kern/efi/mm: Change to keep track of map allocation size

Resolves: #RHEL-148310

Signed-off-by: Josue Hernandez <josherna@redhat.com>

0536-kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-t.patch

@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mate Kukri <mate.kukri@canonical.com>
+Date: Wed, 12 Jun 2024 16:10:49 +0100
+Subject: [PATCH] kern/efi/mm: Change grub_efi_mm_add_regions() to keep track
+ of map allocation size
+
+If the map was too big for the initial allocation, it was freed and replaced
+with a bigger one, but the free call still used the hard-coded size.
+
+Seems like this wasn't hit for a long time, because most firmware maps
+fit into 12K.
+
+This bug was triggered on Project Mu firmware with a big memory map, and
+results in the heap getting trashed and the firmware ASSERTING on
+corrupted heap guard values when GRUB exits.
+
+Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/mm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index b27e966e1..e31603c47 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -683,6 +683,7 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
+   grub_efi_memory_descriptor_t *memory_map_end;
+   grub_efi_memory_descriptor_t *filtered_memory_map;
+   grub_efi_memory_descriptor_t *filtered_memory_map_end;
++  grub_efi_uintn_t alloc_size;
+   grub_efi_uintn_t map_size;
+   grub_efi_uintn_t desc_size;
+   grub_err_t err;
+@@ -691,7 +692,8 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
+   grub_nx_init ();
+ 
+   /* Prepare a memory region to store two memory maps.  */
+-  memory_map = grub_efi_allocate_any_pages (2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE));
++  alloc_size = 2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE);
++  memory_map = grub_efi_allocate_any_pages (alloc_size);
+   if (! memory_map)
+     return grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate memory for memory map");
+ 
+@@ -702,14 +704,13 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
+ 
+   if (mm_status == 0)
+     {
+-      grub_efi_free_pages
+-	((grub_efi_physical_address_t) ((grub_addr_t) memory_map),
+-	 2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE));
++      grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t) memory_map, alloc_size);
+ 
+       /* Freeing/allocating operations may increase memory map size.  */
+       map_size += desc_size * 32;
+ 
+-      memory_map = grub_efi_allocate_any_pages (2 * BYTES_TO_PAGES (map_size));
++      alloc_size = 2 * BYTES_TO_PAGES (map_size);
++      memory_map = grub_efi_allocate_any_pages (alloc_size);
+       if (! memory_map)
+ 	return grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate memory for new memory map");
+ 
+@@ -753,8 +754,7 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
+ #endif
+ 
+   /* Release the memory maps.  */
+-  grub_efi_free_pages ((grub_addr_t) memory_map,
+-		       2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE));
++  grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t) memory_map, alloc_size);
+ 
+   return GRUB_ERR_NONE;
+ }

grub.patches

@@ -532,3 +532,4 @@ Patch0532: 0532-commands-usbtest-Use-correct-string-length-field.patch
 Patch0533: 0533-commands-usbtest-Ensure-string-length-is-sufficient-.patch
 Patch0534: 0534-util-grub-mkimagexx-Stop-generating-unaligned-append.patch
 Patch0535: 0535-grub-mkimage-Do-not-generate-empty-SBAT-metadata.patch
+Patch0536: 0536-kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-t.patch

grub2.spec

@@ -16,7 +16,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	125%{?dist}
+Release:	126%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -543,6 +543,10 @@ fi
 %endif
 
 %changelog
+* Mon Mar 09 2026 Josue Hernandez <josherna@redhat.com> 2.06-126
+- kern/efi/mm: Change grub_efi_mm_add_regions() to keep track of map allocation size
+- Resolves: #RHEL-148310
+
 * Thu Mar 05 2026 Nicolas Frayer <nfrayer@redhat.com> 2.06-125
 - ppc64le/sbat: Add an sbat CSV file for ppc64le
 - Resolves: #RHEL-146555