Fix several security issues about module unloading and file handling

Resolves: #RHEL-141594
Resolves: #CVE-2025-54771 #CVE-2025-61661
Resolves: #CVE-2025-61662 #CVE-2025-61663 #CVE-2025-61664
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>

0527-commands-test-Fix-error-in-recursion-depth-calculati.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Fri, 9 May 2025 13:51:08 +0200
+Subject: [PATCH] commands/test: Fix error in recursion depth calculation
+
+The commit c68b7d236 (commands/test: Stack overflow due to unlimited
+recursion depth) added recursion depth tests to the test command. But in
+the error case it decrements the pointer to the depth value instead of
+the value itself. Fix it.
+
+Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth)
+
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/test.c b/grub-core/commands/test.c
+index b585c3d70316..ee47ab2641a6 100644
+--- a/grub-core/commands/test.c
++++ b/grub-core/commands/test.c
+@@ -403,7 +403,7 @@ test_parse (char **args, int *argn, int argc, int *depth)
+ 	  if (++(*depth) > MAX_TEST_RECURSION_DEPTH)
+ 	    {
+ 	      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("max recursion depth exceeded"));
+-	      depth--;
++	      (*depth)--;
+ 	      return ctx.or || ctx.and;
+ 	    }
+ 

0528-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Wed, 7 May 2025 16:15:22 +0200
+Subject: [PATCH] kern/file: Call grub_dl_unref() after fs->fs_close()
+
+With commit 16f196874 (kern/file: Implement filesystem reference
+counting) files hold a reference to their file systems.
+
+When closing a file in grub_file_close() we should not expect
+file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
+So, grub_dl_unref() should be called after file->fs->fs_close().
+
+Fixes: CVE-2025-54771
+Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
+
+Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index fa73c045aa5e..55921e3f1e01 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -219,13 +219,13 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
+ grub_err_t
+ grub_file_close (grub_file_t file)
+ {
+-  if (file->fs->mod)
+-    grub_dl_unref (file->fs->mod);
+-
+   grub_dprintf ("file", "Closing `%s' ...\n", file->name);
+   if (file->fs->fs_close)
+     (file->fs->fs_close) (file);
+ 
++  if (file->fs->mod)
++    grub_dl_unref (file->fs->mod);
++
+   if (file->device)
+     grub_device_close (file->device);
+ 

0529-gettext-gettext-Unregister-gettext-command-on-module.patch

@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:06 +0000
+Subject: [PATCH] gettext/gettext: Unregister gettext command on module unload
+
+When the gettext module is loaded, the gettext command is registered but
+isn't unregistered when the module is unloaded. We need to add a call to
+grub_unregister_command() when unloading the module.
+
+Fixes: CVE-2025-61662
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gettext/gettext.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 0e51b5d28ad0..92e91b35e87f 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -509,6 +509,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
++static grub_command_t cmd;
++
+ GRUB_MOD_INIT (gettext)
+ {
+   const char *lang;
+@@ -528,13 +530,14 @@ GRUB_MOD_INIT (gettext)
+   grub_register_variable_hook ("locale_dir", NULL, read_main);
+   grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+ 
+-  grub_register_command_p1 ("gettext", grub_cmd_translate,
+-			    N_("STRING"),
+-			    /* TRANSLATORS: It refers to passing the string through gettext.
+-			       So it's "translate" in the same meaning as in what you're 
+-			       doing now.
+-			     */
+-			    N_("Translates the string with the current settings."));
++  cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
++				  N_("STRING"),
++				  /*
++				   * TRANSLATORS: It refers to passing the string through gettext.
++				   * So it's "translate" in the same meaning as in what you're
++				   * doing now.
++				   */
++				  N_("Translates the string with the current settings."));
+ 
+   /* Reload .mo file information if lang changes.  */
+   grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+@@ -551,6 +554,8 @@ GRUB_MOD_FINI (gettext)
+   grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+   grub_register_variable_hook ("lang", NULL, NULL);
+ 
++  grub_unregister_command (cmd);
++
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 

0530-normal-main-Unregister-commands-on-module-unload.patch

@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:07 +0000
+Subject: [PATCH] normal/main: Unregister commands on module unload
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/normal/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index c96b6609d516..b099b23eacbf 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -607,7 +607,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
+-static grub_command_t cmd_clear;
++static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+ 
+ static void (*grub_xputs_saved) (const char *str);
+ static const char *features[] = {
+@@ -649,10 +649,10 @@ GRUB_MOD_INIT(normal)
+   grub_env_export ("pager");
+ 
+   /* Register a command "normal" for the rescue mode.  */
+-  grub_register_command ("normal", grub_cmd_normal,
+-			 0, N_("Enter normal mode."));
+-  grub_register_command ("normal_exit", grub_cmd_normal_exit,
+-			 0, N_("Exit from normal mode."));
++  cmd_normal = grub_register_command ("normal", grub_cmd_normal,
++				      0, N_("Enter normal mode."));
++  cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
++					   0, N_("Exit from normal mode."));
+ 
+   /* Reload terminal colors when these variables are written to.  */
+   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+@@ -694,4 +694,6 @@ GRUB_MOD_FINI(normal)
+   grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
++  grub_unregister_command (cmd_normal);
++  grub_unregister_command (cmd_normal_exit);
+ }

0531-tests-lib-functional_test-Unregister-commands-on-mod.patch

@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:08 +0000
+Subject: [PATCH] tests/lib/functional_test: Unregister commands on module
+ unload
+
+When the functional_test module is loaded, both the functional_test and
+all_functional_test commands are registered but only the all_functional_test
+command is being unregistered since it was the last to set the cmd variable
+that gets unregistered when the module is unloaded. To unregister both
+commands, we need to create an additional grub_extcmd_t variable.
+
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/tests/lib/functional_test.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
+index 403fa5c789ab..31b6b5dab350 100644
+--- a/grub-core/tests/lib/functional_test.c
++++ b/grub-core/tests/lib/functional_test.c
+@@ -90,17 +90,18 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+   return GRUB_ERR_NONE;
+ }
+ 
+-static grub_extcmd_t cmd;
++static grub_extcmd_t cmd, cmd_all;
+ 
+ GRUB_MOD_INIT (functional_test)
+ {
+   cmd = grub_register_extcmd ("functional_test", grub_functional_test, 0, 0,
+ 			      "Run all loaded functional tests.", 0);
+-  cmd = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
+-			      "Run all functional tests.", 0);
++  cmd_all = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
++				  "Run all functional tests.", 0);
+ }
+ 
+ GRUB_MOD_FINI (functional_test)
+ {
+   grub_unregister_extcmd (cmd);
++  grub_unregister_extcmd (cmd_all);
+ }

0532-commands-usbtest-Use-correct-string-length-field.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jamie <volticks@gmail.com>
+Date: Mon, 14 Jul 2025 09:52:59 +0100
+Subject: [PATCH] commands/usbtest: Use correct string length field
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+
+Reported-by: Jamie <volticks@gmail.com>
+Signed-off-by: Jamie <volticks@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 2c6d93fe66d5..8ef187a9ae76 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+       return GRUB_USB_ERR_NONE;
+     }
+ 
+-  *string = grub_malloc (descstr.length * 2 + 1);
++  *string = grub_malloc (descstrp->length * 2 + 1);
+   if (! *string)
+     {
+       grub_free (descstrp);

0533-commands-usbtest-Ensure-string-length-is-sufficient-.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jamie <volticks@gmail.com>
+Date: Mon, 14 Jul 2025 10:07:47 +0100
+Subject: [PATCH] commands/usbtest: Ensure string length is sufficient in usb
+ string processing
+
+If descstrp->length is less than 2 this will result in underflow in
+"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
+value is sufficient.
+
+Signed-off-by: Jamie <volticks@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 8ef187a9ae76..3184ac9afd37 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -90,7 +90,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+ 			      0x06, (3 << 8) | index,
+ 			      langid, descstr.length, (char *) descstrp);
+ 
+-  if (descstrp->length == 0)
++  if (descstrp->length < 2)
+     {
+       grub_free (descstrp);
+       *string = grub_strdup ("");

grub.patches

@@ -523,3 +523,10 @@ Patch0523: 0523-Appended-sig-Fix-build.patch
 Patch0524: 0524-docs-fix-some-duplicated-sections.patch
 Patch0525: 0525-mkimage-Remove-duplicates.patch
 Patch0526: 0526-appendedsig-Fix-grub-mkimage-with-an-unaligned-appen.patch
+Patch0527: 0527-commands-test-Fix-error-in-recursion-depth-calculati.patch
+Patch0528: 0528-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
+Patch0529: 0529-gettext-gettext-Unregister-gettext-command-on-module.patch
+Patch0530: 0530-normal-main-Unregister-commands-on-module-unload.patch
+Patch0531: 0531-tests-lib-functional_test-Unregister-commands-on-mod.patch
+Patch0532: 0532-commands-usbtest-Use-correct-string-length-field.patch
+Patch0533: 0533-commands-usbtest-Ensure-string-length-is-sufficient-.patch

grub2.spec

@@ -16,7 +16,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	121%{?dist}
+Release:	122%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -538,6 +538,12 @@ fi
 %endif
 
 %changelog
+* Wed Feb 04 2026 Nicolas Frayer <nfrayer@redhat.com> 2.06-122
+- Fix several security issues about module unloading and file handling
+- Resolved: #RHEL-141594
+- Resolves: #CVE-2025-54771 #CVE-2025-61661
+- Resolves: #CVE-2025-61662 #CVE-2025-61663 #CVE-2025-61664
+
 * Fri Dec 05 2025 Leo Sandoval <lsandova@redhat.com> 2.06-121
 - rpminspect: disable abidiff inspections
 - Resolves: #RHEL-106446