCES/0461-video-readers-png-Sanity-check-some-huffman-codes.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 19:19:11 +1000
+Subject: [PATCH] video/readers/png: Sanity check some huffman codes
+
+ASAN picked up two OOB global reads: we weren't checking if some code
+values fit within the cplens or cpdext arrays. Check and throw an error
+if not.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit c3a8ab0cbd24153ec7b1f84a96ddfdd72ef8d117)
+(cherry picked from commit 5d09addf58086aa11d5f9a91af5632ff87c2d2ee)
+(cherry picked from commit ff12584f9376a472f37d4ec14213fd29bf3b233a)
+(cherry picked from commit e953feb46429355bb09f2cd01886296068d48a7c)
+---
+ grub-core/video/readers/png.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 24e972d1ba..6c37678c40 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -753,6 +753,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
+ int len, dist, pos;
+
+ n -= 257;
++ if (((unsigned int) n) >= ARRAY_SIZE (cplens))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: invalid huff code");
+ len = cplens[n];
+ if (cplext[n])
+ len += grub_png_get_bits (data, cplext[n]);
+@@ -760,6 +763,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
+ return grub_errno;
+
+ n = grub_png_get_huff_code (data, &data->dist_table);
++ if (((unsigned int) n) >= ARRAY_SIZE (cpdist))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: invalid huff code");
+ dist = cpdist[n];
+ if (cpdext[n])
+ dist += grub_png_get_bits (data, cpdext[n]);
diff --git a/SOURCES/0462-grub-core-video-readers-jpeg.c-Avoid-division-by-zer.patch b/SOURCES/0462-grub-core-video-readers-jpeg.c-Avoid-division-by-zer.patch
new file mode 100644
index 0000000..34ae800
--- /dev/null
+++ b/SOURCES/0462-grub-core-video-readers-jpeg.c-Avoid-division-by-zer.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Serbinenko <phcoder@gmail.com>
+Date: Tue, 20 Jan 2015 19:35:49 +0100
+Subject: [PATCH] * grub-core/video/readers/jpeg.c: Avoid division by
+ zero.
+
+(cherry picked from commit 4816dcac19a05a1209822015d88903faef3d6f44)
+[rharwood: drop ChangeLog]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/video/readers/jpeg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index a6742a96b1..84cf5ceec9 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -323,7 +323,7 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ {
+ data->vs = ss & 0xF; /* Vertical sampling. */
+ data->hs = ss >> 4; /* Horizontal sampling. */
+- if ((data->vs > 2) || (data->hs > 2))
++ if ((data->vs > 2) || (data->hs > 2) || (data->vs == 0) || (data->hs == 0))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: sampling method not supported");
+ }
diff --git a/SOURCES/0463-jpeg-Optimise-by-replacing-division-with-shifts.patch b/SOURCES/0463-jpeg-Optimise-by-replacing-division-with-shifts.patch
new file mode 100644
index 0000000..48c7249
--- /dev/null
+++ b/SOURCES/0463-jpeg-Optimise-by-replacing-division-with-shifts.patch
@@ -0,0 +1,76 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Serbinenko <phcoder@gmail.com>
+Date: Thu, 26 Feb 2015 21:27:32 +0100
+Subject: [PATCH] jpeg: Optimise by replacing division with shifts.
+
+(cherry picked from commit 7213c1e02807e760febec06a0f19b11173abc55a)
+---
+ grub-core/video/readers/jpeg.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 84cf5ceec9..55bd95b797 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -94,7 +94,7 @@ struct grub_jpeg_data
+ jpeg_data_unit_t crdu;
+ jpeg_data_unit_t cbdu;
+
+- unsigned vs, hs;
++ unsigned log_vs, log_hs;
+ int dri;
+ unsigned r1;
+
+@@ -321,11 +321,14 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ ss = grub_jpeg_get_byte (data); /* Sampling factor. */
+ if (!id)
+ {
+- data->vs = ss & 0xF; /* Vertical sampling. */
+- data->hs = ss >> 4; /* Horizontal sampling. */
+- if ((data->vs > 2) || (data->hs > 2) || (data->vs == 0) || (data->hs == 0))
++ grub_uint8_t vs, hs;
++ vs = ss & 0xF; /* Vertical sampling. */
++ hs = ss >> 4; /* Horizontal sampling. */
++ if ((vs > 2) || (hs > 2) || (vs == 0) || (hs == 0))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: sampling method not supported");
++ data->log_vs = (vs == 2);
++ data->log_hs = (hs == 2);
+ }
+ else if (ss != JPEG_SAMPLING_1x1)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+@@ -638,10 +641,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ unsigned c1, vb, hb, nr1, nc1;
+ int rst = data->dri;
+
+- vb = data->vs * 8;
+- hb = data->hs * 8;
+- nr1 = (data->image_height + vb - 1) / vb;
+- nc1 = (data->image_width + hb - 1) / hb;
++ vb = 8 << data->log_vs;
++ hb = 8 << data->log_hs;
++ nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
++ nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
+ if (data->bitmap_ptr == NULL)
+ return grub_error(GRUB_ERR_BAD_FILE_TYPE,
+@@ -655,8 +658,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ unsigned r2, c2, nr2, nc2;
+ grub_uint8_t *ptr2;
+
+- for (r2 = 0; r2 < data->vs; r2++)
+- for (c2 = 0; c2 < data->hs; c2++)
++ for (r2 = 0; r2 < (1U << data->log_vs); r2++)
++ for (c2 = 0; c2 < (1U << data->log_hs); c2++)
+ grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
+
+ if (data->color_components >= 3)
+@@ -678,7 +681,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ unsigned i0;
+ int yy;
+
+- i0 = (r2 / data->vs) * 8 + (c2 / data->hs);
++ i0 = (r2 >> data->log_vs) * 8 + (c2 >> data->log_hs);
+ yy = data->ydu[(r2 / 8) * 2 + (c2 / 8)][(r2 % 8) * 8 + (c2 % 8)];
+
+ if (data->color_components >= 3)
diff --git a/SOURCES/0464-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch b/SOURCES/0464-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
new file mode 100644
index 0000000..75ce1a3
--- /dev/null
+++ b/SOURCES/0464-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
@@ -0,0 +1,258 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:16:14 +1000
+Subject: [PATCH] video/readers/jpeg: Abort sooner if a read operation fails
+
+Fuzzing revealed some inputs that were taking a long time, potentially
+forever, because they did not bail quickly upon encountering an I/O error.
+
+Try to catch I/O errors sooner and bail out.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit ab2e5d2e4bff488bbb557ed435a61ae102ef9f0c)
+(cherry picked from commit 1ff8df0d2dea8ec7c8575241d5e7d6622c204ec3)
+(cherry picked from commit b07767383b74a0ce7135c09ba8701510d4ad32f0)
+(cherry picked from commit 4f07a3be4499e569ba8f261c0c53e81012afa003)
+---
+ grub-core/video/readers/jpeg.c | 86 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 70 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 55bd95b797..5cea6ba894 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -109,9 +109,17 @@ static grub_uint8_t
+ grub_jpeg_get_byte (struct grub_jpeg_data *data)
+ {
+ grub_uint8_t r;
++ grub_ssize_t bytes_read;
+
+ r = 0;
+- grub_file_read (data->file, &r, 1);
++ bytes_read = grub_file_read (data->file, &r, 1);
++
++ if (bytes_read != 1)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: unexpected end of data");
++ return 0;
++ }
+
+ return r;
+ }
+@@ -120,9 +128,17 @@ static grub_uint16_t
+ grub_jpeg_get_word (struct grub_jpeg_data *data)
+ {
+ grub_uint16_t r;
++ grub_ssize_t bytes_read;
+
+ r = 0;
+- grub_file_read (data->file, &r, sizeof (grub_uint16_t));
++ bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
++
++ if (bytes_read != sizeof (grub_uint16_t))
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: unexpected end of data");
++ return 0;
++ }
+
+ return grub_be_to_cpu16 (r);
+ }
+@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
+ if (data->bit_mask == 0)
+ {
+ data->bit_save = grub_jpeg_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE) {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: file read error");
++ return 0;
++ }
+ if (data->bit_save == JPEG_ESC_CHAR)
+ {
+ if (grub_jpeg_get_byte (data) != 0)
+@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
+ "jpeg: invalid 0xFF in data stream");
+ return 0;
+ }
++ if (grub_errno != GRUB_ERR_NONE)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
++ return 0;
++ }
+ }
+ data->bit_mask = 0x80;
+ }
+@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
+ return 0;
+
+ msb = value = grub_jpeg_get_bit (data);
+- for (i = 1; i < num; i++)
++ for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
+ value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
+ if (!msb)
+ value += 1 - (1 << num);
+@@ -202,6 +228,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
+ while (data->file->offset + sizeof (count) + 1 <= next_marker)
+ {
+ id = grub_jpeg_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ ac = (id >> 4) & 1;
+ id &= 0xF;
+ if (id > 1)
+@@ -252,6 +280,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ if (next_marker > data->file->size)
+ {
+@@ -263,6 +293,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ <= next_marker)
+ {
+ id = grub_jpeg_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (id >= 0x10) /* Upper 4-bit is precision. */
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: only 8-bit precision is supported");
+@@ -294,6 +326,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
+
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
+ if (grub_jpeg_get_byte (data) != 8)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: only 8-bit precision is supported");
+@@ -319,6 +354,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
+
+ ss = grub_jpeg_get_byte (data); /* Sampling factor. */
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (!id)
+ {
+ grub_uint8_t vs, hs;
+@@ -498,7 +535,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
+ }
+ }
+
+-static void
++static grub_err_t
+ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ {
+ int h1, h2, qt;
+@@ -513,6 +550,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ data->dc_value[id] +=
+ grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));
+
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
+ du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
+ pos = 1;
+ while (pos < ARRAY_SIZE (data->quan_table[qt]))
+@@ -527,11 +567,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ num >>= 4;
+ pos += num;
+
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
+ if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
+ {
+- grub_error (GRUB_ERR_BAD_FILE_TYPE,
+- "jpeg: invalid position in zigzag order!?");
+- return;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: invalid position in zigzag order!?");
+ }
+
+ du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
+@@ -539,6 +581,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ }
+
+ grub_jpeg_idct_transform (du);
++ return GRUB_ERR_NONE;
+ }
+
+ static void
+@@ -597,7 +640,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ data_offset += grub_jpeg_get_word (data);
+
+ cc = grub_jpeg_get_byte (data);
+-
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (cc != 3 && cc != 1)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: component count must be 1 or 3");
+@@ -610,7 +654,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ id = grub_jpeg_get_byte (data) - 1;
+ if ((id < 0) || (id >= 3))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
+-
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ ht = grub_jpeg_get_byte (data);
+ data->comp_index[id][1] = (ht >> 4);
+ data->comp_index[id][2] = (ht & 0xF) + 2;
+@@ -618,11 +663,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ }
+
+ grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
+ grub_jpeg_get_word (data);
+-
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (data->file->offset != data_offset)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
+
+@@ -640,6 +688,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+ unsigned c1, vb, hb, nr1, nc1;
+ int rst = data->dri;
++ grub_err_t err = GRUB_ERR_NONE;
+
+ vb = 8 << data->log_vs;
+ hb = 8 << data->log_hs;
+@@ -660,17 +709,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+
+ for (r2 = 0; r2 < (1U << data->log_vs); r2++)
+ for (c2 = 0; c2 < (1U << data->log_hs); c2++)
+- grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
++ {
++ err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
++ if (err != GRUB_ERR_NONE)
++ return err;
++ }
+
+ if (data->color_components >= 3)
+ {
+- grub_jpeg_decode_du (data, 1, data->cbdu);
+- grub_jpeg_decode_du (data, 2, data->crdu);
++ err = grub_jpeg_decode_du (data, 1, data->cbdu);
++ if (err != GRUB_ERR_NONE)
++ return err;
++ err = grub_jpeg_decode_du (data, 2, data->crdu);
++ if (err != GRUB_ERR_NONE)
++ return err;
+ }
+
+- if (grub_errno)
+- return grub_errno;
+-
+ nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
+ nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;
+
diff --git a/SOURCES/0465-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch b/SOURCES/0465-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
new file mode 100644
index 0000000..e7a8e89
--- /dev/null
+++ b/SOURCES/0465-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:16:58 +1000
+Subject: [PATCH] video/readers/jpeg: Do not reallocate a given huff table
+
+Fix a memory leak where an invalid file could cause us to reallocate
+memory for a huffman table we had already allocated memory for.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit bc06e12b4de55cc6f926af9f064170c82b1403e9)
+(cherry picked from commit 5298bf758ea39a90537f9a1c76541ff2f21b970b)
+(cherry picked from commit aae6bac7f26c6b848156ed7adcff83309b833664)
+(cherry picked from commit 9e1e766d635fa473dcc4178549a2ab15d5867ec1)
+---
+ grub-core/video/readers/jpeg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 5cea6ba894..03b56ea91c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -245,6 +245,9 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
+ n += count[i];
+
+ id += ac * 2;
++ if (data->huff_value[id] != NULL)
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: attempt to reallocate huffman table");
+ data->huff_value[id] = grub_malloc (n);
+ if (grub_errno)
+ return grub_errno;
diff --git a/SOURCES/0466-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch b/SOURCES/0466-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
new file mode 100644
index 0000000..3dca964
--- /dev/null
+++ b/SOURCES/0466-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:25:17 +1000
+Subject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of
+ streams
+
+An invalid file could contain multiple start of stream blocks, which
+would cause us to reallocate and leak our bitmap. Refuse to handle
+multiple start of streams.
+
+Additionally, fix a grub_error() call formatting.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit f3a854def3e281b7ad4bbea730cd3046de1da52f)
+(cherry picked from commit db0154828989a0a52ee59a4dda8c3803752bc827)
+(cherry picked from commit 75afb375ef46bc99a7faf5879d0283934e34db97)
+(cherry picked from commit 9d39f2826e0244858a1b531a839a3130a476ecf2)
+---
+ grub-core/video/readers/jpeg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 03b56ea91c..5e46a55710 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -677,6 +677,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ if (data->file->offset != data_offset)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
+
++ if (*data->bitmap)
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
++
+ if (grub_video_bitmap_create (data->bitmap, data->image_width,
+ data->image_height,
+ GRUB_VIDEO_BLIT_FORMAT_RGB_888))
+@@ -699,8 +702,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
+ if (data->bitmap_ptr == NULL)
+- return grub_error(GRUB_ERR_BAD_FILE_TYPE,
+- "jpeg: attempted to decode data before start of stream");
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: attempted to decode data before start of stream");
+
+ for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
diff --git a/SOURCES/0467-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch b/SOURCES/0467-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
new file mode 100644
index 0000000..097dbef
--- /dev/null
+++ b/SOURCES/0467-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 7 Jul 2021 15:38:19 +1000
+Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
+
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+
+for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+
+We did not check if vb * width >= hb * nc1.
+
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+
+0x6180_0000_0480 to
+0x6181_0000_0498
+ ^
+ ~--- carry has occurred and this pointer is now far away from
+ any object.
+
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+
+Catch the underflow and error out.
+
+Fixes: CVE-2021-3697
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 41aeb2004db9924fecd9f2dd64bc2a5a5594a4b5)
+(cherry picked from commit 5f9582490792108306d047379fed2371bee286f8)
+(cherry picked from commit 7e4bf25d9bb5219fbf11c523296dc3bd78b80698)
+(cherry picked from commit a062059a004c9b3c7409ea29e721a08f64d7413b)
+---
+ grub-core/video/readers/jpeg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 5e46a55710..572250ae68 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -705,6 +705,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: attempted to decode data before start of stream");
+
++ if (vb * data->image_width <= hb * nc1)
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: cannot decode image with these dimensions");
++
+ for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+ for (c1 = 0; c1 < nc1 && (!data->dri || rst);
diff --git a/SOURCES/0468-normal-charset-Fix-array-out-of-bounds-formatting-un.patch b/SOURCES/0468-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
new file mode 100644
index 0000000..8cf46fa
--- /dev/null
+++ b/SOURCES/0468-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 13 Jul 2021 13:24:38 +1000
+Subject: [PATCH] normal/charset: Fix array out-of-bounds formatting unicode
+ for display
+
+In some cases attempting to display arbitrary binary strings leads
+to ASAN splats reading the widthspec array out of bounds.
+
+Check the index. If it would be out of bounds, return a width of 1.
+I don't know if that's strictly correct, but we're not really expecting
+great display of arbitrary binary data, and it's certainly not worse than
+an OOB read.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit fdf32abc7a3928852422c0f291d8cd1dd6b34a8d)
+(cherry picked from commit f2c10aaf335b88a69885375c4d68ffab2429df77)
+(cherry picked from commit 4c942e1ba8d1f1199a58d2eb139022ae22f75cb2)
+(cherry picked from commit f39239401ac1d8a54086376ca9e62682873342cd)
+---
+ grub-core/normal/charset.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index d89c0dafd5..d228caa643 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -395,6 +395,8 @@ grub_unicode_estimate_width (const struct grub_unicode_glyph *c)
+ {
+ if (grub_unicode_get_comb_type (c->base))
+ return 0;
++ if (((unsigned long) (c->base >> 3)) >= ARRAY_SIZE (widthspec))
++ return 1;
+ if (widthspec[c->base >> 3] & (1 << (c->base & 7)))
+ return 2;
+ else
diff --git a/SOURCES/0469-net-netbuff-Block-overly-large-netbuff-allocs.patch b/SOURCES/0469-net-netbuff-Block-overly-large-netbuff-allocs.patch
new file mode 100644
index 0000000..c79b3bc
--- /dev/null
+++ b/SOURCES/0469-net-netbuff-Block-overly-large-netbuff-allocs.patch
@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 23:47:46 +1100
+Subject: [PATCH] net/netbuff: Block overly large netbuff allocs
+
+A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment
+reassembly.
+
+This helps avoid some bugs (and provides a spot to instrument to catch
+them at their source).
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit ee9591103004cd13b4efadda671536090ca7fd57)
+(cherry picked from commit acde668bb9d9fa862a1a63e3bbd5fa47fdfa9183)
+(cherry picked from commit e47ad2eb4fe38ef2bdcab52245286f31170e73e3)
+(cherry picked from commit e763a37047e8b684f412ecbef32de2e997ee0b63)
+---
+ grub-core/net/netbuff.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c
+index dbeeefe478..d5e9e9a0d7 100644
+--- a/grub-core/net/netbuff.c
++++ b/grub-core/net/netbuff.c
+@@ -79,10 +79,23 @@ grub_netbuff_alloc (grub_size_t len)
+
+ COMPILE_TIME_ASSERT (NETBUFF_ALIGN % sizeof (grub_properly_aligned_t) == 0);
+
++ /*
++ * The largest size of a TCP packet is 64 KiB, and everything else
++ * should be a lot smaller - most MTUs are 1500 or less. Cap data
++ * size at 64 KiB + a buffer.
++ */
++ if (len > 0xffffUL + 0x1000UL)
++ {
++ grub_error (GRUB_ERR_BUG,
++ "attempted to allocate a packet that is too big");
++ return NULL;
++ }
++
+ if (len < NETBUFFMINLEN)
+ len = NETBUFFMINLEN;
+
+ len = ALIGN_UP (len, NETBUFF_ALIGN);
++
+ #ifdef GRUB_MACHINE_EMU
+ data = grub_malloc (len + sizeof (*nb));
+ #else
diff --git a/SOURCES/0470-net-ip-Do-IP-fragment-maths-safely.patch b/SOURCES/0470-net-ip-Do-IP-fragment-maths-safely.patch
new file mode 100644
index 0000000..5315fc3
--- /dev/null
+++ b/SOURCES/0470-net-ip-Do-IP-fragment-maths-safely.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Dec 2021 19:41:21 +1100
+Subject: [PATCH] net/ip: Do IP fragment maths safely
+
+This avoids an underflow and subsequent unpleasantness.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit eb74e5743ca7e18a5e75c392fe0b21d1549a1936)
+(cherry picked from commit 552ad34583e788542e9ca08524a0d4bc8f98c297)
+(cherry picked from commit 2c8cb7e3b8b48b136a950e5692fa6251b76df90e)
+(cherry picked from commit ec7f66954d81f3bb28f4c93581e0c562c8608fa1)
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index daa5b03516..bca6504c2e 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
++#include <grub/safemath.h>
+ #include <grub/time.h>
+
+ struct iphdr {
+@@ -536,7 +537,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+ {
+ rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ + (nb->tail - nb->data));
+- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++ &rsm->total_len))
++ {
++ grub_dprintf ("net", "IP reassembly size underflow\n");
++ return GRUB_ERR_NONE;
++ }
++
+ rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+ if (!rsm->asm_netbuff)
+ {
diff --git a/SOURCES/0471-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch b/SOURCES/0471-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
new file mode 100644
index 0000000..ed3665e
--- /dev/null
+++ b/SOURCES/0471-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 16 Sep 2021 01:29:54 +1000
+Subject: [PATCH] net/dns: Fix double-free addresses on corrupt DNS response
+
+grub_net_dns_lookup() takes as inputs a pointer to an array of addresses
+("addresses") for the given name, and pointer to a number of addresses
+("naddresses"). grub_net_dns_lookup() is responsible for allocating
+"addresses", and the caller is responsible for freeing it if
+"naddresses" > 0.
+
+The DNS recv_hook will sometimes set and free the addresses array,
+for example if the packet is too short:
+
+ if (ptr + 10 >= nb->tail)
+ {
+ if (!*data->naddresses)
+ grub_free (*data->addresses);
+ grub_netbuff_free (nb);
+ return GRUB_ERR_NONE;
+ }
+
+Later on the nslookup command code unconditionally frees the "addresses"
+array. Normally this is fine: the array is either populated with valid
+data or is NULL. But in these sorts of error cases it is neither NULL
+nor valid and we get a double-free.
+
+Only free "addresses" if "naddresses" > 0.
+
+It looks like the other use of grub_net_dns_lookup() is not affected.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit eb2e69fcf51307757e43f55ee8c9354d1ee42dd1)
+(cherry picked from commit d801a27e7acec6c1a83067fab0bb975877eaf704)
+(cherry picked from commit 4d8b6e36ddfda4084e370b3b08c432e8a462e9be)
+(cherry picked from commit 6e1ece695de550ed1a00b92afae5c980630aca29)
+---
+ grub-core/net/dns.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index bded12f22e..0ea823078b 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -661,9 +661,11 @@ grub_cmd_nslookup (struct grub_command *cmd __attribute__ ((unused)),
+ grub_net_addr_to_str (&addresses[i], buf);
+ grub_printf ("%s\n", buf);
+ }
+- grub_free (addresses);
+ if (naddresses)
+- return GRUB_ERR_NONE;
++ {
++ grub_free (addresses);
++ return GRUB_ERR_NONE;
++ }
+ return grub_error (GRUB_ERR_NET_NO_DOMAIN, N_("no DNS record found"));
+ }
+
diff --git a/SOURCES/0472-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch b/SOURCES/0472-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
new file mode 100644
index 0000000..20baf0d
--- /dev/null
+++ b/SOURCES/0472-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Dec 2021 21:55:43 +1100
+Subject: [PATCH] net/dns: Don't read past the end of the string we're checking
+ against
+
+I don't really understand what's going on here but fuzzing found
+a bug where we read past the end of check_with. That's a C string,
+so use grub_strlen() to make sure we don't overread it.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 6a97b3f4b1d5173aa516edc6dedbc63de7306d21)
+(cherry picked from commit e0589624e86bc96666cbdb62f6e55cafec2871b3)
+(cherry picked from commit 95ecbc0b9aacfd43ba96cccc50daaf39eccd9f7f)
+(cherry picked from commit 38b008ce855f818e36dfeeea83871659e1c6b083)
+---
+ grub-core/net/dns.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index 0ea823078b..2cbc114913 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -146,11 +146,18 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
+ int *length, char *set)
+ {
+ const char *readable_ptr = check_with;
++ int readable_len;
+ const grub_uint8_t *ptr;
+ char *optr = set;
+ int bytes_processed = 0;
+ if (length)
+ *length = 0;
++
++ if (readable_ptr != NULL)
++ readable_len = grub_strlen (readable_ptr);
++ else
++ readable_len = 0;
++
+ for (ptr = name_at; ptr < tail && bytes_processed < tail - head + 2; )
+ {
+ /* End marker. */
+@@ -172,13 +179,16 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
+ ptr = head + (((ptr[0] & 0x3f) << 8) | ptr[1]);
+ continue;
+ }
+- if (readable_ptr && grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0)
++ if (readable_ptr != NULL && (*ptr > readable_len || grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0))
+ return 0;
+ if (grub_memchr (ptr + 1, 0, *ptr)
+ || grub_memchr (ptr + 1, '.', *ptr))
+ return 0;
+ if (readable_ptr)
+- readable_ptr += *ptr;
++ {
++ readable_ptr += *ptr;
++ readable_len -= *ptr;
++ }
+ if (readable_ptr && *readable_ptr != '.' && *readable_ptr != 0)
+ return 0;
+ bytes_processed += *ptr + 1;
+@@ -192,7 +202,10 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
+ if (optr)
+ *optr++ = '.';
+ if (readable_ptr && *readable_ptr)
+- readable_ptr++;
++ {
++ readable_ptr++;
++ readable_len--;
++ }
+ ptr += *ptr + 1;
+ }
+ return 0;
diff --git a/SOURCES/0473-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch b/SOURCES/0473-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
new file mode 100644
index 0000000..be15aa5
--- /dev/null
+++ b/SOURCES/0473-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
@@ -0,0 +1,115 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Sep 2021 01:12:24 +1000
+Subject: [PATCH] net/tftp: Prevent a UAF and double-free from a failed seek
+
+A malicious tftp server can cause UAFs and a double free.
+
+An attempt to read from a network file is handled by grub_net_fs_read(). If
+the read is at an offset other than the current offset, grub_net_seek_real()
+is invoked.
+
+In grub_net_seek_real(), if a backwards seek cannot be satisfied from the
+currently received packets, and the underlying transport does not provide
+a seek method, then grub_net_seek_real() will close and reopen the network
+protocol layer.
+
+For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t
+file->data. The file->data pointer is not nulled out after the free.
+
+If the ->open() call fails, the file->data will not be reallocated and will
+continue point to a freed memory block. This could happen from a server
+refusing to send the requisite ack to the new tftp request, for example.
+
+The seek and the read will then fail, but the grub_file continues to exist:
+the failed seek does not necessarily cause the entire file to be thrown
+away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc.,
+a read failure is interpreted as a decompressor passing on the file, not as
+an invalidation of the entire grub_file_t structure).
+
+This means subsequent attempts to read or seek the file will use the old
+file->data after free. Eventually, the file will be close()d again and
+file->data will be freed again.
+
+Mark a net_fs file that doesn't reopen as broken. Do not permit read() or
+close() on a broken file (seek is not exposed directly to the file API -
+it is only called as part of read, so this blocks seeks as well).
+
+As an additional defence, null out the ->data pointer if tftp_open() fails.
+That would have lead to a simple null pointer dereference rather than
+a mess of UAFs.
+
+This may affect other protocols, I haven't checked.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit dada1dda695439bb55b2848dddc2d89843552f81)
+(cherry picked from commit 352c5ae8a9fc715712e6ecbd7ccb6218122c748f)
+(cherry picked from commit 61a010085ab9f0ecf42677773a6fc212f1579b0a)
+(cherry picked from commit 14e15ef7b027c39528b19bfe69145c29f9795566)
+---
+ grub-core/net/net.c | 11 +++++++++--
+ grub-core/net/tftp.c | 1 +
+ include/grub/net.h | 1 +
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 1f62aa10f2..7e7f79143c 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1590,7 +1590,8 @@ grub_net_fs_close (grub_file_t file)
+ grub_netbuff_free (file->device->net->packs.first->nb);
+ grub_net_remove_packet (file->device->net->packs.first);
+ }
+- file->device->net->protocol->close (file);
++ if (!file->device->net->broken)
++ file->device->net->protocol->close (file);
+ grub_free (file->device->net->name);
+ return GRUB_ERR_NONE;
+ }
+@@ -1811,7 +1812,10 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
+ file->device->net->eof = 0;
+ err = file->device->net->protocol->open (file, file->device->net->name);
+ if (err)
+- return err;
++ {
++ file->device->net->broken = 1;
++ return err;
++ }
+ grub_net_fs_read_real (file, NULL, offset);
+ return grub_errno;
+ }
+@@ -1820,6 +1824,9 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
+ static grub_ssize_t
+ grub_net_fs_read (grub_file_t file, char *buf, grub_size_t len)
+ {
++ if (file->device->net->broken)
++ return -1;
++
+ if (file->offset != file->device->net->offset)
+ {
+ grub_err_t err;
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index aa0424dcee..85be965470 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -402,6 +402,7 @@ tftp_open (struct grub_file *file, const char *filename)
+ {
+ grub_net_udp_close (data->sock);
+ grub_free (data);
++ file->data = NULL;
+ return grub_errno;
+ }
+
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 1ec827b9bf..50578c3ce3 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -268,6 +268,7 @@ typedef struct grub_net
+ grub_fs_t fs;
+ int eof;
+ int stall;
++ int broken;
+ } *grub_net_t;
+
+ extern grub_net_t (*EXPORT_VAR (grub_net_open)) (const char *name);
diff --git a/SOURCES/0474-misc-Format-string-for-grub_error-should-be-a-litera.patch b/SOURCES/0474-misc-Format-string-for-grub_error-should-be-a-litera.patch
new file mode 100644
index 0000000..8f7a430
--- /dev/null
+++ b/SOURCES/0474-misc-Format-string-for-grub_error-should-be-a-litera.patch
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Glenn Washburn <development@efficientek.com>
+Date: Thu, 4 Mar 2021 18:22:32 -0600
+Subject: [PATCH] misc: Format string for grub_error() should be a literal
+
+Signed-off-by: Glenn Washburn <development@efficientek.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry-picked from commit 60875f4e15d704b875969b415501802b531c4db3)
+(cherry picked from commit 9103b9e99e3541dea7a131cb1fbfb904c2ab249e)
+---
+ grub-core/loader/efi/chainloader.c | 2 +-
+ grub-core/net/tftp.c | 2 +-
+ grub-core/script/lexer.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index 3185a7a1c2..bfb4aa34cb 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -79,7 +79,7 @@ grub_start_image (grub_efi_handle_t handle)
+ *grub_utf16_to_utf8 ((grub_uint8_t *) buf,
+ exit_data, exit_data_size) = 0;
+
+- grub_error (GRUB_ERR_BAD_OS, buf);
++ grub_error (GRUB_ERR_BAD_OS, "%s", buf);
+ grub_free (buf);
+ }
+ }
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 85be965470..69a9ba6979 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -253,7 +253,7 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ case TFTP_ERROR:
+ data->have_oack = 1;
+ grub_netbuff_free (nb);
+- grub_error (GRUB_ERR_IO, (char *) tftph->u.err.errmsg);
++ grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
+ grub_error_save (&data->save_err);
+ return GRUB_ERR_NONE;
+ default:
+diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
+index 1c8bca0a32..71d0acf9d4 100644
+--- a/grub-core/script/lexer.c
++++ b/grub-core/script/lexer.c
+@@ -349,7 +349,7 @@ void
+ grub_script_yyerror (struct grub_parser_param *state, char const *err)
+ {
+ if (err)
+- grub_error (GRUB_ERR_INVALID_COMMAND, err);
++ grub_error (GRUB_ERR_INVALID_COMMAND, "%s", err);
+
+ grub_print_error ();
+ state->err++;
diff --git a/SOURCES/0475-net-tftp-Avoid-a-trivial-UAF.patch b/SOURCES/0475-net-tftp-Avoid-a-trivial-UAF.patch
new file mode 100644
index 0000000..c05798f
--- /dev/null
+++ b/SOURCES/0475-net-tftp-Avoid-a-trivial-UAF.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 18 Jan 2022 14:29:20 +1100
+Subject: [PATCH] net/tftp: Avoid a trivial UAF
+
+Under tftp errors, we print a tftp error message from the tftp header.
+However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
+we were freeing the nb and then dereferencing it. Don't do that, use it
+and then free it later.
+
+This isn't really _bad_ per se, especially as we're single-threaded, but
+it trips up fuzzers.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
+(cherry picked from commit dbe9abcdee6ce796811111b67e3f24eefe2135d1)
+(cherry picked from commit 72ae9c5d389d2c0337c44edead6e00db0bb84039)
+(cherry picked from commit e98cfb24fb3c80b0ccc8ca10c521456b4ae8c535)
+---
+ grub-core/net/tftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 69a9ba6979..09e1511ccf 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -252,9 +252,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ return GRUB_ERR_NONE;
+ case TFTP_ERROR:
+ data->have_oack = 1;
+- grub_netbuff_free (nb);
+ grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
+ grub_error_save (&data->save_err);
++ grub_netbuff_free (nb);
+ return GRUB_ERR_NONE;
+ default:
+ grub_netbuff_free (nb);
diff --git a/SOURCES/0476-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch b/SOURCES/0476-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
new file mode 100644
index 0000000..1ac21a3
--- /dev/null
+++ b/SOURCES/0476-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Mar 2022 23:14:15 +1100
+Subject: [PATCH] net/http: Do not tear down socket if it's already been torn
+ down
+
+It's possible for data->sock to get torn down in tcp error handling.
+If we unconditionally tear it down again we will end up doing writes
+to an offset of the NULL pointer when we go to tear it down again.
+
+Detect if it has been torn down and don't do it again.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit ec233d3ecf995293304de443579aab5c46c49e85)
+(cherry picked from commit d39cf87ed701b9f0900daed7f672e07994d37ce8)
+(cherry picked from commit e0aa5c3acec70eac3489d6df1893a93726cbce3a)
+(cherry picked from commit b417892b907ad5e22f0a81f142a2e186bcad9f1a)
+---
+ grub-core/net/http.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 82515f352d..4d787a52cd 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -428,7 +428,7 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
+ return err;
+ }
+
+- for (i = 0; !data->headers_recv && i < 100; i++)
++ for (i = 0; data->sock && !data->headers_recv && i < 100; i++)
+ {
+ grub_net_tcp_retransmit ();
+ grub_net_poll_cards (300, &data->headers_recv);
+@@ -436,7 +436,8 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
+
+ if (!data->headers_recv)
+ {
+- grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
++ if (data->sock)
++ grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
+ if (data->err)
+ {
+ char *str = data->errmsg;
diff --git a/SOURCES/0477-net-http-Fix-OOB-write-for-split-http-headers.patch b/SOURCES/0477-net-http-Fix-OOB-write-for-split-http-headers.patch
new file mode 100644
index 0000000..3e7cb1f
--- /dev/null
+++ b/SOURCES/0477-net-http-Fix-OOB-write-for-split-http-headers.patch
@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 18:17:03 +1100
+Subject: [PATCH] net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
+(cherry picked from commit b604916beb6c39e8ed27f72851eb16f3eaa293c5)
+(cherry picked from commit c3c6b1167a43275991efd6847160a46ce3839fae)
+(cherry picked from commit 33f4f314fa4ba2d0bec9f95dc77f93395b742fdd)
+---
+ grub-core/net/http.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 4d787a52cd..443b8ffe87 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -193,9 +193,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+ int have_line = 1;
+ char *t;
+ ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+- if (ptr)
+- ptr++;
+- else
++ if (ptr == NULL)
+ {
+ have_line = 0;
+ ptr = (char *) nb->tail;
diff --git a/SOURCES/0478-net-http-Error-out-on-headers-with-LF-without-CR.patch b/SOURCES/0478-net-http-Error-out-on-headers-with-LF-without-CR.patch
new file mode 100644
index 0000000..e509215
--- /dev/null
+++ b/SOURCES/0478-net-http-Error-out-on-headers-with-LF-without-CR.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 19:04:40 +1100
+Subject: [PATCH] net/http: Error out on headers with LF without CR
+
+In a similar vein to the previous patch, parse_line() would write
+a NUL byte past the end of the buffer if there was an HTTP header
+with a LF rather than a CRLF.
+
+RFC-2616 says:
+
+ Many HTTP/1.1 header field values consist of words separated by LWS
+ or special characters. These special characters MUST be in a quoted
+ string to be used within a parameter value (as defined in section 3.6).
+
+We don't support quoted sections or continuation lines, etc.
+
+If we see an LF that's not part of a CRLF, bail out.
+
+Fixes: CVE-2022-28734
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit d232ad41ac4979a9de4d746e5fdff9caf0e303de)
+(cherry picked from commit 8960e6d6137090a7e8c6592077da6e387a4ef972)
+(cherry picked from commit 9b6b9398c90dd76ce0b935d21c4ecb8954c4b2b7)
+(cherry picked from commit 939f44bae027c2f11fad5e730f1fda34b07a43a4)
+---
+ grub-core/net/http.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 443b8ffe87..e260e2defe 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -69,7 +69,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ char *end = ptr + len;
+ while (end > ptr && *(end - 1) == '\r')
+ end--;
++
++ /* LF without CR. */
++ if (end == ptr + len)
++ {
++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++ return GRUB_ERR_NONE;
++ }
+ *end = 0;
++
+ /* Trailing CRLF. */
+ if (data->in_chunk_len == 1)
+ {
diff --git a/SOURCES/0479-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch b/SOURCES/0479-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
new file mode 100644
index 0000000..a2f929d
--- /dev/null
+++ b/SOURCES/0479-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 29 Mar 2022 10:49:56 +0000
+Subject: [PATCH] fs/btrfs: Fix several fuzz issues with invalid dir item
+ sizing
+
+According to the btrfs code in Linux, the structure of a directory item
+leaf should be of the form:
+
+ |struct btrfs_dir_item|name|data|
+
+in GRUB the name len and data len are in the grub_btrfs_dir_item
+structure's n and m fields respectively.
+
+The combined size of the structure, name and data should be less than
+the allocated memory, a difference to the Linux kernel's struct
+btrfs_dir_item is that the grub_btrfs_dir_item has an extra field for
+where the name is stored, so we adjust for that too.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 6d3f06c0b6a8992b9b1bb0e62af93ac5ff2781f0)
+[rharwood: we've an extra variable here]
+(cherry picked from commit e3e21b9a81aea09dd43368cf097c1029a8380d82)
+(cherry picked from commit ab14a39777edb60c99751d4fdf1cc254a4faebf5)
+(cherry picked from commit b9944efba5b8a232ad1e07b4582fc371de138f1a)
+[rharwood: remove the extra variable]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/fs/btrfs.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 918f7b7b22..d8d71226ac 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -1534,6 +1534,7 @@ grub_btrfs_dir (grub_device_t device, const char *path,
+ int r = 0;
+ grub_uint64_t tree;
+ grub_uint8_t type;
++ grub_size_t est_size = 0;
+
+ if (!data)
+ return grub_errno;
+@@ -1592,6 +1593,18 @@ grub_btrfs_dir (grub_device_t device, const char *path,
+ break;
+ }
+
++ if (direl == NULL ||
++ grub_add (grub_le_to_cpu16 (direl->n),
++ grub_le_to_cpu16 (direl->m), &est_size) ||
++ grub_add (est_size, sizeof (*direl), &est_size) ||
++ grub_sub (est_size, sizeof (direl->name), &est_size) ||
++ est_size > allocated)
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ r = -grub_errno;
++ goto out;
++ }
++
+ for (cdirel = direl;
+ (grub_uint8_t *) cdirel - (grub_uint8_t *) direl
+ < (grub_ssize_t) elemsize;
+@@ -1602,6 +1615,19 @@ grub_btrfs_dir (grub_device_t device, const char *path,
+ char c;
+ struct grub_btrfs_inode inode;
+ struct grub_dirhook_info info;
++
++ if (cdirel == NULL ||
++ grub_add (grub_le_to_cpu16 (cdirel->n),
++ grub_le_to_cpu16 (cdirel->m), &est_size) ||
++ grub_add (est_size, sizeof (*cdirel), &est_size) ||
++ grub_sub (est_size, sizeof (cdirel->name), &est_size) ||
++ est_size > allocated)
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ r = -grub_errno;
++ goto out;
++ }
++
+ err = grub_btrfs_read_inode (data, &inode, cdirel->key.object_id,
+ tree);
+ grub_memset (&info, 0, sizeof (info));
diff --git a/SOURCES/0480-grub-core-fs-btrfs.c-Avoid-divisions-by-zero.patch b/SOURCES/0480-grub-core-fs-btrfs.c-Avoid-divisions-by-zero.patch
new file mode 100644
index 0000000..b36b91d
--- /dev/null
+++ b/SOURCES/0480-grub-core-fs-btrfs.c-Avoid-divisions-by-zero.patch
@@ -0,0 +1,103 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Serbinenko <phcoder@gmail.com>
+Date: Tue, 20 Jan 2015 17:36:29 +0100
+Subject: [PATCH] * grub-core/fs/btrfs.c: Avoid divisions by zero.
+
+(cherry picked from commit 9deb46e363a341d8c243e4c85754e673b4b68571)
+[rharwood: drop ChangeLog]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/fs/btrfs.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index d8d71226ac..a401374690 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -701,6 +701,8 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ grub_uint64_t stripen;
+ grub_uint64_t stripe_offset;
+ grub_uint64_t off = addr - grub_le_to_cpu64 (key->offset);
++ grub_uint64_t chunk_stripe_length;
++ grub_uint16_t nstripes;
+ unsigned redundancy = 1;
+ unsigned i, j;
+
+@@ -711,15 +713,17 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ "couldn't find the chunk descriptor");
+ }
+
++ nstripes = grub_le_to_cpu16 (chunk->nstripes) ? : 1;
++ chunk_stripe_length = grub_le_to_cpu64 (chunk->stripe_length) ? : 512;
+ grub_dprintf ("btrfs", "chunk 0x%" PRIxGRUB_UINT64_T
+ "+0x%" PRIxGRUB_UINT64_T
+ " (%d stripes (%d substripes) of %"
+ PRIxGRUB_UINT64_T ")\n",
+ grub_le_to_cpu64 (key->offset),
+ grub_le_to_cpu64 (chunk->size),
+- grub_le_to_cpu16 (chunk->nstripes),
++ nstripes,
+ grub_le_to_cpu16 (chunk->nsubstripes),
+- grub_le_to_cpu64 (chunk->stripe_length));
++ chunk_stripe_length);
+
+ switch (grub_le_to_cpu64 (chunk->type)
+ & ~GRUB_BTRFS_CHUNK_TYPE_BITS_DONTCARE)
+@@ -729,8 +733,10 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ grub_uint64_t stripe_length;
+ grub_dprintf ("btrfs", "single\n");
+ stripe_length = grub_divmod64 (grub_le_to_cpu64 (chunk->size),
+- grub_le_to_cpu16 (chunk->nstripes),
++ nstripes,
+ NULL);
++ if (stripe_length == 0)
++ stripe_length = 512;
+ stripen = grub_divmod64 (off, stripe_length, &stripe_offset);
+ csize = (stripen + 1) * stripe_length - off;
+ break;
+@@ -751,33 +757,34 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ grub_uint64_t low;
+ grub_dprintf ("btrfs", "RAID0\n");
+ middle = grub_divmod64 (off,
+- grub_le_to_cpu64 (chunk->stripe_length),
++ chunk_stripe_length,
+ &low);
+
+- high = grub_divmod64 (middle, grub_le_to_cpu16 (chunk->nstripes),
++ high = grub_divmod64 (middle, nstripes,
+ &stripen);
+ stripe_offset =
+- low + grub_le_to_cpu64 (chunk->stripe_length) * high;
+- csize = grub_le_to_cpu64 (chunk->stripe_length) - low;
++ low + chunk_stripe_length * high;
++ csize = chunk_stripe_length - low;
+ break;
+ }
+ case GRUB_BTRFS_CHUNK_TYPE_RAID10:
+ {
+ grub_uint64_t middle, high;
+ grub_uint64_t low;
++ grub_uint16_t nsubstripes;
++ nsubstripes = grub_le_to_cpu16 (chunk->nsubstripes) ? : 1;
+ middle = grub_divmod64 (off,
+- grub_le_to_cpu64 (chunk->stripe_length),
++ chunk_stripe_length,
+ &low);
+
+ high = grub_divmod64 (middle,
+- grub_le_to_cpu16 (chunk->nstripes)
+- / grub_le_to_cpu16 (chunk->nsubstripes),
++ nstripes / nsubstripes ? : 1,
+ &stripen);
+- stripen *= grub_le_to_cpu16 (chunk->nsubstripes);
+- redundancy = grub_le_to_cpu16 (chunk->nsubstripes);
+- stripe_offset = low + grub_le_to_cpu64 (chunk->stripe_length)
++ stripen *= nsubstripes;
++ redundancy = nsubstripes;
++ stripe_offset = low + chunk_stripe_length
+ * high;
+- csize = grub_le_to_cpu64 (chunk->stripe_length) - low;
++ csize = chunk_stripe_length - low;
+ break;
+ }
+ default:
diff --git a/SOURCES/0481-btrfs-Add-support-for-reading-a-filesystem-with-a-RA.patch b/SOURCES/0481-btrfs-Add-support-for-reading-a-filesystem-with-a-RA.patch
new file mode 100644
index 0000000..3cd2908
--- /dev/null
+++ b/SOURCES/0481-btrfs-Add-support-for-reading-a-filesystem-with-a-RA.patch
@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Goffredo Baroncelli <kreijack@inwind.it>
+Date: Mon, 22 Oct 2018 19:29:31 +0200
+Subject: [PATCH] btrfs: Add support for reading a filesystem with a RAID 5 or
+ RAID 6 profile
+
+Signed-off-by: Goffredo Baroncelli <kreijack@inwind.it>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 81e2673fb60a200a33bb064fbffe9e3956f37974)
+---
+ grub-core/fs/btrfs.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 73 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index a401374690..6f17f5d0eb 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -120,6 +120,8 @@ struct grub_btrfs_chunk_item
+ #define GRUB_BTRFS_CHUNK_TYPE_RAID1 0x10
+ #define GRUB_BTRFS_CHUNK_TYPE_DUPLICATED 0x20
+ #define GRUB_BTRFS_CHUNK_TYPE_RAID10 0x40
++#define GRUB_BTRFS_CHUNK_TYPE_RAID5 0x80
++#define GRUB_BTRFS_CHUNK_TYPE_RAID6 0x100
+ grub_uint8_t dummy2[0xc];
+ grub_uint16_t nstripes;
+ grub_uint16_t nsubstripes;
+@@ -785,6 +787,77 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ stripe_offset = low + chunk_stripe_length
+ * high;
+ csize = chunk_stripe_length - low;
++ break;
++ }
++ case GRUB_BTRFS_CHUNK_TYPE_RAID5:
++ case GRUB_BTRFS_CHUNK_TYPE_RAID6:
++ {
++ grub_uint64_t nparities, stripe_nr, high, low;
++
++ redundancy = 1; /* no redundancy for now */
++
++ if (grub_le_to_cpu64 (chunk->type) & GRUB_BTRFS_CHUNK_TYPE_RAID5)
++ {
++ grub_dprintf ("btrfs", "RAID5\n");
++ nparities = 1;
++ }
++ else
++ {
++ grub_dprintf ("btrfs", "RAID6\n");
++ nparities = 2;
++ }
++
++ /*
++ * RAID 6 layout consists of several stripes spread over
++ * the disks, e.g.:
++ *
++ * Disk_0 Disk_1 Disk_2 Disk_3
++ * A0 B0 P0 Q0
++ * Q1 A1 B1 P1
++ * P2 Q2 A2 B2
++ *
++ * Note: placement of the parities depend on row number.
++ *
++ * Pay attention that the btrfs terminology may differ from
++ * terminology used in other RAID implementations, e.g. LVM,
++ * dm or md. The main difference is that btrfs calls contiguous
++ * block of data on a given disk, e.g. A0, stripe instead of chunk.
++ *
++ * The variables listed below have following meaning:
++ * - stripe_nr is the stripe number excluding the parities
++ * (A0 = 0, B0 = 1, A1 = 2, B1 = 3, etc.),
++ * - high is the row number (0 for A0...Q0, 1 for Q1...P1, etc.),
++ * - stripen is the disk number in a row (0 for A0, Q1, P2,
++ * 1 for B0, A1, Q2, etc.),
++ * - off is the logical address to read,
++ * - chunk_stripe_length is the size of a stripe (typically 64 KiB),
++ * - nstripes is the number of disks in a row,
++ * - low is the offset of the data inside a stripe,
++ * - stripe_offset is the data offset in an array,
++ * - csize is the "potential" data to read; it will be reduced
++ * to size if the latter is smaller,
++ * - nparities is the number of parities (1 for RAID 5, 2 for
++ * RAID 6); used only in RAID 5/6 code.
++ */
++ stripe_nr = grub_divmod64 (off, chunk_stripe_length, &low);
++
++ /*
++ * stripen is computed without the parities
++ * (0 for A0, A1, A2, 1 for B0, B1, B2, etc.).
++ */
++ high = grub_divmod64 (stripe_nr, nstripes - nparities, &stripen);
++
++ /*
++ * The stripes are spread over the disks. Every each row their
++ * positions are shifted by 1 place. So, the real disks number
++ * change. Hence, we have to take into account current row number
++ * modulo nstripes (0 for A0, 1 for A1, 2 for A2, etc.).
++ */
++ grub_divmod64 (high + stripen, nstripes, &stripen);
++
++ stripe_offset = chunk_stripe_length * high + low;
++ csize = chunk_stripe_length - low;
++
+ break;
+ }
+ default:
diff --git a/SOURCES/0482-btrfs-Add-support-for-new-RAID1C34-profiles.patch b/SOURCES/0482-btrfs-Add-support-for-new-RAID1C34-profiles.patch
new file mode 100644
index 0000000..1704abc
--- /dev/null
+++ b/SOURCES/0482-btrfs-Add-support-for-new-RAID1C34-profiles.patch
@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Sterba <dave@jikos.cz>
+Date: Mon, 4 Nov 2019 17:23:22 +0100
+Subject: [PATCH] btrfs: Add support for new RAID1C34 profiles
+
+New 3- and 4-copy variants of RAID1 were merged into Linux kernel 5.5.
+Add the two new profiles to the list of recognized ones. As this builds
+on the same code as RAID1, only the redundancy level needs to be
+adjusted, the rest is done by the existing code.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 495781f5ed1b48bf27f16c53940d6700c181c74c)
+---
+ grub-core/fs/btrfs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 6f17f5d0eb..2d92d9c1b2 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -122,6 +122,8 @@ struct grub_btrfs_chunk_item
+ #define GRUB_BTRFS_CHUNK_TYPE_RAID10 0x40
+ #define GRUB_BTRFS_CHUNK_TYPE_RAID5 0x80
+ #define GRUB_BTRFS_CHUNK_TYPE_RAID6 0x100
++#define GRUB_BTRFS_CHUNK_TYPE_RAID1C3 0x200
++#define GRUB_BTRFS_CHUNK_TYPE_RAID1C4 0x400
+ grub_uint8_t dummy2[0xc];
+ grub_uint16_t nstripes;
+ grub_uint16_t nsubstripes;
+@@ -743,14 +745,19 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ csize = (stripen + 1) * stripe_length - off;
+ break;
+ }
++ case GRUB_BTRFS_CHUNK_TYPE_RAID1C4:
++ redundancy++;
++ /* fall through */
++ case GRUB_BTRFS_CHUNK_TYPE_RAID1C3:
++ redundancy++;
++ /* fall through */
+ case GRUB_BTRFS_CHUNK_TYPE_DUPLICATED:
+ case GRUB_BTRFS_CHUNK_TYPE_RAID1:
+ {
+- grub_dprintf ("btrfs", "RAID1\n");
++ grub_dprintf ("btrfs", "RAID1 (copies: %d)\n", ++redundancy);
+ stripen = 0;
+ stripe_offset = off;
+ csize = grub_le_to_cpu64 (chunk->size) - off;
+- redundancy = 2;
+ break;
+ }
+ case GRUB_BTRFS_CHUNK_TYPE_RAID0:
diff --git a/SOURCES/0483-btrfs-Move-logging-code-in-grub_btrfs_read_logical.patch b/SOURCES/0483-btrfs-Move-logging-code-in-grub_btrfs_read_logical.patch
new file mode 100644
index 0000000..0ec0406
--- /dev/null
+++ b/SOURCES/0483-btrfs-Move-logging-code-in-grub_btrfs_read_logical.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Goffredo Baroncelli <kreijack@inwind.it>
+Date: Mon, 22 Oct 2018 19:29:35 +0200
+Subject: [PATCH] btrfs: Move logging code in grub_btrfs_read_logical()
+
+A portion of the logging code is moved outside of internal for(;;). The part
+that is left inside is the one which depends on the internal for(;;) index.
+
+This is a preparatory patch. The next one will refactor the code inside
+the for(;;) into an another function.
+
+Signed-off-by: Goffredo Baroncelli <kreijack@inwind.it>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit c6f79aca8030689ab2087686654ac431db411fa3)
+---
+ grub-core/fs/btrfs.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 2d92d9c1b2..671dbd8918 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -881,6 +881,18 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+
+ for (j = 0; j < 2; j++)
+ {
++ grub_dprintf ("btrfs", "chunk 0x%" PRIxGRUB_UINT64_T
++ "+0x%" PRIxGRUB_UINT64_T
++ " (%d stripes (%d substripes) of %"
++ PRIxGRUB_UINT64_T ")\n",
++ grub_le_to_cpu64 (key->offset),
++ grub_le_to_cpu64 (chunk->size),
++ grub_le_to_cpu16 (chunk->nstripes),
++ grub_le_to_cpu16 (chunk->nsubstripes),
++ grub_le_to_cpu64 (chunk->stripe_length));
++ grub_dprintf ("btrfs", "reading laddr 0x%" PRIxGRUB_UINT64_T "\n",
++ addr);
++
+ for (i = 0; i < redundancy; i++)
+ {
+ struct grub_btrfs_chunk_stripe *stripe;
+@@ -893,20 +905,11 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+
+ paddr = grub_le_to_cpu64 (stripe->offset) + stripe_offset;
+
+- grub_dprintf ("btrfs", "chunk 0x%" PRIxGRUB_UINT64_T
+- "+0x%" PRIxGRUB_UINT64_T
+- " (%d stripes (%d substripes) of %"
+- PRIxGRUB_UINT64_T ") stripe %" PRIxGRUB_UINT64_T
++ grub_dprintf ("btrfs", "stripe %" PRIxGRUB_UINT64_T
+ " maps to 0x%" PRIxGRUB_UINT64_T "\n",
+- grub_le_to_cpu64 (key->offset),
+- grub_le_to_cpu64 (chunk->size),
+- grub_le_to_cpu16 (chunk->nstripes),
+- grub_le_to_cpu16 (chunk->nsubstripes),
+- grub_le_to_cpu64 (chunk->stripe_length),
+ stripen, stripe->offset);
+- grub_dprintf ("btrfs", "reading paddr 0x%" PRIxGRUB_UINT64_T
+- " for laddr 0x%" PRIxGRUB_UINT64_T "\n", paddr,
+- addr);
++ grub_dprintf ("btrfs", "reading paddr 0x%" PRIxGRUB_UINT64_T "\n",
++ paddr);
+
+ dev = find_device (data, stripe->device_id, j);
+ if (!dev)
diff --git a/SOURCES/0484-btrfs-Move-the-error-logging-from-find_device-to-its.patch b/SOURCES/0484-btrfs-Move-the-error-logging-from-find_device-to-its.patch
new file mode 100644
index 0000000..08965be
--- /dev/null
+++ b/SOURCES/0484-btrfs-Move-the-error-logging-from-find_device-to-its.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Goffredo Baroncelli <kreijack@inwind.it>
+Date: Mon, 22 Oct 2018 19:29:33 +0200
+Subject: [PATCH] btrfs: Move the error logging from find_device() to its
+ caller
+
+The caller knows better if this error is fatal or not, i.e. another disk is
+available or not.
+
+This is a preparatory patch.
+
+Signed-off-by: Goffredo Baroncelli <kreijack@inwind.it>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 908cdb1d029e27f8059f9e3571e8dcbd67f74d8a)
+---
+ grub-core/fs/btrfs.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 671dbd8918..2fb8fb323b 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -593,12 +593,7 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id, int do_rescan)
+ if (do_rescan)
+ grub_device_iterate (find_device_iter, &ctx);
+ if (!ctx.dev_found)
+- {
+- grub_error (GRUB_ERR_BAD_FS,
+- N_("couldn't find a necessary member device "
+- "of multi-device filesystem"));
+- return NULL;
+- }
++ return NULL;
+ data->n_devices_attached++;
+ if (data->n_devices_attached > data->n_devices_allocated)
+ {
+@@ -914,6 +909,9 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ dev = find_device (data, stripe->device_id, j);
+ if (!dev)
+ {
++ grub_dprintf ("btrfs",
++ "couldn't find a necessary member device "
++ "of multi-device filesystem\n");
+ err = grub_errno;
+ grub_errno = GRUB_ERR_NONE;
+ continue;
diff --git a/SOURCES/0485-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch b/SOURCES/0485-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
new file mode 100644
index 0000000..7a82ff9
--- /dev/null
+++ b/SOURCES/0485-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
@@ -0,0 +1,138 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 29 Mar 2022 15:52:46 +0000
+Subject: [PATCH] fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
+
+The fuzzer is generating btrfs file systems that have chunks with
+invalid combinations of stripes and substripes for the given RAID
+configurations.
+
+After examining the Linux kernel fs/btrfs/tree-checker.c code, it
+appears that sub-stripes should only be applied to RAID10, and in that
+case there should only ever be 2 of them.
+
+Similarly, RAID single should only have 1 stripe, and RAID1/1C3/1C4
+should have 2. 3 or 4 stripes respectively, which is what redundancy
+corresponds.
+
+Some of the chunks ended up with a size of 0, which grub_malloc() still
+returned memory for and in turn generated ASAN errors later when
+accessed.
+
+While it would be possible to specifically limit the number of stripes,
+a more correct test was on the combination of the chunk item, and the
+number of stripes by the size of the chunk stripe structure in
+comparison to the size of the chunk itself.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 3849647b4b98a4419366708fc4b7f339c6f55ec7)
+(cherry picked from commit fa5a02a8930bbd8a3b5ae6ed9612307611f18500)
+(cherry picked from commit cf2f58925dbe069d23fa1068ac3634c6a2cf2d51)
+[rharwood: don't want to backport raid56 and all its deps]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/fs/btrfs.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 2fb8fb323b..038da07020 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -682,6 +682,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ return grub_error (GRUB_ERR_BAD_FS,
+ "couldn't find the chunk descriptor");
+
++ if (!chsize)
++ {
++ grub_dprintf ("btrfs", "zero-size chunk\n");
++ return grub_error (GRUB_ERR_BAD_FS,
++ "got an invalid zero-size chunk");
++ }
+ chunk = grub_malloc (chsize);
+ if (!chunk)
+ return grub_errno;
+@@ -734,6 +740,16 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ stripe_length = grub_divmod64 (grub_le_to_cpu64 (chunk->size),
+ nstripes,
+ NULL);
++
++ /* For single, there should be exactly 1 stripe. */
++ if (grub_le_to_cpu16 (chunk->nstripes) != 1)
++ {
++ grub_dprintf ("btrfs", "invalid RAID_SINGLE: nstripes != 1 (%u)\n",
++ grub_le_to_cpu16 (chunk->nstripes));
++ return grub_error (GRUB_ERR_BAD_FS,
++ "invalid RAID_SINGLE: nstripes != 1 (%u)",
++ grub_le_to_cpu16 (chunk->nstripes));
++ }
+ if (stripe_length == 0)
+ stripe_length = 512;
+ stripen = grub_divmod64 (off, stripe_length, &stripe_offset);
+@@ -753,6 +769,19 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ stripen = 0;
+ stripe_offset = off;
+ csize = grub_le_to_cpu64 (chunk->size) - off;
++
++ /*
++ * Redundancy, and substripes only apply to RAID10, and there
++ * should be exactly 2 sub-stripes.
++ */
++ if (grub_le_to_cpu16 (chunk->nstripes) != redundancy)
++ {
++ grub_dprintf ("btrfs", "invalid RAID1: nstripes != %u (%u)\n",
++ redundancy, grub_le_to_cpu16 (chunk->nstripes));
++ return grub_error (GRUB_ERR_BAD_FS,
++ "invalid RAID1: nstripes != %u (%u)",
++ redundancy, grub_le_to_cpu16 (chunk->nstripes));
++ }
+ break;
+ }
+ case GRUB_BTRFS_CHUNK_TYPE_RAID0:
+@@ -789,6 +818,20 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ stripe_offset = low + chunk_stripe_length
+ * high;
+ csize = chunk_stripe_length - low;
++
++ /*
++ * Substripes only apply to RAID10, and there
++ * should be exactly 2 sub-stripes.
++ */
++ if (grub_le_to_cpu16 (chunk->nsubstripes) != 2)
++ {
++ grub_dprintf ("btrfs", "invalid RAID10: nsubstripes != 2 (%u)",
++ grub_le_to_cpu16 (chunk->nsubstripes));
++ return grub_error (GRUB_ERR_BAD_FS,
++ "invalid RAID10: nsubstripes != 2 (%u)",
++ grub_le_to_cpu16 (chunk->nsubstripes));
++ }
++
+ break;
+ }
+ case GRUB_BTRFS_CHUNK_TYPE_RAID5:
+@@ -876,6 +919,8 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+
+ for (j = 0; j < 2; j++)
+ {
++ grub_size_t est_chunk_alloc = 0;
++
+ grub_dprintf ("btrfs", "chunk 0x%" PRIxGRUB_UINT64_T
+ "+0x%" PRIxGRUB_UINT64_T
+ " (%d stripes (%d substripes) of %"
+@@ -888,6 +933,16 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ grub_dprintf ("btrfs", "reading laddr 0x%" PRIxGRUB_UINT64_T "\n",
+ addr);
+
++ if (grub_mul (sizeof (struct grub_btrfs_chunk_stripe),
++ grub_le_to_cpu16 (chunk->nstripes), &est_chunk_alloc) ||
++ grub_add (est_chunk_alloc,
++ sizeof (struct grub_btrfs_chunk_item), &est_chunk_alloc) ||
++ est_chunk_alloc > chunk->size)
++ {
++ err = GRUB_ERR_BAD_FS;
++ break;
++ }
++
+ for (i = 0; i < redundancy; i++)
+ {
+ struct grub_btrfs_chunk_stripe *stripe;
diff --git a/SOURCES/0486-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch b/SOURCES/0486-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
new file mode 100644
index 0000000..767e091
--- /dev/null
+++ b/SOURCES/0486-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 7 Apr 2022 15:18:12 +0000
+Subject: [PATCH] fs/btrfs: Fix more fuzz issues related to chunks
+
+The corpus we generating issues in grub_btrfs_read_logical() when
+attempting to iterate over nstripes entries in the boot mapping.
+
+In most cases the reason for the failure was that the number of strips
+exceeded the possible space statically allocated in superblock bootmapping
+space. Each stripe entry in the bootmapping block consists of
+a grub_btrfs_key followed by a grub_btrfs_chunk_stripe.
+
+Another issue that came up was that while calculating the chunk size,
+in an earlier piece of code in that function, depending on the data
+provided in the btrfs file system, it would end up calculating a size
+that was too small to contain even 1 grub_btrfs_chunk_item, which is
+obviously invalid too.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit e00cd76cbadcc897a9cc4087cb2fcb5dbe15e596)
+(cherry picked from commit b74a6fc95b0839937acf4f2b7445ae9d179f49ec)
+(cherry picked from commit fe06e6c9f97be3550fe36a01a9f9795d7530a01a)
+[rharwood: didn't want to backport raid56 and all it deps]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/fs/btrfs.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 038da07020..d8102506a7 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -688,6 +688,17 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ return grub_error (GRUB_ERR_BAD_FS,
+ "got an invalid zero-size chunk");
+ }
++
++ /*
++ * The space being allocated for a chunk should at least be able to
++ * contain one chunk item.
++ */
++ if (chsize < sizeof (struct grub_btrfs_chunk_item))
++ {
++ grub_dprintf ("btrfs", "chunk-size too small\n");
++ return grub_error (GRUB_ERR_BAD_FS,
++ "got an invalid chunk size");
++ }
+ chunk = grub_malloc (chsize);
+ if (!chunk)
+ return grub_errno;
+@@ -917,6 +928,13 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ if (csize > (grub_uint64_t) size)
+ csize = size;
+
++ /*
++ * The space for a chunk stripe is limited to the space provide in the super-block's
++ * bootstrap mapping with an initial btrfs key at the start of each chunk.
++ */
++ grub_size_t avail_stripes = sizeof (data->sblock.bootstrap_mapping) /
++ (sizeof (struct grub_btrfs_key) + sizeof (struct grub_btrfs_chunk_stripe));
++
+ for (j = 0; j < 2; j++)
+ {
+ grub_size_t est_chunk_alloc = 0;
+@@ -943,6 +961,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ break;
+ }
+
++ if (grub_le_to_cpu16 (chunk->nstripes) > avail_stripes)
++ {
++ err = GRUB_ERR_BAD_FS;
++ break;
++ }
++
+ for (i = 0; i < redundancy; i++)
+ {
+ struct grub_btrfs_chunk_stripe *stripe;
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 294b05f..0000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
@@ -1,425 +0,0 @@
-
-<!DOCTYPE html>
-<html lang='en'>
-<head>
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
- <title>Tree - rpms/kernel - CentOS Git server</title>
- <link rel="shortcut icon" type="image/vnd.microsoft.icon"
-href="/theme/static/favicon.ico"/>
-<link rel="stylesheet" href="/static/vendor/bootstrap/bootstrap.min.css" />
-<link href="/theme/static/theme.css" rel="stylesheet" type="text/css" />
-
- <link type="text/css" rel="stylesheet" nonce="zU2361P7dte9FXpc7MWuyPXgo" href="/static/vendor/font-awesome/font-awesome.css?version=5.8.1"/>
- <link type="text/css" rel="stylesheet" nonce="zU2361P7dte9FXpc7MWuyPXgo" href="/static/pagure.css?version=5.8.1"/>
-<link nonce="zU2361P7dte9FXpc7MWuyPXgo" rel="stylesheet" href="/static/vendor/highlight.js/styles/github.css?version=5.8.1"/>
-<link nonce="zU2361P7dte9FXpc7MWuyPXgo" rel="stylesheet" href="/static/vendor/highlightjs-line-numbers/highlightjs-line-numbers.min.css?version=5.8.1"/>
-<style nonce="zU2361P7dte9FXpc7MWuyPXgo">
- .hljs {
- background: #fff;
- }
-</style>
- </head>
- <body id="home">
-
- <!-- start masthead -->
- <nav class="navbar navbar-dark bg-dark p-0 navbar-expand">
- <div class="container">
- <a href="/" class="navbar-brand">
- <img height=40px src="/theme/static/pagure-logo.png?version=5.8.1"
- alt="pagure Logo" id="pagureLogo"/>
- </a>
- <ul class="navbar-nav ml-auto">
- <li class="nav-item">
- <a class="btn btn-primary" href="/login/?next=https://git.centos.org/rpms/kernel/blob/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt">Log In</a>
- </li>
- </ul>
- </div>
- </nav>
- <!-- close masthead-->
-
- <div class="bodycontent">
-
-
-<div class="bg-light border border-bottom pt-3">
- <div class="container">
- <div class="row mb-3">
- <div class="col-6">
- <div class="row">
- <div class="col-auto pr-0">
- <h3>
-<i class="fa fa-calendar-o fa-rotate-270 text-muted"></i></h3>
- </div>
- <div class="col-auto pl-2">
- <h3 class="mb-0">
-<a href="/projects/rpms/%2A">rpms</a> / <a href="/rpms/kernel"><strong>kernel</strong></a>
- </h3>
- </div>
- </div>
- </div>
- <div class="col-6 text-right">
- <div class="btn-group">
- <div class="btn-group">
- <a href="#"
- class="btn btn-sm dropdown-toggle btn-outline-primary"
- data-toggle="dropdown" id="watch-button">
- <i class="fa fa-clone fa-fw"></i>
- <span>Clone</span>
- </a>
- <div class="dropdown-menu dropdown-menu-right">
- <div class="m-3" id="source-dropdown" class="pointer">
- <div>
- <h5><strong>Source Code</strong></h5>
-
- <div class="form-group">
- <div class="input-group input-group-sm">
- <div class="input-group-prepend"><span class="input-group-text">GIT</span></div>
- <input class="form-control bg-white select-on-focus" type="text" value="https://git.centos.org/rpms/kernel.git" readonly>
- </div>
- </div>
- </div>
- </div>
- </div>
-
- </div>
- </div>
- </div>
-</div>
-
-<ul class="nav nav-tabs nav-small border-bottom-0">
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link active" href="/rpms/kernel">
- <i class="fa fa-code fa-fw text-muted"></i>
- <span class="d-none d-md-inline">Source</span>
- </a>
- </li>
-
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link" href="/rpms/kernel/issues">
- <i class="fa fa-fw text-muted fa-exclamation-circle"></i>
- <span class="d-none d-md-inline">Issues </span>
- <span class="badge badge-secondary py-0 d-none d-md-inline">
- 0
- </span>
- </a>
- </li>
-
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link" href="/rpms/kernel/pull-requests">
- <i class="fa fa-fw text-muted fa-arrow-circle-down"></i>
- <span class="d-none d-md-inline">Pull Requests </span>
- <span class="badge badge-secondary py-0 d-none d-md-inline">
- 0
- </span>
- </a>
- </li>
-
-
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link" href="/rpms/kernel/stats">
- <i class="fa fa-line-chart fa-fw text-muted"></i>
- <span class="d-none d-md-inline">Stats</span>
- </a>
- </li>
-
-
-</ul>
- </div>
-</div>
-
-<div class="container pt-5 repo-body-container">
- <div class="row">
- <div class="col-2">
-<nav class="nav nav-tabs nav-sidetabs flex-column">
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel">
- <i class="fa fa-home text-muted fa-fw"></i> <span class="d-none d-md-inline">Overview</span>
- </a>
- <a class=
- "nav-link nowrap
- active"
- href="/rpms/kernel/tree/ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <i class="fa fa-file-code-o text-muted fa-fw"></i> Files
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/commits/ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <i class="fa fa-list-alt text-muted fa-fw" data-glyph="spreadsheet"></i> Commits
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/branches?branchname=ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <i class="fa fa-random text-muted fa-fw"></i> Branches
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/forks">
- <i class="fa fa-code-fork text-muted fa-fw"></i> Forks
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/releases">
- <i class="fa fa-tags text-muted fa-fw"></i> Releases
- </a>
-</nav> </div>
- <div class="col-10">
- <div class="row mb-1">
- <div class="col-sm-6">
- <h3>
- Files
- </h3>
- </div>
-
- <div class="col-sm-6">
- <div class="float-right">
- <a href="#" class="btn btn-outline-light border-secondary text-dark btn-sm"
- aria-haspopup="true" aria-expanded="false">
- Commit: <span class="font-weight-bold">ed0e597ee2d605d93e246185acb1e5cf68f72f5e</span>
- </a>
- </div>
- </div>
- </div>
- <div class="card mb-3">
- <div class="card-header">
- <ol class="breadcrumb p-0 bg-transparent mb-0">
- <li class="breadcrumb-item">
- <a href="/rpms/kernel/tree/ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <span class="fa fa-random">
- </span> ed0e597ee2d605d93e246185acb1e5cf68f72f5e
- </a>
- </li>
-<li class="breadcrumb-item"><a href="/rpms/kernel/blob/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES">
- <span class="fa fa-folder"></span> SOURCES</a>
- </li>
- <li class="active breadcrumb-item">
- <span class="fa fa-file" data-glyph="">
- </span> centossecureboot001.crt
- </li>
- </ol>
- </div>
-
- <div class="card-body p-0">
- <div class="bg-light border text-right pr-2">
- <form class="btn btn-sm" method="POST" name="fork_project"
- action="/fork_edit/rpms/kernel/edit/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt">
- <button class="btn btn-sm btn-secondary fork_project_btn">
- Fork and Edit
- </button>
-
- </form>
-
- <a class="btn btn-secondary btn-sm" href="/rpms/kernel/blob/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt" title="View as blob">Blob</a>
-
- <a class="btn btn-secondary btn-sm" href="/rpms/kernel/blame/SOURCES/centossecureboot001.crt?identifier=ed0e597ee2d605d93e246185acb1e5cf68f72f5e" title="View git blame">Blame</a>
-
- <a class="btn btn-secondary btn-sm" href="/rpms/kernel/raw/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt" title="View as raw">Raw</a>
- </div>
-
- <pre class="syntaxhighlightblock"><code class="">Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- b6:16:15:71:72:fb:31:7e
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
- Validity
- Not Before: Aug 1 11:47:30 2018 GMT
- Not After : Dec 31 11:47:30 2037 GMT
- Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
- 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
- cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
- 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
- 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
- bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
- 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
- a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
- 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
- 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
- aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
- 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
- f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
- 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
- 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
- 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
- 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
- 94:0f
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature
- X509v3 Subject Key Identifier:
- F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
- X509v3 Authority Key Identifier:
- keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
- Signature Algorithm: sha256WithRSAEncryption
- 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
- dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
- 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
- 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
- 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
- b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
- f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
- 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
- a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
- 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
- ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
- 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
- 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
- da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
- da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
-</code></pre>
- </div>
- </div> <!-- end .card-->
-
-</div>
-</div>
-</div>
- </div>
-
- <div class="footer py-3 bg-light border-top text-center">
- <div class="container">
- <p class="text-muted credit">
- Powered by
- <a href="https://pagure.io/pagure">Pagure</a>
- 5.8.1
- </p>
- <p><a href="/ssh_info">SSH Hostkey/Fingerprint</a> | <a href="https://docs.pagure.org/pagure/usage/index.html">Documentation</a></p>
- </div>
- </div>
-
-
- <script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/jquery/jquery.min.js?version=5.8.1"></script>
-
- <script src="/static/vendor/bootstrap/bootstrap.bundle.min.js"></script>
-
- <script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
- $('[data-toggle="tooltip"]').tooltip({placement : 'bottom'});
- $(".cancel_btn").click(function() {
- history.back();
- });
- </script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/lazyload/lazyload.min.js?version=5.8.1"></script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
-window.addEventListener("load", function(event) {
- lazyload();
-});
-</script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
-$("#giturl-toggle").on('click', function(event){
- event.stopPropagation();
- $("#giturl-more").toggle();
- $("#giturl-toggle").hide();
-})
-
-$(".fork_project_btn").click(function() {
- $('#fork_project').submit();
-});
-
-$(".select-on-focus").on("focus", function() {
- $(this).select();
-});
-
-</script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/highlight.js/highlight.pack.js?version=5.8.1"></script>
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/highlightjs-line-numbers/highlightjs-line-numbers.min.js?version=5.8.1"></script>
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/highlight.js/spec.js?version=5.8.1"></script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
- $(document).ready(function() {
- $('.fork_project_btn').click($("[name=fork_project]").submit);
-
- $('pre.syntaxhighlightblock code').each(function(i, block) {
- hljs.highlightBlock(block);
- hljs.lineNumbersBlock(block);
- });
-
- var cls = "highlighted-line";
- var lines = location.hash.substr(2).split('-').map(function (x) { return parseInt(x, 10) });
- if (! isNaN(lines[0]))
- {
- for (var i = lines[lines.length - 1]; i >= lines[0]; i--) {
- $('#_' + i).parent().parent().addClass(cls);
- }
- setTimeout(function(){
- $("#_" + lines[0]).get(0).scrollIntoView({behavior: "instant", block: "start", inline: "nearest"});
- }, 50);
- }
-});
-</script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
-
- function updateHighlight() {
- var cls = "highlighted-line";
- $('.' + cls).removeClass(cls)
- if (location.hash !== '') {
- var lines = location.hash.substr(2).split('-').map(function (x) { return parseInt(x, 10) });
- for (var i = lines[lines.length - 1]; i >= lines[0]; i--) {
- $('[data-line-number=' + i + ']').closest('tr').addClass(cls);
- }
- return lines;
- }
- return [];
- }
- $(window).on('hashchange', updateHighlight);
- var selected = [];
- $("[data-line-number]").click(function (ev) {
- var line = $(this).attr('data-line-number');
- if (ev.shiftKey) {
- selected = selected.slice(-1).concat(line);
- } else {
- selected = [line];
- }
-
- var hash = '_' + selected[0];
- if (selected.length === 2) {
- hash = '_' + Math.min(selected[0], selected[1]) + '-' + Math.max(selected[0], selected[1]);
- }
- window.location.hash = hash;
- return false;
- });
-
-</script>
-
-
-
-</body>
-</html>
\ No newline at end of file
diff --git a/SOURCES/centossecureboot202.crt b/SOURCES/centossecureboot202.crt
deleted file mode 100644
index fba3730..0000000
--- a/SOURCES/centossecureboot202.crt
+++ /dev/null
@@ -1,84 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- 93:c2:04:d8:bd:77:6b:12
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org
- Validity
- Not Before: Jun 9 10:37:54 2020 GMT
- Not After : Jan 18 10:37:54 2038 GMT
- Subject: CN=CentOS Secure Boot Signing 202/emailAddress=security@centos.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:d4:f0:32:4d:50:7a:c0:41:d6:61:68:59:5e:5b:
- ce:65:e3:e9:7b:01:e4:53:94:c9:b7:c1:6b:b7:12:
- 0b:bc:8f:d7:17:1b:c1:77:3a:08:17:ba:23:f1:bd:
- 98:f0:7c:cb:96:70:2e:0e:2e:96:66:b7:9f:29:12:
- 6f:ee:30:33:a1:a5:ee:f9:4b:a3:fb:52:45:d8:7e:
- c2:e8:a9:20:a9:f2:2e:f4:44:b7:85:3f:34:7c:c0:
- 73:1d:73:63:2f:11:a0:7d:df:e7:5a:20:b9:b9:ff:
- 5d:0e:6d:90:86:1f:2e:fa:c7:b5:94:37:80:46:0d:
- fb:5f:f8:26:f4:ce:2f:0d:5b:bf:e5:8d:a5:12:d7:
- ba:cf:16:f2:5c:10:ae:a0:80:a8:dc:c4:6b:00:24:
- f4:4b:f0:01:82:7e:4b:1c:b6:d6:ac:e1:72:32:07:
- 5d:48:4a:cd:ba:5c:9c:09:72:89:b2:2e:60:f7:b7:
- ed:ea:b6:0d:ae:63:f8:09:a1:8f:62:ee:09:d2:cb:
- 0a:81:df:7c:72:4b:bf:bd:fb:59:24:84:1f:1d:ce:
- 36:bc:4c:13:84:ca:c5:e0:81:bb:ec:61:8f:9f:78:
- 88:43:8d:e0:16:b2:ab:90:14:23:29:ce:1d:e7:a1:
- bb:4a:93:f9:f8:8d:b8:ff:2f:30:74:66:b2:31:89:
- b1:7d
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage: critical
- Digital Signature
- X509v3 Extended Key Usage: critical
- Code Signing
- X509v3 Subject Key Identifier:
- 1E:55:FF:FF:01:71:5F:F1:28:7F:C8:A9:7C:AF:83:9F:ED:7A:33:0B
- X509v3 Authority Key Identifier:
- keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA
-
- Signature Algorithm: sha256WithRSAEncryption
- 6b:1b:fa:f3:a8:c0:1e:e7:55:49:f2:4e:16:1f:9a:1b:22:9c:
- ff:c9:81:d0:5b:d6:28:3c:38:91:65:b5:ca:63:e6:9d:13:2d:
- 5f:f5:cc:67:c2:82:55:73:8f:8b:0c:0c:a9:60:2a:a8:b2:19:
- c1:a7:87:94:d8:69:5e:3c:88:e5:32:8a:4c:a6:6f:69:8b:c5:
- f2:7e:8e:d2:af:37:2d:27:73:c7:ad:9d:bc:14:08:a8:aa:57:
- 22:37:be:c6:d2:2d:a3:70:81:4a:88:8c:a3:44:89:6c:7d:9d:
- 9f:db:ff:5c:c6:ec:6d:97:b0:08:8d:76:c6:14:d0:25:81:a3:
- 09:b6:f2:89:32:12:b2:f2:71:71:b6:ac:c1:65:d1:9c:6b:e1:
- a4:4e:74:d0:01:17:ad:38:0f:17:86:07:56:b3:a1:86:5d:99:
- ef:d6:55:98:b9:ce:63:46:8b:37:c4:53:55:8b:7a:10:75:90:
- fd:e6:62:f0:6c:af:89:91:17:34:f7:99:77:6d:29:fa:92:bb:
- c3:45:77:fe:a3:15:da:54:7d:47:16:b6:6f:94:09:b8:5f:ca:
- e9:34:a2:bf:18:cd:d3:f4:17:2c:98:e4:e4:ca:46:ad:4b:a4:
- 34:77:47:ec:5d:21:a6:cf:5c:b9:5a:47:ca:04:a1:93:56:13:
- 0a:cc:47:91
------BEGIN CERTIFICATE-----
-MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sSMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
-BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
-cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMzc1NFoXDTM4MDExODEwMzc1NFow
-TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAyMSIwIAYJ
-KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEA1PAyTVB6wEHWYWhZXlvOZePpewHkU5TJt8FrtxILvI/X
-FxvBdzoIF7oj8b2Y8HzLlnAuDi6WZrefKRJv7jAzoaXu+Uuj+1JF2H7C6KkgqfIu
-9ES3hT80fMBzHXNjLxGgfd/nWiC5uf9dDm2Qhh8u+se1lDeARg37X/gm9M4vDVu/
-5Y2lEte6zxbyXBCuoICo3MRrACT0S/ABgn5LHLbWrOFyMgddSErNulycCXKJsi5g
-97ft6rYNrmP4CaGPYu4J0ssKgd98cku/vftZJIQfHc42vEwThMrF4IG77GGPn3iI
-Q43gFrKrkBQjKc4d56G7SpP5+I24/y8wdGayMYmxfQIDAQABo3gwdjAMBgNVHRMB
-Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd
-BgNVHQ4EFgQUHlX//wFxX/Eof8ipfK+Dn+16MwswHwYDVR0jBBgwFoAUcAB/mSCc
-EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBAGsb+vOowB7nVUnyThYf
-mhsinP/JgdBb1ig8OJFltcpj5p0TLV/1zGfCglVzj4sMDKlgKqiyGcGnh5TYaV48
-iOUyikymb2mLxfJ+jtKvNy0nc8etnbwUCKiqVyI3vsbSLaNwgUqIjKNEiWx9nZ/b
-/1zG7G2XsAiNdsYU0CWBowm28okyErLycXG2rMFl0Zxr4aROdNABF604DxeGB1az
-oYZdme/WVZi5zmNGizfEU1WLehB1kP3mYvBsr4mRFzT3mXdtKfqSu8NFd/6jFdpU
-fUcWtm+UCbhfyuk0or8YzdP0FyyY5OTKRq1LpDR3R+xdIabPXLlaR8oEoZNWEwrM
-R5E=
------END CERTIFICATE-----
diff --git a/SOURCES/centossecurebootca2.crt b/SOURCES/centossecurebootca2.crt
deleted file mode 100644
index ff4e981..0000000
--- a/SOURCES/centossecurebootca2.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIJAIlReu6IOzL7MA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
-BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
-cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTA4MTkzMloXDTM4MDExODA4MTkzMlow
-RjEgMB4GA1UEAwwXQ2VudE9TIFNlY3VyZSBCb290IENBIDIxIjAgBgkqhkiG9w0B
-CQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQChatbNaQDV0RTCqff1tl92xI6gu1k8jYufW8FyzZ6uDnxoGpBT0LiU
-WKuGjMQ89JgiApFzDYSLWrZg8NbTnVdz0hny4SMyspe5weUk6IToKXvEejZNFn6i
-vae2vfT0/ASKsgIvUcz4sWHMK43vbfv/pVpYGLgoG5aNUkt7VhkeURwJzR3ODgDp
-aL4bQ/7qEo8ASHCEvQx6klG330Z06O0kjS6GK12cPC1t5ZlimVXCNWP1jf0pMWmh
-aBrZjbyY0j8R7Yns3cEovAM230chsVdyFxSYpqCLzMlmWNxiIlvcAoDIRMWEa7Da
-SSAfJWH+ygAzad1PHlnCB0zAFbLAMJH1AgMBAAGjUzBRMB0GA1UdDgQWBBRwAH+Z
-IJwSa+FHdOrse22WMfNNyjAfBgNVHSMEGDAWgBRwAH+ZIJwSa+FHdOrse22WMfNN
-yjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe5NcVSUd/POZs
-Jkiep8ATNwXglLAeYxB55F42sXx5OOdKMBmhqWQIVJvaih/wsfKIBfdUGv2L9dH8
-IQgiU1PRYx0baSVJno3HcQTbCqLvnvckusR7IUTDAFj774MvXwS6yV6pXzxDmuh2
-t8hRktOKFeUtdlDYqg9X3Ia3GkoB5huyEbuaZTNcV4TAfU/yAERNIAgRs+fLQU70
-OgGlWsp35J8qPkZKabGf0surDa2xa6iAoFyknxruoKQ8uNSB9KB7/0JvVouNx90+
-ncykWW96GVKs8+H5WGza10FqrchtThSNCSXTtLbTXoK0Atdvu0o04XUbsCGMnlcG
-zAVb3/m0
------END CERTIFICATE-----
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index a4291b2..0dade27 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -101,6 +101,16 @@
-e 's/-m64//g' \\\
) %{nil}
%endif
+%ifarch %{ix86}
+%global target_cpu_name %{_arch}
+%global grub_target_name %{_arch}-pc
+
+%global legacy_target_cpu_name i386
+%global legacy_package_arch pc
+%global platform pc
+
+%global with_legacy_arch 0
+%endif
%ifarch aarch64
%global efiarch aa64
@@ -152,6 +162,14 @@
%global with_efi_common 1
%global with_legacy_common 0
%endif
+%ifarch %{ix86}
+%global with_efi_arch 0
+%global with_alt_efi_arch 0
+%global with_efi_common 0
+%global with_legacy_common 1
+%global with_legacy_utils 1
+%global with_legacy_arch 0
+%endif
%if 0%{with_efi_common}
%global common_srcdir grub-%{grubefiarch}-%{tarversion}
@@ -331,7 +349,7 @@ GRUB_MODULES=" all_video boot btrfs cat chain configfile echo \\\
gzio halt hfsplus iso9660 jpeg loadenv loopback \\\
lvm mdraid09 mdraid1x minicmd normal part_apple \\\
part_msdos part_gpt password_pbkdf2 png reboot \\\
- search search_fs_uuid search_fs_file \\\
+ regexp search search_fs_uuid search_fs_file \\\
search_label serial sleep syslinuxcfg test tftp \\\
video xfs" \
GRUB_MODULES+=%{efi_modules} \
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 4937bc1..191482a 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -447,3 +447,40 @@ Patch0446: 0446-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
Patch0447: 0447-ieee1275-powerpc-enables-device-mapper-discovery.patch
Patch0448: 0448-ieee1275-Avoiding-many-unecessary-open-close.patch
Patch0449: 0449-ieee1275-ofdisk-retry-on-open-failure.patch
+Patch0450: 0450-loader-efi-chainloader-grub_load_and_start_image-doe.patch
+Patch0451: 0451-loader-efi-chainloader-simplify-the-loader-state.patch
+Patch0452: 0452-commands-boot-Add-API-to-pass-context-to-loader.patch
+Patch0453: 0453-loader-efi-chainloader-Use-grub_loader_set_ex.patch
+Patch0454: 0454-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch
+Patch0455: 0455-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
+Patch0456: 0456-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
+Patch0457: 0457-video-readers-png-Refuse-to-handle-multiple-image-he.patch
+Patch0458: 0458-png-Optimize-by-avoiding-divisions.patch
+Patch0459: 0459-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
+Patch0460: 0460-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
+Patch0461: 0461-video-readers-png-Sanity-check-some-huffman-codes.patch
+Patch0462: 0462-grub-core-video-readers-jpeg.c-Avoid-division-by-zer.patch
+Patch0463: 0463-jpeg-Optimise-by-replacing-division-with-shifts.patch
+Patch0464: 0464-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
+Patch0465: 0465-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
+Patch0466: 0466-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
+Patch0467: 0467-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
+Patch0468: 0468-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
+Patch0469: 0469-net-netbuff-Block-overly-large-netbuff-allocs.patch
+Patch0470: 0470-net-ip-Do-IP-fragment-maths-safely.patch
+Patch0471: 0471-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
+Patch0472: 0472-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
+Patch0473: 0473-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
+Patch0474: 0474-misc-Format-string-for-grub_error-should-be-a-litera.patch
+Patch0475: 0475-net-tftp-Avoid-a-trivial-UAF.patch
+Patch0476: 0476-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
+Patch0477: 0477-net-http-Fix-OOB-write-for-split-http-headers.patch
+Patch0478: 0478-net-http-Error-out-on-headers-with-LF-without-CR.patch
+Patch0479: 0479-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
+Patch0480: 0480-grub-core-fs-btrfs.c-Avoid-divisions-by-zero.patch
+Patch0481: 0481-btrfs-Add-support-for-reading-a-filesystem-with-a-RA.patch
+Patch0482: 0482-btrfs-Add-support-for-new-RAID1C34-profiles.patch
+Patch0483: 0483-btrfs-Move-logging-code-in-grub_btrfs_read_logical.patch
+Patch0484: 0484-btrfs-Move-the-error-logging-from-find_device-to-its.patch
+Patch0485: 0485-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
+Patch0486: 0486-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in
index 33d1d27..fdc0e9f 100755
--- a/SOURCES/sbat.csv.in
+++ b/SOURCES/sbat.csv.in
@@ -1,3 +1,3 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
-grub.rhel7,1,Red Hat Enterprise Linux 7,grub2,@@VERSION@@,mail:secalert@redhat.com
+grub,2,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
+grub.rhel7,2,Red Hat Enterprise Linux 7,grub2,@@VERSION@@,mail:secalert@redhat.com
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index a98f8c3..6f30f20 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -1,22 +1,12 @@
%undefine _hardened_build
-%global flagday 1:2.02-0.87.el7.centos.2
+
%global tarversion 2.02~beta2
%undefine _missing_build_ids_terminate_build
-%ifarch i686
-%define platform pc
-%define legacy_package_arch i386
-%define legacy_target_cpu_name i386
-%define target_cpu_name i386
-%endif
-%ifarch x86_64
-%define mock 1
-%endif
-
Name: grub2
Epoch: 1
Version: 2.02
-Release: 0.87.0.1%{?dist}%{?buildid}.9
+Release: 0.87%{?dist}%{?buildid}.11
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -27,10 +17,10 @@ Source1: grub.macros
Source2: grub.patches
Source3: http://unifoundry.com/unifont-5.1.20080820.pcf.gz
Source4: gitignore
-Source5: centos-ca-secureboot.der
-Source6: centossecureboot001.crt
-Source7: centossecurebootca2.crt
-Source8: centossecureboot202.crt
+Source5: redhatsecurebootca3.cer
+Source6: redhatsecureboot301.cer
+Source7: redhatsecurebootca5.cer
+Source8: redhatsecureboot502.cer
Source9: sbat.csv.in
%include %{SOURCE1}
@@ -64,11 +54,8 @@ BuildRequires: pesign >= 0.99-8
%if %{?_with_ccache: 1}%{?!_with_ccache: 0}
BuildRequires: ccache
%endif
-%if 0%{?centos}
-%global efidir centos
-%endif
-ExcludeArch: s390 s390x %{arm}
+ExcludeArch: s390 s390x %{arm} %{?ix86}
Obsoletes: %{name} <= %{flagday}
%if 0%{with_legacy_arch}
@@ -153,10 +140,6 @@ This subpackage provides tools for support of all platforms.
%prep
%setup -T -c -n grub-%{tarversion}
%do_common_setup
-sed -i.orig -e 's@/efi/EFI/redhat/@/efi/EFI/%{efidir}/@' \
- grub-%{tarversion}/util/grub-setpassword.in
-touch --reference=grub-%{tarversion}/util/grub-setpassword.in.orig \
- grub-%{tarversion}/util/grub-setpassword.in
%if 0%{with_efi_arch}
%do_setup %{grubefiarch}
sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE9} \
@@ -171,10 +154,10 @@ sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE9} \
%build
%if 0%{with_efi_arch}
-%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE5} %{SOURCE6} centossecureboot001 %{SOURCE7} %{SOURCE8} centossecureboot202
+%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE5} %{SOURCE6} redhatsecureboot301 %{SOURCE7} %{SOURCE8} redhatsecureboot502
%endif
%if 0%{with_alt_efi_arch}
-%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE5} %{SOURCE6} centossecureboot001 %{SOURCE7} %{SOURCE8} centossecureboot202
+%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE5} %{SOURCE6} redhatsecureboot301 %{SOURCE7} %{SOURCE8} redhatsecureboot502
%endif
%if 0%{with_legacy_arch}%{with_legacy_utils}
%do_legacy_build %{grublegacyarch}
@@ -486,35 +469,43 @@ fi
%endif
%changelog
-* Tue Mar 29 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-087.e7.9
+* Wed Nov 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-087.el7.11
+- Bump sbat
+- Resolves: CVE-2022-28733
+
+* Thu Sep 15 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-087.el7.10
+- Backport the relevant CVE fixes from the 2022-05-24 drop
+- Resolves: CVE-2022-28733
+
+* Tue Mar 29 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-087.el7.9
- Bump for signing
- Resolves: #1892860
-* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-0.87.e7.8
+* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-0.87.el7.8
- Fix accidental reboot in grub_exit
- Resolves: #1892860
-* Mon May 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.e7.7
+* Mon May 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.el7.7
- Fix boot failures in ppc64le caused by storage race condition (diegodo)
Resolves: rhbz#1942148
-* Fri Mar 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.e7.6
+* Fri Mar 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.el7.6
- Fix ppc64le performance issues (diegodo)
Resolves: rhbz#1759298
-* Thu Mar 04 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.e7.5
+* Thu Mar 04 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.el7.5
- Add the at keyboard patches that weren't included
Resolves: rhbz#1892240
-* Thu Mar 04 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.e7.4
+* Thu Mar 04 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.el7.4
- add keylayouts and at_keyboard modules to EFI binary
Resolves: rhbz#1892240
-* Wed Mar 03 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.e7.3
+* Wed Mar 03 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.el7.3
- at_keyboard: use set 1 when keyboard is in Translate mode (rmetrich)
Resolves: rhbz#1892240
-* Fri Feb 26 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.e7.2
+* Fri Feb 26 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-0.87.el7.2
- Fix another batch of CVEs
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632