import grub2-2.02-90.el8_3.1

This commit is contained in:
CentOS Sources 2021-03-02 13:56:20 -05:00 committed by Andrew Lukoshko
parent d0cbb56535
commit fa384bc6b3
147 changed files with 8020 additions and 273 deletions

View File

@ -1,7 +1,7 @@
From 0bde74dcdf9de128317a28796e2690f92214db0d Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Wed, 15 Apr 2020 15:45:02 -0400 Date: Wed, 15 Apr 2020 15:45:02 -0400
Subject: [PATCH 281/314] yylex: Make lexer fatal errors actually be fatal Subject: [PATCH] yylex: Make lexer fatal errors actually be fatal
When presented with a command that can't be tokenized to anything When presented with a command that can't be tokenized to anything
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
@ -65,6 +65,3 @@ index 7b44c37b76f..b7203c82309 100644
} while (0) } while (0)
#define COPY(str, hint) \ #define COPY(str, hint) \
--
2.26.2

View File

@ -1,8 +1,8 @@
From 42b76ec749c30cb11cad7c070d0b03a7d4f1f7d6 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 10:58:42 -0400 Date: Mon, 15 Jun 2020 10:58:42 -0400
Subject: [PATCH 282/314] safemath: Add some arithmetic primitives that check Subject: [PATCH] safemath: Add some arithmetic primitives that check for
for overflow overflow
This adds a new header, include/grub/safemath.h, that includes easy to This adds a new header, include/grub/safemath.h, that includes easy to
use wrappers for __builtin_{add,sub,mul}_overflow() declared like: use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
@ -122,6 +122,3 @@ index f3c20edc844..f8bd9116480 100644
* GNU Make * GNU Make
* GNU Bison 2.3 or later * GNU Bison 2.3 or later
* GNU gettext 0.17 or later * GNU gettext 0.17 or later
--
2.26.2

View File

@ -1,7 +1,7 @@
From 832189364ee0c85a94f670952c951252e54d3d1c Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 12:15:29 -0400 Date: Mon, 15 Jun 2020 12:15:29 -0400
Subject: [PATCH 283/314] calloc: Make sure we always have an overflow-checking Subject: [PATCH] calloc: Make sure we always have an overflow-checking
calloc() available calloc() available
This tries to make sure that everywhere in this source tree, we always have This tries to make sure that everywhere in this source tree, we always have
@ -13,13 +13,13 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream-commit-id: 79e51ab7a9a Upstream-commit-id: 79e51ab7a9a
--- ---
grub-core/kern/emu/misc.c | 12 +++++++++ grub-core/kern/emu/misc.c | 12 ++++++++++++
grub-core/kern/emu/mm.c | 10 ++++++++ grub-core/kern/emu/mm.c | 10 ++++++++++
grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++ grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++
grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++-- grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
grub-core/lib/posix_wrap/stdlib.h | 8 +++++- grub-core/lib/posix_wrap/stdlib.h | 8 +++++++-
include/grub/emu/misc.h | 1 + include/grub/emu/misc.h | 1 +
include/grub/mm.h | 6 +++++ include/grub/mm.h | 6 ++++++
7 files changed, 85 insertions(+), 3 deletions(-) 7 files changed, 85 insertions(+), 3 deletions(-)
diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
@ -238,6 +238,3 @@ index 28e2e53eb32..9c38dd3ca5d 100644
void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line, void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
grub_size_t size); grub_size_t size);
void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line, void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
--
2.26.2

View File

@ -1,7 +1,7 @@
From 778ddaeac8a8a821f6844ec8b8c404d0e437991f Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 12:26:01 -0400 Date: Mon, 15 Jun 2020 12:26:01 -0400
Subject: [PATCH 284/314] calloc: Use calloc() at most places Subject: [PATCH] calloc: Use calloc() at most places
This modifies most of the places we do some form of: This modifies most of the places we do some form of:
@ -23,91 +23,91 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream-commit-id: 48eeedf1e4b Upstream-commit-id: 48eeedf1e4b
--- ---
grub-core/bus/usb/usbhub.c | 8 ++-- grub-core/bus/usb/usbhub.c | 8 +++---
grub-core/commands/efi/lsefisystab.c | 3 +- grub-core/commands/efi/lsefisystab.c | 3 ++-
grub-core/commands/legacycfg.c | 6 +-- grub-core/commands/legacycfg.c | 6 ++---
grub-core/commands/menuentry.c | 2 +- grub-core/commands/menuentry.c | 2 +-
grub-core/commands/nativedisk.c | 2 +- grub-core/commands/nativedisk.c | 2 +-
grub-core/commands/parttool.c | 12 ++++-- grub-core/commands/parttool.c | 12 ++++++---
grub-core/commands/regexp.c | 2 +- grub-core/commands/regexp.c | 2 +-
grub-core/commands/search_wrap.c | 2 +- grub-core/commands/search_wrap.c | 2 +-
grub-core/disk/diskfilter.c | 4 +- grub-core/disk/diskfilter.c | 4 +--
grub-core/disk/ieee1275/ofdisk.c | 2 +- grub-core/disk/ieee1275/ofdisk.c | 2 +-
grub-core/disk/ldm.c | 14 +++---- grub-core/disk/ldm.c | 14 +++++-----
grub-core/disk/luks.c | 2 +- grub-core/disk/luks.c | 2 +-
grub-core/disk/lvm.c | 8 ++-- grub-core/disk/lvm.c | 8 +++---
grub-core/disk/xen/xendisk.c | 2 +- grub-core/disk/xen/xendisk.c | 2 +-
grub-core/efiemu/loadcore.c | 2 +- grub-core/efiemu/loadcore.c | 2 +-
grub-core/efiemu/mm.c | 6 +-- grub-core/efiemu/mm.c | 6 ++---
grub-core/font/font.c | 3 +- grub-core/font/font.c | 3 +--
grub-core/fs/affs.c | 6 +-- grub-core/fs/affs.c | 6 ++---
grub-core/fs/btrfs.c | 4 +- grub-core/fs/btrfs.c | 4 +--
grub-core/fs/hfs.c | 2 +- grub-core/fs/hfs.c | 2 +-
grub-core/fs/hfsplus.c | 45 +++++++++++++++-------- grub-core/fs/hfsplus.c | 45 ++++++++++++++++++++-----------
grub-core/fs/iso9660.c | 2 +- grub-core/fs/iso9660.c | 2 +-
grub-core/fs/ntfs.c | 4 +- grub-core/fs/ntfs.c | 4 +--
grub-core/fs/sfs.c | 2 +- grub-core/fs/sfs.c | 2 +-
grub-core/fs/tar.c | 2 +- grub-core/fs/tar.c | 2 +-
grub-core/fs/udf.c | 4 +- grub-core/fs/udf.c | 4 +--
grub-core/fs/zfs/zfs.c | 4 +- grub-core/fs/zfs/zfs.c | 4 +--
grub-core/gfxmenu/gui_string_util.c | 2 +- grub-core/gfxmenu/gui_string_util.c | 2 +-
grub-core/gfxmenu/widget-box.c | 4 +- grub-core/gfxmenu/widget-box.c | 4 +--
grub-core/io/gzio.c | 2 +- grub-core/io/gzio.c | 2 +-
grub-core/kern/efi/efi.c | 33 ++++++++++++++--- grub-core/kern/efi/efi.c | 33 ++++++++++++++++++-----
grub-core/kern/emu/hostdisk.c | 2 +- grub-core/kern/emu/hostdisk.c | 2 +-
grub-core/kern/fs.c | 2 +- grub-core/kern/fs.c | 2 +-
grub-core/kern/misc.c | 2 +- grub-core/kern/misc.c | 2 +-
grub-core/kern/parser.c | 2 +- grub-core/kern/parser.c | 2 +-
grub-core/kern/uboot/uboot.c | 2 +- grub-core/kern/uboot/uboot.c | 2 +-
grub-core/lib/libgcrypt/cipher/ac.c | 8 ++-- grub-core/lib/libgcrypt/cipher/ac.c | 8 +++---
grub-core/lib/libgcrypt/cipher/primegen.c | 4 +- grub-core/lib/libgcrypt/cipher/primegen.c | 4 +--
grub-core/lib/libgcrypt/cipher/pubkey.c | 4 +- grub-core/lib/libgcrypt/cipher/pubkey.c | 4 +--
grub-core/lib/priority_queue.c | 2 +- grub-core/lib/priority_queue.c | 2 +-
grub-core/lib/reed_solomon.c | 7 ++-- grub-core/lib/reed_solomon.c | 7 +++--
grub-core/lib/relocator.c | 10 ++--- grub-core/lib/relocator.c | 10 +++----
grub-core/loader/arm/linux.c | 2 +- grub-core/loader/arm/linux.c | 2 +-
grub-core/loader/efi/chainloader.c | 11 ++++-- grub-core/loader/efi/chainloader.c | 11 +++++---
grub-core/loader/i386/bsdXX.c | 2 +- grub-core/loader/i386/bsdXX.c | 2 +-
grub-core/loader/i386/xnu.c | 4 +- grub-core/loader/i386/xnu.c | 4 +--
grub-core/loader/macho.c | 2 +- grub-core/loader/macho.c | 2 +-
grub-core/loader/multiboot_elfxx.c | 2 +- grub-core/loader/multiboot_elfxx.c | 2 +-
grub-core/loader/xnu.c | 2 +- grub-core/loader/xnu.c | 2 +-
grub-core/mmap/mmap.c | 4 +- grub-core/mmap/mmap.c | 4 +--
grub-core/net/bootp.c | 2 +- grub-core/net/bootp.c | 2 +-
grub-core/net/dns.c | 10 ++--- grub-core/net/dns.c | 10 +++----
grub-core/net/net.c | 4 +- grub-core/net/net.c | 4 +--
grub-core/normal/charset.c | 10 ++--- grub-core/normal/charset.c | 10 +++----
grub-core/normal/cmdline.c | 14 +++---- grub-core/normal/cmdline.c | 14 +++++-----
grub-core/normal/menu_entry.c | 14 +++---- grub-core/normal/menu_entry.c | 14 +++++-----
grub-core/normal/menu_text.c | 4 +- grub-core/normal/menu_text.c | 4 +--
grub-core/normal/term.c | 4 +- grub-core/normal/term.c | 4 +--
grub-core/osdep/linux/getroot.c | 6 +-- grub-core/osdep/linux/getroot.c | 6 ++---
grub-core/osdep/unix/config.c | 2 +- grub-core/osdep/unix/config.c | 2 +-
grub-core/osdep/windows/getroot.c | 2 +- grub-core/osdep/windows/getroot.c | 2 +-
grub-core/osdep/windows/hostdisk.c | 4 +- grub-core/osdep/windows/hostdisk.c | 4 +--
grub-core/osdep/windows/init.c | 2 +- grub-core/osdep/windows/init.c | 2 +-
grub-core/osdep/windows/platform.c | 4 +- grub-core/osdep/windows/platform.c | 4 +--
grub-core/osdep/windows/relpath.c | 2 +- grub-core/osdep/windows/relpath.c | 2 +-
grub-core/partmap/gpt.c | 2 +- grub-core/partmap/gpt.c | 2 +-
grub-core/partmap/msdos.c | 2 +- grub-core/partmap/msdos.c | 2 +-
grub-core/script/execute.c | 2 +- grub-core/script/execute.c | 2 +-
grub-core/tests/fake_input.c | 2 +- grub-core/tests/fake_input.c | 2 +-
grub-core/tests/video_checksum.c | 6 +-- grub-core/tests/video_checksum.c | 6 ++---
grub-core/video/capture.c | 2 +- grub-core/video/capture.c | 2 +-
grub-core/video/emu/sdl.c | 2 +- grub-core/video/emu/sdl.c | 2 +-
grub-core/video/i386/pc/vga.c | 2 +- grub-core/video/i386/pc/vga.c | 2 +-
grub-core/video/readers/png.c | 2 +- grub-core/video/readers/png.c | 2 +-
util/getroot.c | 2 +- util/getroot.c | 2 +-
util/grub-file.c | 2 +- util/grub-file.c | 2 +-
util/grub-fstest.c | 4 +- util/grub-fstest.c | 4 +--
util/grub-install-common.c | 2 +- util/grub-install-common.c | 2 +-
util/grub-install.c | 4 +- util/grub-install.c | 4 +--
util/grub-mkimagexx.c | 6 +-- util/grub-mkimagexx.c | 6 ++---
util/grub-mkrescue.c | 4 +- util/grub-mkrescue.c | 4 +--
util/grub-mkstandalone.c | 2 +- util/grub-mkstandalone.c | 2 +-
util/grub-pe2elf.c | 12 +++--- util/grub-pe2elf.c | 12 ++++-----
util/grub-probe.c | 4 +- util/grub-probe.c | 4 +--
include/grub/unicode.h | 4 +- include/grub/unicode.h | 4 +--
85 files changed, 231 insertions(+), 191 deletions(-) 85 files changed, 231 insertions(+), 191 deletions(-)
diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
@ -1940,6 +1940,3 @@ index a0403e91f9a..4de986a8576 100644
if (!out->combining_ptr) if (!out->combining_ptr)
return; return;
grub_memcpy (out->combining_ptr, in->combining_ptr, grub_memcpy (out->combining_ptr, in->combining_ptr,
--
2.26.2

View File

@ -1,8 +1,8 @@
From 05c062003cff8dbbf1b394fa836378e88522e29c Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 12:28:27 -0400 Date: Mon, 15 Jun 2020 12:28:27 -0400
Subject: [PATCH 285/314] malloc: Use overflow checking primitives where we do Subject: [PATCH] malloc: Use overflow checking primitives where we do complex
complex allocations allocations
This attempts to fix the places where we do the following where This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data: arithmetic_expr may include unvalidated data:
@ -30,29 +30,29 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream-commit-id: 5fb2befbf04 Upstream-commit-id: 5fb2befbf04
--- ---
grub-core/commands/legacycfg.c | 29 +++++++++++++++---- grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
grub-core/commands/wildcard.c | 36 ++++++++++++++++++++---- grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
grub-core/disk/ldm.c | 32 +++++++++++++++------ grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
grub-core/font/font.c | 7 ++++- grub-core/font/font.c | 7 +++++-
grub-core/fs/btrfs.c | 29 +++++++++++++------ grub-core/fs/btrfs.c | 29 ++++++++++++++++--------
grub-core/fs/ext2.c | 10 ++++++- grub-core/fs/ext2.c | 10 ++++++++-
grub-core/fs/iso9660.c | 51 ++++++++++++++++++++++++---------- grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
grub-core/fs/sfs.c | 27 ++++++++++++++---- grub-core/fs/sfs.c | 27 +++++++++++++++++-----
grub-core/fs/squash4.c | 45 ++++++++++++++++++++++-------- grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
grub-core/fs/udf.c | 41 +++++++++++++++++---------- grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
grub-core/fs/xfs.c | 11 +++++--- grub-core/fs/xfs.c | 11 +++++----
grub-core/fs/zfs/zfs.c | 22 ++++++++++----- grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
grub-core/fs/zfs/zfscrypt.c | 7 ++++- grub-core/fs/zfs/zfscrypt.c | 7 +++++-
grub-core/lib/arg.c | 20 +++++++++++-- grub-core/lib/arg.c | 20 +++++++++++++++--
grub-core/loader/i386/bsd.c | 8 +++++- grub-core/loader/i386/bsd.c | 8 ++++++-
grub-core/net/dns.c | 9 +++++- grub-core/net/dns.c | 9 +++++++-
grub-core/normal/charset.c | 10 +++++-- grub-core/normal/charset.c | 10 +++++++--
grub-core/normal/cmdline.c | 14 ++++++++-- grub-core/normal/cmdline.c | 14 ++++++++++--
grub-core/normal/menu_entry.c | 13 +++++++-- grub-core/normal/menu_entry.c | 13 +++++++++--
grub-core/script/argv.c | 16 +++++++++-- grub-core/script/argv.c | 16 +++++++++++--
grub-core/script/lexer.c | 21 ++++++++++++-- grub-core/script/lexer.c | 21 ++++++++++++++---
grub-core/video/bitmap.c | 25 +++++++++++------ grub-core/video/bitmap.c | 25 +++++++++++++--------
grub-core/video/readers/png.c | 13 +++++++-- grub-core/video/readers/png.c | 13 +++++++++--
23 files changed, 383 insertions(+), 113 deletions(-) 23 files changed, 383 insertions(+), 113 deletions(-)
diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
@ -1318,6 +1318,3 @@ index e85df3c1b04..719e647e44f 100644
#ifndef GRUB_CPU_WORDS_BIGENDIAN #ifndef GRUB_CPU_WORDS_BIGENDIAN
if (data->is_16bit || data->is_gray || data->is_palette) if (data->is_16bit || data->is_gray || data->is_palette)
--
2.26.2

View File

@ -1,7 +1,7 @@
From c37e76df9c58c3f170e838c42527ef8544bf4468 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sat, 4 Jul 2020 12:25:09 -0400 Date: Sat, 4 Jul 2020 12:25:09 -0400
Subject: [PATCH 286/314] iso9660: Don't leak memory on realloc() failures Subject: [PATCH] iso9660: Don't leak memory on realloc() failures
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
@ -64,6 +64,3 @@ index f45841e2b47..6fc9302bce3 100644
/* In pos + 1 the length of the `Component Record' is /* In pos + 1 the length of the `Component Record' is
stored. */ stored. */
pos += entry->data[pos + 1] + 2; pos += entry->data[pos + 1] + 2;
--
2.26.2

View File

@ -1,7 +1,7 @@
From 0b3c4b90e1b928a2606f0801e6e872dd6cb85c42 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com> From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Tue, 7 Jul 2020 15:36:26 +0200 Date: Tue, 7 Jul 2020 15:36:26 +0200
Subject: [PATCH 287/314] font: Do not load more than one NAME section Subject: [PATCH] font: Do not load more than one NAME section
The GRUB font file can have one NAME section only. Though if somebody The GRUB font file can have one NAME section only. Though if somebody
crafts a broken font file with many NAME sections and loads it then the crafts a broken font file with many NAME sections and loads it then the
@ -33,6 +33,3 @@ index d63354fb51b..a7b955a1a74 100644
font->name = read_section_as_string (&section); font->name = read_section_as_string (&section);
if (!font->name) if (!font->name)
goto fail; goto fail;
--
2.26.2

View File

@ -1,7 +1,7 @@
From 583a48bca23f7c4e0d691f0e6d065dac61bbfca1 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com> From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 8 Jul 2020 20:41:56 +0000 Date: Wed, 8 Jul 2020 20:41:56 +0000
Subject: [PATCH 288/314] gfxmenu: Fix double free in load_image() Subject: [PATCH] gfxmenu: Fix double free in load_image()
self->bitmap should be zeroed after free. Otherwise, there is a chance self->bitmap should be zeroed after free. Otherwise, there is a chance
to double free (USE_AFTER_FREE) it later in rescale_image(). to double free (USE_AFTER_FREE) it later in rescale_image().
@ -31,6 +31,3 @@ index 29784ed2d9a..6b2e976f16e 100644
if (self->raw_bitmap) if (self->raw_bitmap)
grub_video_bitmap_destroy (self->raw_bitmap); grub_video_bitmap_destroy (self->raw_bitmap);
--
2.26.2

View File

@ -1,8 +1,7 @@
From 301523f584d9aa624424c68ab3f085a9b7eca417 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com> From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 8 Jul 2020 21:30:43 +0000 Date: Wed, 8 Jul 2020 21:30:43 +0000
Subject: [PATCH 289/314] xnu: Fix double free in Subject: [PATCH] xnu: Fix double free in grub_xnu_devprop_add_property()
grub_xnu_devprop_add_property()
grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get
allocated and freed in the caller. allocated and freed in the caller.
@ -52,6 +51,3 @@ index ee0eaadc4ee..c760db30fc0 100644
grub_list_push (GRUB_AS_LIST_P (&dev->properties), grub_list_push (GRUB_AS_LIST_P (&dev->properties),
GRUB_AS_LIST (prop)); GRUB_AS_LIST (prop));
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
--
2.26.2

View File

@ -1,7 +1,7 @@
From 656e3376d52c7244edac9264454c0fadac835749 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Thu, 9 Jul 2020 03:05:23 +0000 Date: Thu, 9 Jul 2020 03:05:23 +0000
Subject: [PATCH 290/314] lzma: Make sure we don't dereference past array Subject: [PATCH] lzma: Make sure we don't dereference past array
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
using the GetLenToPosState() macro which checks if len is less than 5, using the GetLenToPosState() macro which checks if len is less than 5,
@ -47,6 +47,3 @@ index f2ec04a8c28..753e56a95e3 100644
if (posSlot >= kStartPosModelIndex) if (posSlot >= kStartPosModelIndex)
{ {
--
2.26.2

View File

@ -1,7 +1,7 @@
From 6df814d4f43a47ffe2b354b9fa683ed4022fa5f1 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Tue, 7 Jul 2020 15:12:25 -0400 Date: Tue, 7 Jul 2020 15:12:25 -0400
Subject: [PATCH 291/314] term: Fix overflow on user inputs Subject: [PATCH] term: Fix overflow on user inputs
This requires a very weird input from the serial interface but can cause This requires a very weird input from the serial interface but can cause
an overflow in input_buf (keys) overwriting the next variable (npending) an overflow in input_buf (keys) overwriting the next variable (npending)
@ -61,6 +61,3 @@ index 537a5c0cb0b..44d0b3b19fb 100644
#if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275) #if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)
if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC
--
2.26.2

View File

@ -1,7 +1,7 @@
From 1864839f0e0eeb2b93a5b20e4e36f9b80abc3c23 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Tue, 7 Jul 2020 22:02:31 -0400 Date: Tue, 7 Jul 2020 22:02:31 -0400
Subject: [PATCH 292/314] udf: Fix memory leak Subject: [PATCH] udf: Fix memory leak
Fixes: CID 73796 Fixes: CID 73796
@ -51,6 +51,3 @@ index be41b48f913..6670beb5665 100644
if (filename && hook (filename, type, child, hook_data)) if (filename && hook (filename, type, child, hook_data))
{ {
--
2.26.2

View File

@ -1,8 +1,8 @@
From 9b970d31434e3fd6a8de36a6adef5cc721b265a8 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Fri, 26 Jun 2020 10:51:43 -0400 Date: Fri, 26 Jun 2020 10:51:43 -0400
Subject: [PATCH 293/314] multiboot2: Fix memory leak if Subject: [PATCH] multiboot2: Fix memory leak if grub_create_loader_cmdline()
grub_create_loader_cmdline() fails fails
Fixes: CID 292468 Fixes: CID 292468
@ -42,6 +42,3 @@ index 54078455e2f..872dcd42e97 100644
if (modules_last) if (modules_last)
modules_last->next = newmod; modules_last->next = newmod;
--
2.26.2

View File

@ -1,7 +1,7 @@
From 0ecb57c7bc38cb5de4a1b23909203a3331f5c84b Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com> From: Alexey Makhalov <amakhalov@vmware.com>
Date: Thu, 9 Jul 2020 08:10:40 +0000 Date: Thu, 9 Jul 2020 08:10:40 +0000
Subject: [PATCH 294/314] tftp: Do not use priority queue Subject: [PATCH] tftp: Do not use priority queue
There is not need to reassemble the order of blocks. Per RFC 1350, There is not need to reassemble the order of blocks. Per RFC 1350,
server must wait for the ACK, before sending next block. Data packets server must wait for the ACK, before sending next block. Data packets
@ -31,7 +31,7 @@ Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream-commit-id: 8316694c4f7 Upstream-commit-id: 8316694c4f7
--- ---
grub-core/net/tftp.c | 174 ++++++++++++++----------------------------- grub-core/net/tftp.c | 174 ++++++++++++++++-----------------------------------
1 file changed, 54 insertions(+), 120 deletions(-) 1 file changed, 54 insertions(+), 120 deletions(-)
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
@ -284,6 +284,3 @@ index e267af354f4..79c16f9b041 100644
grub_free (data); grub_free (data);
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
} }
--
2.26.2

View File

@ -1,8 +1,8 @@
From 320fe69ffff39f90169f793402de4d4223a1a64c Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com> From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 15 Jul 2020 06:42:37 +0000 Date: Wed, 15 Jul 2020 06:42:37 +0000
Subject: [PATCH 295/314] relocator: Protect grub_relocator_alloc_chunk_addr() Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr() input
input args against integer underflow/overflow args against integer underflow/overflow
Use arithmetic macros from safemath.h to accomplish it. In this commit, Use arithmetic macros from safemath.h to accomplish it. In this commit,
I didn't want to be too paranoid to check every possible math equation I didn't want to be too paranoid to check every possible math equation
@ -145,6 +145,3 @@ index dc7d5409e1e..2bf02489bad 100644
grub_xnu_heap_size += size; grub_xnu_heap_size += size;
grub_dprintf ("xnu", "val=%p\n", *src); grub_dprintf ("xnu", "val=%p\n", *src);
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
--
2.26.2

View File

@ -1,7 +1,7 @@
From 93d697a46b43ee13e0343c79777af5ce23c313b7 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com> From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 8 Jul 2020 01:44:38 +0000 Date: Wed, 8 Jul 2020 01:44:38 +0000
Subject: [PATCH 296/314] relocator: Protect grub_relocator_alloc_chunk_align() Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_align()
max_addr against integer underflow max_addr against integer underflow
This commit introduces integer underflow mitigation in max_addr calculation This commit introduces integer underflow mitigation in max_addr calculation
@ -20,7 +20,7 @@ Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream-commit-id: 10498c8ba17 Upstream-commit-id: 10498c8ba17
--- ---
grub-core/lib/i386/relocator.c | 28 ++++++++++---------------- grub-core/lib/i386/relocator.c | 28 +++++++++++-----------------
grub-core/lib/mips/relocator.c | 6 ++---- grub-core/lib/mips/relocator.c | 6 ++----
grub-core/lib/powerpc/relocator.c | 6 ++---- grub-core/lib/powerpc/relocator.c | 6 ++----
grub-core/lib/x86_64/efi/relocator.c | 7 +++---- grub-core/lib/x86_64/efi/relocator.c | 7 +++----
@ -29,10 +29,10 @@ Upstream-commit-id: 10498c8ba17
grub-core/loader/i386/pc/linux.c | 6 ++---- grub-core/loader/i386/pc/linux.c | 6 ++----
grub-core/loader/mips/linux.c | 9 +++------ grub-core/loader/mips/linux.c | 9 +++------
grub-core/loader/multiboot.c | 2 +- grub-core/loader/multiboot.c | 2 +-
grub-core/loader/multiboot_elfxx.c | 10 ++++----- grub-core/loader/multiboot_elfxx.c | 10 +++++-----
grub-core/loader/multiboot_mbi2.c | 10 ++++----- grub-core/loader/multiboot_mbi2.c | 10 +++++-----
grub-core/loader/xnu_resume.c | 2 +- grub-core/loader/xnu_resume.c | 2 +-
include/grub/relocator.h | 29 +++++++++++++++++++++++++++ include/grub/relocator.h | 29 +++++++++++++++++++++++++++++
13 files changed, 69 insertions(+), 58 deletions(-) 13 files changed, 69 insertions(+), 58 deletions(-)
diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c
@ -333,6 +333,3 @@ index 24d8672d22c..1b3bdd92ac6 100644
#define GRUB_RELOCATOR_PREFERENCE_NONE 0 #define GRUB_RELOCATOR_PREFERENCE_NONE 0
#define GRUB_RELOCATOR_PREFERENCE_LOW 1 #define GRUB_RELOCATOR_PREFERENCE_LOW 1
#define GRUB_RELOCATOR_PREFERENCE_HIGH 2 #define GRUB_RELOCATOR_PREFERENCE_HIGH 2
--
2.26.2

View File

@ -1,8 +1,7 @@
From 19d627a430f6917afeee167daa9190d1ec83d7b7 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com> From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 10 Jul 2020 11:21:14 +0100 Date: Fri, 10 Jul 2020 11:21:14 +0100
Subject: [PATCH 297/314] script: Remove unused fields from Subject: [PATCH] script: Remove unused fields from grub_script_function struct
grub_script_function struct
Signed-off-by: Chris Coulson <chris.coulson@canonical.com> Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
@ -29,6 +28,3 @@ index 360c2be1f05..b382bcf09bc 100644
}; };
typedef struct grub_script_function *grub_script_function_t; typedef struct grub_script_function *grub_script_function_t;
--
2.26.2

View File

@ -1,8 +1,8 @@
From c1de65c0e3d630f33160d34e1e85925f01966b0d Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com> From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 10 Jul 2020 14:41:45 +0100 Date: Fri, 10 Jul 2020 14:41:45 +0100
Subject: [PATCH 298/314] script: Avoid a use-after-free when redefining a Subject: [PATCH] script: Avoid a use-after-free when redefining a function
function during execution during execution
Defining a new function with the same name as a previously defined Defining a new function with the same name as a previously defined
function causes the grub_script and associated resources for the function causes the grub_script and associated resources for the
@ -103,6 +103,3 @@ index 4f0ab8319e3..f80b86b6f15 100644
} }
state->scripts = $<scripts>3; state->scripts = $<scripts>3;
--
2.26.2

View File

@ -1,8 +1,8 @@
From 7de922a99acd0521b99cd0dd81fe62643ce734a5 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com> From: Alexey Makhalov <amakhalov@vmware.com>
Date: Fri, 17 Jul 2020 05:17:26 +0000 Date: Fri, 17 Jul 2020 05:17:26 +0000
Subject: [PATCH 299/314] relocator: Fix grub_relocator_alloc_chunk_align() top Subject: [PATCH] relocator: Fix grub_relocator_alloc_chunk_align() top memory
memory allocation allocation
Current implementation of grub_relocator_alloc_chunk_align() Current implementation of grub_relocator_alloc_chunk_align()
does not allow allocation of the top byte. does not allow allocation of the top byte.
@ -41,6 +41,3 @@ index 5847aac3643..f2c1944c28d 100644
#ifdef GRUB_MACHINE_PCBIOS #ifdef GRUB_MACHINE_PCBIOS
if (min_addr < 0x1000) if (min_addr < 0x1000)
--
2.26.2

View File

@ -1,7 +1,7 @@
From 3a60f2bfd8ab98484a7d8ba52748795f7b225ddc Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 14:43:31 -0400 Date: Sun, 19 Jul 2020 14:43:31 -0400
Subject: [PATCH 300/314] hfsplus: fix two more overflows Subject: [PATCH] hfsplus: fix two more overflows
Both node->size and node->namelen come from the supplied filesystem, Both node->size and node->namelen come from the supplied filesystem,
which may be user-supplied. We can't trust them for the math unless we which may be user-supplied. We can't trust them for the math unless we
@ -52,6 +52,3 @@ index f1cd72398ec..8b17ebba296 100644
if (! filename) if (! filename)
return 0; return 0;
--
2.26.2

View File

@ -1,8 +1,7 @@
From 5c219ca7ec3b481573309245e3b7399c2f19a99c Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 15:48:20 -0400 Date: Sun, 19 Jul 2020 15:48:20 -0400
Subject: [PATCH 301/314] lvm: fix two more potential data-dependent alloc Subject: [PATCH] lvm: fix two more potential data-dependent alloc overflows
overflows
It appears to be possible to make a (possibly invalid) lvm PV with a It appears to be possible to make a (possibly invalid) lvm PV with a
metadata size field that overflows our type when adding it to the metadata size field that overflows our type when adding it to the
@ -14,7 +13,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Upstream-commit-id: 45ec6046ea0 Upstream-commit-id: 45ec6046ea0
--- ---
grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++-------- grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 8 deletions(-) 1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
@ -108,6 +107,3 @@ index d1df640b311..ca09d469990 100644
if (!lv->fullname) if (!lv->fullname)
goto lvs_fail; goto lvs_fail;
--
2.26.2

View File

@ -1,7 +1,7 @@
From d38b6703c0668e5d99e6f00aeef5d1b1d7458f9a Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 16:08:08 -0400 Date: Sun, 19 Jul 2020 16:08:08 -0400
Subject: [PATCH 302/314] emu: make grub_free(NULL) safe Subject: [PATCH] emu: make grub_free(NULL) safe
The grub_free() implementation in kern/mm.c safely handles NULL The grub_free() implementation in kern/mm.c safely handles NULL
pointers, and code at many places depends on this. We don't know that pointers, and code at many places depends on this. We don't know that
@ -29,6 +29,3 @@ index 145b01d3719..4d1046a219e 100644
} }
void * void *
--
2.26.2

View File

@ -1,8 +1,7 @@
From 3ca105b5d77e292517091da4777484068848da6d Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 16:53:27 -0400 Date: Sun, 19 Jul 2020 16:53:27 -0400
Subject: [PATCH 303/314] efi: fix some malformed device path arithmetic Subject: [PATCH] efi: fix some malformed device path arithmetic errors.
errors.
Several places we take the length of a device path and subtract 4 from Several places we take the length of a device path and subtract 4 from
it, without ever checking that it's >= 4. There are also cases where it, without ever checking that it's >= 4. There are also cases where
@ -19,10 +18,10 @@ code check for and return errors in these cases.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream-commit-id: 23e68a83990 Upstream-commit-id: 23e68a83990
--- ---
grub-core/kern/efi/efi.c | 67 +++++++++++++++++++++++++----- grub-core/kern/efi/efi.c | 67 ++++++++++++++++++++++++++++++++------
grub-core/loader/efi/chainloader.c | 19 ++++++++- grub-core/loader/efi/chainloader.c | 19 +++++++++--
grub-core/loader/i386/xnu.c | 9 ++-- grub-core/loader/i386/xnu.c | 9 ++---
include/grub/efi/api.h | 14 ++++--- include/grub/efi/api.h | 14 +++++---
4 files changed, 88 insertions(+), 21 deletions(-) 4 files changed, 88 insertions(+), 21 deletions(-)
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
@ -247,6 +246,3 @@ index 6c440c61316..a092fddb629 100644
/* Hardware Device Path. */ /* Hardware Device Path. */
#define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1 #define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1
--
2.26.2

View File

@ -1,8 +1,8 @@
From cab9214c4caad2ad95ce8bd456c68bc08def0833 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com> From: Chris Coulson <chris.coulson@canonical.com>
Date: Wed, 22 Jul 2020 17:06:04 +0100 Date: Wed, 22 Jul 2020 17:06:04 +0100
Subject: [PATCH 304/314] Fix a regression caused by "efi: fix some malformed Subject: [PATCH] Fix a regression caused by "efi: fix some malformed device
device path arithmetic errors" path arithmetic errors"
This commit introduced a bogus check inside copy_file_path to This commit introduced a bogus check inside copy_file_path to
determine whether the destination grub_efi_file_path_device_path_t determine whether the destination grub_efi_file_path_device_path_t
@ -83,6 +83,3 @@ index c2411b6dab2..8b99cf23e9d 100644
/* Fill the end of device path nodes. */ /* Fill the end of device path nodes. */
d = GRUB_EFI_NEXT_DEVICE_PATH (d); d = GRUB_EFI_NEXT_DEVICE_PATH (d);
--
2.26.2

View File

@ -1,8 +1,7 @@
From 0bfbb0c63ccc73d8508d1a402f53f9f6a64de903 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexander Burmashev <alexander.burmashev@oracle.com> From: Alexander Burmashev <alexander.burmashev@oracle.com>
Date: Wed, 22 Jul 2020 06:04:38 -0700 Date: Wed, 22 Jul 2020 06:04:38 -0700
Subject: [PATCH 305/314] update safemath with fallback code for gcc older than Subject: [PATCH] update safemath with fallback code for gcc older than 5.1
5.1
The code used in the header was taken from linux kernel commit The code used in the header was taken from linux kernel commit
f0907827a8a9152aedac2833ed1b674a7b2a44f2. Rasmus Villemoes f0907827a8a9152aedac2833ed1b674a7b2a44f2. Rasmus Villemoes
@ -13,7 +12,7 @@ sources
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com> Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
--- ---
include/grub/safemath.h | 119 +++++++++++++++++++++++++++++++++++++++- include/grub/safemath.h | 119 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 118 insertions(+), 1 deletion(-) 1 file changed, 118 insertions(+), 1 deletion(-)
diff --git a/include/grub/safemath.h b/include/grub/safemath.h diff --git a/include/grub/safemath.h b/include/grub/safemath.h
@ -146,6 +145,3 @@ index c17b89bba17..1ccac276b59 100644
#endif #endif
#endif /* GRUB_SAFEMATH_H */ #endif /* GRUB_SAFEMATH_H */
--
2.26.2

View File

@ -1,7 +1,7 @@
From 7a7d0278212dde624229dd6da973ccfdf60a7982 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com> From: Alexey Makhalov <amakhalov@vmware.com>
Date: Mon, 20 Jul 2020 23:03:05 +0000 Date: Mon, 20 Jul 2020 23:03:05 +0000
Subject: [PATCH 306/314] efi: Fix use-after-free in halt/reboot path Subject: [PATCH] efi: Fix use-after-free in halt/reboot path
commit 92bfc33db984 ("efi: Free malloc regions on exit") commit 92bfc33db984 ("efi: Free malloc regions on exit")
introduced memory freeing in grub_efi_fini(), which is introduced memory freeing in grub_efi_fini(), which is
@ -160,6 +160,3 @@ index 7f82a499fd9..b208642821b 100644
}; };
void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void), void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
--
2.26.2

View File

@ -1,7 +1,7 @@
From c62652ca26ed1c145d0e820e0f108ce4e61b1f17 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 17:11:06 -0400 Date: Sun, 19 Jul 2020 17:11:06 -0400
Subject: [PATCH 307/314] efi+dhcp: fix some allocation error checking. Subject: [PATCH] efi+dhcp: fix some allocation error checking.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
--- ---
@ -35,6 +35,3 @@ index dbef63d8c08..e5c79b748b0 100644
} }
if (status != GRUB_EFI_SUCCESS) if (status != GRUB_EFI_SUCCESS)
--
2.26.2

View File

@ -1,7 +1,7 @@
From 4436316229bc5b46016d61215b709ec434f4e0d3 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 17:14:15 -0400 Date: Sun, 19 Jul 2020 17:14:15 -0400
Subject: [PATCH 308/314] efi+http: fix some allocation error checking. Subject: [PATCH] efi+http: fix some allocation error checking.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
--- ---
@ -37,6 +37,3 @@ index fc8cb25ae0a..26647a50fa4 100644
file->size = size; file->size = size;
file->data = buf; file->data = buf;
--
2.26.2

View File

@ -1,8 +1,7 @@
From 9f8ce6fac51e229a18ed2fa3321f7fc3d6d822a6 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 17:27:00 -0400 Date: Sun, 19 Jul 2020 17:27:00 -0400
Subject: [PATCH 309/314] efi/ip[46]_config.c: fix some potential allocation Subject: [PATCH] efi/ip[46]_config.c: fix some potential allocation overflows
overflows
In theory all of this data comes from the firmware stack and it should In theory all of this data comes from the firmware stack and it should
be safe, but it's better to be paranoid. be safe, but it's better to be paranoid.
@ -126,6 +125,3 @@ index e0e00c23d21..1c5415d7185 100644
{ {
char *gateway, *destination; char *gateway, *destination;
grub_uint64_t u64_gateway[2]; grub_uint64_t u64_gateway[2];
--
2.26.2

View File

@ -1,7 +1,7 @@
From e5ef076d3188c3389769a3bde72382db9b94dc97 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Thu, 23 Jul 2020 15:02:48 -0400 Date: Thu, 23 Jul 2020 15:02:48 -0400
Subject: [PATCH 310/314] Fix up some types for gcc 4.8 compat safemath.h Subject: [PATCH] Fix up some types for gcc 4.8 compat safemath.h
The compat macros aren't as forgiving as __builtin_*_overflow(). The compat macros aren't as forgiving as __builtin_*_overflow().
@ -214,6 +214,3 @@ index 4dfcc31078d..f902b13b44e 100644
goto fail; goto fail;
n = grub_realloc (out->combining_ptr, sz); n = grub_realloc (out->combining_ptr, sz);
--
2.26.2

View File

@ -1,7 +1,7 @@
From 0a9a828e88a2e14be684761afe582e7bb286676b Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org> From: Colin Watson <cjwatson@debian.org>
Date: Fri, 24 Jul 2020 17:18:09 +0100 Date: Fri, 24 Jul 2020 17:18:09 +0100
Subject: [PATCH 311/314] efilinux: Fix integer overflows in grub_cmd_initrd Subject: [PATCH] efilinux: Fix integer overflows in grub_cmd_initrd
These could be triggered by an extremely large number of arguments to These could be triggered by an extremely large number of arguments to
the initrd command on 32-bit architectures, or a crafted filesystem with the initrd command on 32-bit architectures, or a crafted filesystem with
@ -46,6 +46,3 @@ index ea9f5134e67..ade7ab8f573 100644
} }
initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size)); initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size));
--
2.26.2

View File

@ -1,8 +1,7 @@
From 9fa474528317c2311e2f2ac0fd626316ef7486d4 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Fri, 24 Jul 2020 13:57:27 -0400 Date: Fri, 24 Jul 2020 13:57:27 -0400
Subject: [PATCH 312/314] linux loader: avoid overflow on initrd size Subject: [PATCH] linux loader: avoid overflow on initrd size calculation
calculation
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
--- ---
@ -24,6 +23,3 @@ index c2c7cfcd0fd..61a2e144db0 100644
if (!initrd_ctx->components) if (!initrd_ctx->components)
return grub_errno; return grub_errno;
--
2.26.2

View File

@ -1,8 +1,7 @@
From 2ba58823b68d5fbf8d625ed6d7e18b09bc556860 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com> From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Wed, 22 Jul 2020 11:31:43 +0100 Date: Wed, 22 Jul 2020 11:31:43 +0100
Subject: [PATCH 313/314] linuxefi: fail kernel validation without shim Subject: [PATCH] linuxefi: fail kernel validation without shim protocol.
protocol.
If certificates that signed grub are installed into db, grub can be If certificates that signed grub are installed into db, grub can be
booted directly. It will then boot any kernel without signature booted directly. It will then boot any kernel without signature
@ -96,6 +95,3 @@ index ade7ab8f573..361e503cb52 100644
} }
params = grub_efi_allocate_pages_max (0x3fffffff, params = grub_efi_allocate_pages_max (0x3fffffff,
--
2.26.2

View File

@ -1,7 +1,7 @@
From 9715e08cf30ebd8a24ca27b7c4dda8e949e100df Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org> From: Colin Watson <cjwatson@debian.org>
Date: Sat, 25 Jul 2020 12:15:37 +0100 Date: Sat, 25 Jul 2020 12:15:37 +0100
Subject: [PATCH 314/314] linux: Fix integer overflows in initrd size handling Subject: [PATCH] linux: Fix integer overflows in initrd size handling
These could be triggered by a crafted filesystem with very large files. These could be triggered by a crafted filesystem with very large files.
@ -10,7 +10,7 @@ Fixes: CVE-2020-15707
Signed-off-by: Colin Watson <cjwatson@debian.org> Signed-off-by: Colin Watson <cjwatson@debian.org>
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
--- ---
grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++----------- grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
1 file changed, 54 insertions(+), 20 deletions(-) 1 file changed, 54 insertions(+), 20 deletions(-)
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
@ -163,6 +163,3 @@ index 61a2e144db0..0953f6d3266 100644
ptr = make_header (ptr, initrd_ctx->components[i].newc_name, ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
grub_strlen (initrd_ctx->components[i].newc_name), grub_strlen (initrd_ctx->components[i].newc_name),
0100777, 0100777,
--
2.26.2

View File

@ -23,7 +23,7 @@ Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
1 file changed, 14 insertions(+), 2 deletions(-) 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 2c52f692b25..4f38d7ef1f7 100644 index 79c16f9b041..b9a4b607a3d 100644
--- a/grub-core/net/tftp.c --- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c +++ b/grub-core/net/tftp.c
@@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), @@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),

View File

@ -0,0 +1,441 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 19 Feb 2021 10:33:54 +0100
Subject: [PATCH] kern: Add lockdown support
When the GRUB starts on a secure boot platform, some commands can be
used to subvert the protections provided by the verification mechanism and
could lead to booting untrusted system.
To prevent that situation, allow GRUB to be locked down. That way the code
may check if GRUB has been locked down and further restrict the commands
that are registered or what subset of their functionality could be used.
The lockdown support adds the following components:
* The grub_lockdown() function which can be used to lockdown GRUB if,
e.g., UEFI Secure Boot is enabled.
* The grub_is_lockdown() function which can be used to check if the GRUB
was locked down.
* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
verifiers. These files are only successfully verified if another registered
verifier returns success. Otherwise, the whole verification process fails.
For example, PE/COFF binaries verification can be done by the shim_lock
verifier which validates the signatures using the shim_lock protocol.
However, the verification is not deferred directly to the shim_lock verifier.
The shim_lock verifier is hooked into the verification process instead.
* A set of grub_{command,extcmd}_lockdown functions that can be used by
code registering command handlers, to only register unsafe commands if
the GRUB has not been locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/Makefile.core.def | 1 +
grub-core/commands/extcmd.c | 23 +++++++++++
grub-core/kern/command.c | 24 ++++++++++++
grub-core/kern/lockdown.c | 93 +++++++++++++++++++++++++++++++++++++++++++++
include/grub/command.h | 5 +++
include/grub/extcmd.h | 7 ++++
include/grub/lockdown.h | 44 +++++++++++++++++++++
conf/Makefile.common | 2 +
docs/grub-dev.texi | 27 +++++++++++++
docs/grub.texi | 9 +++++
grub-core/Makefile.am | 5 ++-
11 files changed, 239 insertions(+), 1 deletion(-)
create mode 100644 grub-core/kern/lockdown.c
create mode 100644 include/grub/lockdown.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index c8a50b4fcfa..0eb7f312b29 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -197,6 +197,7 @@ kernel = {
efi = term/efi/console.c;
efi = kern/acpi.c;
efi = kern/efi/acpi.c;
+ efi = kern/lockdown.c;
efi = lib/envblk.c;
efi = kern/efi/tpm.c;
i386_coreboot = kern/i386/pc/acpi.c;
diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
index 69574e2b05b..90a5ca24a64 100644
--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
@@ -19,6 +19,7 @@
#include <grub/mm.h>
#include <grub/list.h>
+#include <grub/lockdown.h>
#include <grub/misc.h>
#include <grub/extcmd.h>
#include <grub/script_sh.h>
@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
summary, description, parser, 1);
}
+static grub_err_t
+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+ int argc __attribute__ ((unused)),
+ char **argv __attribute__ ((unused)))
+{
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ N_("%s: the command is not allowed when lockdown is enforced"),
+ ctxt->extcmd->cmd->name);
+}
+
+grub_extcmd_t
+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
+ grub_command_flags_t flags, const char *summary,
+ const char *description,
+ const struct grub_arg_option *parser)
+{
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+ func = grub_extcmd_lockdown;
+
+ return grub_register_extcmd (name, func, flags, summary, description, parser);
+}
+
void
grub_unregister_extcmd (grub_extcmd_t ext)
{
diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
index acd72187992..4aabcd4b5f9 100644
--- a/grub-core/kern/command.c
+++ b/grub-core/kern/command.c
@@ -17,6 +17,7 @@
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
*/
+#include <grub/lockdown.h>
#include <grub/mm.h>
#include <grub/command.h>
@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
return cmd;
}
+static grub_err_t
+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
+ int argc __attribute__ ((unused)),
+ char **argv __attribute__ ((unused)))
+
+{
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ N_("%s: the command is not allowed when lockdown is enforced"),
+ cmd->name);
+}
+
+grub_command_t
+grub_register_command_lockdown (const char *name,
+ grub_command_func_t func,
+ const char *summary,
+ const char *description)
+{
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+ func = grub_cmd_lockdown;
+
+ return grub_register_command_prio (name, func, summary, description, 0);
+}
+
void
grub_unregister_command (grub_command_t cmd)
{
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
new file mode 100644
index 00000000000..f87ddaeb1ee
--- /dev/null
+++ b/grub-core/kern/lockdown.c
@@ -0,0 +1,93 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2020 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <grub/dl.h>
+#include <grub/file.h>
+#include <grub/lockdown.h>
+
+/* There is no verifier framework in grub 2.02 */
+#if 0
+#include <grub/verify.h>
+#endif
+
+static int lockdown = GRUB_LOCKDOWN_DISABLED;
+
+/* There is no verifier framework in grub 2.02 */
+#if 0
+static grub_err_t
+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
+ enum grub_file_type type,
+ void **context __attribute__ ((unused)),
+ enum grub_verify_flags *flags)
+{
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
+
+ switch (type & GRUB_FILE_TYPE_MASK)
+ {
+ case GRUB_FILE_TYPE_GRUB_MODULE:
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
+ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
+ case GRUB_FILE_TYPE_BSD_KERNEL:
+ case GRUB_FILE_TYPE_XNU_KERNEL:
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
+ case GRUB_FILE_TYPE_NTLDR:
+ case GRUB_FILE_TYPE_TRUECRYPT:
+ case GRUB_FILE_TYPE_FREEDOS:
+ case GRUB_FILE_TYPE_PXECHAINLOADER:
+ case GRUB_FILE_TYPE_PCCHAINLOADER:
+ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+ case GRUB_FILE_TYPE_ACPI_TABLE:
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+
+ /* Fall through. */
+
+ default:
+ return GRUB_ERR_NONE;
+ }
+}
+
+struct grub_file_verifier lockdown_verifier =
+ {
+ .name = "lockdown_verifier",
+ .init = lockdown_verifier_init,
+ };
+#endif
+
+void
+grub_lockdown (void)
+{
+ lockdown = GRUB_LOCKDOWN_ENABLED;
+
+ /*
+ * XXX: The lockdown verifier doesn't make sense until
+ * GRUB has moved to the shim_lock verifier.
+ */
+#if 0
+ grub_verifier_register (&lockdown_verifier);
+#endif
+}
+
+int
+grub_is_lockdown (void)
+{
+ return lockdown;
+}
diff --git a/include/grub/command.h b/include/grub/command.h
index eee4e847ee4..2a6f7f84697 100644
--- a/include/grub/command.h
+++ b/include/grub/command.h
@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
const char *summary,
const char *description,
int prio);
+grub_command_t
+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
+ grub_command_func_t func,
+ const char *summary,
+ const char *description);
void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
static inline grub_command_t
diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
index 19fe592669e..fe9248b8bb6 100644
--- a/include/grub/extcmd.h
+++ b/include/grub/extcmd.h
@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
const char *description,
const struct grub_arg_option *parser);
+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
+ grub_extcmd_func_t func,
+ grub_command_flags_t flags,
+ const char *summary,
+ const char *description,
+ const struct grub_arg_option *parser);
+
grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
grub_extcmd_func_t func,
grub_command_flags_t flags,
diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
new file mode 100644
index 00000000000..40531fa823b
--- /dev/null
+++ b/include/grub/lockdown.h
@@ -0,0 +1,44 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2020 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_LOCKDOWN_H
+#define GRUB_LOCKDOWN_H 1
+
+#include <grub/symbol.h>
+
+#define GRUB_LOCKDOWN_DISABLED 0
+#define GRUB_LOCKDOWN_ENABLED 1
+
+#ifdef GRUB_MACHINE_EFI
+extern void
+EXPORT_FUNC (grub_lockdown) (void);
+extern int
+EXPORT_FUNC (grub_is_lockdown) (void);
+#else
+static inline void
+grub_lockdown (void)
+{
+}
+
+static inline int
+grub_is_lockdown (void)
+{
+ return GRUB_LOCKDOWN_DISABLED;
+}
+#endif
+#endif /* ! GRUB_LOCKDOWN_H */
diff --git a/conf/Makefile.common b/conf/Makefile.common
index b93879804c0..521cdda1f5a 100644
--- a/conf/Makefile.common
+++ b/conf/Makefile.common
@@ -85,7 +85,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
index 3ce827ab726..421dd410e50 100644
--- a/docs/grub-dev.texi
+++ b/docs/grub-dev.texi
@@ -84,6 +84,7 @@ This edition documents version @value{VERSION}.
* Video Subsystem::
* PFF2 Font File Format::
* Graphical Menu Software Design::
+* Lockdown framework::
* Copying This Manual:: Copying This Manual
* Index::
@end menu
@@ -1949,6 +1950,32 @@ the graphics mode that was in use before @code{grub_video_setup()} was called
might fix some of the problems.
+@node Lockdown framework
+@chapter Lockdown framework
+
+The GRUB can be locked down, which is a restricted mode where some operations
+are not allowed. For instance, some commands cannot be used when the GRUB is
+locked down.
+
+The function
+@code{grub_lockdown()} is used to lockdown GRUB and the function
+@code{grub_is_lockdown()} function can be used to check whether lockdown is
+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
+
+The following functions can be used to register the commands that can only be
+used when lockdown is disabled:
+
+@itemize
+
+@item @code{grub_cmd_lockdown()} registers command which should not run when the
+GRUB is in lockdown mode.
+
+@item @code{grub_cmd_lockdown()} registers extended command which should not run
+when the GRUB is in lockdown mode.
+
+@end itemize
+
@node Copying This Manual
@appendix Copying This Manual
diff --git a/docs/grub.texi b/docs/grub.texi
index c54bee31679..0a53c28ee88 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5610,6 +5610,8 @@ environment variables and commands are listed in the same order.
@menu
* Authentication and authorisation:: Users and access control
* Using digital signatures:: Booting digitally signed code
+* Lockdown:: Lockdown when booting on a secure setup
+
@end menu
@node Authentication and authorisation
@@ -5772,6 +5774,13 @@ or BIOS) configuration to cause the machine to boot from a different
(attacker-controlled) device. GRUB is at best only one link in a
secure boot chain.
+@node Lockdown
+@section Lockdown when booting on a secure setup
+
+The GRUB can be locked down when booted on a secure boot environment, for example
+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+be restricted and some operations/commands cannot be executed.
+
@node Platform limitations
@chapter Platform limitations
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index 4062652506d..a6f1b0dcd06 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -82,6 +82,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
if COND_emu
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
@@ -350,8 +351,10 @@ command.lst: $(MARKER_FILES)
b=`basename $$pp .marker`; \
sed -n \
-e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
-e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
+ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
done) | sort -u > $@
platform_DATA += command.lst
CLEANFILES += command.lst

View File

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 2 Feb 2021 19:59:48 +0100
Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
It may be useful for scripts to determine whether the GRUB is locked
down or not. Add the lockdown variable which is set to "y" when the GRUB
is locked down.
Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/lockdown.c | 4 ++++
docs/grub.texi | 3 +++
2 files changed, 7 insertions(+)
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index f87ddaeb1ee..30cba7f5ea2 100644
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -18,6 +18,7 @@
*/
#include <grub/dl.h>
+#include <grub/env.h>
#include <grub/file.h>
#include <grub/lockdown.h>
@@ -84,6 +85,9 @@ grub_lockdown (void)
#if 0
grub_verifier_register (&lockdown_verifier);
#endif
+
+ grub_env_set ("lockdown", "y");
+ grub_env_export ("lockdown");
}
int
diff --git a/docs/grub.texi b/docs/grub.texi
index 0a53c28ee88..6f5efaace32 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5781,6 +5781,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
be restricted and some operations/commands cannot be executed.
+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
+Otherwise it does not exit.
+
@node Platform limitations
@chapter Platform limitations

View File

@ -0,0 +1,52 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:29 +0200
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
If the UEFI Secure Boot is enabled then the GRUB must be locked down
to prevent executing code that can potentially be used to subvert its
verification mechanisms.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/efi/init.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 79243b364a1..97bf36906a4 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -20,6 +20,8 @@
#include <grub/efi/efi.h>
#include <grub/efi/console.h>
#include <grub/efi/disk.h>
+#include <grub/efi/sb.h>
+#include <grub/lockdown.h>
#include <grub/term.h>
#include <grub/misc.h>
#include <grub/env.h>
@@ -93,6 +95,23 @@ grub_efi_init (void)
/* Initialize the memory management system. */
grub_efi_mm_init ();
+ /*
+ * Lockdown the GRUB and register the shim_lock verifier
+ * if the UEFI Secure Boot is enabled.
+ */
+ if (grub_efi_secure_boot ())
+ {
+ grub_lockdown ();
+
+ /*
+ * TODO: Move GRUB to using the shim_lock verifier and
+ * enable the lockdown verifier.
+ */
+#if 0
+ grub_shim_lock_verifier_setup ();
+#endif
+ }
+
efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
0, 0, 0, NULL);

View File

@ -0,0 +1,137 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:33 +0200
Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
modules list
Now the GRUB can check if it has been locked down and this can be used to
prevent executing commands that can be utilized to circumvent the UEFI
Secure Boot mechanisms. So, instead of hardcoding a list of modules that
have to be disabled, prevent the usage of commands that can be dangerous.
This not only allows the commands to be disabled on other platforms, but
also properly separate the concerns. Since the shim_lock verifier logic
should be only about preventing to run untrusted binaries and not about
defining these kind of policies.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/iorw.c | 26 ++++++++++----------------
grub-core/commands/memrw.c | 26 ++++++++++----------------
2 files changed, 20 insertions(+), 32 deletions(-)
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
index 41a7f3f0466..584baec8f91 100644
--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
@@ -23,7 +23,7 @@
#include <grub/env.h>
#include <grub/cpu/io.h>
#include <grub/i18n.h>
-#include <grub/efi/sb.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -119,9 +119,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
GRUB_MOD_INIT(memrw)
{
- if (grub_efi_secure_boot())
- return;
-
cmd_read_byte =
grub_register_extcmd ("inb", grub_cmd_read, 0,
N_("PORT"), N_("Read 8-bit value from PORT."),
@@ -135,24 +132,21 @@ GRUB_MOD_INIT(memrw)
N_("PORT"), N_("Read 32-bit value from PORT."),
options);
cmd_write_byte =
- grub_register_command ("outb", grub_cmd_write,
- N_("PORT VALUE [MASK]"),
- N_("Write 8-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outb", grub_cmd_write,
+ N_("PORT VALUE [MASK]"),
+ N_("Write 8-bit VALUE to PORT."));
cmd_write_word =
- grub_register_command ("outw", grub_cmd_write,
- N_("PORT VALUE [MASK]"),
- N_("Write 16-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outw", grub_cmd_write,
+ N_("PORT VALUE [MASK]"),
+ N_("Write 16-bit VALUE to PORT."));
cmd_write_dword =
- grub_register_command ("outl", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 32-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outl", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 32-bit VALUE to PORT."));
}
GRUB_MOD_FINI(memrw)
{
- if (grub_efi_secure_boot())
- return;
-
grub_unregister_extcmd (cmd_read_byte);
grub_unregister_extcmd (cmd_read_word);
grub_unregister_extcmd (cmd_read_dword);
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
index 088cbe9e2bc..d401a6db0ef 100644
--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@@ -22,7 +22,7 @@
#include <grub/extcmd.h>
#include <grub/env.h>
#include <grub/i18n.h>
-#include <grub/efi/sb.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -121,9 +121,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
GRUB_MOD_INIT(memrw)
{
- if (grub_efi_secure_boot())
- return;
-
cmd_read_byte =
grub_register_extcmd ("read_byte", grub_cmd_read, 0,
N_("ADDR"), N_("Read 8-bit value from ADDR."),
@@ -137,24 +134,21 @@ GRUB_MOD_INIT(memrw)
N_("ADDR"), N_("Read 32-bit value from ADDR."),
options);
cmd_write_byte =
- grub_register_command ("write_byte", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 8-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_byte", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 8-bit VALUE to ADDR."));
cmd_write_word =
- grub_register_command ("write_word", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 16-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_word", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 16-bit VALUE to ADDR."));
cmd_write_dword =
- grub_register_command ("write_dword", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 32-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_dword", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 32-bit VALUE to ADDR."));
}
GRUB_MOD_FINI(memrw)
{
- if (grub_efi_secure_boot())
- return;
-
grub_unregister_extcmd (cmd_read_byte);
grub_unregister_extcmd (cmd_read_word);
grub_unregister_extcmd (cmd_read_dword);

View File

@ -0,0 +1,72 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:41 +0200
Subject: [PATCH] acpi: Don't register the acpi command when locked down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command is not allowed when lockdown is enforced. Otherwise an
attacker can instruct the GRUB to load an SSDT table to overwrite
the kernel lockdown configuration and later load and execute
unsigned code.
Fixes: CVE-2020-14372
Reported-by: Máté Kukri <km@mkukri.xyz>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/acpi.c | 15 ++++++++-------
docs/grub.texi | 5 +++++
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
index 9f02f22019a..a2912989b5c 100644
--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@@ -27,6 +27,7 @@
#include <grub/mm.h>
#include <grub/memory.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
#ifdef GRUB_MACHINE_EFI
#include <grub/efi/efi.h>
@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
GRUB_MOD_INIT(acpi)
{
- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
- "--load-only=TABLE1,TABLE2] FILE1"
- " [FILE2] [...]"),
- N_("Load host ACPI tables and tables "
- "specified by arguments."),
- options);
+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+ "--load-only=TABLE1,TABLE2] FILE1"
+ " [FILE2] [...]"),
+ N_("Load host ACPI tables and tables "
+ "specified by arguments."),
+ options);
}
GRUB_MOD_FINI(acpi)
diff --git a/docs/grub.texi b/docs/grub.texi
index 6f5efaace32..a724d0712ed 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4033,6 +4033,11 @@ Normally, this command will replace the Root System Description Pointer
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
@option{--no-ebda} option is used, the new tables will be known only to
GRUB, but may be used by GRUB's EFI emulation.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
+ overwrite the kernel lockdown configuration and later load and execute
+ unsigned code.
@end deffn

View File

@ -0,0 +1,66 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 14 Oct 2020 16:33:42 +0200
Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
is enforced
The cutmem and badram commands can be used to remove EFI memory regions
and potentially disable the UEFI Secure Boot. Prevent the commands to be
registered if the GRUB is locked down.
Fixes: CVE-2020-27779
Reported-by: Teddy Reed <teddy.reed@gmail.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/mmap/mmap.c | 13 +++++++------
docs/grub.texi | 4 ++++
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
index 57b4e9a72a9..7ebf32e1e5e 100644
--- a/grub-core/mmap/mmap.c
+++ b/grub-core/mmap/mmap.c
@@ -20,6 +20,7 @@
#include <grub/memory.h>
#include <grub/machine/memory.h>
#include <grub/err.h>
+#include <grub/lockdown.h>
#include <grub/misc.h>
#include <grub/mm.h>
#include <grub/command.h>
@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
GRUB_MOD_INIT(mmap)
{
- cmd = grub_register_command ("badram", grub_cmd_badram,
- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
- N_("Declare memory regions as faulty (badram)."));
- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
- N_("FROM[K|M|G] TO[K|M|G]"),
- N_("Remove any memory regions in specified range."));
+ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
+ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+ N_("Declare memory regions as faulty (badram)."));
+ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
+ N_("FROM[K|M|G] TO[K|M|G]"),
+ N_("Remove any memory regions in specified range."));
}
diff --git a/docs/grub.texi b/docs/grub.texi
index a724d0712ed..a9b02190404 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4098,6 +4098,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
that are often result of memory damage, due to physical distribution of memory
cells.
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This prevents removing EFI memory regions to potentially subvert the
+ security mechanisms provided by the UEFI secure boot.
+
@node blocklist
@subsection blocklist

View File

@ -0,0 +1,108 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 24 Feb 2021 09:00:05 +0100
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
when locked down
There are some more commands that should be restricted when the GRUB is
locked down. Following is the list of commands and reasons to restrict:
* fakebios: creates BIOS-like structures for backward compatibility with
existing OSes. This should not be allowed when locked down.
* loadbios: reads a BIOS dump from storage and loads it. This action
should not be allowed when locked down.
* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
any Device Tree provided by the firmware. This also should
not be allowed when locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/efi/loadbios.c | 14 +++++++-------
grub-core/loader/arm/linux.c | 6 +++---
grub-core/loader/efi/fdt.c | 4 ++--
docs/grub.texi | 6 ++++--
4 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
index 132cadbc764..3da4c26df7a 100644
--- a/grub-core/commands/efi/loadbios.c
+++ b/grub-core/commands/efi/loadbios.c
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
GRUB_MOD_INIT(loadbios)
{
- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
- 0, N_("Create BIOS-like structures for"
- " backward compatibility with"
- " existing OS."));
+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
+ 0, N_("Create BIOS-like structures for"
+ " backward compatibility with"
+ " existing OS."));
- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
- N_("BIOS_DUMP [INT10_DUMP]"),
- N_("Load BIOS dump."));
+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
+ N_("BIOS_DUMP [INT10_DUMP]"),
+ N_("Load BIOS dump."));
}
GRUB_MOD_FINI(loadbios)
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
index ea29d7a724a..ff2911baa67 100644
--- a/grub-core/loader/arm/linux.c
+++ b/grub-core/loader/arm/linux.c
@@ -489,9 +489,9 @@ GRUB_MOD_INIT (linux)
0, N_("Load Linux."));
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
0, N_("Load initrd."));
- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
- /* TRANSLATORS: DTB stands for device tree blob. */
- 0, N_("Load DTB file."));
+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
+ /* TRANSLATORS: DTB stands for device tree blob. */
+ 0, N_("Load DTB file."));
my_mod = mod;
current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
machine_type = grub_arm_firmware_get_machine_type ();
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
index a9dbcfdfeaf..c0ea050dc8b 100644
--- a/grub-core/loader/efi/fdt.c
+++ b/grub-core/loader/efi/fdt.c
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
GRUB_MOD_INIT (fdt)
{
cmd_devicetree =
- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
- N_("Load DTB file."));
+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
+ N_("Load DTB file."));
}
GRUB_MOD_FINI (fdt)
diff --git a/docs/grub.texi b/docs/grub.texi
index a9b02190404..71943b15dd1 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4276,13 +4276,15 @@ hour, minute, and second unchanged.
@node devicetree
-@subsection linux
+@subsection devicetree
@deffn Command devicetree file
Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
kernel. Does not perform merging with any device tree supplied by firmware,
but rather replaces it completely.
-@ref{GNU/Linux}.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This is done to prevent subverting various security mechanisms.
@end deffn
@node distrust

View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 24 Feb 2021 22:59:59 +0100
Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
This command can set PCI devices register values, which makes it dangerous
in a locked down configuration. Restrict it so can't be used on this setup.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/setpci.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
index d5bc97d60b2..fa2ba7d8919 100644
--- a/grub-core/commands/setpci.c
+++ b/grub-core/commands/setpci.c
@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
GRUB_MOD_INIT(setpci)
{
- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
- N_("[-s POSITION] [-d DEVICE] [-v VAR] "
- "REGISTER[=VALUE[:MASK]]"),
- N_("Manipulate PCI devices."), options);
+ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
+ N_("[-s POSITION] [-d DEVICE] [-v VAR] "
+ "REGISTER[=VALUE[:MASK]]"),
+ N_("Manipulate PCI devices."), options);
}
GRUB_MOD_FINI(setpci)

View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 24 Feb 2021 12:59:29 +0100
Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
The command can be used to get/set ATA disk parameters. Some of these can
be dangerous since change the disk behavior. Restrict it when locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/hdparm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
index d3fa9661e5f..2e2319e645a 100644
--- a/grub-core/commands/hdparm.c
+++ b/grub-core/commands/hdparm.c
@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
GRUB_MOD_INIT(hdparm)
{
- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
- N_("[OPTIONS] DISK"),
- N_("Get/set ATA disk parameters."), options);
+ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
+ N_("[OPTIONS] DISK"),
+ N_("Get/set ATA disk parameters."), options);
}
GRUB_MOD_FINI(hdparm)

View File

@ -0,0 +1,58 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 24 Feb 2021 15:03:26 +0100
Subject: [PATCH] gdb: Restrict GDB access when locked down
The gdbstub* commands allow to start and control a GDB stub running on
local host that can be used to connect from a remote debugger. Restrict
this functionality when the GRUB is locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
index 847a1e1e36f..1818cb6f8eb 100644
--- a/grub-core/gdb/gdb.c
+++ b/grub-core/gdb/gdb.c
@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
GRUB_MOD_INIT (gdb)
{
grub_gdb_idtinit ();
- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
- N_("PORT"),
- /* TRANSLATORS: GDB stub is a small part of
- GDB functionality running on local host
- which allows remote debugger to
- connect to it. */
- N_("Start GDB stub on given port"));
- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
- /* TRANSLATORS: this refers to triggering
- a breakpoint so that the user will land
- into GDB. */
- 0, N_("Break into GDB"));
- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
- 0, N_("Stop GDB stub"));
+ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
+ N_("PORT"),
+ /*
+ * TRANSLATORS: GDB stub is a small part of
+ * GDB functionality running on local host
+ * which allows remote debugger to
+ * connect to it.
+ */
+ N_("Start GDB stub on given port"));
+ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
+ /*
+ * TRANSLATORS: this refers to triggering
+ * a breakpoint so that the user will land
+ * into GDB.
+ */
+ 0, N_("Break into GDB"));
+ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
+ 0, N_("Stop GDB stub"));
}
GRUB_MOD_FINI (gdb)

View File

@ -0,0 +1,57 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 24 Feb 2021 14:44:38 +0100
Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
locked down
The shim_lock verifier validates the XNU kernels but no its extensions
and packages. Prevent these to be loaded when the GRUB is locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
index 2bf02489bad..0c4b33250fb 100644
--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
@@ -1480,20 +1480,23 @@ GRUB_MOD_INIT(xnu)
N_("Load XNU image."));
cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
0, N_("Load 64-bit XNU image."));
- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
- N_("Load XNU extension package."));
- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
- N_("Load XNU extension."));
- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
- /* TRANSLATORS: OSBundleRequired is a
- variable name in xnu extensions
- manifests. It behaves mostly like
- GNU/Linux runlevels.
- */
- N_("DIRECTORY [OSBundleRequired]"),
- /* TRANSLATORS: There are many extensions
- in extension directory. */
- N_("Load XNU extension directory."));
+ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+ N_("Load XNU extension package."));
+ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
+ N_("Load XNU extension."));
+ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
+ /*
+ * TRANSLATORS: OSBundleRequired is
+ * a variable name in xnu extensions
+ * manifests. It behaves mostly like
+ * GNU/Linux runlevels.
+ */
+ N_("DIRECTORY [OSBundleRequired]"),
+ /*
+ * TRANSLATORS: There are many extensions
+ * in extension directory.
+ */
+ N_("Load XNU extension directory."));
cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
/* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
N_("Load XNU ramdisk. "

View File

@ -0,0 +1,61 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Sat, 7 Nov 2020 01:03:18 +0100
Subject: [PATCH] docs: Document the cutmem command
The command is not present in the docs/grub.texi user documentation.
Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
---
docs/grub.texi | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 71943b15dd1..067aa294162 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3941,6 +3941,7 @@ you forget a command, you can run the command @command{help}
* cpuid:: Check for CPU features
* crc:: Compute or check CRC32 checksums
* cryptomount:: Mount a crypto device
+* cutmem:: Remove memory regions
* date:: Display or set current date and time
* devicetree:: Load a device tree blob
* distrust:: Remove a pubkey from trusted keys
@@ -4098,6 +4099,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
that are often result of memory damage, due to physical distribution of memory
cells.
+The command is similar to @command{cutmem} command.
+
Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
This prevents removing EFI memory regions to potentially subvert the
security mechanisms provided by the UEFI secure boot.
@@ -4261,6 +4264,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
be used.
@end deffn
+@node cutmem
+@subsection cutmem
+
+@deffn Command cutmem from[K|M|G] to[K|M|G]
+Remove any memory regions in specified range.
+@end deffn
+
+This command notifies the memory manager that specified regions of RAM ought to
+be filtered out. This remains in effect after a payload kernel has been loaded
+by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
+that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
+kernels in general.
+
+The command is similar to @command{badram} command.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This prevents removing EFI memory regions to potentially subvert the
+ security mechanisms provided by the UEFI secure boot.
@node date
@subsection date

View File

@ -0,0 +1,83 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 29 Sep 2020 14:08:55 +0200
Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
When a module is attempted to be removed its reference counter is always
decremented. This means that repeated rmmod invocations will cause the
module to be unloaded even if another module depends on it.
This may lead to a use-after-free scenario allowing an attacker to execute
arbitrary code and by-pass the UEFI Secure Boot protection.
While being there, add the extern keyword to some function declarations in
that header file.
Fixes: CVE-2020-25632
Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/minicmd.c | 7 +++++--
grub-core/kern/dl.c | 9 +++++++++
include/grub/dl.h | 8 +++++---
3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
index b25ca4b9f17..4660a020bda 100644
--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
@@ -137,8 +137,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
if (! mod)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such module");
- if (grub_dl_unref (mod) <= 0)
- grub_dl_unload (mod);
+ if (grub_dl_ref_count (mod) > 1)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
+
+ grub_dl_unref (mod);
+ grub_dl_unload (mod);
return 0;
}
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
index 91105bc4677..333c1329eab 100644
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -621,6 +621,15 @@ grub_dl_unref (grub_dl_t mod)
return --mod->ref_count;
}
+int
+grub_dl_ref_count (grub_dl_t mod)
+{
+ if (mod == NULL)
+ return 0;
+
+ return mod->ref_count;
+}
+
static void
grub_dl_flush_cache (grub_dl_t mod)
{
diff --git a/include/grub/dl.h b/include/grub/dl.h
index 7b5bfb07ce6..a58fbc767c0 100644
--- a/include/grub/dl.h
+++ b/include/grub/dl.h
@@ -204,9 +204,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
-void grub_dl_unload_unneeded (void);
-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
+extern void grub_dl_unload_unneeded (void);
+extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
+extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
+
extern grub_dl_t EXPORT_VAR(grub_dl_head);
#ifndef GRUB_UTIL

View File

@ -0,0 +1,112 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 11 Dec 2020 19:19:21 +0100
Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
devices
The maximum number of configurations and interfaces are fixed but there is
no out-of-bound checking to prevent a malicious USB device to report large
values for these and cause accesses outside the arrays' memory.
Fixes: CVE-2020-25647
Reported-by: Joseph Tartaro (IOActive)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/bus/usb/usb.c | 15 ++++++++++++---
include/grub/usb.h | 10 +++++++---
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
index 8da5e4c7491..7cb3cc230b2 100644
--- a/grub-core/bus/usb/usb.c
+++ b/grub-core/bus/usb/usb.c
@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
grub_usb_err_t
grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
{
+ if (endpoint >= GRUB_USB_MAX_TOGGLE)
+ return GRUB_USB_ERR_BADDEVICE;
+
dev->toggle[endpoint] = 0;
return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
| GRUB_USB_REQTYPE_STANDARD
@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
return err;
descdev = &dev->descdev;
- for (i = 0; i < 8; i++)
+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
dev->config[i].descconf = NULL;
- if (descdev->configcnt == 0)
+ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
{
err = GRUB_USB_ERR_BADDEVICE;
goto fail;
@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
/* Skip the configuration descriptor. */
pos = dev->config[i].descconf->length;
+ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
+ {
+ err = GRUB_USB_ERR_BADDEVICE;
+ goto fail;
+ }
+
/* Read all interfaces. */
for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
{
@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
fail:
- for (i = 0; i < 8; i++)
+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
grub_free (dev->config[i].descconf);
return err;
diff --git a/include/grub/usb.h b/include/grub/usb.h
index 512ae1dd0e6..6475c552fc6 100644
--- a/include/grub/usb.h
+++ b/include/grub/usb.h
@@ -23,6 +23,10 @@
#include <grub/usbdesc.h>
#include <grub/usbtrans.h>
+#define GRUB_USB_MAX_CONF 8
+#define GRUB_USB_MAX_IF 32
+#define GRUB_USB_MAX_TOGGLE 256
+
typedef struct grub_usb_device *grub_usb_device_t;
typedef struct grub_usb_controller *grub_usb_controller_t;
typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
@@ -167,7 +171,7 @@ struct grub_usb_configuration
struct grub_usb_desc_config *descconf;
/* Interfaces associated to this configuration. */
- struct grub_usb_interface interf[32];
+ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
};
struct grub_usb_hub_port
@@ -191,7 +195,7 @@ struct grub_usb_device
struct grub_usb_controller controller;
/* Device configurations (after opening the device). */
- struct grub_usb_configuration config[8];
+ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
/* Device address. */
int addr;
@@ -203,7 +207,7 @@ struct grub_usb_device
int initialized;
/* Data toggle values (used for bulk transfers only). */
- int toggle[256];
+ int toggle[GRUB_USB_MAX_TOGGLE];
/* Used by libusb wrapper. Schedulded for removal. */
void *data;

View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 3 Dec 2020 14:39:45 +0000
Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
When returning from grub_mmap_iterate() the memory allocated to present
is not being released causing it to leak.
Fixes: CID 96655
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/mmap/mmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
index 7ebf32e1e5e..8bf235f3400 100644
--- a/grub-core/mmap/mmap.c
+++ b/grub-core/mmap/mmap.c
@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
hook_data))
{
grub_free (ctx.scanline_events);
+ grub_free (present);
return GRUB_ERR_NONE;
}
@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
}
grub_free (ctx.scanline_events);
+ grub_free (present);
return GRUB_ERR_NONE;
}

View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 27 Nov 2020 15:10:26 +0000
Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
It is always possible that grub_zalloc() could fail, so we should check for
a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
Fixes: CID 296221
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/net.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
index 0e72bbb9b39..50d0609038c 100644
--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
@@ -89,8 +89,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
/* Add sender to cache table. */
if (card->link_layer_table == NULL)
- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
- * sizeof (card->link_layer_table[0]));
+ {
+ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
+ * sizeof (card->link_layer_table[0]));
+ if (card->link_layer_table == NULL)
+ return;
+ }
+
entry = &(card->link_layer_table[card->new_ll_entry]);
entry->avail = 1;
grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));

View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 19 Feb 2021 17:12:23 +0000
Subject: [PATCH] net/tftp: Fix dangling memory pointer
The static code analysis tool, Parfait, reported that the valid of
file->data was left referencing memory that was freed by the call to
grub_free(data) where data was initialized from file->data.
To ensure that there is no unintentional access to this memory
referenced by file->data we should set the pointer to NULL.
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/tftp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index b9a4b607a3d..aa0424dcee3 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -444,6 +444,7 @@ tftp_close (struct grub_file *file)
grub_net_udp_close (data->sock);
}
grub_free (data);
+ file->data = NULL;
return GRUB_ERR_NONE;
}

View File

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 22 Jan 2021 12:32:41 +0000
Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
After processing the command-line yet arriving at the point where we are
setting argv, we are allocating memory, even if argc == 0, which makes
no sense since we never put anything into the allocated argv.
The solution is to simply return that we've successfully processed the
arguments but that argc == 0, and also ensure that argv is NULL when
we're not allocating anything in it.
There are only 2 callers of this function, and both are handling a zero
value in argc assuming nothing is allocated in argv.
Fixes: CID 96680
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/parser.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
index 619db3122a0..d1cf061ad68 100644
--- a/grub-core/kern/parser.c
+++ b/grub-core/kern/parser.c
@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
int i;
*argc = 0;
+ *argv = NULL;
do
{
if (!rd || !*rd)
@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
(*argc)++;
}
+ /* If there are no args, then we're done. */
+ if (!*argc)
+ return 0;
+
/* Reserve memory for the return values. */
args = grub_malloc (bp - buffer);
if (!args)

View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 5 Nov 2020 10:15:25 +0000
Subject: [PATCH] kern/efi: Fix memory leak on failure
Free the memory allocated to name before returning on failure.
Fixes: CID 296222
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/efi/efi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index 5dfcf943322..4b95a400490 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -400,6 +400,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
{
grub_error (GRUB_ERR_OUT_OF_RANGE,
"malformed EFI Device Path node has length=%d", len);
+ grub_free (name);
return NULL;
}

View File

@ -0,0 +1,65 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 11 Dec 2020 15:03:13 +0000
Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
The model of grub_efi_get_memory_map() is that if memory_map is NULL,
then the purpose is to discover how much memory should be allocated to
it for the subsequent call.
The problem here is that with grub_efi_is_finished set to 1, there is no
check at all that the function is being called with a non-NULL memory_map.
While this MAY be true, we shouldn't assume it.
The solution to this is to behave as expected, and if memory_map is NULL,
then don't try to use it and allow memory_map_size to be filled in, and
return 0 as is done later in the code if the buffer is too small (or NULL).
Additionally, drop unneeded ret = 1.
Fixes: CID 96632
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/efi/mm.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
index 306924f73a4..2d9c9032b2a 100644
--- a/grub-core/kern/efi/mm.c
+++ b/grub-core/kern/efi/mm.c
@@ -372,16 +372,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
if (grub_efi_is_finished)
{
int ret = 1;
- if (*memory_map_size < finish_mmap_size)
+
+ if (memory_map != NULL)
{
- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+ if (*memory_map_size < finish_mmap_size)
+ {
+ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+ ret = 0;
+ }
+ else
+ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+ }
+ else
+ {
+ /*
+ * Incomplete, no buffer to copy into, same as
+ * GRUB_EFI_BUFFER_TOO_SMALL below.
+ */
ret = 0;
}
- else
- {
- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
- ret = 1;
- }
*memory_map_size = finish_mmap_size;
if (map_key)
*map_key = finish_key;

View File

@ -0,0 +1,73 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Wed, 21 Oct 2020 14:41:27 +0000
Subject: [PATCH] gnulib/regexec: Resolve unused variable
This is a really minor issue where a variable is being assigned to but
not checked before it is overwritten again.
The reason for this issue is that we are not building with DEBUG set and
this in turn means that the assert() that reads the value of the
variable match_last is being processed out.
The solution, move the assignment to match_last in to an ifdef DEBUG too.
Fixes: CID 292459
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gnulib/regexec.c | 4 ++++
conf/Makefile.extra-dist | 1 +
grub-core/gnulib-fix-unused-value.patch | 14 ++++++++++++++
3 files changed, 19 insertions(+)
create mode 100644 grub-core/gnulib-fix-unused-value.patch
diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c
index a7776f088f2..9264f262893 100644
--- a/grub-core/gnulib/regexec.c
+++ b/grub-core/gnulib/regexec.c
@@ -879,7 +879,11 @@ re_search_internal (const regex_t *preg,
break;
if (BE (err != REG_NOMATCH, 0))
goto free_return;
+#ifdef DEBUG
+ /* Only used for assertion below when DEBUG is set, otherwise
+ it will be over-written when we loop around. */
match_last = REG_MISSING;
+#endif
}
else
break; /* We found a match. */
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 5946ec24a65..b53fe6dfdcc 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
EXTRA_DIST += grub-core/genemuinitheader.sh
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
+EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
EXTRA_DIST += grub-core/gnulib-fix-width.diff
EXTRA_DIST += grub-core/gnulib-no-abort.diff
EXTRA_DIST += grub-core/gnulib-no-gets.diff
diff --git a/grub-core/gnulib-fix-unused-value.patch b/grub-core/gnulib-fix-unused-value.patch
new file mode 100644
index 00000000000..452a8732922
--- /dev/null
+++ b/grub-core/gnulib-fix-unused-value.patch
@@ -0,0 +1,14 @@
+--- grub-core/gnulib/regexec.c 2020-10-21 14:25:35.310195912 +0000
++++ grub-core/gnulib/regexec.c 2020-10-21 14:32:07.961765604 +0000
+@@ -828,7 +828,11 @@
+ break;
+ if (BE (err != REG_NOMATCH, 0))
+ goto free_return;
++#ifdef DEBUG
++ /* Only used for assertion below when DEBUG is set, otherwise
++ it will be over-written when we loop around. */
+ match_last = REG_MISSING;
++#endif
+ }
+ else
+ break; /* We found a match. */

View File

@ -0,0 +1,64 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 22 Oct 2020 13:54:06 +0000
Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
The code is assuming that the value of br_token.constraint was
initialized to zero when it wasn't.
While some compilers will ensure that, not all do, so it is better to
fix this explicitly than leave it to chance.
Fixes: CID 73749
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gnulib/regcomp.c | 2 +-
conf/Makefile.extra-dist | 1 +
grub-core/gnulib-fix-uninit-structure.patch | 11 +++++++++++
3 files changed, 13 insertions(+), 1 deletion(-)
create mode 100644 grub-core/gnulib-fix-uninit-structure.patch
diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c
index 596e0cf3ef7..de9f622088f 100644
--- a/grub-core/gnulib/regcomp.c
+++ b/grub-core/gnulib/regcomp.c
@@ -3641,7 +3641,7 @@ build_charclass_op (re_dfa_t *dfa, RE_TRANSLATE_TYPE trans,
Idx alloc = 0;
#endif /* not RE_ENABLE_I18N */
reg_errcode_t ret;
- re_token_t br_token;
+ re_token_t br_token = {0};
bin_tree_t *tree;
sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index b53fe6dfdcc..883baba56d5 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
EXTRA_DIST += grub-core/genemuinitheader.sh
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
+EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
EXTRA_DIST += grub-core/gnulib-fix-width.diff
EXTRA_DIST += grub-core/gnulib-no-abort.diff
diff --git a/grub-core/gnulib-fix-uninit-structure.patch b/grub-core/gnulib-fix-uninit-structure.patch
new file mode 100644
index 00000000000..7b4d9f67af4
--- /dev/null
+++ b/grub-core/gnulib-fix-uninit-structure.patch
@@ -0,0 +1,11 @@
+--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000
++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000
+@@ -3662,7 +3662,7 @@
+ Idx alloc = 0;
+ #endif /* not RE_ENABLE_I18N */
+ reg_errcode_t ret;
+- re_token_t br_token;
++ re_token_t br_token = {0};
+ bin_tree_t *tree;
+
+ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);

View File

@ -0,0 +1,64 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Wed, 28 Oct 2020 14:43:01 +0000
Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
All other instances of call to __argp_failure() where there is
a dgettext() call is first checking whether state is NULL before
attempting to dereference it to get the root_argp->argp_domain.
Fixes: CID 292436
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gnulib/argp-help.c | 3 ++-
conf/Makefile.extra-dist | 1 +
grub-core/gnulib-fix-null-state-deref.patch | 12 ++++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 grub-core/gnulib-fix-null-state-deref.patch
diff --git a/grub-core/gnulib/argp-help.c b/grub-core/gnulib/argp-help.c
index b9be63f40d2..8af8be07341 100644
--- a/grub-core/gnulib/argp-help.c
+++ b/grub-core/gnulib/argp-help.c
@@ -145,7 +145,8 @@ validate_uparams (const struct argp_state *state, struct uparams *upptr)
if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
{
__argp_failure (state, 0, 0,
- dgettext (state->root_argp->argp_domain,
+ dgettext (state == NULL ? NULL
+ : state->root_argp->argp_domain,
"\
ARGP_HELP_FMT: %s value is less than or equal to %s"),
"rmargin", up->name);
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 883baba56d5..06606de8d19 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
EXTRA_DIST += grub-core/genemuinitheader.sh
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
+EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
EXTRA_DIST += grub-core/gnulib-fix-width.diff
diff --git a/grub-core/gnulib-fix-null-state-deref.patch b/grub-core/gnulib-fix-null-state-deref.patch
new file mode 100644
index 00000000000..813ec09c8a1
--- /dev/null
+++ b/grub-core/gnulib-fix-null-state-deref.patch
@@ -0,0 +1,12 @@
+--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000
++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000
+@@ -145,7 +145,8 @@
+ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
+ {
+ __argp_failure (state, 0, 0,
+- dgettext (state->root_argp->argp_domain,
++ dgettext (state == NULL ? NULL
++ : state->root_argp->argp_domain,
+ "\
+ ARGP_HELP_FMT: %s value is less than or equal to %s"),
+ "rmargin", up->name);

View File

@ -0,0 +1,65 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 5 Nov 2020 10:57:14 +0000
Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
It appears to be possible that the mctx->state_log field may be NULL,
and the name of this function, clean_state_log_if_needed(), suggests
that it should be checking that it is valid to be cleaned before
assuming that it does.
Fixes: CID 86720
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gnulib/regexec.c | 3 +++
conf/Makefile.extra-dist | 1 +
grub-core/gnulib-fix-regexec-null-deref.patch | 12 ++++++++++++
3 files changed, 16 insertions(+)
create mode 100644 grub-core/gnulib-fix-regexec-null-deref.patch
diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c
index 9264f262893..fdacff12ce3 100644
--- a/grub-core/gnulib/regexec.c
+++ b/grub-core/gnulib/regexec.c
@@ -1754,6 +1754,9 @@ clean_state_log_if_needed (re_match_context_t *mctx, Idx next_state_log_idx)
{
Idx top = mctx->state_log_top;
+ if (mctx->state_log == NULL)
+ return REG_NOERROR;
+
if ((next_state_log_idx >= mctx->input.bufs_len
&& mctx->input.bufs_len < mctx->input.len)
|| (next_state_log_idx >= mctx->input.valid_len
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 06606de8d19..edbe7846eb1 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -32,6 +32,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
+EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch
EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
EXTRA_DIST += grub-core/gnulib-fix-width.diff
diff --git a/grub-core/gnulib-fix-regexec-null-deref.patch b/grub-core/gnulib-fix-regexec-null-deref.patch
new file mode 100644
index 00000000000..db6dac9c9e3
--- /dev/null
+++ b/grub-core/gnulib-fix-regexec-null-deref.patch
@@ -0,0 +1,12 @@
+--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
+@@ -1692,6 +1692,9 @@
+ {
+ Idx top = mctx->state_log_top;
+
++ if (mctx->state_log == NULL)
++ return REG_NOERROR;
++
+ if ((next_state_log_idx >= mctx->input.bufs_len
+ && mctx->input.bufs_len < mctx->input.len)
+ || (next_state_log_idx >= mctx->input.valid_len

View File

@ -0,0 +1,64 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 24 Nov 2020 18:04:22 +0000
Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
This issue has been fixed in the latest version of gnulib, so to
maintain consistency, I've backported that change rather than doing
something different.
Fixes: CID 73828
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gnulib/regcomp.c | 3 +--
conf/Makefile.extra-dist | 1 +
grub-core/gnulib-fix-regcomp-uninit-token.patch | 12 ++++++++++++
3 files changed, 14 insertions(+), 2 deletions(-)
create mode 100644 grub-core/gnulib-fix-regcomp-uninit-token.patch
diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c
index de9f622088f..6d0830ac691 100644
--- a/grub-core/gnulib/regcomp.c
+++ b/grub-core/gnulib/regcomp.c
@@ -3790,8 +3790,7 @@ static bin_tree_t *
create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
re_token_type_t type)
{
- re_token_t t;
- t.type = type;
+ re_token_t t = { .type = type };
return create_token_tree (dfa, left, right, &t);
}
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index edbe7846eb1..ee276a87764 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -32,6 +32,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
+EXTRA_DIST += grub-core/gnulib-fix-regcomp-uninit-token.patch
EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch
EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
diff --git a/grub-core/gnulib-fix-regcomp-uninit-token.patch b/grub-core/gnulib-fix-regcomp-uninit-token.patch
new file mode 100644
index 00000000000..d615745221b
--- /dev/null
+++ b/grub-core/gnulib-fix-regcomp-uninit-token.patch
@@ -0,0 +1,12 @@
+--- grub-core/gnulib/regcomp.c
++++ grub-core/gnulib/regcomp.c
+@@ -3808,8 +3808,7 @@ static bin_tree_t *
+ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
+ re_token_type_t type)
+ {
+- re_token_t t;
+- t.type = type;
++ re_token_t t = { .type = type };
+ return create_token_tree (dfa, left, right, &t);
+ }
+

View File

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Wed, 21 Oct 2020 14:44:10 +0000
Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
These 2 assignments are unnecessary since they are just assigning
to themselves.
Fixes: CID 73643
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/io/lzopio.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
index 7559c6c9cab..dcb58746da1 100644
--- a/grub-core/io/lzopio.c
+++ b/grub-core/io/lzopio.c
@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
sizeof (lzopio->block.ucheck)) !=
sizeof (lzopio->block.ucheck))
return -1;
-
- lzopio->block.ucheck = lzopio->block.ucheck;
}
/* Read checksum of compressed data. */
@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
sizeof (lzopio->block.ccheck)) !=
sizeof (lzopio->block.ccheck))
return -1;
-
- lzopio->block.ccheck = lzopio->block.ccheck;
}
}

View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 23 Oct 2020 09:49:59 +0000
Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
string
There is the possibility that the value of str comes from an external
source and continuing to use it before ever checking its validity is
wrong. So, needs fixing.
Additionally, drop unneeded part initialization.
Fixes: CID 292444
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/partition.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
index 2c401b866c4..3068c4dcac0 100644
--- a/grub-core/kern/partition.c
+++ b/grub-core/kern/partition.c
@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
grub_partition_t
grub_partition_probe (struct grub_disk *disk, const char *str)
{
- grub_partition_t part = 0;
+ grub_partition_t part;
grub_partition_t curpart = 0;
grub_partition_t tail;
const char *ptr;
+ if (str == NULL)
+ return 0;
+
part = tail = disk->partition;
for (ptr = str; *ptr;)

View File

@ -0,0 +1,125 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marco A Benatto <mbenatto@redhat.com>
Date: Mon, 7 Dec 2020 11:53:03 -0300
Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
make_vg()
Several error handling paths in make_vg() do not free comp data before
jumping to fail2 label and returning from the function. This will leak
memory. So, let's fix all issues of that kind.
Fixes: CID 73804
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 44 insertions(+), 7 deletions(-)
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
index 58f8a53e1ab..428415fac24 100644
--- a/grub-core/disk/ldm.c
+++ b/grub-core/disk/ldm.c
@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
comp->segments = grub_calloc (comp->segment_alloc,
sizeof (*comp->segments));
if (!comp->segments)
- goto fail2;
+ {
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+ }
}
else
{
@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
comp->segment_count = 1;
comp->segments = grub_malloc (sizeof (*comp->segments));
if (!comp->segments)
- goto fail2;
+ {
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+ }
comp->segments->start_extent = 0;
comp->segments->extent_count = lv->size;
comp->segments->layout = 0;
@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
}
else
- goto fail2;
+ {
+ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+ }
ptr += *ptr + 1;
ptr++;
if (!(vblk[i].flags & 0x10))
- goto fail2;
+ {
+ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+ }
if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
|| ptr + *ptr + 1 >= vblk[i].dynamic
+ sizeof (vblk[i].dynamic))
{
+ grub_free (comp->segments);
grub_free (comp->internal_id);
grub_free (comp);
goto fail2;
@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
if (ptr + *ptr + 1 >= vblk[i].dynamic
+ sizeof (vblk[i].dynamic))
{
+ grub_free (comp->segments);
grub_free (comp->internal_id);
grub_free (comp);
goto fail2;
@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
sizeof (*comp->segments->nodes));
if (!lv->segments->nodes)
- goto fail2;
+ {
+ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+ }
}
if (lv->segments->node_alloc == lv->segments->node_count)
@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
- goto fail2;
+ {
+ grub_free (comp->segments->nodes);
+ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+ }
t = grub_realloc (lv->segments->nodes, sz);
if (!t)
- goto fail2;
+ {
+ grub_free (comp->segments->nodes);
+ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+ }
lv->segments->nodes = t;
}
lv->segments->nodes[lv->segments->node_count].pv = 0;

View File

@ -0,0 +1,25 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Date: Mon, 7 Dec 2020 10:07:47 -0300
Subject: [PATCH] disk/ldm: If failed then free vg variable too
Fixes: CID 73809
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/ldm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
index 428415fac24..54713f45a12 100644
--- a/grub-core/disk/ldm.c
+++ b/grub-core/disk/ldm.c
@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
{
grub_free (vg->uuid);
grub_free (vg->name);
+ grub_free (vg);
return NULL;
}
grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);

View File

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 8 Dec 2020 10:00:51 +0000
Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
The problem here is that the memory allocated to the variable lv is not
yet inserted into the list that is being processed at the label fail2.
As we can already see at line 342, which correctly frees lv before going
to fail2, we should also be doing that at these earlier jumps to fail2.
Fixes: CID 73824
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/ldm.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
index 54713f45a12..e82e9899f96 100644
--- a/grub-core/disk/ldm.c
+++ b/grub-core/disk/ldm.c
@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
lv->visible = 1;
lv->segments = grub_zalloc (sizeof (*lv->segments));
if (!lv->segments)
- goto fail2;
+ {
+ grub_free (lv);
+ goto fail2;
+ }
lv->segments->start_extent = 0;
lv->segments->type = GRUB_DISKFILTER_MIRROR;
lv->segments->node_count = 0;
@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
sizeof (*lv->segments->nodes));
if (!lv->segments->nodes)
- goto fail2;
+ {
+ grub_free (lv);
+ goto fail2;
+ }
ptr = vblk[i].dynamic;
if (ptr + *ptr + 1 >= vblk[i].dynamic
+ sizeof (vblk[i].dynamic))

View File

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 21 Jan 2021 11:38:31 +0000
Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
The encrypt and decrypt functions expect a grub_size_t. So, we need to
ensure that the constant bit shift is using grub_size_t rather than
unsigned int when it is performing the shift.
Fixes: CID 307788
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/cryptodisk.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index bd60a66b384..78a902515e9 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
case GRUB_CRYPTODISK_MODE_CBC:
if (do_encrypt)
err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
- (1U << dev->log_sector_size), iv);
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
else
err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
- (1U << dev->log_sector_size), iv);
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
if (err)
return err;
break;
@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
case GRUB_CRYPTODISK_MODE_PCBC:
if (do_encrypt)
err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
- (1U << dev->log_sector_size), iv);
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
else
err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
- (1U << dev->log_sector_size), iv);
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
if (err)
return err;
break;

View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 23 Oct 2020 17:09:31 +0000
Subject: [PATCH] hfsplus: Check that the volume name length is valid
HFS+ documentation suggests that the maximum filename and volume name is
255 Unicode characters in length.
So, when converting from big-endian to little-endian, we should ensure
that the name of the volume has a length that is between 0 and 255,
inclusive.
Fixes: CID 73641
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/hfsplus.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index e06bcbb9ba3..03a33ea2477 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -1012,6 +1012,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
label_len = grub_be_to_cpu16 (catkey->namelen);
+
+ /* Ensure that the length is >= 0. */
+ if (label_len < 0)
+ label_len = 0;
+
+ /* Ensure label length is at most 255 Unicode characters. */
+ if (label_len > 255)
+ label_len = 255;
+
label_name = grub_calloc (label_len, sizeof (*label_name));
if (!label_name)
{

View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 24 Nov 2020 16:41:49 +0000
Subject: [PATCH] zfs: Fix possible negative shift operation
While it is possible for the return value from zfs_log2() to be zero
(0), it is quite unlikely, given that the previous assignment to blksz
is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
assignment to epbs.
But, while unlikely during a normal operation, it may be that a carefully
crafted ZFS filesystem could result in a zero (0) value to the
dn_datalbkszsec field, which means that the shift left does nothing
and assigns zero (0) to blksz, resulting in a negative epbs value.
Fixes: CID 73608
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/zfs/zfs.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index c6204367e78..3dfde080750 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
mdn->endian) << SPA_MINBLOCKSHIFT;
epbs = zfs_log2 (blksz) - DNODE_SHIFT;
+
+ /* While this should never happen, we should check that epbs is not negative. */
+ if (epbs < 0)
+ epbs = 0;
+
blkid = objnum >> epbs;
idx = objnum & ((1 << epbs) - 1);

View File

@ -0,0 +1,118 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Date: Mon, 14 Dec 2020 18:54:49 -0300
Subject: [PATCH] zfs: Fix resource leaks while constructing path
There are several exit points in dnode_get_path() that are causing possible
memory leaks.
In the while(1) the correct exit mechanism should not be to do a direct return,
but to instead break out of the loop, setting err first if it is not already set.
The reason behind this is that the dnode_path is a linked list, and while doing
through this loop, it is being allocated and built up - the only way to
correctly unravel it is to traverse it, which is what is being done at the end
of the function outside of the loop.
Several of the existing exit points correctly did a break, but not all so this
change makes that more consistent and should resolve the leaking of memory as
found by Coverity.
Fixes: CID 73741
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index 3dfde080750..44d8bde6b33 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
{
- grub_free (path_buf);
- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
+ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
+ break;
}
err = zap_lookup (&(dnode_path->dn), cname, &objnum,
data, subvol->case_insensitive);
@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
<< SPA_MINBLOCKSHIFT);
if (blksz == 0)
- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
+ {
+ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
+ break;
+ }
sym_value = grub_malloc (sym_sz);
if (!sym_value)
- return grub_errno;
+ {
+ err = grub_errno;
+ break;
+ }
+
for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
{
void *t;
@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
if (err)
{
grub_free (sym_value);
- return err;
+ break;
}
movesize = sym_sz - block * blksz;
@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
grub_memcpy (sym_value + block * blksz, t, movesize);
grub_free (t);
}
+ if (err)
+ break;
free_symval = 1;
}
path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
grub_free (oldpathbuf);
if (free_symval)
grub_free (sym_value);
- return grub_errno;
+ err = grub_errno;
+ break;
}
grub_memcpy (path, sym_value, sym_sz);
if (free_symval)
@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
if (err)
- return err;
+ break;
}
else
{
- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
+ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
+ break;
}
hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
if (!path_buf)
{
grub_free (oldpathbuf);
- return grub_errno;
+ err = grub_errno;
+ break;
}
grub_memcpy (path, sym_value, sym_sz);
path [sym_sz] = 0;

View File

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 8 Dec 2020 22:17:04 +0000
Subject: [PATCH] zfs: Fix possible integer overflows
In all cases the problem is that the value being acted upon by
a left-shift is a 32-bit number which is then being used in the
context of a 64-bit number.
To avoid overflow we ensure that the number being shifted is 64-bit
before the shift is done.
Fixes: CID 73684, CID 73695, CID 73764
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/zfs/zfs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index 44d8bde6b33..0d8c08eec92 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
+ ((i << ub_shift)
/ sizeof (grub_properly_aligned_t)));
- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
+ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
if (err)
{
grub_errno = GRUB_ERR_NONE;
@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
high = grub_divmod64 ((offset >> desc->ashift) + c,
desc->n_children, &devn);
- csize = bsize << desc->ashift;
+ csize = (grub_size_t) bsize << desc->ashift;
if (csize > len)
csize = len;
@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
while (len > 0)
{
- grub_size_t csize;
- csize = ((s / (desc->n_children - desc->nparity))
+ grub_size_t csize = s;
+ csize = ((csize / (desc->n_children - desc->nparity))
<< desc->ashift);
if (csize > len)
csize = len;

View File

@ -0,0 +1,32 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 26 Nov 2020 10:56:45 +0000
Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
While arguably the check for grub_errno is correct, we should really be
checking the return value from the function since it is always possible
that grub_errno was set elsewhere, making this code behave incorrectly.
Fixes: CID 73668
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/zfs/zfsinfo.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
index c8a28acf52b..bf2918018e7 100644
--- a/grub-core/fs/zfs/zfsinfo.c
+++ b/grub-core/fs/zfs/zfsinfo.c
@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
devname = grub_file_get_device_name (args[0]);
- if (grub_errno)
- return grub_errno;
+ if (devname == NULL)
+ return GRUB_ERR_OUT_OF_MEMORY;
dev = grub_device_open (devname);
grub_free (devname);

View File

@ -0,0 +1,79 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 26 Nov 2020 12:48:07 +0000
Subject: [PATCH] affs: Fix memory leaks
The node structure reference is being allocated but not freed if it
reaches the end of the function. If any of the hooks had returned
a non-zero value, then node would have been copied in to the context
reference, but otherwise node is not stored and should be freed.
Similarly, the call to grub_affs_create_node() replaces the allocated
memory in node with a newly allocated structure, leaking the existing
memory pointed by node.
Finally, when dir->parent is set, then we again replace node with newly
allocated memory, which seems unnecessary when we copy in the values
from dir->parent immediately after.
Fixes: CID 73759
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/affs.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
index 91073795f90..e4615c74381 100644
--- a/grub-core/fs/affs.c
+++ b/grub-core/fs/affs.c
@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
{
unsigned int i;
struct grub_affs_file file;
- struct grub_fshelp_node *node = 0;
+ struct grub_fshelp_node *node, *orig_node;
struct grub_affs_data *data = dir->data;
grub_uint32_t *hashtable;
/* Create the directory entries for `.' and `..'. */
- node = grub_zalloc (sizeof (*node));
+ node = orig_node = grub_zalloc (sizeof (*node));
if (!node)
return 1;
@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
return 1;
if (dir->parent)
{
- node = grub_zalloc (sizeof (*node));
- if (!node)
- return 1;
*node = *dir->parent;
if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
return 1;
@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
next, &file))
- return 1;
+ {
+ /* Node has been replaced in function. */
+ grub_free (orig_node);
+ return 1;
+ }
next = grub_be_to_cpu32 (file.next);
}
}
- grub_free (hashtable);
- return 0;
-
fail:
- grub_free (node);
+ grub_free (orig_node);
grub_free (hashtable);
return 0;
}

View File

@ -0,0 +1,32 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 3 Nov 2020 16:43:37 +0000
Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
The array of unsigned char gets promoted to a signed 32-bit int before
it is finally promoted to a size_t. There is the possibility that this
may result in the signed-bit being set for the intermediate signed
32-bit int. We should ensure that the promotion is to the correct type
before we bitwise-OR the values.
Fixes: CID 96697
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
index a3435ed142a..7ecad27b23a 100644
--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
+++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
if (len && len < 4)
return gcry_error (GPG_ERR_TOO_SHORT);
- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
+ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
s += 4;
if (len)
len -= 4;

View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 26 Nov 2020 10:41:54 +0000
Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
is no explicit check for that, so we add one.
Fixes: CID 73757
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
index 7ecad27b23a..6fe38916532 100644
--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
+++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
unsigned int len;
int secure = (buffer && gcry_is_secure (buffer));
+ if (!buffer)
+ return gcry_error (GPG_ERR_INV_ARG);
+
if (format == GCRYMPI_FMT_SSH)
len = 0;
else

View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 26 Nov 2020 15:31:53 +0000
Subject: [PATCH] syslinux: Fix memory leak while parsing
In syslinux_parse_real() the 2 points where return is being called
didn't release the memory stored in buf which is no longer required.
Fixes: CID 176634
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/lib/syslinux_parse.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
index 21ca040ada7..2eb59ff8ac4 100644
--- a/grub-core/lib/syslinux_parse.c
+++ b/grub-core/lib/syslinux_parse.c
@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
&& grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
{
if (helptext (ptr5, file, menu))
- return 1;
+ {
+ grub_free (buf);
+ return 1;
+ }
continue;
}
@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
}
fail:
grub_file_close (file);
+ grub_free (buf);
return err;
}

View File

@ -0,0 +1,49 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 4 Dec 2020 18:56:48 +0000
Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
completion
It is possible for the code to reach the end of the function without
freeing the memory allocated to argv and argc still to be 0.
We should always call grub_free(argv). The grub_free() will handle
a NULL argument correctly if it reaches that code without the memory
being allocated.
Fixes: CID 96672
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/normal/completion.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
index 93aa0d8eda8..5036bcf2d98 100644
--- a/grub-core/normal/completion.c
+++ b/grub-core/normal/completion.c
@@ -401,8 +401,8 @@ char *
grub_normal_do_completion (char *buf, int *restore,
void (*hook) (const char *, grub_completion_type_t, int))
{
- int argc;
- char **argv;
+ int argc = 0;
+ char **argv = NULL;
/* Initialize variables. */
match = 0;
@@ -517,10 +517,8 @@ grub_normal_do_completion (char *buf, int *restore,
fail:
if (argc != 0)
- {
- grub_free (argv[0]);
- grub_free (argv);
- }
+ grub_free (argv[0]);
+ grub_free (argv);
grub_free (match);
grub_errno = GRUB_ERR_NONE;

View File

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Tue, 1 Dec 2020 23:41:24 +0000
Subject: [PATCH] commands/hashsum: Fix a memory leak
check_list() uses grub_file_getline(), which allocates a buffer.
If the hash list file contains invalid lines, the function leaks
this buffer when it returns an error.
Fixes: CID 176635
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/hashsum.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
index d18687351a5..282922bba1e 100644
--- a/grub-core/commands/hashsum.c
+++ b/grub-core/commands/hashsum.c
@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
high = hextoval (*p++);
low = hextoval (*p++);
if (high < 0 || low < 0)
- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+ {
+ grub_free (buf);
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+ }
expected[i] = (high << 4) | low;
}
if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+ {
+ grub_free (buf);
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+ }
p += 2;
if (prefix)
{
@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
filename = grub_xasprintf ("%s/%s", prefix, p);
if (!filename)
- return grub_errno;
+ {
+ grub_free (buf);
+ return grub_errno;
+ }
if (!uncompress)
grub_file_filter_disable_compression ();
file = grub_file_open (filename);

View File

@ -0,0 +1,91 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 8 Dec 2020 21:14:31 +0000
Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
grub_video_gop_fill_mode_info()
The return value of grub_video_gop_fill_mode_info() is never able to be
anything other than GRUB_ERR_NONE. So, rather than continue to return
a value and checking it each time, it is more correct to redefine the
function to not return anything and remove checks of its return value
altogether.
Fixes: CID 96701
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/efi_gop.c | 25 ++++++-------------------
1 file changed, 6 insertions(+), 19 deletions(-)
diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
index c9e40e8d4e9..9fcc41ac03c 100644
--- a/grub-core/video/efi_gop.c
+++ b/grub-core/video/efi_gop.c
@@ -229,7 +229,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
return GRUB_ERR_NONE;
}
-static grub_err_t
+static void
grub_video_gop_fill_mode_info (unsigned mode,
struct grub_efi_gop_mode_info *in,
struct grub_video_mode_info *out)
@@ -254,8 +254,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
| GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
-
- return GRUB_ERR_NONE;
}
static int
@@ -268,7 +266,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
grub_efi_uintn_t size;
grub_efi_status_t status;
struct grub_efi_gop_mode_info *info = NULL;
- grub_err_t err;
struct grub_video_mode_info mode_info;
status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
@@ -279,12 +276,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
continue;
}
- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
- if (err)
- {
- grub_errno = GRUB_ERR_NONE;
- continue;
- }
+ grub_video_gop_fill_mode_info (mode, info, &mode_info);
if (hook (&mode_info, hook_arg))
return 1;
}
@@ -468,13 +460,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
info = gop->mode->info;
- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
- &framebuffer.mode_info);
- if (err)
- {
- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
- return err;
- }
+ grub_video_gop_fill_mode_info (gop->mode->mode, info,
+ &framebuffer.mode_info);
framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
framebuffer.offscreen
@@ -488,8 +475,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
{
grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
grub_errno = 0;
- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
- &framebuffer.mode_info);
+ grub_video_gop_fill_mode_info (gop->mode->mode, info,
+ &framebuffer.mode_info);
buffer = framebuffer.ptr;
}

View File

@ -0,0 +1,75 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Wed, 4 Nov 2020 15:10:51 +0000
Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
The multiplication of 2 unsigned 32-bit integers may overflow before
promotion to unsigned 64-bit. We should ensure that the multiplication
is done with overflow detection. Additionally, use grub_sub() for
subtraction.
Fixes: CID 73640, CID 73697, CID 73702, CID 73823
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/fb/fbfill.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
index 11816d07a0b..a37acd1e293 100644
--- a/grub-core/video/fb/fbfill.c
+++ b/grub-core/video/fb/fbfill.c
@@ -31,6 +31,7 @@
#include <grub/fbfill.h>
#include <grub/fbutil.h>
#include <grub/types.h>
+#include <grub/safemath.h>
#include <grub/video.h>
/* Generic filler that works for every supported mode. */
@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
#endif
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);

View File

@ -0,0 +1,101 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Wed, 4 Nov 2020 14:43:44 +0000
Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
The calculation of the unsigned 64-bit value is being generated by
multiplying 2, signed or unsigned, 32-bit integers which may overflow
before promotion to unsigned 64-bit. Fix all of them.
Fixes: CID 73703, CID 73767, CID 73833
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++++++++-------------
1 file changed, 36 insertions(+), 16 deletions(-)
diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
index 1a602c8b251..1c9a138dcdc 100644
--- a/grub-core/video/fb/video_fb.c
+++ b/grub-core/video/fb/video_fb.c
@@ -25,6 +25,7 @@
#include <grub/fbutil.h>
#include <grub/bitmap.h>
#include <grub/dl.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
{
if (framebuffer.current_dirty.first_line
<= framebuffer.current_dirty.last_line)
- grub_memcpy ((char *) framebuffer.pages[0]
- + framebuffer.current_dirty.first_line
- * framebuffer.back_target->mode_info.pitch,
- (char *) framebuffer.back_target->data
- + framebuffer.current_dirty.first_line
- * framebuffer.back_target->mode_info.pitch,
- framebuffer.back_target->mode_info.pitch
- * (framebuffer.current_dirty.last_line
- - framebuffer.current_dirty.first_line));
+ {
+ grub_size_t copy_size;
+
+ if (grub_sub (framebuffer.current_dirty.last_line,
+ framebuffer.current_dirty.first_line, &copy_size) ||
+ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
+ {
+ /* Shouldn't happen, but if it does we've a bug. */
+ return GRUB_ERR_BUG;
+ }
+
+ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
+ framebuffer.back_target->mode_info.pitch,
+ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
+ framebuffer.back_target->mode_info.pitch,
+ copy_size);
+ }
framebuffer.current_dirty.first_line
= framebuffer.back_target->mode_info.height;
framebuffer.current_dirty.last_line = 0;
@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
volatile void *framebuf)
{
grub_err_t err;
- grub_size_t page_size = mode_info.pitch * mode_info.height;
+ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
framebuffer.offscreen_buffer = grub_zalloc (page_size);
if (! framebuffer.offscreen_buffer)
@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
last_line = framebuffer.previous_dirty.last_line;
if (first_line <= last_line)
- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
- + first_line * framebuffer.back_target->mode_info.pitch,
- (char *) framebuffer.back_target->data
- + first_line * framebuffer.back_target->mode_info.pitch,
- framebuffer.back_target->mode_info.pitch
- * (last_line - first_line));
+ {
+ grub_size_t copy_size;
+
+ if (grub_sub (last_line, first_line, &copy_size) ||
+ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
+ {
+ /* Shouldn't happen, but if it does we've a bug. */
+ return GRUB_ERR_BUG;
+ }
+
+ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
+ framebuffer.back_target->mode_info.pitch,
+ (char *) framebuffer.back_target->data + first_line *
+ framebuffer.back_target->mode_info.pitch,
+ copy_size);
+ }
+
framebuffer.previous_dirty = framebuffer.current_dirty;
framebuffer.current_dirty.first_line
= framebuffer.back_target->mode_info.height;

View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 4 Dec 2020 14:51:30 +0000
Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
It is minimal possibility that the values being used here will overflow.
So, change the code to use the safemath function grub_mul() to ensure
that doesn't happen.
Fixes: CID 73761
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/fb/video_fb.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
index 1c9a138dcdc..ae6b89f9aea 100644
--- a/grub-core/video/fb/video_fb.c
+++ b/grub-core/video/fb/video_fb.c
@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
volatile void *page1_ptr)
{
grub_err_t err;
- grub_size_t page_size = mode_info->pitch * mode_info->height;
+ grub_size_t page_size = 0;
+
+ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
+ {
+ /* Shouldn't happen, but if it does we've a bug. */
+ return GRUB_ERR_BUG;
+ }
framebuffer.offscreen_buffer = grub_malloc (page_size);
if (! framebuffer.offscreen_buffer)

View File

@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 4 Dec 2020 15:39:00 +0000
Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
from a jpeg file
While it may never happen, and potentially could be caught at the end of
the function, it is worth checking up front for a bad reference to the
next marker just in case of a maliciously crafted file being provided.
Fixes: CID 73694
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/readers/jpeg.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index 21b0d9ded67..a4a8269e237 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
next_marker = data->file->offset;
next_marker += grub_jpeg_get_word (data);
+ if (next_marker > data->file->size)
+ {
+ /* Should never be set beyond the size of the file. */
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
+ }
+
while (data->file->offset + sizeof (data->quan_table[id]) + 1
<= next_marker)
{

View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Mon, 7 Dec 2020 14:44:47 +0000
Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as
dead
The test of value for NULL before calling grub_strdup() is not required,
since the if condition prior to this has already tested for value being
NULL and cannot reach this code if it is.
Fixes: CID 73659
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gfxmenu/gui_list.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
index 01477cdf2b3..df334a6c56f 100644
--- a/grub-core/gfxmenu/gui_list.c
+++ b/grub-core/gfxmenu/gui_list.c
@@ -771,7 +771,7 @@ list_set_property (void *vself, const char *name, const char *value)
{
self->need_to_recreate_boxes = 1;
grub_free (self->selected_item_box_pattern);
- self->selected_item_box_pattern = value ? grub_strdup (value) : 0;
+ self->selected_item_box_pattern = grub_strdup (value);
self->selected_item_box_pattern_inherit = 0;
}
}

View File

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 8 Dec 2020 21:47:13 +0000
Subject: [PATCH] loader/bsd: Check for NULL arg up-front
The code in the next block suggests that it is possible for .set to be
true but .arg may still be NULL.
This code assumes that it is never NULL, yet later is testing if it is
NULL - that is inconsistent.
So we should check first if .arg is not NULL, and remove this check that
is being flagged by Coverity since it is no longer required.
Fixes: CID 292471
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/loader/i386/bsd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
index 0f317632a3b..35a06e66d38 100644
--- a/grub-core/loader/i386/bsd.c
+++ b/grub-core/loader/i386/bsd.c
@@ -1600,7 +1600,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
kernel_type = KERNEL_TYPE_OPENBSD;
bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags);
- if (ctxt->state[OPENBSD_ROOT_ARG].set)
+ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL)
{
const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg;
unsigned type, unit, part;
@@ -1617,7 +1617,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
"unknown disk type name");
unit = grub_strtoul (arg, (char **) &arg, 10);
- if (! (arg && *arg >= 'a' && *arg <= 'z'))
+ if (! (*arg >= 'a' && *arg <= 'z'))
return grub_error (GRUB_ERR_BAD_ARGUMENT,
"only device specifications of form "
"<type><number><lowercase letter> are supported");

View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 26 Nov 2020 12:53:10 +0000
Subject: [PATCH] loader/xnu: Fix memory leak
The code here is finished with the memory stored in name, but it only
frees it if there curvalue is valid, while it could actually free it
regardless.
The fix is a simple relocation of the grub_free() to before the test
of curvalue.
Fixes: CID 96646
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/loader/xnu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
index 0c4b33250fb..2adeac8a549 100644
--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
@@ -1383,9 +1383,9 @@ grub_xnu_fill_devicetree (void)
name[len] = 0;
curvalue = grub_xnu_create_value (curkey, name);
- if (!curvalue)
- return grub_errno;
grub_free (name);
+ if (!curvalue)
+ return grub_errno;
data = grub_malloc (grub_strlen (var->value) + 1);
if (!data)

View File

@ -0,0 +1,74 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marco A Benatto <mbenatto@redhat.com>
Date: Mon, 30 Nov 2020 12:18:24 -0300
Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
grub_xnu_writetree_toheap()
... to avoid memory leaks.
Fixes: CID 96640
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
index 2adeac8a549..a0aaa290ef7 100644
--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
@@ -227,26 +227,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
if (! memorymap)
return grub_errno;
- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
+ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
if (! driverkey)
return grub_errno;
driverkey->name = grub_strdup ("DeviceTree");
if (! driverkey->name)
- return grub_errno;
+ {
+ err = grub_errno;
+ goto fail;
+ }
+
driverkey->datasize = sizeof (*extdesc);
driverkey->next = memorymap->first_child;
memorymap->first_child = driverkey;
driverkey->data = extdesc
= (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
if (! driverkey->data)
- return grub_errno;
+ {
+ err = grub_errno;
+ goto fail;
+ }
/* Allocate the space based on the size with dummy value. */
*size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
&src, target);
if (err)
- return err;
+ goto fail;
/* Put real data in the dummy. */
extdesc->addr = *target;
@@ -255,6 +262,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
/* Write the tree to heap. */
grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
return GRUB_ERR_NONE;
+
+ fail:
+ memorymap->first_child = NULL;
+
+ grub_free (driverkey->data);
+ grub_free (driverkey->name);
+ grub_free (driverkey);
+
+ return err;
}
/* Find a key or value in parent key. */

View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Date: Mon, 30 Nov 2020 10:36:00 -0300
Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it
Fixes: CID 73654
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/loader/xnu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
index a0aaa290ef7..5e0c8c84797 100644
--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
@@ -662,6 +662,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
char *name, *nameend;
int namelen;
+ if (infoplistname == NULL)
+ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename"));
+
name = get_name_ptr (infoplistname);
nameend = grub_strchr (name, '/');
@@ -693,10 +696,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
else
macho = 0;
- if (infoplistname)
- infoplist = grub_file_open (infoplistname);
- else
- infoplist = 0;
+ infoplist = grub_file_open (infoplistname);
grub_errno = GRUB_ERR_NONE;
if (infoplist)
{

View File

@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Thu, 5 Nov 2020 14:33:50 +0000
Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value
The return value of ftell() may be negative (-1) on error. While it is
probably unlikely to occur, we should not blindly cast to an unsigned
value without first testing that it is not negative.
Fixes: CID 73856
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
util/grub-editenv.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/util/grub-editenv.c b/util/grub-editenv.c
index 2918bb71cfe..e9011e0fbde 100644
--- a/util/grub-editenv.c
+++ b/util/grub-editenv.c
@@ -128,6 +128,7 @@ open_envblk_file (const char *name)
{
FILE *fp;
char *buf;
+ long loc;
size_t size;
grub_envblk_t envblk;
@@ -146,7 +147,12 @@ open_envblk_file (const char *name)
grub_util_error (_("cannot seek `%s': %s"), name,
strerror (errno));
- size = (size_t) ftell (fp);
+ loc = ftell (fp);
+ if (loc < 0)
+ grub_util_error (_("cannot get file location `%s': %s"), name,
+ strerror (errno));
+
+ size = (size_t) loc;
if (fseek (fp, 0, SEEK_SET) < 0)
grub_util_error (_("cannot seek `%s': %s"), name,

View File

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 4 Dec 2020 15:04:28 +0000
Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value
It is possible for the ftell() function to return a negative value,
although it is fairly unlikely here, we should be checking for
a negative value before we assign it to an unsigned value.
Fixes: CID 73744
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
util/glue-efi.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/util/glue-efi.c b/util/glue-efi.c
index 68f53168b58..de0fa6d33d5 100644
--- a/util/glue-efi.c
+++ b/util/glue-efi.c
@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename,
struct grub_macho_fat_header head;
struct grub_macho_fat_arch arch32, arch64;
grub_uint32_t size32, size64;
+ long size;
char *buf;
fseek (in32, 0, SEEK_END);
- size32 = ftell (in32);
+ size = ftell (in32);
+ if (size < 0)
+ grub_util_error ("cannot get end of input file '%s': %s",
+ name32, strerror (errno));
+ size32 = (grub_uint32_t) size;
fseek (in32, 0, SEEK_SET);
+
fseek (in64, 0, SEEK_END);
- size64 = ftell (in64);
+ size = ftell (in64);
+ if (size < 0)
+ grub_util_error ("cannot get end of input file '%s': %s",
+ name64, strerror (errno));
+ size64 = (grub_uint64_t) size;
fseek (in64, 0, SEEK_SET);
head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC);

View File

@ -0,0 +1,25 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 3 Apr 2020 23:05:13 +1100
Subject: [PATCH] script/execute: Fix NULL dereference in
grub_script_execute_cmdline()
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/script/execute.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index a1aadb9ee05..2e47c046741 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -978,7 +978,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
struct grub_script_argv argv = { 0, 0, 0 };
/* Lookup the command. */
- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
+ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0])
return grub_errno;
for (i = 0; i < argv.argc; i++) {

View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 11 Jan 2021 16:57:37 +1100
Subject: [PATCH] commands/ls: Require device_name is not NULL before printing
This can be triggered with:
ls -l (0 0*)
and causes a NULL deref in grub_normal_print_device_info().
I'm not sure if there's any implication with the IEEE 1275 platform.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/ls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
index c25161cc4f2..ed646201035 100644
--- a/grub-core/commands/ls.c
+++ b/grub-core/commands/ls.c
@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
goto fail;
}
- if (! *path)
+ if (! *path && device_name)
{
if (grub_errno == GRUB_ERR_UNKNOWN_FS)
grub_errno = GRUB_ERR_NONE;

View File

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 11 Jan 2021 17:30:42 +1100
Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a
function scope
"$#" represents the number of arguments to a function. It is only
defined in a function scope, where "scope" is non-NULL. Currently,
if we attempt to evaluate "$#" outside a function scope, "scope" will
be NULL and we will crash with a NULL pointer dereference.
Do not attempt to count arguments for "$#" if "scope" is NULL. This
will result in "$#" being interpreted as an empty string if evaluated
outside a function scope.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/script/execute.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index 2e47c046741..17f4dcab2c6 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -519,7 +519,7 @@ gettext_putvar (const char *str, grub_size_t len,
return 0;
/* Enough for any number. */
- if (len == 1 && str[0] == '#')
+ if (len == 1 && str[0] == '#' && scope != NULL)
{
grub_snprintf (*ptr, 30, "%u", scope->argv.argc);
*ptr += grub_strlen (*ptr);

View File

@ -0,0 +1,51 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 22 Jan 2021 16:07:29 +1100
Subject: [PATCH] lib/arg: Block repeated short options that require an
argument
Fuzzing found the following crash:
search -hhhhhhhhhhhhhf
We didn't allocate enough option space for 13 hints because the
allocation code counts the number of discrete arguments (i.e. argc).
However, the shortopt parsing code will happily keep processing
a combination of short options without checking if those short
options require an argument. This means you can easily end writing
past the allocated option space.
This fixes a OOB write which can cause heap corruption.
Fixes: CVE-2021-20225
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/lib/arg.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
index 3288609a5e1..537c5e94b83 100644
--- a/grub-core/lib/arg.c
+++ b/grub-core/lib/arg.c
@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
it can have an argument value. */
if (*curshort)
{
+ /*
+ * Only permit further short opts if this one doesn't
+ * require a value.
+ */
+ if (opt->type != ARG_TYPE_NONE &&
+ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
+ {
+ grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("missing mandatory option for `%s'"),
+ opt->longarg);
+ goto fail;
+ }
+
if (parse_option (cmd, opt, 0, usr) || grub_errno)
goto fail;
}

View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 22 Jan 2021 16:18:26 +1100
Subject: [PATCH] script/execute: Don't crash on a "for" loop with no items
The following crashes the parser:
for x in; do
0
done
This is because grub_script_arglist_to_argv() doesn't consider the
possibility that arglist is NULL. Catch that explicitly.
This avoids a NULL pointer dereference.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/script/execute.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index 17f4dcab2c6..266d99ed337 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -658,6 +658,9 @@ grub_script_arglist_to_argv (struct grub_script_arglist *arglist,
struct grub_script_arg *arg = 0;
struct grub_script_argv result = { 0, 0, 0 };
+ if (arglist == NULL)
+ return 1;
+
for (; arglist && arglist->arg; arglist = arglist->next)
{
if (grub_script_argv_next (&result))

View File

@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 22 Jan 2021 17:10:48 +1100
Subject: [PATCH] commands/menuentry: Fix quoting in setparams_prefix()
Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
says that expressing a quoted single quote will require 3 characters. It
actually requires (and always did require!) 4 characters:
str: a'b => a'\''b
len: 3 => 6 (2 for the letters + 4 for the quote)
This leads to not allocating enough memory and thus out of bounds writes
that have been observed to cause heap corruption.
Allocate 4 bytes for each single quote.
Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
quoting, but it adds 3 as extra overhead on top of the single byte that
the quote already needs. So it's correct.
Fixes: CVE-2021-20233
Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/menuentry.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
index 4b5fcf2ce9a..7a533b9741b 100644
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@@ -239,7 +239,7 @@ setparams_prefix (int argc, char **args)
len += 3; /* 3 = 1 space + 2 quotes */
p = args[i];
while (*p)
- len += (*p++ == '\'' ? 3 : 1);
+ len += (*p++ == '\'' ? 4 : 1);
}
result = grub_malloc (len + 2);

View File

@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Wed, 13 Jan 2021 22:19:01 +1100
Subject: [PATCH] kern/misc: Always set *end in grub_strtoull()
Currently, if there is an error in grub_strtoull(), *end is not set.
This differs from the usual behavior of strtoull(), and also means that
some callers may use an uninitialized value for *end.
Set *end unconditionally.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/misc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
index c034f49f97c..62b4068e810 100644
--- a/grub-core/kern/misc.c
+++ b/grub-core/kern/misc.c
@@ -452,6 +452,10 @@ grub_strtoull (const char *str, const char ** const end, int base)
{
grub_error (GRUB_ERR_OUT_OF_RANGE,
N_("overflow is detected"));
+
+ if (end)
+ *end = (char *) str;
+
return ~0ULL;
}
@@ -463,6 +467,10 @@ grub_strtoull (const char *str, const char ** const end, int base)
{
grub_error (GRUB_ERR_BAD_NUMBER,
N_("unrecognized number"));
+
+ if (end)
+ *end = (char *) str;
+
return 0;
}

View File

@ -0,0 +1,49 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 15 Jan 2021 12:57:04 +1100
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
or Huffman tables
Our decoder only supports 2 quantization tables. If a file asks for
a quantization table with index > 1, reject it.
Similarly, our decoder only supports 4 Huffman tables. If a file asks
for a Huffman table with index > 3, reject it.
This fixes some out of bounds reads. It's not clear what degree of control
over subsequent execution could be gained by someone who can carefully
set up the contents of memory before loading an invalid JPEG file.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/readers/jpeg.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index a4a8269e237..856573996ac 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
else if (ss != JPEG_SAMPLING_1x1)
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: sampling method not supported");
+
data->comp_index[id][0] = grub_jpeg_get_byte (data);
+ if (data->comp_index[id][0] > 1)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: too many quantization tables");
}
if (data->file->offset != next_marker)
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
ht = grub_jpeg_get_byte (data);
data->comp_index[id][1] = (ht >> 4);
data->comp_index[id][2] = (ht & 0xF) + 2;
+
+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
}
grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */

View File

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 15 Jan 2021 13:29:53 +1100
Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in
grub_jpeg_decode_du()
The key line is:
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
jpeg_zigzag_order is grub_uint8_t[64].
I don't understand JPEG decoders quite well enough to explain what's
going on here. However, I observe sometimes pos=64, which leads to an
OOB read of the jpeg_zigzag_order global then an OOB write to du.
That leads to various unpleasant memory corruption conditions.
Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/readers/jpeg.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index 856573996ac..28c1d62515e 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
val = grub_jpeg_get_number (data, num & 0xF);
num >>= 4;
pos += num;
+
+ if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
+ {
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: invalid position in zigzag order!?");
+ return;
+ }
+
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
pos++;
}

View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 15 Jan 2021 14:06:46 +1100
Subject: [PATCH] video/readers/jpeg: Don't decode data before start of stream
When a start of stream marker is encountered, we call grub_jpeg_decode_sos()
which allocates space for a bitmap.
When a restart marker is encountered, we call grub_jpeg_decode_data() which
then fills in that bitmap.
If we get a restart marker before the start of stream marker, we will
attempt to write to a bitmap_ptr that hasn't been allocated. Catch this
and bail out. This fixes an attempt to write to NULL.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/readers/jpeg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index 28c1d62515e..c48cbd41b48 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -646,6 +646,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+ if (data->bitmap_ptr == NULL)
+ return grub_error(GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: attempted to decode data before start of stream");
+
for (; data->r1 < nr1 && (!data->dri || rst);
data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
for (c1 = 0; c1 < nc1 && (!data->dri || rst);

View File

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 15 Jan 2021 20:03:20 +1100
Subject: [PATCH] term/gfxterm: Don't set up a font with glyphs that are too
big
Catch the case where we have a font so big that it causes the number of
rows or columns to be 0. Currently we continue and allocate a
virtual_screen.text_buffer of size 0. We then try to use that for glpyhs
and things go badly.
On the emu platform, malloc() may give us a valid pointer, in which case
we'll access heap memory which we shouldn't. Alternatively, it may give us
NULL, in which case we'll crash. For other platforms, if I understand
grub_memalign() correctly, we will receive a valid but small allocation
that we will very likely later overrun.
Prevent the creation of a virtual screen that isn't at least 40 cols
by 12 rows. This is arbitrary, but it seems that if your width or height
is half a standard 80x24 terminal, you're probably going to struggle to
read anything anyway.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/term/gfxterm.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/grub-core/term/gfxterm.c b/grub-core/term/gfxterm.c
index af7c090a3e7..b40fcce9151 100644
--- a/grub-core/term/gfxterm.c
+++ b/grub-core/term/gfxterm.c
@@ -232,6 +232,15 @@ grub_virtual_screen_setup (unsigned int x, unsigned int y,
virtual_screen.columns = virtual_screen.width / virtual_screen.normal_char_width;
virtual_screen.rows = virtual_screen.height / virtual_screen.normal_char_height;
+ /*
+ * There must be a minimum number of rows and columns for the screen to
+ * make sense. Arbitrarily pick half of 80x24. If either dimensions is 0
+ * we would allocate 0 bytes for the text_buffer.
+ */
+ if (virtual_screen.columns < 40 || virtual_screen.rows < 12)
+ return grub_error (GRUB_ERR_BAD_FONT,
+ "font: glyphs too large to fit on screen");
+
/* Allocate memory for text buffer. */
virtual_screen.text_buffer =
(struct grub_colored_char *) grub_malloc (virtual_screen.columns

Some files were not shown because too many files have changed in this diff Show More