diff --git a/SOURCES/0349-Add-suport-for-signing-grub-with-an-appended-signatu.patch b/SOURCES/0349-Add-suport-for-signing-grub-with-an-appended-signatu.patch
index fada0a9..538e916 100644
--- a/SOURCES/0349-Add-suport-for-signing-grub-with-an-appended-signatu.patch
+++ b/SOURCES/0349-Add-suport-for-signing-grub-with-an-appended-signatu.patch
@@ -106,14 +106,14 @@ index cf993c059ad..561e671ff34 100644
grub_install_pop_module ();
}
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
-index 98d24cc06ea..9cc767088d3 100644
+index 98d24cc06ea..65a015d8a04 100644
--- a/util/grub-mkimage.c
+++ b/util/grub-mkimage.c
@@ -82,6 +82,7 @@ static struct argp_option options[] = {
{"format", 'O', N_("FORMAT"), 0, 0, 0},
{"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
{"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
-+ {"appended-signature-size", 's', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
++ {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
{ 0, 0, 0, 0, 0, 0 }
};
@@ -137,7 +137,7 @@ index 98d24cc06ea..9cc767088d3 100644
arguments->note = 1;
break;
-+ case 's':
++ case 'S':
+ grub_errno = 0;
+ arguments->appsig_size = grub_strtol(arg, &end, 10);
+ if (grub_errno)
diff --git a/SOURCES/0364-grub-install-support-embedding-x509-certificates.patch b/SOURCES/0364-grub-install-support-embedding-x509-certificates.patch
index d8f73c2..3413d7e 100644
--- a/SOURCES/0364-grub-install-support-embedding-x509-certificates.patch
+++ b/SOURCES/0364-grub-install-support-embedding-x509-certificates.patch
@@ -95,7 +95,7 @@ index 561e671ff34..fa6b65347ea 100644
while (dc--)
grub_install_pop_module ();
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
-index 9cc767088d3..b05fb827656 100644
+index 65a015d8a04..394d2dc5fc9 100644
--- a/util/grub-mkimage.c
+++ b/util/grub-mkimage.c
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
diff --git a/SOURCES/0373-kern-Add-lockdown-support.patch b/SOURCES/0373-kern-Add-lockdown-support.patch
new file mode 100644
index 0000000..b1d5013
--- /dev/null
+++ b/SOURCES/0373-kern-Add-lockdown-support.patch
@@ -0,0 +1,440 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 19 Feb 2021 10:33:54 +0100
+Subject: [PATCH] kern: Add lockdown support
+
+When the GRUB starts on a secure boot platform, some commands can be
+used to subvert the protections provided by the verification mechanism and
+could lead to booting untrusted system.
+
+To prevent that situation, allow GRUB to be locked down. That way the code
+may check if GRUB has been locked down and further restrict the commands
+that are registered or what subset of their functionality could be used.
+
+The lockdown support adds the following components:
+
+* The grub_lockdown() function which can be used to lockdown GRUB if,
+ e.g., UEFI Secure Boot is enabled.
+
+* The grub_is_lockdown() function which can be used to check if the GRUB
+ was locked down.
+
+* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
+ tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
+ verifiers. These files are only successfully verified if another registered
+ verifier returns success. Otherwise, the whole verification process fails.
+
+ For example, PE/COFF binaries verification can be done by the shim_lock
+ verifier which validates the signatures using the shim_lock protocol.
+ However, the verification is not deferred directly to the shim_lock verifier.
+ The shim_lock verifier is hooked into the verification process instead.
+
+* A set of grub_{command,extcmd}_lockdown functions that can be used by
+ code registering command handlers, to only register unsafe commands if
+ the GRUB has not been locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/Makefile.core.def | 1 +
+ grub-core/commands/extcmd.c | 23 +++++++++++
+ grub-core/kern/command.c | 24 ++++++++++++
+ grub-core/kern/lockdown.c | 93 +++++++++++++++++++++++++++++++++++++++++++++
+ include/grub/command.h | 5 +++
+ include/grub/extcmd.h | 7 ++++
+ include/grub/lockdown.h | 44 +++++++++++++++++++++
+ conf/Makefile.common | 2 +
+ docs/grub-dev.texi | 27 +++++++++++++
+ docs/grub.texi | 8 ++++
+ grub-core/Makefile.am | 5 ++-
+ 11 files changed, 238 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/kern/lockdown.c
+ create mode 100644 include/grub/lockdown.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 8914083d13f..02fbecd4b81 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -197,6 +197,7 @@ kernel = {
+ efi = term/efi/console.c;
+ efi = kern/acpi.c;
+ efi = kern/efi/acpi.c;
++ efi = kern/lockdown.c;
+ efi = lib/envblk.c;
+ efi = kern/efi/tpm.c;
+ i386_coreboot = kern/i386/pc/acpi.c;
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 69574e2b05b..90a5ca24a64 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -19,6 +19,7 @@
+
+ #include <grub/mm.h>
+ #include <grub/list.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/extcmd.h>
+ #include <grub/script_sh.h>
+@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
+ summary, description, parser, 1);
+ }
+
++static grub_err_t
++grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
++ int argc __attribute__ ((unused)),
++ char **argv __attribute__ ((unused)))
++{
++ return grub_error (GRUB_ERR_ACCESS_DENIED,
++ N_("%s: the command is not allowed when lockdown is enforced"),
++ ctxt->extcmd->cmd->name);
++}
++
++grub_extcmd_t
++grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
++ grub_command_flags_t flags, const char *summary,
++ const char *description,
++ const struct grub_arg_option *parser)
++{
++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++ func = grub_extcmd_lockdown;
++
++ return grub_register_extcmd (name, func, flags, summary, description, parser);
++}
++
+ void
+ grub_unregister_extcmd (grub_extcmd_t ext)
+ {
+diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
+index acd72187992..4aabcd4b5f9 100644
+--- a/grub-core/kern/command.c
++++ b/grub-core/kern/command.c
+@@ -17,6 +17,7 @@
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <grub/lockdown.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+
+@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
+ return cmd;
+ }
+
++static grub_err_t
++grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
++ int argc __attribute__ ((unused)),
++ char **argv __attribute__ ((unused)))
++
++{
++ return grub_error (GRUB_ERR_ACCESS_DENIED,
++ N_("%s: the command is not allowed when lockdown is enforced"),
++ cmd->name);
++}
++
++grub_command_t
++grub_register_command_lockdown (const char *name,
++ grub_command_func_t func,
++ const char *summary,
++ const char *description)
++{
++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++ func = grub_cmd_lockdown;
++
++ return grub_register_command_prio (name, func, summary, description, 0);
++}
++
+ void
+ grub_unregister_command (grub_command_t cmd)
+ {
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+new file mode 100644
+index 00000000000..f87ddaeb1ee
+--- /dev/null
++++ b/grub-core/kern/lockdown.c
+@@ -0,0 +1,93 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include <grub/dl.h>
++#include <grub/file.h>
++#include <grub/lockdown.h>
++
++/* There is no verifier framework in grub 2.02 */
++#if 0
++#include <grub/verify.h>
++#endif
++
++static int lockdown = GRUB_LOCKDOWN_DISABLED;
++
++/* There is no verifier framework in grub 2.02 */
++#if 0
++static grub_err_t
++lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
++ enum grub_file_type type,
++ void **context __attribute__ ((unused)),
++ enum grub_verify_flags *flags)
++{
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++
++ switch (type & GRUB_FILE_TYPE_MASK)
++ {
++ case GRUB_FILE_TYPE_GRUB_MODULE:
++ case GRUB_FILE_TYPE_LINUX_KERNEL:
++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
++ case GRUB_FILE_TYPE_BSD_KERNEL:
++ case GRUB_FILE_TYPE_XNU_KERNEL:
++ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_NTLDR:
++ case GRUB_FILE_TYPE_TRUECRYPT:
++ case GRUB_FILE_TYPE_FREEDOS:
++ case GRUB_FILE_TYPE_PXECHAINLOADER:
++ case GRUB_FILE_TYPE_PCCHAINLOADER:
++ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++ case GRUB_FILE_TYPE_ACPI_TABLE:
++ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
++ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
++
++ /* Fall through. */
++
++ default:
++ return GRUB_ERR_NONE;
++ }
++}
++
++struct grub_file_verifier lockdown_verifier =
++ {
++ .name = "lockdown_verifier",
++ .init = lockdown_verifier_init,
++ };
++#endif
++
++void
++grub_lockdown (void)
++{
++ lockdown = GRUB_LOCKDOWN_ENABLED;
++
++ /*
++ * XXX: The lockdown verifier doesn't make sense until
++ * GRUB has moved to the shim_lock verifier.
++ */
++#if 0
++ grub_verifier_register (&lockdown_verifier);
++#endif
++}
++
++int
++grub_is_lockdown (void)
++{
++ return lockdown;
++}
+diff --git a/include/grub/command.h b/include/grub/command.h
+index eee4e847ee4..2a6f7f84697 100644
+--- a/include/grub/command.h
++++ b/include/grub/command.h
+@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
+ const char *summary,
+ const char *description,
+ int prio);
++grub_command_t
++EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
++ grub_command_func_t func,
++ const char *summary,
++ const char *description);
+ void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
+
+ static inline grub_command_t
+diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
+index 19fe592669e..fe9248b8bb6 100644
+--- a/include/grub/extcmd.h
++++ b/include/grub/extcmd.h
+@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
+ const char *description,
+ const struct grub_arg_option *parser);
+
++grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
++ grub_extcmd_func_t func,
++ grub_command_flags_t flags,
++ const char *summary,
++ const char *description,
++ const struct grub_arg_option *parser);
++
+ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
+ grub_extcmd_func_t func,
+ grub_command_flags_t flags,
+diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
+new file mode 100644
+index 00000000000..40531fa823b
+--- /dev/null
++++ b/include/grub/lockdown.h
+@@ -0,0 +1,44 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_LOCKDOWN_H
++#define GRUB_LOCKDOWN_H 1
++
++#include <grub/symbol.h>
++
++#define GRUB_LOCKDOWN_DISABLED 0
++#define GRUB_LOCKDOWN_ENABLED 1
++
++#ifdef GRUB_MACHINE_EFI
++extern void
++EXPORT_FUNC (grub_lockdown) (void);
++extern int
++EXPORT_FUNC (grub_is_lockdown) (void);
++#else
++static inline void
++grub_lockdown (void)
++{
++}
++
++static inline int
++grub_is_lockdown (void)
++{
++ return GRUB_LOCKDOWN_DISABLED;
++}
++#endif
++#endif /* ! GRUB_LOCKDOWN_H */
+diff --git a/conf/Makefile.common b/conf/Makefile.common
+index b93879804c0..521cdda1f5a 100644
+--- a/conf/Makefile.common
++++ b/conf/Makefile.common
+@@ -85,7 +85,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
+ CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index 3ce827ab726..421dd410e50 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -84,6 +84,7 @@ This edition documents version @value{VERSION}.
+ * Video Subsystem::
+ * PFF2 Font File Format::
+ * Graphical Menu Software Design::
++* Lockdown framework::
+ * Copying This Manual:: Copying This Manual
+ * Index::
+ @end menu
+@@ -1949,6 +1950,32 @@ the graphics mode that was in use before @code{grub_video_setup()} was called
+ might fix some of the problems.
+
+
++@node Lockdown framework
++@chapter Lockdown framework
++
++The GRUB can be locked down, which is a restricted mode where some operations
++are not allowed. For instance, some commands cannot be used when the GRUB is
++locked down.
++
++The function
++@code{grub_lockdown()} is used to lockdown GRUB and the function
++@code{grub_is_lockdown()} function can be used to check whether lockdown is
++enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
++and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
++
++The following functions can be used to register the commands that can only be
++used when lockdown is disabled:
++
++@itemize
++
++@item @code{grub_cmd_lockdown()} registers command which should not run when the
++GRUB is in lockdown mode.
++
++@item @code{grub_cmd_lockdown()} registers extended command which should not run
++when the GRUB is in lockdown mode.
++
++@end itemize
++
+ @node Copying This Manual
+ @appendix Copying This Manual
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 97f0f47e082..f957535dbea 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5687,6 +5687,7 @@ environment variables and commands are listed in the same order.
+ * Using GPG-style digital signatures:: Booting digitally signed code
+ * Using appended signatures:: An alternative approach to booting digitally signed code
+ * Signing GRUB itself:: Ensuring the integrity of the GRUB core image
++* Lockdown:: Lockdown when booting on a secure setup
+ @end menu
+
+ @node Authentication and authorisation
+@@ -5977,6 +5978,13 @@ As with UEFI secure boot, it is necessary to build in the required modules,
+ or sign them separately.
+
+
++@node Lockdown
++@section Lockdown when booting on a secure setup
++
++The GRUB can be locked down when booted on a secure boot environment, for example
++if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
++be restricted and some operations/commands cannot be executed.
++
+ @node Platform limitations
+ @chapter Platform limitations
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 4062652506d..a6f1b0dcd06 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -82,6 +82,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
+ if COND_emu
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
+@@ -350,8 +351,10 @@ command.lst: $(MARKER_FILES)
+ b=`basename $$pp .marker`; \
+ sed -n \
+ -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
++ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+ -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
++ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
++ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+ done) | sort -u > $@
+ platform_DATA += command.lst
+ CLEANFILES += command.lst
diff --git a/SOURCES/0374-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch b/SOURCES/0374-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
new file mode 100644
index 0000000..cccd213
--- /dev/null
+++ b/SOURCES/0374-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 2 Feb 2021 19:59:48 +0100
+Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
+
+It may be useful for scripts to determine whether the GRUB is locked
+down or not. Add the lockdown variable which is set to "y" when the GRUB
+is locked down.
+
+Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/lockdown.c | 4 ++++
+ docs/grub.texi | 3 +++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+index f87ddaeb1ee..30cba7f5ea2 100644
+--- a/grub-core/kern/lockdown.c
++++ b/grub-core/kern/lockdown.c
+@@ -18,6 +18,7 @@
+ */
+
+ #include <grub/dl.h>
++#include <grub/env.h>
+ #include <grub/file.h>
+ #include <grub/lockdown.h>
+
+@@ -84,6 +85,9 @@ grub_lockdown (void)
+ #if 0
+ grub_verifier_register (&lockdown_verifier);
+ #endif
++
++ grub_env_set ("lockdown", "y");
++ grub_env_export ("lockdown");
+ }
+
+ int
+diff --git a/docs/grub.texi b/docs/grub.texi
+index f957535dbea..755de88d7d8 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5985,6 +5985,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
+ if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+ be restricted and some operations/commands cannot be executed.
+
++The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
++Otherwise it does not exit.
++
+ @node Platform limitations
+ @chapter Platform limitations
+
diff --git a/SOURCES/0375-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch b/SOURCES/0375-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
new file mode 100644
index 0000000..d1fb42c
--- /dev/null
+++ b/SOURCES/0375-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:29 +0200
+Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
+
+If the UEFI Secure Boot is enabled then the GRUB must be locked down
+to prevent executing code that can potentially be used to subvert its
+verification mechanisms.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/init.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 79243b364a1..97bf36906a4 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -20,6 +20,8 @@
+ #include <grub/efi/efi.h>
+ #include <grub/efi/console.h>
+ #include <grub/efi/disk.h>
++#include <grub/efi/sb.h>
++#include <grub/lockdown.h>
+ #include <grub/term.h>
+ #include <grub/misc.h>
+ #include <grub/env.h>
+@@ -93,6 +95,23 @@ grub_efi_init (void)
+ /* Initialize the memory management system. */
+ grub_efi_mm_init ();
+
++ /*
++ * Lockdown the GRUB and register the shim_lock verifier
++ * if the UEFI Secure Boot is enabled.
++ */
++ if (grub_efi_secure_boot ())
++ {
++ grub_lockdown ();
++
++ /*
++ * TODO: Move GRUB to using the shim_lock verifier and
++ * enable the lockdown verifier.
++ */
++#if 0
++ grub_shim_lock_verifier_setup ();
++#endif
++ }
++
+ efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+ 0, 0, 0, NULL);
+
diff --git a/SOURCES/0376-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch b/SOURCES/0376-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
new file mode 100644
index 0000000..a902271
--- /dev/null
+++ b/SOURCES/0376-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
@@ -0,0 +1,137 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:33 +0200
+Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
+ modules list
+
+Now the GRUB can check if it has been locked down and this can be used to
+prevent executing commands that can be utilized to circumvent the UEFI
+Secure Boot mechanisms. So, instead of hardcoding a list of modules that
+have to be disabled, prevent the usage of commands that can be dangerous.
+
+This not only allows the commands to be disabled on other platforms, but
+also properly separate the concerns. Since the shim_lock verifier logic
+should be only about preventing to run untrusted binaries and not about
+defining these kind of policies.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/iorw.c | 26 ++++++++++----------------
+ grub-core/commands/memrw.c | 26 ++++++++++----------------
+ 2 files changed, 20 insertions(+), 32 deletions(-)
+
+diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
+index 41a7f3f0466..584baec8f91 100644
+--- a/grub-core/commands/iorw.c
++++ b/grub-core/commands/iorw.c
+@@ -23,7 +23,7 @@
+ #include <grub/env.h>
+ #include <grub/cpu/io.h>
+ #include <grub/i18n.h>
+-#include <grub/efi/sb.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -119,9 +119,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
+
+ GRUB_MOD_INIT(memrw)
+ {
+- if (grub_efi_secure_boot())
+- return;
+-
+ cmd_read_byte =
+ grub_register_extcmd ("inb", grub_cmd_read, 0,
+ N_("PORT"), N_("Read 8-bit value from PORT."),
+@@ -135,24 +132,21 @@ GRUB_MOD_INIT(memrw)
+ N_("PORT"), N_("Read 32-bit value from PORT."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("outb", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 8-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outb", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 8-bit VALUE to PORT."));
+ cmd_write_word =
+- grub_register_command ("outw", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 16-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outw", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 16-bit VALUE to PORT."));
+ cmd_write_dword =
+- grub_register_command ("outl", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outl", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to PORT."));
+ }
+
+ GRUB_MOD_FINI(memrw)
+ {
+- if (grub_efi_secure_boot())
+- return;
+-
+ grub_unregister_extcmd (cmd_read_byte);
+ grub_unregister_extcmd (cmd_read_word);
+ grub_unregister_extcmd (cmd_read_dword);
+diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
+index 088cbe9e2bc..d401a6db0ef 100644
+--- a/grub-core/commands/memrw.c
++++ b/grub-core/commands/memrw.c
+@@ -22,7 +22,7 @@
+ #include <grub/extcmd.h>
+ #include <grub/env.h>
+ #include <grub/i18n.h>
+-#include <grub/efi/sb.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -121,9 +121,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
+
+ GRUB_MOD_INIT(memrw)
+ {
+- if (grub_efi_secure_boot())
+- return;
+-
+ cmd_read_byte =
+ grub_register_extcmd ("read_byte", grub_cmd_read, 0,
+ N_("ADDR"), N_("Read 8-bit value from ADDR."),
+@@ -137,24 +134,21 @@ GRUB_MOD_INIT(memrw)
+ N_("ADDR"), N_("Read 32-bit value from ADDR."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("write_byte", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 8-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_byte", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 8-bit VALUE to ADDR."));
+ cmd_write_word =
+- grub_register_command ("write_word", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 16-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_word", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 16-bit VALUE to ADDR."));
+ cmd_write_dword =
+- grub_register_command ("write_dword", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_dword", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to ADDR."));
+ }
+
+ GRUB_MOD_FINI(memrw)
+ {
+- if (grub_efi_secure_boot())
+- return;
+-
+ grub_unregister_extcmd (cmd_read_byte);
+ grub_unregister_extcmd (cmd_read_word);
+ grub_unregister_extcmd (cmd_read_dword);
diff --git a/SOURCES/0377-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch b/SOURCES/0377-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
new file mode 100644
index 0000000..603796c
--- /dev/null
+++ b/SOURCES/0377-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:41 +0200
+Subject: [PATCH] acpi: Don't register the acpi command when locked down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The command is not allowed when lockdown is enforced. Otherwise an
+attacker can instruct the GRUB to load an SSDT table to overwrite
+the kernel lockdown configuration and later load and execute
+unsigned code.
+
+Fixes: CVE-2020-14372
+
+Reported-by: Máté Kukri <km@mkukri.xyz>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/acpi.c | 15 ++++++++-------
+ docs/grub.texi | 5 +++++
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 5a1499aa0e3..1215f2a62ef 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -27,6 +27,7 @@
+ #include <grub/mm.h>
+ #include <grub/memory.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ #ifdef GRUB_MACHINE_EFI
+ #include <grub/efi/efi.h>
+@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(acpi)
+ {
+- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
+- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+- "--load-only=TABLE1,TABLE2] FILE1"
+- " [FILE2] [...]"),
+- N_("Load host ACPI tables and tables "
+- "specified by arguments."),
+- options);
++ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
++ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
++ "--load-only=TABLE1,TABLE2] FILE1"
++ " [FILE2] [...]"),
++ N_("Load host ACPI tables and tables "
++ "specified by arguments."),
++ options);
+ }
+
+ GRUB_MOD_FINI(acpi)
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 755de88d7d8..01acf672b80 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4038,6 +4038,11 @@ Normally, this command will replace the Root System Description Pointer
+ (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
+ @option{--no-ebda} option is used, the new tables will be known only to
+ GRUB, but may be used by GRUB's EFI emulation.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ Otherwise an attacker can instruct the GRUB to load an SSDT table to
++ overwrite the kernel lockdown configuration and later load and execute
++ unsigned code.
+ @end deffn
+
+
diff --git a/SOURCES/0378-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch b/SOURCES/0378-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
new file mode 100644
index 0000000..2781cd9
--- /dev/null
+++ b/SOURCES/0378-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 14 Oct 2020 16:33:42 +0200
+Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
+ is enforced
+
+The cutmem and badram commands can be used to remove EFI memory regions
+and potentially disable the UEFI Secure Boot. Prevent the commands to be
+registered if the GRUB is locked down.
+
+Fixes: CVE-2020-27779
+
+Reported-by: Teddy Reed <teddy.reed@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/mmap/mmap.c | 13 +++++++------
+ docs/grub.texi | 4 ++++
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 57b4e9a72a9..7ebf32e1e5e 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -20,6 +20,7 @@
+ #include <grub/memory.h>
+ #include <grub/machine/memory.h>
+ #include <grub/err.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
+ �
+ GRUB_MOD_INIT(mmap)
+ {
+- cmd = grub_register_command ("badram", grub_cmd_badram,
+- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+- N_("Declare memory regions as faulty (badram)."));
+- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
+- N_("FROM[K|M|G] TO[K|M|G]"),
+- N_("Remove any memory regions in specified range."));
++ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
++ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
++ N_("Declare memory regions as faulty (badram)."));
++ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
++ N_("FROM[K|M|G] TO[K|M|G]"),
++ N_("Remove any memory regions in specified range."));
+
+ }
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 01acf672b80..f1675b6140c 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4103,6 +4103,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
++
+ @node blocklist
+ @subsection blocklist
+
diff --git a/SOURCES/0379-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch b/SOURCES/0379-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
new file mode 100644
index 0000000..ae197cb
--- /dev/null
+++ b/SOURCES/0379-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
@@ -0,0 +1,108 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+ when locked down
+
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+
+ * fakebios: creates BIOS-like structures for backward compatibility with
+ existing OSes. This should not be allowed when locked down.
+
+ * loadbios: reads a BIOS dump from storage and loads it. This action
+ should not be allowed when locked down.
+
+ * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+ any Device Tree provided by the firmware. This also should
+ not be allowed when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/efi/loadbios.c | 14 +++++++-------
+ grub-core/loader/arm/linux.c | 6 +++---
+ grub-core/loader/efi/fdt.c | 4 ++--
+ docs/grub.texi | 6 ++++--
+ 4 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521a4ae..5c7725f8bd8 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+
+ GRUB_MOD_INIT(loadbios)
+ {
+- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+- 0, N_("Create BIOS-like structures for"
+- " backward compatibility with"
+- " existing OS."));
++ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
++ 0, N_("Create BIOS-like structures for"
++ " backward compatibility with"
++ " existing OS."));
+
+- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+- N_("BIOS_DUMP [INT10_DUMP]"),
+- N_("Load BIOS dump."));
++ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
++ N_("BIOS_DUMP [INT10_DUMP]"),
++ N_("Load BIOS dump."));
+ }
+
+ GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index 1e944a2b671..653f2e07692 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+ 0, N_("Load Linux."));
+ cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+ 0, N_("Load initrd."));
+- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+- /* TRANSLATORS: DTB stands for device tree blob. */
+- 0, N_("Load DTB file."));
++ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
++ /* TRANSLATORS: DTB stands for device tree blob. */
++ 0, N_("Load DTB file."));
+ my_mod = mod;
+ current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+ machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index e3ee3ad79d6..64c560f5610 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
+ GRUB_MOD_INIT (fdt)
+ {
+ cmd_devicetree =
+- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+- N_("Load DTB file."));
++ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
++ N_("Load DTB file."));
+ }
+
+ GRUB_MOD_FINI (fdt)
+diff --git a/docs/grub.texi b/docs/grub.texi
+index f1675b6140c..c55452307dc 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4281,13 +4281,15 @@ hour, minute, and second unchanged.
+
+
+ @node devicetree
+-@subsection linux
++@subsection devicetree
+
+ @deffn Command devicetree file
+ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+ kernel. Does not perform merging with any device tree supplied by firmware,
+ but rather replaces it completely.
+-@ref{GNU/Linux}.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+
+ @node distrust
diff --git a/SOURCES/0380-commands-setpci-Restrict-setpci-command-when-locked-.patch b/SOURCES/0380-commands-setpci-Restrict-setpci-command-when-locked-.patch
new file mode 100644
index 0000000..1bb09d4
--- /dev/null
+++ b/SOURCES/0380-commands-setpci-Restrict-setpci-command-when-locked-.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 22:59:59 +0100
+Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
+
+This command can set PCI devices register values, which makes it dangerous
+in a locked down configuration. Restrict it so can't be used on this setup.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/setpci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
+index d5bc97d60b2..fa2ba7d8919 100644
+--- a/grub-core/commands/setpci.c
++++ b/grub-core/commands/setpci.c
+@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(setpci)
+ {
+- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
+- N_("[-s POSITION] [-d DEVICE] [-v VAR] "
+- "REGISTER[=VALUE[:MASK]]"),
+- N_("Manipulate PCI devices."), options);
++ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
++ N_("[-s POSITION] [-d DEVICE] [-v VAR] "
++ "REGISTER[=VALUE[:MASK]]"),
++ N_("Manipulate PCI devices."), options);
+ }
+
+ GRUB_MOD_FINI(setpci)
diff --git a/SOURCES/0381-commands-hdparm-Restrict-hdparm-command-when-locked-.patch b/SOURCES/0381-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
new file mode 100644
index 0000000..04129ca
--- /dev/null
+++ b/SOURCES/0381-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 12:59:29 +0100
+Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
+
+The command can be used to get/set ATA disk parameters. Some of these can
+be dangerous since change the disk behavior. Restrict it when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/hdparm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
+index d3fa9661e5f..2e2319e645a 100644
+--- a/grub-core/commands/hdparm.c
++++ b/grub-core/commands/hdparm.c
+@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(hdparm)
+ {
+- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
+- N_("[OPTIONS] DISK"),
+- N_("Get/set ATA disk parameters."), options);
++ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
++ N_("[OPTIONS] DISK"),
++ N_("Get/set ATA disk parameters."), options);
+ }
+
+ GRUB_MOD_FINI(hdparm)
diff --git a/SOURCES/0382-gdb-Restrict-GDB-access-when-locked-down.patch b/SOURCES/0382-gdb-Restrict-GDB-access-when-locked-down.patch
new file mode 100644
index 0000000..b392d22
--- /dev/null
+++ b/SOURCES/0382-gdb-Restrict-GDB-access-when-locked-down.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 15:03:26 +0100
+Subject: [PATCH] gdb: Restrict GDB access when locked down
+
+The gdbstub* commands allow to start and control a GDB stub running on
+local host that can be used to connect from a remote debugger. Restrict
+this functionality when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
+index 847a1e1e36f..1818cb6f8eb 100644
+--- a/grub-core/gdb/gdb.c
++++ b/grub-core/gdb/gdb.c
+@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
+ GRUB_MOD_INIT (gdb)
+ {
+ grub_gdb_idtinit ();
+- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
+- N_("PORT"),
+- /* TRANSLATORS: GDB stub is a small part of
+- GDB functionality running on local host
+- which allows remote debugger to
+- connect to it. */
+- N_("Start GDB stub on given port"));
+- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
+- /* TRANSLATORS: this refers to triggering
+- a breakpoint so that the user will land
+- into GDB. */
+- 0, N_("Break into GDB"));
+- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
+- 0, N_("Stop GDB stub"));
++ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
++ N_("PORT"),
++ /*
++ * TRANSLATORS: GDB stub is a small part of
++ * GDB functionality running on local host
++ * which allows remote debugger to
++ * connect to it.
++ */
++ N_("Start GDB stub on given port"));
++ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
++ /*
++ * TRANSLATORS: this refers to triggering
++ * a breakpoint so that the user will land
++ * into GDB.
++ */
++ 0, N_("Break into GDB"));
++ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
++ 0, N_("Stop GDB stub"));
+ }
+
+ GRUB_MOD_FINI (gdb)
diff --git a/SOURCES/0383-loader-xnu-Don-t-allow-loading-extension-and-package.patch b/SOURCES/0383-loader-xnu-Don-t-allow-loading-extension-and-package.patch
new file mode 100644
index 0000000..fe39c33
--- /dev/null
+++ b/SOURCES/0383-loader-xnu-Don-t-allow-loading-extension-and-package.patch
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+ locked down
+
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 5944dc5eafc..b33a384321c 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1489,20 +1489,23 @@ GRUB_MOD_INIT(xnu)
+ N_("Load XNU image."));
+ cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+ 0, N_("Load 64-bit XNU image."));
+- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+- N_("Load XNU extension package."));
+- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+- N_("Load XNU extension."));
+- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+- /* TRANSLATORS: OSBundleRequired is a
+- variable name in xnu extensions
+- manifests. It behaves mostly like
+- GNU/Linux runlevels.
+- */
+- N_("DIRECTORY [OSBundleRequired]"),
+- /* TRANSLATORS: There are many extensions
+- in extension directory. */
+- N_("Load XNU extension directory."));
++ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
++ N_("Load XNU extension package."));
++ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
++ N_("Load XNU extension."));
++ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
++ /*
++ * TRANSLATORS: OSBundleRequired is
++ * a variable name in xnu extensions
++ * manifests. It behaves mostly like
++ * GNU/Linux runlevels.
++ */
++ N_("DIRECTORY [OSBundleRequired]"),
++ /*
++ * TRANSLATORS: There are many extensions
++ * in extension directory.
++ */
++ N_("Load XNU extension directory."));
+ cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+ /* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
+ N_("Load XNU ramdisk. "
diff --git a/SOURCES/0384-docs-Document-the-cutmem-command.patch b/SOURCES/0384-docs-Document-the-cutmem-command.patch
new file mode 100644
index 0000000..fd37e8f
--- /dev/null
+++ b/SOURCES/0384-docs-Document-the-cutmem-command.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 7 Nov 2020 01:03:18 +0100
+Subject: [PATCH] docs: Document the cutmem command
+
+The command is not present in the docs/grub.texi user documentation.
+
+Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ docs/grub.texi | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index c55452307dc..314bbeb8471 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3942,6 +3942,7 @@ you forget a command, you can run the command @command{help}
+ * cpuid:: Check for CPU features
+ * crc:: Compute or check CRC32 checksums
+ * cryptomount:: Mount a crypto device
++* cutmem:: Remove memory regions
+ * date:: Display or set current date and time
+ * devicetree:: Load a device tree blob
+ * distrust:: Remove a pubkey from trusted keys
+@@ -4103,6 +4104,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++The command is similar to @command{cutmem} command.
++
+ Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This prevents removing EFI memory regions to potentially subvert the
+ security mechanisms provided by the UEFI secure boot.
+@@ -4266,6 +4269,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
+ be used.
+ @end deffn
+
++@node cutmem
++@subsection cutmem
++
++@deffn Command cutmem from[K|M|G] to[K|M|G]
++Remove any memory regions in specified range.
++@end deffn
++
++This command notifies the memory manager that specified regions of RAM ought to
++be filtered out. This remains in effect after a payload kernel has been loaded
++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
++kernels in general.
++
++The command is similar to @command{badram} command.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
+
+ @node date
+ @subsection date
diff --git a/SOURCES/0385-dl-Only-allow-unloading-modules-that-are-not-depende.patch b/SOURCES/0385-dl-Only-allow-unloading-modules-that-are-not-depende.patch
new file mode 100644
index 0000000..b482bba
--- /dev/null
+++ b/SOURCES/0385-dl-Only-allow-unloading-modules-that-are-not-depende.patch
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+
+While being there, add the extern keyword to some function declarations in
+that header file.
+
+Fixes: CVE-2020-25632
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/minicmd.c | 7 +++++--
+ grub-core/kern/dl.c | 9 +++++++++
+ include/grub/dl.h | 8 +++++---
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6d66b7c453a..2bd3ac76f2d 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+ if (grub_dl_is_persistent (mod))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+
+- if (grub_dl_unref (mod) <= 0)
+- grub_dl_unload (mod);
++ if (grub_dl_ref_count (mod) > 1)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
++
++ grub_dl_unref (mod);
++ grub_dl_unload (mod);
+
+ return 0;
+ }
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index d7a7c8f97b0..520126beab7 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -621,6 +621,15 @@ grub_dl_unref (grub_dl_t mod)
+ return --mod->ref_count;
+ }
+
++int
++grub_dl_ref_count (grub_dl_t mod)
++{
++ if (mod == NULL)
++ return 0;
++
++ return mod->ref_count;
++}
++
+ static void
+ grub_dl_flush_cache (grub_dl_t mod)
+ {
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index 877821dcb04..6a3e251b455 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -205,9 +205,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+ grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+ grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+ int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern void grub_dl_unload_unneeded (void);
++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++
+ extern grub_dl_t EXPORT_VAR(grub_dl_head);
+
+ #ifndef GRUB_UTIL
diff --git a/SOURCES/0386-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch b/SOURCES/0386-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
new file mode 100644
index 0000000..1b04633
--- /dev/null
+++ b/SOURCES/0386-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 11 Dec 2020 19:19:21 +0100
+Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
+ devices
+
+The maximum number of configurations and interfaces are fixed but there is
+no out-of-bound checking to prevent a malicious USB device to report large
+values for these and cause accesses outside the arrays' memory.
+
+Fixes: CVE-2020-25647
+
+Reported-by: Joseph Tartaro (IOActive)
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/bus/usb/usb.c | 15 ++++++++++++---
+ include/grub/usb.h | 10 +++++++---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
+index 8da5e4c7491..7cb3cc230b2 100644
+--- a/grub-core/bus/usb/usb.c
++++ b/grub-core/bus/usb/usb.c
+@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
+ grub_usb_err_t
+ grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
+ {
++ if (endpoint >= GRUB_USB_MAX_TOGGLE)
++ return GRUB_USB_ERR_BADDEVICE;
++
+ dev->toggle[endpoint] = 0;
+ return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
+ | GRUB_USB_REQTYPE_STANDARD
+@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ return err;
+ descdev = &dev->descdev;
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ dev->config[i].descconf = NULL;
+
+- if (descdev->configcnt == 0)
++ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
+ {
+ err = GRUB_USB_ERR_BADDEVICE;
+ goto fail;
+@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ /* Skip the configuration descriptor. */
+ pos = dev->config[i].descconf->length;
+
++ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
++ {
++ err = GRUB_USB_ERR_BADDEVICE;
++ goto fail;
++ }
++
+ /* Read all interfaces. */
+ for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
+ {
+@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+
+ fail:
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ grub_free (dev->config[i].descconf);
+
+ return err;
+diff --git a/include/grub/usb.h b/include/grub/usb.h
+index 512ae1dd0e6..6475c552fc6 100644
+--- a/include/grub/usb.h
++++ b/include/grub/usb.h
+@@ -23,6 +23,10 @@
+ #include <grub/usbdesc.h>
+ #include <grub/usbtrans.h>
+
++#define GRUB_USB_MAX_CONF 8
++#define GRUB_USB_MAX_IF 32
++#define GRUB_USB_MAX_TOGGLE 256
++
+ typedef struct grub_usb_device *grub_usb_device_t;
+ typedef struct grub_usb_controller *grub_usb_controller_t;
+ typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
+@@ -167,7 +171,7 @@ struct grub_usb_configuration
+ struct grub_usb_desc_config *descconf;
+
+ /* Interfaces associated to this configuration. */
+- struct grub_usb_interface interf[32];
++ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
+ };
+
+ struct grub_usb_hub_port
+@@ -191,7 +195,7 @@ struct grub_usb_device
+ struct grub_usb_controller controller;
+
+ /* Device configurations (after opening the device). */
+- struct grub_usb_configuration config[8];
++ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
+
+ /* Device address. */
+ int addr;
+@@ -203,7 +207,7 @@ struct grub_usb_device
+ int initialized;
+
+ /* Data toggle values (used for bulk transfers only). */
+- int toggle[256];
++ int toggle[GRUB_USB_MAX_TOGGLE];
+
+ /* Used by libusb wrapper. Schedulded for removal. */
+ void *data;
diff --git a/SOURCES/0387-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch b/SOURCES/0387-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
new file mode 100644
index 0000000..66e3744
--- /dev/null
+++ b/SOURCES/0387-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 3 Dec 2020 14:39:45 +0000
+Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
+
+When returning from grub_mmap_iterate() the memory allocated to present
+is not being released causing it to leak.
+
+Fixes: CID 96655
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/mmap/mmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 7ebf32e1e5e..8bf235f3400 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ hook_data))
+ {
+ grub_free (ctx.scanline_events);
++ grub_free (present);
+ return GRUB_ERR_NONE;
+ }
+
+@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ }
+
+ grub_free (ctx.scanline_events);
++ grub_free (present);
+ return GRUB_ERR_NONE;
+ }
+
diff --git a/SOURCES/0388-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch b/SOURCES/0388-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
new file mode 100644
index 0000000..0f50d98
--- /dev/null
+++ b/SOURCES/0388-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 27 Nov 2020 15:10:26 +0000
+Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
+
+It is always possible that grub_zalloc() could fail, so we should check for
+a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
+
+Fixes: CID 296221
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 1fd104aeaf2..a27c53eee1c 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -89,8 +89,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
+
+ /* Add sender to cache table. */
+ if (card->link_layer_table == NULL)
+- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
+- * sizeof (card->link_layer_table[0]));
++ {
++ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
++ * sizeof (card->link_layer_table[0]));
++ if (card->link_layer_table == NULL)
++ return;
++ }
++
+ entry = &(card->link_layer_table[card->new_ll_entry]);
+ entry->avail = 1;
+ grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));
diff --git a/SOURCES/0389-net-tftp-Fix-dangling-memory-pointer.patch b/SOURCES/0389-net-tftp-Fix-dangling-memory-pointer.patch
new file mode 100644
index 0000000..193d893
--- /dev/null
+++ b/SOURCES/0389-net-tftp-Fix-dangling-memory-pointer.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 19 Feb 2021 17:12:23 +0000
+Subject: [PATCH] net/tftp: Fix dangling memory pointer
+
+The static code analysis tool, Parfait, reported that the valid of
+file->data was left referencing memory that was freed by the call to
+grub_free(data) where data was initialized from file->data.
+
+To ensure that there is no unintentional access to this memory
+referenced by file->data we should set the pointer to NULL.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/tftp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index b9a4b607a3d..aa0424dcee3 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -444,6 +444,7 @@ tftp_close (struct grub_file *file)
+ grub_net_udp_close (data->sock);
+ }
+ grub_free (data);
++ file->data = NULL;
+ return GRUB_ERR_NONE;
+ }
+
diff --git a/SOURCES/0390-kern-parser-Fix-resource-leak-if-argc-0.patch b/SOURCES/0390-kern-parser-Fix-resource-leak-if-argc-0.patch
new file mode 100644
index 0000000..87d3140
--- /dev/null
+++ b/SOURCES/0390-kern-parser-Fix-resource-leak-if-argc-0.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 22 Jan 2021 12:32:41 +0000
+Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
+
+After processing the command-line yet arriving at the point where we are
+setting argv, we are allocating memory, even if argc == 0, which makes
+no sense since we never put anything into the allocated argv.
+
+The solution is to simply return that we've successfully processed the
+arguments but that argc == 0, and also ensure that argv is NULL when
+we're not allocating anything in it.
+
+There are only 2 callers of this function, and both are handling a zero
+value in argc assuming nothing is allocated in argv.
+
+Fixes: CID 96680
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/parser.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 619db3122a0..d1cf061ad68 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
+ int i;
+
+ *argc = 0;
++ *argv = NULL;
+ do
+ {
+ if (!rd || !*rd)
+@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
+ (*argc)++;
+ }
+
++ /* If there are no args, then we're done. */
++ if (!*argc)
++ return 0;
++
+ /* Reserve memory for the return values. */
+ args = grub_malloc (bp - buffer);
+ if (!args)
diff --git a/SOURCES/0391-kern-efi-Fix-memory-leak-on-failure.patch b/SOURCES/0391-kern-efi-Fix-memory-leak-on-failure.patch
new file mode 100644
index 0000000..1aa52d6
--- /dev/null
+++ b/SOURCES/0391-kern-efi-Fix-memory-leak-on-failure.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:15:25 +0000
+Subject: [PATCH] kern/efi: Fix memory leak on failure
+
+Free the memory allocated to name before returning on failure.
+
+Fixes: CID 296222
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/efi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 5dfcf943322..4b95a400490 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -400,6 +400,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
++ grub_free (name);
+ return NULL;
+ }
+
diff --git a/SOURCES/0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/SOURCES/0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
new file mode 100644
index 0000000..5fb25a3
--- /dev/null
+++ b/SOURCES/0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 11 Dec 2020 15:03:13 +0000
+Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
+
+The model of grub_efi_get_memory_map() is that if memory_map is NULL,
+then the purpose is to discover how much memory should be allocated to
+it for the subsequent call.
+
+The problem here is that with grub_efi_is_finished set to 1, there is no
+check at all that the function is being called with a non-NULL memory_map.
+
+While this MAY be true, we shouldn't assume it.
+
+The solution to this is to behave as expected, and if memory_map is NULL,
+then don't try to use it and allow memory_map_size to be filled in, and
+return 0 as is done later in the code if the buffer is too small (or NULL).
+
+Additionally, drop unneeded ret = 1.
+
+Fixes: CID 96632
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/mm.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index 306924f73a4..2d9c9032b2a 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -372,16 +372,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
+ if (grub_efi_is_finished)
+ {
+ int ret = 1;
+- if (*memory_map_size < finish_mmap_size)
++
++ if (memory_map != NULL)
+ {
+- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
++ if (*memory_map_size < finish_mmap_size)
++ {
++ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
++ ret = 0;
++ }
++ else
++ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
++ }
++ else
++ {
++ /*
++ * Incomplete, no buffer to copy into, same as
++ * GRUB_EFI_BUFFER_TOO_SMALL below.
++ */
+ ret = 0;
+ }
+- else
+- {
+- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+- ret = 1;
+- }
+ *memory_map_size = finish_mmap_size;
+ if (map_key)
+ *map_key = finish_key;
diff --git a/SOURCES/0393-gnulib-regexec-Resolve-unused-variable.patch b/SOURCES/0393-gnulib-regexec-Resolve-unused-variable.patch
new file mode 100644
index 0000000..226abc8
--- /dev/null
+++ b/SOURCES/0393-gnulib-regexec-Resolve-unused-variable.patch
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:41:27 +0000
+Subject: [PATCH] gnulib/regexec: Resolve unused variable
+
+This is a really minor issue where a variable is being assigned to but
+not checked before it is overwritten again.
+
+The reason for this issue is that we are not building with DEBUG set and
+this in turn means that the assert() that reads the value of the
+variable match_last is being processed out.
+
+The solution, move the assignment to match_last in to an ifdef DEBUG too.
+
+Fixes: CID 292459
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gnulib/regexec.c | 4 ++++
+ conf/Makefile.extra-dist | 1 +
+ grub-core/gnulib-fix-unused-value.patch | 14 ++++++++++++++
+ 3 files changed, 19 insertions(+)
+ create mode 100644 grub-core/gnulib-fix-unused-value.patch
+
+diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c
+index a7776f088f2..9264f262893 100644
+--- a/grub-core/gnulib/regexec.c
++++ b/grub-core/gnulib/regexec.c
+@@ -879,7 +879,11 @@ re_search_internal (const regex_t *preg,
+ break;
+ if (BE (err != REG_NOMATCH, 0))
+ goto free_return;
++#ifdef DEBUG
++ /* Only used for assertion below when DEBUG is set, otherwise
++ it will be over-written when we loop around. */
+ match_last = REG_MISSING;
++#endif
+ }
+ else
+ break; /* We found a match. */
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 5946ec24a65..b53fe6dfdcc 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
++EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
+ EXTRA_DIST += grub-core/gnulib-fix-width.diff
+ EXTRA_DIST += grub-core/gnulib-no-abort.diff
+ EXTRA_DIST += grub-core/gnulib-no-gets.diff
+diff --git a/grub-core/gnulib-fix-unused-value.patch b/grub-core/gnulib-fix-unused-value.patch
+new file mode 100644
+index 00000000000..452a8732922
+--- /dev/null
++++ b/grub-core/gnulib-fix-unused-value.patch
+@@ -0,0 +1,14 @@
++--- grub-core/gnulib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ grub-core/gnulib/regexec.c 2020-10-21 14:32:07.961765604 +0000
++@@ -828,7 +828,11 @@
++ break;
++ if (BE (err != REG_NOMATCH, 0))
++ goto free_return;
+++#ifdef DEBUG
+++ /* Only used for assertion below when DEBUG is set, otherwise
+++ it will be over-written when we loop around. */
++ match_last = REG_MISSING;
+++#endif
++ }
++ else
++ break; /* We found a match. */
diff --git a/SOURCES/0394-gnulib-regcomp-Fix-uninitialized-token-structure.patch b/SOURCES/0394-gnulib-regcomp-Fix-uninitialized-token-structure.patch
new file mode 100644
index 0000000..b18be72
--- /dev/null
+++ b/SOURCES/0394-gnulib-regcomp-Fix-uninitialized-token-structure.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 22 Oct 2020 13:54:06 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
+
+The code is assuming that the value of br_token.constraint was
+initialized to zero when it wasn't.
+
+While some compilers will ensure that, not all do, so it is better to
+fix this explicitly than leave it to chance.
+
+Fixes: CID 73749
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gnulib/regcomp.c | 2 +-
+ conf/Makefile.extra-dist | 1 +
+ grub-core/gnulib-fix-uninit-structure.patch | 11 +++++++++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/gnulib-fix-uninit-structure.patch
+
+diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c
+index 596e0cf3ef7..de9f622088f 100644
+--- a/grub-core/gnulib/regcomp.c
++++ b/grub-core/gnulib/regcomp.c
+@@ -3641,7 +3641,7 @@ build_charclass_op (re_dfa_t *dfa, RE_TRANSLATE_TYPE trans,
+ Idx alloc = 0;
+ #endif /* not RE_ENABLE_I18N */
+ reg_errcode_t ret;
+- re_token_t br_token;
++ re_token_t br_token = {0};
+ bin_tree_t *tree;
+
+ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index b53fe6dfdcc..883baba56d5 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
++EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
+ EXTRA_DIST += grub-core/gnulib-fix-width.diff
+ EXTRA_DIST += grub-core/gnulib-no-abort.diff
+diff --git a/grub-core/gnulib-fix-uninit-structure.patch b/grub-core/gnulib-fix-uninit-structure.patch
+new file mode 100644
+index 00000000000..7b4d9f67af4
+--- /dev/null
++++ b/grub-core/gnulib-fix-uninit-structure.patch
+@@ -0,0 +1,11 @@
++--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000
+++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000
++@@ -3662,7 +3662,7 @@
++ Idx alloc = 0;
++ #endif /* not RE_ENABLE_I18N */
++ reg_errcode_t ret;
++- re_token_t br_token;
+++ re_token_t br_token = {0};
++ bin_tree_t *tree;
++
++ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
diff --git a/SOURCES/0395-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch b/SOURCES/0395-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
new file mode 100644
index 0000000..97f127c
--- /dev/null
+++ b/SOURCES/0395-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 28 Oct 2020 14:43:01 +0000
+Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
+
+All other instances of call to __argp_failure() where there is
+a dgettext() call is first checking whether state is NULL before
+attempting to dereference it to get the root_argp->argp_domain.
+
+Fixes: CID 292436
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gnulib/argp-help.c | 3 ++-
+ conf/Makefile.extra-dist | 1 +
+ grub-core/gnulib-fix-null-state-deref.patch | 12 ++++++++++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/gnulib-fix-null-state-deref.patch
+
+diff --git a/grub-core/gnulib/argp-help.c b/grub-core/gnulib/argp-help.c
+index b9be63f40d2..8af8be07341 100644
+--- a/grub-core/gnulib/argp-help.c
++++ b/grub-core/gnulib/argp-help.c
+@@ -145,7 +145,8 @@ validate_uparams (const struct argp_state *state, struct uparams *upptr)
+ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
+ {
+ __argp_failure (state, 0, 0,
+- dgettext (state->root_argp->argp_domain,
++ dgettext (state == NULL ? NULL
++ : state->root_argp->argp_domain,
+ "\
+ ARGP_HELP_FMT: %s value is less than or equal to %s"),
+ "rmargin", up->name);
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 883baba56d5..06606de8d19 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
++EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
+ EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
+ EXTRA_DIST += grub-core/gnulib-fix-width.diff
+diff --git a/grub-core/gnulib-fix-null-state-deref.patch b/grub-core/gnulib-fix-null-state-deref.patch
+new file mode 100644
+index 00000000000..813ec09c8a1
+--- /dev/null
++++ b/grub-core/gnulib-fix-null-state-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000
+++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000
++@@ -145,7 +145,8 @@
++ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
++ {
++ __argp_failure (state, 0, 0,
++- dgettext (state->root_argp->argp_domain,
+++ dgettext (state == NULL ? NULL
+++ : state->root_argp->argp_domain,
++ "\
++ ARGP_HELP_FMT: %s value is less than or equal to %s"),
++ "rmargin", up->name);
diff --git a/SOURCES/0396-gnulib-regexec-Fix-possible-null-dereference.patch b/SOURCES/0396-gnulib-regexec-Fix-possible-null-dereference.patch
new file mode 100644
index 0000000..78ae2b9
--- /dev/null
+++ b/SOURCES/0396-gnulib-regexec-Fix-possible-null-dereference.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:57:14 +0000
+Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
+
+It appears to be possible that the mctx->state_log field may be NULL,
+and the name of this function, clean_state_log_if_needed(), suggests
+that it should be checking that it is valid to be cleaned before
+assuming that it does.
+
+Fixes: CID 86720
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gnulib/regexec.c | 3 +++
+ conf/Makefile.extra-dist | 1 +
+ grub-core/gnulib-fix-regexec-null-deref.patch | 12 ++++++++++++
+ 3 files changed, 16 insertions(+)
+ create mode 100644 grub-core/gnulib-fix-regexec-null-deref.patch
+
+diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c
+index 9264f262893..fdacff12ce3 100644
+--- a/grub-core/gnulib/regexec.c
++++ b/grub-core/gnulib/regexec.c
+@@ -1754,6 +1754,9 @@ clean_state_log_if_needed (re_match_context_t *mctx, Idx next_state_log_idx)
+ {
+ Idx top = mctx->state_log_top;
+
++ if (mctx->state_log == NULL)
++ return REG_NOERROR;
++
+ if ((next_state_log_idx >= mctx->input.bufs_len
+ && mctx->input.bufs_len < mctx->input.len)
+ || (next_state_log_idx >= mctx->input.valid_len
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 06606de8d19..edbe7846eb1 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -32,6 +32,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
+ EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
++EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
+ EXTRA_DIST += grub-core/gnulib-fix-width.diff
+diff --git a/grub-core/gnulib-fix-regexec-null-deref.patch b/grub-core/gnulib-fix-regexec-null-deref.patch
+new file mode 100644
+index 00000000000..db6dac9c9e3
+--- /dev/null
++++ b/grub-core/gnulib-fix-regexec-null-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
++@@ -1692,6 +1692,9 @@
++ {
++ Idx top = mctx->state_log_top;
++
+++ if (mctx->state_log == NULL)
+++ return REG_NOERROR;
+++
++ if ((next_state_log_idx >= mctx->input.bufs_len
++ && mctx->input.bufs_len < mctx->input.len)
++ || (next_state_log_idx >= mctx->input.valid_len
diff --git a/SOURCES/0397-gnulib-regcomp-Fix-uninitialized-re_token.patch b/SOURCES/0397-gnulib-regcomp-Fix-uninitialized-re_token.patch
new file mode 100644
index 0000000..342a020
--- /dev/null
+++ b/SOURCES/0397-gnulib-regcomp-Fix-uninitialized-re_token.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 18:04:22 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
+
+This issue has been fixed in the latest version of gnulib, so to
+maintain consistency, I've backported that change rather than doing
+something different.
+
+Fixes: CID 73828
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gnulib/regcomp.c | 3 +--
+ conf/Makefile.extra-dist | 1 +
+ grub-core/gnulib-fix-regcomp-uninit-token.patch | 12 ++++++++++++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 grub-core/gnulib-fix-regcomp-uninit-token.patch
+
+diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c
+index de9f622088f..6d0830ac691 100644
+--- a/grub-core/gnulib/regcomp.c
++++ b/grub-core/gnulib/regcomp.c
+@@ -3790,8 +3790,7 @@ static bin_tree_t *
+ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
+ re_token_type_t type)
+ {
+- re_token_t t;
+- t.type = type;
++ re_token_t t = { .type = type };
+ return create_token_tree (dfa, left, right, &t);
+ }
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index edbe7846eb1..ee276a87764 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -32,6 +32,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
+ EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
++EXTRA_DIST += grub-core/gnulib-fix-regcomp-uninit-token.patch
+ EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
+diff --git a/grub-core/gnulib-fix-regcomp-uninit-token.patch b/grub-core/gnulib-fix-regcomp-uninit-token.patch
+new file mode 100644
+index 00000000000..d615745221b
+--- /dev/null
++++ b/grub-core/gnulib-fix-regcomp-uninit-token.patch
+@@ -0,0 +1,12 @@
++--- grub-core/gnulib/regcomp.c
+++++ grub-core/gnulib/regcomp.c
++@@ -3808,8 +3808,7 @@ static bin_tree_t *
++ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
++ re_token_type_t type)
++ {
++- re_token_t t;
++- t.type = type;
+++ re_token_t t = { .type = type };
++ return create_token_tree (dfa, left, right, &t);
++ }
++
diff --git a/SOURCES/0398-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch b/SOURCES/0398-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
new file mode 100644
index 0000000..d7affbd
--- /dev/null
+++ b/SOURCES/0398-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:44:10 +0000
+Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
+
+These 2 assignments are unnecessary since they are just assigning
+to themselves.
+
+Fixes: CID 73643
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/io/lzopio.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
+index 84edf6dd2dc..6bf14daf474 100644
+--- a/grub-core/io/lzopio.c
++++ b/grub-core/io/lzopio.c
+@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ucheck)) !=
+ sizeof (lzopio->block.ucheck))
+ return -1;
+-
+- lzopio->block.ucheck = lzopio->block.ucheck;
+ }
+
+ /* Read checksum of compressed data. */
+@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ccheck)) !=
+ sizeof (lzopio->block.ccheck))
+ return -1;
+-
+- lzopio->block.ccheck = lzopio->block.ccheck;
+ }
+ }
+
diff --git a/SOURCES/0399-kern-partition-Check-for-NULL-before-dereferencing-i.patch b/SOURCES/0399-kern-partition-Check-for-NULL-before-dereferencing-i.patch
new file mode 100644
index 0000000..35c4c01
--- /dev/null
+++ b/SOURCES/0399-kern-partition-Check-for-NULL-before-dereferencing-i.patch
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 09:49:59 +0000
+Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
+ string
+
+There is the possibility that the value of str comes from an external
+source and continuing to use it before ever checking its validity is
+wrong. So, needs fixing.
+
+Additionally, drop unneeded part initialization.
+
+Fixes: CID 292444
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/partition.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
+index 2c401b866c4..3068c4dcac0 100644
+--- a/grub-core/kern/partition.c
++++ b/grub-core/kern/partition.c
+@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
+ grub_partition_t
+ grub_partition_probe (struct grub_disk *disk, const char *str)
+ {
+- grub_partition_t part = 0;
++ grub_partition_t part;
+ grub_partition_t curpart = 0;
+ grub_partition_t tail;
+ const char *ptr;
+
++ if (str == NULL)
++ return 0;
++
+ part = tail = disk->partition;
+
+ for (ptr = str; *ptr;)
diff --git a/SOURCES/0400-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch b/SOURCES/0400-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
new file mode 100644
index 0000000..7d4ea0e
--- /dev/null
+++ b/SOURCES/0400-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
@@ -0,0 +1,125 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 7 Dec 2020 11:53:03 -0300
+Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
+ make_vg()
+
+Several error handling paths in make_vg() do not free comp data before
+jumping to fail2 label and returning from the function. This will leak
+memory. So, let's fix all issues of that kind.
+
+Fixes: CID 73804
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 58f8a53e1ab..428415fac24 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
+ comp->segments = grub_calloc (comp->segment_alloc,
+ sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+ else
+ {
+@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
+ comp->segment_count = 1;
+ comp->segments = grub_malloc (sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ comp->segments->start_extent = 0;
+ comp->segments->extent_count = lv->size;
+ comp->segments->layout = 0;
+@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
+ comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
+ }
+ else
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ ptr += *ptr + 1;
+ ptr++;
+ if (!(vblk[i].flags & 0x10))
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
+ || ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+ sizeof (*comp->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+
+ if (lv->segments->node_alloc == lv->segments->node_count)
+@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
+
+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+
+ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ lv->segments->nodes = t;
+ }
+ lv->segments->nodes[lv->segments->node_count].pv = 0;
diff --git a/SOURCES/0401-disk-ldm-If-failed-then-free-vg-variable-too.patch b/SOURCES/0401-disk-ldm-If-failed-then-free-vg-variable-too.patch
new file mode 100644
index 0000000..6b8903a
--- /dev/null
+++ b/SOURCES/0401-disk-ldm-If-failed-then-free-vg-variable-too.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 7 Dec 2020 10:07:47 -0300
+Subject: [PATCH] disk/ldm: If failed then free vg variable too
+
+Fixes: CID 73809
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/ldm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 428415fac24..54713f45a12 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
+ {
+ grub_free (vg->uuid);
+ grub_free (vg->name);
++ grub_free (vg);
+ return NULL;
+ }
+ grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);
diff --git a/SOURCES/0402-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch b/SOURCES/0402-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
new file mode 100644
index 0000000..3b0add6
--- /dev/null
+++ b/SOURCES/0402-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 10:00:51 +0000
+Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
+
+The problem here is that the memory allocated to the variable lv is not
+yet inserted into the list that is being processed at the label fail2.
+
+As we can already see at line 342, which correctly frees lv before going
+to fail2, we should also be doing that at these earlier jumps to fail2.
+
+Fixes: CID 73824
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/ldm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 54713f45a12..e82e9899f96 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
+ lv->visible = 1;
+ lv->segments = grub_zalloc (sizeof (*lv->segments));
+ if (!lv->segments)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ lv->segments->start_extent = 0;
+ lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ lv->segments->node_count = 0;
+@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+ sizeof (*lv->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ ptr = vblk[i].dynamic;
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
diff --git a/SOURCES/0403-disk-cryptodisk-Fix-potential-integer-overflow.patch b/SOURCES/0403-disk-cryptodisk-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000..2470dc5
--- /dev/null
+++ b/SOURCES/0403-disk-cryptodisk-Fix-potential-integer-overflow.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 21 Jan 2021 11:38:31 +0000
+Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
+
+The encrypt and decrypt functions expect a grub_size_t. So, we need to
+ensure that the constant bit shift is using grub_size_t rather than
+unsigned int when it is performing the shift.
+
+Fixes: CID 307788
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/cryptodisk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index bd60a66b384..78a902515e9 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_CBC:
+ if (do_encrypt)
+ err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
+@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_PCBC:
+ if (do_encrypt)
+ err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
diff --git a/SOURCES/0404-hfsplus-Check-that-the-volume-name-length-is-valid.patch b/SOURCES/0404-hfsplus-Check-that-the-volume-name-length-is-valid.patch
new file mode 100644
index 0000000..c32f6e8
--- /dev/null
+++ b/SOURCES/0404-hfsplus-Check-that-the-volume-name-length-is-valid.patch
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 17:09:31 +0000
+Subject: [PATCH] hfsplus: Check that the volume name length is valid
+
+HFS+ documentation suggests that the maximum filename and volume name is
+255 Unicode characters in length.
+
+So, when converting from big-endian to little-endian, we should ensure
+that the name of the volume has a length that is between 0 and 255,
+inclusive.
+
+Fixes: CID 73641
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/hfsplus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index e06bcbb9ba3..03a33ea2477 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1012,6 +1012,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+
+ label_len = grub_be_to_cpu16 (catkey->namelen);
++
++ /* Ensure that the length is >= 0. */
++ if (label_len < 0)
++ label_len = 0;
++
++ /* Ensure label length is at most 255 Unicode characters. */
++ if (label_len > 255)
++ label_len = 255;
++
+ label_name = grub_calloc (label_len, sizeof (*label_name));
+ if (!label_name)
+ {
diff --git a/SOURCES/0405-zfs-Fix-possible-negative-shift-operation.patch b/SOURCES/0405-zfs-Fix-possible-negative-shift-operation.patch
new file mode 100644
index 0000000..dd9d90f
--- /dev/null
+++ b/SOURCES/0405-zfs-Fix-possible-negative-shift-operation.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 16:41:49 +0000
+Subject: [PATCH] zfs: Fix possible negative shift operation
+
+While it is possible for the return value from zfs_log2() to be zero
+(0), it is quite unlikely, given that the previous assignment to blksz
+is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
+assignment to epbs.
+
+But, while unlikely during a normal operation, it may be that a carefully
+crafted ZFS filesystem could result in a zero (0) value to the
+dn_datalbkszsec field, which means that the shift left does nothing
+and assigns zero (0) to blksz, resulting in a negative epbs value.
+
+Fixes: CID 73608
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/zfs/zfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index c6204367e78..3dfde080750 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
+ blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
+ mdn->endian) << SPA_MINBLOCKSHIFT;
+ epbs = zfs_log2 (blksz) - DNODE_SHIFT;
++
++ /* While this should never happen, we should check that epbs is not negative. */
++ if (epbs < 0)
++ epbs = 0;
++
+ blkid = objnum >> epbs;
+ idx = objnum & ((1 << epbs) - 1);
+
diff --git a/SOURCES/0406-zfs-Fix-resource-leaks-while-constructing-path.patch b/SOURCES/0406-zfs-Fix-resource-leaks-while-constructing-path.patch
new file mode 100644
index 0000000..3c37522
--- /dev/null
+++ b/SOURCES/0406-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,118 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+
+Fixes: CID 73741
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 3dfde080750..44d8bde6b33 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+ {
+- grub_free (path_buf);
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ break;
+ }
+ err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+ data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ << SPA_MINBLOCKSHIFT);
+
+ if (blksz == 0)
+- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
++ {
++ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
++ break;
++ }
+
+ sym_value = grub_malloc (sym_sz);
+ if (!sym_value)
+- return grub_errno;
++ {
++ err = grub_errno;
++ break;
++ }
++
+ for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+ {
+ void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (err)
+ {
+ grub_free (sym_value);
+- return err;
++ break;
+ }
+
+ movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_memcpy (sym_value + block * blksz, t, movesize);
+ grub_free (t);
+ }
++ if (err)
++ break;
+ free_symval = 1;
+ }
+ path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_free (oldpathbuf);
+ if (free_symval)
+ grub_free (sym_value);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+ if (err)
+- return err;
++ break;
+ }
+ else
+ {
+- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ break;
+ }
+
+ hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (!path_buf)
+ {
+ grub_free (oldpathbuf);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ path [sym_sz] = 0;
diff --git a/SOURCES/0407-zfs-Fix-possible-integer-overflows.patch b/SOURCES/0407-zfs-Fix-possible-integer-overflows.patch
new file mode 100644
index 0000000..1017056
--- /dev/null
+++ b/SOURCES/0407-zfs-Fix-possible-integer-overflows.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 22:17:04 +0000
+Subject: [PATCH] zfs: Fix possible integer overflows
+
+In all cases the problem is that the value being acted upon by
+a left-shift is a 32-bit number which is then being used in the
+context of a 64-bit number.
+
+To avoid overflow we ensure that the number being shifted is 64-bit
+before the shift is done.
+
+Fixes: CID 73684, CID 73695, CID 73764
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/zfs/zfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 44d8bde6b33..0d8c08eec92 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
+ ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
+ + ((i << ub_shift)
+ / sizeof (grub_properly_aligned_t)));
+- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
++ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
+ if (err)
+ {
+ grub_errno = GRUB_ERR_NONE;
+@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ high = grub_divmod64 ((offset >> desc->ashift) + c,
+ desc->n_children, &devn);
+- csize = bsize << desc->ashift;
++ csize = (grub_size_t) bsize << desc->ashift;
+ if (csize > len)
+ csize = len;
+
+@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ while (len > 0)
+ {
+- grub_size_t csize;
+- csize = ((s / (desc->n_children - desc->nparity))
++ grub_size_t csize = s;
++ csize = ((csize / (desc->n_children - desc->nparity))
+ << desc->ashift);
+ if (csize > len)
+ csize = len;
diff --git a/SOURCES/0408-zfsinfo-Correct-a-check-for-error-allocating-memory.patch b/SOURCES/0408-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
new file mode 100644
index 0000000..4951204
--- /dev/null
+++ b/SOURCES/0408-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:56:45 +0000
+Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
+
+While arguably the check for grub_errno is correct, we should really be
+checking the return value from the function since it is always possible
+that grub_errno was set elsewhere, making this code behave incorrectly.
+
+Fixes: CID 73668
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/zfs/zfsinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
+index c8a28acf52b..bf2918018e7 100644
+--- a/grub-core/fs/zfs/zfsinfo.c
++++ b/grub-core/fs/zfs/zfsinfo.c
+@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+
+ devname = grub_file_get_device_name (args[0]);
+- if (grub_errno)
+- return grub_errno;
++ if (devname == NULL)
++ return GRUB_ERR_OUT_OF_MEMORY;
+
+ dev = grub_device_open (devname);
+ grub_free (devname);
diff --git a/SOURCES/0409-affs-Fix-memory-leaks.patch b/SOURCES/0409-affs-Fix-memory-leaks.patch
new file mode 100644
index 0000000..57c42a0
--- /dev/null
+++ b/SOURCES/0409-affs-Fix-memory-leaks.patch
@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+
+Fixes: CID 73759
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/affs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 91073795f90..e4615c74381 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ {
+ unsigned int i;
+ struct grub_affs_file file;
+- struct grub_fshelp_node *node = 0;
++ struct grub_fshelp_node *node, *orig_node;
+ struct grub_affs_data *data = dir->data;
+ grub_uint32_t *hashtable;
+
+ /* Create the directory entries for `.' and `..'. */
+- node = grub_zalloc (sizeof (*node));
++ node = orig_node = grub_zalloc (sizeof (*node));
+ if (!node)
+ return 1;
+
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ return 1;
+ if (dir->parent)
+ {
+- node = grub_zalloc (sizeof (*node));
+- if (!node)
+- return 1;
+ *node = *dir->parent;
+ if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+
+ if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+ next, &file))
+- return 1;
++ {
++ /* Node has been replaced in function. */
++ grub_free (orig_node);
++ return 1;
++ }
+
+ next = grub_be_to_cpu32 (file.next);
+ }
+ }
+
+- grub_free (hashtable);
+- return 0;
+-
+ fail:
+- grub_free (node);
++ grub_free (orig_node);
+ grub_free (hashtable);
+ return 0;
+ }
diff --git a/SOURCES/0410-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch b/SOURCES/0410-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
new file mode 100644
index 0000000..c9f3a35
--- /dev/null
+++ b/SOURCES/0410-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 3 Nov 2020 16:43:37 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
+
+The array of unsigned char gets promoted to a signed 32-bit int before
+it is finally promoted to a size_t. There is the possibility that this
+may result in the signed-bit being set for the intermediate signed
+32-bit int. We should ensure that the promotion is to the correct type
+before we bitwise-OR the values.
+
+Fixes: CID 96697
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index a3435ed142a..7ecad27b23a 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ if (len && len < 4)
+ return gcry_error (GPG_ERR_TOO_SHORT);
+
+- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+ s += 4;
+ if (len)
+ len -= 4;
diff --git a/SOURCES/0411-libgcrypt-mpi-Fix-possible-NULL-dereference.patch b/SOURCES/0411-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
new file mode 100644
index 0000000..89257f5
--- /dev/null
+++ b/SOURCES/0411-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:41:54 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
+
+The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
+is no explicit check for that, so we add one.
+
+Fixes: CID 73757
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index 7ecad27b23a..6fe38916532 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ unsigned int len;
+ int secure = (buffer && gcry_is_secure (buffer));
+
++ if (!buffer)
++ return gcry_error (GPG_ERR_INV_ARG);
++
+ if (format == GCRYMPI_FMT_SSH)
+ len = 0;
+ else
diff --git a/SOURCES/0412-syslinux-Fix-memory-leak-while-parsing.patch b/SOURCES/0412-syslinux-Fix-memory-leak-while-parsing.patch
new file mode 100644
index 0000000..f85cc51
--- /dev/null
+++ b/SOURCES/0412-syslinux-Fix-memory-leak-while-parsing.patch
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 15:31:53 +0000
+Subject: [PATCH] syslinux: Fix memory leak while parsing
+
+In syslinux_parse_real() the 2 points where return is being called
+didn't release the memory stored in buf which is no longer required.
+
+Fixes: CID 176634
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/lib/syslinux_parse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
+index 83e7bdb9161..f477feff1c3 100644
+--- a/grub-core/lib/syslinux_parse.c
++++ b/grub-core/lib/syslinux_parse.c
+@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ && grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
+ {
+ if (helptext (ptr5, file, menu))
+- return 1;
++ {
++ grub_free (buf);
++ return 1;
++ }
+ continue;
+ }
+
+@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ }
+ fail:
+ grub_file_close (file);
++ grub_free (buf);
+ return err;
+ }
+
diff --git a/SOURCES/0413-normal-completion-Fix-leaking-of-memory-when-process.patch b/SOURCES/0413-normal-completion-Fix-leaking-of-memory-when-process.patch
new file mode 100644
index 0000000..984c608
--- /dev/null
+++ b/SOURCES/0413-normal-completion-Fix-leaking-of-memory-when-process.patch
@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 18:56:48 +0000
+Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
+ completion
+
+It is possible for the code to reach the end of the function without
+freeing the memory allocated to argv and argc still to be 0.
+
+We should always call grub_free(argv). The grub_free() will handle
+a NULL argument correctly if it reaches that code without the memory
+being allocated.
+
+Fixes: CID 96672
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/normal/completion.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
+index 93aa0d8eda8..5036bcf2d98 100644
+--- a/grub-core/normal/completion.c
++++ b/grub-core/normal/completion.c
+@@ -401,8 +401,8 @@ char *
+ grub_normal_do_completion (char *buf, int *restore,
+ void (*hook) (const char *, grub_completion_type_t, int))
+ {
+- int argc;
+- char **argv;
++ int argc = 0;
++ char **argv = NULL;
+
+ /* Initialize variables. */
+ match = 0;
+@@ -517,10 +517,8 @@ grub_normal_do_completion (char *buf, int *restore,
+
+ fail:
+ if (argc != 0)
+- {
+- grub_free (argv[0]);
+- grub_free (argv);
+- }
++ grub_free (argv[0]);
++ grub_free (argv);
+ grub_free (match);
+ grub_errno = GRUB_ERR_NONE;
+
diff --git a/SOURCES/0414-commands-hashsum-Fix-a-memory-leak.patch b/SOURCES/0414-commands-hashsum-Fix-a-memory-leak.patch
new file mode 100644
index 0000000..3508882
--- /dev/null
+++ b/SOURCES/0414-commands-hashsum-Fix-a-memory-leak.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 1 Dec 2020 23:41:24 +0000
+Subject: [PATCH] commands/hashsum: Fix a memory leak
+
+check_list() uses grub_file_getline(), which allocates a buffer.
+If the hash list file contains invalid lines, the function leaks
+this buffer when it returns an error.
+
+Fixes: CID 176635
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/hashsum.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
+index 456ba908b6f..b8a22b0c8bb 100644
+--- a/grub-core/commands/hashsum.c
++++ b/grub-core/commands/hashsum.c
+@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+ high = hextoval (*p++);
+ low = hextoval (*p++);
+ if (high < 0 || low < 0)
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ expected[i] = (high << 4) | low;
+ }
+ if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ p += 2;
+ if (prefix)
+ {
+@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+
+ filename = grub_xasprintf ("%s/%s", prefix, p);
+ if (!filename)
+- return grub_errno;
++ {
++ grub_free (buf);
++ return grub_errno;
++ }
+ file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
+ | (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
+ : GRUB_FILE_TYPE_NONE));
diff --git a/SOURCES/0415-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch b/SOURCES/0415-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
new file mode 100644
index 0000000..fce5f99
--- /dev/null
+++ b/SOURCES/0415-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
@@ -0,0 +1,91 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:14:31 +0000
+Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
+ grub_video_gop_fill_mode_info()
+
+The return value of grub_video_gop_fill_mode_info() is never able to be
+anything other than GRUB_ERR_NONE. So, rather than continue to return
+a value and checking it each time, it is more correct to redefine the
+function to not return anything and remove checks of its return value
+altogether.
+
+Fixes: CID 96701
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/efi_gop.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index c9e40e8d4e9..9fcc41ac03c 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -229,7 +229,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
+ return GRUB_ERR_NONE;
+ }
+
+-static grub_err_t
++static void
+ grub_video_gop_fill_mode_info (unsigned mode,
+ struct grub_efi_gop_mode_info *in,
+ struct grub_video_mode_info *out)
+@@ -254,8 +254,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
+ out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
+ out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
+ | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
+-
+- return GRUB_ERR_NONE;
+ }
+
+ static int
+@@ -268,7 +266,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ grub_efi_uintn_t size;
+ grub_efi_status_t status;
+ struct grub_efi_gop_mode_info *info = NULL;
+- grub_err_t err;
+ struct grub_video_mode_info mode_info;
+
+ status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+@@ -279,12 +276,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ continue;
+ }
+
+- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
+- if (err)
+- {
+- grub_errno = GRUB_ERR_NONE;
+- continue;
+- }
++ grub_video_gop_fill_mode_info (mode, info, &mode_info);
+ if (hook (&mode_info, hook_arg))
+ return 1;
+ }
+@@ -468,13 +460,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+
+ info = gop->mode->info;
+
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
+- if (err)
+- {
+- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
+- return err;
+- }
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+
+ framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
+ framebuffer.offscreen
+@@ -488,8 +475,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ {
+ grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
+ grub_errno = 0;
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+ buffer = framebuffer.ptr;
+ }
+
diff --git a/SOURCES/0416-video-fb-fbfill-Fix-potential-integer-overflow.patch b/SOURCES/0416-video-fb-fbfill-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000..895fd9d
--- /dev/null
+++ b/SOURCES/0416-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 15:10:51 +0000
+Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
+
+The multiplication of 2 unsigned 32-bit integers may overflow before
+promotion to unsigned 64-bit. We should ensure that the multiplication
+is done with overflow detection. Additionally, use grub_sub() for
+subtraction.
+
+Fixes: CID 73640, CID 73697, CID 73702, CID 73823
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/fb/fbfill.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
+index 11816d07a0b..a37acd1e293 100644
+--- a/grub-core/video/fb/fbfill.c
++++ b/grub-core/video/fb/fbfill.c
+@@ -31,6 +31,7 @@
+ #include <grub/fbfill.h>
+ #include <grub/fbutil.h>
+ #include <grub/types.h>
++#include <grub/safemath.h>
+ #include <grub/video.h>
+
+ /* Generic filler that works for every supported mode. */
+@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
+ #endif
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
diff --git a/SOURCES/0417-video-fb-video_fb-Fix-multiple-integer-overflows.patch b/SOURCES/0417-video-fb-video_fb-Fix-multiple-integer-overflows.patch
new file mode 100644
index 0000000..fa61935
--- /dev/null
+++ b/SOURCES/0417-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8b251..1c9a138dcdc 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+ #include <grub/fbutil.h>
+ #include <grub/bitmap.h>
+ #include <grub/dl.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+ {
+ if (framebuffer.current_dirty.first_line
+ <= framebuffer.current_dirty.last_line)
+- grub_memcpy ((char *) framebuffer.pages[0]
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (framebuffer.current_dirty.last_line
+- - framebuffer.current_dirty.first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (framebuffer.current_dirty.last_line,
++ framebuffer.current_dirty.first_line, ©_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
+ framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+ volatile void *framebuf)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info.pitch * mode_info.height;
++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+
+ framebuffer.offscreen_buffer = grub_zalloc (page_size);
+ if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+ last_line = framebuffer.previous_dirty.last_line;
+
+ if (first_line <= last_line)
+- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (last_line - first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (last_line, first_line, ©_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
++
+ framebuffer.previous_dirty = framebuffer.current_dirty;
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
diff --git a/SOURCES/0418-video-fb-video_fb-Fix-possible-integer-overflow.patch b/SOURCES/0418-video-fb-video_fb-Fix-possible-integer-overflow.patch
new file mode 100644
index 0000000..ce9204f
--- /dev/null
+++ b/SOURCES/0418-video-fb-video_fb-Fix-possible-integer-overflow.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 14:51:30 +0000
+Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
+
+It is minimal possibility that the values being used here will overflow.
+So, change the code to use the safemath function grub_mul() to ensure
+that doesn't happen.
+
+Fixes: CID 73761
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/fb/video_fb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1c9a138dcdc..ae6b89f9aea 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
+ volatile void *page1_ptr)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info->pitch * mode_info->height;
++ grub_size_t page_size = 0;
++
++ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
+
+ framebuffer.offscreen_buffer = grub_malloc (page_size);
+ if (! framebuffer.offscreen_buffer)
diff --git a/SOURCES/0419-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch b/SOURCES/0419-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
new file mode 100644
index 0000000..f9a514a
--- /dev/null
+++ b/SOURCES/0419-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:39:00 +0000
+Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
+ from a jpeg file
+
+While it may never happen, and potentially could be caught at the end of
+the function, it is worth checking up front for a bad reference to the
+next marker just in case of a maliciously crafted file being provided.
+
+Fixes: CID 73694
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4c9c8..0b6ce3cee64 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
+
++ if (next_marker > data->file->size)
++ {
++ /* Should never be set beyond the size of the file. */
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
++ }
++
+ while (data->file->offset + sizeof (data->quan_table[id]) + 1
+ <= next_marker)
+ {
diff --git a/SOURCES/0420-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch b/SOURCES/0420-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
new file mode 100644
index 0000000..c9caf70
--- /dev/null
+++ b/SOURCES/0420-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Mon, 7 Dec 2020 14:44:47 +0000
+Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as
+ dead
+
+The test of value for NULL before calling grub_strdup() is not required,
+since the if condition prior to this has already tested for value being
+NULL and cannot reach this code if it is.
+
+Fixes: CID 73659
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gfxmenu/gui_list.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
+index 01477cdf2b3..df334a6c56f 100644
+--- a/grub-core/gfxmenu/gui_list.c
++++ b/grub-core/gfxmenu/gui_list.c
+@@ -771,7 +771,7 @@ list_set_property (void *vself, const char *name, const char *value)
+ {
+ self->need_to_recreate_boxes = 1;
+ grub_free (self->selected_item_box_pattern);
+- self->selected_item_box_pattern = value ? grub_strdup (value) : 0;
++ self->selected_item_box_pattern = grub_strdup (value);
+ self->selected_item_box_pattern_inherit = 0;
+ }
+ }
diff --git a/SOURCES/0421-loader-bsd-Check-for-NULL-arg-up-front.patch b/SOURCES/0421-loader-bsd-Check-for-NULL-arg-up-front.patch
new file mode 100644
index 0000000..f4c63b3
--- /dev/null
+++ b/SOURCES/0421-loader-bsd-Check-for-NULL-arg-up-front.patch
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:47:13 +0000
+Subject: [PATCH] loader/bsd: Check for NULL arg up-front
+
+The code in the next block suggests that it is possible for .set to be
+true but .arg may still be NULL.
+
+This code assumes that it is never NULL, yet later is testing if it is
+NULL - that is inconsistent.
+
+So we should check first if .arg is not NULL, and remove this check that
+is being flagged by Coverity since it is no longer required.
+
+Fixes: CID 292471
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/i386/bsd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index 45a71509956..b5ab848ee44 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -1606,7 +1606,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ kernel_type = KERNEL_TYPE_OPENBSD;
+ bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags);
+
+- if (ctxt->state[OPENBSD_ROOT_ARG].set)
++ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL)
+ {
+ const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg;
+ unsigned type, unit, part;
+@@ -1623,7 +1623,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ "unknown disk type name");
+
+ unit = grub_strtoul (arg, (char **) &arg, 10);
+- if (! (arg && *arg >= 'a' && *arg <= 'z'))
++ if (! (*arg >= 'a' && *arg <= 'z'))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ "only device specifications of form "
+ "<type><number><lowercase letter> are supported");
diff --git a/SOURCES/0422-loader-xnu-Fix-memory-leak.patch b/SOURCES/0422-loader-xnu-Fix-memory-leak.patch
new file mode 100644
index 0000000..76d9711
--- /dev/null
+++ b/SOURCES/0422-loader-xnu-Fix-memory-leak.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:53:10 +0000
+Subject: [PATCH] loader/xnu: Fix memory leak
+
+The code here is finished with the memory stored in name, but it only
+frees it if there curvalue is valid, while it could actually free it
+regardless.
+
+The fix is a simple relocation of the grub_free() to before the test
+of curvalue.
+
+Fixes: CID 96646
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/xnu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index b33a384321c..16bfa7cec72 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1392,9 +1392,9 @@ grub_xnu_fill_devicetree (void)
+ name[len] = 0;
+
+ curvalue = grub_xnu_create_value (curkey, name);
+- if (!curvalue)
+- return grub_errno;
+ grub_free (name);
++ if (!curvalue)
++ return grub_errno;
+
+ data = grub_malloc (grub_strlen (var->value) + 1);
+ if (!data)
diff --git a/SOURCES/0423-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch b/SOURCES/0423-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
new file mode 100644
index 0000000..d4c945c
--- /dev/null
+++ b/SOURCES/0423-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 30 Nov 2020 12:18:24 -0300
+Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
+ grub_xnu_writetree_toheap()
+
+... to avoid memory leaks.
+
+Fixes: CID 96640
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 16bfa7cec72..af885a648c6 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -228,26 +228,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ if (! memorymap)
+ return grub_errno;
+
+- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
++ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
+ if (! driverkey)
+ return grub_errno;
+ driverkey->name = grub_strdup ("DeviceTree");
+ if (! driverkey->name)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
++
+ driverkey->datasize = sizeof (*extdesc);
+ driverkey->next = memorymap->first_child;
+ memorymap->first_child = driverkey;
+ driverkey->data = extdesc
+ = (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
+ if (! driverkey->data)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
+
+ /* Allocate the space based on the size with dummy value. */
+ *size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
+ err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
+ &src, target);
+ if (err)
+- return err;
++ goto fail;
+
+ /* Put real data in the dummy. */
+ extdesc->addr = *target;
+@@ -256,6 +263,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ /* Write the tree to heap. */
+ grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
+ return GRUB_ERR_NONE;
++
++ fail:
++ memorymap->first_child = NULL;
++
++ grub_free (driverkey->data);
++ grub_free (driverkey->name);
++ grub_free (driverkey);
++
++ return err;
+ }
+
+ /* Find a key or value in parent key. */
diff --git a/SOURCES/0424-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch b/SOURCES/0424-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
new file mode 100644
index 0000000..ba24db2
--- /dev/null
+++ b/SOURCES/0424-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 30 Nov 2020 10:36:00 -0300
+Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it
+
+Fixes: CID 73654
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/xnu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index af885a648c6..49641b8bbc2 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -671,6 +671,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ char *name, *nameend;
+ int namelen;
+
++ if (infoplistname == NULL)
++ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename"));
++
+ name = get_name_ptr (infoplistname);
+ nameend = grub_strchr (name, '/');
+
+@@ -702,10 +705,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ else
+ macho = 0;
+
+- if (infoplistname)
+- infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+- else
+- infoplist = 0;
++ infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+ grub_errno = GRUB_ERR_NONE;
+ if (infoplist)
+ {
diff --git a/SOURCES/0425-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch b/SOURCES/0425-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
new file mode 100644
index 0000000..c90ca09
--- /dev/null
+++ b/SOURCES/0425-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 14:33:50 +0000
+Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value
+
+The return value of ftell() may be negative (-1) on error. While it is
+probably unlikely to occur, we should not blindly cast to an unsigned
+value without first testing that it is not negative.
+
+Fixes: CID 73856
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/grub-editenv.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-editenv.c b/util/grub-editenv.c
+index 2918bb71cfe..e9011e0fbde 100644
+--- a/util/grub-editenv.c
++++ b/util/grub-editenv.c
+@@ -128,6 +128,7 @@ open_envblk_file (const char *name)
+ {
+ FILE *fp;
+ char *buf;
++ long loc;
+ size_t size;
+ grub_envblk_t envblk;
+
+@@ -146,7 +147,12 @@ open_envblk_file (const char *name)
+ grub_util_error (_("cannot seek `%s': %s"), name,
+ strerror (errno));
+
+- size = (size_t) ftell (fp);
++ loc = ftell (fp);
++ if (loc < 0)
++ grub_util_error (_("cannot get file location `%s': %s"), name,
++ strerror (errno));
++
++ size = (size_t) loc;
+
+ if (fseek (fp, 0, SEEK_SET) < 0)
+ grub_util_error (_("cannot seek `%s': %s"), name,
diff --git a/SOURCES/0426-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch b/SOURCES/0426-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
new file mode 100644
index 0000000..ad3a0d6
--- /dev/null
+++ b/SOURCES/0426-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:04:28 +0000
+Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value
+
+It is possible for the ftell() function to return a negative value,
+although it is fairly unlikely here, we should be checking for
+a negative value before we assign it to an unsigned value.
+
+Fixes: CID 73744
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/glue-efi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/util/glue-efi.c b/util/glue-efi.c
+index 68f53168b58..de0fa6d33d5 100644
+--- a/util/glue-efi.c
++++ b/util/glue-efi.c
+@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename,
+ struct grub_macho_fat_header head;
+ struct grub_macho_fat_arch arch32, arch64;
+ grub_uint32_t size32, size64;
++ long size;
+ char *buf;
+
+ fseek (in32, 0, SEEK_END);
+- size32 = ftell (in32);
++ size = ftell (in32);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name32, strerror (errno));
++ size32 = (grub_uint32_t) size;
+ fseek (in32, 0, SEEK_SET);
++
+ fseek (in64, 0, SEEK_END);
+- size64 = ftell (in64);
++ size = ftell (in64);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name64, strerror (errno));
++ size64 = (grub_uint64_t) size;
+ fseek (in64, 0, SEEK_SET);
+
+ head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC);
diff --git a/SOURCES/0427-script-execute-Fix-NULL-dereference-in-grub_script_e.patch b/SOURCES/0427-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
new file mode 100644
index 0000000..88c7951
--- /dev/null
+++ b/SOURCES/0427-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 3 Apr 2020 23:05:13 +1100
+Subject: [PATCH] script/execute: Fix NULL dereference in
+ grub_script_execute_cmdline()
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index a1aadb9ee05..2e47c046741 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -978,7 +978,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
+ struct grub_script_argv argv = { 0, 0, 0 };
+
+ /* Lookup the command. */
+- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
++ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0])
+ return grub_errno;
+
+ for (i = 0; i < argv.argc; i++) {
diff --git a/SOURCES/0428-commands-ls-Require-device_name-is-not-NULL-before-p.patch b/SOURCES/0428-commands-ls-Require-device_name-is-not-NULL-before-p.patch
new file mode 100644
index 0000000..b916cb1
--- /dev/null
+++ b/SOURCES/0428-commands-ls-Require-device_name-is-not-NULL-before-p.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 16:57:37 +1100
+Subject: [PATCH] commands/ls: Require device_name is not NULL before printing
+
+This can be triggered with:
+ ls -l (0 0*)
+and causes a NULL deref in grub_normal_print_device_info().
+
+I'm not sure if there's any implication with the IEEE 1275 platform.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/ls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
+index 2cdb2acc552..d4dcffd3168 100644
+--- a/grub-core/commands/ls.c
++++ b/grub-core/commands/ls.c
+@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
+ goto fail;
+ }
+
+- if (! *path)
++ if (! *path && device_name)
+ {
+ if (grub_errno == GRUB_ERR_UNKNOWN_FS)
+ grub_errno = GRUB_ERR_NONE;
diff --git a/SOURCES/0429-script-execute-Avoid-crash-when-using-outside-a-func.patch b/SOURCES/0429-script-execute-Avoid-crash-when-using-outside-a-func.patch
new file mode 100644
index 0000000..08fa625
--- /dev/null
+++ b/SOURCES/0429-script-execute-Avoid-crash-when-using-outside-a-func.patch
@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 17:30:42 +1100
+Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a
+ function scope
+
+"$#" represents the number of arguments to a function. It is only
+defined in a function scope, where "scope" is non-NULL. Currently,
+if we attempt to evaluate "$#" outside a function scope, "scope" will
+be NULL and we will crash with a NULL pointer dereference.
+
+Do not attempt to count arguments for "$#" if "scope" is NULL. This
+will result in "$#" being interpreted as an empty string if evaluated
+outside a function scope.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 2e47c046741..17f4dcab2c6 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -519,7 +519,7 @@ gettext_putvar (const char *str, grub_size_t len,
+ return 0;
+
+ /* Enough for any number. */
+- if (len == 1 && str[0] == '#')
++ if (len == 1 && str[0] == '#' && scope != NULL)
+ {
+ grub_snprintf (*ptr, 30, "%u", scope->argv.argc);
+ *ptr += grub_strlen (*ptr);
diff --git a/SOURCES/0430-lib-arg-Block-repeated-short-options-that-require-an.patch b/SOURCES/0430-lib-arg-Block-repeated-short-options-that-require-an.patch
new file mode 100644
index 0000000..63cf2af
--- /dev/null
+++ b/SOURCES/0430-lib-arg-Block-repeated-short-options-that-require-an.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: [PATCH] lib/arg: Block repeated short options that require an
+ argument
+
+Fuzzing found the following crash:
+
+ search -hhhhhhhhhhhhhf
+
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+
+This fixes a OOB write which can cause heap corruption.
+
+Fixes: CVE-2021-20225
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/lib/arg.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609a5e1..537c5e94b83 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+ it can have an argument value. */
+ if (*curshort)
+ {
++ /*
++ * Only permit further short opts if this one doesn't
++ * require a value.
++ */
++ if (opt->type != ARG_TYPE_NONE &&
++ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("missing mandatory option for `%s'"),
++ opt->longarg);
++ goto fail;
++ }
++
+ if (parse_option (cmd, opt, 0, usr) || grub_errno)
+ goto fail;
+ }
diff --git a/SOURCES/0431-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch b/SOURCES/0431-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch
new file mode 100644
index 0000000..4e61d40
--- /dev/null
+++ b/SOURCES/0431-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:18:26 +1100
+Subject: [PATCH] script/execute: Don't crash on a "for" loop with no items
+
+The following crashes the parser:
+
+ for x in; do
+ 0
+ done
+
+This is because grub_script_arglist_to_argv() doesn't consider the
+possibility that arglist is NULL. Catch that explicitly.
+
+This avoids a NULL pointer dereference.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/script/execute.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 17f4dcab2c6..266d99ed337 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -658,6 +658,9 @@ grub_script_arglist_to_argv (struct grub_script_arglist *arglist,
+ struct grub_script_arg *arg = 0;
+ struct grub_script_argv result = { 0, 0, 0 };
+
++ if (arglist == NULL)
++ return 1;
++
+ for (; arglist && arglist->arg; arglist = arglist->next)
+ {
+ if (grub_script_argv_next (&result))
diff --git a/SOURCES/0432-commands-menuentry-Fix-quoting-in-setparams_prefix.patch b/SOURCES/0432-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
new file mode 100644
index 0000000..523dfb1
--- /dev/null
+++ b/SOURCES/0432-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 17:10:48 +1100
+Subject: [PATCH] commands/menuentry: Fix quoting in setparams_prefix()
+
+Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
+says that expressing a quoted single quote will require 3 characters. It
+actually requires (and always did require!) 4 characters:
+
+ str: a'b => a'\''b
+ len: 3 => 6 (2 for the letters + 4 for the quote)
+
+This leads to not allocating enough memory and thus out of bounds writes
+that have been observed to cause heap corruption.
+
+Allocate 4 bytes for each single quote.
+
+Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
+quoting, but it adds 3 as extra overhead on top of the single byte that
+the quote already needs. So it's correct.
+
+Fixes: CVE-2021-20233
+Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/menuentry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 4b5fcf2ce9a..7a533b9741b 100644
+--- a/grub-core/commands/menuentry.c
++++ b/grub-core/commands/menuentry.c
+@@ -239,7 +239,7 @@ setparams_prefix (int argc, char **args)
+ len += 3; /* 3 = 1 space + 2 quotes */
+ p = args[i];
+ while (*p)
+- len += (*p++ == '\'' ? 3 : 1);
++ len += (*p++ == '\'' ? 4 : 1);
+ }
+
+ result = grub_malloc (len + 2);
diff --git a/SOURCES/0433-kern-misc-Always-set-end-in-grub_strtoull.patch b/SOURCES/0433-kern-misc-Always-set-end-in-grub_strtoull.patch
new file mode 100644
index 0000000..8bcb715
--- /dev/null
+++ b/SOURCES/0433-kern-misc-Always-set-end-in-grub_strtoull.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 13 Jan 2021 22:19:01 +1100
+Subject: [PATCH] kern/misc: Always set *end in grub_strtoull()
+
+Currently, if there is an error in grub_strtoull(), *end is not set.
+This differs from the usual behavior of strtoull(), and also means that
+some callers may use an uninitialized value for *end.
+
+Set *end unconditionally.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/misc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index 97378c48b22..475f3e0ef05 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -485,6 +485,10 @@ grub_strtoull (const char *str, const char ** const end, int base)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("overflow is detected"));
++
++ if (end)
++ *end = (char *) str;
++
+ return ~0ULL;
+ }
+
+@@ -496,6 +500,10 @@ grub_strtoull (const char *str, const char ** const end, int base)
+ {
+ grub_error (GRUB_ERR_BAD_NUMBER,
+ N_("unrecognized number"));
++
++ if (end)
++ *end = (char *) str;
++
+ return 0;
+ }
+
diff --git a/SOURCES/0434-video-readers-jpeg-Catch-files-with-unsupported-quan.patch b/SOURCES/0434-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
new file mode 100644
index 0000000..23e9f3e
--- /dev/null
+++ b/SOURCES/0434-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 15 Jan 2021 12:57:04 +1100
+Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
+ or Huffman tables
+
+Our decoder only supports 2 quantization tables. If a file asks for
+a quantization table with index > 1, reject it.
+
+Similarly, our decoder only supports 4 Huffman tables. If a file asks
+for a Huffman table with index > 3, reject it.
+
+This fixes some out of bounds reads. It's not clear what degree of control
+over subsequent execution could be gained by someone who can carefully
+set up the contents of memory before loading an invalid JPEG file.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 0b6ce3cee64..23f919aa070 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ else if (ss != JPEG_SAMPLING_1x1)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: sampling method not supported");
++
+ data->comp_index[id][0] = grub_jpeg_get_byte (data);
++ if (data->comp_index[id][0] > 1)
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: too many quantization tables");
+ }
+
+ if (data->file->offset != next_marker)
+@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ ht = grub_jpeg_get_byte (data);
+ data->comp_index[id][1] = (ht >> 4);
+ data->comp_index[id][2] = (ht & 0xF) + 2;
++
++ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
++ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
+ }
+
+ grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
diff --git a/SOURCES/0435-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch b/SOURCES/0435-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
new file mode 100644
index 0000000..9cd6519
--- /dev/null
+++ b/SOURCES/0435-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 15 Jan 2021 13:29:53 +1100
+Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in
+ grub_jpeg_decode_du()
+
+The key line is:
+
+ du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
+
+jpeg_zigzag_order is grub_uint8_t[64].
+
+I don't understand JPEG decoders quite well enough to explain what's
+going on here. However, I observe sometimes pos=64, which leads to an
+OOB read of the jpeg_zigzag_order global then an OOB write to du.
+That leads to various unpleasant memory corruption conditions.
+
+Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 23f919aa070..e5148120f69 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ val = grub_jpeg_get_number (data, num & 0xF);
+ num >>= 4;
+ pos += num;
++
++ if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: invalid position in zigzag order!?");
++ return;
++ }
++
+ du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
+ pos++;
+ }
diff --git a/SOURCES/0436-video-readers-jpeg-Don-t-decode-data-before-start-of.patch b/SOURCES/0436-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
new file mode 100644
index 0000000..8fc6b13
--- /dev/null
+++ b/SOURCES/0436-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 15 Jan 2021 14:06:46 +1100
+Subject: [PATCH] video/readers/jpeg: Don't decode data before start of stream
+
+When a start of stream marker is encountered, we call grub_jpeg_decode_sos()
+which allocates space for a bitmap.
+
+When a restart marker is encountered, we call grub_jpeg_decode_data() which
+then fills in that bitmap.
+
+If we get a restart marker before the start of stream marker, we will
+attempt to write to a bitmap_ptr that hasn't been allocated. Catch this
+and bail out. This fixes an attempt to write to NULL.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index e5148120f69..e31602f766a 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -646,6 +646,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
+ nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
++ if (data->bitmap_ptr == NULL)
++ return grub_error(GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: attempted to decode data before start of stream");
++
+ for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+ for (c1 = 0; c1 < nc1 && (!data->dri || rst);
diff --git a/SOURCES/0437-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch b/SOURCES/0437-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch
new file mode 100644
index 0000000..533481d
--- /dev/null
+++ b/SOURCES/0437-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 15 Jan 2021 20:03:20 +1100
+Subject: [PATCH] term/gfxterm: Don't set up a font with glyphs that are too
+ big
+
+Catch the case where we have a font so big that it causes the number of
+rows or columns to be 0. Currently we continue and allocate a
+virtual_screen.text_buffer of size 0. We then try to use that for glpyhs
+and things go badly.
+
+On the emu platform, malloc() may give us a valid pointer, in which case
+we'll access heap memory which we shouldn't. Alternatively, it may give us
+NULL, in which case we'll crash. For other platforms, if I understand
+grub_memalign() correctly, we will receive a valid but small allocation
+that we will very likely later overrun.
+
+Prevent the creation of a virtual screen that isn't at least 40 cols
+by 12 rows. This is arbitrary, but it seems that if your width or height
+is half a standard 80x24 terminal, you're probably going to struggle to
+read anything anyway.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/term/gfxterm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/term/gfxterm.c b/grub-core/term/gfxterm.c
+index af7c090a3e7..b40fcce9151 100644
+--- a/grub-core/term/gfxterm.c
++++ b/grub-core/term/gfxterm.c
+@@ -232,6 +232,15 @@ grub_virtual_screen_setup (unsigned int x, unsigned int y,
+ virtual_screen.columns = virtual_screen.width / virtual_screen.normal_char_width;
+ virtual_screen.rows = virtual_screen.height / virtual_screen.normal_char_height;
+
++ /*
++ * There must be a minimum number of rows and columns for the screen to
++ * make sense. Arbitrarily pick half of 80x24. If either dimensions is 0
++ * we would allocate 0 bytes for the text_buffer.
++ */
++ if (virtual_screen.columns < 40 || virtual_screen.rows < 12)
++ return grub_error (GRUB_ERR_BAD_FONT,
++ "font: glyphs too large to fit on screen");
++
+ /* Allocate memory for text buffer. */
+ virtual_screen.text_buffer =
+ (struct grub_colored_char *) grub_malloc (virtual_screen.columns
diff --git a/SOURCES/0438-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch b/SOURCES/0438-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch
new file mode 100644
index 0000000..67c4b55
--- /dev/null
+++ b/SOURCES/0438-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 11:46:39 +1100
+Subject: [PATCH] fs/fshelp: Catch impermissibly large block sizes in read
+ helper
+
+A fuzzed HFS+ filesystem had log2blocksize = 22. This gave
+log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000,
+which is -1 as an int. This caused some wacky behavior later on in
+the function, leading to out-of-bounds writes on the destination buffer.
+
+Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter,
+but this is the minimum that will prevent integer size weirdness.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/fshelp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/grub-core/fs/fshelp.c b/grub-core/fs/fshelp.c
+index 4c902adf381..a2d0d297a52 100644
+--- a/grub-core/fs/fshelp.c
++++ b/grub-core/fs/fshelp.c
+@@ -362,6 +362,18 @@ grub_fshelp_read_file (grub_disk_t disk, grub_fshelp_node_t node,
+ grub_disk_addr_t i, blockcnt;
+ int blocksize = 1 << (log2blocksize + GRUB_DISK_SECTOR_BITS);
+
++ /*
++ * Catch blatantly invalid log2blocksize. We could be a lot stricter, but
++ * this is the most permissive we can be before we start to see integer
++ * overflow/underflow issues.
++ */
++ if (log2blocksize + GRUB_DISK_SECTOR_BITS >= 31)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("blocksize too large"));
++ return -1;
++ }
++
+ if (pos > filesize)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
diff --git a/SOURCES/0439-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch b/SOURCES/0439-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch
new file mode 100644
index 0000000..6d15b85
--- /dev/null
+++ b/SOURCES/0439-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 18:13:56 +1100
+Subject: [PATCH] fs/hfsplus: Don't fetch a key beyond the end of the node
+
+Otherwise you get a wild pointer, leading to a bunch of invalid reads.
+Check it falls inside the given node.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/hfsplus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 03a33ea2477..423f4b956ba 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -635,6 +635,10 @@ grub_hfsplus_btree_search (struct grub_hfsplus_btree *btree,
+ pointer = ((char *) currkey
+ + grub_be_to_cpu16 (currkey->keylen)
+ + 2);
++
++ if ((char *) pointer > node + btree->nodesize - 2)
++ return grub_error (GRUB_ERR_BAD_FS, "HFS+ key beyond end of node");
++
+ currnode = grub_be_to_cpu32 (grub_get_unaligned32 (pointer));
+ match = 1;
+ }
diff --git a/SOURCES/0440-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch b/SOURCES/0440-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch
new file mode 100644
index 0000000..6418541
--- /dev/null
+++ b/SOURCES/0440-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch
@@ -0,0 +1,104 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 2 Feb 2021 16:59:35 +1100
+Subject: [PATCH] fs/hfsplus: Don't use uninitialized data on corrupt
+ filesystems
+
+Valgrind identified the following use of uninitialized data:
+
+ ==2782220== Conditional jump or move depends on uninitialised value(s)
+ ==2782220== at 0x42B364: grub_hfsplus_btree_search (hfsplus.c:566)
+ ==2782220== by 0x42B21D: grub_hfsplus_read_block (hfsplus.c:185)
+ ==2782220== by 0x42A693: grub_fshelp_read_file (fshelp.c:386)
+ ==2782220== by 0x42C598: grub_hfsplus_read_file (hfsplus.c:219)
+ ==2782220== by 0x42C598: grub_hfsplus_mount (hfsplus.c:330)
+ ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958)
+ ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73)
+ ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186)
+ ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284)
+ ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55)
+ ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59)
+ ==2782220== by 0x4045A6: fstest (grub-fstest.c:433)
+ ==2782220== by 0x4045A6: main (grub-fstest.c:772)
+ ==2782220== Uninitialised value was created by a heap allocation
+ ==2782220== at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==2782220== by 0x4C0305: grub_malloc (mm.c:42)
+ ==2782220== by 0x42C21D: grub_hfsplus_mount (hfsplus.c:239)
+ ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958)
+ ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73)
+ ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186)
+ ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284)
+ ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55)
+ ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59)
+ ==2782220== by 0x4045A6: fstest (grub-fstest.c:433)
+ ==2782220== by 0x4045A6: main (grub-fstest.c:772)
+
+This happens when the process of reading the catalog file goes sufficiently
+wrong that there's an attempt to read the extent overflow file, which has
+not yet been loaded. Keep track of when the extent overflow file is
+fully loaded and refuse to use it before then.
+
+The load valgrind doesn't like is btree->nodesize, and that's then used
+to allocate a data structure. It looks like there are subsequently a lot
+of reads based on that pointer so OOB reads are likely, and indeed crashes
+(albeit difficult-to-replicate ones) have been observed in fuzzing.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/hfsplus.c | 14 ++++++++++++++
+ include/grub/hfsplus.h | 2 ++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 423f4b956ba..8c0c804735d 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -177,6 +177,17 @@ grub_hfsplus_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ break;
+ }
+
++ /*
++ * If the extent overflow tree isn't ready yet, we can't look
++ * in it. This can happen where the catalog file is corrupted.
++ */
++ if (!node->data->extoverflow_tree_ready)
++ {
++ grub_error (GRUB_ERR_BAD_FS,
++ "attempted to read extent overflow tree before loading");
++ break;
++ }
++
+ /* Set up the key to look for in the extent overflow file. */
+ extoverflow.extkey.fileid = node->fileid;
+ extoverflow.extkey.type = 0;
+@@ -241,6 +252,7 @@ grub_hfsplus_mount (grub_disk_t disk)
+ return 0;
+
+ data->disk = disk;
++ data->extoverflow_tree_ready = 0;
+
+ /* Read the bootblock. */
+ grub_disk_read (disk, GRUB_HFSPLUS_SBLOCK, 0, sizeof (volheader),
+@@ -357,6 +369,8 @@ grub_hfsplus_mount (grub_disk_t disk)
+ if (data->extoverflow_tree.nodesize < 2)
+ goto fail;
+
++ data->extoverflow_tree_ready = 1;
++
+ if (grub_hfsplus_read_file (&data->attr_tree.file, 0, 0,
+ sizeof (struct grub_hfsplus_btnode),
+ sizeof (header), (char *) &header) <= 0)
+diff --git a/include/grub/hfsplus.h b/include/grub/hfsplus.h
+index 117740ae269..e14dd31ff54 100644
+--- a/include/grub/hfsplus.h
++++ b/include/grub/hfsplus.h
+@@ -113,6 +113,8 @@ struct grub_hfsplus_data
+ struct grub_hfsplus_btree extoverflow_tree;
+ struct grub_hfsplus_btree attr_tree;
+
++ int extoverflow_tree_ready;
++
+ struct grub_hfsplus_file dirroot;
+ struct grub_hfsplus_file opened_file;
+
diff --git a/SOURCES/0441-fs-hfs-Disable-under-lockdown.patch b/SOURCES/0441-fs-hfs-Disable-under-lockdown.patch
new file mode 100644
index 0000000..e2971f0
--- /dev/null
+++ b/SOURCES/0441-fs-hfs-Disable-under-lockdown.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 12:19:07 +1100
+Subject: [PATCH] fs/hfs: Disable under lockdown
+
+HFS has issues such as infinite mutual recursion that are simply too
+complex to fix for such a legacy format. So simply do not permit
+it to be loaded under lockdown.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/hfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
+index 3fd4eec202c..49d1831c808 100644
+--- a/grub-core/fs/hfs.c
++++ b/grub-core/fs/hfs.c
+@@ -30,6 +30,7 @@
+ #include <grub/hfs.h>
+ #include <grub/i18n.h>
+ #include <grub/fshelp.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1433,11 +1434,13 @@ static struct grub_fs grub_hfs_fs =
+
+ GRUB_MOD_INIT(hfs)
+ {
+- grub_fs_register (&grub_hfs_fs);
++ if (!grub_is_lockdown ())
++ grub_fs_register (&grub_hfs_fs);
+ my_mod = mod;
+ }
+
+ GRUB_MOD_FINI(hfs)
+ {
+- grub_fs_unregister (&grub_hfs_fs);
++ if (!grub_is_lockdown())
++ grub_fs_unregister (&grub_hfs_fs);
+ }
diff --git a/SOURCES/0442-fs-sfs-Fix-over-read-of-root-object-name.patch b/SOURCES/0442-fs-sfs-Fix-over-read-of-root-object-name.patch
new file mode 100644
index 0000000..dddbe7f
--- /dev/null
+++ b/SOURCES/0442-fs-sfs-Fix-over-read-of-root-object-name.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 14:34:58 +1100
+Subject: [PATCH] fs/sfs: Fix over-read of root object name
+
+There's a read of the name of the root object that assumes that the name
+is nul-terminated within the root block. This isn't guaranteed - it seems
+SFS would require you to read multiple blocks to get a full name in general,
+but maybe that doesn't apply to the root object.
+
+Either way, figure out how much space is left in the root block and don't
+over-read it. This fixes some OOB reads.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/sfs.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 3ddc6b5e287..61d6c303cb3 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -373,6 +373,7 @@ grub_sfs_mount (grub_disk_t disk)
+ struct grub_sfs_objc *rootobjc;
+ char *rootobjc_data = 0;
+ grub_uint32_t blk;
++ unsigned int max_len;
+
+ data = grub_malloc (sizeof (*data));
+ if (!data)
+@@ -421,7 +422,13 @@ grub_sfs_mount (grub_disk_t disk)
+ data->diropen.data = data;
+ data->diropen.cache = 0;
+ data->disk = disk;
+- data->label = grub_strdup ((char *) (rootobjc->objects[0].filename));
++
++ /* We only read 1 block of data, so truncate the name if needed. */
++ max_len = ((GRUB_DISK_SECTOR_SIZE << data->log_blocksize)
++ - 24 /* offsetof (struct grub_sfs_objc, objects) */
++ - 25); /* offsetof (struct grub_sfs_obj, filename) */
++ data->label = grub_zalloc (max_len + 1);
++ grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len);
+
+ grub_free (rootobjc_data);
+ return data;
diff --git a/SOURCES/0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch b/SOURCES/0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch
new file mode 100644
index 0000000..7c75a3b
--- /dev/null
+++ b/SOURCES/0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 14:51:11 +1100
+Subject: [PATCH] fs/jfs: Do not move to leaf level if name length is negative
+
+Fuzzing JFS revealed crashes where a negative number would be passed
+to le_to_cpu16_copy(). There it would be cast to a large positive number
+and the copy would read and write off the end of the respective buffers.
+
+Catch this at the top as well as the bottom of the loop.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/jfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
+index aab3e8c7b7d..1819899bdec 100644
+--- a/grub-core/fs/jfs.c
++++ b/grub-core/fs/jfs.c
+@@ -563,7 +563,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro)
+
+ /* Move down to the leaf level. */
+ nextent = leaf->next;
+- if (leaf->next != 255)
++ if (leaf->next != 255 && len > 0)
+ do
+ {
+ next_leaf = &diro->next_leaf[nextent];
diff --git a/SOURCES/0444-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch b/SOURCES/0444-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch
new file mode 100644
index 0000000..91ab8db
--- /dev/null
+++ b/SOURCES/0444-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 14:57:17 +1100
+Subject: [PATCH] fs/jfs: Limit the extents that getblk() can consider
+
+getblk() implicitly trusts that treehead->count is an accurate count of
+the number of extents. However, that value is read from disk and is not
+trustworthy, leading to OOB reads and crashes. I am not sure to what
+extent the data read from OOB can influence subsequent program execution.
+
+Require callers to pass in the maximum number of extents for which
+they have storage.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/jfs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
+index 1819899bdec..6e81f37da6c 100644
+--- a/grub-core/fs/jfs.c
++++ b/grub-core/fs/jfs.c
+@@ -261,13 +261,15 @@ static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint
+ static grub_int64_t
+ getblk (struct grub_jfs_treehead *treehead,
+ struct grub_jfs_tree_extent *extents,
++ int max_extents,
+ struct grub_jfs_data *data,
+ grub_uint64_t blk)
+ {
+ int found = -1;
+ int i;
+
+- for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2; i++)
++ for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&
++ i < max_extents; i++)
+ {
+ if (treehead->flags & GRUB_JFS_TREE_LEAF)
+ {
+@@ -302,7 +304,7 @@ getblk (struct grub_jfs_treehead *treehead,
+ << (grub_le_to_cpu16 (data->sblock.log2_blksz)
+ - GRUB_DISK_SECTOR_BITS), 0,
+ sizeof (*tree), (char *) tree))
+- ret = getblk (&tree->treehead, &tree->extents[0], data, blk);
++ ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+ grub_free (tree);
+ return ret;
+ }
+@@ -316,7 +318,7 @@ static grub_int64_t
+ grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode,
+ grub_uint64_t blk)
+ {
+- return getblk (&inode->file.tree, &inode->file.extents[0], data, blk);
++ return getblk (&inode->file.tree, &inode->file.extents[0], 16, data, blk);
+ }
+
+
diff --git a/SOURCES/0445-fs-jfs-Catch-infinite-recursion.patch b/SOURCES/0445-fs-jfs-Catch-infinite-recursion.patch
new file mode 100644
index 0000000..dee5914
--- /dev/null
+++ b/SOURCES/0445-fs-jfs-Catch-infinite-recursion.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 15:47:24 +1100
+Subject: [PATCH] fs/jfs: Catch infinite recursion
+
+It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
+the same data over and over again, leading to stack exhaustion.
+
+Check if we'd be calling the function with exactly the same data as
+was passed in, and if so abort.
+
+I'm not sure what the performance impact of this is and am open to
+better ideas.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/jfs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
+index 6e81f37da6c..20d966abfc0 100644
+--- a/grub-core/fs/jfs.c
++++ b/grub-core/fs/jfs.c
+@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
+ << (grub_le_to_cpu16 (data->sblock.log2_blksz)
+ - GRUB_DISK_SECTOR_BITS), 0,
+ sizeof (*tree), (char *) tree))
+- ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
++ {
++ if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
++ grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
++ ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
++ else
++ {
++ grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
++ ret = -1;
++ }
++ }
+ grub_free (tree);
+ return ret;
+ }
diff --git a/SOURCES/0446-fs-nilfs2-Reject-too-large-keys.patch b/SOURCES/0446-fs-nilfs2-Reject-too-large-keys.patch
new file mode 100644
index 0000000..76c864f
--- /dev/null
+++ b/SOURCES/0446-fs-nilfs2-Reject-too-large-keys.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 16:49:09 +1100
+Subject: [PATCH] fs/nilfs2: Reject too-large keys
+
+NILFS2 has up to 7 keys, per the data structure. Do not permit array
+indices in excess of that.
+
+This catches some OOB reads. I don't know how controllable the invalidly
+read data is or if that could be used later in the program.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/nilfs2.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
+index 598a2a55baf..61e8af9ff7b 100644
+--- a/grub-core/fs/nilfs2.c
++++ b/grub-core/fs/nilfs2.c
+@@ -569,6 +569,11 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
+ static inline grub_uint64_t
+ grub_nilfs2_direct_lookup (struct grub_nilfs2_inode *inode, grub_uint64_t key)
+ {
++ if (1 + key > 6)
++ {
++ grub_error (GRUB_ERR_BAD_FS, "key is too large");
++ return 0xffffffffffffffff;
++ }
+ return grub_le_to_cpu64 (inode->i_bmap[1 + key]);
+ }
+
+@@ -584,7 +589,7 @@ grub_nilfs2_bmap_lookup (struct grub_nilfs2_data *data,
+ {
+ grub_uint64_t ptr;
+ ptr = grub_nilfs2_direct_lookup (inode, key);
+- if (need_translate)
++ if (ptr != ((grub_uint64_t) 0xffffffffffffffff) && need_translate)
+ ptr = grub_nilfs2_dat_translate (data, ptr);
+ return ptr;
+ }
diff --git a/SOURCES/0447-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch b/SOURCES/0447-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch
new file mode 100644
index 0000000..a46141a
--- /dev/null
+++ b/SOURCES/0447-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch
@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 16:49:44 +1100
+Subject: [PATCH] fs/nilfs2: Don't search children if provided number is too
+ large
+
+NILFS2 reads the number of children a node has from the node. Unfortunately,
+that's not trustworthy. Check if it's beyond what the filesystem permits and
+reject it if so.
+
+This blocks some OOB reads. I'm not sure how controllable the read is and what
+could be done with invalidly read data later on.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/nilfs2.c | 38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
+index 61e8af9ff7b..054ad3dc18a 100644
+--- a/grub-core/fs/nilfs2.c
++++ b/grub-core/fs/nilfs2.c
+@@ -416,14 +416,34 @@ grub_nilfs2_btree_node_get_key (struct grub_nilfs2_btree_node *node,
+ }
+
+ static inline int
+-grub_nilfs2_btree_node_lookup (struct grub_nilfs2_btree_node *node,
++grub_nilfs2_btree_node_nchildren_max (struct grub_nilfs2_data *data,
++ struct grub_nilfs2_btree_node *node)
++{
++ int node_children_max = ((NILFS2_BLOCK_SIZE (data) -
++ sizeof (struct grub_nilfs2_btree_node) -
++ NILFS_BTREE_NODE_EXTRA_PAD_SIZE) /
++ (sizeof (grub_uint64_t) + sizeof (grub_uint64_t)));
++
++ return (node->bn_flags & NILFS_BTREE_NODE_ROOT) ? 3 : node_children_max;
++}
++
++static inline int
++grub_nilfs2_btree_node_lookup (struct grub_nilfs2_data *data,
++ struct grub_nilfs2_btree_node *node,
+ grub_uint64_t key, int *indexp)
+ {
+ grub_uint64_t nkey;
+ int index, low, high, s;
+
+ low = 0;
++
+ high = grub_le_to_cpu16 (node->bn_nchildren) - 1;
++ if (high >= grub_nilfs2_btree_node_nchildren_max (data, node))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "too many children");
++ return 0;
++ }
++
+ index = 0;
+ s = 0;
+ while (low <= high)
+@@ -459,18 +479,6 @@ grub_nilfs2_btree_node_lookup (struct grub_nilfs2_btree_node *node,
+ return s == 0;
+ }
+
+-static inline int
+-grub_nilfs2_btree_node_nchildren_max (struct grub_nilfs2_data *data,
+- struct grub_nilfs2_btree_node *node)
+-{
+- int node_children_max = ((NILFS2_BLOCK_SIZE (data) -
+- sizeof (struct grub_nilfs2_btree_node) -
+- NILFS_BTREE_NODE_EXTRA_PAD_SIZE) /
+- (sizeof (grub_uint64_t) + sizeof (grub_uint64_t)));
+-
+- return (node->bn_flags & NILFS_BTREE_NODE_ROOT) ? 3 : node_children_max;
+-}
+-
+ static inline grub_uint64_t *
+ grub_nilfs2_btree_node_dptrs (struct grub_nilfs2_data *data,
+ struct grub_nilfs2_btree_node *node)
+@@ -517,7 +525,7 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
+ node = grub_nilfs2_btree_get_root (inode);
+ level = grub_nilfs2_btree_get_level (node);
+
+- found = grub_nilfs2_btree_node_lookup (node, key, &index);
++ found = grub_nilfs2_btree_node_lookup (data, node, key, &index);
+ ptr = grub_nilfs2_btree_node_get_ptr (data, node, index);
+ if (need_translate)
+ ptr = grub_nilfs2_dat_translate (data, ptr);
+@@ -538,7 +546,7 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
+ }
+
+ if (!found)
+- found = grub_nilfs2_btree_node_lookup (node, key, &index);
++ found = grub_nilfs2_btree_node_lookup (data, node, key, &index);
+ else
+ index = 0;
+
diff --git a/SOURCES/0448-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch b/SOURCES/0448-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch
new file mode 100644
index 0000000..4f90e76
--- /dev/null
+++ b/SOURCES/0448-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 18 Jan 2021 17:06:19 +1100
+Subject: [PATCH] fs/nilfs2: Properly bail on errors in
+ grub_nilfs2_btree_node_lookup()
+
+We just introduced an error return in grub_nilfs2_btree_node_lookup().
+Make sure the callers catch it.
+
+At the same time, make sure that grub_nilfs2_btree_node_lookup() always
+inits the index pointer passed to it.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/nilfs2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
+index 054ad3dc18a..c4c4610bec0 100644
+--- a/grub-core/fs/nilfs2.c
++++ b/grub-core/fs/nilfs2.c
+@@ -433,7 +433,7 @@ grub_nilfs2_btree_node_lookup (struct grub_nilfs2_data *data,
+ grub_uint64_t key, int *indexp)
+ {
+ grub_uint64_t nkey;
+- int index, low, high, s;
++ int index = 0, low, high, s;
+
+ low = 0;
+
+@@ -441,10 +441,10 @@ grub_nilfs2_btree_node_lookup (struct grub_nilfs2_data *data,
+ if (high >= grub_nilfs2_btree_node_nchildren_max (data, node))
+ {
+ grub_error (GRUB_ERR_BAD_FS, "too many children");
++ *indexp = index;
+ return 0;
+ }
+
+- index = 0;
+ s = 0;
+ while (low <= high)
+ {
+@@ -526,6 +526,10 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
+ level = grub_nilfs2_btree_get_level (node);
+
+ found = grub_nilfs2_btree_node_lookup (data, node, key, &index);
++
++ if (grub_errno != GRUB_ERR_NONE)
++ goto fail;
++
+ ptr = grub_nilfs2_btree_node_get_ptr (data, node, index);
+ if (need_translate)
+ ptr = grub_nilfs2_dat_translate (data, ptr);
+@@ -550,7 +554,8 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
+ else
+ index = 0;
+
+- if (index < grub_nilfs2_btree_node_nchildren_max (data, node))
++ if (index < grub_nilfs2_btree_node_nchildren_max (data, node) &&
++ grub_errno == GRUB_ERR_NONE)
+ {
+ ptr = grub_nilfs2_btree_node_get_ptr (data, node, index);
+ if (need_translate)
diff --git a/SOURCES/0449-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch b/SOURCES/0449-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch
new file mode 100644
index 0000000..d50a182
--- /dev/null
+++ b/SOURCES/0449-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 13 Jan 2021 20:59:09 +1100
+Subject: [PATCH] io/gzio: Bail if gzio->tl/td is NULL
+
+This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
+However, it seems to be sufficient to patch up a bunch of NULL derefs.
+
+It would be good to revisit this in future and see if we can have
+a cleaner solution that addresses some of the causes of the unexpected
+NULL pointers.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/io/gzio.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
+index 2ecf076dd5e..6e9b9c9361a 100644
+--- a/grub-core/io/gzio.c
++++ b/grub-core/io/gzio.c
+@@ -669,6 +669,13 @@ inflate_codes_in_window (grub_gzio_t gzio)
+ {
+ if (! gzio->code_state)
+ {
++
++ if (gzio->tl == NULL)
++ {
++ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
++ return 1;
++ }
++
+ NEEDBITS ((unsigned) gzio->bl);
+ if ((e = (t = gzio->tl + ((unsigned) b & ml))->e) > 16)
+ do
+@@ -707,6 +714,12 @@ inflate_codes_in_window (grub_gzio_t gzio)
+ n = t->v.n + ((unsigned) b & mask_bits[e]);
+ DUMPBITS (e);
+
++ if (gzio->td == NULL)
++ {
++ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->td");
++ return 1;
++ }
++
+ /* decode distance of block to copy */
+ NEEDBITS ((unsigned) gzio->bd);
+ if ((e = (t = gzio->td + ((unsigned) b & md))->e) > 16)
+@@ -917,6 +930,13 @@ init_dynamic_block (grub_gzio_t gzio)
+ n = nl + nd;
+ m = mask_bits[gzio->bl];
+ i = l = 0;
++
++ if (gzio->tl == NULL)
++ {
++ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
++ return;
++ }
++
+ while ((unsigned) i < n)
+ {
+ NEEDBITS ((unsigned) gzio->bl);
diff --git a/SOURCES/0450-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch b/SOURCES/0450-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch
new file mode 100644
index 0000000..9e33dee
--- /dev/null
+++ b/SOURCES/0450-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 00:05:58 +1100
+Subject: [PATCH] io/gzio: Add init_dynamic_block() clean up if unpacking codes
+ fails
+
+init_dynamic_block() didn't clean up gzio->tl and td in some error
+paths. This left td pointing to part of tl. Then in grub_gzio_close(),
+when tl was freed the storage for td would also be freed. The code then
+attempts to free td explicitly, performing a UAF and then a double free.
+
+Explicitly clean up tl and td in the error paths.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/io/gzio.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
+index 6e9b9c9361a..97b34f88574 100644
+--- a/grub-core/io/gzio.c
++++ b/grub-core/io/gzio.c
+@@ -953,7 +953,7 @@ init_dynamic_block (grub_gzio_t gzio)
+ if ((unsigned) i + j > n)
+ {
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "too many codes found");
+- return;
++ goto fail;
+ }
+ while (j--)
+ ll[i++] = l;
+@@ -966,7 +966,7 @@ init_dynamic_block (grub_gzio_t gzio)
+ if ((unsigned) i + j > n)
+ {
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "too many codes found");
+- return;
++ goto fail;
+ }
+ while (j--)
+ ll[i++] = 0;
+@@ -981,7 +981,7 @@ init_dynamic_block (grub_gzio_t gzio)
+ if ((unsigned) i + j > n)
+ {
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "too many codes found");
+- return;
++ goto fail;
+ }
+ while (j--)
+ ll[i++] = 0;
+@@ -1019,6 +1019,12 @@ init_dynamic_block (grub_gzio_t gzio)
+ /* indicate we're now working on a block */
+ gzio->code_state = 0;
+ gzio->block_len++;
++ return;
++
++ fail:
++ huft_free (gzio->tl);
++ gzio->td = NULL;
++ gzio->tl = NULL;
+ }
+
+
diff --git a/SOURCES/0451-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch b/SOURCES/0451-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch
new file mode 100644
index 0000000..1d1c372
--- /dev/null
+++ b/SOURCES/0451-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 12:20:49 +1100
+Subject: [PATCH] io/gzio: Catch missing values in huft_build() and bail
+
+In huft_build(), "v" is a table of values in order of bit length.
+The code later (when setting up table entries in "r") assumes that all
+elements of this array corresponding to a code are initialized and less
+than N_MAX. However, it doesn't enforce this.
+
+With sufficiently manipulated inputs (e.g. from fuzzing), there can be
+elements of "v" that are not filled. Therefore a lookup into "e" or "d"
+will use an uninitialized value. This can lead to an invalid/OOB read on
+those values, often leading to a crash.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/io/gzio.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
+index 97b34f88574..f85dbae237d 100644
+--- a/grub-core/io/gzio.c
++++ b/grub-core/io/gzio.c
+@@ -507,6 +507,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
+ }
+
+ /* Make a table of values in order of bit lengths */
++ grub_memset (v, N_MAX, ARRAY_SIZE (v));
+ p = b;
+ i = 0;
+ do
+@@ -588,11 +589,18 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
+ r.v.n = (ush) (*p); /* simple code is just the value */
+ p++; /* one compiler does not like *p++ */
+ }
+- else
++ else if (*p < N_MAX)
+ {
+ r.e = (uch) e[*p - s]; /* non-simple--look up in lists */
+ r.v.n = d[*p++ - s];
+ }
++ else
++ {
++ /* Detected an uninitialised value, abort. */
++ if (h)
++ huft_free (u[0]);
++ return 2;
++ }
+
+ /* fill code-like entries with r */
+ f = 1 << (k - w);
diff --git a/SOURCES/0452-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch b/SOURCES/0452-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch
new file mode 100644
index 0000000..c75f528
--- /dev/null
+++ b/SOURCES/0452-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 12:22:28 +1100
+Subject: [PATCH] io/gzio: Zero gzio->tl/td in init_dynamic_block() if
+ huft_build() fails
+
+If huft_build() fails, gzio->tl or gzio->td could contain pointers that
+are no longer valid. Zero them out.
+
+This prevents a double free when grub_gzio_close() comes through and
+attempts to free them again.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/io/gzio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
+index f85dbae237d..e9f332fbcd9 100644
+--- a/grub-core/io/gzio.c
++++ b/grub-core/io/gzio.c
+@@ -1010,6 +1010,7 @@ init_dynamic_block (grub_gzio_t gzio)
+ gzio->bl = lbits;
+ if (huft_build (ll, nl, 257, cplens, cplext, &gzio->tl, &gzio->bl) != 0)
+ {
++ gzio->tl = 0;
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA,
+ "failed in building a Huffman code table");
+ return;
+@@ -1019,6 +1020,7 @@ init_dynamic_block (grub_gzio_t gzio)
+ {
+ huft_free (gzio->tl);
+ gzio->tl = 0;
++ gzio->td = 0;
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA,
+ "failed in building a Huffman code table");
+ return;
diff --git a/SOURCES/0453-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch b/SOURCES/0453-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch
new file mode 100644
index 0000000..3a8cb85
--- /dev/null
+++ b/SOURCES/0453-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 17:59:14 +1100
+Subject: [PATCH] disk/lvm: Don't go beyond the end of the data we read from
+ disk
+
+We unconditionally trusted offset_xl from the LVM label header, even if
+it told us that the PV header/disk locations were way off past the end
+of the data we read from disk.
+
+Require that the offset be sane, fixing an OOB read and crash.
+
+Fixes: CID 314367, CID 314371
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/lvm.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 4fbb3eac0ea..0f466040a55 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -142,6 +142,20 @@ grub_lvm_detect (grub_disk_t disk,
+ goto fail;
+ }
+
++ /*
++ * We read a grub_lvm_pv_header and then 2 grub_lvm_disk_locns that
++ * immediately follow the PV header. Make sure we have space for both.
++ */
++ if (grub_le_to_cpu32 (lh->offset_xl) >=
++ GRUB_LVM_LABEL_SIZE - sizeof (struct grub_lvm_pv_header) -
++ 2 * sizeof (struct grub_lvm_disk_locn))
++ {
++#ifdef GRUB_UTIL
++ grub_util_info ("LVM PV header/disk locations are beyond the end of the block");
++#endif
++ goto fail;
++ }
++
+ pvh = (struct grub_lvm_pv_header *) (buf + grub_le_to_cpu32(lh->offset_xl));
+
+ for (i = 0, j = 0; i < GRUB_LVM_ID_LEN; i++)
diff --git a/SOURCES/0454-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch b/SOURCES/0454-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch
new file mode 100644
index 0000000..8793efc
--- /dev/null
+++ b/SOURCES/0454-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 18:19:51 +1100
+Subject: [PATCH] disk/lvm: Don't blast past the end of the circular metadata
+ buffer
+
+This catches at least some OOB reads, and it's possible I suppose that
+if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some
+OOB writes too (although that hasn't showed up as a crash in fuzzing yet).
+
+It's a bit ugly and I'd appreciate better suggestions.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/lvm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 0f466040a55..ec3545e164b 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -215,6 +215,16 @@ grub_lvm_detect (grub_disk_t disk,
+ if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) >
+ grub_le_to_cpu64 (mdah->size))
+ {
++ if (2 * mda_size < GRUB_LVM_MDA_HEADER_SIZE ||
++ (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) -
++ grub_le_to_cpu64 (mdah->size) > mda_size - GRUB_LVM_MDA_HEADER_SIZE))
++ {
++#ifdef GRUB_UTIL
++ grub_util_info ("cannot copy metadata wrap in circular buffer");
++#endif
++ goto fail2;
++ }
++
+ /* Metadata is circular. Copy the wrap in place. */
+ grub_memcpy (metadatabuf + mda_size,
+ metadatabuf + GRUB_LVM_MDA_HEADER_SIZE,
diff --git a/SOURCES/0455-disk-lvm-Bail-on-missing-PV-list.patch b/SOURCES/0455-disk-lvm-Bail-on-missing-PV-list.patch
new file mode 100644
index 0000000..621266b
--- /dev/null
+++ b/SOURCES/0455-disk-lvm-Bail-on-missing-PV-list.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 18:54:29 +1100
+Subject: [PATCH] disk/lvm: Bail on missing PV list
+
+There's an if block for the presence of "physical_volumes {", but if
+that block is absent, then p remains NULL and a NULL-deref will result
+when looking for logical volumes.
+
+It doesn't seem like LVM makes sense without physical volumes, so error
+out rather than crashing.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/lvm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index ec3545e164b..1e80137c452 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -371,6 +371,8 @@ error_parsing_metadata:
+ goto fail4;
+ }
+ }
++ else
++ goto fail4;
+
+ p = grub_strstr (p, "logical_volumes {");
+ if (p)
diff --git a/SOURCES/0456-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch b/SOURCES/0456-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch
new file mode 100644
index 0000000..2ca0659
--- /dev/null
+++ b/SOURCES/0456-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch
@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 18:35:22 +1100
+Subject: [PATCH] disk/lvm: Do not crash if an expected string is not found
+
+Clean up a bunch of cases where we could have strstr() fail and lead to
+us dereferencing NULL.
+
+We'll still leak memory in some cases (loops don't clean up allocations
+from earlier iterations if a later iteration fails) but at least we're
+not crashing.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/lvm.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 1e80137c452..03587e744dc 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -541,7 +541,16 @@ error_parsing_metadata:
+ }
+
+ if (seg->node_count != 1)
+- seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
++ {
++ seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
++ if (p == NULL)
++ {
++#ifdef GRUB_UTIL
++ grub_util_info ("unknown stripe_size");
++#endif
++ goto lvs_segment_fail;
++ }
++ }
+
+ seg->nodes = grub_calloc (seg->node_count,
+ sizeof (*stripe));
+@@ -561,7 +570,7 @@ error_parsing_metadata:
+ {
+ p = grub_strchr (p, '"');
+ if (p == NULL)
+- continue;
++ goto lvs_segment_fail2;
+ q = ++p;
+ while (*q != '"')
+ q++;
+@@ -580,7 +589,10 @@ error_parsing_metadata:
+ stripe->start = grub_lvm_getvalue (&p, ",")
+ * vg->extent_size;
+ if (p == NULL)
+- continue;
++ {
++ grub_free (stripe->name);
++ goto lvs_segment_fail2;
++ }
+
+ stripe++;
+ }
+@@ -617,7 +629,7 @@ error_parsing_metadata:
+
+ p = grub_strchr (p, '"');
+ if (p == NULL)
+- continue;
++ goto lvs_segment_fail2;
+ q = ++p;
+ while (*q != '"')
+ q++;
+@@ -705,7 +717,7 @@ error_parsing_metadata:
+ p = p ? grub_strchr (p + 1, '"') : 0;
+ p = p ? grub_strchr (p + 1, '"') : 0;
+ if (p == NULL)
+- continue;
++ goto lvs_segment_fail2;
+ q = ++p;
+ while (*q != '"')
+ q++;
diff --git a/SOURCES/0457-disk-lvm-Do-not-overread-metadata.patch b/SOURCES/0457-disk-lvm-Do-not-overread-metadata.patch
new file mode 100644
index 0000000..2138f6c
--- /dev/null
+++ b/SOURCES/0457-disk-lvm-Do-not-overread-metadata.patch
@@ -0,0 +1,107 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 21 Jan 2021 18:35:22 +1100
+Subject: [PATCH] disk/lvm: Do not overread metadata
+
+We could reach the end of valid metadata and not realize, leading to
+some buffer overreads. Check if we have reached the end and bail.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/lvm.c | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 03587e744dc..267be7b9536 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -314,17 +314,23 @@ error_parsing_metadata:
+ while (1)
+ {
+ grub_ssize_t s;
+- while (grub_isspace (*p))
++ while (grub_isspace (*p) && p < mda_end)
+ p++;
+
++ if (p == mda_end)
++ goto fail4;
++
+ if (*p == '}')
+ break;
+
+ pv = grub_zalloc (sizeof (*pv));
+ q = p;
+- while (*q != ' ')
++ while (*q != ' ' && q < mda_end)
+ q++;
+
++ if (q == mda_end)
++ goto pvs_fail_noname;
++
+ s = q - p;
+ pv->name = grub_malloc (s + 1);
+ grub_memcpy (pv->name, p, s);
+@@ -367,6 +373,7 @@ error_parsing_metadata:
+ continue;
+ pvs_fail:
+ grub_free (pv->name);
++ pvs_fail_noname:
+ grub_free (pv);
+ goto fail4;
+ }
+@@ -388,18 +395,24 @@ error_parsing_metadata:
+ struct grub_diskfilter_segment *seg;
+ int is_pvmove;
+
+- while (grub_isspace (*p))
++ while (grub_isspace (*p) && p < mda_end)
+ p++;
+
++ if (p == mda_end)
++ goto fail4;
++
+ if (*p == '}')
+ break;
+
+ lv = grub_zalloc (sizeof (*lv));
+
+ q = p;
+- while (*q != ' ')
++ while (*q != ' ' && q < mda_end)
+ q++;
+
++ if (q == mda_end)
++ goto lvs_fail;
++
+ s = q - p;
+ lv->name = grub_strndup (p, s);
+ if (!lv->name)
+@@ -572,9 +585,12 @@ error_parsing_metadata:
+ if (p == NULL)
+ goto lvs_segment_fail2;
+ q = ++p;
+- while (*q != '"')
++ while (q < mda_end && *q != '"')
+ q++;
+
++ if (q == mda_end)
++ goto lvs_segment_fail2;
++
+ s = q - p;
+
+ stripe->name = grub_malloc (s + 1);
+@@ -631,9 +647,12 @@ error_parsing_metadata:
+ if (p == NULL)
+ goto lvs_segment_fail2;
+ q = ++p;
+- while (*q != '"')
++ while (q < mda_end && *q != '"')
+ q++;
+
++ if (q == mda_end)
++ goto lvs_segment_fail2;
++
+ s = q - p;
+
+ lvname = grub_malloc (s + 1);
diff --git a/SOURCES/0458-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch b/SOURCES/0458-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch
new file mode 100644
index 0000000..412873f
--- /dev/null
+++ b/SOURCES/0458-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 14:43:58 +1100
+Subject: [PATCH] disk/lvm: Sanitize rlocn->offset to prevent wild read
+
+rlocn->offset is read directly from disk and added to the metadatabuf
+pointer to create a pointer to a block of metadata. It's a 64-bit
+quantity so as long as you don't overflow you can set subsequent
+pointers to point anywhere in memory.
+
+Require that rlocn->offset fits within the metadata buffer size.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/lvm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 267be7b9536..9eda28d852c 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -212,6 +212,14 @@ grub_lvm_detect (grub_disk_t disk,
+ }
+
+ rlocn = mdah->raw_locns;
++ if (grub_le_to_cpu64 (rlocn->offset) >= grub_le_to_cpu64 (mda_size))
++ {
++#ifdef GRUB_UTIL
++ grub_util_info ("metadata offset is beyond end of metadata area");
++#endif
++ goto fail2;
++ }
++
+ if (grub_le_to_cpu64 (rlocn->offset) + grub_le_to_cpu64 (rlocn->size) >
+ grub_le_to_cpu64 (mdah->size))
+ {
diff --git a/SOURCES/0459-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch b/SOURCES/0459-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch
new file mode 100644
index 0000000..99e32f2
--- /dev/null
+++ b/SOURCES/0459-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 14:42:21 +1100
+Subject: [PATCH] disk/lvm: Do not allow a LV to be it's own segment's node's
+ LV
+
+This prevents infinite recursion in the diskfilter verification code.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/lvm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 9eda28d852c..7e86bb7df4f 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -840,9 +840,13 @@ error_parsing_metadata:
+ }
+ if (lv1->segments[i].nodes[j].pv == NULL)
+ for (lv2 = vg->lvs; lv2; lv2 = lv2->next)
+- if (grub_strcmp (lv2->name,
+- lv1->segments[i].nodes[j].name) == 0)
+- lv1->segments[i].nodes[j].lv = lv2;
++ {
++ if (lv1 == lv2)
++ continue;
++ if (grub_strcmp (lv2->name,
++ lv1->segments[i].nodes[j].name) == 0)
++ lv1->segments[i].nodes[j].lv = lv2;
++ }
+ }
+
+ }
diff --git a/SOURCES/0460-kern-parser-Fix-a-memory-leak.patch b/SOURCES/0460-kern-parser-Fix-a-memory-leak.patch
new file mode 100644
index 0000000..42d42b3
--- /dev/null
+++ b/SOURCES/0460-kern-parser-Fix-a-memory-leak.patch
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Wed, 18 Nov 2020 00:59:24 +0000
+Subject: [PATCH] kern/parser: Fix a memory leak
+
+The getline() function supplied to grub_parser_split_cmdline() returns
+a newly allocated buffer and can be called multiple times, but the
+returned buffer is never freed.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/parser.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index d1cf061ad68..39e4df65b86 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -140,6 +140,7 @@ grub_parser_split_cmdline (const char *cmdline,
+ char buffer[1024];
+ char *bp = buffer;
+ char *rd = (char *) cmdline;
++ char *rp = rd;
+ char varname[200];
+ char *vp = varname;
+ char *args;
+@@ -149,10 +150,18 @@ grub_parser_split_cmdline (const char *cmdline,
+ *argv = NULL;
+ do
+ {
+- if (!rd || !*rd)
++ if (rp == NULL || *rp == '\0')
+ {
++ if (rd != cmdline)
++ {
++ grub_free (rd);
++ rd = rp = NULL;
++ }
+ if (getline)
+- getline (&rd, 1, getline_data);
++ {
++ getline (&rd, 1, getline_data);
++ rp = rd;
++ }
+ else
+ break;
+ }
+@@ -160,12 +169,12 @@ grub_parser_split_cmdline (const char *cmdline,
+ if (!rd)
+ break;
+
+- for (; *rd; rd++)
++ for (; *rp != '\0'; rp++)
+ {
+ grub_parser_state_t newstate;
+ char use;
+
+- newstate = grub_parser_cmdline_state (state, *rd, &use);
++ newstate = grub_parser_cmdline_state (state, *rp, &use);
+
+ /* If a variable was being processed and this character does
+ not describe the variable anymore, write the variable to
+@@ -198,6 +207,9 @@ grub_parser_split_cmdline (const char *cmdline,
+ }
+ while (state != GRUB_PARSER_STATE_TEXT && !check_varstate (state));
+
++ if (rd != cmdline)
++ grub_free (rd);
++
+ /* A special case for when the last character was part of a
+ variable. */
+ add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
diff --git a/SOURCES/0461-kern-parser-Introduce-process_char-helper.patch b/SOURCES/0461-kern-parser-Introduce-process_char-helper.patch
new file mode 100644
index 0000000..c67dc9e
--- /dev/null
+++ b/SOURCES/0461-kern-parser-Introduce-process_char-helper.patch
@@ -0,0 +1,116 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 5 Jan 2021 22:17:28 +0000
+Subject: [PATCH] kern/parser: Introduce process_char() helper
+
+grub_parser_split_cmdline() iterates over each command line character.
+In order to add error checking and to simplify the subsequent error
+handling, split the character processing in to a separate function.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/parser.c | 74 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 46 insertions(+), 28 deletions(-)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 39e4df65b86..0d3582bd874 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -1,7 +1,7 @@
+ /* parser.c - the part of the parser that can return partial tokens */
+ /*
+ * GRUB -- GRand Unified Bootloader
+- * Copyright (C) 2005,2007,2009 Free Software Foundation, Inc.
++ * Copyright (C) 2005,2007,2009,2021 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -129,6 +129,46 @@ add_var (char *varname, char **bp, char **vp,
+ *((*bp)++) = *val;
+ }
+
++static grub_err_t
++process_char (char c, char *buffer, char **bp, char *varname, char **vp,
++ grub_parser_state_t state, int *argc,
++ grub_parser_state_t *newstate)
++{
++ char use;
++
++ *newstate = grub_parser_cmdline_state (state, c, &use);
++
++ /*
++ * If a variable was being processed and this character does
++ * not describe the variable anymore, write the variable to
++ * the buffer.
++ */
++ add_var (varname, bp, vp, state, *newstate);
++
++ if (check_varstate (*newstate))
++ {
++ if (use)
++ *((*vp)++) = use;
++ }
++ else if (*newstate == GRUB_PARSER_STATE_TEXT &&
++ state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
++ {
++ /*
++ * Don't add more than one argument if multiple
++ * spaces are used.
++ */
++ if (*bp != buffer && *((*bp) - 1) != '\0')
++ {
++ *((*bp)++) = '\0';
++ (*argc)++;
++ }
++ }
++ else if (use)
++ *((*bp)++) = use;
++
++ return GRUB_ERR_NONE;
++}
++
+ grub_err_t
+ grub_parser_split_cmdline (const char *cmdline,
+ grub_reader_getline_t getline, void *getline_data,
+@@ -172,35 +212,13 @@ grub_parser_split_cmdline (const char *cmdline,
+ for (; *rp != '\0'; rp++)
+ {
+ grub_parser_state_t newstate;
+- char use;
+
+- newstate = grub_parser_cmdline_state (state, *rp, &use);
+-
+- /* If a variable was being processed and this character does
+- not describe the variable anymore, write the variable to
+- the buffer. */
+- add_var (varname, &bp, &vp, state, newstate);
+-
+- if (check_varstate (newstate))
+- {
+- if (use)
+- *(vp++) = use;
+- }
+- else
++ if (process_char (*rp, buffer, &bp, varname, &vp, state, argc,
++ &newstate) != GRUB_ERR_NONE)
+ {
+- if (newstate == GRUB_PARSER_STATE_TEXT
+- && state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
+- {
+- /* Don't add more than one argument if multiple
+- spaces are used. */
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
+- }
+- else if (use)
+- *(bp++) = use;
++ if (rd != cmdline)
++ grub_free (rd);
++ return grub_errno;
+ }
+ state = newstate;
+ }
diff --git a/SOURCES/0462-kern-parser-Introduce-terminate_arg-helper.patch b/SOURCES/0462-kern-parser-Introduce-terminate_arg-helper.patch
new file mode 100644
index 0000000..4192ec5
--- /dev/null
+++ b/SOURCES/0462-kern-parser-Introduce-terminate_arg-helper.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 7 Jan 2021 19:53:55 +0000
+Subject: [PATCH] kern/parser: Introduce terminate_arg() helper
+
+process_char() and grub_parser_split_cmdline() use similar code for
+terminating the most recent argument. Add a helper function for this.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/parser.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 0d3582bd874..572c67089f3 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -129,6 +129,16 @@ add_var (char *varname, char **bp, char **vp,
+ *((*bp)++) = *val;
+ }
+
++static void
++terminate_arg (char *buffer, char **bp, int *argc)
++{
++ if (*bp != buffer && *((*bp) - 1) != '\0')
++ {
++ *((*bp)++) = '\0';
++ (*argc)++;
++ }
++}
++
+ static grub_err_t
+ process_char (char c, char *buffer, char **bp, char *varname, char **vp,
+ grub_parser_state_t state, int *argc,
+@@ -157,11 +167,7 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp,
+ * Don't add more than one argument if multiple
+ * spaces are used.
+ */
+- if (*bp != buffer && *((*bp) - 1) != '\0')
+- {
+- *((*bp)++) = '\0';
+- (*argc)++;
+- }
++ terminate_arg (buffer, bp, argc);
+ }
+ else if (use)
+ *((*bp)++) = use;
+@@ -232,11 +238,8 @@ grub_parser_split_cmdline (const char *cmdline,
+ variable. */
+ add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
+
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
++ /* Ensure that the last argument is terminated. */
++ terminate_arg (buffer, &bp, argc);
+
+ /* If there are no args, then we're done. */
+ if (!*argc)
diff --git a/SOURCES/0463-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch b/SOURCES/0463-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
new file mode 100644
index 0000000..c6a0c49
--- /dev/null
+++ b/SOURCES/0463-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
@@ -0,0 +1,88 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Wed, 6 Jan 2021 13:54:26 +0000
+Subject: [PATCH] kern/parser: Refactor grub_parser_split_cmdline() cleanup
+
+Introduce a common function epilogue used for cleaning up on all
+return paths, which will simplify additional error handling to be
+introduced in a subsequent commit.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/parser.c | 35 ++++++++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 572c67089f3..e010eaa1fa1 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -221,19 +221,13 @@ grub_parser_split_cmdline (const char *cmdline,
+
+ if (process_char (*rp, buffer, &bp, varname, &vp, state, argc,
+ &newstate) != GRUB_ERR_NONE)
+- {
+- if (rd != cmdline)
+- grub_free (rd);
+- return grub_errno;
+- }
++ goto fail;
++
+ state = newstate;
+ }
+ }
+ while (state != GRUB_PARSER_STATE_TEXT && !check_varstate (state));
+
+- if (rd != cmdline)
+- grub_free (rd);
+-
+ /* A special case for when the last character was part of a
+ variable. */
+ add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
+@@ -243,20 +237,20 @@ grub_parser_split_cmdline (const char *cmdline,
+
+ /* If there are no args, then we're done. */
+ if (!*argc)
+- return 0;
++ {
++ grub_errno = GRUB_ERR_NONE;
++ goto out;
++ }
+
+ /* Reserve memory for the return values. */
+ args = grub_malloc (bp - buffer);
+ if (!args)
+- return grub_errno;
++ goto fail;
+ grub_memcpy (args, buffer, bp - buffer);
+
+ *argv = grub_calloc (*argc + 1, sizeof (char *));
+ if (!*argv)
+- {
+- grub_free (args);
+- return grub_errno;
+- }
++ goto fail;
+
+ /* The arguments are separated with 0's, setup argv so it points to
+ the right values. */
+@@ -269,7 +263,18 @@ grub_parser_split_cmdline (const char *cmdline,
+ bp++;
+ }
+
+- return 0;
++ grub_errno = GRUB_ERR_NONE;
++
++ out:
++ if (rd != cmdline)
++ grub_free (rd);
++
++ return grub_errno;
++
++ fail:
++ grub_free (*argv);
++ grub_free (args);
++ goto out;
+ }
+
+ /* Helper for grub_parser_execute. */
diff --git a/SOURCES/0464-kern-buffer-Add-variable-sized-heap-buffer.patch b/SOURCES/0464-kern-buffer-Add-variable-sized-heap-buffer.patch
new file mode 100644
index 0000000..0c46876
--- /dev/null
+++ b/SOURCES/0464-kern-buffer-Add-variable-sized-heap-buffer.patch
@@ -0,0 +1,304 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 7 Jan 2021 15:15:43 +0000
+Subject: [PATCH] kern/buffer: Add variable sized heap buffer
+
+Add a new variable sized heap buffer type (grub_buffer_t) with simple
+operations for appending data, accessing the data and maintaining
+a read cursor.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/Makefile.core.def | 1 +
+ grub-core/kern/buffer.c | 117 +++++++++++++++++++++++++++++++++++
+ include/grub/buffer.h | 144 ++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 262 insertions(+)
+ create mode 100644 grub-core/kern/buffer.c
+ create mode 100644 include/grub/buffer.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 02fbecd4b81..612df2e9c40 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -112,6 +112,7 @@ kernel = {
+ arm_efi_startup = kern/arm/efi/startup.S;
+ arm64_efi_startup = kern/arm64/efi/startup.S;
+
++ common = kern/buffer.c;
+ common = kern/command.c;
+ common = kern/corecmd.c;
+ common = kern/device.c;
+diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
+new file mode 100644
+index 00000000000..9f5f8b86705
+--- /dev/null
++++ b/grub-core/kern/buffer.c
+@@ -0,0 +1,117 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <grub/buffer.h>
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++grub_buffer_t
++grub_buffer_new (grub_size_t sz)
++{
++ struct grub_buffer *ret;
++
++ ret = (struct grub_buffer *) grub_malloc (sizeof (*ret));
++ if (ret == NULL)
++ return NULL;
++
++ ret->data = (grub_uint8_t *) grub_malloc (sz);
++ if (ret->data == NULL)
++ {
++ grub_free (ret);
++ return NULL;
++ }
++
++ ret->sz = sz;
++ ret->pos = 0;
++ ret->used = 0;
++
++ return ret;
++}
++
++void
++grub_buffer_free (grub_buffer_t buf)
++{
++ grub_free (buf->data);
++ grub_free (buf);
++}
++
++grub_err_t
++grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req)
++{
++ grub_uint8_t *d;
++ grub_size_t newsz = 1;
++
++ /* Is the current buffer size adequate? */
++ if (buf->sz >= req)
++ return GRUB_ERR_NONE;
++
++ /* Find the smallest power-of-2 size that satisfies the request. */
++ while (newsz < req)
++ {
++ if (newsz == 0)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("requested buffer size is too large"));
++ newsz <<= 1;
++ }
++
++ d = (grub_uint8_t *) grub_realloc (buf->data, newsz);
++ if (d == NULL)
++ return grub_errno;
++
++ buf->data = d;
++ buf->sz = newsz;
++
++ return GRUB_ERR_NONE;
++}
++
++void *
++grub_buffer_take_data (grub_buffer_t buf)
++{
++ void *data = buf->data;
++
++ buf->data = NULL;
++ buf->sz = buf->pos = buf->used = 0;
++
++ return data;
++}
++
++void
++grub_buffer_reset (grub_buffer_t buf)
++{
++ buf->pos = buf->used = 0;
++}
++
++grub_err_t
++grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n)
++{
++ grub_size_t newpos;
++
++ if (grub_add (buf->pos, n, &newpos))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (newpos > buf->used)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("new read is position beyond the end of the written data"));
++
++ buf->pos = newpos;
++
++ return GRUB_ERR_NONE;
++}
+diff --git a/include/grub/buffer.h b/include/grub/buffer.h
+new file mode 100644
+index 00000000000..f4b10cf2810
+--- /dev/null
++++ b/include/grub/buffer.h
+@@ -0,0 +1,144 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_BUFFER_H
++#define GRUB_BUFFER_H 1
++
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++struct grub_buffer
++{
++ grub_uint8_t *data;
++ grub_size_t sz;
++ grub_size_t pos;
++ grub_size_t used;
++};
++
++/*
++ * grub_buffer_t represents a simple variable sized byte buffer with
++ * read and write cursors. It currently only implements
++ * functionality required by the only user in GRUB (append byte[s],
++ * peeking data at a specified position and updating the read cursor.
++ * Some things that this doesn't do yet are:
++ * - Reading a portion of the buffer by copying data from the current
++ * read position in to a caller supplied destination buffer and then
++ * automatically updating the read cursor.
++ * - Dropping the read part at the start of the buffer when an append
++ * requires more space.
++ */
++typedef struct grub_buffer *grub_buffer_t;
++
++/* Allocate a new buffer with the specified initial size. */
++extern grub_buffer_t grub_buffer_new (grub_size_t sz);
++
++/* Free the buffer and its resources. */
++extern void grub_buffer_free (grub_buffer_t buf);
++
++/* Return the number of unread bytes in this buffer. */
++static inline grub_size_t
++grub_buffer_get_unread_bytes (grub_buffer_t buf)
++{
++ return buf->used - buf->pos;
++}
++
++/*
++ * Ensure that the buffer size is at least the requested
++ * number of bytes.
++ */
++extern grub_err_t grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req);
++
++/*
++ * Append the specified number of bytes from the supplied
++ * data to the buffer.
++ */
++static inline grub_err_t
++grub_buffer_append_data (grub_buffer_t buf, const void *data, grub_size_t len)
++{
++ grub_size_t req;
++
++ if (grub_add (buf->used, len, &req))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (grub_buffer_ensure_space (buf, req) != GRUB_ERR_NONE)
++ return grub_errno;
++
++ grub_memcpy (&buf->data[buf->used], data, len);
++ buf->used = req;
++
++ return GRUB_ERR_NONE;
++}
++
++/* Append the supplied character to the buffer. */
++static inline grub_err_t
++grub_buffer_append_char (grub_buffer_t buf, char c)
++{
++ return grub_buffer_append_data (buf, &c, 1);
++}
++
++/*
++ * Forget and return the underlying data buffer. The caller
++ * becomes the owner of this buffer, and must free it when it
++ * is no longer required.
++ */
++extern void *grub_buffer_take_data (grub_buffer_t buf);
++
++/* Reset this buffer. Note that this does not deallocate any resources. */
++void grub_buffer_reset (grub_buffer_t buf);
++
++/*
++ * Return a pointer to the underlying data buffer at the specified
++ * offset from the current read position. Note that this pointer may
++ * become invalid if the buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data_at (grub_buffer_t buf, grub_size_t off)
++{
++ if (grub_add (buf->pos, off, &off))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected."));
++ return NULL;
++ }
++
++ if (off >= buf->used)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("peek out of range"));
++ return NULL;
++ }
++
++ return &buf->data[off];
++}
++
++/*
++ * Return a pointer to the underlying data buffer at the current
++ * read position. Note that this pointer may become invalid if the
++ * buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data (grub_buffer_t buf)
++{
++ return grub_buffer_peek_data_at (buf, 0);
++}
++
++/* Advance the read position by the specified number of bytes. */
++extern grub_err_t grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n);
++
++#endif /* GRUB_BUFFER_H */
diff --git a/SOURCES/0465-kern-parser-Fix-a-stack-buffer-overflow.patch b/SOURCES/0465-kern-parser-Fix-a-stack-buffer-overflow.patch
new file mode 100644
index 0000000..7a30d03
--- /dev/null
+++ b/SOURCES/0465-kern-parser-Fix-a-stack-buffer-overflow.patch
@@ -0,0 +1,244 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 7 Jan 2021 19:21:03 +0000
+Subject: [PATCH] kern/parser: Fix a stack buffer overflow
+
+grub_parser_split_cmdline() expands variable names present in the supplied
+command line in to their corresponding variable contents and uses a 1 kiB
+stack buffer for temporary storage without sufficient bounds checking. If
+the function is called with a command line that references a variable with
+a sufficiently large payload, it is possible to overflow the stack
+buffer via tab completion, corrupt the stack frame and potentially
+control execution.
+
+Fixes: CVE-2020-27749
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/parser.c | 110 +++++++++++++++++++++++++++++-------------------
+ 1 file changed, 67 insertions(+), 43 deletions(-)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index e010eaa1fa1..6ab7aa427cc 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -18,6 +18,7 @@
+ */
+
+ #include <grub/parser.h>
++#include <grub/buffer.h>
+ #include <grub/env.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
+ }
+
+
+-static void
+-add_var (char *varname, char **bp, char **vp,
++static grub_err_t
++add_var (grub_buffer_t varname, grub_buffer_t buf,
+ grub_parser_state_t state, grub_parser_state_t newstate)
+ {
+ const char *val;
+@@ -116,31 +117,41 @@ add_var (char *varname, char **bp, char **vp,
+ /* Check if a variable was being read in and the end of the name
+ was reached. */
+ if (!(check_varstate (state) && !check_varstate (newstate)))
+- return;
++ return GRUB_ERR_NONE;
+
+- *((*vp)++) = '\0';
+- val = grub_env_get (varname);
+- *vp = varname;
++ if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
++
++ val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
++ grub_buffer_reset (varname);
+ if (!val)
+- return;
++ return GRUB_ERR_NONE;
+
+ /* Insert the contents of the variable in the buffer. */
+- for (; *val; val++)
+- *((*bp)++) = *val;
++ return grub_buffer_append_data (buf, val, grub_strlen (val));
+ }
+
+-static void
+-terminate_arg (char *buffer, char **bp, int *argc)
++static grub_err_t
++terminate_arg (grub_buffer_t buffer, int *argc)
+ {
+- if (*bp != buffer && *((*bp) - 1) != '\0')
+- {
+- *((*bp)++) = '\0';
+- (*argc)++;
+- }
++ grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
++
++ if (unread == 0)
++ return GRUB_ERR_NONE;
++
++ if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0')
++ return GRUB_ERR_NONE;
++
++ if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
++
++ (*argc)++;
++
++ return GRUB_ERR_NONE;
+ }
+
+ static grub_err_t
+-process_char (char c, char *buffer, char **bp, char *varname, char **vp,
++process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
+ grub_parser_state_t state, int *argc,
+ grub_parser_state_t *newstate)
+ {
+@@ -153,12 +164,13 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp,
+ * not describe the variable anymore, write the variable to
+ * the buffer.
+ */
+- add_var (varname, bp, vp, state, *newstate);
++ if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
++ return grub_errno;
+
+ if (check_varstate (*newstate))
+ {
+ if (use)
+- *((*vp)++) = use;
++ return grub_buffer_append_char (varname, use);
+ }
+ else if (*newstate == GRUB_PARSER_STATE_TEXT &&
+ state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
+@@ -167,10 +179,10 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp,
+ * Don't add more than one argument if multiple
+ * spaces are used.
+ */
+- terminate_arg (buffer, bp, argc);
++ return terminate_arg (buffer, argc);
+ }
+ else if (use)
+- *((*bp)++) = use;
++ return grub_buffer_append_char (buffer, use);
+
+ return GRUB_ERR_NONE;
+ }
+@@ -181,19 +193,22 @@ grub_parser_split_cmdline (const char *cmdline,
+ int *argc, char ***argv)
+ {
+ grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
+- /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
+- allocated. */
+- char buffer[1024];
+- char *bp = buffer;
++ grub_buffer_t buffer, varname;
+ char *rd = (char *) cmdline;
+ char *rp = rd;
+- char varname[200];
+- char *vp = varname;
+- char *args;
+ int i;
+
+ *argc = 0;
+ *argv = NULL;
++
++ buffer = grub_buffer_new (1024);
++ if (buffer == NULL)
++ return grub_errno;
++
++ varname = grub_buffer_new (200);
++ if (varname == NULL)
++ goto fail;
++
+ do
+ {
+ if (rp == NULL || *rp == '\0')
+@@ -219,7 +234,7 @@ grub_parser_split_cmdline (const char *cmdline,
+ {
+ grub_parser_state_t newstate;
+
+- if (process_char (*rp, buffer, &bp, varname, &vp, state, argc,
++ if (process_char (*rp, buffer, varname, state, argc,
+ &newstate) != GRUB_ERR_NONE)
+ goto fail;
+
+@@ -230,10 +245,12 @@ grub_parser_split_cmdline (const char *cmdline,
+
+ /* A special case for when the last character was part of a
+ variable. */
+- add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
++ if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE)
++ goto fail;
+
+ /* Ensure that the last argument is terminated. */
+- terminate_arg (buffer, &bp, argc);
++ if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
++ goto fail;
+
+ /* If there are no args, then we're done. */
+ if (!*argc)
+@@ -242,38 +259,45 @@ grub_parser_split_cmdline (const char *cmdline,
+ goto out;
+ }
+
+- /* Reserve memory for the return values. */
+- args = grub_malloc (bp - buffer);
+- if (!args)
+- goto fail;
+- grub_memcpy (args, buffer, bp - buffer);
+-
+ *argv = grub_calloc (*argc + 1, sizeof (char *));
+ if (!*argv)
+ goto fail;
+
+ /* The arguments are separated with 0's, setup argv so it points to
+ the right values. */
+- bp = args;
+ for (i = 0; i < *argc; i++)
+ {
+- (*argv)[i] = bp;
+- while (*bp)
+- bp++;
+- bp++;
++ char *arg;
++
++ if (i > 0)
++ {
++ if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
++ goto fail;
++ }
++
++ arg = (char *) grub_buffer_peek_data (buffer);
++ if (arg == NULL ||
++ grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE)
++ goto fail;
++
++ (*argv)[i] = arg;
+ }
+
++ /* Keep memory for the return values. */
++ grub_buffer_take_data (buffer);
++
+ grub_errno = GRUB_ERR_NONE;
+
+ out:
+ if (rd != cmdline)
+ grub_free (rd);
++ grub_buffer_free (buffer);
++ grub_buffer_free (varname);
+
+ return grub_errno;
+
+ fail:
+ grub_free (*argv);
+- grub_free (args);
+ goto out;
+ }
+
diff --git a/SOURCES/0466-kern-efi-Add-initial-stack-protector-implementation.patch b/SOURCES/0466-kern-efi-Add-initial-stack-protector-implementation.patch
new file mode 100644
index 0000000..8da130b
--- /dev/null
+++ b/SOURCES/0466-kern-efi-Add-initial-stack-protector-implementation.patch
@@ -0,0 +1,298 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 19 Feb 2021 13:53:45 +0100
+Subject: [PATCH] kern/efi: Add initial stack protector implementation
+
+It works only on UEFI platforms but can be quite easily extended to
+others architectures and platforms if needed.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ configure.ac | 44 ++++++++++++++++++++++++++++++----
+ grub-core/kern/efi/init.c | 54 ++++++++++++++++++++++++++++++++++++++++++
+ include/grub/efi/api.h | 19 +++++++++++++++
+ include/grub/stack_protector.h | 30 +++++++++++++++++++++++
+ acinclude.m4 | 38 +++++++++++++++++++++++++++--
+ grub-core/Makefile.am | 1 +
+ 6 files changed, 179 insertions(+), 7 deletions(-)
+ create mode 100644 include/grub/stack_protector.h
+
+diff --git a/configure.ac b/configure.ac
+index 0059b938a3a..f59a7b86c51 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1330,12 +1330,41 @@ fi]
+
+ CFLAGS="$TARGET_CFLAGS"
+
+-# Smashing stack protector.
++# Stack smashing protector.
+ grub_CHECK_STACK_PROTECTOR
+-# Need that, because some distributions ship compilers that include
+-# `-fstack-protector' in the default specs.
+-if test "x$ssp_possible" = xyes; then
+- TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
++AC_ARG_ENABLE([stack-protector],
++ AS_HELP_STRING([--enable-stack-protector],
++ [enable the stack protector]),
++ [],
++ [enable_stack_protector=no])
++if test "x$enable_stack_protector" = xno; then
++ if test "x$ssp_possible" = xyes; then
++ # Need that, because some distributions ship compilers that include
++ # `-fstack-protector' in the default specs.
++ TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
++ fi
++elif test "x$platform" != xefi; then
++ AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
++elif test "x$ssp_global_possible" != xyes; then
++ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)])
++else
++ TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
++ if test "x$enable_stack_protector" = xyes; then
++ if test "x$ssp_possible" != xyes; then
++ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)])
++ fi
++ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
++ elif test "x$enable_stack_protector" = xstrong; then
++ if test "x$ssp_strong_possible" != xyes; then
++ AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)])
++ fi
++ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
++ else
++ # Note, -fstack-protector-all requires that the protector is disabled for
++ # functions that appear in the call stack when the canary is initialized.
++ AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
++ fi
++ TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
+ fi
+
+ CFLAGS="$TARGET_CFLAGS"
+@@ -2247,5 +2276,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
+ else
+ echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
+ fi
++if test "x$enable_stack_protector" != xno; then
++echo "With stack smashing protector: Yes"
++else
++echo "With stack smashing protector: No"
++fi
+ echo "*******************************************************"
+ ]
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 97bf36906a4..501608f743e 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -28,6 +28,58 @@
+ #include <grub/mm.h>
+ #include <grub/kernel.h>
+ #include <grub/lib/envblk.h>
++#include <grub/stack_protector.h>
++
++#ifdef GRUB_STACK_PROTECTOR
++
++static grub_efi_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID;
++
++/*
++ * Don't put this on grub_efi_init()'s local stack to avoid it
++ * getting a stack check.
++ */
++static grub_efi_uint8_t stack_chk_guard_buf[32];
++
++grub_addr_t __stack_chk_guard;
++
++void __attribute__ ((noreturn))
++__stack_chk_fail (void)
++{
++ /*
++ * Assume it's not safe to call into EFI Boot Services. Sorry, that
++ * means no console message here.
++ */
++ do
++ {
++ /* Do not optimize out the loop. */
++ asm volatile ("");
++ }
++ while (1);
++}
++
++static void
++stack_protector_init (void)
++{
++ grub_efi_rng_protocol_t *rng;
++
++ /* Set up the stack canary. Make errors here non-fatal for now. */
++ rng = grub_efi_locate_protocol (&rng_protocol_guid, NULL);
++ if (rng != NULL)
++ {
++ grub_efi_status_t status;
++
++ status = efi_call_4 (rng->get_rng, rng, NULL, sizeof (stack_chk_guard_buf),
++ stack_chk_guard_buf);
++ if (status == GRUB_EFI_SUCCESS)
++ grub_memcpy (&__stack_chk_guard, stack_chk_guard_buf, sizeof (__stack_chk_guard));
++ }
++}
++#else
++static void
++stack_protector_init (void)
++{
++}
++#endif
+
+ grub_addr_t grub_modbase;
+
+@@ -92,6 +144,8 @@ grub_efi_init (void)
+ messages. */
+ grub_console_init ();
+
++ stack_protector_init ();
++
+ /* Initialize the memory management system. */
+ grub_efi_mm_init ();
+
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index a092fddb629..37e7b162874 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -344,6 +344,11 @@
+ { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
+ }
+
++#define GRUB_EFI_RNG_PROTOCOL_GUID \
++ { 0x3152bca5, 0xeade, 0x433d, \
++ { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
++ }
++
+ struct grub_efi_sal_system_table
+ {
+ grub_uint32_t signature;
+@@ -2067,6 +2072,20 @@ struct grub_efi_ip6_config_manual_address {
+ };
+ typedef struct grub_efi_ip6_config_manual_address grub_efi_ip6_config_manual_address_t;
+
++typedef grub_efi_guid_t grub_efi_rng_algorithm_t;
++
++struct grub_efi_rng_protocol
++{
++ grub_efi_status_t (*get_info) (struct grub_efi_rng_protocol *this,
++ grub_efi_uintn_t *rng_algorithm_list_size,
++ grub_efi_rng_algorithm_t *rng_algorithm_list);
++ grub_efi_status_t (*get_rng) (struct grub_efi_rng_protocol *this,
++ grub_efi_rng_algorithm_t *rng_algorithm,
++ grub_efi_uintn_t rng_value_length,
++ grub_efi_uint8_t *rng_value);
++};
++typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t;
++
+ #if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
+ || defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__)
+
+diff --git a/include/grub/stack_protector.h b/include/grub/stack_protector.h
+new file mode 100644
+index 00000000000..c88dc00b5f9
+--- /dev/null
++++ b/include/grub/stack_protector.h
+@@ -0,0 +1,30 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_STACK_PROTECTOR_H
++#define GRUB_STACK_PROTECTOR_H 1
++
++#include <grub/symbol.h>
++#include <grub/types.h>
++
++#ifdef GRUB_STACK_PROTECTOR
++extern grub_addr_t EXPORT_VAR (__stack_chk_guard);
++extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
++#endif
++
++#endif /* GRUB_STACK_PROTECTOR_H */
+diff --git a/acinclude.m4 b/acinclude.m4
+index 242e829ff23..21238fcfd03 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -324,9 +324,9 @@ fi
+ ])
+
+ �
+-dnl Check if the C compiler supports `-fstack-protector'.
++dnl Check if the C compiler supports the stack protector
+ AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[
+-[# Smashing stack protector.
++[# Stack smashing protector.
+ ssp_possible=yes]
+ AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector'])
+ # Is this a reliable test case?
+@@ -343,6 +343,40 @@ else
+ ssp_possible=no]
+ AC_MSG_RESULT([no])
+ [fi]
++[# Strong stack smashing protector.
++ssp_strong_possible=yes]
++AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong'])
++# Is this a reliable test case?
++AC_LANG_CONFTEST([AC_LANG_SOURCE([[
++void foo (void) { volatile char a[8]; a[3]; }
++]])])
++[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
++# `ac_compile' like this correct, after all?
++if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then]
++ AC_MSG_RESULT([yes])
++ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
++ rm -f conftest.s
++else
++ ssp_strong_possible=no]
++ AC_MSG_RESULT([no])
++[fi]
++[# Global stack smashing protector.
++ssp_global_possible=yes]
++AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global'])
++# Is this a reliable test case?
++AC_LANG_CONFTEST([AC_LANG_SOURCE([[
++void foo (void) { volatile char a[8]; a[3]; }
++]])])
++[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
++# `ac_compile' like this correct, after all?
++if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then]
++ AC_MSG_RESULT([yes])
++ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
++ rm -f conftest.s
++else
++ ssp_global_possible=no]
++ AC_MSG_RESULT([no])
++[fi]
+ ])
+
+ dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin).
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index a6f1b0dcd06..308ad8850c9 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -92,6 +92,7 @@ endif
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
diff --git a/SOURCES/0467-util-mkimage-Remove-unused-code-to-add-BSS-section.patch b/SOURCES/0467-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
new file mode 100644
index 0000000..6447426
--- /dev/null
+++ b/SOURCES/0467-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Thu, 11 Feb 2021 17:06:49 +0100
+Subject: [PATCH] util/mkimage: Remove unused code to add BSS section
+
+The code is compiled out so there is no reason to keep it.
+
+Additionally, don't set bss_size field since we do not add a BSS section.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index 2529de4bb78..64f4f139832 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -1292,7 +1292,6 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ o->code_size = grub_host_to_target32 (layout.exec_size);
+ o->data_size = grub_cpu_to_le32 (reloc_addr - layout.exec_size
+ - header_size);
+- o->bss_size = grub_cpu_to_le32 (layout.bss_size);
+ o->entry_addr = grub_cpu_to_le32 (layout.start_address);
+ o->code_base = grub_cpu_to_le32 (header_size);
+
+@@ -1330,7 +1329,6 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ o->code_size = grub_host_to_target32 (layout.exec_size);
+ o->data_size = grub_cpu_to_le32 (reloc_addr - layout.exec_size
+ - header_size);
+- o->bss_size = grub_cpu_to_le32 (layout.bss_size);
+ o->entry_addr = grub_cpu_to_le32 (layout.start_address);
+ o->code_base = grub_cpu_to_le32 (header_size);
+ o->image_base = 0;
+@@ -1375,21 +1373,6 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+ | GRUB_PE32_SCN_MEM_READ
+ | GRUB_PE32_SCN_MEM_WRITE);
+-
+-#if 0
+- bss_section = data_section + 1;
+- strcpy (bss_section->name, ".bss");
+- bss_section->virtual_size = grub_cpu_to_le32 (layout.bss_size);
+- bss_section->virtual_address = grub_cpu_to_le32 (header_size + layout.kernel_size);
+- bss_section->raw_data_size = 0;
+- bss_section->raw_data_offset = 0;
+- bss_section->characteristics
+- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_MEM_READ
+- | GRUB_PE32_SCN_MEM_WRITE
+- | GRUB_PE32_SCN_ALIGN_64BYTES
+- | GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+- | 0x80);
+-#endif
+
+ mods_section = data_section + 1;
+ strcpy (mods_section->name, "mods");
diff --git a/SOURCES/0468-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch b/SOURCES/0468-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
new file mode 100644
index 0000000..0043fd0
--- /dev/null
+++ b/SOURCES/0468-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
@@ -0,0 +1,109 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Feb 2021 13:59:21 +0100
+Subject: [PATCH] util/mkimage: Use grub_host_to_target32() instead of
+ grub_cpu_to_le32()
+
+The latter doesn't take into account the target image endianness. There is
+a grub_cpu_to_le32_compile_time() but no compile time variant for function
+grub_host_to_target32(). So, let's keep using the other one for this case.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index 64f4f139832..601521d34cf 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -1290,10 +1290,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ + sizeof (struct grub_pe32_coff_header));
+ o->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC);
+ o->code_size = grub_host_to_target32 (layout.exec_size);
+- o->data_size = grub_cpu_to_le32 (reloc_addr - layout.exec_size
++ o->data_size = grub_host_to_target32 (reloc_addr - layout.exec_size
+ - header_size);
+- o->entry_addr = grub_cpu_to_le32 (layout.start_address);
+- o->code_base = grub_cpu_to_le32 (header_size);
++ o->entry_addr = grub_host_to_target32 (layout.start_address);
++ o->code_base = grub_host_to_target32 (header_size);
+
+ o->data_base = grub_host_to_target32 (header_size + layout.exec_size);
+
+@@ -1327,10 +1327,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ + sizeof (struct grub_pe32_coff_header));
+ o->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC);
+ o->code_size = grub_host_to_target32 (layout.exec_size);
+- o->data_size = grub_cpu_to_le32 (reloc_addr - layout.exec_size
++ o->data_size = grub_host_to_target32 (reloc_addr - layout.exec_size
+ - header_size);
+- o->entry_addr = grub_cpu_to_le32 (layout.start_address);
+- o->code_base = grub_cpu_to_le32 (header_size);
++ o->entry_addr = grub_host_to_target32 (layout.start_address);
++ o->code_base = grub_host_to_target32 (header_size);
+ o->image_base = 0;
+ o->section_alignment = grub_host_to_target32 (image_target->section_align);
+ o->file_alignment = grub_host_to_target32 (image_target->section_align);
+@@ -1354,10 +1354,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ /* The sections. */
+ text_section = sections;
+ strcpy (text_section->name, ".text");
+- text_section->virtual_size = grub_cpu_to_le32 (layout.exec_size);
+- text_section->virtual_address = grub_cpu_to_le32 (header_size);
+- text_section->raw_data_size = grub_cpu_to_le32 (layout.exec_size);
+- text_section->raw_data_offset = grub_cpu_to_le32 (header_size);
++ text_section->virtual_size = grub_host_to_target32 (layout.exec_size);
++ text_section->virtual_address = grub_host_to_target32 (header_size);
++ text_section->raw_data_size = grub_host_to_target32 (layout.exec_size);
++ text_section->raw_data_offset = grub_host_to_target32 (header_size);
+ text_section->characteristics = grub_cpu_to_le32_compile_time (
+ GRUB_PE32_SCN_CNT_CODE
+ | GRUB_PE32_SCN_MEM_EXECUTE
+@@ -1365,10 +1365,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+
+ data_section = text_section + 1;
+ strcpy (data_section->name, ".data");
+- data_section->virtual_size = grub_cpu_to_le32 (layout.kernel_size - layout.exec_size);
+- data_section->virtual_address = grub_cpu_to_le32 (header_size + layout.exec_size);
+- data_section->raw_data_size = grub_cpu_to_le32 (layout.kernel_size - layout.exec_size);
+- data_section->raw_data_offset = grub_cpu_to_le32 (header_size + layout.exec_size);
++ data_section->virtual_size = grub_host_to_target32 (layout.kernel_size - layout.exec_size);
++ data_section->virtual_address = grub_host_to_target32 (header_size + layout.exec_size);
++ data_section->raw_data_size = grub_host_to_target32 (layout.kernel_size - layout.exec_size);
++ data_section->raw_data_offset = grub_host_to_target32 (header_size + layout.exec_size);
+ data_section->characteristics
+ = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+ | GRUB_PE32_SCN_MEM_READ
+@@ -1376,10 +1376,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+
+ mods_section = data_section + 1;
+ strcpy (mods_section->name, "mods");
+- mods_section->virtual_size = grub_cpu_to_le32 (reloc_addr - layout.kernel_size - header_size);
+- mods_section->virtual_address = grub_cpu_to_le32 (header_size + layout.kernel_size + layout.bss_size);
+- mods_section->raw_data_size = grub_cpu_to_le32 (reloc_addr - layout.kernel_size - header_size);
+- mods_section->raw_data_offset = grub_cpu_to_le32 (header_size + layout.kernel_size);
++ mods_section->virtual_size = grub_host_to_target32 (reloc_addr - layout.kernel_size - header_size);
++ mods_section->virtual_address = grub_host_to_target32 (header_size + layout.kernel_size + layout.bss_size);
++ mods_section->raw_data_size = grub_host_to_target32 (reloc_addr - layout.kernel_size - header_size);
++ mods_section->raw_data_offset = grub_host_to_target32 (header_size + layout.kernel_size);
+ mods_section->characteristics
+ = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+ | GRUB_PE32_SCN_MEM_READ
+@@ -1387,10 +1387,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+
+ reloc_section = mods_section + 1;
+ strcpy (reloc_section->name, ".reloc");
+- reloc_section->virtual_size = grub_cpu_to_le32 (layout.reloc_size);
+- reloc_section->virtual_address = grub_cpu_to_le32 (reloc_addr + layout.bss_size);
+- reloc_section->raw_data_size = grub_cpu_to_le32 (layout.reloc_size);
+- reloc_section->raw_data_offset = grub_cpu_to_le32 (reloc_addr);
++ reloc_section->virtual_size = grub_host_to_target32 (layout.reloc_size);
++ reloc_section->virtual_address = grub_host_to_target32 (reloc_addr + layout.bss_size);
++ reloc_section->raw_data_size = grub_host_to_target32 (layout.reloc_size);
++ reloc_section->raw_data_offset = grub_host_to_target32 (reloc_addr);
+ reloc_section->characteristics
+ = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+ | GRUB_PE32_SCN_MEM_DISCARDABLE
diff --git a/SOURCES/0469-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch b/SOURCES/0469-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
new file mode 100644
index 0000000..cef0a35
--- /dev/null
+++ b/SOURCES/0469-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Feb 2021 14:14:24 +0100
+Subject: [PATCH] util/mkimage: Always use grub_host_to_target32() to
+ initialize PE stack and heap stuff
+
+This change does not impact final result of initialization itself.
+However, it eases PE code unification in subsequent patches.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index 601521d34cf..d2876cdb5fb 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -1339,10 +1339,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ o->subsystem = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION);
+
+ /* Do these really matter? */
+- o->stack_reserve_size = grub_host_to_target64 (0x10000);
+- o->stack_commit_size = grub_host_to_target64 (0x10000);
+- o->heap_reserve_size = grub_host_to_target64 (0x10000);
+- o->heap_commit_size = grub_host_to_target64 (0x10000);
++ o->stack_reserve_size = grub_host_to_target32 (0x10000);
++ o->stack_commit_size = grub_host_to_target32 (0x10000);
++ o->heap_reserve_size = grub_host_to_target32 (0x10000);
++ o->heap_commit_size = grub_host_to_target32 (0x10000);
+
+ o->num_data_directories
+ = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES);
diff --git a/SOURCES/0470-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch b/SOURCES/0470-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
new file mode 100644
index 0000000..e8e286a
--- /dev/null
+++ b/SOURCES/0470-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
@@ -0,0 +1,165 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 19 Feb 2021 14:22:13 +0100
+Subject: [PATCH] util/mkimage: Unify more of the PE32 and PE32+ header set-up
+
+There's quite a bit of code duplication in the code that sets the optional
+header for PE32 and PE32+. The two are very similar with the exception of
+a few fields that have type grub_uint64_t instead of grub_uint32_t.
+
+Factor out the common code and add a PE_OHDR() macro that simplifies the
+set-up and make the code more readable.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 111 ++++++++++++++++++++++++++-------------------------------
+ 1 file changed, 51 insertions(+), 60 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index d2876cdb5fb..ff5462c98c1 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -771,6 +771,21 @@ grub_install_get_image_targets_string (void)
+ return formats;
+ }
+
++/*
++ * tmp_ is just here so the compiler knows we'll never derefernce a NULL.
++ * It should get fully optimized away.
++ */
++#define PE_OHDR(o32, o64, field) (*( \
++{ \
++ __typeof__((o64)->field) tmp_; \
++ __typeof__((o64)->field) *ret_ = &tmp_; \
++ if (o32) \
++ ret_ = (void *)(&((o32)->field)); \
++ else if (o64) \
++ ret_ = (void *)(&((o64)->field)); \
++ ret_; \
++}))
++
+ void
+ grub_install_generate_image (const char *dir, const char *prefix,
+ FILE *out, const char *outname, char *mods[],
+@@ -1240,6 +1255,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ static const grub_uint8_t stub[] = GRUB_PE32_MSDOS_STUB;
+ int header_size;
+ int reloc_addr;
++ struct grub_pe32_optional_header *o32 = NULL;
++ struct grub_pe64_optional_header *o64 = NULL;
+
+ if (image_target->voidp_sizeof == 4)
+ header_size = EFI32_HEADER_SIZE;
+@@ -1281,76 +1298,50 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ /* The PE Optional header. */
+ if (image_target->voidp_sizeof == 4)
+ {
+- struct grub_pe32_optional_header *o;
+-
+ c->optional_header_size = grub_host_to_target16 (sizeof (struct grub_pe32_optional_header));
+
+- o = (struct grub_pe32_optional_header *)
+- (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE
+- + sizeof (struct grub_pe32_coff_header));
+- o->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC);
+- o->code_size = grub_host_to_target32 (layout.exec_size);
+- o->data_size = grub_host_to_target32 (reloc_addr - layout.exec_size
+- - header_size);
+- o->entry_addr = grub_host_to_target32 (layout.start_address);
+- o->code_base = grub_host_to_target32 (header_size);
++ o32 = (struct grub_pe32_optional_header *)
++ (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE +
++ sizeof (struct grub_pe32_coff_header));
++ o32->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC);
++ o32->data_base = grub_host_to_target32 (header_size + layout.exec_size);
+
+- o->data_base = grub_host_to_target32 (header_size + layout.exec_size);
+-
+- o->image_base = 0;
+- o->section_alignment = grub_host_to_target32 (image_target->section_align);
+- o->file_alignment = grub_host_to_target32 (image_target->section_align);
+- o->image_size = grub_host_to_target32 (pe_size);
+- o->header_size = grub_host_to_target32 (header_size);
+- o->subsystem = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION);
+-
+- /* Do these really matter? */
+- o->stack_reserve_size = grub_host_to_target32 (0x10000);
+- o->stack_commit_size = grub_host_to_target32 (0x10000);
+- o->heap_reserve_size = grub_host_to_target32 (0x10000);
+- o->heap_commit_size = grub_host_to_target32 (0x10000);
+-
+- o->num_data_directories = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES);
+-
+- o->base_relocation_table.rva = grub_host_to_target32 (reloc_addr);
+- o->base_relocation_table.size = grub_host_to_target32 (layout.reloc_size);
+- sections = o + 1;
++ sections = o32 + 1;
+ }
+ else
+ {
+- struct grub_pe64_optional_header *o;
+-
+ c->optional_header_size = grub_host_to_target16 (sizeof (struct grub_pe64_optional_header));
+
+- o = (struct grub_pe64_optional_header *)
+- (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE
+- + sizeof (struct grub_pe32_coff_header));
+- o->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC);
+- o->code_size = grub_host_to_target32 (layout.exec_size);
+- o->data_size = grub_host_to_target32 (reloc_addr - layout.exec_size
+- - header_size);
+- o->entry_addr = grub_host_to_target32 (layout.start_address);
+- o->code_base = grub_host_to_target32 (header_size);
+- o->image_base = 0;
+- o->section_alignment = grub_host_to_target32 (image_target->section_align);
+- o->file_alignment = grub_host_to_target32 (image_target->section_align);
+- o->image_size = grub_host_to_target32 (pe_size);
+- o->header_size = grub_host_to_target32 (header_size);
+- o->subsystem = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION);
++ o64 = (struct grub_pe64_optional_header *)
++ (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE +
++ sizeof (struct grub_pe32_coff_header));
++ o64->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC);
+
+- /* Do these really matter? */
+- o->stack_reserve_size = grub_host_to_target32 (0x10000);
+- o->stack_commit_size = grub_host_to_target32 (0x10000);
+- o->heap_reserve_size = grub_host_to_target32 (0x10000);
+- o->heap_commit_size = grub_host_to_target32 (0x10000);
+-
+- o->num_data_directories
+- = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES);
+-
+- o->base_relocation_table.rva = grub_host_to_target32 (reloc_addr);
+- o->base_relocation_table.size = grub_host_to_target32 (layout.reloc_size);
+- sections = o + 1;
++ sections = o64 + 1;
+ }
++
++ PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (layout.exec_size);
++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - layout.exec_size - header_size);
++ PE_OHDR (o32, o64, entry_addr) = grub_host_to_target32 (layout.start_address);
++ PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size);
++
++ PE_OHDR (o32, o64, image_base) = 0;
++ PE_OHDR (o32, o64, section_alignment) = grub_host_to_target32 (image_target->section_align);
++ PE_OHDR (o32, o64, file_alignment) = grub_host_to_target32 (GRUB_PE32_FILE_ALIGNMENT);
++ PE_OHDR (o32, o64, image_size) = grub_host_to_target32 (pe_size);
++ PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size);
++ PE_OHDR (o32, o64, subsystem) = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION);
++
++ /* Do these really matter? */
++ PE_OHDR (o32, o64, stack_reserve_size) = grub_host_to_target32 (0x10000);
++ PE_OHDR (o32, o64, stack_commit_size) = grub_host_to_target32 (0x10000);
++ PE_OHDR (o32, o64, heap_reserve_size) = grub_host_to_target32 (0x10000);
++ PE_OHDR (o32, o64, heap_commit_size) = grub_host_to_target32 (0x10000);
++
++ PE_OHDR (o32, o64, num_data_directories) = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES);
++ PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr);
++ PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (layout.reloc_size);
++
+ /* The sections. */
+ text_section = sections;
+ strcpy (text_section->name, ".text");
diff --git a/SOURCES/0471-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch b/SOURCES/0471-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
new file mode 100644
index 0000000..95a3c7d
--- /dev/null
+++ b/SOURCES/0471-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Feb 2021 14:21:48 +0100
+Subject: [PATCH] util/mkimage: Reorder PE optional header fields set-up
+
+This makes the PE32 and PE32+ header fields set-up easier to follow by
+setting them closer to the initialization of their related sections.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index ff5462c98c1..e73a5864b22 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -1320,16 +1320,12 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ sections = o64 + 1;
+ }
+
+- PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (layout.exec_size);
+- PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - layout.exec_size - header_size);
++ PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size);
+ PE_OHDR (o32, o64, entry_addr) = grub_host_to_target32 (layout.start_address);
+- PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size);
+-
+ PE_OHDR (o32, o64, image_base) = 0;
++ PE_OHDR (o32, o64, image_size) = grub_host_to_target32 (pe_size);
+ PE_OHDR (o32, o64, section_alignment) = grub_host_to_target32 (image_target->section_align);
+ PE_OHDR (o32, o64, file_alignment) = grub_host_to_target32 (GRUB_PE32_FILE_ALIGNMENT);
+- PE_OHDR (o32, o64, image_size) = grub_host_to_target32 (pe_size);
+- PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size);
+ PE_OHDR (o32, o64, subsystem) = grub_host_to_target16 (GRUB_PE32_SUBSYSTEM_EFI_APPLICATION);
+
+ /* Do these really matter? */
+@@ -1339,10 +1335,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ PE_OHDR (o32, o64, heap_commit_size) = grub_host_to_target32 (0x10000);
+
+ PE_OHDR (o32, o64, num_data_directories) = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES);
+- PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr);
+- PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (layout.reloc_size);
+
+ /* The sections. */
++ PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size);
++ PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (layout.exec_size);
+ text_section = sections;
+ strcpy (text_section->name, ".text");
+ text_section->virtual_size = grub_host_to_target32 (layout.exec_size);
+@@ -1354,6 +1350,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ | GRUB_PE32_SCN_MEM_EXECUTE
+ | GRUB_PE32_SCN_MEM_READ);
+
++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - layout.exec_size - header_size);
++
+ data_section = text_section + 1;
+ strcpy (data_section->name, ".data");
+ data_section->virtual_size = grub_host_to_target32 (layout.kernel_size - layout.exec_size);
+@@ -1376,6 +1374,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ | GRUB_PE32_SCN_MEM_READ
+ | GRUB_PE32_SCN_MEM_WRITE);
+
++ PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr);
++ PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (layout.reloc_size);
+ reloc_section = mods_section + 1;
+ strcpy (reloc_section->name, ".reloc");
+ reloc_section->virtual_size = grub_host_to_target32 (layout.reloc_size);
diff --git a/SOURCES/0472-util-mkimage-Improve-data_size-value-calculation.patch b/SOURCES/0472-util-mkimage-Improve-data_size-value-calculation.patch
new file mode 100644
index 0000000..31428ef
--- /dev/null
+++ b/SOURCES/0472-util-mkimage-Improve-data_size-value-calculation.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 11 Feb 2021 17:07:33 +0100
+Subject: [PATCH] util/mkimage: Improve data_size value calculation
+
+According to "Microsoft Portable Executable and Common Object File Format
+Specification", the Optional Header SizeOfInitializedData field contains:
+
+ Size of the initialized data section, or the sum of all such sections if
+ there are multiple data sections.
+
+Make this explicit by adding the GRUB kernel data size to the sum of all
+the modules sizes. The ALIGN_UP() is not required by the PE spec but do
+it to avoid alignment issues.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index e73a5864b22..f22b398d973 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -1248,6 +1248,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ void *pe_img;
+ grub_uint8_t *header;
+ void *sections;
++ size_t scn_size;
+ size_t pe_size;
+ struct grub_pe32_coff_header *c;
+ struct grub_pe32_section_table *text_section, *data_section;
+@@ -1350,7 +1351,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ | GRUB_PE32_SCN_MEM_EXECUTE
+ | GRUB_PE32_SCN_MEM_READ);
+
+- PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (reloc_addr - layout.exec_size - header_size);
++ scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT);
++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size +
++ ALIGN_UP (total_module_size,
++ GRUB_PE32_FILE_ALIGNMENT));
+
+ data_section = text_section + 1;
+ strcpy (data_section->name, ".data");
diff --git a/SOURCES/0473-util-mkimage-Refactor-section-setup-to-use-a-helper.patch b/SOURCES/0473-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
new file mode 100644
index 0000000..41d3f2f
--- /dev/null
+++ b/SOURCES/0473-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
@@ -0,0 +1,216 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Feb 2021 14:58:06 +0100
+Subject: [PATCH] util/mkimage: Refactor section setup to use a helper
+
+Add a init_pe_section() helper function to setup PE sections. This makes
+the code simpler and easier to read.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 141 +++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 76 insertions(+), 65 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index f22b398d973..0f5ae2a76f2 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -771,6 +771,38 @@ grub_install_get_image_targets_string (void)
+ return formats;
+ }
+
++/*
++ * The image_target parameter is used by the grub_host_to_target32() macro.
++ */
++static struct grub_pe32_section_table *
++init_pe_section(const struct grub_install_image_target_desc *image_target,
++ struct grub_pe32_section_table *section,
++ const char * const name,
++ grub_uint32_t *vma, grub_uint32_t vsz, grub_uint32_t valign,
++ grub_uint32_t *rda, grub_uint32_t rsz,
++ grub_uint32_t characteristics)
++{
++ size_t len = strlen (name);
++
++ if (len > sizeof (section->name))
++ grub_util_error (_("section name %s length is bigger than %lu"),
++ name, (unsigned long) sizeof (section->name));
++
++ memcpy (section->name, name, len);
++
++ section->virtual_address = grub_host_to_target32 (*vma);
++ section->virtual_size = grub_host_to_target32 (vsz);
++ (*vma) = ALIGN_UP (*vma + vsz, valign);
++
++ section->raw_data_offset = grub_host_to_target32 (*rda);
++ section->raw_data_size = grub_host_to_target32 (rsz);
++ (*rda) = ALIGN_UP (*rda + rsz, GRUB_PE32_FILE_ALIGNMENT);
++
++ section->characteristics = grub_host_to_target32 (characteristics);
++
++ return section + 1;
++}
++
+ /*
+ * tmp_ is just here so the compiler knows we'll never derefernce a NULL.
+ * It should get fully optimized away.
+@@ -1245,17 +1277,13 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ break;
+ case IMAGE_EFI:
+ {
+- void *pe_img;
+- grub_uint8_t *header;
+- void *sections;
++ char *pe_img, *header;
++ struct grub_pe32_section_table *section;
+ size_t scn_size;
+- size_t pe_size;
++ grub_uint32_t vma, raw_data;
++ size_t pe_size, header_size;
+ struct grub_pe32_coff_header *c;
+- struct grub_pe32_section_table *text_section, *data_section;
+- struct grub_pe32_section_table *mods_section, *reloc_section;
+ static const grub_uint8_t stub[] = GRUB_PE32_MSDOS_STUB;
+- int header_size;
+- int reloc_addr;
+ struct grub_pe32_optional_header *o32 = NULL;
+ struct grub_pe64_optional_header *o64 = NULL;
+
+@@ -1264,17 +1292,12 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ else
+ header_size = EFI64_HEADER_SIZE;
+
+- reloc_addr = ALIGN_UP (header_size + core_size,
+- image_target->section_align);
++ vma = raw_data = header_size;
++ pe_size = ALIGN_UP (header_size + core_size, GRUB_PE32_FILE_ALIGNMENT) +
++ ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT);
++ header = pe_img = xcalloc (1, pe_size);
+
+- pe_size = ALIGN_UP (reloc_addr + layout.reloc_size,
+- image_target->section_align);
+- pe_img = xmalloc (reloc_addr + layout.reloc_size);
+- memset (pe_img, 0, header_size);
+- memcpy ((char *) pe_img + header_size, core_img, core_size);
+- memset ((char *) pe_img + header_size + core_size, 0, reloc_addr - (header_size + core_size));
+- memcpy ((char *) pe_img + reloc_addr, layout.reloc_section, layout.reloc_size);
+- header = pe_img;
++ memcpy (pe_img + raw_data, core_img, core_size);
+
+ /* The magic. */
+ memcpy (header, stub, GRUB_PE32_MSDOS_STUB_SIZE);
+@@ -1307,18 +1330,17 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ o32->magic = grub_host_to_target16 (GRUB_PE32_PE32_MAGIC);
+ o32->data_base = grub_host_to_target32 (header_size + layout.exec_size);
+
+- sections = o32 + 1;
++ section = (struct grub_pe32_section_table *)(o32 + 1);
+ }
+ else
+ {
+ c->optional_header_size = grub_host_to_target16 (sizeof (struct grub_pe64_optional_header));
+-
+ o64 = (struct grub_pe64_optional_header *)
+ (header + GRUB_PE32_MSDOS_STUB_SIZE + GRUB_PE32_SIGNATURE_SIZE +
+ sizeof (struct grub_pe32_coff_header));
+ o64->magic = grub_host_to_target16 (GRUB_PE32_PE64_MAGIC);
+
+- sections = o64 + 1;
++ section = (struct grub_pe32_section_table *)(o64 + 1);
+ }
+
+ PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size);
+@@ -1338,58 +1360,47 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ PE_OHDR (o32, o64, num_data_directories) = grub_host_to_target32 (GRUB_PE32_NUM_DATA_DIRECTORIES);
+
+ /* The sections. */
+- PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (header_size);
++ PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (vma);
+ PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (layout.exec_size);
+- text_section = sections;
+- strcpy (text_section->name, ".text");
+- text_section->virtual_size = grub_host_to_target32 (layout.exec_size);
+- text_section->virtual_address = grub_host_to_target32 (header_size);
+- text_section->raw_data_size = grub_host_to_target32 (layout.exec_size);
+- text_section->raw_data_offset = grub_host_to_target32 (header_size);
+- text_section->characteristics = grub_cpu_to_le32_compile_time (
+- GRUB_PE32_SCN_CNT_CODE
+- | GRUB_PE32_SCN_MEM_EXECUTE
+- | GRUB_PE32_SCN_MEM_READ);
++ section = init_pe_section (image_target, section, ".text",
++ &vma, layout.exec_size,
++ image_target->section_align,
++ &raw_data, layout.exec_size,
++ GRUB_PE32_SCN_CNT_CODE |
++ GRUB_PE32_SCN_MEM_EXECUTE |
++ GRUB_PE32_SCN_MEM_READ);
+
+ scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT);
+ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size +
+ ALIGN_UP (total_module_size,
+ GRUB_PE32_FILE_ALIGNMENT));
+
+- data_section = text_section + 1;
+- strcpy (data_section->name, ".data");
+- data_section->virtual_size = grub_host_to_target32 (layout.kernel_size - layout.exec_size);
+- data_section->virtual_address = grub_host_to_target32 (header_size + layout.exec_size);
+- data_section->raw_data_size = grub_host_to_target32 (layout.kernel_size - layout.exec_size);
+- data_section->raw_data_offset = grub_host_to_target32 (header_size + layout.exec_size);
+- data_section->characteristics
+- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+- | GRUB_PE32_SCN_MEM_READ
+- | GRUB_PE32_SCN_MEM_WRITE);
+-
+- mods_section = data_section + 1;
+- strcpy (mods_section->name, "mods");
+- mods_section->virtual_size = grub_host_to_target32 (reloc_addr - layout.kernel_size - header_size);
+- mods_section->virtual_address = grub_host_to_target32 (header_size + layout.kernel_size + layout.bss_size);
+- mods_section->raw_data_size = grub_host_to_target32 (reloc_addr - layout.kernel_size - header_size);
+- mods_section->raw_data_offset = grub_host_to_target32 (header_size + layout.kernel_size);
+- mods_section->characteristics
+- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+- | GRUB_PE32_SCN_MEM_READ
+- | GRUB_PE32_SCN_MEM_WRITE);
++ section = init_pe_section (image_target, section, ".data",
++ &vma, scn_size, image_target->section_align,
++ &raw_data, scn_size,
++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
++ GRUB_PE32_SCN_MEM_READ |
++ GRUB_PE32_SCN_MEM_WRITE);
++
++ scn_size = pe_size - layout.reloc_size - raw_data;
++ section = init_pe_section (image_target, section, "mods",
++ &vma, scn_size, image_target->section_align,
++ &raw_data, scn_size,
++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
++ GRUB_PE32_SCN_MEM_READ |
++ GRUB_PE32_SCN_MEM_WRITE);
++
++ scn_size = layout.reloc_size;
++ PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma);
++ PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size);
++ memcpy (pe_img + raw_data, layout.reloc_section, scn_size);
++ init_pe_section (image_target, section, ".reloc",
++ &vma, scn_size, image_target->section_align,
++ &raw_data, scn_size,
++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
++ GRUB_PE32_SCN_MEM_DISCARDABLE |
++ GRUB_PE32_SCN_MEM_READ);
+
+- PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (reloc_addr);
+- PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (layout.reloc_size);
+- reloc_section = mods_section + 1;
+- strcpy (reloc_section->name, ".reloc");
+- reloc_section->virtual_size = grub_host_to_target32 (layout.reloc_size);
+- reloc_section->virtual_address = grub_host_to_target32 (reloc_addr + layout.bss_size);
+- reloc_section->raw_data_size = grub_host_to_target32 (layout.reloc_size);
+- reloc_section->raw_data_offset = grub_host_to_target32 (reloc_addr);
+- reloc_section->characteristics
+- = grub_cpu_to_le32_compile_time (GRUB_PE32_SCN_CNT_INITIALIZED_DATA
+- | GRUB_PE32_SCN_MEM_DISCARDABLE
+- | GRUB_PE32_SCN_MEM_READ);
+ free (core_img);
+ core_img = pe_img;
+ core_size = pe_size;
diff --git a/SOURCES/0474-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch b/SOURCES/0474-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
new file mode 100644
index 0000000..7044e57
--- /dev/null
+++ b/SOURCES/0474-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
@@ -0,0 +1,260 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Feb 2021 17:07:00 +0100
+Subject: [PATCH] util/mkimage: Add an option to import SBAT metadata into a
+ .sbat section
+
+Add a --sbat option to the grub-mkimage tool which allows us to import
+an SBAT metadata formatted as a CSV file into a .sbat section of the
+EFI binary.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/grub-install-common.c | 2 +-
+ util/grub-mkimage.c | 15 ++++++++++++++-
+ util/mkimage.c | 43 ++++++++++++++++++++++++++++++++++++-------
+ include/grub/util/install.h | 3 ++-
+ include/grub/util/mkimage.h | 1 +
+ docs/grub.texi | 19 +++++++++++++++++++
+ 6 files changed, 73 insertions(+), 10 deletions(-)
+
+diff --git a/util/grub-install-common.c b/util/grub-install-common.c
+index fa6b65347ea..fde4ca7fc8c 100644
+--- a/util/grub-install-common.c
++++ b/util/grub-install-common.c
+@@ -537,7 +537,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
+ pubkeys, npubkeys,
+ x509keys, nx509keys,
+ config_path, tgt,
+- note, appsig_size, compression, dtb);
++ note, appsig_size, compression, dtb, NULL);
+ while (dc--)
+ grub_install_pop_module ();
+ }
+diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
+index 394d2dc5fc9..17a86261ffc 100644
+--- a/util/grub-mkimage.c
++++ b/util/grub-mkimage.c
+@@ -82,6 +82,7 @@ static struct argp_option options[] = {
+ {"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
+ {"format", 'O', N_("FORMAT"), 0, 0, 0},
+ {"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
++ {"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0},
+ {"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
+ {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
+ { 0, 0, 0, 0, 0, 0 }
+@@ -127,6 +128,7 @@ struct arguments
+ size_t nx509keys;
+ char *font;
+ char *config;
++ char *sbat;
+ int note;
+ size_t appsig_size;
+ const struct grub_install_image_target_desc *image_target;
+@@ -244,6 +246,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
+ arguments->prefix = xstrdup (arg);
+ break;
+
++ case 's':
++ if (arguments->sbat)
++ free (arguments->sbat);
++
++ arguments->sbat = xstrdup (arg);
++ break;
++
+ case 'v':
+ verbosity++;
+ break;
+@@ -331,7 +340,8 @@ main (int argc, char *argv[])
+ arguments.nx509keys, arguments.config,
+ arguments.image_target, arguments.note,
+ arguments.appsig_size,
+- arguments.comp, arguments.dtb);
++ arguments.comp, arguments.dtb,
++ arguments.sbat);
+
+ grub_util_file_sync (fp);
+ fclose (fp);
+@@ -346,5 +356,8 @@ main (int argc, char *argv[])
+ if (arguments.output)
+ free (arguments.output);
+
++ if (arguments.sbat)
++ free (arguments.sbat);
++
+ return 0;
+ }
+diff --git a/util/mkimage.c b/util/mkimage.c
+index 0f5ae2a76f2..16418e245d3 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -826,12 +826,13 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ char **x509key_paths, size_t nx509keys,
+ char *config_path,
+ const struct grub_install_image_target_desc *image_target,
+- int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
++ int note, size_t appsig_size, grub_compression_t comp,
++ const char *dtb_path, const char *sbat_path)
+ {
+ char *kernel_img, *core_img;
+ size_t total_module_size, core_size;
+ size_t memdisk_size = 0, config_size = 0;
+- size_t prefix_size = 0, dtb_size = 0;
++ size_t prefix_size = 0, dtb_size = 0, sbat_size = 0;
+ char *kernel_path;
+ size_t offset;
+ struct grub_util_path_list *path_list, *p;
+@@ -895,6 +896,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ total_module_size += dtb_size + sizeof (struct grub_module_header);
+ }
+
++ if (sbat_path != NULL && image_target->id != IMAGE_EFI)
++ grub_util_error (_(".sbat section can be embedded into EFI images only"));
++
+ if (config_path)
+ {
+ config_size = ALIGN_ADDR (grub_util_get_image_size (config_path) + 1);
+@@ -1277,8 +1281,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ break;
+ case IMAGE_EFI:
+ {
+- char *pe_img, *header;
++ char *pe_img, *pe_sbat, *header;
+ struct grub_pe32_section_table *section;
++ size_t n_sections = 4;
+ size_t scn_size;
+ grub_uint32_t vma, raw_data;
+ size_t pe_size, header_size;
+@@ -1293,8 +1298,15 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ header_size = EFI64_HEADER_SIZE;
+
+ vma = raw_data = header_size;
++
++ if (sbat_path != NULL)
++ {
++ sbat_size = ALIGN_ADDR (grub_util_get_image_size (sbat_path));
++ sbat_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT);
++ }
++
+ pe_size = ALIGN_UP (header_size + core_size, GRUB_PE32_FILE_ALIGNMENT) +
+- ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT);
++ ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT) + sbat_size;
+ header = pe_img = xcalloc (1, pe_size);
+
+ memcpy (pe_img + raw_data, core_img, core_size);
+@@ -1309,7 +1321,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ + GRUB_PE32_SIGNATURE_SIZE);
+ c->machine = grub_host_to_target16 (image_target->pe_target);
+
+- c->num_sections = grub_host_to_target16 (4);
++ if (sbat_path != NULL)
++ n_sections++;
++
++ c->num_sections = grub_host_to_target16 (n_sections);
+ c->time = grub_host_to_target32 (STABLE_EMBEDDING_TIMESTAMP);
+ c->characteristics = grub_host_to_target16 (GRUB_PE32_EXECUTABLE_IMAGE
+ | GRUB_PE32_LINE_NUMS_STRIPPED
+@@ -1371,7 +1386,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ GRUB_PE32_SCN_MEM_READ);
+
+ scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT);
+- PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size +
++ /* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. */
++ PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size +
+ ALIGN_UP (total_module_size,
+ GRUB_PE32_FILE_ALIGNMENT));
+
+@@ -1382,7 +1398,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ GRUB_PE32_SCN_MEM_READ |
+ GRUB_PE32_SCN_MEM_WRITE);
+
+- scn_size = pe_size - layout.reloc_size - raw_data;
++ scn_size = pe_size - layout.reloc_size - sbat_size - raw_data;
+ section = init_pe_section (image_target, section, "mods",
+ &vma, scn_size, image_target->section_align,
+ &raw_data, scn_size,
+@@ -1390,6 +1406,19 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ GRUB_PE32_SCN_MEM_READ |
+ GRUB_PE32_SCN_MEM_WRITE);
+
++ if (sbat_path != NULL)
++ {
++ pe_sbat = pe_img + raw_data;
++ grub_util_load_image (sbat_path, pe_sbat);
++
++ section = init_pe_section (image_target, section, ".sbat",
++ &vma, sbat_size,
++ image_target->section_align,
++ &raw_data, sbat_size,
++ GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
++ GRUB_PE32_SCN_MEM_READ);
++ }
++
+ scn_size = layout.reloc_size;
+ PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma);
+ PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size);
+diff --git a/include/grub/util/install.h b/include/grub/util/install.h
+index 95059285bd4..dad17561c4f 100644
+--- a/include/grub/util/install.h
++++ b/include/grub/util/install.h
+@@ -187,7 +187,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ char *config_path,
+ const struct grub_install_image_target_desc *image_target,
+ int note, size_t appsig_size,
+- grub_compression_t comp, const char *dtb_file);
++ grub_compression_t comp, const char *dtb_file,
++ const char *sbat_path);
+
+ const struct grub_install_image_target_desc *
+ grub_install_get_image_target (const char *arg);
+diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
+index cef7fffa7ae..f48d544c28a 100644
+--- a/include/grub/util/mkimage.h
++++ b/include/grub/util/mkimage.h
+@@ -24,6 +24,7 @@ struct grub_mkimage_layout
+ size_t exec_size;
+ size_t kernel_size;
+ size_t bss_size;
++ size_t sbat_size;
+ grub_uint64_t start_address;
+ void *reloc_section;
+ size_t reloc_size;
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 314bbeb8471..52e6e5763b8 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5719,6 +5719,7 @@ environment variables and commands are listed in the same order.
+ * Using GPG-style digital signatures:: Booting digitally signed code
+ * Using appended signatures:: An alternative approach to booting digitally signed code
+ * Signing GRUB itself:: Ensuring the integrity of the GRUB core image
++* Secure Boot Advanced Targeting:: Embedded information for generation number based revocation
+ * Lockdown:: Lockdown when booting on a secure setup
+ @end menu
+
+@@ -6010,6 +6011,24 @@ As with UEFI secure boot, it is necessary to build in the required modules,
+ or sign them separately.
+
+
++@node Secure Boot Advanced Targeting
++@section Embedded information for generation number based revocation
++
++The Secure Boot Advanced Targeting (SBAT) is a mechanism to allow the revocation
++of components in the boot path by using generation numbers embedded into the EFI
++binaries. The SBAT metadata is located in an .sbat data section that has set of
++UTF-8 strings as comma-separated values (CSV). See
++@uref{https://github.com/rhboot/shim/blob/main/SBAT.md} for more details.
++
++To add a data section containing the SBAT information into the binary, the
++@option{--sbat} option of @command{grub-mkimage} command should be used. The content
++of a CSV file, encoded with UTF-8, is copied as is to the .sbat data section into
++the generated EFI binary. The CSV file can be stored anywhere on the file system.
++
++@example
++grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp
++@end example
++
+ @node Lockdown
+ @section Lockdown when booting on a secure setup
+
diff --git a/SOURCES/0475-kern-misc-Split-parse_printf_args-into-format-parsin.patch b/SOURCES/0475-kern-misc-Split-parse_printf_args-into-format-parsin.patch
new file mode 100644
index 0000000..7ff44dd
--- /dev/null
+++ b/SOURCES/0475-kern-misc-Split-parse_printf_args-into-format-parsin.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Mon, 15 Feb 2021 13:40:16 +0100
+Subject: [PATCH] kern/misc: Split parse_printf_args() into format parsing and
+ va_list handling
+
+This patch is preparing for a follow up patch which will use
+the format parsing part to compare the arguments in a printf()
+format from an external source against a printf() format with
+expected arguments.
+
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/misc.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index 475f3e0ef05..ebfcc95f01d 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -711,8 +711,7 @@ grub_lltoa (char *str, int c, unsigned long long n)
+ }
+
+ static void
+-parse_printf_args (const char *fmt0, struct printf_args *args,
+- va_list args_in)
++parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
+ {
+ const char *fmt;
+ char c;
+@@ -870,6 +869,14 @@ parse_printf_args (const char *fmt0, struct printf_args *args,
+ break;
+ }
+ }
++}
++
++static void
++parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in)
++{
++ grub_size_t n;
++
++ parse_printf_arg_fmt (fmt0, args);
+
+ for (n = 0; n < args->count; n++)
+ switch (args->ptr[n].type)
diff --git a/SOURCES/0476-kern-misc-Add-STRING-type-for-internal-printf-format.patch b/SOURCES/0476-kern-misc-Add-STRING-type-for-internal-printf-format.patch
new file mode 100644
index 0000000..8e6e474
--- /dev/null
+++ b/SOURCES/0476-kern-misc-Add-STRING-type-for-internal-printf-format.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Mon, 15 Feb 2021 14:04:26 +0100
+Subject: [PATCH] kern/misc: Add STRING type for internal printf() format
+ handling
+
+Set printf() argument type for "%s" to new type STRING. This is in
+preparation for a follow up patch to compare a printf() format string
+against an expected printf() format string.
+
+For "%s" the corresponding printf() argument is dereferenced as pointer
+while all other argument types are defined as integer value. However,
+when validating a printf() format it is necessary to differentiate "%s"
+from "%p" and other integers. So, let's do that.
+
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/misc.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index ebfcc95f01d..07456faa2a7 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -37,7 +37,8 @@ union printf_arg
+ enum
+ {
+ INT, LONG, LONGLONG,
+- UNSIGNED_INT = 3, UNSIGNED_LONG, UNSIGNED_LONGLONG
++ UNSIGNED_INT = 3, UNSIGNED_LONG, UNSIGNED_LONGLONG,
++ STRING
+ } type;
+ long long ll;
+ };
+@@ -857,12 +858,14 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
+ args->ptr[curn].type = INT + longfmt;
+ break;
+ case 'p':
+- case 's':
+ if (sizeof (void *) == sizeof (long long))
+ args->ptr[curn].type = UNSIGNED_LONGLONG;
+ else
+ args->ptr[curn].type = UNSIGNED_INT;
+ break;
++ case 's':
++ args->ptr[curn].type = STRING;
++ break;
+ case 'C':
+ case 'c':
+ args->ptr[curn].type = INT;
+@@ -897,6 +900,12 @@ parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in)
+ case UNSIGNED_LONGLONG:
+ args->ptr[n].ll = va_arg (args_in, long long);
+ break;
++ case STRING:
++ if (sizeof (void *) == sizeof (long long))
++ args->ptr[n].ll = va_arg (args_in, long long);
++ else
++ args->ptr[n].ll = va_arg (args_in, unsigned int);
++ break;
+ }
+ }
+
diff --git a/SOURCES/0477-kern-misc-Add-function-to-check-printf-format-agains.patch b/SOURCES/0477-kern-misc-Add-function-to-check-printf-format-agains.patch
new file mode 100644
index 0000000..0dacf63
--- /dev/null
+++ b/SOURCES/0477-kern-misc-Add-function-to-check-printf-format-agains.patch
@@ -0,0 +1,215 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Thu, 4 Feb 2021 19:02:33 +0100
+Subject: [PATCH] kern/misc: Add function to check printf() format against
+ expected format
+
+The grub_printf_fmt_check() function parses the arguments of an untrusted
+printf() format and an expected printf() format and then compares the
+arguments counts and arguments types. The arguments count in the untrusted
+format string must be less or equal to the arguments count in the expected
+format string and both arguments types must match.
+
+To do this the parse_printf_arg_fmt() helper function is extended in the
+following way:
+
+ 1. Add a return value to report errors to the grub_printf_fmt_check().
+
+ 2. Add the fmt_check argument to enable stricter format verification:
+ - the function expects that arguments definitions are always
+ terminated by a supported conversion specifier.
+ - positional parameters, "$", are not allowed, as they cannot be
+ validated correctly with the current implementation. For example
+ "%s%1$d" would assign the first args entry twice while leaving the
+ second one unchanged.
+ - Return an error if preallocated space in args is too small and
+ allocation fails for the needed size. The grub_printf_fmt_check()
+ should verify all arguments. So, if validation is not possible for
+ any reason it should return an error.
+ This also adds a case entry to handle "%%", which is the escape
+ sequence to print "%" character.
+
+ 3. Add the max_args argument to check for the maximum allowed arguments
+ count in a printf() string. This should be set to the arguments count
+ of the expected format. Then the parse_printf_arg_fmt() function will
+ return an error if the arguments count is exceeded.
+
+The two additional arguments allow us to use parse_printf_arg_fmt() in
+printf() and grub_printf_fmt_check() calls.
+
+When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the
+function parse user provided untrusted format string too. So, in
+that case it is better to be too strict than too lenient.
+
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/misc.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++---
+ include/grub/misc.h | 16 ++++++++++
+ 2 files changed, 94 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index 07456faa2a7..859d71659a2 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -711,8 +711,26 @@ grub_lltoa (char *str, int c, unsigned long long n)
+ return p;
+ }
+
+-static void
+-parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
++/*
++ * Parse printf() fmt0 string into args arguments.
++ *
++ * The parsed arguments are either used by a printf() function to format the fmt0
++ * string or they are used to compare a format string from an untrusted source
++ * against a format string with expected arguments.
++ *
++ * When the fmt_check is set to !0, e.g. 1, then this function is executed in
++ * printf() format check mode. This enforces stricter rules for parsing the
++ * fmt0 to limit exposure to possible errors in printf() handling. It also
++ * disables positional parameters, "$", because some formats, e.g "%s%1$d",
++ * cannot be validated with the current implementation.
++ *
++ * The max_args allows to set a maximum number of accepted arguments. If the fmt0
++ * string defines more arguments than the max_args then the parse_printf_arg_fmt()
++ * function returns an error. This is currently used for format check only.
++ */
++static grub_err_t
++parse_printf_arg_fmt (const char *fmt0, struct printf_args *args,
++ int fmt_check, grub_size_t max_args)
+ {
+ const char *fmt;
+ char c;
+@@ -739,7 +757,12 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
+ fmt++;
+
+ if (*fmt == '$')
+- fmt++;
++ {
++ if (fmt_check)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ "positional arguments are not supported");
++ fmt++;
++ }
+
+ if (*fmt =='-')
+ fmt++;
+@@ -771,9 +794,19 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
+ case 's':
+ args->count++;
+ break;
++ case '%':
++ /* "%%" is the escape sequence to output "%". */
++ break;
++ default:
++ if (fmt_check)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "unexpected format");
++ break;
+ }
+ }
+
++ if (fmt_check && args->count > max_args)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "too many arguments");
++
+ if (args->count <= ARRAY_SIZE (args->prealloc))
+ args->ptr = args->prealloc;
+ else
+@@ -781,6 +814,9 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
+ args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
+ if (!args->ptr)
+ {
++ if (fmt_check)
++ return grub_errno;
++
+ grub_errno = GRUB_ERR_NONE;
+ args->ptr = args->prealloc;
+ args->count = ARRAY_SIZE (args->prealloc);
+@@ -872,6 +908,8 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
+ break;
+ }
+ }
++
++ return GRUB_ERR_NONE;
+ }
+
+ static void
+@@ -879,7 +917,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in)
+ {
+ grub_size_t n;
+
+- parse_printf_arg_fmt (fmt0, args);
++ parse_printf_arg_fmt (fmt0, args, 0, 0);
+
+ for (n = 0; n < args->count; n++)
+ switch (args->ptr[n].type)
+@@ -1187,6 +1225,42 @@ grub_xasprintf (const char *fmt, ...)
+ return ret;
+ }
+
++grub_err_t
++grub_printf_fmt_check (const char *fmt, const char *fmt_expected)
++{
++ struct printf_args args_expected, args_fmt;
++ grub_err_t ret;
++ grub_size_t n;
++
++ if (fmt == NULL || fmt_expected == NULL)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid format");
++
++ ret = parse_printf_arg_fmt (fmt_expected, &args_expected, 1, GRUB_SIZE_MAX);
++ if (ret != GRUB_ERR_NONE)
++ return ret;
++
++ /* Limit parsing to the number of expected arguments. */
++ ret = parse_printf_arg_fmt (fmt, &args_fmt, 1, args_expected.count);
++ if (ret != GRUB_ERR_NONE)
++ {
++ free_printf_args (&args_expected);
++ return ret;
++ }
++
++ for (n = 0; n < args_fmt.count; n++)
++ if (args_fmt.ptr[n].type != args_expected.ptr[n].type)
++ {
++ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "arguments types do not match");
++ break;
++ }
++
++ free_printf_args (&args_expected);
++ free_printf_args (&args_fmt);
++
++ return ret;
++}
++
++
+ /* Abort GRUB. This function does not return. */
+ static inline void __attribute__ ((noreturn))
+ grub_abort (void)
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 6ca03c4d692..6be6a88f652 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -488,6 +488,22 @@ grub_error_load (const struct grub_error_saved *save)
+ grub_errno = save->grub_errno;
+ }
+
++/*
++ * grub_printf_fmt_checks() a fmt string for printf() against an expected
++ * format. It is intended for cases where the fmt string could come from
++ * an outside source and cannot be trusted.
++ *
++ * While expected fmt accepts a printf() format string it should be kept
++ * as simple as possible. The printf() format strings with positional
++ * parameters are NOT accepted, neither for fmt nor for fmt_expected.
++ *
++ * The fmt is accepted if it has equal or less arguments than fmt_expected
++ * and if the type of all arguments match.
++ *
++ * Returns GRUB_ERR_NONE if fmt is acceptable.
++ */
++grub_err_t EXPORT_FUNC (grub_printf_fmt_check) (const char *fmt, const char *fmt_expected);
++
+ #if BOOT_TIME_STATS
+ struct grub_boot_time
+ {
diff --git a/SOURCES/0478-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch b/SOURCES/0478-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch
new file mode 100644
index 0000000..f1c4e5a
--- /dev/null
+++ b/SOURCES/0478-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Tue, 4 Aug 2020 13:49:51 +0200
+Subject: [PATCH] gfxmenu/gui: Check printf() format in the gui_progress_bar
+ and gui_label
+
+The gui_progress_bar and gui_label components can display the timeout
+value. The format string can be set through a theme file. This patch
+adds a validation step to the format string.
+
+If a user loads a theme file into the GRUB without this patch then
+a GUI label with the following settings
+
+ + label {
+ ...
+ id = "__timeout__"
+ text = "%s"
+ }
+
+will interpret the current timeout value as string pointer and print the
+memory at that position on the screen. It is not desired behavior.
+
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gfxmenu/gui_label.c | 4 ++++
+ grub-core/gfxmenu/gui_progress_bar.c | 3 +++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
+index a4c817891ee..1c190542a2b 100644
+--- a/grub-core/gfxmenu/gui_label.c
++++ b/grub-core/gfxmenu/gui_label.c
+@@ -193,6 +193,10 @@ label_set_property (void *vself, const char *name, const char *value)
+ else if (grub_strcmp (value, "@KEYMAP_SHORT@") == 0)
+ value = _("enter: boot, `e': options, `c': cmd-line");
+ /* FIXME: Add more templates here if needed. */
++
++ if (grub_printf_fmt_check(value, "%d") != GRUB_ERR_NONE)
++ value = ""; /* Unsupported format. */
++
+ self->template = grub_strdup (value);
+ self->text = grub_xasprintf (value, self->value);
+ }
+diff --git a/grub-core/gfxmenu/gui_progress_bar.c b/grub-core/gfxmenu/gui_progress_bar.c
+index b128f08668e..ace85a12569 100644
+--- a/grub-core/gfxmenu/gui_progress_bar.c
++++ b/grub-core/gfxmenu/gui_progress_bar.c
+@@ -348,6 +348,9 @@ progress_bar_set_property (void *vself, const char *name, const char *value)
+ Please use the shortest form available in you language. */
+ value = _("%ds");
+
++ if (grub_printf_fmt_check(value, "%d") != GRUB_ERR_NONE)
++ value = ""; /* Unsupported format. */
++
+ self->template = grub_strdup (value);
+ }
+ else if (grub_strcmp (name, "font") == 0)
diff --git a/SOURCES/0479-kern-mm-Fix-grub_debug_calloc-compilation-error.patch b/SOURCES/0479-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
new file mode 100644
index 0000000..619d6d5
--- /dev/null
+++ b/SOURCES/0479-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Tue, 9 Feb 2021 12:33:06 -0300
+Subject: [PATCH] kern/mm: Fix grub_debug_calloc() compilation error
+
+Fix compilation error due to missing parameter to
+grub_printf() when MM_DEBUG is defined.
+
+Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available)
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/mm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
+index 80d0720d005..d8c8377578b 100644
+--- a/grub-core/kern/mm.c
++++ b/grub-core/kern/mm.c
+@@ -594,7 +594,7 @@ grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t si
+
+ if (grub_mm_debug)
+ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
+- file, line, size);
++ file, line, nmemb, size);
+ ptr = grub_calloc (nmemb, size);
+ if (grub_mm_debug)
+ grub_printf ("%p\n", ptr);
diff --git a/SOURCES/0480-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch b/SOURCES/0480-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch
new file mode 100644
index 0000000..054a810
--- /dev/null
+++ b/SOURCES/0480-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Tue, 4 Aug 2020 17:13:05 +0200
+Subject: [PATCH] efi/net: Fix malformed device path arithmetic errors in efi
+ net methods
+
+---
+ grub-core/net/efi/net.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
+index 3ae1fbbe3c8..a58c24f6364 100644
+--- a/grub-core/net/efi/net.c
++++ b/grub-core/net/efi/net.c
+@@ -1318,11 +1318,18 @@ grub_efi_net_boot_from_https (void)
+
+ dp = grub_efi_get_device_path (image->device_handle);
+
+- while (1)
++ while (dp)
+ {
++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (len < 4)
++ {
++ grub_error(GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ break;
++ }
++
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+- grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
+
+ if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE)
+ && (subtype == GRUB_EFI_URI_DEVICE_PATH_SUBTYPE))
+@@ -1335,7 +1342,7 @@ grub_efi_net_boot_from_https (void)
+
+ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
+ break;
+- dp = (grub_efi_device_path_t *) ((char *) dp + len);
++ dp = GRUB_EFI_NEXT_DEVICE_PATH(dp);
+ }
+
+ return 0;
+@@ -1353,11 +1360,18 @@ grub_efi_net_boot_from_opa (void)
+
+ dp = grub_efi_get_device_path (image->device_handle);
+
+- while (1)
++ while (dp)
+ {
++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (len < 4)
++ {
++ grub_error(GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ break;
++ }
++
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+- grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
+
+ if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE)
+ && (subtype == GRUB_EFI_MAC_ADDRESS_DEVICE_PATH_SUBTYPE))
+@@ -1368,7 +1382,7 @@ grub_efi_net_boot_from_opa (void)
+
+ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
+ break;
+- dp = (grub_efi_device_path_t *) ((char *) dp + len);
++ dp = GRUB_EFI_NEXT_DEVICE_PATH(dp);
+ }
+
+ return 0;
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der
deleted file mode 100644
index e8216b1..0000000
Binary files a/SOURCES/centossecureboot001.der and /dev/null differ
diff --git a/SOURCES/centossecureboot202.der b/SOURCES/centossecureboot202.der
deleted file mode 100644
index ab8213c..0000000
Binary files a/SOURCES/centossecureboot202.der and /dev/null differ
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
deleted file mode 100644
index 42bdfcf..0000000
Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index 05ae140..98ad11a 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -369,9 +369,11 @@ done \
%ifarch x86_64 aarch64 %{arm}
%define mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
- -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \
+ -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\
+ --sbat %{4}./sbat.csv \
%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
- -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \
+ -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\
+ --sbat %{4}./sbat.csv \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.one -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.one -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{2}.one -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 1f4dab1..cc743e3 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -370,3 +370,111 @@ Patch0369: 0369-appended-signatures-documentation.patch
Patch0370: 0370-ieee1275-link-appended-signature-enforcement-to-ibm-.patch
Patch0371: 0371-include-grub-verify.h-Add-include-guard.patch
Patch0372: 0372-arm64-xen-Fix-too-few-arguments-to-function-grub_cre.patch
+Patch0373: 0373-kern-Add-lockdown-support.patch
+Patch0374: 0374-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
+Patch0375: 0375-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
+Patch0376: 0376-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
+Patch0377: 0377-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
+Patch0378: 0378-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
+Patch0379: 0379-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
+Patch0380: 0380-commands-setpci-Restrict-setpci-command-when-locked-.patch
+Patch0381: 0381-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
+Patch0382: 0382-gdb-Restrict-GDB-access-when-locked-down.patch
+Patch0383: 0383-loader-xnu-Don-t-allow-loading-extension-and-package.patch
+Patch0384: 0384-docs-Document-the-cutmem-command.patch
+Patch0385: 0385-dl-Only-allow-unloading-modules-that-are-not-depende.patch
+Patch0386: 0386-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
+Patch0387: 0387-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
+Patch0388: 0388-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
+Patch0389: 0389-net-tftp-Fix-dangling-memory-pointer.patch
+Patch0390: 0390-kern-parser-Fix-resource-leak-if-argc-0.patch
+Patch0391: 0391-kern-efi-Fix-memory-leak-on-failure.patch
+Patch0392: 0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
+Patch0393: 0393-gnulib-regexec-Resolve-unused-variable.patch
+Patch0394: 0394-gnulib-regcomp-Fix-uninitialized-token-structure.patch
+Patch0395: 0395-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
+Patch0396: 0396-gnulib-regexec-Fix-possible-null-dereference.patch
+Patch0397: 0397-gnulib-regcomp-Fix-uninitialized-re_token.patch
+Patch0398: 0398-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
+Patch0399: 0399-kern-partition-Check-for-NULL-before-dereferencing-i.patch
+Patch0400: 0400-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
+Patch0401: 0401-disk-ldm-If-failed-then-free-vg-variable-too.patch
+Patch0402: 0402-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
+Patch0403: 0403-disk-cryptodisk-Fix-potential-integer-overflow.patch
+Patch0404: 0404-hfsplus-Check-that-the-volume-name-length-is-valid.patch
+Patch0405: 0405-zfs-Fix-possible-negative-shift-operation.patch
+Patch0406: 0406-zfs-Fix-resource-leaks-while-constructing-path.patch
+Patch0407: 0407-zfs-Fix-possible-integer-overflows.patch
+Patch0408: 0408-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
+Patch0409: 0409-affs-Fix-memory-leaks.patch
+Patch0410: 0410-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
+Patch0411: 0411-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
+Patch0412: 0412-syslinux-Fix-memory-leak-while-parsing.patch
+Patch0413: 0413-normal-completion-Fix-leaking-of-memory-when-process.patch
+Patch0414: 0414-commands-hashsum-Fix-a-memory-leak.patch
+Patch0415: 0415-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
+Patch0416: 0416-video-fb-fbfill-Fix-potential-integer-overflow.patch
+Patch0417: 0417-video-fb-video_fb-Fix-multiple-integer-overflows.patch
+Patch0418: 0418-video-fb-video_fb-Fix-possible-integer-overflow.patch
+Patch0419: 0419-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
+Patch0420: 0420-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
+Patch0421: 0421-loader-bsd-Check-for-NULL-arg-up-front.patch
+Patch0422: 0422-loader-xnu-Fix-memory-leak.patch
+Patch0423: 0423-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
+Patch0424: 0424-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
+Patch0425: 0425-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
+Patch0426: 0426-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
+Patch0427: 0427-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
+Patch0428: 0428-commands-ls-Require-device_name-is-not-NULL-before-p.patch
+Patch0429: 0429-script-execute-Avoid-crash-when-using-outside-a-func.patch
+Patch0430: 0430-lib-arg-Block-repeated-short-options-that-require-an.patch
+Patch0431: 0431-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch
+Patch0432: 0432-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
+Patch0433: 0433-kern-misc-Always-set-end-in-grub_strtoull.patch
+Patch0434: 0434-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
+Patch0435: 0435-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
+Patch0436: 0436-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
+Patch0437: 0437-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch
+Patch0438: 0438-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch
+Patch0439: 0439-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch
+Patch0440: 0440-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch
+Patch0441: 0441-fs-hfs-Disable-under-lockdown.patch
+Patch0442: 0442-fs-sfs-Fix-over-read-of-root-object-name.patch
+Patch0443: 0443-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch
+Patch0444: 0444-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch
+Patch0445: 0445-fs-jfs-Catch-infinite-recursion.patch
+Patch0446: 0446-fs-nilfs2-Reject-too-large-keys.patch
+Patch0447: 0447-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch
+Patch0448: 0448-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch
+Patch0449: 0449-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch
+Patch0450: 0450-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch
+Patch0451: 0451-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch
+Patch0452: 0452-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch
+Patch0453: 0453-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch
+Patch0454: 0454-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch
+Patch0455: 0455-disk-lvm-Bail-on-missing-PV-list.patch
+Patch0456: 0456-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch
+Patch0457: 0457-disk-lvm-Do-not-overread-metadata.patch
+Patch0458: 0458-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch
+Patch0459: 0459-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch
+Patch0460: 0460-kern-parser-Fix-a-memory-leak.patch
+Patch0461: 0461-kern-parser-Introduce-process_char-helper.patch
+Patch0462: 0462-kern-parser-Introduce-terminate_arg-helper.patch
+Patch0463: 0463-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
+Patch0464: 0464-kern-buffer-Add-variable-sized-heap-buffer.patch
+Patch0465: 0465-kern-parser-Fix-a-stack-buffer-overflow.patch
+Patch0466: 0466-kern-efi-Add-initial-stack-protector-implementation.patch
+Patch0467: 0467-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
+Patch0468: 0468-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
+Patch0469: 0469-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
+Patch0470: 0470-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
+Patch0471: 0471-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
+Patch0472: 0472-util-mkimage-Improve-data_size-value-calculation.patch
+Patch0473: 0473-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
+Patch0474: 0474-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
+Patch0475: 0475-kern-misc-Split-parse_printf_args-into-format-parsin.patch
+Patch0476: 0476-kern-misc-Add-STRING-type-for-internal-printf-format.patch
+Patch0477: 0477-kern-misc-Add-function-to-check-printf-format-agains.patch
+Patch0478: 0478-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch
+Patch0479: 0479-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
+Patch0480: 0480-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
new file mode 100644
index 0000000..4ff8b79
Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ
diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer
new file mode 100644
index 0000000..be0b5e2
Binary files /dev/null and b/SOURCES/redhatsecureboot502.cer differ
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in
new file mode 100755
index 0000000..24545c0
--- /dev/null
+++ b/SOURCES/sbat.csv.in
@@ -0,0 +1,3 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
+grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@VERSION@@,mail:secalert@redhat.com
\ No newline at end of file
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 87939de..86208d2 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
-Release: 97%{?dist}
+Release: 99%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -24,10 +24,11 @@ Source6: gitignore
Source8: strtoull_test.c
Source9: 20-grub.install
Source12: 99-grub-mkconfig.install
-Source13: centos-ca-secureboot.der
-Source14: centossecureboot001.der
-Source15: centossecurebootca2.der
-Source16: centossecureboot202.der
+Source13: redhatsecurebootca3.cer
+Source14: redhatsecureboot301.cer
+Source15: redhatsecurebootca5.cer
+Source16: redhatsecureboot502.cer
+Source17: sbat.csv.in
%include %{SOURCE1}
@@ -54,11 +55,7 @@ BuildRequires: pesign >= 0.99-8
BuildRequires: ccache
%endif
-%if 0%{?centos}
-%global efidir centos
-%endif
-
-ExcludeArch: s390 s390x
+ExcludeArch: s390 s390x %{arm}
Obsoletes: %{name} <= %{evr}
%if 0%{with_legacy_arch}
@@ -152,6 +149,8 @@ This subpackage provides tools for support of all platforms.
mkdir grub-%{grubefiarch}-%{tarversion}
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
+sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE17} \
+ > grub-%{grubefiarch}-%{tarversion}/sbat.csv
git add grub-%{grubefiarch}-%{tarversion}
%endif
%if 0%{with_alt_efi_arch}
@@ -170,10 +169,10 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
%endif
%if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}}
@@ -504,6 +503,26 @@ fi
%endif
%changelog
+* Thu Feb 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-99
+- Fix bug of grub2-install not checking for the SBAT option
+ Resolves: CVE-2020-14372
+ Resolves: CVE-2020-25632
+ Resolves: CVE-2020-25647
+ Resolves: CVE-2020-27749
+ Resolves: CVE-2020-27779
+ Resolves: CVE-2021-20225
+ Resolves: CVE-2021-20233
+
+* Thu Feb 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-98
+- Fix another batch of CVEs
+ Resolves: CVE-2020-14372
+ Resolves: CVE-2020-25632
+ Resolves: CVE-2020-25647
+ Resolves: CVE-2020-27749
+ Resolves: CVE-2020-27779
+ Resolves: CVE-2021-20225
+ Resolves: CVE-2021-20233
+
* Tue Feb 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-97
- Fix keylayouts module listed twice in GRUB_MODULES variable
Related: rhbz#1897587