import grub2-2.02-90.el8_3.1
This commit is contained in:
parent
d0cbb56535
commit
fa384bc6b3
@ -1,7 +1,7 @@
|
||||
From 0bde74dcdf9de128317a28796e2690f92214db0d Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 15 Apr 2020 15:45:02 -0400
|
||||
Subject: [PATCH 281/314] yylex: Make lexer fatal errors actually be fatal
|
||||
Subject: [PATCH] yylex: Make lexer fatal errors actually be fatal
|
||||
|
||||
When presented with a command that can't be tokenized to anything
|
||||
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
|
||||
@ -65,6 +65,3 @@ index 7b44c37b76f..b7203c82309 100644
|
||||
} while (0)
|
||||
|
||||
#define COPY(str, hint) \
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 42b76ec749c30cb11cad7c070d0b03a7d4f1f7d6 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 15 Jun 2020 10:58:42 -0400
|
||||
Subject: [PATCH 282/314] safemath: Add some arithmetic primitives that check
|
||||
for overflow
|
||||
Subject: [PATCH] safemath: Add some arithmetic primitives that check for
|
||||
overflow
|
||||
|
||||
This adds a new header, include/grub/safemath.h, that includes easy to
|
||||
use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
|
||||
@ -122,6 +122,3 @@ index f3c20edc844..f8bd9116480 100644
|
||||
* GNU Make
|
||||
* GNU Bison 2.3 or later
|
||||
* GNU gettext 0.17 or later
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 832189364ee0c85a94f670952c951252e54d3d1c Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 15 Jun 2020 12:15:29 -0400
|
||||
Subject: [PATCH 283/314] calloc: Make sure we always have an overflow-checking
|
||||
Subject: [PATCH] calloc: Make sure we always have an overflow-checking
|
||||
calloc() available
|
||||
|
||||
This tries to make sure that everywhere in this source tree, we always have
|
||||
@ -13,13 +13,13 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream-commit-id: 79e51ab7a9a
|
||||
---
|
||||
grub-core/kern/emu/misc.c | 12 +++++++++
|
||||
grub-core/kern/emu/mm.c | 10 ++++++++
|
||||
grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++
|
||||
grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++--
|
||||
grub-core/lib/posix_wrap/stdlib.h | 8 +++++-
|
||||
grub-core/kern/emu/misc.c | 12 ++++++++++++
|
||||
grub-core/kern/emu/mm.c | 10 ++++++++++
|
||||
grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++
|
||||
grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
|
||||
grub-core/lib/posix_wrap/stdlib.h | 8 +++++++-
|
||||
include/grub/emu/misc.h | 1 +
|
||||
include/grub/mm.h | 6 +++++
|
||||
include/grub/mm.h | 6 ++++++
|
||||
7 files changed, 85 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
|
||||
@ -238,6 +238,3 @@ index 28e2e53eb32..9c38dd3ca5d 100644
|
||||
void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
|
||||
grub_size_t size);
|
||||
void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 778ddaeac8a8a821f6844ec8b8c404d0e437991f Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 15 Jun 2020 12:26:01 -0400
|
||||
Subject: [PATCH 284/314] calloc: Use calloc() at most places
|
||||
Subject: [PATCH] calloc: Use calloc() at most places
|
||||
|
||||
This modifies most of the places we do some form of:
|
||||
|
||||
@ -23,91 +23,91 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream-commit-id: 48eeedf1e4b
|
||||
---
|
||||
grub-core/bus/usb/usbhub.c | 8 ++--
|
||||
grub-core/commands/efi/lsefisystab.c | 3 +-
|
||||
grub-core/commands/legacycfg.c | 6 +--
|
||||
grub-core/bus/usb/usbhub.c | 8 +++---
|
||||
grub-core/commands/efi/lsefisystab.c | 3 ++-
|
||||
grub-core/commands/legacycfg.c | 6 ++---
|
||||
grub-core/commands/menuentry.c | 2 +-
|
||||
grub-core/commands/nativedisk.c | 2 +-
|
||||
grub-core/commands/parttool.c | 12 ++++--
|
||||
grub-core/commands/parttool.c | 12 ++++++---
|
||||
grub-core/commands/regexp.c | 2 +-
|
||||
grub-core/commands/search_wrap.c | 2 +-
|
||||
grub-core/disk/diskfilter.c | 4 +-
|
||||
grub-core/disk/diskfilter.c | 4 +--
|
||||
grub-core/disk/ieee1275/ofdisk.c | 2 +-
|
||||
grub-core/disk/ldm.c | 14 +++----
|
||||
grub-core/disk/ldm.c | 14 +++++-----
|
||||
grub-core/disk/luks.c | 2 +-
|
||||
grub-core/disk/lvm.c | 8 ++--
|
||||
grub-core/disk/lvm.c | 8 +++---
|
||||
grub-core/disk/xen/xendisk.c | 2 +-
|
||||
grub-core/efiemu/loadcore.c | 2 +-
|
||||
grub-core/efiemu/mm.c | 6 +--
|
||||
grub-core/font/font.c | 3 +-
|
||||
grub-core/fs/affs.c | 6 +--
|
||||
grub-core/fs/btrfs.c | 4 +-
|
||||
grub-core/efiemu/mm.c | 6 ++---
|
||||
grub-core/font/font.c | 3 +--
|
||||
grub-core/fs/affs.c | 6 ++---
|
||||
grub-core/fs/btrfs.c | 4 +--
|
||||
grub-core/fs/hfs.c | 2 +-
|
||||
grub-core/fs/hfsplus.c | 45 +++++++++++++++--------
|
||||
grub-core/fs/hfsplus.c | 45 ++++++++++++++++++++-----------
|
||||
grub-core/fs/iso9660.c | 2 +-
|
||||
grub-core/fs/ntfs.c | 4 +-
|
||||
grub-core/fs/ntfs.c | 4 +--
|
||||
grub-core/fs/sfs.c | 2 +-
|
||||
grub-core/fs/tar.c | 2 +-
|
||||
grub-core/fs/udf.c | 4 +-
|
||||
grub-core/fs/zfs/zfs.c | 4 +-
|
||||
grub-core/fs/udf.c | 4 +--
|
||||
grub-core/fs/zfs/zfs.c | 4 +--
|
||||
grub-core/gfxmenu/gui_string_util.c | 2 +-
|
||||
grub-core/gfxmenu/widget-box.c | 4 +-
|
||||
grub-core/gfxmenu/widget-box.c | 4 +--
|
||||
grub-core/io/gzio.c | 2 +-
|
||||
grub-core/kern/efi/efi.c | 33 ++++++++++++++---
|
||||
grub-core/kern/efi/efi.c | 33 ++++++++++++++++++-----
|
||||
grub-core/kern/emu/hostdisk.c | 2 +-
|
||||
grub-core/kern/fs.c | 2 +-
|
||||
grub-core/kern/misc.c | 2 +-
|
||||
grub-core/kern/parser.c | 2 +-
|
||||
grub-core/kern/uboot/uboot.c | 2 +-
|
||||
grub-core/lib/libgcrypt/cipher/ac.c | 8 ++--
|
||||
grub-core/lib/libgcrypt/cipher/primegen.c | 4 +-
|
||||
grub-core/lib/libgcrypt/cipher/pubkey.c | 4 +-
|
||||
grub-core/lib/libgcrypt/cipher/ac.c | 8 +++---
|
||||
grub-core/lib/libgcrypt/cipher/primegen.c | 4 +--
|
||||
grub-core/lib/libgcrypt/cipher/pubkey.c | 4 +--
|
||||
grub-core/lib/priority_queue.c | 2 +-
|
||||
grub-core/lib/reed_solomon.c | 7 ++--
|
||||
grub-core/lib/relocator.c | 10 ++---
|
||||
grub-core/lib/reed_solomon.c | 7 +++--
|
||||
grub-core/lib/relocator.c | 10 +++----
|
||||
grub-core/loader/arm/linux.c | 2 +-
|
||||
grub-core/loader/efi/chainloader.c | 11 ++++--
|
||||
grub-core/loader/efi/chainloader.c | 11 +++++---
|
||||
grub-core/loader/i386/bsdXX.c | 2 +-
|
||||
grub-core/loader/i386/xnu.c | 4 +-
|
||||
grub-core/loader/i386/xnu.c | 4 +--
|
||||
grub-core/loader/macho.c | 2 +-
|
||||
grub-core/loader/multiboot_elfxx.c | 2 +-
|
||||
grub-core/loader/xnu.c | 2 +-
|
||||
grub-core/mmap/mmap.c | 4 +-
|
||||
grub-core/mmap/mmap.c | 4 +--
|
||||
grub-core/net/bootp.c | 2 +-
|
||||
grub-core/net/dns.c | 10 ++---
|
||||
grub-core/net/net.c | 4 +-
|
||||
grub-core/normal/charset.c | 10 ++---
|
||||
grub-core/normal/cmdline.c | 14 +++----
|
||||
grub-core/normal/menu_entry.c | 14 +++----
|
||||
grub-core/normal/menu_text.c | 4 +-
|
||||
grub-core/normal/term.c | 4 +-
|
||||
grub-core/osdep/linux/getroot.c | 6 +--
|
||||
grub-core/net/dns.c | 10 +++----
|
||||
grub-core/net/net.c | 4 +--
|
||||
grub-core/normal/charset.c | 10 +++----
|
||||
grub-core/normal/cmdline.c | 14 +++++-----
|
||||
grub-core/normal/menu_entry.c | 14 +++++-----
|
||||
grub-core/normal/menu_text.c | 4 +--
|
||||
grub-core/normal/term.c | 4 +--
|
||||
grub-core/osdep/linux/getroot.c | 6 ++---
|
||||
grub-core/osdep/unix/config.c | 2 +-
|
||||
grub-core/osdep/windows/getroot.c | 2 +-
|
||||
grub-core/osdep/windows/hostdisk.c | 4 +-
|
||||
grub-core/osdep/windows/hostdisk.c | 4 +--
|
||||
grub-core/osdep/windows/init.c | 2 +-
|
||||
grub-core/osdep/windows/platform.c | 4 +-
|
||||
grub-core/osdep/windows/platform.c | 4 +--
|
||||
grub-core/osdep/windows/relpath.c | 2 +-
|
||||
grub-core/partmap/gpt.c | 2 +-
|
||||
grub-core/partmap/msdos.c | 2 +-
|
||||
grub-core/script/execute.c | 2 +-
|
||||
grub-core/tests/fake_input.c | 2 +-
|
||||
grub-core/tests/video_checksum.c | 6 +--
|
||||
grub-core/tests/video_checksum.c | 6 ++---
|
||||
grub-core/video/capture.c | 2 +-
|
||||
grub-core/video/emu/sdl.c | 2 +-
|
||||
grub-core/video/i386/pc/vga.c | 2 +-
|
||||
grub-core/video/readers/png.c | 2 +-
|
||||
util/getroot.c | 2 +-
|
||||
util/grub-file.c | 2 +-
|
||||
util/grub-fstest.c | 4 +-
|
||||
util/grub-fstest.c | 4 +--
|
||||
util/grub-install-common.c | 2 +-
|
||||
util/grub-install.c | 4 +-
|
||||
util/grub-mkimagexx.c | 6 +--
|
||||
util/grub-mkrescue.c | 4 +-
|
||||
util/grub-install.c | 4 +--
|
||||
util/grub-mkimagexx.c | 6 ++---
|
||||
util/grub-mkrescue.c | 4 +--
|
||||
util/grub-mkstandalone.c | 2 +-
|
||||
util/grub-pe2elf.c | 12 +++---
|
||||
util/grub-probe.c | 4 +-
|
||||
include/grub/unicode.h | 4 +-
|
||||
util/grub-pe2elf.c | 12 ++++-----
|
||||
util/grub-probe.c | 4 +--
|
||||
include/grub/unicode.h | 4 +--
|
||||
85 files changed, 231 insertions(+), 191 deletions(-)
|
||||
|
||||
diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
|
||||
@ -1940,6 +1940,3 @@ index a0403e91f9a..4de986a8576 100644
|
||||
if (!out->combining_ptr)
|
||||
return;
|
||||
grub_memcpy (out->combining_ptr, in->combining_ptr,
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 05c062003cff8dbbf1b394fa836378e88522e29c Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 15 Jun 2020 12:28:27 -0400
|
||||
Subject: [PATCH 285/314] malloc: Use overflow checking primitives where we do
|
||||
complex allocations
|
||||
Subject: [PATCH] malloc: Use overflow checking primitives where we do complex
|
||||
allocations
|
||||
|
||||
This attempts to fix the places where we do the following where
|
||||
arithmetic_expr may include unvalidated data:
|
||||
@ -30,29 +30,29 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream-commit-id: 5fb2befbf04
|
||||
---
|
||||
grub-core/commands/legacycfg.c | 29 +++++++++++++++----
|
||||
grub-core/commands/wildcard.c | 36 ++++++++++++++++++++----
|
||||
grub-core/disk/ldm.c | 32 +++++++++++++++------
|
||||
grub-core/font/font.c | 7 ++++-
|
||||
grub-core/fs/btrfs.c | 29 +++++++++++++------
|
||||
grub-core/fs/ext2.c | 10 ++++++-
|
||||
grub-core/fs/iso9660.c | 51 ++++++++++++++++++++++++----------
|
||||
grub-core/fs/sfs.c | 27 ++++++++++++++----
|
||||
grub-core/fs/squash4.c | 45 ++++++++++++++++++++++--------
|
||||
grub-core/fs/udf.c | 41 +++++++++++++++++----------
|
||||
grub-core/fs/xfs.c | 11 +++++---
|
||||
grub-core/fs/zfs/zfs.c | 22 ++++++++++-----
|
||||
grub-core/fs/zfs/zfscrypt.c | 7 ++++-
|
||||
grub-core/lib/arg.c | 20 +++++++++++--
|
||||
grub-core/loader/i386/bsd.c | 8 +++++-
|
||||
grub-core/net/dns.c | 9 +++++-
|
||||
grub-core/normal/charset.c | 10 +++++--
|
||||
grub-core/normal/cmdline.c | 14 ++++++++--
|
||||
grub-core/normal/menu_entry.c | 13 +++++++--
|
||||
grub-core/script/argv.c | 16 +++++++++--
|
||||
grub-core/script/lexer.c | 21 ++++++++++++--
|
||||
grub-core/video/bitmap.c | 25 +++++++++++------
|
||||
grub-core/video/readers/png.c | 13 +++++++--
|
||||
grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
|
||||
grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
|
||||
grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
|
||||
grub-core/font/font.c | 7 +++++-
|
||||
grub-core/fs/btrfs.c | 29 ++++++++++++++++--------
|
||||
grub-core/fs/ext2.c | 10 ++++++++-
|
||||
grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
|
||||
grub-core/fs/sfs.c | 27 +++++++++++++++++-----
|
||||
grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
|
||||
grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
|
||||
grub-core/fs/xfs.c | 11 +++++----
|
||||
grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
|
||||
grub-core/fs/zfs/zfscrypt.c | 7 +++++-
|
||||
grub-core/lib/arg.c | 20 +++++++++++++++--
|
||||
grub-core/loader/i386/bsd.c | 8 ++++++-
|
||||
grub-core/net/dns.c | 9 +++++++-
|
||||
grub-core/normal/charset.c | 10 +++++++--
|
||||
grub-core/normal/cmdline.c | 14 ++++++++++--
|
||||
grub-core/normal/menu_entry.c | 13 +++++++++--
|
||||
grub-core/script/argv.c | 16 +++++++++++--
|
||||
grub-core/script/lexer.c | 21 ++++++++++++++---
|
||||
grub-core/video/bitmap.c | 25 +++++++++++++--------
|
||||
grub-core/video/readers/png.c | 13 +++++++++--
|
||||
23 files changed, 383 insertions(+), 113 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
|
||||
@ -1318,6 +1318,3 @@ index e85df3c1b04..719e647e44f 100644
|
||||
|
||||
#ifndef GRUB_CPU_WORDS_BIGENDIAN
|
||||
if (data->is_16bit || data->is_gray || data->is_palette)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c37e76df9c58c3f170e838c42527ef8544bf4468 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sat, 4 Jul 2020 12:25:09 -0400
|
||||
Subject: [PATCH 286/314] iso9660: Don't leak memory on realloc() failures
|
||||
Subject: [PATCH] iso9660: Don't leak memory on realloc() failures
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
@ -64,6 +64,3 @@ index f45841e2b47..6fc9302bce3 100644
|
||||
/* In pos + 1 the length of the `Component Record' is
|
||||
stored. */
|
||||
pos += entry->data[pos + 1] + 2;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0b3c4b90e1b928a2606f0801e6e872dd6cb85c42 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Date: Tue, 7 Jul 2020 15:36:26 +0200
|
||||
Subject: [PATCH 287/314] font: Do not load more than one NAME section
|
||||
Subject: [PATCH] font: Do not load more than one NAME section
|
||||
|
||||
The GRUB font file can have one NAME section only. Though if somebody
|
||||
crafts a broken font file with many NAME sections and loads it then the
|
||||
@ -33,6 +33,3 @@ index d63354fb51b..a7b955a1a74 100644
|
||||
font->name = read_section_as_string (§ion);
|
||||
if (!font->name)
|
||||
goto fail;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 583a48bca23f7c4e0d691f0e6d065dac61bbfca1 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Date: Wed, 8 Jul 2020 20:41:56 +0000
|
||||
Subject: [PATCH 288/314] gfxmenu: Fix double free in load_image()
|
||||
Subject: [PATCH] gfxmenu: Fix double free in load_image()
|
||||
|
||||
self->bitmap should be zeroed after free. Otherwise, there is a chance
|
||||
to double free (USE_AFTER_FREE) it later in rescale_image().
|
||||
@ -31,6 +31,3 @@ index 29784ed2d9a..6b2e976f16e 100644
|
||||
if (self->raw_bitmap)
|
||||
grub_video_bitmap_destroy (self->raw_bitmap);
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 301523f584d9aa624424c68ab3f085a9b7eca417 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Date: Wed, 8 Jul 2020 21:30:43 +0000
|
||||
Subject: [PATCH 289/314] xnu: Fix double free in
|
||||
grub_xnu_devprop_add_property()
|
||||
Subject: [PATCH] xnu: Fix double free in grub_xnu_devprop_add_property()
|
||||
|
||||
grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get
|
||||
allocated and freed in the caller.
|
||||
@ -52,6 +51,3 @@ index ee0eaadc4ee..c760db30fc0 100644
|
||||
grub_list_push (GRUB_AS_LIST_P (&dev->properties),
|
||||
GRUB_AS_LIST (prop));
|
||||
return GRUB_ERR_NONE;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 656e3376d52c7244edac9264454c0fadac835749 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
||||
Date: Thu, 9 Jul 2020 03:05:23 +0000
|
||||
Subject: [PATCH 290/314] lzma: Make sure we don't dereference past array
|
||||
Subject: [PATCH] lzma: Make sure we don't dereference past array
|
||||
|
||||
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
|
||||
using the GetLenToPosState() macro which checks if len is less than 5,
|
||||
@ -47,6 +47,3 @@ index f2ec04a8c28..753e56a95e3 100644
|
||||
|
||||
if (posSlot >= kStartPosModelIndex)
|
||||
{
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 6df814d4f43a47ffe2b354b9fa683ed4022fa5f1 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
||||
Date: Tue, 7 Jul 2020 15:12:25 -0400
|
||||
Subject: [PATCH 291/314] term: Fix overflow on user inputs
|
||||
Subject: [PATCH] term: Fix overflow on user inputs
|
||||
|
||||
This requires a very weird input from the serial interface but can cause
|
||||
an overflow in input_buf (keys) overwriting the next variable (npending)
|
||||
@ -61,6 +61,3 @@ index 537a5c0cb0b..44d0b3b19fb 100644
|
||||
|
||||
#if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)
|
||||
if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 1864839f0e0eeb2b93a5b20e4e36f9b80abc3c23 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
||||
Date: Tue, 7 Jul 2020 22:02:31 -0400
|
||||
Subject: [PATCH 292/314] udf: Fix memory leak
|
||||
Subject: [PATCH] udf: Fix memory leak
|
||||
|
||||
Fixes: CID 73796
|
||||
|
||||
@ -51,6 +51,3 @@ index be41b48f913..6670beb5665 100644
|
||||
|
||||
if (filename && hook (filename, type, child, hook_data))
|
||||
{
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 9b970d31434e3fd6a8de36a6adef5cc721b265a8 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
||||
Date: Fri, 26 Jun 2020 10:51:43 -0400
|
||||
Subject: [PATCH 293/314] multiboot2: Fix memory leak if
|
||||
grub_create_loader_cmdline() fails
|
||||
Subject: [PATCH] multiboot2: Fix memory leak if grub_create_loader_cmdline()
|
||||
fails
|
||||
|
||||
Fixes: CID 292468
|
||||
|
||||
@ -42,6 +42,3 @@ index 54078455e2f..872dcd42e97 100644
|
||||
|
||||
if (modules_last)
|
||||
modules_last->next = newmod;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0ecb57c7bc38cb5de4a1b23909203a3331f5c84b Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Date: Thu, 9 Jul 2020 08:10:40 +0000
|
||||
Subject: [PATCH 294/314] tftp: Do not use priority queue
|
||||
Subject: [PATCH] tftp: Do not use priority queue
|
||||
|
||||
There is not need to reassemble the order of blocks. Per RFC 1350,
|
||||
server must wait for the ACK, before sending next block. Data packets
|
||||
@ -31,7 +31,7 @@ Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream-commit-id: 8316694c4f7
|
||||
---
|
||||
grub-core/net/tftp.c | 174 ++++++++++++++-----------------------------
|
||||
grub-core/net/tftp.c | 174 ++++++++++++++++-----------------------------------
|
||||
1 file changed, 54 insertions(+), 120 deletions(-)
|
||||
|
||||
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
|
||||
@ -284,6 +284,3 @@ index e267af354f4..79c16f9b041 100644
|
||||
grub_free (data);
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 320fe69ffff39f90169f793402de4d4223a1a64c Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Date: Wed, 15 Jul 2020 06:42:37 +0000
|
||||
Subject: [PATCH 295/314] relocator: Protect grub_relocator_alloc_chunk_addr()
|
||||
input args against integer underflow/overflow
|
||||
Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr() input
|
||||
args against integer underflow/overflow
|
||||
|
||||
Use arithmetic macros from safemath.h to accomplish it. In this commit,
|
||||
I didn't want to be too paranoid to check every possible math equation
|
||||
@ -145,6 +145,3 @@ index dc7d5409e1e..2bf02489bad 100644
|
||||
grub_xnu_heap_size += size;
|
||||
grub_dprintf ("xnu", "val=%p\n", *src);
|
||||
return GRUB_ERR_NONE;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 93d697a46b43ee13e0343c79777af5ce23c313b7 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Date: Wed, 8 Jul 2020 01:44:38 +0000
|
||||
Subject: [PATCH 296/314] relocator: Protect grub_relocator_alloc_chunk_align()
|
||||
Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_align()
|
||||
max_addr against integer underflow
|
||||
|
||||
This commit introduces integer underflow mitigation in max_addr calculation
|
||||
@ -20,7 +20,7 @@ Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream-commit-id: 10498c8ba17
|
||||
---
|
||||
grub-core/lib/i386/relocator.c | 28 ++++++++++----------------
|
||||
grub-core/lib/i386/relocator.c | 28 +++++++++++-----------------
|
||||
grub-core/lib/mips/relocator.c | 6 ++----
|
||||
grub-core/lib/powerpc/relocator.c | 6 ++----
|
||||
grub-core/lib/x86_64/efi/relocator.c | 7 +++----
|
||||
@ -29,10 +29,10 @@ Upstream-commit-id: 10498c8ba17
|
||||
grub-core/loader/i386/pc/linux.c | 6 ++----
|
||||
grub-core/loader/mips/linux.c | 9 +++------
|
||||
grub-core/loader/multiboot.c | 2 +-
|
||||
grub-core/loader/multiboot_elfxx.c | 10 ++++-----
|
||||
grub-core/loader/multiboot_mbi2.c | 10 ++++-----
|
||||
grub-core/loader/multiboot_elfxx.c | 10 +++++-----
|
||||
grub-core/loader/multiboot_mbi2.c | 10 +++++-----
|
||||
grub-core/loader/xnu_resume.c | 2 +-
|
||||
include/grub/relocator.h | 29 +++++++++++++++++++++++++++
|
||||
include/grub/relocator.h | 29 +++++++++++++++++++++++++++++
|
||||
13 files changed, 69 insertions(+), 58 deletions(-)
|
||||
|
||||
diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c
|
||||
@ -333,6 +333,3 @@ index 24d8672d22c..1b3bdd92ac6 100644
|
||||
#define GRUB_RELOCATOR_PREFERENCE_NONE 0
|
||||
#define GRUB_RELOCATOR_PREFERENCE_LOW 1
|
||||
#define GRUB_RELOCATOR_PREFERENCE_HIGH 2
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 19d627a430f6917afeee167daa9190d1ec83d7b7 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Fri, 10 Jul 2020 11:21:14 +0100
|
||||
Subject: [PATCH 297/314] script: Remove unused fields from
|
||||
grub_script_function struct
|
||||
Subject: [PATCH] script: Remove unused fields from grub_script_function struct
|
||||
|
||||
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
@ -29,6 +28,3 @@ index 360c2be1f05..b382bcf09bc 100644
|
||||
};
|
||||
typedef struct grub_script_function *grub_script_function_t;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From c1de65c0e3d630f33160d34e1e85925f01966b0d Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Fri, 10 Jul 2020 14:41:45 +0100
|
||||
Subject: [PATCH 298/314] script: Avoid a use-after-free when redefining a
|
||||
function during execution
|
||||
Subject: [PATCH] script: Avoid a use-after-free when redefining a function
|
||||
during execution
|
||||
|
||||
Defining a new function with the same name as a previously defined
|
||||
function causes the grub_script and associated resources for the
|
||||
@ -103,6 +103,3 @@ index 4f0ab8319e3..f80b86b6f15 100644
|
||||
}
|
||||
|
||||
state->scripts = $<scripts>3;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 7de922a99acd0521b99cd0dd81fe62643ce734a5 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Date: Fri, 17 Jul 2020 05:17:26 +0000
|
||||
Subject: [PATCH 299/314] relocator: Fix grub_relocator_alloc_chunk_align() top
|
||||
memory allocation
|
||||
Subject: [PATCH] relocator: Fix grub_relocator_alloc_chunk_align() top memory
|
||||
allocation
|
||||
|
||||
Current implementation of grub_relocator_alloc_chunk_align()
|
||||
does not allow allocation of the top byte.
|
||||
@ -41,6 +41,3 @@ index 5847aac3643..f2c1944c28d 100644
|
||||
|
||||
#ifdef GRUB_MACHINE_PCBIOS
|
||||
if (min_addr < 0x1000)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 3a60f2bfd8ab98484a7d8ba52748795f7b225ddc Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 19 Jul 2020 14:43:31 -0400
|
||||
Subject: [PATCH 300/314] hfsplus: fix two more overflows
|
||||
Subject: [PATCH] hfsplus: fix two more overflows
|
||||
|
||||
Both node->size and node->namelen come from the supplied filesystem,
|
||||
which may be user-supplied. We can't trust them for the math unless we
|
||||
@ -52,6 +52,3 @@ index f1cd72398ec..8b17ebba296 100644
|
||||
if (! filename)
|
||||
return 0;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 5c219ca7ec3b481573309245e3b7399c2f19a99c Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 19 Jul 2020 15:48:20 -0400
|
||||
Subject: [PATCH 301/314] lvm: fix two more potential data-dependent alloc
|
||||
overflows
|
||||
Subject: [PATCH] lvm: fix two more potential data-dependent alloc overflows
|
||||
|
||||
It appears to be possible to make a (possibly invalid) lvm PV with a
|
||||
metadata size field that overflows our type when adding it to the
|
||||
@ -14,7 +13,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Upstream-commit-id: 45ec6046ea0
|
||||
---
|
||||
grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++--------
|
||||
grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 40 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
|
||||
@ -108,6 +107,3 @@ index d1df640b311..ca09d469990 100644
|
||||
if (!lv->fullname)
|
||||
goto lvs_fail;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d38b6703c0668e5d99e6f00aeef5d1b1d7458f9a Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 19 Jul 2020 16:08:08 -0400
|
||||
Subject: [PATCH 302/314] emu: make grub_free(NULL) safe
|
||||
Subject: [PATCH] emu: make grub_free(NULL) safe
|
||||
|
||||
The grub_free() implementation in kern/mm.c safely handles NULL
|
||||
pointers, and code at many places depends on this. We don't know that
|
||||
@ -29,6 +29,3 @@ index 145b01d3719..4d1046a219e 100644
|
||||
}
|
||||
|
||||
void *
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 3ca105b5d77e292517091da4777484068848da6d Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 19 Jul 2020 16:53:27 -0400
|
||||
Subject: [PATCH 303/314] efi: fix some malformed device path arithmetic
|
||||
errors.
|
||||
Subject: [PATCH] efi: fix some malformed device path arithmetic errors.
|
||||
|
||||
Several places we take the length of a device path and subtract 4 from
|
||||
it, without ever checking that it's >= 4. There are also cases where
|
||||
@ -19,10 +18,10 @@ code check for and return errors in these cases.
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Upstream-commit-id: 23e68a83990
|
||||
---
|
||||
grub-core/kern/efi/efi.c | 67 +++++++++++++++++++++++++-----
|
||||
grub-core/loader/efi/chainloader.c | 19 ++++++++-
|
||||
grub-core/loader/i386/xnu.c | 9 ++--
|
||||
include/grub/efi/api.h | 14 ++++---
|
||||
grub-core/kern/efi/efi.c | 67 ++++++++++++++++++++++++++++++++------
|
||||
grub-core/loader/efi/chainloader.c | 19 +++++++++--
|
||||
grub-core/loader/i386/xnu.c | 9 ++---
|
||||
include/grub/efi/api.h | 14 +++++---
|
||||
4 files changed, 88 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
|
||||
@ -247,6 +246,3 @@ index 6c440c61316..a092fddb629 100644
|
||||
|
||||
/* Hardware Device Path. */
|
||||
#define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From cab9214c4caad2ad95ce8bd456c68bc08def0833 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Wed, 22 Jul 2020 17:06:04 +0100
|
||||
Subject: [PATCH 304/314] Fix a regression caused by "efi: fix some malformed
|
||||
device path arithmetic errors"
|
||||
Subject: [PATCH] Fix a regression caused by "efi: fix some malformed device
|
||||
path arithmetic errors"
|
||||
|
||||
This commit introduced a bogus check inside copy_file_path to
|
||||
determine whether the destination grub_efi_file_path_device_path_t
|
||||
@ -83,6 +83,3 @@ index c2411b6dab2..8b99cf23e9d 100644
|
||||
|
||||
/* Fill the end of device path nodes. */
|
||||
d = GRUB_EFI_NEXT_DEVICE_PATH (d);
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 0bfbb0c63ccc73d8508d1a402f53f9f6a64de903 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Burmashev <alexander.burmashev@oracle.com>
|
||||
Date: Wed, 22 Jul 2020 06:04:38 -0700
|
||||
Subject: [PATCH 305/314] update safemath with fallback code for gcc older than
|
||||
5.1
|
||||
Subject: [PATCH] update safemath with fallback code for gcc older than 5.1
|
||||
|
||||
The code used in the header was taken from linux kernel commit
|
||||
f0907827a8a9152aedac2833ed1b674a7b2a44f2. Rasmus Villemoes
|
||||
@ -13,7 +12,7 @@ sources
|
||||
|
||||
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
||||
---
|
||||
include/grub/safemath.h | 119 +++++++++++++++++++++++++++++++++++++++-
|
||||
include/grub/safemath.h | 119 +++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 118 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/grub/safemath.h b/include/grub/safemath.h
|
||||
@ -146,6 +145,3 @@ index c17b89bba17..1ccac276b59 100644
|
||||
#endif
|
||||
|
||||
#endif /* GRUB_SAFEMATH_H */
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 7a7d0278212dde624229dd6da973ccfdf60a7982 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Makhalov <amakhalov@vmware.com>
|
||||
Date: Mon, 20 Jul 2020 23:03:05 +0000
|
||||
Subject: [PATCH 306/314] efi: Fix use-after-free in halt/reboot path
|
||||
Subject: [PATCH] efi: Fix use-after-free in halt/reboot path
|
||||
|
||||
commit 92bfc33db984 ("efi: Free malloc regions on exit")
|
||||
introduced memory freeing in grub_efi_fini(), which is
|
||||
@ -160,6 +160,3 @@ index 7f82a499fd9..b208642821b 100644
|
||||
};
|
||||
|
||||
void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c62652ca26ed1c145d0e820e0f108ce4e61b1f17 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 19 Jul 2020 17:11:06 -0400
|
||||
Subject: [PATCH 307/314] efi+dhcp: fix some allocation error checking.
|
||||
Subject: [PATCH] efi+dhcp: fix some allocation error checking.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
@ -35,6 +35,3 @@ index dbef63d8c08..e5c79b748b0 100644
|
||||
}
|
||||
|
||||
if (status != GRUB_EFI_SUCCESS)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4436316229bc5b46016d61215b709ec434f4e0d3 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 19 Jul 2020 17:14:15 -0400
|
||||
Subject: [PATCH 308/314] efi+http: fix some allocation error checking.
|
||||
Subject: [PATCH] efi+http: fix some allocation error checking.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
@ -37,6 +37,3 @@ index fc8cb25ae0a..26647a50fa4 100644
|
||||
|
||||
file->size = size;
|
||||
file->data = buf;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 9f8ce6fac51e229a18ed2fa3321f7fc3d6d822a6 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 19 Jul 2020 17:27:00 -0400
|
||||
Subject: [PATCH 309/314] efi/ip[46]_config.c: fix some potential allocation
|
||||
overflows
|
||||
Subject: [PATCH] efi/ip[46]_config.c: fix some potential allocation overflows
|
||||
|
||||
In theory all of this data comes from the firmware stack and it should
|
||||
be safe, but it's better to be paranoid.
|
||||
@ -126,6 +125,3 @@ index e0e00c23d21..1c5415d7185 100644
|
||||
{
|
||||
char *gateway, *destination;
|
||||
grub_uint64_t u64_gateway[2];
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e5ef076d3188c3389769a3bde72382db9b94dc97 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 23 Jul 2020 15:02:48 -0400
|
||||
Subject: [PATCH 310/314] Fix up some types for gcc 4.8 compat safemath.h
|
||||
Subject: [PATCH] Fix up some types for gcc 4.8 compat safemath.h
|
||||
|
||||
The compat macros aren't as forgiving as __builtin_*_overflow().
|
||||
|
||||
@ -214,6 +214,3 @@ index 4dfcc31078d..f902b13b44e 100644
|
||||
goto fail;
|
||||
|
||||
n = grub_realloc (out->combining_ptr, sz);
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0a9a828e88a2e14be684761afe582e7bb286676b Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Fri, 24 Jul 2020 17:18:09 +0100
|
||||
Subject: [PATCH 311/314] efilinux: Fix integer overflows in grub_cmd_initrd
|
||||
Subject: [PATCH] efilinux: Fix integer overflows in grub_cmd_initrd
|
||||
|
||||
These could be triggered by an extremely large number of arguments to
|
||||
the initrd command on 32-bit architectures, or a crafted filesystem with
|
||||
@ -46,6 +46,3 @@ index ea9f5134e67..ade7ab8f573 100644
|
||||
}
|
||||
|
||||
initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size));
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 9fa474528317c2311e2f2ac0fd626316ef7486d4 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 24 Jul 2020 13:57:27 -0400
|
||||
Subject: [PATCH 312/314] linux loader: avoid overflow on initrd size
|
||||
calculation
|
||||
Subject: [PATCH] linux loader: avoid overflow on initrd size calculation
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
@ -24,6 +23,3 @@ index c2c7cfcd0fd..61a2e144db0 100644
|
||||
if (!initrd_ctx->components)
|
||||
return grub_errno;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 2ba58823b68d5fbf8d625ed6d7e18b09bc556860 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dimitri John Ledkov <xnox@ubuntu.com>
|
||||
Date: Wed, 22 Jul 2020 11:31:43 +0100
|
||||
Subject: [PATCH 313/314] linuxefi: fail kernel validation without shim
|
||||
protocol.
|
||||
Subject: [PATCH] linuxefi: fail kernel validation without shim protocol.
|
||||
|
||||
If certificates that signed grub are installed into db, grub can be
|
||||
booted directly. It will then boot any kernel without signature
|
||||
@ -96,6 +95,3 @@ index ade7ab8f573..361e503cb52 100644
|
||||
}
|
||||
|
||||
params = grub_efi_allocate_pages_max (0x3fffffff,
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 9715e08cf30ebd8a24ca27b7c4dda8e949e100df Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sat, 25 Jul 2020 12:15:37 +0100
|
||||
Subject: [PATCH 314/314] linux: Fix integer overflows in initrd size handling
|
||||
Subject: [PATCH] linux: Fix integer overflows in initrd size handling
|
||||
|
||||
These could be triggered by a crafted filesystem with very large files.
|
||||
|
||||
@ -10,7 +10,7 @@ Fixes: CVE-2020-15707
|
||||
Signed-off-by: Colin Watson <cjwatson@debian.org>
|
||||
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
---
|
||||
grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++-----------
|
||||
grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 54 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
|
||||
@ -163,6 +163,3 @@ index 61a2e144db0..0953f6d3266 100644
|
||||
ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
|
||||
grub_strlen (initrd_ctx->components[i].newc_name),
|
||||
0100777,
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -23,7 +23,7 @@ Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
|
||||
index 2c52f692b25..4f38d7ef1f7 100644
|
||||
index 79c16f9b041..b9a4b607a3d 100644
|
||||
--- a/grub-core/net/tftp.c
|
||||
+++ b/grub-core/net/tftp.c
|
||||
@@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
|
||||
|
441
SOURCES/0318-kern-Add-lockdown-support.patch
Normal file
441
SOURCES/0318-kern-Add-lockdown-support.patch
Normal file
@ -0,0 +1,441 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Fri, 19 Feb 2021 10:33:54 +0100
|
||||
Subject: [PATCH] kern: Add lockdown support
|
||||
|
||||
When the GRUB starts on a secure boot platform, some commands can be
|
||||
used to subvert the protections provided by the verification mechanism and
|
||||
could lead to booting untrusted system.
|
||||
|
||||
To prevent that situation, allow GRUB to be locked down. That way the code
|
||||
may check if GRUB has been locked down and further restrict the commands
|
||||
that are registered or what subset of their functionality could be used.
|
||||
|
||||
The lockdown support adds the following components:
|
||||
|
||||
* The grub_lockdown() function which can be used to lockdown GRUB if,
|
||||
e.g., UEFI Secure Boot is enabled.
|
||||
|
||||
* The grub_is_lockdown() function which can be used to check if the GRUB
|
||||
was locked down.
|
||||
|
||||
* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
|
||||
tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
|
||||
verifiers. These files are only successfully verified if another registered
|
||||
verifier returns success. Otherwise, the whole verification process fails.
|
||||
|
||||
For example, PE/COFF binaries verification can be done by the shim_lock
|
||||
verifier which validates the signatures using the shim_lock protocol.
|
||||
However, the verification is not deferred directly to the shim_lock verifier.
|
||||
The shim_lock verifier is hooked into the verification process instead.
|
||||
|
||||
* A set of grub_{command,extcmd}_lockdown functions that can be used by
|
||||
code registering command handlers, to only register unsafe commands if
|
||||
the GRUB has not been locked down.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/Makefile.core.def | 1 +
|
||||
grub-core/commands/extcmd.c | 23 +++++++++++
|
||||
grub-core/kern/command.c | 24 ++++++++++++
|
||||
grub-core/kern/lockdown.c | 93 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
include/grub/command.h | 5 +++
|
||||
include/grub/extcmd.h | 7 ++++
|
||||
include/grub/lockdown.h | 44 +++++++++++++++++++++
|
||||
conf/Makefile.common | 2 +
|
||||
docs/grub-dev.texi | 27 +++++++++++++
|
||||
docs/grub.texi | 9 +++++
|
||||
grub-core/Makefile.am | 5 ++-
|
||||
11 files changed, 239 insertions(+), 1 deletion(-)
|
||||
create mode 100644 grub-core/kern/lockdown.c
|
||||
create mode 100644 include/grub/lockdown.h
|
||||
|
||||
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||
index c8a50b4fcfa..0eb7f312b29 100644
|
||||
--- a/grub-core/Makefile.core.def
|
||||
+++ b/grub-core/Makefile.core.def
|
||||
@@ -197,6 +197,7 @@ kernel = {
|
||||
efi = term/efi/console.c;
|
||||
efi = kern/acpi.c;
|
||||
efi = kern/efi/acpi.c;
|
||||
+ efi = kern/lockdown.c;
|
||||
efi = lib/envblk.c;
|
||||
efi = kern/efi/tpm.c;
|
||||
i386_coreboot = kern/i386/pc/acpi.c;
|
||||
diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
|
||||
index 69574e2b05b..90a5ca24a64 100644
|
||||
--- a/grub-core/commands/extcmd.c
|
||||
+++ b/grub-core/commands/extcmd.c
|
||||
@@ -19,6 +19,7 @@
|
||||
|
||||
#include <grub/mm.h>
|
||||
#include <grub/list.h>
|
||||
+#include <grub/lockdown.h>
|
||||
#include <grub/misc.h>
|
||||
#include <grub/extcmd.h>
|
||||
#include <grub/script_sh.h>
|
||||
@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
|
||||
summary, description, parser, 1);
|
||||
}
|
||||
|
||||
+static grub_err_t
|
||||
+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
|
||||
+ int argc __attribute__ ((unused)),
|
||||
+ char **argv __attribute__ ((unused)))
|
||||
+{
|
||||
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||
+ N_("%s: the command is not allowed when lockdown is enforced"),
|
||||
+ ctxt->extcmd->cmd->name);
|
||||
+}
|
||||
+
|
||||
+grub_extcmd_t
|
||||
+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
|
||||
+ grub_command_flags_t flags, const char *summary,
|
||||
+ const char *description,
|
||||
+ const struct grub_arg_option *parser)
|
||||
+{
|
||||
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
|
||||
+ func = grub_extcmd_lockdown;
|
||||
+
|
||||
+ return grub_register_extcmd (name, func, flags, summary, description, parser);
|
||||
+}
|
||||
+
|
||||
void
|
||||
grub_unregister_extcmd (grub_extcmd_t ext)
|
||||
{
|
||||
diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
|
||||
index acd72187992..4aabcd4b5f9 100644
|
||||
--- a/grub-core/kern/command.c
|
||||
+++ b/grub-core/kern/command.c
|
||||
@@ -17,6 +17,7 @@
|
||||
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
+#include <grub/lockdown.h>
|
||||
#include <grub/mm.h>
|
||||
#include <grub/command.h>
|
||||
|
||||
@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
|
||||
return cmd;
|
||||
}
|
||||
|
||||
+static grub_err_t
|
||||
+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
|
||||
+ int argc __attribute__ ((unused)),
|
||||
+ char **argv __attribute__ ((unused)))
|
||||
+
|
||||
+{
|
||||
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||
+ N_("%s: the command is not allowed when lockdown is enforced"),
|
||||
+ cmd->name);
|
||||
+}
|
||||
+
|
||||
+grub_command_t
|
||||
+grub_register_command_lockdown (const char *name,
|
||||
+ grub_command_func_t func,
|
||||
+ const char *summary,
|
||||
+ const char *description)
|
||||
+{
|
||||
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
|
||||
+ func = grub_cmd_lockdown;
|
||||
+
|
||||
+ return grub_register_command_prio (name, func, summary, description, 0);
|
||||
+}
|
||||
+
|
||||
void
|
||||
grub_unregister_command (grub_command_t cmd)
|
||||
{
|
||||
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
|
||||
new file mode 100644
|
||||
index 00000000000..f87ddaeb1ee
|
||||
--- /dev/null
|
||||
+++ b/grub-core/kern/lockdown.c
|
||||
@@ -0,0 +1,93 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2020 Free Software Foundation, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GRUB is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+#include <grub/dl.h>
|
||||
+#include <grub/file.h>
|
||||
+#include <grub/lockdown.h>
|
||||
+
|
||||
+/* There is no verifier framework in grub 2.02 */
|
||||
+#if 0
|
||||
+#include <grub/verify.h>
|
||||
+#endif
|
||||
+
|
||||
+static int lockdown = GRUB_LOCKDOWN_DISABLED;
|
||||
+
|
||||
+/* There is no verifier framework in grub 2.02 */
|
||||
+#if 0
|
||||
+static grub_err_t
|
||||
+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
|
||||
+ enum grub_file_type type,
|
||||
+ void **context __attribute__ ((unused)),
|
||||
+ enum grub_verify_flags *flags)
|
||||
+{
|
||||
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||
+
|
||||
+ switch (type & GRUB_FILE_TYPE_MASK)
|
||||
+ {
|
||||
+ case GRUB_FILE_TYPE_GRUB_MODULE:
|
||||
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
|
||||
+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
|
||||
+ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
|
||||
+ case GRUB_FILE_TYPE_BSD_KERNEL:
|
||||
+ case GRUB_FILE_TYPE_XNU_KERNEL:
|
||||
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
|
||||
+ case GRUB_FILE_TYPE_NTLDR:
|
||||
+ case GRUB_FILE_TYPE_TRUECRYPT:
|
||||
+ case GRUB_FILE_TYPE_FREEDOS:
|
||||
+ case GRUB_FILE_TYPE_PXECHAINLOADER:
|
||||
+ case GRUB_FILE_TYPE_PCCHAINLOADER:
|
||||
+ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
|
||||
+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
|
||||
+ case GRUB_FILE_TYPE_ACPI_TABLE:
|
||||
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
||||
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
||||
+
|
||||
+ /* Fall through. */
|
||||
+
|
||||
+ default:
|
||||
+ return GRUB_ERR_NONE;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+struct grub_file_verifier lockdown_verifier =
|
||||
+ {
|
||||
+ .name = "lockdown_verifier",
|
||||
+ .init = lockdown_verifier_init,
|
||||
+ };
|
||||
+#endif
|
||||
+
|
||||
+void
|
||||
+grub_lockdown (void)
|
||||
+{
|
||||
+ lockdown = GRUB_LOCKDOWN_ENABLED;
|
||||
+
|
||||
+ /*
|
||||
+ * XXX: The lockdown verifier doesn't make sense until
|
||||
+ * GRUB has moved to the shim_lock verifier.
|
||||
+ */
|
||||
+#if 0
|
||||
+ grub_verifier_register (&lockdown_verifier);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+grub_is_lockdown (void)
|
||||
+{
|
||||
+ return lockdown;
|
||||
+}
|
||||
diff --git a/include/grub/command.h b/include/grub/command.h
|
||||
index eee4e847ee4..2a6f7f84697 100644
|
||||
--- a/include/grub/command.h
|
||||
+++ b/include/grub/command.h
|
||||
@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
|
||||
const char *summary,
|
||||
const char *description,
|
||||
int prio);
|
||||
+grub_command_t
|
||||
+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
|
||||
+ grub_command_func_t func,
|
||||
+ const char *summary,
|
||||
+ const char *description);
|
||||
void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
|
||||
|
||||
static inline grub_command_t
|
||||
diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
|
||||
index 19fe592669e..fe9248b8bb6 100644
|
||||
--- a/include/grub/extcmd.h
|
||||
+++ b/include/grub/extcmd.h
|
||||
@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
|
||||
const char *description,
|
||||
const struct grub_arg_option *parser);
|
||||
|
||||
+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
|
||||
+ grub_extcmd_func_t func,
|
||||
+ grub_command_flags_t flags,
|
||||
+ const char *summary,
|
||||
+ const char *description,
|
||||
+ const struct grub_arg_option *parser);
|
||||
+
|
||||
grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
|
||||
grub_extcmd_func_t func,
|
||||
grub_command_flags_t flags,
|
||||
diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
|
||||
new file mode 100644
|
||||
index 00000000000..40531fa823b
|
||||
--- /dev/null
|
||||
+++ b/include/grub/lockdown.h
|
||||
@@ -0,0 +1,44 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2020 Free Software Foundation, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GRUB is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#ifndef GRUB_LOCKDOWN_H
|
||||
+#define GRUB_LOCKDOWN_H 1
|
||||
+
|
||||
+#include <grub/symbol.h>
|
||||
+
|
||||
+#define GRUB_LOCKDOWN_DISABLED 0
|
||||
+#define GRUB_LOCKDOWN_ENABLED 1
|
||||
+
|
||||
+#ifdef GRUB_MACHINE_EFI
|
||||
+extern void
|
||||
+EXPORT_FUNC (grub_lockdown) (void);
|
||||
+extern int
|
||||
+EXPORT_FUNC (grub_is_lockdown) (void);
|
||||
+#else
|
||||
+static inline void
|
||||
+grub_lockdown (void)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
+static inline int
|
||||
+grub_is_lockdown (void)
|
||||
+{
|
||||
+ return GRUB_LOCKDOWN_DISABLED;
|
||||
+}
|
||||
+#endif
|
||||
+#endif /* ! GRUB_LOCKDOWN_H */
|
||||
diff --git a/conf/Makefile.common b/conf/Makefile.common
|
||||
index b93879804c0..521cdda1f5a 100644
|
||||
--- a/conf/Makefile.common
|
||||
+++ b/conf/Makefile.common
|
||||
@@ -85,7 +85,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
|
||||
CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
|
||||
CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
|
||||
CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
|
||||
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
|
||||
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
|
||||
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
|
||||
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
|
||||
CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
|
||||
CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
|
||||
diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
|
||||
index 3ce827ab726..421dd410e50 100644
|
||||
--- a/docs/grub-dev.texi
|
||||
+++ b/docs/grub-dev.texi
|
||||
@@ -84,6 +84,7 @@ This edition documents version @value{VERSION}.
|
||||
* Video Subsystem::
|
||||
* PFF2 Font File Format::
|
||||
* Graphical Menu Software Design::
|
||||
+* Lockdown framework::
|
||||
* Copying This Manual:: Copying This Manual
|
||||
* Index::
|
||||
@end menu
|
||||
@@ -1949,6 +1950,32 @@ the graphics mode that was in use before @code{grub_video_setup()} was called
|
||||
might fix some of the problems.
|
||||
|
||||
|
||||
+@node Lockdown framework
|
||||
+@chapter Lockdown framework
|
||||
+
|
||||
+The GRUB can be locked down, which is a restricted mode where some operations
|
||||
+are not allowed. For instance, some commands cannot be used when the GRUB is
|
||||
+locked down.
|
||||
+
|
||||
+The function
|
||||
+@code{grub_lockdown()} is used to lockdown GRUB and the function
|
||||
+@code{grub_is_lockdown()} function can be used to check whether lockdown is
|
||||
+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
|
||||
+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
|
||||
+
|
||||
+The following functions can be used to register the commands that can only be
|
||||
+used when lockdown is disabled:
|
||||
+
|
||||
+@itemize
|
||||
+
|
||||
+@item @code{grub_cmd_lockdown()} registers command which should not run when the
|
||||
+GRUB is in lockdown mode.
|
||||
+
|
||||
+@item @code{grub_cmd_lockdown()} registers extended command which should not run
|
||||
+when the GRUB is in lockdown mode.
|
||||
+
|
||||
+@end itemize
|
||||
+
|
||||
@node Copying This Manual
|
||||
@appendix Copying This Manual
|
||||
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index c54bee31679..0a53c28ee88 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -5610,6 +5610,8 @@ environment variables and commands are listed in the same order.
|
||||
@menu
|
||||
* Authentication and authorisation:: Users and access control
|
||||
* Using digital signatures:: Booting digitally signed code
|
||||
+* Lockdown:: Lockdown when booting on a secure setup
|
||||
+
|
||||
@end menu
|
||||
|
||||
@node Authentication and authorisation
|
||||
@@ -5772,6 +5774,13 @@ or BIOS) configuration to cause the machine to boot from a different
|
||||
(attacker-controlled) device. GRUB is at best only one link in a
|
||||
secure boot chain.
|
||||
|
||||
+@node Lockdown
|
||||
+@section Lockdown when booting on a secure setup
|
||||
+
|
||||
+The GRUB can be locked down when booted on a secure boot environment, for example
|
||||
+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
|
||||
+be restricted and some operations/commands cannot be executed.
|
||||
+
|
||||
@node Platform limitations
|
||||
@chapter Platform limitations
|
||||
|
||||
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
|
||||
index 4062652506d..a6f1b0dcd06 100644
|
||||
--- a/grub-core/Makefile.am
|
||||
+++ b/grub-core/Makefile.am
|
||||
@@ -82,6 +82,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
|
||||
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
|
||||
if COND_emu
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
|
||||
@@ -350,8 +351,10 @@ command.lst: $(MARKER_FILES)
|
||||
b=`basename $$pp .marker`; \
|
||||
sed -n \
|
||||
-e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
|
||||
+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
|
||||
-e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
|
||||
- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
|
||||
+ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
|
||||
+ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
|
||||
done) | sort -u > $@
|
||||
platform_DATA += command.lst
|
||||
CLEANFILES += command.lst
|
@ -0,0 +1,53 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 19:59:48 +0100
|
||||
Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
|
||||
|
||||
It may be useful for scripts to determine whether the GRUB is locked
|
||||
down or not. Add the lockdown variable which is set to "y" when the GRUB
|
||||
is locked down.
|
||||
|
||||
Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/lockdown.c | 4 ++++
|
||||
docs/grub.texi | 3 +++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
|
||||
index f87ddaeb1ee..30cba7f5ea2 100644
|
||||
--- a/grub-core/kern/lockdown.c
|
||||
+++ b/grub-core/kern/lockdown.c
|
||||
@@ -18,6 +18,7 @@
|
||||
*/
|
||||
|
||||
#include <grub/dl.h>
|
||||
+#include <grub/env.h>
|
||||
#include <grub/file.h>
|
||||
#include <grub/lockdown.h>
|
||||
|
||||
@@ -84,6 +85,9 @@ grub_lockdown (void)
|
||||
#if 0
|
||||
grub_verifier_register (&lockdown_verifier);
|
||||
#endif
|
||||
+
|
||||
+ grub_env_set ("lockdown", "y");
|
||||
+ grub_env_export ("lockdown");
|
||||
}
|
||||
|
||||
int
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index 0a53c28ee88..6f5efaace32 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -5781,6 +5781,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
|
||||
if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
|
||||
be restricted and some operations/commands cannot be executed.
|
||||
|
||||
+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
|
||||
+Otherwise it does not exit.
|
||||
+
|
||||
@node Platform limitations
|
||||
@chapter Platform limitations
|
||||
|
@ -0,0 +1,52 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Mon, 28 Sep 2020 20:08:29 +0200
|
||||
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
|
||||
|
||||
If the UEFI Secure Boot is enabled then the GRUB must be locked down
|
||||
to prevent executing code that can potentially be used to subvert its
|
||||
verification mechanisms.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/efi/init.c | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
|
||||
index 79243b364a1..97bf36906a4 100644
|
||||
--- a/grub-core/kern/efi/init.c
|
||||
+++ b/grub-core/kern/efi/init.c
|
||||
@@ -20,6 +20,8 @@
|
||||
#include <grub/efi/efi.h>
|
||||
#include <grub/efi/console.h>
|
||||
#include <grub/efi/disk.h>
|
||||
+#include <grub/efi/sb.h>
|
||||
+#include <grub/lockdown.h>
|
||||
#include <grub/term.h>
|
||||
#include <grub/misc.h>
|
||||
#include <grub/env.h>
|
||||
@@ -93,6 +95,23 @@ grub_efi_init (void)
|
||||
/* Initialize the memory management system. */
|
||||
grub_efi_mm_init ();
|
||||
|
||||
+ /*
|
||||
+ * Lockdown the GRUB and register the shim_lock verifier
|
||||
+ * if the UEFI Secure Boot is enabled.
|
||||
+ */
|
||||
+ if (grub_efi_secure_boot ())
|
||||
+ {
|
||||
+ grub_lockdown ();
|
||||
+
|
||||
+ /*
|
||||
+ * TODO: Move GRUB to using the shim_lock verifier and
|
||||
+ * enable the lockdown verifier.
|
||||
+ */
|
||||
+#if 0
|
||||
+ grub_shim_lock_verifier_setup ();
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
|
||||
0, 0, 0, NULL);
|
||||
|
@ -0,0 +1,137 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Mon, 28 Sep 2020 20:08:33 +0200
|
||||
Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
|
||||
modules list
|
||||
|
||||
Now the GRUB can check if it has been locked down and this can be used to
|
||||
prevent executing commands that can be utilized to circumvent the UEFI
|
||||
Secure Boot mechanisms. So, instead of hardcoding a list of modules that
|
||||
have to be disabled, prevent the usage of commands that can be dangerous.
|
||||
|
||||
This not only allows the commands to be disabled on other platforms, but
|
||||
also properly separate the concerns. Since the shim_lock verifier logic
|
||||
should be only about preventing to run untrusted binaries and not about
|
||||
defining these kind of policies.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/iorw.c | 26 ++++++++++----------------
|
||||
grub-core/commands/memrw.c | 26 ++++++++++----------------
|
||||
2 files changed, 20 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
|
||||
index 41a7f3f0466..584baec8f91 100644
|
||||
--- a/grub-core/commands/iorw.c
|
||||
+++ b/grub-core/commands/iorw.c
|
||||
@@ -23,7 +23,7 @@
|
||||
#include <grub/env.h>
|
||||
#include <grub/cpu/io.h>
|
||||
#include <grub/i18n.h>
|
||||
-#include <grub/efi/sb.h>
|
||||
+#include <grub/lockdown.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -119,9 +119,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
|
||||
|
||||
GRUB_MOD_INIT(memrw)
|
||||
{
|
||||
- if (grub_efi_secure_boot())
|
||||
- return;
|
||||
-
|
||||
cmd_read_byte =
|
||||
grub_register_extcmd ("inb", grub_cmd_read, 0,
|
||||
N_("PORT"), N_("Read 8-bit value from PORT."),
|
||||
@@ -135,24 +132,21 @@ GRUB_MOD_INIT(memrw)
|
||||
N_("PORT"), N_("Read 32-bit value from PORT."),
|
||||
options);
|
||||
cmd_write_byte =
|
||||
- grub_register_command ("outb", grub_cmd_write,
|
||||
- N_("PORT VALUE [MASK]"),
|
||||
- N_("Write 8-bit VALUE to PORT."));
|
||||
+ grub_register_command_lockdown ("outb", grub_cmd_write,
|
||||
+ N_("PORT VALUE [MASK]"),
|
||||
+ N_("Write 8-bit VALUE to PORT."));
|
||||
cmd_write_word =
|
||||
- grub_register_command ("outw", grub_cmd_write,
|
||||
- N_("PORT VALUE [MASK]"),
|
||||
- N_("Write 16-bit VALUE to PORT."));
|
||||
+ grub_register_command_lockdown ("outw", grub_cmd_write,
|
||||
+ N_("PORT VALUE [MASK]"),
|
||||
+ N_("Write 16-bit VALUE to PORT."));
|
||||
cmd_write_dword =
|
||||
- grub_register_command ("outl", grub_cmd_write,
|
||||
- N_("ADDR VALUE [MASK]"),
|
||||
- N_("Write 32-bit VALUE to PORT."));
|
||||
+ grub_register_command_lockdown ("outl", grub_cmd_write,
|
||||
+ N_("ADDR VALUE [MASK]"),
|
||||
+ N_("Write 32-bit VALUE to PORT."));
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI(memrw)
|
||||
{
|
||||
- if (grub_efi_secure_boot())
|
||||
- return;
|
||||
-
|
||||
grub_unregister_extcmd (cmd_read_byte);
|
||||
grub_unregister_extcmd (cmd_read_word);
|
||||
grub_unregister_extcmd (cmd_read_dword);
|
||||
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
|
||||
index 088cbe9e2bc..d401a6db0ef 100644
|
||||
--- a/grub-core/commands/memrw.c
|
||||
+++ b/grub-core/commands/memrw.c
|
||||
@@ -22,7 +22,7 @@
|
||||
#include <grub/extcmd.h>
|
||||
#include <grub/env.h>
|
||||
#include <grub/i18n.h>
|
||||
-#include <grub/efi/sb.h>
|
||||
+#include <grub/lockdown.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -121,9 +121,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
|
||||
|
||||
GRUB_MOD_INIT(memrw)
|
||||
{
|
||||
- if (grub_efi_secure_boot())
|
||||
- return;
|
||||
-
|
||||
cmd_read_byte =
|
||||
grub_register_extcmd ("read_byte", grub_cmd_read, 0,
|
||||
N_("ADDR"), N_("Read 8-bit value from ADDR."),
|
||||
@@ -137,24 +134,21 @@ GRUB_MOD_INIT(memrw)
|
||||
N_("ADDR"), N_("Read 32-bit value from ADDR."),
|
||||
options);
|
||||
cmd_write_byte =
|
||||
- grub_register_command ("write_byte", grub_cmd_write,
|
||||
- N_("ADDR VALUE [MASK]"),
|
||||
- N_("Write 8-bit VALUE to ADDR."));
|
||||
+ grub_register_command_lockdown ("write_byte", grub_cmd_write,
|
||||
+ N_("ADDR VALUE [MASK]"),
|
||||
+ N_("Write 8-bit VALUE to ADDR."));
|
||||
cmd_write_word =
|
||||
- grub_register_command ("write_word", grub_cmd_write,
|
||||
- N_("ADDR VALUE [MASK]"),
|
||||
- N_("Write 16-bit VALUE to ADDR."));
|
||||
+ grub_register_command_lockdown ("write_word", grub_cmd_write,
|
||||
+ N_("ADDR VALUE [MASK]"),
|
||||
+ N_("Write 16-bit VALUE to ADDR."));
|
||||
cmd_write_dword =
|
||||
- grub_register_command ("write_dword", grub_cmd_write,
|
||||
- N_("ADDR VALUE [MASK]"),
|
||||
- N_("Write 32-bit VALUE to ADDR."));
|
||||
+ grub_register_command_lockdown ("write_dword", grub_cmd_write,
|
||||
+ N_("ADDR VALUE [MASK]"),
|
||||
+ N_("Write 32-bit VALUE to ADDR."));
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI(memrw)
|
||||
{
|
||||
- if (grub_efi_secure_boot())
|
||||
- return;
|
||||
-
|
||||
grub_unregister_extcmd (cmd_read_byte);
|
||||
grub_unregister_extcmd (cmd_read_word);
|
||||
grub_unregister_extcmd (cmd_read_dword);
|
@ -0,0 +1,72 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Mon, 28 Sep 2020 20:08:41 +0200
|
||||
Subject: [PATCH] acpi: Don't register the acpi command when locked down
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The command is not allowed when lockdown is enforced. Otherwise an
|
||||
attacker can instruct the GRUB to load an SSDT table to overwrite
|
||||
the kernel lockdown configuration and later load and execute
|
||||
unsigned code.
|
||||
|
||||
Fixes: CVE-2020-14372
|
||||
|
||||
Reported-by: Máté Kukri <km@mkukri.xyz>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/acpi.c | 15 ++++++++-------
|
||||
docs/grub.texi | 5 +++++
|
||||
2 files changed, 13 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
|
||||
index 9f02f22019a..a2912989b5c 100644
|
||||
--- a/grub-core/commands/acpi.c
|
||||
+++ b/grub-core/commands/acpi.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include <grub/mm.h>
|
||||
#include <grub/memory.h>
|
||||
#include <grub/i18n.h>
|
||||
+#include <grub/lockdown.h>
|
||||
|
||||
#ifdef GRUB_MACHINE_EFI
|
||||
#include <grub/efi/efi.h>
|
||||
@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
|
||||
|
||||
GRUB_MOD_INIT(acpi)
|
||||
{
|
||||
- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
|
||||
- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
|
||||
- "--load-only=TABLE1,TABLE2] FILE1"
|
||||
- " [FILE2] [...]"),
|
||||
- N_("Load host ACPI tables and tables "
|
||||
- "specified by arguments."),
|
||||
- options);
|
||||
+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
|
||||
+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
|
||||
+ "--load-only=TABLE1,TABLE2] FILE1"
|
||||
+ " [FILE2] [...]"),
|
||||
+ N_("Load host ACPI tables and tables "
|
||||
+ "specified by arguments."),
|
||||
+ options);
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI(acpi)
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index 6f5efaace32..a724d0712ed 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -4033,6 +4033,11 @@ Normally, this command will replace the Root System Description Pointer
|
||||
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
|
||||
@option{--no-ebda} option is used, the new tables will be known only to
|
||||
GRUB, but may be used by GRUB's EFI emulation.
|
||||
+
|
||||
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
||||
+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
|
||||
+ overwrite the kernel lockdown configuration and later load and execute
|
||||
+ unsigned code.
|
||||
@end deffn
|
||||
|
||||
|
@ -0,0 +1,66 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Wed, 14 Oct 2020 16:33:42 +0200
|
||||
Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
|
||||
is enforced
|
||||
|
||||
The cutmem and badram commands can be used to remove EFI memory regions
|
||||
and potentially disable the UEFI Secure Boot. Prevent the commands to be
|
||||
registered if the GRUB is locked down.
|
||||
|
||||
Fixes: CVE-2020-27779
|
||||
|
||||
Reported-by: Teddy Reed <teddy.reed@gmail.com>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/mmap/mmap.c | 13 +++++++------
|
||||
docs/grub.texi | 4 ++++
|
||||
2 files changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
|
||||
index 57b4e9a72a9..7ebf32e1e5e 100644
|
||||
--- a/grub-core/mmap/mmap.c
|
||||
+++ b/grub-core/mmap/mmap.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <grub/memory.h>
|
||||
#include <grub/machine/memory.h>
|
||||
#include <grub/err.h>
|
||||
+#include <grub/lockdown.h>
|
||||
#include <grub/misc.h>
|
||||
#include <grub/mm.h>
|
||||
#include <grub/command.h>
|
||||
@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
|
||||
|
||||
GRUB_MOD_INIT(mmap)
|
||||
{
|
||||
- cmd = grub_register_command ("badram", grub_cmd_badram,
|
||||
- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
|
||||
- N_("Declare memory regions as faulty (badram)."));
|
||||
- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
|
||||
- N_("FROM[K|M|G] TO[K|M|G]"),
|
||||
- N_("Remove any memory regions in specified range."));
|
||||
+ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
|
||||
+ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
|
||||
+ N_("Declare memory regions as faulty (badram)."));
|
||||
+ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
|
||||
+ N_("FROM[K|M|G] TO[K|M|G]"),
|
||||
+ N_("Remove any memory regions in specified range."));
|
||||
|
||||
}
|
||||
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index a724d0712ed..a9b02190404 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -4098,6 +4098,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
|
||||
that are often result of memory damage, due to physical distribution of memory
|
||||
cells.
|
||||
|
||||
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
||||
+ This prevents removing EFI memory regions to potentially subvert the
|
||||
+ security mechanisms provided by the UEFI secure boot.
|
||||
+
|
||||
@node blocklist
|
||||
@subsection blocklist
|
||||
|
@ -0,0 +1,108 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Wed, 24 Feb 2021 09:00:05 +0100
|
||||
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
|
||||
when locked down
|
||||
|
||||
There are some more commands that should be restricted when the GRUB is
|
||||
locked down. Following is the list of commands and reasons to restrict:
|
||||
|
||||
* fakebios: creates BIOS-like structures for backward compatibility with
|
||||
existing OSes. This should not be allowed when locked down.
|
||||
|
||||
* loadbios: reads a BIOS dump from storage and loads it. This action
|
||||
should not be allowed when locked down.
|
||||
|
||||
* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
|
||||
any Device Tree provided by the firmware. This also should
|
||||
not be allowed when locked down.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/efi/loadbios.c | 14 +++++++-------
|
||||
grub-core/loader/arm/linux.c | 6 +++---
|
||||
grub-core/loader/efi/fdt.c | 4 ++--
|
||||
docs/grub.texi | 6 ++++--
|
||||
4 files changed, 16 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
|
||||
index 132cadbc764..3da4c26df7a 100644
|
||||
--- a/grub-core/commands/efi/loadbios.c
|
||||
+++ b/grub-core/commands/efi/loadbios.c
|
||||
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
|
||||
|
||||
GRUB_MOD_INIT(loadbios)
|
||||
{
|
||||
- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
|
||||
- 0, N_("Create BIOS-like structures for"
|
||||
- " backward compatibility with"
|
||||
- " existing OS."));
|
||||
+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
|
||||
+ 0, N_("Create BIOS-like structures for"
|
||||
+ " backward compatibility with"
|
||||
+ " existing OS."));
|
||||
|
||||
- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
|
||||
- N_("BIOS_DUMP [INT10_DUMP]"),
|
||||
- N_("Load BIOS dump."));
|
||||
+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
|
||||
+ N_("BIOS_DUMP [INT10_DUMP]"),
|
||||
+ N_("Load BIOS dump."));
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI(loadbios)
|
||||
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
||||
index ea29d7a724a..ff2911baa67 100644
|
||||
--- a/grub-core/loader/arm/linux.c
|
||||
+++ b/grub-core/loader/arm/linux.c
|
||||
@@ -489,9 +489,9 @@ GRUB_MOD_INIT (linux)
|
||||
0, N_("Load Linux."));
|
||||
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
|
||||
0, N_("Load initrd."));
|
||||
- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
|
||||
- /* TRANSLATORS: DTB stands for device tree blob. */
|
||||
- 0, N_("Load DTB file."));
|
||||
+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
|
||||
+ /* TRANSLATORS: DTB stands for device tree blob. */
|
||||
+ 0, N_("Load DTB file."));
|
||||
my_mod = mod;
|
||||
current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
|
||||
machine_type = grub_arm_firmware_get_machine_type ();
|
||||
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
||||
index a9dbcfdfeaf..c0ea050dc8b 100644
|
||||
--- a/grub-core/loader/efi/fdt.c
|
||||
+++ b/grub-core/loader/efi/fdt.c
|
||||
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
|
||||
GRUB_MOD_INIT (fdt)
|
||||
{
|
||||
cmd_devicetree =
|
||||
- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
|
||||
- N_("Load DTB file."));
|
||||
+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
|
||||
+ N_("Load DTB file."));
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI (fdt)
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index a9b02190404..71943b15dd1 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -4276,13 +4276,15 @@ hour, minute, and second unchanged.
|
||||
|
||||
|
||||
@node devicetree
|
||||
-@subsection linux
|
||||
+@subsection devicetree
|
||||
|
||||
@deffn Command devicetree file
|
||||
Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
|
||||
kernel. Does not perform merging with any device tree supplied by firmware,
|
||||
but rather replaces it completely.
|
||||
-@ref{GNU/Linux}.
|
||||
+
|
||||
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
||||
+ This is done to prevent subverting various security mechanisms.
|
||||
@end deffn
|
||||
|
||||
@node distrust
|
@ -0,0 +1,33 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Wed, 24 Feb 2021 22:59:59 +0100
|
||||
Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
|
||||
|
||||
This command can set PCI devices register values, which makes it dangerous
|
||||
in a locked down configuration. Restrict it so can't be used on this setup.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/setpci.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
|
||||
index d5bc97d60b2..fa2ba7d8919 100644
|
||||
--- a/grub-core/commands/setpci.c
|
||||
+++ b/grub-core/commands/setpci.c
|
||||
@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
|
||||
|
||||
GRUB_MOD_INIT(setpci)
|
||||
{
|
||||
- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
|
||||
- N_("[-s POSITION] [-d DEVICE] [-v VAR] "
|
||||
- "REGISTER[=VALUE[:MASK]]"),
|
||||
- N_("Manipulate PCI devices."), options);
|
||||
+ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
|
||||
+ N_("[-s POSITION] [-d DEVICE] [-v VAR] "
|
||||
+ "REGISTER[=VALUE[:MASK]]"),
|
||||
+ N_("Manipulate PCI devices."), options);
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI(setpci)
|
@ -0,0 +1,31 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Wed, 24 Feb 2021 12:59:29 +0100
|
||||
Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
|
||||
|
||||
The command can be used to get/set ATA disk parameters. Some of these can
|
||||
be dangerous since change the disk behavior. Restrict it when locked down.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/hdparm.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
|
||||
index d3fa9661e5f..2e2319e645a 100644
|
||||
--- a/grub-core/commands/hdparm.c
|
||||
+++ b/grub-core/commands/hdparm.c
|
||||
@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
|
||||
|
||||
GRUB_MOD_INIT(hdparm)
|
||||
{
|
||||
- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
|
||||
- N_("[OPTIONS] DISK"),
|
||||
- N_("Get/set ATA disk parameters."), options);
|
||||
+ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
|
||||
+ N_("[OPTIONS] DISK"),
|
||||
+ N_("Get/set ATA disk parameters."), options);
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI(hdparm)
|
58
SOURCES/0327-gdb-Restrict-GDB-access-when-locked-down.patch
Normal file
58
SOURCES/0327-gdb-Restrict-GDB-access-when-locked-down.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Wed, 24 Feb 2021 15:03:26 +0100
|
||||
Subject: [PATCH] gdb: Restrict GDB access when locked down
|
||||
|
||||
The gdbstub* commands allow to start and control a GDB stub running on
|
||||
local host that can be used to connect from a remote debugger. Restrict
|
||||
this functionality when the GRUB is locked down.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
|
||||
1 file changed, 18 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
|
||||
index 847a1e1e36f..1818cb6f8eb 100644
|
||||
--- a/grub-core/gdb/gdb.c
|
||||
+++ b/grub-core/gdb/gdb.c
|
||||
@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
|
||||
GRUB_MOD_INIT (gdb)
|
||||
{
|
||||
grub_gdb_idtinit ();
|
||||
- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
|
||||
- N_("PORT"),
|
||||
- /* TRANSLATORS: GDB stub is a small part of
|
||||
- GDB functionality running on local host
|
||||
- which allows remote debugger to
|
||||
- connect to it. */
|
||||
- N_("Start GDB stub on given port"));
|
||||
- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
|
||||
- /* TRANSLATORS: this refers to triggering
|
||||
- a breakpoint so that the user will land
|
||||
- into GDB. */
|
||||
- 0, N_("Break into GDB"));
|
||||
- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
|
||||
- 0, N_("Stop GDB stub"));
|
||||
+ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
|
||||
+ N_("PORT"),
|
||||
+ /*
|
||||
+ * TRANSLATORS: GDB stub is a small part of
|
||||
+ * GDB functionality running on local host
|
||||
+ * which allows remote debugger to
|
||||
+ * connect to it.
|
||||
+ */
|
||||
+ N_("Start GDB stub on given port"));
|
||||
+ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
|
||||
+ /*
|
||||
+ * TRANSLATORS: this refers to triggering
|
||||
+ * a breakpoint so that the user will land
|
||||
+ * into GDB.
|
||||
+ */
|
||||
+ 0, N_("Break into GDB"));
|
||||
+ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
|
||||
+ 0, N_("Stop GDB stub"));
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI (gdb)
|
@ -0,0 +1,57 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Wed, 24 Feb 2021 14:44:38 +0100
|
||||
Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
|
||||
locked down
|
||||
|
||||
The shim_lock verifier validates the XNU kernels but no its extensions
|
||||
and packages. Prevent these to be loaded when the GRUB is locked down.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
|
||||
1 file changed, 17 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
||||
index 2bf02489bad..0c4b33250fb 100644
|
||||
--- a/grub-core/loader/xnu.c
|
||||
+++ b/grub-core/loader/xnu.c
|
||||
@@ -1480,20 +1480,23 @@ GRUB_MOD_INIT(xnu)
|
||||
N_("Load XNU image."));
|
||||
cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
|
||||
0, N_("Load 64-bit XNU image."));
|
||||
- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
|
||||
- N_("Load XNU extension package."));
|
||||
- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
|
||||
- N_("Load XNU extension."));
|
||||
- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
|
||||
- /* TRANSLATORS: OSBundleRequired is a
|
||||
- variable name in xnu extensions
|
||||
- manifests. It behaves mostly like
|
||||
- GNU/Linux runlevels.
|
||||
- */
|
||||
- N_("DIRECTORY [OSBundleRequired]"),
|
||||
- /* TRANSLATORS: There are many extensions
|
||||
- in extension directory. */
|
||||
- N_("Load XNU extension directory."));
|
||||
+ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
|
||||
+ N_("Load XNU extension package."));
|
||||
+ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
|
||||
+ N_("Load XNU extension."));
|
||||
+ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
|
||||
+ /*
|
||||
+ * TRANSLATORS: OSBundleRequired is
|
||||
+ * a variable name in xnu extensions
|
||||
+ * manifests. It behaves mostly like
|
||||
+ * GNU/Linux runlevels.
|
||||
+ */
|
||||
+ N_("DIRECTORY [OSBundleRequired]"),
|
||||
+ /*
|
||||
+ * TRANSLATORS: There are many extensions
|
||||
+ * in extension directory.
|
||||
+ */
|
||||
+ N_("Load XNU extension directory."));
|
||||
cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
|
||||
/* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
|
||||
N_("Load XNU ramdisk. "
|
61
SOURCES/0329-docs-Document-the-cutmem-command.patch
Normal file
61
SOURCES/0329-docs-Document-the-cutmem-command.patch
Normal file
@ -0,0 +1,61 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Sat, 7 Nov 2020 01:03:18 +0100
|
||||
Subject: [PATCH] docs: Document the cutmem command
|
||||
|
||||
The command is not present in the docs/grub.texi user documentation.
|
||||
|
||||
Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
---
|
||||
docs/grub.texi | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index 71943b15dd1..067aa294162 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -3941,6 +3941,7 @@ you forget a command, you can run the command @command{help}
|
||||
* cpuid:: Check for CPU features
|
||||
* crc:: Compute or check CRC32 checksums
|
||||
* cryptomount:: Mount a crypto device
|
||||
+* cutmem:: Remove memory regions
|
||||
* date:: Display or set current date and time
|
||||
* devicetree:: Load a device tree blob
|
||||
* distrust:: Remove a pubkey from trusted keys
|
||||
@@ -4098,6 +4099,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
|
||||
that are often result of memory damage, due to physical distribution of memory
|
||||
cells.
|
||||
|
||||
+The command is similar to @command{cutmem} command.
|
||||
+
|
||||
Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
||||
This prevents removing EFI memory regions to potentially subvert the
|
||||
security mechanisms provided by the UEFI secure boot.
|
||||
@@ -4261,6 +4264,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
|
||||
be used.
|
||||
@end deffn
|
||||
|
||||
+@node cutmem
|
||||
+@subsection cutmem
|
||||
+
|
||||
+@deffn Command cutmem from[K|M|G] to[K|M|G]
|
||||
+Remove any memory regions in specified range.
|
||||
+@end deffn
|
||||
+
|
||||
+This command notifies the memory manager that specified regions of RAM ought to
|
||||
+be filtered out. This remains in effect after a payload kernel has been loaded
|
||||
+by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
|
||||
+that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
|
||||
+kernels in general.
|
||||
+
|
||||
+The command is similar to @command{badram} command.
|
||||
+
|
||||
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
||||
+ This prevents removing EFI memory regions to potentially subvert the
|
||||
+ security mechanisms provided by the UEFI secure boot.
|
||||
|
||||
@node date
|
||||
@subsection date
|
@ -0,0 +1,83 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Tue, 29 Sep 2020 14:08:55 +0200
|
||||
Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
|
||||
|
||||
When a module is attempted to be removed its reference counter is always
|
||||
decremented. This means that repeated rmmod invocations will cause the
|
||||
module to be unloaded even if another module depends on it.
|
||||
|
||||
This may lead to a use-after-free scenario allowing an attacker to execute
|
||||
arbitrary code and by-pass the UEFI Secure Boot protection.
|
||||
|
||||
While being there, add the extern keyword to some function declarations in
|
||||
that header file.
|
||||
|
||||
Fixes: CVE-2020-25632
|
||||
|
||||
Reported-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/minicmd.c | 7 +++++--
|
||||
grub-core/kern/dl.c | 9 +++++++++
|
||||
include/grub/dl.h | 8 +++++---
|
||||
3 files changed, 19 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
|
||||
index b25ca4b9f17..4660a020bda 100644
|
||||
--- a/grub-core/commands/minicmd.c
|
||||
+++ b/grub-core/commands/minicmd.c
|
||||
@@ -137,8 +137,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
|
||||
if (! mod)
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such module");
|
||||
|
||||
- if (grub_dl_unref (mod) <= 0)
|
||||
- grub_dl_unload (mod);
|
||||
+ if (grub_dl_ref_count (mod) > 1)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
|
||||
+
|
||||
+ grub_dl_unref (mod);
|
||||
+ grub_dl_unload (mod);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
|
||||
index 91105bc4677..333c1329eab 100644
|
||||
--- a/grub-core/kern/dl.c
|
||||
+++ b/grub-core/kern/dl.c
|
||||
@@ -621,6 +621,15 @@ grub_dl_unref (grub_dl_t mod)
|
||||
return --mod->ref_count;
|
||||
}
|
||||
|
||||
+int
|
||||
+grub_dl_ref_count (grub_dl_t mod)
|
||||
+{
|
||||
+ if (mod == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ return mod->ref_count;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
grub_dl_flush_cache (grub_dl_t mod)
|
||||
{
|
||||
diff --git a/include/grub/dl.h b/include/grub/dl.h
|
||||
index 7b5bfb07ce6..a58fbc767c0 100644
|
||||
--- a/include/grub/dl.h
|
||||
+++ b/include/grub/dl.h
|
||||
@@ -204,9 +204,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
|
||||
grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
|
||||
grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
|
||||
int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
|
||||
-void grub_dl_unload_unneeded (void);
|
||||
-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
|
||||
-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
|
||||
+extern void grub_dl_unload_unneeded (void);
|
||||
+extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
|
||||
+extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
|
||||
+extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
|
||||
+
|
||||
extern grub_dl_t EXPORT_VAR(grub_dl_head);
|
||||
|
||||
#ifndef GRUB_UTIL
|
@ -0,0 +1,112 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Fri, 11 Dec 2020 19:19:21 +0100
|
||||
Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
|
||||
devices
|
||||
|
||||
The maximum number of configurations and interfaces are fixed but there is
|
||||
no out-of-bound checking to prevent a malicious USB device to report large
|
||||
values for these and cause accesses outside the arrays' memory.
|
||||
|
||||
Fixes: CVE-2020-25647
|
||||
|
||||
Reported-by: Joseph Tartaro (IOActive)
|
||||
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/bus/usb/usb.c | 15 ++++++++++++---
|
||||
include/grub/usb.h | 10 +++++++---
|
||||
2 files changed, 19 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
|
||||
index 8da5e4c7491..7cb3cc230b2 100644
|
||||
--- a/grub-core/bus/usb/usb.c
|
||||
+++ b/grub-core/bus/usb/usb.c
|
||||
@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
|
||||
grub_usb_err_t
|
||||
grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
|
||||
{
|
||||
+ if (endpoint >= GRUB_USB_MAX_TOGGLE)
|
||||
+ return GRUB_USB_ERR_BADDEVICE;
|
||||
+
|
||||
dev->toggle[endpoint] = 0;
|
||||
return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
|
||||
| GRUB_USB_REQTYPE_STANDARD
|
||||
@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
|
||||
return err;
|
||||
descdev = &dev->descdev;
|
||||
|
||||
- for (i = 0; i < 8; i++)
|
||||
+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
|
||||
dev->config[i].descconf = NULL;
|
||||
|
||||
- if (descdev->configcnt == 0)
|
||||
+ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
|
||||
{
|
||||
err = GRUB_USB_ERR_BADDEVICE;
|
||||
goto fail;
|
||||
@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
|
||||
/* Skip the configuration descriptor. */
|
||||
pos = dev->config[i].descconf->length;
|
||||
|
||||
+ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
|
||||
+ {
|
||||
+ err = GRUB_USB_ERR_BADDEVICE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
/* Read all interfaces. */
|
||||
for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
|
||||
{
|
||||
@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
|
||||
|
||||
fail:
|
||||
|
||||
- for (i = 0; i < 8; i++)
|
||||
+ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
|
||||
grub_free (dev->config[i].descconf);
|
||||
|
||||
return err;
|
||||
diff --git a/include/grub/usb.h b/include/grub/usb.h
|
||||
index 512ae1dd0e6..6475c552fc6 100644
|
||||
--- a/include/grub/usb.h
|
||||
+++ b/include/grub/usb.h
|
||||
@@ -23,6 +23,10 @@
|
||||
#include <grub/usbdesc.h>
|
||||
#include <grub/usbtrans.h>
|
||||
|
||||
+#define GRUB_USB_MAX_CONF 8
|
||||
+#define GRUB_USB_MAX_IF 32
|
||||
+#define GRUB_USB_MAX_TOGGLE 256
|
||||
+
|
||||
typedef struct grub_usb_device *grub_usb_device_t;
|
||||
typedef struct grub_usb_controller *grub_usb_controller_t;
|
||||
typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
|
||||
@@ -167,7 +171,7 @@ struct grub_usb_configuration
|
||||
struct grub_usb_desc_config *descconf;
|
||||
|
||||
/* Interfaces associated to this configuration. */
|
||||
- struct grub_usb_interface interf[32];
|
||||
+ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
|
||||
};
|
||||
|
||||
struct grub_usb_hub_port
|
||||
@@ -191,7 +195,7 @@ struct grub_usb_device
|
||||
struct grub_usb_controller controller;
|
||||
|
||||
/* Device configurations (after opening the device). */
|
||||
- struct grub_usb_configuration config[8];
|
||||
+ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
|
||||
|
||||
/* Device address. */
|
||||
int addr;
|
||||
@@ -203,7 +207,7 @@ struct grub_usb_device
|
||||
int initialized;
|
||||
|
||||
/* Data toggle values (used for bulk transfers only). */
|
||||
- int toggle[256];
|
||||
+ int toggle[GRUB_USB_MAX_TOGGLE];
|
||||
|
||||
/* Used by libusb wrapper. Schedulded for removal. */
|
||||
void *data;
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 3 Dec 2020 14:39:45 +0000
|
||||
Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
|
||||
|
||||
When returning from grub_mmap_iterate() the memory allocated to present
|
||||
is not being released causing it to leak.
|
||||
|
||||
Fixes: CID 96655
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/mmap/mmap.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
|
||||
index 7ebf32e1e5e..8bf235f3400 100644
|
||||
--- a/grub-core/mmap/mmap.c
|
||||
+++ b/grub-core/mmap/mmap.c
|
||||
@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
|
||||
hook_data))
|
||||
{
|
||||
grub_free (ctx.scanline_events);
|
||||
+ grub_free (present);
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
|
||||
}
|
||||
|
||||
grub_free (ctx.scanline_events);
|
||||
+ grub_free (present);
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 27 Nov 2020 15:10:26 +0000
|
||||
Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
|
||||
|
||||
It is always possible that grub_zalloc() could fail, so we should check for
|
||||
a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
|
||||
|
||||
Fixes: CID 296221
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/net/net.c | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
|
||||
index 0e72bbb9b39..50d0609038c 100644
|
||||
--- a/grub-core/net/net.c
|
||||
+++ b/grub-core/net/net.c
|
||||
@@ -89,8 +89,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
|
||||
|
||||
/* Add sender to cache table. */
|
||||
if (card->link_layer_table == NULL)
|
||||
- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
|
||||
- * sizeof (card->link_layer_table[0]));
|
||||
+ {
|
||||
+ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
|
||||
+ * sizeof (card->link_layer_table[0]));
|
||||
+ if (card->link_layer_table == NULL)
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
entry = &(card->link_layer_table[card->new_ll_entry]);
|
||||
entry->avail = 1;
|
||||
grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));
|
30
SOURCES/0334-net-tftp-Fix-dangling-memory-pointer.patch
Normal file
30
SOURCES/0334-net-tftp-Fix-dangling-memory-pointer.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 19 Feb 2021 17:12:23 +0000
|
||||
Subject: [PATCH] net/tftp: Fix dangling memory pointer
|
||||
|
||||
The static code analysis tool, Parfait, reported that the valid of
|
||||
file->data was left referencing memory that was freed by the call to
|
||||
grub_free(data) where data was initialized from file->data.
|
||||
|
||||
To ensure that there is no unintentional access to this memory
|
||||
referenced by file->data we should set the pointer to NULL.
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/net/tftp.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
|
||||
index b9a4b607a3d..aa0424dcee3 100644
|
||||
--- a/grub-core/net/tftp.c
|
||||
+++ b/grub-core/net/tftp.c
|
||||
@@ -444,6 +444,7 @@ tftp_close (struct grub_file *file)
|
||||
grub_net_udp_close (data->sock);
|
||||
}
|
||||
grub_free (data);
|
||||
+ file->data = NULL;
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
47
SOURCES/0335-kern-parser-Fix-resource-leak-if-argc-0.patch
Normal file
47
SOURCES/0335-kern-parser-Fix-resource-leak-if-argc-0.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 22 Jan 2021 12:32:41 +0000
|
||||
Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
|
||||
|
||||
After processing the command-line yet arriving at the point where we are
|
||||
setting argv, we are allocating memory, even if argc == 0, which makes
|
||||
no sense since we never put anything into the allocated argv.
|
||||
|
||||
The solution is to simply return that we've successfully processed the
|
||||
arguments but that argc == 0, and also ensure that argv is NULL when
|
||||
we're not allocating anything in it.
|
||||
|
||||
There are only 2 callers of this function, and both are handling a zero
|
||||
value in argc assuming nothing is allocated in argv.
|
||||
|
||||
Fixes: CID 96680
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/parser.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
|
||||
index 619db3122a0..d1cf061ad68 100644
|
||||
--- a/grub-core/kern/parser.c
|
||||
+++ b/grub-core/kern/parser.c
|
||||
@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
|
||||
int i;
|
||||
|
||||
*argc = 0;
|
||||
+ *argv = NULL;
|
||||
do
|
||||
{
|
||||
if (!rd || !*rd)
|
||||
@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
|
||||
(*argc)++;
|
||||
}
|
||||
|
||||
+ /* If there are no args, then we're done. */
|
||||
+ if (!*argc)
|
||||
+ return 0;
|
||||
+
|
||||
/* Reserve memory for the return values. */
|
||||
args = grub_malloc (bp - buffer);
|
||||
if (!args)
|
27
SOURCES/0336-kern-efi-Fix-memory-leak-on-failure.patch
Normal file
27
SOURCES/0336-kern-efi-Fix-memory-leak-on-failure.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 5 Nov 2020 10:15:25 +0000
|
||||
Subject: [PATCH] kern/efi: Fix memory leak on failure
|
||||
|
||||
Free the memory allocated to name before returning on failure.
|
||||
|
||||
Fixes: CID 296222
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/efi/efi.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
|
||||
index 5dfcf943322..4b95a400490 100644
|
||||
--- a/grub-core/kern/efi/efi.c
|
||||
+++ b/grub-core/kern/efi/efi.c
|
||||
@@ -400,6 +400,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
|
||||
{
|
||||
grub_error (GRUB_ERR_OUT_OF_RANGE,
|
||||
"malformed EFI Device Path node has length=%d", len);
|
||||
+ grub_free (name);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -0,0 +1,65 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 11 Dec 2020 15:03:13 +0000
|
||||
Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
|
||||
|
||||
The model of grub_efi_get_memory_map() is that if memory_map is NULL,
|
||||
then the purpose is to discover how much memory should be allocated to
|
||||
it for the subsequent call.
|
||||
|
||||
The problem here is that with grub_efi_is_finished set to 1, there is no
|
||||
check at all that the function is being called with a non-NULL memory_map.
|
||||
|
||||
While this MAY be true, we shouldn't assume it.
|
||||
|
||||
The solution to this is to behave as expected, and if memory_map is NULL,
|
||||
then don't try to use it and allow memory_map_size to be filled in, and
|
||||
return 0 as is done later in the code if the buffer is too small (or NULL).
|
||||
|
||||
Additionally, drop unneeded ret = 1.
|
||||
|
||||
Fixes: CID 96632
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/efi/mm.c | 23 ++++++++++++++++-------
|
||||
1 file changed, 16 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
|
||||
index 306924f73a4..2d9c9032b2a 100644
|
||||
--- a/grub-core/kern/efi/mm.c
|
||||
+++ b/grub-core/kern/efi/mm.c
|
||||
@@ -372,16 +372,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
|
||||
if (grub_efi_is_finished)
|
||||
{
|
||||
int ret = 1;
|
||||
- if (*memory_map_size < finish_mmap_size)
|
||||
+
|
||||
+ if (memory_map != NULL)
|
||||
{
|
||||
- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
|
||||
+ if (*memory_map_size < finish_mmap_size)
|
||||
+ {
|
||||
+ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
|
||||
+ ret = 0;
|
||||
+ }
|
||||
+ else
|
||||
+ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ /*
|
||||
+ * Incomplete, no buffer to copy into, same as
|
||||
+ * GRUB_EFI_BUFFER_TOO_SMALL below.
|
||||
+ */
|
||||
ret = 0;
|
||||
}
|
||||
- else
|
||||
- {
|
||||
- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
|
||||
- ret = 1;
|
||||
- }
|
||||
*memory_map_size = finish_mmap_size;
|
||||
if (map_key)
|
||||
*map_key = finish_key;
|
73
SOURCES/0338-gnulib-regexec-Resolve-unused-variable.patch
Normal file
73
SOURCES/0338-gnulib-regexec-Resolve-unused-variable.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Wed, 21 Oct 2020 14:41:27 +0000
|
||||
Subject: [PATCH] gnulib/regexec: Resolve unused variable
|
||||
|
||||
This is a really minor issue where a variable is being assigned to but
|
||||
not checked before it is overwritten again.
|
||||
|
||||
The reason for this issue is that we are not building with DEBUG set and
|
||||
this in turn means that the assert() that reads the value of the
|
||||
variable match_last is being processed out.
|
||||
|
||||
The solution, move the assignment to match_last in to an ifdef DEBUG too.
|
||||
|
||||
Fixes: CID 292459
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/gnulib/regexec.c | 4 ++++
|
||||
conf/Makefile.extra-dist | 1 +
|
||||
grub-core/gnulib-fix-unused-value.patch | 14 ++++++++++++++
|
||||
3 files changed, 19 insertions(+)
|
||||
create mode 100644 grub-core/gnulib-fix-unused-value.patch
|
||||
|
||||
diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c
|
||||
index a7776f088f2..9264f262893 100644
|
||||
--- a/grub-core/gnulib/regexec.c
|
||||
+++ b/grub-core/gnulib/regexec.c
|
||||
@@ -879,7 +879,11 @@ re_search_internal (const regex_t *preg,
|
||||
break;
|
||||
if (BE (err != REG_NOMATCH, 0))
|
||||
goto free_return;
|
||||
+#ifdef DEBUG
|
||||
+ /* Only used for assertion below when DEBUG is set, otherwise
|
||||
+ it will be over-written when we loop around. */
|
||||
match_last = REG_MISSING;
|
||||
+#endif
|
||||
}
|
||||
else
|
||||
break; /* We found a match. */
|
||||
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
|
||||
index 5946ec24a65..b53fe6dfdcc 100644
|
||||
--- a/conf/Makefile.extra-dist
|
||||
+++ b/conf/Makefile.extra-dist
|
||||
@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
|
||||
EXTRA_DIST += grub-core/genemuinitheader.sh
|
||||
|
||||
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
|
||||
+EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-width.diff
|
||||
EXTRA_DIST += grub-core/gnulib-no-abort.diff
|
||||
EXTRA_DIST += grub-core/gnulib-no-gets.diff
|
||||
diff --git a/grub-core/gnulib-fix-unused-value.patch b/grub-core/gnulib-fix-unused-value.patch
|
||||
new file mode 100644
|
||||
index 00000000000..452a8732922
|
||||
--- /dev/null
|
||||
+++ b/grub-core/gnulib-fix-unused-value.patch
|
||||
@@ -0,0 +1,14 @@
|
||||
+--- grub-core/gnulib/regexec.c 2020-10-21 14:25:35.310195912 +0000
|
||||
++++ grub-core/gnulib/regexec.c 2020-10-21 14:32:07.961765604 +0000
|
||||
+@@ -828,7 +828,11 @@
|
||||
+ break;
|
||||
+ if (BE (err != REG_NOMATCH, 0))
|
||||
+ goto free_return;
|
||||
++#ifdef DEBUG
|
||||
++ /* Only used for assertion below when DEBUG is set, otherwise
|
||||
++ it will be over-written when we loop around. */
|
||||
+ match_last = REG_MISSING;
|
||||
++#endif
|
||||
+ }
|
||||
+ else
|
||||
+ break; /* We found a match. */
|
@ -0,0 +1,64 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 22 Oct 2020 13:54:06 +0000
|
||||
Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
|
||||
|
||||
The code is assuming that the value of br_token.constraint was
|
||||
initialized to zero when it wasn't.
|
||||
|
||||
While some compilers will ensure that, not all do, so it is better to
|
||||
fix this explicitly than leave it to chance.
|
||||
|
||||
Fixes: CID 73749
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/gnulib/regcomp.c | 2 +-
|
||||
conf/Makefile.extra-dist | 1 +
|
||||
grub-core/gnulib-fix-uninit-structure.patch | 11 +++++++++++
|
||||
3 files changed, 13 insertions(+), 1 deletion(-)
|
||||
create mode 100644 grub-core/gnulib-fix-uninit-structure.patch
|
||||
|
||||
diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c
|
||||
index 596e0cf3ef7..de9f622088f 100644
|
||||
--- a/grub-core/gnulib/regcomp.c
|
||||
+++ b/grub-core/gnulib/regcomp.c
|
||||
@@ -3641,7 +3641,7 @@ build_charclass_op (re_dfa_t *dfa, RE_TRANSLATE_TYPE trans,
|
||||
Idx alloc = 0;
|
||||
#endif /* not RE_ENABLE_I18N */
|
||||
reg_errcode_t ret;
|
||||
- re_token_t br_token;
|
||||
+ re_token_t br_token = {0};
|
||||
bin_tree_t *tree;
|
||||
|
||||
sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
|
||||
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
|
||||
index b53fe6dfdcc..883baba56d5 100644
|
||||
--- a/conf/Makefile.extra-dist
|
||||
+++ b/conf/Makefile.extra-dist
|
||||
@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
|
||||
EXTRA_DIST += grub-core/genemuinitheader.sh
|
||||
|
||||
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
|
||||
+EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-width.diff
|
||||
EXTRA_DIST += grub-core/gnulib-no-abort.diff
|
||||
diff --git a/grub-core/gnulib-fix-uninit-structure.patch b/grub-core/gnulib-fix-uninit-structure.patch
|
||||
new file mode 100644
|
||||
index 00000000000..7b4d9f67af4
|
||||
--- /dev/null
|
||||
+++ b/grub-core/gnulib-fix-uninit-structure.patch
|
||||
@@ -0,0 +1,11 @@
|
||||
+--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000
|
||||
++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000
|
||||
+@@ -3662,7 +3662,7 @@
|
||||
+ Idx alloc = 0;
|
||||
+ #endif /* not RE_ENABLE_I18N */
|
||||
+ reg_errcode_t ret;
|
||||
+- re_token_t br_token;
|
||||
++ re_token_t br_token = {0};
|
||||
+ bin_tree_t *tree;
|
||||
+
|
||||
+ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
|
@ -0,0 +1,64 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Wed, 28 Oct 2020 14:43:01 +0000
|
||||
Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
|
||||
|
||||
All other instances of call to __argp_failure() where there is
|
||||
a dgettext() call is first checking whether state is NULL before
|
||||
attempting to dereference it to get the root_argp->argp_domain.
|
||||
|
||||
Fixes: CID 292436
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/gnulib/argp-help.c | 3 ++-
|
||||
conf/Makefile.extra-dist | 1 +
|
||||
grub-core/gnulib-fix-null-state-deref.patch | 12 ++++++++++++
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
create mode 100644 grub-core/gnulib-fix-null-state-deref.patch
|
||||
|
||||
diff --git a/grub-core/gnulib/argp-help.c b/grub-core/gnulib/argp-help.c
|
||||
index b9be63f40d2..8af8be07341 100644
|
||||
--- a/grub-core/gnulib/argp-help.c
|
||||
+++ b/grub-core/gnulib/argp-help.c
|
||||
@@ -145,7 +145,8 @@ validate_uparams (const struct argp_state *state, struct uparams *upptr)
|
||||
if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
|
||||
{
|
||||
__argp_failure (state, 0, 0,
|
||||
- dgettext (state->root_argp->argp_domain,
|
||||
+ dgettext (state == NULL ? NULL
|
||||
+ : state->root_argp->argp_domain,
|
||||
"\
|
||||
ARGP_HELP_FMT: %s value is less than or equal to %s"),
|
||||
"rmargin", up->name);
|
||||
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
|
||||
index 883baba56d5..06606de8d19 100644
|
||||
--- a/conf/Makefile.extra-dist
|
||||
+++ b/conf/Makefile.extra-dist
|
||||
@@ -31,6 +31,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
|
||||
EXTRA_DIST += grub-core/genemuinitheader.sh
|
||||
|
||||
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
|
||||
+EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-width.diff
|
||||
diff --git a/grub-core/gnulib-fix-null-state-deref.patch b/grub-core/gnulib-fix-null-state-deref.patch
|
||||
new file mode 100644
|
||||
index 00000000000..813ec09c8a1
|
||||
--- /dev/null
|
||||
+++ b/grub-core/gnulib-fix-null-state-deref.patch
|
||||
@@ -0,0 +1,12 @@
|
||||
+--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000
|
||||
++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000
|
||||
+@@ -145,7 +145,8 @@
|
||||
+ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
|
||||
+ {
|
||||
+ __argp_failure (state, 0, 0,
|
||||
+- dgettext (state->root_argp->argp_domain,
|
||||
++ dgettext (state == NULL ? NULL
|
||||
++ : state->root_argp->argp_domain,
|
||||
+ "\
|
||||
+ ARGP_HELP_FMT: %s value is less than or equal to %s"),
|
||||
+ "rmargin", up->name);
|
@ -0,0 +1,65 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 5 Nov 2020 10:57:14 +0000
|
||||
Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
|
||||
|
||||
It appears to be possible that the mctx->state_log field may be NULL,
|
||||
and the name of this function, clean_state_log_if_needed(), suggests
|
||||
that it should be checking that it is valid to be cleaned before
|
||||
assuming that it does.
|
||||
|
||||
Fixes: CID 86720
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/gnulib/regexec.c | 3 +++
|
||||
conf/Makefile.extra-dist | 1 +
|
||||
grub-core/gnulib-fix-regexec-null-deref.patch | 12 ++++++++++++
|
||||
3 files changed, 16 insertions(+)
|
||||
create mode 100644 grub-core/gnulib-fix-regexec-null-deref.patch
|
||||
|
||||
diff --git a/grub-core/gnulib/regexec.c b/grub-core/gnulib/regexec.c
|
||||
index 9264f262893..fdacff12ce3 100644
|
||||
--- a/grub-core/gnulib/regexec.c
|
||||
+++ b/grub-core/gnulib/regexec.c
|
||||
@@ -1754,6 +1754,9 @@ clean_state_log_if_needed (re_match_context_t *mctx, Idx next_state_log_idx)
|
||||
{
|
||||
Idx top = mctx->state_log_top;
|
||||
|
||||
+ if (mctx->state_log == NULL)
|
||||
+ return REG_NOERROR;
|
||||
+
|
||||
if ((next_state_log_idx >= mctx->input.bufs_len
|
||||
&& mctx->input.bufs_len < mctx->input.len)
|
||||
|| (next_state_log_idx >= mctx->input.valid_len
|
||||
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
|
||||
index 06606de8d19..edbe7846eb1 100644
|
||||
--- a/conf/Makefile.extra-dist
|
||||
+++ b/conf/Makefile.extra-dist
|
||||
@@ -32,6 +32,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
|
||||
|
||||
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
|
||||
EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
|
||||
+EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-width.diff
|
||||
diff --git a/grub-core/gnulib-fix-regexec-null-deref.patch b/grub-core/gnulib-fix-regexec-null-deref.patch
|
||||
new file mode 100644
|
||||
index 00000000000..db6dac9c9e3
|
||||
--- /dev/null
|
||||
+++ b/grub-core/gnulib-fix-regexec-null-deref.patch
|
||||
@@ -0,0 +1,12 @@
|
||||
+--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
|
||||
++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
|
||||
+@@ -1692,6 +1692,9 @@
|
||||
+ {
|
||||
+ Idx top = mctx->state_log_top;
|
||||
+
|
||||
++ if (mctx->state_log == NULL)
|
||||
++ return REG_NOERROR;
|
||||
++
|
||||
+ if ((next_state_log_idx >= mctx->input.bufs_len
|
||||
+ && mctx->input.bufs_len < mctx->input.len)
|
||||
+ || (next_state_log_idx >= mctx->input.valid_len
|
64
SOURCES/0342-gnulib-regcomp-Fix-uninitialized-re_token.patch
Normal file
64
SOURCES/0342-gnulib-regcomp-Fix-uninitialized-re_token.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Tue, 24 Nov 2020 18:04:22 +0000
|
||||
Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
|
||||
|
||||
This issue has been fixed in the latest version of gnulib, so to
|
||||
maintain consistency, I've backported that change rather than doing
|
||||
something different.
|
||||
|
||||
Fixes: CID 73828
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/gnulib/regcomp.c | 3 +--
|
||||
conf/Makefile.extra-dist | 1 +
|
||||
grub-core/gnulib-fix-regcomp-uninit-token.patch | 12 ++++++++++++
|
||||
3 files changed, 14 insertions(+), 2 deletions(-)
|
||||
create mode 100644 grub-core/gnulib-fix-regcomp-uninit-token.patch
|
||||
|
||||
diff --git a/grub-core/gnulib/regcomp.c b/grub-core/gnulib/regcomp.c
|
||||
index de9f622088f..6d0830ac691 100644
|
||||
--- a/grub-core/gnulib/regcomp.c
|
||||
+++ b/grub-core/gnulib/regcomp.c
|
||||
@@ -3790,8 +3790,7 @@ static bin_tree_t *
|
||||
create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
|
||||
re_token_type_t type)
|
||||
{
|
||||
- re_token_t t;
|
||||
- t.type = type;
|
||||
+ re_token_t t = { .type = type };
|
||||
return create_token_tree (dfa, left, right, &t);
|
||||
}
|
||||
|
||||
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
|
||||
index edbe7846eb1..ee276a87764 100644
|
||||
--- a/conf/Makefile.extra-dist
|
||||
+++ b/conf/Makefile.extra-dist
|
||||
@@ -32,6 +32,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
|
||||
|
||||
EXTRA_DIST += grub-core/gnulib-fix-null-deref.diff
|
||||
EXTRA_DIST += grub-core/gnulib-fix-null-state-deref.patch
|
||||
+EXTRA_DIST += grub-core/gnulib-fix-regcomp-uninit-token.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-regexec-null-deref.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-uninit-structure.patch
|
||||
EXTRA_DIST += grub-core/gnulib-fix-unused-value.patch
|
||||
diff --git a/grub-core/gnulib-fix-regcomp-uninit-token.patch b/grub-core/gnulib-fix-regcomp-uninit-token.patch
|
||||
new file mode 100644
|
||||
index 00000000000..d615745221b
|
||||
--- /dev/null
|
||||
+++ b/grub-core/gnulib-fix-regcomp-uninit-token.patch
|
||||
@@ -0,0 +1,12 @@
|
||||
+--- grub-core/gnulib/regcomp.c
|
||||
++++ grub-core/gnulib/regcomp.c
|
||||
+@@ -3808,8 +3808,7 @@ static bin_tree_t *
|
||||
+ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
|
||||
+ re_token_type_t type)
|
||||
+ {
|
||||
+- re_token_t t;
|
||||
+- t.type = type;
|
||||
++ re_token_t t = { .type = type };
|
||||
+ return create_token_tree (dfa, left, right, &t);
|
||||
+ }
|
||||
+
|
@ -0,0 +1,38 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Wed, 21 Oct 2020 14:44:10 +0000
|
||||
Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
|
||||
|
||||
These 2 assignments are unnecessary since they are just assigning
|
||||
to themselves.
|
||||
|
||||
Fixes: CID 73643
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/io/lzopio.c | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
|
||||
index 7559c6c9cab..dcb58746da1 100644
|
||||
--- a/grub-core/io/lzopio.c
|
||||
+++ b/grub-core/io/lzopio.c
|
||||
@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
|
||||
sizeof (lzopio->block.ucheck)) !=
|
||||
sizeof (lzopio->block.ucheck))
|
||||
return -1;
|
||||
-
|
||||
- lzopio->block.ucheck = lzopio->block.ucheck;
|
||||
}
|
||||
|
||||
/* Read checksum of compressed data. */
|
||||
@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
|
||||
sizeof (lzopio->block.ccheck)) !=
|
||||
sizeof (lzopio->block.ccheck))
|
||||
return -1;
|
||||
-
|
||||
- lzopio->block.ccheck = lzopio->block.ccheck;
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 23 Oct 2020 09:49:59 +0000
|
||||
Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
|
||||
string
|
||||
|
||||
There is the possibility that the value of str comes from an external
|
||||
source and continuing to use it before ever checking its validity is
|
||||
wrong. So, needs fixing.
|
||||
|
||||
Additionally, drop unneeded part initialization.
|
||||
|
||||
Fixes: CID 292444
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/partition.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
|
||||
index 2c401b866c4..3068c4dcac0 100644
|
||||
--- a/grub-core/kern/partition.c
|
||||
+++ b/grub-core/kern/partition.c
|
||||
@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
|
||||
grub_partition_t
|
||||
grub_partition_probe (struct grub_disk *disk, const char *str)
|
||||
{
|
||||
- grub_partition_t part = 0;
|
||||
+ grub_partition_t part;
|
||||
grub_partition_t curpart = 0;
|
||||
grub_partition_t tail;
|
||||
const char *ptr;
|
||||
|
||||
+ if (str == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
part = tail = disk->partition;
|
||||
|
||||
for (ptr = str; *ptr;)
|
@ -0,0 +1,125 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Marco A Benatto <mbenatto@redhat.com>
|
||||
Date: Mon, 7 Dec 2020 11:53:03 -0300
|
||||
Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
|
||||
make_vg()
|
||||
|
||||
Several error handling paths in make_vg() do not free comp data before
|
||||
jumping to fail2 label and returning from the function. This will leak
|
||||
memory. So, let's fix all issues of that kind.
|
||||
|
||||
Fixes: CID 73804
|
||||
|
||||
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 44 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
|
||||
index 58f8a53e1ab..428415fac24 100644
|
||||
--- a/grub-core/disk/ldm.c
|
||||
+++ b/grub-core/disk/ldm.c
|
||||
@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
|
||||
comp->segments = grub_calloc (comp->segment_alloc,
|
||||
sizeof (*comp->segments));
|
||||
if (!comp->segments)
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (comp->internal_id);
|
||||
+ grub_free (comp);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
|
||||
comp->segment_count = 1;
|
||||
comp->segments = grub_malloc (sizeof (*comp->segments));
|
||||
if (!comp->segments)
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (comp->internal_id);
|
||||
+ grub_free (comp);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
comp->segments->start_extent = 0;
|
||||
comp->segments->extent_count = lv->size;
|
||||
comp->segments->layout = 0;
|
||||
@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
|
||||
comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
|
||||
}
|
||||
else
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (comp->segments);
|
||||
+ grub_free (comp->internal_id);
|
||||
+ grub_free (comp);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
ptr += *ptr + 1;
|
||||
ptr++;
|
||||
if (!(vblk[i].flags & 0x10))
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (comp->segments);
|
||||
+ grub_free (comp->internal_id);
|
||||
+ grub_free (comp);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
|
||||
|| ptr + *ptr + 1 >= vblk[i].dynamic
|
||||
+ sizeof (vblk[i].dynamic))
|
||||
{
|
||||
+ grub_free (comp->segments);
|
||||
grub_free (comp->internal_id);
|
||||
grub_free (comp);
|
||||
goto fail2;
|
||||
@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
|
||||
if (ptr + *ptr + 1 >= vblk[i].dynamic
|
||||
+ sizeof (vblk[i].dynamic))
|
||||
{
|
||||
+ grub_free (comp->segments);
|
||||
grub_free (comp->internal_id);
|
||||
grub_free (comp);
|
||||
goto fail2;
|
||||
@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
|
||||
comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
|
||||
sizeof (*comp->segments->nodes));
|
||||
if (!lv->segments->nodes)
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (comp->segments);
|
||||
+ grub_free (comp->internal_id);
|
||||
+ grub_free (comp);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (lv->segments->node_alloc == lv->segments->node_count)
|
||||
@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
|
||||
|
||||
if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
|
||||
grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (comp->segments->nodes);
|
||||
+ grub_free (comp->segments);
|
||||
+ grub_free (comp->internal_id);
|
||||
+ grub_free (comp);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
|
||||
t = grub_realloc (lv->segments->nodes, sz);
|
||||
if (!t)
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (comp->segments->nodes);
|
||||
+ grub_free (comp->segments);
|
||||
+ grub_free (comp->internal_id);
|
||||
+ grub_free (comp);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
lv->segments->nodes = t;
|
||||
}
|
||||
lv->segments->nodes[lv->segments->node_count].pv = 0;
|
@ -0,0 +1,25 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
|
||||
Date: Mon, 7 Dec 2020 10:07:47 -0300
|
||||
Subject: [PATCH] disk/ldm: If failed then free vg variable too
|
||||
|
||||
Fixes: CID 73809
|
||||
|
||||
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/disk/ldm.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
|
||||
index 428415fac24..54713f45a12 100644
|
||||
--- a/grub-core/disk/ldm.c
|
||||
+++ b/grub-core/disk/ldm.c
|
||||
@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
|
||||
{
|
||||
grub_free (vg->uuid);
|
||||
grub_free (vg->name);
|
||||
+ grub_free (vg);
|
||||
return NULL;
|
||||
}
|
||||
grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);
|
@ -0,0 +1,47 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Tue, 8 Dec 2020 10:00:51 +0000
|
||||
Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
|
||||
|
||||
The problem here is that the memory allocated to the variable lv is not
|
||||
yet inserted into the list that is being processed at the label fail2.
|
||||
|
||||
As we can already see at line 342, which correctly frees lv before going
|
||||
to fail2, we should also be doing that at these earlier jumps to fail2.
|
||||
|
||||
Fixes: CID 73824
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/disk/ldm.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
|
||||
index 54713f45a12..e82e9899f96 100644
|
||||
--- a/grub-core/disk/ldm.c
|
||||
+++ b/grub-core/disk/ldm.c
|
||||
@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
|
||||
lv->visible = 1;
|
||||
lv->segments = grub_zalloc (sizeof (*lv->segments));
|
||||
if (!lv->segments)
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (lv);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
lv->segments->start_extent = 0;
|
||||
lv->segments->type = GRUB_DISKFILTER_MIRROR;
|
||||
lv->segments->node_count = 0;
|
||||
@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
|
||||
lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
|
||||
sizeof (*lv->segments->nodes));
|
||||
if (!lv->segments->nodes)
|
||||
- goto fail2;
|
||||
+ {
|
||||
+ grub_free (lv);
|
||||
+ goto fail2;
|
||||
+ }
|
||||
ptr = vblk[i].dynamic;
|
||||
if (ptr + *ptr + 1 >= vblk[i].dynamic
|
||||
+ sizeof (vblk[i].dynamic))
|
@ -0,0 +1,47 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 21 Jan 2021 11:38:31 +0000
|
||||
Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
|
||||
|
||||
The encrypt and decrypt functions expect a grub_size_t. So, we need to
|
||||
ensure that the constant bit shift is using grub_size_t rather than
|
||||
unsigned int when it is performing the shift.
|
||||
|
||||
Fixes: CID 307788
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/disk/cryptodisk.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
|
||||
index bd60a66b384..78a902515e9 100644
|
||||
--- a/grub-core/disk/cryptodisk.c
|
||||
+++ b/grub-core/disk/cryptodisk.c
|
||||
@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
|
||||
case GRUB_CRYPTODISK_MODE_CBC:
|
||||
if (do_encrypt)
|
||||
err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
|
||||
- (1U << dev->log_sector_size), iv);
|
||||
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
|
||||
else
|
||||
err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
|
||||
- (1U << dev->log_sector_size), iv);
|
||||
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
|
||||
if (err)
|
||||
return err;
|
||||
break;
|
||||
@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
|
||||
case GRUB_CRYPTODISK_MODE_PCBC:
|
||||
if (do_encrypt)
|
||||
err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
|
||||
- (1U << dev->log_sector_size), iv);
|
||||
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
|
||||
else
|
||||
err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
|
||||
- (1U << dev->log_sector_size), iv);
|
||||
+ ((grub_size_t) 1 << dev->log_sector_size), iv);
|
||||
if (err)
|
||||
return err;
|
||||
break;
|
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 23 Oct 2020 17:09:31 +0000
|
||||
Subject: [PATCH] hfsplus: Check that the volume name length is valid
|
||||
|
||||
HFS+ documentation suggests that the maximum filename and volume name is
|
||||
255 Unicode characters in length.
|
||||
|
||||
So, when converting from big-endian to little-endian, we should ensure
|
||||
that the name of the volume has a length that is between 0 and 255,
|
||||
inclusive.
|
||||
|
||||
Fixes: CID 73641
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/hfsplus.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
|
||||
index e06bcbb9ba3..03a33ea2477 100644
|
||||
--- a/grub-core/fs/hfsplus.c
|
||||
+++ b/grub-core/fs/hfsplus.c
|
||||
@@ -1012,6 +1012,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
|
||||
grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
|
||||
|
||||
label_len = grub_be_to_cpu16 (catkey->namelen);
|
||||
+
|
||||
+ /* Ensure that the length is >= 0. */
|
||||
+ if (label_len < 0)
|
||||
+ label_len = 0;
|
||||
+
|
||||
+ /* Ensure label length is at most 255 Unicode characters. */
|
||||
+ if (label_len > 255)
|
||||
+ label_len = 255;
|
||||
+
|
||||
label_name = grub_calloc (label_len, sizeof (*label_name));
|
||||
if (!label_name)
|
||||
{
|
39
SOURCES/0350-zfs-Fix-possible-negative-shift-operation.patch
Normal file
39
SOURCES/0350-zfs-Fix-possible-negative-shift-operation.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Tue, 24 Nov 2020 16:41:49 +0000
|
||||
Subject: [PATCH] zfs: Fix possible negative shift operation
|
||||
|
||||
While it is possible for the return value from zfs_log2() to be zero
|
||||
(0), it is quite unlikely, given that the previous assignment to blksz
|
||||
is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
|
||||
assignment to epbs.
|
||||
|
||||
But, while unlikely during a normal operation, it may be that a carefully
|
||||
crafted ZFS filesystem could result in a zero (0) value to the
|
||||
dn_datalbkszsec field, which means that the shift left does nothing
|
||||
and assigns zero (0) to blksz, resulting in a negative epbs value.
|
||||
|
||||
Fixes: CID 73608
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/zfs/zfs.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
|
||||
index c6204367e78..3dfde080750 100644
|
||||
--- a/grub-core/fs/zfs/zfs.c
|
||||
+++ b/grub-core/fs/zfs/zfs.c
|
||||
@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
|
||||
blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
|
||||
mdn->endian) << SPA_MINBLOCKSHIFT;
|
||||
epbs = zfs_log2 (blksz) - DNODE_SHIFT;
|
||||
+
|
||||
+ /* While this should never happen, we should check that epbs is not negative. */
|
||||
+ if (epbs < 0)
|
||||
+ epbs = 0;
|
||||
+
|
||||
blkid = objnum >> epbs;
|
||||
idx = objnum & ((1 << epbs) - 1);
|
||||
|
@ -0,0 +1,118 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
|
||||
Date: Mon, 14 Dec 2020 18:54:49 -0300
|
||||
Subject: [PATCH] zfs: Fix resource leaks while constructing path
|
||||
|
||||
There are several exit points in dnode_get_path() that are causing possible
|
||||
memory leaks.
|
||||
|
||||
In the while(1) the correct exit mechanism should not be to do a direct return,
|
||||
but to instead break out of the loop, setting err first if it is not already set.
|
||||
|
||||
The reason behind this is that the dnode_path is a linked list, and while doing
|
||||
through this loop, it is being allocated and built up - the only way to
|
||||
correctly unravel it is to traverse it, which is what is being done at the end
|
||||
of the function outside of the loop.
|
||||
|
||||
Several of the existing exit points correctly did a break, but not all so this
|
||||
change makes that more consistent and should resolve the leaking of memory as
|
||||
found by Coverity.
|
||||
|
||||
Fixes: CID 73741
|
||||
|
||||
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
|
||||
1 file changed, 21 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
|
||||
index 3dfde080750..44d8bde6b33 100644
|
||||
--- a/grub-core/fs/zfs/zfs.c
|
||||
+++ b/grub-core/fs/zfs/zfs.c
|
||||
@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
|
||||
|
||||
if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
|
||||
{
|
||||
- grub_free (path_buf);
|
||||
- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
|
||||
+ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
|
||||
+ break;
|
||||
}
|
||||
err = zap_lookup (&(dnode_path->dn), cname, &objnum,
|
||||
data, subvol->case_insensitive);
|
||||
@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
|
||||
<< SPA_MINBLOCKSHIFT);
|
||||
|
||||
if (blksz == 0)
|
||||
- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
|
||||
+ {
|
||||
+ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
sym_value = grub_malloc (sym_sz);
|
||||
if (!sym_value)
|
||||
- return grub_errno;
|
||||
+ {
|
||||
+ err = grub_errno;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
|
||||
{
|
||||
void *t;
|
||||
@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
|
||||
if (err)
|
||||
{
|
||||
grub_free (sym_value);
|
||||
- return err;
|
||||
+ break;
|
||||
}
|
||||
|
||||
movesize = sym_sz - block * blksz;
|
||||
@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
|
||||
grub_memcpy (sym_value + block * blksz, t, movesize);
|
||||
grub_free (t);
|
||||
}
|
||||
+ if (err)
|
||||
+ break;
|
||||
free_symval = 1;
|
||||
}
|
||||
path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
|
||||
@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
|
||||
grub_free (oldpathbuf);
|
||||
if (free_symval)
|
||||
grub_free (sym_value);
|
||||
- return grub_errno;
|
||||
+ err = grub_errno;
|
||||
+ break;
|
||||
}
|
||||
grub_memcpy (path, sym_value, sym_sz);
|
||||
if (free_symval)
|
||||
@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
|
||||
|
||||
err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
|
||||
if (err)
|
||||
- return err;
|
||||
+ break;
|
||||
}
|
||||
else
|
||||
{
|
||||
- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
|
||||
+ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
|
||||
+ break;
|
||||
}
|
||||
|
||||
hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
|
||||
@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
|
||||
if (!path_buf)
|
||||
{
|
||||
grub_free (oldpathbuf);
|
||||
- return grub_errno;
|
||||
+ err = grub_errno;
|
||||
+ break;
|
||||
}
|
||||
grub_memcpy (path, sym_value, sym_sz);
|
||||
path [sym_sz] = 0;
|
53
SOURCES/0352-zfs-Fix-possible-integer-overflows.patch
Normal file
53
SOURCES/0352-zfs-Fix-possible-integer-overflows.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Tue, 8 Dec 2020 22:17:04 +0000
|
||||
Subject: [PATCH] zfs: Fix possible integer overflows
|
||||
|
||||
In all cases the problem is that the value being acted upon by
|
||||
a left-shift is a 32-bit number which is then being used in the
|
||||
context of a 64-bit number.
|
||||
|
||||
To avoid overflow we ensure that the number being shifted is 64-bit
|
||||
before the shift is done.
|
||||
|
||||
Fixes: CID 73684, CID 73695, CID 73764
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/zfs/zfs.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
|
||||
index 44d8bde6b33..0d8c08eec92 100644
|
||||
--- a/grub-core/fs/zfs/zfs.c
|
||||
+++ b/grub-core/fs/zfs/zfs.c
|
||||
@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
|
||||
ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
|
||||
+ ((i << ub_shift)
|
||||
/ sizeof (grub_properly_aligned_t)));
|
||||
- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
|
||||
+ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
|
||||
if (err)
|
||||
{
|
||||
grub_errno = GRUB_ERR_NONE;
|
||||
@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
|
||||
|
||||
high = grub_divmod64 ((offset >> desc->ashift) + c,
|
||||
desc->n_children, &devn);
|
||||
- csize = bsize << desc->ashift;
|
||||
+ csize = (grub_size_t) bsize << desc->ashift;
|
||||
if (csize > len)
|
||||
csize = len;
|
||||
|
||||
@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
|
||||
|
||||
while (len > 0)
|
||||
{
|
||||
- grub_size_t csize;
|
||||
- csize = ((s / (desc->n_children - desc->nparity))
|
||||
+ grub_size_t csize = s;
|
||||
+ csize = ((csize / (desc->n_children - desc->nparity))
|
||||
<< desc->ashift);
|
||||
if (csize > len)
|
||||
csize = len;
|
@ -0,0 +1,32 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 26 Nov 2020 10:56:45 +0000
|
||||
Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
|
||||
|
||||
While arguably the check for grub_errno is correct, we should really be
|
||||
checking the return value from the function since it is always possible
|
||||
that grub_errno was set elsewhere, making this code behave incorrectly.
|
||||
|
||||
Fixes: CID 73668
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/zfs/zfsinfo.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
|
||||
index c8a28acf52b..bf2918018e7 100644
|
||||
--- a/grub-core/fs/zfs/zfsinfo.c
|
||||
+++ b/grub-core/fs/zfs/zfsinfo.c
|
||||
@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
||||
|
||||
devname = grub_file_get_device_name (args[0]);
|
||||
- if (grub_errno)
|
||||
- return grub_errno;
|
||||
+ if (devname == NULL)
|
||||
+ return GRUB_ERR_OUT_OF_MEMORY;
|
||||
|
||||
dev = grub_device_open (devname);
|
||||
grub_free (devname);
|
79
SOURCES/0354-affs-Fix-memory-leaks.patch
Normal file
79
SOURCES/0354-affs-Fix-memory-leaks.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 26 Nov 2020 12:48:07 +0000
|
||||
Subject: [PATCH] affs: Fix memory leaks
|
||||
|
||||
The node structure reference is being allocated but not freed if it
|
||||
reaches the end of the function. If any of the hooks had returned
|
||||
a non-zero value, then node would have been copied in to the context
|
||||
reference, but otherwise node is not stored and should be freed.
|
||||
|
||||
Similarly, the call to grub_affs_create_node() replaces the allocated
|
||||
memory in node with a newly allocated structure, leaking the existing
|
||||
memory pointed by node.
|
||||
|
||||
Finally, when dir->parent is set, then we again replace node with newly
|
||||
allocated memory, which seems unnecessary when we copy in the values
|
||||
from dir->parent immediately after.
|
||||
|
||||
Fixes: CID 73759
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/affs.c | 18 ++++++++----------
|
||||
1 file changed, 8 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
|
||||
index 91073795f90..e4615c74381 100644
|
||||
--- a/grub-core/fs/affs.c
|
||||
+++ b/grub-core/fs/affs.c
|
||||
@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
|
||||
{
|
||||
unsigned int i;
|
||||
struct grub_affs_file file;
|
||||
- struct grub_fshelp_node *node = 0;
|
||||
+ struct grub_fshelp_node *node, *orig_node;
|
||||
struct grub_affs_data *data = dir->data;
|
||||
grub_uint32_t *hashtable;
|
||||
|
||||
/* Create the directory entries for `.' and `..'. */
|
||||
- node = grub_zalloc (sizeof (*node));
|
||||
+ node = orig_node = grub_zalloc (sizeof (*node));
|
||||
if (!node)
|
||||
return 1;
|
||||
|
||||
@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
|
||||
return 1;
|
||||
if (dir->parent)
|
||||
{
|
||||
- node = grub_zalloc (sizeof (*node));
|
||||
- if (!node)
|
||||
- return 1;
|
||||
*node = *dir->parent;
|
||||
if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
|
||||
return 1;
|
||||
@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
|
||||
|
||||
if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
|
||||
next, &file))
|
||||
- return 1;
|
||||
+ {
|
||||
+ /* Node has been replaced in function. */
|
||||
+ grub_free (orig_node);
|
||||
+ return 1;
|
||||
+ }
|
||||
|
||||
next = grub_be_to_cpu32 (file.next);
|
||||
}
|
||||
}
|
||||
|
||||
- grub_free (hashtable);
|
||||
- return 0;
|
||||
-
|
||||
fail:
|
||||
- grub_free (node);
|
||||
+ grub_free (orig_node);
|
||||
grub_free (hashtable);
|
||||
return 0;
|
||||
}
|
@ -0,0 +1,32 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Tue, 3 Nov 2020 16:43:37 +0000
|
||||
Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
|
||||
|
||||
The array of unsigned char gets promoted to a signed 32-bit int before
|
||||
it is finally promoted to a size_t. There is the possibility that this
|
||||
may result in the signed-bit being set for the intermediate signed
|
||||
32-bit int. We should ensure that the promotion is to the correct type
|
||||
before we bitwise-OR the values.
|
||||
|
||||
Fixes: CID 96697
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
|
||||
index a3435ed142a..7ecad27b23a 100644
|
||||
--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
|
||||
+++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
|
||||
@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
|
||||
if (len && len < 4)
|
||||
return gcry_error (GPG_ERR_TOO_SHORT);
|
||||
|
||||
- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
|
||||
+ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
|
||||
s += 4;
|
||||
if (len)
|
||||
len -= 4;
|
@ -0,0 +1,30 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 26 Nov 2020 10:41:54 +0000
|
||||
Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
|
||||
|
||||
The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
|
||||
is no explicit check for that, so we add one.
|
||||
|
||||
Fixes: CID 73757
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
|
||||
index 7ecad27b23a..6fe38916532 100644
|
||||
--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
|
||||
+++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
|
||||
@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
|
||||
unsigned int len;
|
||||
int secure = (buffer && gcry_is_secure (buffer));
|
||||
|
||||
+ if (!buffer)
|
||||
+ return gcry_error (GPG_ERR_INV_ARG);
|
||||
+
|
||||
if (format == GCRYMPI_FMT_SSH)
|
||||
len = 0;
|
||||
else
|
40
SOURCES/0357-syslinux-Fix-memory-leak-while-parsing.patch
Normal file
40
SOURCES/0357-syslinux-Fix-memory-leak-while-parsing.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 26 Nov 2020 15:31:53 +0000
|
||||
Subject: [PATCH] syslinux: Fix memory leak while parsing
|
||||
|
||||
In syslinux_parse_real() the 2 points where return is being called
|
||||
didn't release the memory stored in buf which is no longer required.
|
||||
|
||||
Fixes: CID 176634
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/lib/syslinux_parse.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
|
||||
index 21ca040ada7..2eb59ff8ac4 100644
|
||||
--- a/grub-core/lib/syslinux_parse.c
|
||||
+++ b/grub-core/lib/syslinux_parse.c
|
||||
@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
|
||||
&& grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
|
||||
{
|
||||
if (helptext (ptr5, file, menu))
|
||||
- return 1;
|
||||
+ {
|
||||
+ grub_free (buf);
|
||||
+ return 1;
|
||||
+ }
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
|
||||
}
|
||||
fail:
|
||||
grub_file_close (file);
|
||||
+ grub_free (buf);
|
||||
return err;
|
||||
}
|
||||
|
@ -0,0 +1,49 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 4 Dec 2020 18:56:48 +0000
|
||||
Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
|
||||
completion
|
||||
|
||||
It is possible for the code to reach the end of the function without
|
||||
freeing the memory allocated to argv and argc still to be 0.
|
||||
|
||||
We should always call grub_free(argv). The grub_free() will handle
|
||||
a NULL argument correctly if it reaches that code without the memory
|
||||
being allocated.
|
||||
|
||||
Fixes: CID 96672
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/normal/completion.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
|
||||
index 93aa0d8eda8..5036bcf2d98 100644
|
||||
--- a/grub-core/normal/completion.c
|
||||
+++ b/grub-core/normal/completion.c
|
||||
@@ -401,8 +401,8 @@ char *
|
||||
grub_normal_do_completion (char *buf, int *restore,
|
||||
void (*hook) (const char *, grub_completion_type_t, int))
|
||||
{
|
||||
- int argc;
|
||||
- char **argv;
|
||||
+ int argc = 0;
|
||||
+ char **argv = NULL;
|
||||
|
||||
/* Initialize variables. */
|
||||
match = 0;
|
||||
@@ -517,10 +517,8 @@ grub_normal_do_completion (char *buf, int *restore,
|
||||
|
||||
fail:
|
||||
if (argc != 0)
|
||||
- {
|
||||
- grub_free (argv[0]);
|
||||
- grub_free (argv);
|
||||
- }
|
||||
+ grub_free (argv[0]);
|
||||
+ grub_free (argv);
|
||||
grub_free (match);
|
||||
grub_errno = GRUB_ERR_NONE;
|
||||
|
53
SOURCES/0359-commands-hashsum-Fix-a-memory-leak.patch
Normal file
53
SOURCES/0359-commands-hashsum-Fix-a-memory-leak.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Tue, 1 Dec 2020 23:41:24 +0000
|
||||
Subject: [PATCH] commands/hashsum: Fix a memory leak
|
||||
|
||||
check_list() uses grub_file_getline(), which allocates a buffer.
|
||||
If the hash list file contains invalid lines, the function leaks
|
||||
this buffer when it returns an error.
|
||||
|
||||
Fixes: CID 176635
|
||||
|
||||
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/hashsum.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
|
||||
index d18687351a5..282922bba1e 100644
|
||||
--- a/grub-core/commands/hashsum.c
|
||||
+++ b/grub-core/commands/hashsum.c
|
||||
@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
|
||||
high = hextoval (*p++);
|
||||
low = hextoval (*p++);
|
||||
if (high < 0 || low < 0)
|
||||
- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
|
||||
+ {
|
||||
+ grub_free (buf);
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
|
||||
+ }
|
||||
expected[i] = (high << 4) | low;
|
||||
}
|
||||
if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
|
||||
- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
|
||||
+ {
|
||||
+ grub_free (buf);
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
|
||||
+ }
|
||||
p += 2;
|
||||
if (prefix)
|
||||
{
|
||||
@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
|
||||
|
||||
filename = grub_xasprintf ("%s/%s", prefix, p);
|
||||
if (!filename)
|
||||
- return grub_errno;
|
||||
+ {
|
||||
+ grub_free (buf);
|
||||
+ return grub_errno;
|
||||
+ }
|
||||
if (!uncompress)
|
||||
grub_file_filter_disable_compression ();
|
||||
file = grub_file_open (filename);
|
@ -0,0 +1,91 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Tue, 8 Dec 2020 21:14:31 +0000
|
||||
Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
|
||||
grub_video_gop_fill_mode_info()
|
||||
|
||||
The return value of grub_video_gop_fill_mode_info() is never able to be
|
||||
anything other than GRUB_ERR_NONE. So, rather than continue to return
|
||||
a value and checking it each time, it is more correct to redefine the
|
||||
function to not return anything and remove checks of its return value
|
||||
altogether.
|
||||
|
||||
Fixes: CID 96701
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/efi_gop.c | 25 ++++++-------------------
|
||||
1 file changed, 6 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
|
||||
index c9e40e8d4e9..9fcc41ac03c 100644
|
||||
--- a/grub-core/video/efi_gop.c
|
||||
+++ b/grub-core/video/efi_gop.c
|
||||
@@ -229,7 +229,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
-static grub_err_t
|
||||
+static void
|
||||
grub_video_gop_fill_mode_info (unsigned mode,
|
||||
struct grub_efi_gop_mode_info *in,
|
||||
struct grub_video_mode_info *out)
|
||||
@@ -254,8 +254,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
|
||||
out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
|
||||
out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
|
||||
| GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
|
||||
-
|
||||
- return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -268,7 +266,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
|
||||
grub_efi_uintn_t size;
|
||||
grub_efi_status_t status;
|
||||
struct grub_efi_gop_mode_info *info = NULL;
|
||||
- grub_err_t err;
|
||||
struct grub_video_mode_info mode_info;
|
||||
|
||||
status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
|
||||
@@ -279,12 +276,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
|
||||
continue;
|
||||
}
|
||||
|
||||
- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
|
||||
- if (err)
|
||||
- {
|
||||
- grub_errno = GRUB_ERR_NONE;
|
||||
- continue;
|
||||
- }
|
||||
+ grub_video_gop_fill_mode_info (mode, info, &mode_info);
|
||||
if (hook (&mode_info, hook_arg))
|
||||
return 1;
|
||||
}
|
||||
@@ -468,13 +460,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
|
||||
info = gop->mode->info;
|
||||
|
||||
- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
|
||||
- &framebuffer.mode_info);
|
||||
- if (err)
|
||||
- {
|
||||
- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
|
||||
- return err;
|
||||
- }
|
||||
+ grub_video_gop_fill_mode_info (gop->mode->mode, info,
|
||||
+ &framebuffer.mode_info);
|
||||
|
||||
framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
|
||||
framebuffer.offscreen
|
||||
@@ -488,8 +475,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
{
|
||||
grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
|
||||
grub_errno = 0;
|
||||
- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
|
||||
- &framebuffer.mode_info);
|
||||
+ grub_video_gop_fill_mode_info (gop->mode->mode, info,
|
||||
+ &framebuffer.mode_info);
|
||||
buffer = framebuffer.ptr;
|
||||
}
|
||||
|
@ -0,0 +1,75 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Wed, 4 Nov 2020 15:10:51 +0000
|
||||
Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
|
||||
|
||||
The multiplication of 2 unsigned 32-bit integers may overflow before
|
||||
promotion to unsigned 64-bit. We should ensure that the multiplication
|
||||
is done with overflow detection. Additionally, use grub_sub() for
|
||||
subtraction.
|
||||
|
||||
Fixes: CID 73640, CID 73697, CID 73702, CID 73823
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/fb/fbfill.c | 17 +++++++++++++----
|
||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
|
||||
index 11816d07a0b..a37acd1e293 100644
|
||||
--- a/grub-core/video/fb/fbfill.c
|
||||
+++ b/grub-core/video/fb/fbfill.c
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <grub/fbfill.h>
|
||||
#include <grub/fbutil.h>
|
||||
#include <grub/types.h>
|
||||
+#include <grub/safemath.h>
|
||||
#include <grub/video.h>
|
||||
|
||||
/* Generic filler that works for every supported mode. */
|
||||
@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
|
||||
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
||||
@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
|
||||
#endif
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
||||
@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
|
||||
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
||||
@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
|
||||
|
||||
/* Calculate the number of bytes to advance from the end of one line
|
||||
to the beginning of the next line. */
|
||||
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
|
||||
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
|
||||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
|
||||
+ return;
|
||||
|
||||
/* Get the start address. */
|
||||
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
|
@ -0,0 +1,101 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Wed, 4 Nov 2020 14:43:44 +0000
|
||||
Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
|
||||
|
||||
The calculation of the unsigned 64-bit value is being generated by
|
||||
multiplying 2, signed or unsigned, 32-bit integers which may overflow
|
||||
before promotion to unsigned 64-bit. Fix all of them.
|
||||
|
||||
Fixes: CID 73703, CID 73767, CID 73833
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 36 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
|
||||
index 1a602c8b251..1c9a138dcdc 100644
|
||||
--- a/grub-core/video/fb/video_fb.c
|
||||
+++ b/grub-core/video/fb/video_fb.c
|
||||
@@ -25,6 +25,7 @@
|
||||
#include <grub/fbutil.h>
|
||||
#include <grub/bitmap.h>
|
||||
#include <grub/dl.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
|
||||
{
|
||||
if (framebuffer.current_dirty.first_line
|
||||
<= framebuffer.current_dirty.last_line)
|
||||
- grub_memcpy ((char *) framebuffer.pages[0]
|
||||
- + framebuffer.current_dirty.first_line
|
||||
- * framebuffer.back_target->mode_info.pitch,
|
||||
- (char *) framebuffer.back_target->data
|
||||
- + framebuffer.current_dirty.first_line
|
||||
- * framebuffer.back_target->mode_info.pitch,
|
||||
- framebuffer.back_target->mode_info.pitch
|
||||
- * (framebuffer.current_dirty.last_line
|
||||
- - framebuffer.current_dirty.first_line));
|
||||
+ {
|
||||
+ grub_size_t copy_size;
|
||||
+
|
||||
+ if (grub_sub (framebuffer.current_dirty.last_line,
|
||||
+ framebuffer.current_dirty.first_line, ©_size) ||
|
||||
+ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
|
||||
+ {
|
||||
+ /* Shouldn't happen, but if it does we've a bug. */
|
||||
+ return GRUB_ERR_BUG;
|
||||
+ }
|
||||
+
|
||||
+ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
|
||||
+ framebuffer.back_target->mode_info.pitch,
|
||||
+ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
|
||||
+ framebuffer.back_target->mode_info.pitch,
|
||||
+ copy_size);
|
||||
+ }
|
||||
framebuffer.current_dirty.first_line
|
||||
= framebuffer.back_target->mode_info.height;
|
||||
framebuffer.current_dirty.last_line = 0;
|
||||
@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
|
||||
volatile void *framebuf)
|
||||
{
|
||||
grub_err_t err;
|
||||
- grub_size_t page_size = mode_info.pitch * mode_info.height;
|
||||
+ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
|
||||
|
||||
framebuffer.offscreen_buffer = grub_zalloc (page_size);
|
||||
if (! framebuffer.offscreen_buffer)
|
||||
@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
|
||||
last_line = framebuffer.previous_dirty.last_line;
|
||||
|
||||
if (first_line <= last_line)
|
||||
- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
|
||||
- + first_line * framebuffer.back_target->mode_info.pitch,
|
||||
- (char *) framebuffer.back_target->data
|
||||
- + first_line * framebuffer.back_target->mode_info.pitch,
|
||||
- framebuffer.back_target->mode_info.pitch
|
||||
- * (last_line - first_line));
|
||||
+ {
|
||||
+ grub_size_t copy_size;
|
||||
+
|
||||
+ if (grub_sub (last_line, first_line, ©_size) ||
|
||||
+ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
|
||||
+ {
|
||||
+ /* Shouldn't happen, but if it does we've a bug. */
|
||||
+ return GRUB_ERR_BUG;
|
||||
+ }
|
||||
+
|
||||
+ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
|
||||
+ framebuffer.back_target->mode_info.pitch,
|
||||
+ (char *) framebuffer.back_target->data + first_line *
|
||||
+ framebuffer.back_target->mode_info.pitch,
|
||||
+ copy_size);
|
||||
+ }
|
||||
+
|
||||
framebuffer.previous_dirty = framebuffer.current_dirty;
|
||||
framebuffer.current_dirty.first_line
|
||||
= framebuffer.back_target->mode_info.height;
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 4 Dec 2020 14:51:30 +0000
|
||||
Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
|
||||
|
||||
It is minimal possibility that the values being used here will overflow.
|
||||
So, change the code to use the safemath function grub_mul() to ensure
|
||||
that doesn't happen.
|
||||
|
||||
Fixes: CID 73761
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/fb/video_fb.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
|
||||
index 1c9a138dcdc..ae6b89f9aea 100644
|
||||
--- a/grub-core/video/fb/video_fb.c
|
||||
+++ b/grub-core/video/fb/video_fb.c
|
||||
@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
|
||||
volatile void *page1_ptr)
|
||||
{
|
||||
grub_err_t err;
|
||||
- grub_size_t page_size = mode_info->pitch * mode_info->height;
|
||||
+ grub_size_t page_size = 0;
|
||||
+
|
||||
+ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
|
||||
+ {
|
||||
+ /* Shouldn't happen, but if it does we've a bug. */
|
||||
+ return GRUB_ERR_BUG;
|
||||
+ }
|
||||
|
||||
framebuffer.offscreen_buffer = grub_malloc (page_size);
|
||||
if (! framebuffer.offscreen_buffer)
|
@ -0,0 +1,35 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 4 Dec 2020 15:39:00 +0000
|
||||
Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
|
||||
from a jpeg file
|
||||
|
||||
While it may never happen, and potentially could be caught at the end of
|
||||
the function, it is worth checking up front for a bad reference to the
|
||||
next marker just in case of a maliciously crafted file being provided.
|
||||
|
||||
Fixes: CID 73694
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/readers/jpeg.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
||||
index 21b0d9ded67..a4a8269e237 100644
|
||||
--- a/grub-core/video/readers/jpeg.c
|
||||
+++ b/grub-core/video/readers/jpeg.c
|
||||
@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
|
||||
next_marker = data->file->offset;
|
||||
next_marker += grub_jpeg_get_word (data);
|
||||
|
||||
+ if (next_marker > data->file->size)
|
||||
+ {
|
||||
+ /* Should never be set beyond the size of the file. */
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
|
||||
+ }
|
||||
+
|
||||
while (data->file->offset + sizeof (data->quan_table[id]) + 1
|
||||
<= next_marker)
|
||||
{
|
@ -0,0 +1,31 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Mon, 7 Dec 2020 14:44:47 +0000
|
||||
Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as
|
||||
dead
|
||||
|
||||
The test of value for NULL before calling grub_strdup() is not required,
|
||||
since the if condition prior to this has already tested for value being
|
||||
NULL and cannot reach this code if it is.
|
||||
|
||||
Fixes: CID 73659
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/gfxmenu/gui_list.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
|
||||
index 01477cdf2b3..df334a6c56f 100644
|
||||
--- a/grub-core/gfxmenu/gui_list.c
|
||||
+++ b/grub-core/gfxmenu/gui_list.c
|
||||
@@ -771,7 +771,7 @@ list_set_property (void *vself, const char *name, const char *value)
|
||||
{
|
||||
self->need_to_recreate_boxes = 1;
|
||||
grub_free (self->selected_item_box_pattern);
|
||||
- self->selected_item_box_pattern = value ? grub_strdup (value) : 0;
|
||||
+ self->selected_item_box_pattern = grub_strdup (value);
|
||||
self->selected_item_box_pattern_inherit = 0;
|
||||
}
|
||||
}
|
44
SOURCES/0366-loader-bsd-Check-for-NULL-arg-up-front.patch
Normal file
44
SOURCES/0366-loader-bsd-Check-for-NULL-arg-up-front.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Tue, 8 Dec 2020 21:47:13 +0000
|
||||
Subject: [PATCH] loader/bsd: Check for NULL arg up-front
|
||||
|
||||
The code in the next block suggests that it is possible for .set to be
|
||||
true but .arg may still be NULL.
|
||||
|
||||
This code assumes that it is never NULL, yet later is testing if it is
|
||||
NULL - that is inconsistent.
|
||||
|
||||
So we should check first if .arg is not NULL, and remove this check that
|
||||
is being flagged by Coverity since it is no longer required.
|
||||
|
||||
Fixes: CID 292471
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/loader/i386/bsd.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
|
||||
index 0f317632a3b..35a06e66d38 100644
|
||||
--- a/grub-core/loader/i386/bsd.c
|
||||
+++ b/grub-core/loader/i386/bsd.c
|
||||
@@ -1600,7 +1600,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
|
||||
kernel_type = KERNEL_TYPE_OPENBSD;
|
||||
bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags);
|
||||
|
||||
- if (ctxt->state[OPENBSD_ROOT_ARG].set)
|
||||
+ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL)
|
||||
{
|
||||
const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg;
|
||||
unsigned type, unit, part;
|
||||
@@ -1617,7 +1617,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
|
||||
"unknown disk type name");
|
||||
|
||||
unit = grub_strtoul (arg, (char **) &arg, 10);
|
||||
- if (! (arg && *arg >= 'a' && *arg <= 'z'))
|
||||
+ if (! (*arg >= 'a' && *arg <= 'z'))
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
"only device specifications of form "
|
||||
"<type><number><lowercase letter> are supported");
|
36
SOURCES/0367-loader-xnu-Fix-memory-leak.patch
Normal file
36
SOURCES/0367-loader-xnu-Fix-memory-leak.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 26 Nov 2020 12:53:10 +0000
|
||||
Subject: [PATCH] loader/xnu: Fix memory leak
|
||||
|
||||
The code here is finished with the memory stored in name, but it only
|
||||
frees it if there curvalue is valid, while it could actually free it
|
||||
regardless.
|
||||
|
||||
The fix is a simple relocation of the grub_free() to before the test
|
||||
of curvalue.
|
||||
|
||||
Fixes: CID 96646
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/loader/xnu.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
||||
index 0c4b33250fb..2adeac8a549 100644
|
||||
--- a/grub-core/loader/xnu.c
|
||||
+++ b/grub-core/loader/xnu.c
|
||||
@@ -1383,9 +1383,9 @@ grub_xnu_fill_devicetree (void)
|
||||
name[len] = 0;
|
||||
|
||||
curvalue = grub_xnu_create_value (curkey, name);
|
||||
- if (!curvalue)
|
||||
- return grub_errno;
|
||||
grub_free (name);
|
||||
+ if (!curvalue)
|
||||
+ return grub_errno;
|
||||
|
||||
data = grub_malloc (grub_strlen (var->value) + 1);
|
||||
if (!data)
|
@ -0,0 +1,74 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Marco A Benatto <mbenatto@redhat.com>
|
||||
Date: Mon, 30 Nov 2020 12:18:24 -0300
|
||||
Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
|
||||
grub_xnu_writetree_toheap()
|
||||
|
||||
... to avoid memory leaks.
|
||||
|
||||
Fixes: CID 96640
|
||||
|
||||
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
||||
index 2adeac8a549..a0aaa290ef7 100644
|
||||
--- a/grub-core/loader/xnu.c
|
||||
+++ b/grub-core/loader/xnu.c
|
||||
@@ -227,26 +227,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
|
||||
if (! memorymap)
|
||||
return grub_errno;
|
||||
|
||||
- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
|
||||
+ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
|
||||
if (! driverkey)
|
||||
return grub_errno;
|
||||
driverkey->name = grub_strdup ("DeviceTree");
|
||||
if (! driverkey->name)
|
||||
- return grub_errno;
|
||||
+ {
|
||||
+ err = grub_errno;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
driverkey->datasize = sizeof (*extdesc);
|
||||
driverkey->next = memorymap->first_child;
|
||||
memorymap->first_child = driverkey;
|
||||
driverkey->data = extdesc
|
||||
= (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
|
||||
if (! driverkey->data)
|
||||
- return grub_errno;
|
||||
+ {
|
||||
+ err = grub_errno;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
/* Allocate the space based on the size with dummy value. */
|
||||
*size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
|
||||
err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
|
||||
&src, target);
|
||||
if (err)
|
||||
- return err;
|
||||
+ goto fail;
|
||||
|
||||
/* Put real data in the dummy. */
|
||||
extdesc->addr = *target;
|
||||
@@ -255,6 +262,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
|
||||
/* Write the tree to heap. */
|
||||
grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
|
||||
return GRUB_ERR_NONE;
|
||||
+
|
||||
+ fail:
|
||||
+ memorymap->first_child = NULL;
|
||||
+
|
||||
+ grub_free (driverkey->data);
|
||||
+ grub_free (driverkey->name);
|
||||
+ grub_free (driverkey);
|
||||
+
|
||||
+ return err;
|
||||
}
|
||||
|
||||
/* Find a key or value in parent key. */
|
@ -0,0 +1,39 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
|
||||
Date: Mon, 30 Nov 2020 10:36:00 -0300
|
||||
Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it
|
||||
|
||||
Fixes: CID 73654
|
||||
|
||||
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/loader/xnu.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
||||
index a0aaa290ef7..5e0c8c84797 100644
|
||||
--- a/grub-core/loader/xnu.c
|
||||
+++ b/grub-core/loader/xnu.c
|
||||
@@ -662,6 +662,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
|
||||
char *name, *nameend;
|
||||
int namelen;
|
||||
|
||||
+ if (infoplistname == NULL)
|
||||
+ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename"));
|
||||
+
|
||||
name = get_name_ptr (infoplistname);
|
||||
nameend = grub_strchr (name, '/');
|
||||
|
||||
@@ -693,10 +696,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
|
||||
else
|
||||
macho = 0;
|
||||
|
||||
- if (infoplistname)
|
||||
- infoplist = grub_file_open (infoplistname);
|
||||
- else
|
||||
- infoplist = 0;
|
||||
+ infoplist = grub_file_open (infoplistname);
|
||||
grub_errno = GRUB_ERR_NONE;
|
||||
if (infoplist)
|
||||
{
|
@ -0,0 +1,43 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Thu, 5 Nov 2020 14:33:50 +0000
|
||||
Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value
|
||||
|
||||
The return value of ftell() may be negative (-1) on error. While it is
|
||||
probably unlikely to occur, we should not blindly cast to an unsigned
|
||||
value without first testing that it is not negative.
|
||||
|
||||
Fixes: CID 73856
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
util/grub-editenv.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/util/grub-editenv.c b/util/grub-editenv.c
|
||||
index 2918bb71cfe..e9011e0fbde 100644
|
||||
--- a/util/grub-editenv.c
|
||||
+++ b/util/grub-editenv.c
|
||||
@@ -128,6 +128,7 @@ open_envblk_file (const char *name)
|
||||
{
|
||||
FILE *fp;
|
||||
char *buf;
|
||||
+ long loc;
|
||||
size_t size;
|
||||
grub_envblk_t envblk;
|
||||
|
||||
@@ -146,7 +147,12 @@ open_envblk_file (const char *name)
|
||||
grub_util_error (_("cannot seek `%s': %s"), name,
|
||||
strerror (errno));
|
||||
|
||||
- size = (size_t) ftell (fp);
|
||||
+ loc = ftell (fp);
|
||||
+ if (loc < 0)
|
||||
+ grub_util_error (_("cannot get file location `%s': %s"), name,
|
||||
+ strerror (errno));
|
||||
+
|
||||
+ size = (size_t) loc;
|
||||
|
||||
if (fseek (fp, 0, SEEK_SET) < 0)
|
||||
grub_util_error (_("cannot seek `%s': %s"), name,
|
@ -0,0 +1,47 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Kenny <darren.kenny@oracle.com>
|
||||
Date: Fri, 4 Dec 2020 15:04:28 +0000
|
||||
Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value
|
||||
|
||||
It is possible for the ftell() function to return a negative value,
|
||||
although it is fairly unlikely here, we should be checking for
|
||||
a negative value before we assign it to an unsigned value.
|
||||
|
||||
Fixes: CID 73744
|
||||
|
||||
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
util/glue-efi.c | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/util/glue-efi.c b/util/glue-efi.c
|
||||
index 68f53168b58..de0fa6d33d5 100644
|
||||
--- a/util/glue-efi.c
|
||||
+++ b/util/glue-efi.c
|
||||
@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename,
|
||||
struct grub_macho_fat_header head;
|
||||
struct grub_macho_fat_arch arch32, arch64;
|
||||
grub_uint32_t size32, size64;
|
||||
+ long size;
|
||||
char *buf;
|
||||
|
||||
fseek (in32, 0, SEEK_END);
|
||||
- size32 = ftell (in32);
|
||||
+ size = ftell (in32);
|
||||
+ if (size < 0)
|
||||
+ grub_util_error ("cannot get end of input file '%s': %s",
|
||||
+ name32, strerror (errno));
|
||||
+ size32 = (grub_uint32_t) size;
|
||||
fseek (in32, 0, SEEK_SET);
|
||||
+
|
||||
fseek (in64, 0, SEEK_END);
|
||||
- size64 = ftell (in64);
|
||||
+ size = ftell (in64);
|
||||
+ if (size < 0)
|
||||
+ grub_util_error ("cannot get end of input file '%s': %s",
|
||||
+ name64, strerror (errno));
|
||||
+ size64 = (grub_uint64_t) size;
|
||||
fseek (in64, 0, SEEK_SET);
|
||||
|
||||
head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC);
|
@ -0,0 +1,25 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 3 Apr 2020 23:05:13 +1100
|
||||
Subject: [PATCH] script/execute: Fix NULL dereference in
|
||||
grub_script_execute_cmdline()
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/script/execute.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
|
||||
index a1aadb9ee05..2e47c046741 100644
|
||||
--- a/grub-core/script/execute.c
|
||||
+++ b/grub-core/script/execute.c
|
||||
@@ -978,7 +978,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
|
||||
struct grub_script_argv argv = { 0, 0, 0 };
|
||||
|
||||
/* Lookup the command. */
|
||||
- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
|
||||
+ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0])
|
||||
return grub_errno;
|
||||
|
||||
for (i = 0; i < argv.argc; i++) {
|
@ -0,0 +1,30 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Mon, 11 Jan 2021 16:57:37 +1100
|
||||
Subject: [PATCH] commands/ls: Require device_name is not NULL before printing
|
||||
|
||||
This can be triggered with:
|
||||
ls -l (0 0*)
|
||||
and causes a NULL deref in grub_normal_print_device_info().
|
||||
|
||||
I'm not sure if there's any implication with the IEEE 1275 platform.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/ls.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
|
||||
index c25161cc4f2..ed646201035 100644
|
||||
--- a/grub-core/commands/ls.c
|
||||
+++ b/grub-core/commands/ls.c
|
||||
@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- if (! *path)
|
||||
+ if (! *path && device_name)
|
||||
{
|
||||
if (grub_errno == GRUB_ERR_UNKNOWN_FS)
|
||||
grub_errno = GRUB_ERR_NONE;
|
@ -0,0 +1,34 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Mon, 11 Jan 2021 17:30:42 +1100
|
||||
Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a
|
||||
function scope
|
||||
|
||||
"$#" represents the number of arguments to a function. It is only
|
||||
defined in a function scope, where "scope" is non-NULL. Currently,
|
||||
if we attempt to evaluate "$#" outside a function scope, "scope" will
|
||||
be NULL and we will crash with a NULL pointer dereference.
|
||||
|
||||
Do not attempt to count arguments for "$#" if "scope" is NULL. This
|
||||
will result in "$#" being interpreted as an empty string if evaluated
|
||||
outside a function scope.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/script/execute.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
|
||||
index 2e47c046741..17f4dcab2c6 100644
|
||||
--- a/grub-core/script/execute.c
|
||||
+++ b/grub-core/script/execute.c
|
||||
@@ -519,7 +519,7 @@ gettext_putvar (const char *str, grub_size_t len,
|
||||
return 0;
|
||||
|
||||
/* Enough for any number. */
|
||||
- if (len == 1 && str[0] == '#')
|
||||
+ if (len == 1 && str[0] == '#' && scope != NULL)
|
||||
{
|
||||
grub_snprintf (*ptr, 30, "%u", scope->argv.argc);
|
||||
*ptr += grub_strlen (*ptr);
|
@ -0,0 +1,51 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 22 Jan 2021 16:07:29 +1100
|
||||
Subject: [PATCH] lib/arg: Block repeated short options that require an
|
||||
argument
|
||||
|
||||
Fuzzing found the following crash:
|
||||
|
||||
search -hhhhhhhhhhhhhf
|
||||
|
||||
We didn't allocate enough option space for 13 hints because the
|
||||
allocation code counts the number of discrete arguments (i.e. argc).
|
||||
However, the shortopt parsing code will happily keep processing
|
||||
a combination of short options without checking if those short
|
||||
options require an argument. This means you can easily end writing
|
||||
past the allocated option space.
|
||||
|
||||
This fixes a OOB write which can cause heap corruption.
|
||||
|
||||
Fixes: CVE-2021-20225
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/lib/arg.c | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
|
||||
index 3288609a5e1..537c5e94b83 100644
|
||||
--- a/grub-core/lib/arg.c
|
||||
+++ b/grub-core/lib/arg.c
|
||||
@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
|
||||
it can have an argument value. */
|
||||
if (*curshort)
|
||||
{
|
||||
+ /*
|
||||
+ * Only permit further short opts if this one doesn't
|
||||
+ * require a value.
|
||||
+ */
|
||||
+ if (opt->type != ARG_TYPE_NONE &&
|
||||
+ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("missing mandatory option for `%s'"),
|
||||
+ opt->longarg);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
if (parse_option (cmd, opt, 0, usr) || grub_errno)
|
||||
goto fail;
|
||||
}
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 22 Jan 2021 16:18:26 +1100
|
||||
Subject: [PATCH] script/execute: Don't crash on a "for" loop with no items
|
||||
|
||||
The following crashes the parser:
|
||||
|
||||
for x in; do
|
||||
0
|
||||
done
|
||||
|
||||
This is because grub_script_arglist_to_argv() doesn't consider the
|
||||
possibility that arglist is NULL. Catch that explicitly.
|
||||
|
||||
This avoids a NULL pointer dereference.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/script/execute.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
|
||||
index 17f4dcab2c6..266d99ed337 100644
|
||||
--- a/grub-core/script/execute.c
|
||||
+++ b/grub-core/script/execute.c
|
||||
@@ -658,6 +658,9 @@ grub_script_arglist_to_argv (struct grub_script_arglist *arglist,
|
||||
struct grub_script_arg *arg = 0;
|
||||
struct grub_script_argv result = { 0, 0, 0 };
|
||||
|
||||
+ if (arglist == NULL)
|
||||
+ return 1;
|
||||
+
|
||||
for (; arglist && arglist->arg; arglist = arglist->next)
|
||||
{
|
||||
if (grub_script_argv_next (&result))
|
@ -0,0 +1,43 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 22 Jan 2021 17:10:48 +1100
|
||||
Subject: [PATCH] commands/menuentry: Fix quoting in setparams_prefix()
|
||||
|
||||
Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
|
||||
says that expressing a quoted single quote will require 3 characters. It
|
||||
actually requires (and always did require!) 4 characters:
|
||||
|
||||
str: a'b => a'\''b
|
||||
len: 3 => 6 (2 for the letters + 4 for the quote)
|
||||
|
||||
This leads to not allocating enough memory and thus out of bounds writes
|
||||
that have been observed to cause heap corruption.
|
||||
|
||||
Allocate 4 bytes for each single quote.
|
||||
|
||||
Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
|
||||
quoting, but it adds 3 as extra overhead on top of the single byte that
|
||||
the quote already needs. So it's correct.
|
||||
|
||||
Fixes: CVE-2021-20233
|
||||
Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/commands/menuentry.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
|
||||
index 4b5fcf2ce9a..7a533b9741b 100644
|
||||
--- a/grub-core/commands/menuentry.c
|
||||
+++ b/grub-core/commands/menuentry.c
|
||||
@@ -239,7 +239,7 @@ setparams_prefix (int argc, char **args)
|
||||
len += 3; /* 3 = 1 space + 2 quotes */
|
||||
p = args[i];
|
||||
while (*p)
|
||||
- len += (*p++ == '\'' ? 3 : 1);
|
||||
+ len += (*p++ == '\'' ? 4 : 1);
|
||||
}
|
||||
|
||||
result = grub_malloc (len + 2);
|
43
SOURCES/0378-kern-misc-Always-set-end-in-grub_strtoull.patch
Normal file
43
SOURCES/0378-kern-misc-Always-set-end-in-grub_strtoull.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Wed, 13 Jan 2021 22:19:01 +1100
|
||||
Subject: [PATCH] kern/misc: Always set *end in grub_strtoull()
|
||||
|
||||
Currently, if there is an error in grub_strtoull(), *end is not set.
|
||||
This differs from the usual behavior of strtoull(), and also means that
|
||||
some callers may use an uninitialized value for *end.
|
||||
|
||||
Set *end unconditionally.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/misc.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
|
||||
index c034f49f97c..62b4068e810 100644
|
||||
--- a/grub-core/kern/misc.c
|
||||
+++ b/grub-core/kern/misc.c
|
||||
@@ -452,6 +452,10 @@ grub_strtoull (const char *str, const char ** const end, int base)
|
||||
{
|
||||
grub_error (GRUB_ERR_OUT_OF_RANGE,
|
||||
N_("overflow is detected"));
|
||||
+
|
||||
+ if (end)
|
||||
+ *end = (char *) str;
|
||||
+
|
||||
return ~0ULL;
|
||||
}
|
||||
|
||||
@@ -463,6 +467,10 @@ grub_strtoull (const char *str, const char ** const end, int base)
|
||||
{
|
||||
grub_error (GRUB_ERR_BAD_NUMBER,
|
||||
N_("unrecognized number"));
|
||||
+
|
||||
+ if (end)
|
||||
+ *end = (char *) str;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
@ -0,0 +1,49 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 15 Jan 2021 12:57:04 +1100
|
||||
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
|
||||
or Huffman tables
|
||||
|
||||
Our decoder only supports 2 quantization tables. If a file asks for
|
||||
a quantization table with index > 1, reject it.
|
||||
|
||||
Similarly, our decoder only supports 4 Huffman tables. If a file asks
|
||||
for a Huffman table with index > 3, reject it.
|
||||
|
||||
This fixes some out of bounds reads. It's not clear what degree of control
|
||||
over subsequent execution could be gained by someone who can carefully
|
||||
set up the contents of memory before loading an invalid JPEG file.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/readers/jpeg.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
||||
index a4a8269e237..856573996ac 100644
|
||||
--- a/grub-core/video/readers/jpeg.c
|
||||
+++ b/grub-core/video/readers/jpeg.c
|
||||
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
|
||||
else if (ss != JPEG_SAMPLING_1x1)
|
||||
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
"jpeg: sampling method not supported");
|
||||
+
|
||||
data->comp_index[id][0] = grub_jpeg_get_byte (data);
|
||||
+ if (data->comp_index[id][0] > 1)
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "jpeg: too many quantization tables");
|
||||
}
|
||||
|
||||
if (data->file->offset != next_marker)
|
||||
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
||||
ht = grub_jpeg_get_byte (data);
|
||||
data->comp_index[id][1] = (ht >> 4);
|
||||
data->comp_index[id][2] = (ht & 0xF) + 2;
|
||||
+
|
||||
+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
|
||||
+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
|
||||
}
|
||||
|
||||
grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
|
@ -0,0 +1,44 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 15 Jan 2021 13:29:53 +1100
|
||||
Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in
|
||||
grub_jpeg_decode_du()
|
||||
|
||||
The key line is:
|
||||
|
||||
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
|
||||
|
||||
jpeg_zigzag_order is grub_uint8_t[64].
|
||||
|
||||
I don't understand JPEG decoders quite well enough to explain what's
|
||||
going on here. However, I observe sometimes pos=64, which leads to an
|
||||
OOB read of the jpeg_zigzag_order global then an OOB write to du.
|
||||
That leads to various unpleasant memory corruption conditions.
|
||||
|
||||
Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/readers/jpeg.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
||||
index 856573996ac..28c1d62515e 100644
|
||||
--- a/grub-core/video/readers/jpeg.c
|
||||
+++ b/grub-core/video/readers/jpeg.c
|
||||
@@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
|
||||
val = grub_jpeg_get_number (data, num & 0xF);
|
||||
num >>= 4;
|
||||
pos += num;
|
||||
+
|
||||
+ if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "jpeg: invalid position in zigzag order!?");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
|
||||
pos++;
|
||||
}
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 15 Jan 2021 14:06:46 +1100
|
||||
Subject: [PATCH] video/readers/jpeg: Don't decode data before start of stream
|
||||
|
||||
When a start of stream marker is encountered, we call grub_jpeg_decode_sos()
|
||||
which allocates space for a bitmap.
|
||||
|
||||
When a restart marker is encountered, we call grub_jpeg_decode_data() which
|
||||
then fills in that bitmap.
|
||||
|
||||
If we get a restart marker before the start of stream marker, we will
|
||||
attempt to write to a bitmap_ptr that hasn't been allocated. Catch this
|
||||
and bail out. This fixes an attempt to write to NULL.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/video/readers/jpeg.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
||||
index 28c1d62515e..c48cbd41b48 100644
|
||||
--- a/grub-core/video/readers/jpeg.c
|
||||
+++ b/grub-core/video/readers/jpeg.c
|
||||
@@ -646,6 +646,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
||||
nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
|
||||
nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
|
||||
|
||||
+ if (data->bitmap_ptr == NULL)
|
||||
+ return grub_error(GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "jpeg: attempted to decode data before start of stream");
|
||||
+
|
||||
for (; data->r1 < nr1 && (!data->dri || rst);
|
||||
data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|
||||
for (c1 = 0; c1 < nc1 && (!data->dri || rst);
|
@ -0,0 +1,48 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 15 Jan 2021 20:03:20 +1100
|
||||
Subject: [PATCH] term/gfxterm: Don't set up a font with glyphs that are too
|
||||
big
|
||||
|
||||
Catch the case where we have a font so big that it causes the number of
|
||||
rows or columns to be 0. Currently we continue and allocate a
|
||||
virtual_screen.text_buffer of size 0. We then try to use that for glpyhs
|
||||
and things go badly.
|
||||
|
||||
On the emu platform, malloc() may give us a valid pointer, in which case
|
||||
we'll access heap memory which we shouldn't. Alternatively, it may give us
|
||||
NULL, in which case we'll crash. For other platforms, if I understand
|
||||
grub_memalign() correctly, we will receive a valid but small allocation
|
||||
that we will very likely later overrun.
|
||||
|
||||
Prevent the creation of a virtual screen that isn't at least 40 cols
|
||||
by 12 rows. This is arbitrary, but it seems that if your width or height
|
||||
is half a standard 80x24 terminal, you're probably going to struggle to
|
||||
read anything anyway.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/term/gfxterm.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/grub-core/term/gfxterm.c b/grub-core/term/gfxterm.c
|
||||
index af7c090a3e7..b40fcce9151 100644
|
||||
--- a/grub-core/term/gfxterm.c
|
||||
+++ b/grub-core/term/gfxterm.c
|
||||
@@ -232,6 +232,15 @@ grub_virtual_screen_setup (unsigned int x, unsigned int y,
|
||||
virtual_screen.columns = virtual_screen.width / virtual_screen.normal_char_width;
|
||||
virtual_screen.rows = virtual_screen.height / virtual_screen.normal_char_height;
|
||||
|
||||
+ /*
|
||||
+ * There must be a minimum number of rows and columns for the screen to
|
||||
+ * make sense. Arbitrarily pick half of 80x24. If either dimensions is 0
|
||||
+ * we would allocate 0 bytes for the text_buffer.
|
||||
+ */
|
||||
+ if (virtual_screen.columns < 40 || virtual_screen.rows < 12)
|
||||
+ return grub_error (GRUB_ERR_BAD_FONT,
|
||||
+ "font: glyphs too large to fit on screen");
|
||||
+
|
||||
/* Allocate memory for text buffer. */
|
||||
virtual_screen.text_buffer =
|
||||
(struct grub_colored_char *) grub_malloc (virtual_screen.columns
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user