summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorYongxin Liu <yongxin.liu@windriver.com>2020-10-28 11:18:06 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-10-30 13:04:39 +0000
commit141bf3fdb65d3c17426843ec3ea040244d59379f (patch)
treef4731ece58d7303f5ccc12b83a5ec0cf28f43b72 /meta
parenta65148ba0a1403fbb3b9271909c48c53a3ee9b6d (diff)
downloadpoky-141bf3fdb65d3c17426843ec3ea040244d59379f.tar.gz
grub: fix several CVEs in grub 2.04
Backport patches from https://git.savannah.gnu.org/git/grub.git to fix some CVEs. Here is the list. CVE-2020-14308: 0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch 0002-lvm-Add-LVM-cache-logical-volume-handling.patch 0003-calloc-Use-calloc-at-most-places.patch CVE-2020-14309, CVE-2020-14310, CVE-2020-14311: 0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch CVE-2020-15706: 0006-script-Remove-unused-fields-from-grub_script_functio.patch 0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch CVE-2020-15707: 0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch (From OE-Core rev: 67329184985a03534f11f95e9df5f9fb2305a261) Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-bsp/grub/files/0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch246
-rw-r--r--meta/recipes-bsp/grub/files/0002-lvm-Add-LVM-cache-logical-volume-handling.patch287
-rw-r--r--meta/recipes-bsp/grub/files/0003-calloc-Use-calloc-at-most-places.patch1859
-rw-r--r--meta/recipes-bsp/grub/files/0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch94
-rw-r--r--meta/recipes-bsp/grub/files/0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch1326
-rw-r--r--meta/recipes-bsp/grub/files/0006-script-Remove-unused-fields-from-grub_script_functio.patch37
-rw-r--r--meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch113
-rw-r--r--meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch173
-rw-r--r--meta/recipes-bsp/grub/grub2.inc8
9 files changed, 4143 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch b/meta/recipes-bsp/grub/files/0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch
new file mode 100644
index 0000000000..c9536e68ef
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch
@@ -0,0 +1,246 @@
1From c005f62f5c4b26a77b916c8f76a852324439ecb3 Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 12:15:29 -0400
4Subject: [PATCH 2/9] calloc: Make sure we always have an overflow-checking
5 calloc() available
6
7This tries to make sure that everywhere in this source tree, we always have
8an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
9available, and that they all safely check for overflow and return NULL when
10it would occur.
11
12Upstream-Status: Backport [commit 64e26162ebfe68317c143ca5ec996c892019f8f8
13from https://git.savannah.gnu.org/git/grub.git]
14
15Signed-off-by: Peter Jones <pjones@redhat.com>
16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
18---
19 grub-core/kern/emu/misc.c | 12 ++++++++++++
20 grub-core/kern/emu/mm.c | 10 ++++++++++
21 grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++
22 grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
23 grub-core/lib/posix_wrap/stdlib.h | 8 +++++++-
24 include/grub/emu/misc.h | 1 +
25 include/grub/mm.h | 6 ++++++
26 7 files changed, 85 insertions(+), 3 deletions(-)
27
28diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
29index 65db79b..dfd8a8e 100644
30--- a/grub-core/kern/emu/misc.c
31+++ b/grub-core/kern/emu/misc.c
32@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...)
33 exit (1);
34 }
35
36+void *
37+xcalloc (grub_size_t nmemb, grub_size_t size)
38+{
39+ void *p;
40+
41+ p = calloc (nmemb, size);
42+ if (!p)
43+ grub_util_error ("%s", _("out of memory"));
44+
45+ return p;
46+}
47+
48 void *
49 xmalloc (grub_size_t size)
50 {
51diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
52index f262e95..145b01d 100644
53--- a/grub-core/kern/emu/mm.c
54+++ b/grub-core/kern/emu/mm.c
55@@ -25,6 +25,16 @@
56 #include <string.h>
57 #include <grub/i18n.h>
58
59+void *
60+grub_calloc (grub_size_t nmemb, grub_size_t size)
61+{
62+ void *ret;
63+ ret = calloc (nmemb, size);
64+ if (!ret)
65+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
66+ return ret;
67+}
68+
69 void *
70 grub_malloc (grub_size_t size)
71 {
72diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
73index ee88ff6..f2822a8 100644
74--- a/grub-core/kern/mm.c
75+++ b/grub-core/kern/mm.c
76@@ -67,8 +67,10 @@
77 #include <grub/dl.h>
78 #include <grub/i18n.h>
79 #include <grub/mm_private.h>
80+#include <grub/safemath.h>
81
82 #ifdef MM_DEBUG
83+# undef grub_calloc
84 # undef grub_malloc
85 # undef grub_zalloc
86 # undef grub_realloc
87@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
88 return 0;
89 }
90
91+/*
92+ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
93+ * integer overflow.
94+ */
95+void *
96+grub_calloc (grub_size_t nmemb, grub_size_t size)
97+{
98+ void *ret;
99+ grub_size_t sz = 0;
100+
101+ if (grub_mul (nmemb, size, &sz))
102+ {
103+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
104+ return NULL;
105+ }
106+
107+ ret = grub_memalign (0, sz);
108+ if (!ret)
109+ return NULL;
110+
111+ grub_memset (ret, 0, sz);
112+ return ret;
113+}
114+
115 /* Allocate SIZE bytes and return the pointer. */
116 void *
117 grub_malloc (grub_size_t size)
118@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno)
119 grub_printf ("\n");
120 }
121
122+void *
123+grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
124+{
125+ void *ptr;
126+
127+ if (grub_mm_debug)
128+ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
129+ file, line, size);
130+ ptr = grub_calloc (nmemb, size);
131+ if (grub_mm_debug)
132+ grub_printf ("%p\n", ptr);
133+ return ptr;
134+}
135+
136 void *
137 grub_debug_malloc (const char *file, int line, grub_size_t size)
138 {
139diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
140index beeb661..74c6eaf 100644
141--- a/grub-core/lib/libgcrypt_wrap/mem.c
142+++ b/grub-core/lib/libgcrypt_wrap/mem.c
143@@ -4,6 +4,7 @@
144 #include <grub/crypto.h>
145 #include <grub/dl.h>
146 #include <grub/env.h>
147+#include <grub/safemath.h>
148
149 GRUB_MOD_LICENSE ("GPLv3+");
150
151@@ -36,7 +37,10 @@ void *
152 gcry_xcalloc (size_t n, size_t m)
153 {
154 void *ret;
155- ret = grub_zalloc (n * m);
156+ size_t sz;
157+ if (grub_mul (n, m, &sz))
158+ grub_fatal ("gcry_xcalloc would overflow");
159+ ret = grub_zalloc (sz);
160 if (!ret)
161 grub_fatal ("gcry_xcalloc failed");
162 return ret;
163@@ -56,7 +60,10 @@ void *
164 gcry_xcalloc_secure (size_t n, size_t m)
165 {
166 void *ret;
167- ret = grub_zalloc (n * m);
168+ size_t sz;
169+ if (grub_mul (n, m, &sz))
170+ grub_fatal ("gcry_xcalloc would overflow");
171+ ret = grub_zalloc (sz);
172 if (!ret)
173 grub_fatal ("gcry_xcalloc failed");
174 return ret;
175diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
176index 3b46f47..7a8d385 100644
177--- a/grub-core/lib/posix_wrap/stdlib.h
178+++ b/grub-core/lib/posix_wrap/stdlib.h
179@@ -21,6 +21,7 @@
180
181 #include <grub/mm.h>
182 #include <grub/misc.h>
183+#include <grub/safemath.h>
184
185 static inline void
186 free (void *ptr)
187@@ -37,7 +38,12 @@ malloc (grub_size_t size)
188 static inline void *
189 calloc (grub_size_t size, grub_size_t nelem)
190 {
191- return grub_zalloc (size * nelem);
192+ grub_size_t sz;
193+
194+ if (grub_mul (size, nelem, &sz))
195+ return NULL;
196+
197+ return grub_zalloc (sz);
198 }
199
200 static inline void *
201diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
202index ce464cf..ff9c48a 100644
203--- a/include/grub/emu/misc.h
204+++ b/include/grub/emu/misc.h
205@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
206 #define GRUB_HOST_PRIuLONG_LONG "llu"
207 #define GRUB_HOST_PRIxLONG_LONG "llx"
208
209+void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
210 void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
211 void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
212 char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
213diff --git a/include/grub/mm.h b/include/grub/mm.h
214index 28e2e53..9c38dd3 100644
215--- a/include/grub/mm.h
216+++ b/include/grub/mm.h
217@@ -29,6 +29,7 @@
218 #endif
219
220 void grub_mm_init_region (void *addr, grub_size_t size);
221+void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
222 void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
223 void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
224 void EXPORT_FUNC(grub_free) (void *ptr);
225@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
226 void grub_mm_dump_free (void);
227 void grub_mm_dump (unsigned lineno);
228
229+#define grub_calloc(nmemb, size) \
230+ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
231+
232 #define grub_malloc(size) \
233 grub_debug_malloc (GRUB_FILE, __LINE__, size)
234
235@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
236 #define grub_free(ptr) \
237 grub_debug_free (GRUB_FILE, __LINE__, ptr)
238
239+void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
240+ grub_size_t nmemb, grub_size_t size);
241 void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
242 grub_size_t size);
243 void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
244--
2452.14.4
246
diff --git a/meta/recipes-bsp/grub/files/0002-lvm-Add-LVM-cache-logical-volume-handling.patch b/meta/recipes-bsp/grub/files/0002-lvm-Add-LVM-cache-logical-volume-handling.patch
new file mode 100644
index 0000000000..2b8157f592
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0002-lvm-Add-LVM-cache-logical-volume-handling.patch
@@ -0,0 +1,287 @@
1From 8eb02bcb5897b238b29ff762402bb0c3028f0eab Mon Sep 17 00:00:00 2001
2From: Michael Chang <mchang@suse.com>
3Date: Thu, 19 Mar 2020 13:56:13 +0800
4Subject: [PATCH 3/9] lvm: Add LVM cache logical volume handling
5
6The LVM cache logical volume is the logical volume consisting of the original
7and the cache pool logical volume. The original is usually on a larger and
8slower storage device while the cache pool is on a smaller and faster one. The
9performance of the original volume can be improved by storing the frequently
10used data on the cache pool to utilize the greater performance of faster
11device.
12
13The default cache mode "writethrough" ensures that any data written will be
14stored both in the cache and on the origin LV, therefore grub can be straight
15to read the original lv as no data loss is guarenteed.
16
17The second cache mode is "writeback", which delays writing from the cache pool
18back to the origin LV to have increased performance. The drawback is potential
19data loss if losing the associated cache device.
20
21During the boot time grub reads the LVM offline i.e. LVM volumes are not
22activated and mounted, hence it should be fine to read directly from original
23lv since all cached data should have been flushed back in the process of taking
24it offline.
25
26It is also not much helpful to the situation by adding fsync calls to the
27install code. The fsync did not force to write back dirty cache to the original
28device and rather it would update associated cache metadata to complete the
29write transaction with the cache device. IOW the writes to cached blocks still
30go only to the cache device.
31
32To write back dirty cache, as LVM cache did not support dirty cache flush per
33block range, there'no way to do it for file. On the other hand the "cleaner"
34policy is implemented and can be used to write back "all" dirty blocks in a
35cache, which effectively drain all dirty cache gradually to attain and last in
36the "clean" state, which can be useful for shrinking or decommissioning a
37cache. The result and effect is not what we are looking for here.
38
39In conclusion, as it seems no way to enforce file writes to the original
40device, grub may suffer from power failure as it cannot assemble the cache
41device and read the dirty data from it. However since the case is only
42applicable to writeback mode which is sensitive to data lost in nature, I'd
43still like to propose my (relatively simple) patch and treat reading dirty
44cache as improvement.
45
46Upstream-Status: Backport [commit 0454b0445393aafc5600e92ef0c39494e333b135
47from https://git.savannah.gnu.org/git/grub.git]
48
49Signed-off-by: Michael Chang <mchang@suse.com>
50Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
51Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
52---
53 grub-core/disk/lvm.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++
54 1 file changed, 190 insertions(+)
55
56diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
57index 7b265c7..dc6b83b 100644
58--- a/grub-core/disk/lvm.c
59+++ b/grub-core/disk/lvm.c
60@@ -33,6 +33,14 @@
61
62 GRUB_MOD_LICENSE ("GPLv3+");
63
64+struct cache_lv
65+{
66+ struct grub_diskfilter_lv *lv;
67+ char *cache_pool;
68+ char *origin;
69+ struct cache_lv *next;
70+};
71+
72
73 /* Go the string STR and return the number after STR. *P will point
74 at the number. In case STR is not found, *P will be NULL and the
75@@ -95,6 +103,34 @@ grub_lvm_check_flag (char *p, const char *str, const char *flag)
76 }
77 }
78
79+static void
80+grub_lvm_free_cache_lvs (struct cache_lv *cache_lvs)
81+{
82+ struct cache_lv *cache;
83+
84+ while ((cache = cache_lvs))
85+ {
86+ cache_lvs = cache_lvs->next;
87+
88+ if (cache->lv)
89+ {
90+ unsigned int i;
91+
92+ for (i = 0; i < cache->lv->segment_count; ++i)
93+ if (cache->lv->segments)
94+ grub_free (cache->lv->segments[i].nodes);
95+ grub_free (cache->lv->segments);
96+ grub_free (cache->lv->fullname);
97+ grub_free (cache->lv->idname);
98+ grub_free (cache->lv->name);
99+ }
100+ grub_free (cache->lv);
101+ grub_free (cache->origin);
102+ grub_free (cache->cache_pool);
103+ grub_free (cache);
104+ }
105+}
106+
107 static struct grub_diskfilter_vg *
108 grub_lvm_detect (grub_disk_t disk,
109 struct grub_diskfilter_pv_id *id,
110@@ -242,6 +278,8 @@ grub_lvm_detect (grub_disk_t disk,
111
112 if (! vg)
113 {
114+ struct cache_lv *cache_lvs = NULL;
115+
116 /* First time we see this volume group. We've to create the
117 whole volume group structure. */
118 vg = grub_malloc (sizeof (*vg));
119@@ -671,6 +709,106 @@ grub_lvm_detect (grub_disk_t disk,
120 seg->nodes[seg->node_count - 1].name = tmp;
121 }
122 }
123+ else if (grub_memcmp (p, "cache\"",
124+ sizeof ("cache\"") - 1) == 0)
125+ {
126+ struct cache_lv *cache = NULL;
127+
128+ char *p2, *p3;
129+ grub_size_t sz;
130+
131+ cache = grub_zalloc (sizeof (*cache));
132+ if (!cache)
133+ goto cache_lv_fail;
134+ cache->lv = grub_zalloc (sizeof (*cache->lv));
135+ if (!cache->lv)
136+ goto cache_lv_fail;
137+ grub_memcpy (cache->lv, lv, sizeof (*cache->lv));
138+
139+ if (lv->fullname)
140+ {
141+ cache->lv->fullname = grub_strdup (lv->fullname);
142+ if (!cache->lv->fullname)
143+ goto cache_lv_fail;
144+ }
145+ if (lv->idname)
146+ {
147+ cache->lv->idname = grub_strdup (lv->idname);
148+ if (!cache->lv->idname)
149+ goto cache_lv_fail;
150+ }
151+ if (lv->name)
152+ {
153+ cache->lv->name = grub_strdup (lv->name);
154+ if (!cache->lv->name)
155+ goto cache_lv_fail;
156+ }
157+
158+ skip_lv = 1;
159+
160+ p2 = grub_strstr (p, "cache_pool = \"");
161+ if (!p2)
162+ goto cache_lv_fail;
163+
164+ p2 = grub_strchr (p2, '"');
165+ if (!p2)
166+ goto cache_lv_fail;
167+
168+ p3 = ++p2;
169+ p3 = grub_strchr (p3, '"');
170+ if (!p3)
171+ goto cache_lv_fail;
172+
173+ sz = p3 - p2;
174+
175+ cache->cache_pool = grub_malloc (sz + 1);
176+ if (!cache->cache_pool)
177+ goto cache_lv_fail;
178+ grub_memcpy (cache->cache_pool, p2, sz);
179+ cache->cache_pool[sz] = '\0';
180+
181+ p2 = grub_strstr (p, "origin = \"");
182+ if (!p2)
183+ goto cache_lv_fail;
184+
185+ p2 = grub_strchr (p2, '"');
186+ if (!p2)
187+ goto cache_lv_fail;
188+
189+ p3 = ++p2;
190+ p3 = grub_strchr (p3, '"');
191+ if (!p3)
192+ goto cache_lv_fail;
193+
194+ sz = p3 - p2;
195+
196+ cache->origin = grub_malloc (sz + 1);
197+ if (!cache->origin)
198+ goto cache_lv_fail;
199+ grub_memcpy (cache->origin, p2, sz);
200+ cache->origin[sz] = '\0';
201+
202+ cache->next = cache_lvs;
203+ cache_lvs = cache;
204+ break;
205+
206+ cache_lv_fail:
207+ if (cache)
208+ {
209+ grub_free (cache->origin);
210+ grub_free (cache->cache_pool);
211+ if (cache->lv)
212+ {
213+ grub_free (cache->lv->fullname);
214+ grub_free (cache->lv->idname);
215+ grub_free (cache->lv->name);
216+ }
217+ grub_free (cache->lv);
218+ grub_free (cache);
219+ }
220+ grub_lvm_free_cache_lvs (cache_lvs);
221+ goto fail4;
222+ }
223 else
224 {
225 #ifdef GRUB_UTIL
226@@ -747,6 +885,58 @@ grub_lvm_detect (grub_disk_t disk,
227 }
228
229 }
230+
231+ {
232+ struct cache_lv *cache;
233+
234+ for (cache = cache_lvs; cache; cache = cache->next)
235+ {
236+ struct grub_diskfilter_lv *lv;
237+
238+ for (lv = vg->lvs; lv; lv = lv->next)
239+ if (grub_strcmp (lv->name, cache->origin) == 0)
240+ break;
241+ if (lv)
242+ {
243+ cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
244+ if (!cache->lv->segments)
245+ {
246+ grub_lvm_free_cache_lvs (cache_lvs);
247+ goto fail4;
248+ }
249+ grub_memcpy (cache->lv->segments, lv->segments, lv->segment_count * sizeof (*lv->segments));
250+
251+ for (i = 0; i < lv->segment_count; ++i)
252+ {
253+ struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
254+ grub_size_t node_count = lv->segments[i].node_count;
255+
256+ cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
257+ if (!cache->lv->segments[i].nodes)
258+ {
259+ for (j = 0; j < i; ++j)
260+ grub_free (cache->lv->segments[j].nodes);
261+ grub_free (cache->lv->segments);
262+ cache->lv->segments = NULL;
263+ grub_lvm_free_cache_lvs (cache_lvs);
264+ goto fail4;
265+ }
266+ grub_memcpy (cache->lv->segments[i].nodes, nodes, node_count * sizeof (*nodes));
267+ }
268+
269+ if (cache->lv->segments)
270+ {
271+ cache->lv->segment_count = lv->segment_count;
272+ cache->lv->vg = vg;
273+ cache->lv->next = vg->lvs;
274+ vg->lvs = cache->lv;
275+ cache->lv = NULL;
276+ }
277+ }
278+ }
279+ }
280+
281+ grub_lvm_free_cache_lvs (cache_lvs);
282 if (grub_diskfilter_vg_register (vg))
283 goto fail4;
284 }
285--
2862.14.4
287
diff --git a/meta/recipes-bsp/grub/files/0003-calloc-Use-calloc-at-most-places.patch b/meta/recipes-bsp/grub/files/0003-calloc-Use-calloc-at-most-places.patch
new file mode 100644
index 0000000000..eb3e42c3af
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0003-calloc-Use-calloc-at-most-places.patch
@@ -0,0 +1,1859 @@
1From bcdd6a55952222ec9829a59348240a4f983b0b56 Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 12:26:01 -0400
4Subject: [PATCH 4/9] calloc: Use calloc() at most places
5
6This modifies most of the places we do some form of:
7
8 X = malloc(Y * Z);
9
10to use calloc(Y, Z) instead.
11
12Among other issues, this fixes:
13 - allocation of integer overflow in grub_png_decode_image_header()
14 reported by Chris Coulson,
15 - allocation of integer overflow in luks_recover_key()
16 reported by Chris Coulson,
17 - allocation of integer overflow in grub_lvm_detect()
18 reported by Chris Coulson.
19
20Fixes: CVE-2020-14308
21
22Upstream-Status: Backport [commit f725fa7cb2ece547c5af01eeeecfe8d95802ed41
23from https://git.savannah.gnu.org/git/grub.git]
24
25Signed-off-by: Peter Jones <pjones@redhat.com>
26Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
27[YL: don't patch on grub-core/lib/json/json.c, which is not existing in grub 2.04]
28Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
29---
30 grub-core/bus/usb/usbhub.c | 8 ++++----
31 grub-core/commands/efi/lsefisystab.c | 3 ++-
32 grub-core/commands/legacycfg.c | 6 +++---
33 grub-core/commands/menuentry.c | 2 +-
34 grub-core/commands/nativedisk.c | 2 +-
35 grub-core/commands/parttool.c | 12 +++++++++---
36 grub-core/commands/regexp.c | 2 +-
37 grub-core/commands/search_wrap.c | 2 +-
38 grub-core/disk/diskfilter.c | 4 ++--
39 grub-core/disk/ieee1275/ofdisk.c | 2 +-
40 grub-core/disk/ldm.c | 14 +++++++-------
41 grub-core/disk/luks.c | 2 +-
42 grub-core/disk/lvm.c | 12 ++++++------
43 grub-core/disk/xen/xendisk.c | 2 +-
44 grub-core/efiemu/loadcore.c | 2 +-
45 grub-core/efiemu/mm.c | 6 +++---
46 grub-core/font/font.c | 3 +--
47 grub-core/fs/affs.c | 6 +++---
48 grub-core/fs/btrfs.c | 6 +++---
49 grub-core/fs/hfs.c | 2 +-
50 grub-core/fs/hfsplus.c | 6 +++---
51 grub-core/fs/iso9660.c | 2 +-
52 grub-core/fs/ntfs.c | 4 ++--
53 grub-core/fs/sfs.c | 2 +-
54 grub-core/fs/tar.c | 2 +-
55 grub-core/fs/udf.c | 4 ++--
56 grub-core/fs/zfs/zfs.c | 4 ++--
57 grub-core/gfxmenu/gui_string_util.c | 2 +-
58 grub-core/gfxmenu/widget-box.c | 4 ++--
59 grub-core/io/gzio.c | 2 +-
60 grub-core/kern/efi/efi.c | 6 +++---
61 grub-core/kern/emu/hostdisk.c | 2 +-
62 grub-core/kern/fs.c | 2 +-
63 grub-core/kern/misc.c | 2 +-
64 grub-core/kern/parser.c | 2 +-
65 grub-core/kern/uboot/uboot.c | 2 +-
66 grub-core/lib/libgcrypt/cipher/ac.c | 8 ++++----
67 grub-core/lib/libgcrypt/cipher/primegen.c | 4 ++--
68 grub-core/lib/libgcrypt/cipher/pubkey.c | 4 ++--
69 grub-core/lib/priority_queue.c | 2 +-
70 grub-core/lib/reed_solomon.c | 7 +++----
71 grub-core/lib/relocator.c | 10 +++++-----
72 grub-core/lib/zstd/fse_decompress.c | 2 +-
73 grub-core/loader/arm/linux.c | 2 +-
74 grub-core/loader/efi/chainloader.c | 2 +-
75 grub-core/loader/i386/bsdXX.c | 2 +-
76 grub-core/loader/i386/xnu.c | 4 ++--
77 grub-core/loader/macho.c | 2 +-
78 grub-core/loader/multiboot_elfxx.c | 2 +-
79 grub-core/loader/xnu.c | 2 +-
80 grub-core/mmap/mmap.c | 4 ++--
81 grub-core/net/bootp.c | 2 +-
82 grub-core/net/dns.c | 10 +++++-----
83 grub-core/net/net.c | 4 ++--
84 grub-core/normal/charset.c | 10 +++++-----
85 grub-core/normal/cmdline.c | 14 +++++++-------
86 grub-core/normal/menu_entry.c | 14 +++++++-------
87 grub-core/normal/menu_text.c | 4 ++--
88 grub-core/normal/term.c | 4 ++--
89 grub-core/osdep/linux/getroot.c | 6 +++---
90 grub-core/osdep/unix/config.c | 2 +-
91 grub-core/osdep/windows/getroot.c | 2 +-
92 grub-core/osdep/windows/hostdisk.c | 4 ++--
93 grub-core/osdep/windows/init.c | 2 +-
94 grub-core/osdep/windows/platform.c | 4 ++--
95 grub-core/osdep/windows/relpath.c | 2 +-
96 grub-core/partmap/gpt.c | 2 +-
97 grub-core/partmap/msdos.c | 2 +-
98 grub-core/script/execute.c | 2 +-
99 grub-core/tests/fake_input.c | 2 +-
100 grub-core/tests/video_checksum.c | 6 +++---
101 grub-core/video/capture.c | 2 +-
102 grub-core/video/emu/sdl.c | 2 +-
103 grub-core/video/i386/pc/vga.c | 2 +-
104 grub-core/video/readers/png.c | 2 +-
105 include/grub/unicode.h | 4 ++--
106 util/getroot.c | 2 +-
107 util/grub-file.c | 2 +-
108 util/grub-fstest.c | 4 ++--
109 util/grub-install-common.c | 2 +-
110 util/grub-install.c | 4 ++--
111 util/grub-mkimagexx.c | 6 ++----
112 util/grub-mkrescue.c | 4 ++--
113 util/grub-mkstandalone.c | 2 +-
114 util/grub-pe2elf.c | 12 +++++-------
115 util/grub-probe.c | 4 ++--
116 86 files changed, 178 insertions(+), 177 deletions(-)
117
118diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
119index 34a7ff1..a06cce3 100644
120--- a/grub-core/bus/usb/usbhub.c
121+++ b/grub-core/bus/usb/usbhub.c
122@@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
123 grub_usb_set_configuration (dev, 1);
124
125 dev->nports = hubdesc.portcnt;
126- dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
127- dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
128+ dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
129+ dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
130 if (!dev->children || !dev->ports)
131 {
132 grub_free (dev->children);
133@@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d
134
135 /* Query the number of ports the root Hub has. */
136 hub->nports = controller->dev->hubports (controller);
137- hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
138- hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
139+ hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
140+ hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
141 if (!hub->devices || !hub->ports)
142 {
143 grub_free (hub->devices);
144diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c
145index df10302..cd81507 100644
146--- a/grub-core/commands/efi/lsefisystab.c
147+++ b/grub-core/commands/efi/lsefisystab.c
148@@ -71,7 +71,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
149 grub_printf ("Vendor: ");
150
151 for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
152- vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
153+ /* Allocate extra 3 bytes to simplify math. */
154+ vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
155 if (!vendor)
156 return grub_errno;
157 *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,
158diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
159index db7a8f0..5e3ec0d 100644
160--- a/grub-core/commands/legacycfg.c
161+++ b/grub-core/commands/legacycfg.c
162@@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
163 if (argc < 2)
164 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
165
166- cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
167+ cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
168 if (!cutargs)
169 return grub_errno;
170 cutargc = argc - 1;
171@@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
172 {
173 char rbuf[3] = "-r";
174 bsdargc = cutargc + 2;
175- bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
176+ bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
177 if (!bsdargs)
178 {
179 err = grub_errno;
180@@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
181 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
182 "module");
183
184- newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
185+ newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
186 if (!newargs)
187 return grub_errno;
188 grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));
189diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
190index 2c5363d..9164df7 100644
191--- a/grub-core/commands/menuentry.c
192+++ b/grub-core/commands/menuentry.c
193@@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
194 goto fail;
195
196 /* Save argc, args to pass as parameters to block arg later. */
197- menu_args = grub_malloc (sizeof (char*) * (argc + 1));
198+ menu_args = grub_calloc (argc + 1, sizeof (char *));
199 if (! menu_args)
200 goto fail;
201
202diff --git a/grub-core/commands/nativedisk.c b/grub-core/commands/nativedisk.c
203index 699447d..7c8f97f 100644
204--- a/grub-core/commands/nativedisk.c
205+++ b/grub-core/commands/nativedisk.c
206@@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
207 else
208 path_prefix = prefix;
209
210- mods = grub_malloc (argc * sizeof (mods[0]));
211+ mods = grub_calloc (argc, sizeof (mods[0]));
212 if (!mods)
213 return grub_errno;
214
215diff --git a/grub-core/commands/parttool.c b/grub-core/commands/parttool.c
216index 22b46b1..051e313 100644
217--- a/grub-core/commands/parttool.c
218+++ b/grub-core/commands/parttool.c
219@@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
220 for (nargs = 0; args[nargs].name != 0; nargs++);
221 cur->nargs = nargs;
222 cur->args = (struct grub_parttool_argdesc *)
223- grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
224+ grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
225+ if (!cur->args)
226+ {
227+ grub_free (cur);
228+ curhandle--;
229+ return -1;
230+ }
231 grub_memcpy (cur->args, args,
232 (nargs + 1) * sizeof (struct grub_parttool_argdesc));
233
234@@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
235 return err;
236 }
237
238- parsed = (int *) grub_zalloc (argc * sizeof (int));
239+ parsed = (int *) grub_calloc (argc, sizeof (int));
240
241 for (i = 1; i < argc; i++)
242 if (! parsed[i])
243@@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
244 }
245 ptool = cur;
246 pargs = (struct grub_parttool_args *)
247- grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
248+ grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
249 for (j = i; j < argc; j++)
250 if (! parsed[j])
251 {
252diff --git a/grub-core/commands/regexp.c b/grub-core/commands/regexp.c
253index f00b184..4019164 100644
254--- a/grub-core/commands/regexp.c
255+++ b/grub-core/commands/regexp.c
256@@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args)
257 if (ret)
258 goto fail;
259
260- matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1));
261+ matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches));
262 if (! matches)
263 goto fail;
264
265diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
266index d7fd26b..47fc8eb 100644
267--- a/grub-core/commands/search_wrap.c
268+++ b/grub-core/commands/search_wrap.c
269@@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
270 for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++)
271 nhints++;
272
273- hints = grub_malloc (sizeof (hints[0]) * nhints);
274+ hints = grub_calloc (nhints, sizeof (hints[0]));
275 if (!hints)
276 return grub_errno;
277 j = 0;
278diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
279index c3b578a..68ca9e0 100644
280--- a/grub-core/disk/diskfilter.c
281+++ b/grub-core/disk/diskfilter.c
282@@ -1134,7 +1134,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
283 array->lvs->segments->node_count = nmemb;
284 array->lvs->segments->raid_member_size = disk_size;
285 array->lvs->segments->nodes
286- = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0]));
287+ = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
288 array->lvs->segments->stripe_size = stripe_size;
289 for (i = 0; i < nmemb; i++)
290 {
291@@ -1226,7 +1226,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
292 grub_partition_t p;
293 for (p = disk->partition; p; p = p->parent)
294 s++;
295- pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0]));
296+ pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0]));
297 s = 0;
298 for (p = disk->partition; p; p = p->parent)
299 pv->partmaps[s++] = xstrdup (p->partmap->name);
300diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
301index f73257e..03674cb 100644
302--- a/grub-core/disk/ieee1275/ofdisk.c
303+++ b/grub-core/disk/ieee1275/ofdisk.c
304@@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
305 /* Power machines documentation specify 672 as maximum SAS disks in
306 one system. Using a slightly larger value to be safe. */
307 table_size = 768;
308- table = grub_malloc (table_size * sizeof (grub_uint64_t));
309+ table = grub_calloc (table_size, sizeof (grub_uint64_t));
310
311 if (!table)
312 {
313diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
314index 2a22d2d..e632370 100644
315--- a/grub-core/disk/ldm.c
316+++ b/grub-core/disk/ldm.c
317@@ -323,8 +323,8 @@ make_vg (grub_disk_t disk,
318 lv->segments->type = GRUB_DISKFILTER_MIRROR;
319 lv->segments->node_count = 0;
320 lv->segments->node_alloc = 8;
321- lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes)
322- * lv->segments->node_alloc);
323+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
324+ sizeof (*lv->segments->nodes));
325 if (!lv->segments->nodes)
326 goto fail2;
327 ptr = vblk[i].dynamic;
328@@ -543,8 +543,8 @@ make_vg (grub_disk_t disk,
329 {
330 comp->segment_alloc = 8;
331 comp->segment_count = 0;
332- comp->segments = grub_malloc (sizeof (*comp->segments)
333- * comp->segment_alloc);
334+ comp->segments = grub_calloc (comp->segment_alloc,
335+ sizeof (*comp->segments));
336 if (!comp->segments)
337 goto fail2;
338 }
339@@ -590,8 +590,8 @@ make_vg (grub_disk_t disk,
340 }
341 comp->segments->node_count = read_int (ptr + 1, *ptr);
342 comp->segments->node_alloc = comp->segments->node_count;
343- comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes)
344- * comp->segments->node_alloc);
345+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
346+ sizeof (*comp->segments->nodes));
347 if (!lv->segments->nodes)
348 goto fail2;
349 }
350@@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors,
351 *nsectors = lv->size;
352 if (*nsectors > max_nsectors)
353 *nsectors = max_nsectors;
354- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
355+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
356 if (!*sectors)
357 return grub_errno;
358 for (i = 0; i < *nsectors; i++)
359diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
360index 86c50c6..18b3a8b 100644
361--- a/grub-core/disk/luks.c
362+++ b/grub-core/disk/luks.c
363@@ -336,7 +336,7 @@ luks_recover_key (grub_disk_t source,
364 && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
365 max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
366
367- split_key = grub_malloc (keysize * max_stripes);
368+ split_key = grub_calloc (keysize, max_stripes);
369 if (!split_key)
370 return grub_errno;
371
372diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
373index dc6b83b..7b5fbbc 100644
374--- a/grub-core/disk/lvm.c
375+++ b/grub-core/disk/lvm.c
376@@ -209,7 +209,7 @@ grub_lvm_detect (grub_disk_t disk,
377 first one. */
378
379 /* Allocate buffer space for the circular worst-case scenario. */
380- metadatabuf = grub_malloc (2 * mda_size);
381+ metadatabuf = grub_calloc (2, mda_size);
382 if (! metadatabuf)
383 goto fail;
384
385@@ -464,7 +464,7 @@ grub_lvm_detect (grub_disk_t disk,
386 #endif
387 goto lvs_fail;
388 }
389- lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count);
390+ lv->segments = grub_calloc (lv->segment_count, sizeof (*seg));
391 seg = lv->segments;
392
393 for (i = 0; i < lv->segment_count; i++)
394@@ -521,8 +521,8 @@ grub_lvm_detect (grub_disk_t disk,
395 if (seg->node_count != 1)
396 seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
397
398- seg->nodes = grub_zalloc (sizeof (*stripe)
399- * seg->node_count);
400+ seg->nodes = grub_calloc (seg->node_count,
401+ sizeof (*stripe));
402 stripe = seg->nodes;
403
404 p = grub_strstr (p, "stripes = [");
405@@ -898,7 +898,7 @@ grub_lvm_detect (grub_disk_t disk,
406 break;
407 if (lv)
408 {
409- cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
410+ cache->lv->segments = grub_calloc (lv->segment_count, sizeof (*lv->segments));
411 if (!cache->lv->segments)
412 {
413 grub_lvm_free_cache_lvs (cache_lvs);
414@@ -911,7 +911,7 @@ grub_lvm_detect (grub_disk_t disk,
415 struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
416 grub_size_t node_count = lv->segments[i].node_count;
417
418- cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
419+ cache->lv->segments[i].nodes = grub_calloc (node_count, sizeof (*nodes));
420 if (!cache->lv->segments[i].nodes)
421 {
422 for (j = 0; j < i; ++j)
423diff --git a/grub-core/disk/xen/xendisk.c b/grub-core/disk/xen/xendisk.c
424index 48476cb..d6612ee 100644
425--- a/grub-core/disk/xen/xendisk.c
426+++ b/grub-core/disk/xen/xendisk.c
427@@ -426,7 +426,7 @@ grub_xendisk_init (void)
428 if (!ctr)
429 return;
430
431- virtdisks = grub_malloc (ctr * sizeof (virtdisks[0]));
432+ virtdisks = grub_calloc (ctr, sizeof (virtdisks[0]));
433 if (!virtdisks)
434 return;
435 if (grub_xenstore_dir ("device/vbd", fill, &ctr))
436diff --git a/grub-core/efiemu/loadcore.c b/grub-core/efiemu/loadcore.c
437index 44085ef..2b92462 100644
438--- a/grub-core/efiemu/loadcore.c
439+++ b/grub-core/efiemu/loadcore.c
440@@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e)
441
442 grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize;
443 grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *)
444- grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms);
445+ grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym));
446
447 /* Relocators */
448 for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);
449diff --git a/grub-core/efiemu/mm.c b/grub-core/efiemu/mm.c
450index 52a032f..9b8e0d0 100644
451--- a/grub-core/efiemu/mm.c
452+++ b/grub-core/efiemu/mm.c
453@@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void)
454 /* Initialize variables*/
455 grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE);
456 scanline_events = (struct grub_efiemu_mmap_scan *)
457- grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num);
458+ grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2);
459
460 /* Number of chunks can't increase more than by factor of 2 */
461 result = (grub_efi_memory_descriptor_t *)
462- grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num);
463+ grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2);
464 if (!result || !scanline_events)
465 {
466 grub_free (result);
467@@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void)
468
469 /* Preallocate mmap */
470 efiemu_mmap = (grub_efi_memory_descriptor_t *)
471- grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t));
472+ grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t));
473 if (!efiemu_mmap)
474 {
475 grub_efiemu_unload ();
476diff --git a/grub-core/font/font.c b/grub-core/font/font.c
477index 85a2925..8e118b3 100644
478--- a/grub-core/font/font.c
479+++ b/grub-core/font/font.c
480@@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
481 font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE;
482
483 /* Allocate the character index array. */
484- font->char_index = grub_malloc (font->num_chars
485- * sizeof (struct char_index_entry));
486+ font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry));
487 if (!font->char_index)
488 return 1;
489 font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
490diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
491index 6b6a2bc..220b371 100644
492--- a/grub-core/fs/affs.c
493+++ b/grub-core/fs/affs.c
494@@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node)
495 return 0;
496 }
497 latin1[symlink_size] = 0;
498- utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1);
499+ utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size);
500 if (!utf8)
501 {
502 grub_free (latin1);
503@@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
504 return 1;
505 }
506
507- hashtable = grub_zalloc (data->htsize * sizeof (*hashtable));
508+ hashtable = grub_calloc (data->htsize, sizeof (*hashtable));
509 if (!hashtable)
510 return 1;
511
512@@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label)
513 len = file.namelen;
514 if (len > sizeof (file.name))
515 len = sizeof (file.name);
516- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
517+ *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len);
518 if (*label)
519 *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';
520 }
521diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
522index 48bd3d0..11272ef 100644
523--- a/grub-core/fs/btrfs.c
524+++ b/grub-core/fs/btrfs.c
525@@ -413,7 +413,7 @@ lower_bound (struct grub_btrfs_data *data,
526 {
527 desc->allocated = 16;
528 desc->depth = 0;
529- desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated);
530+ desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0]));
531 if (!desc->data)
532 return grub_errno;
533 }
534@@ -752,7 +752,7 @@ raid56_read_retry (struct grub_btrfs_data *data,
535 grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY;
536 grub_uint64_t i, failed_devices;
537
538- buffers = grub_zalloc (sizeof(*buffers) * nstripes);
539+ buffers = grub_calloc (nstripes, sizeof (*buffers));
540 if (!buffers)
541 goto cleanup;
542
543@@ -2160,7 +2160,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)),
544 *nsectors = 64 * 2 - 1;
545 if (*nsectors > max_nsectors)
546 *nsectors = max_nsectors;
547- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
548+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
549 if (!*sectors)
550 return grub_errno;
551 for (i = 0; i < *nsectors; i++)
552diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
553index ac0a409..3fe842b 100644
554--- a/grub-core/fs/hfs.c
555+++ b/grub-core/fs/hfs.c
556@@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label)
557 grub_size_t len = data->sblock.volname[0];
558 if (len > sizeof (data->sblock.volname) - 1)
559 len = sizeof (data->sblock.volname) - 1;
560- *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
561+ *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len);
562 if (*label)
563 macroman_to_utf8 (*label, data->sblock.volname + 1,
564 len + 1, 0);
565diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
566index 54786bb..dae43be 100644
567--- a/grub-core/fs/hfsplus.c
568+++ b/grub-core/fs/hfsplus.c
569@@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg)
570 if (! filename)
571 return 0;
572
573- keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname));
574+ keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname));
575 if (!keyname)
576 {
577 grub_free (filename);
578@@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
579 grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
580
581 label_len = grub_be_to_cpu16 (catkey->namelen);
582- label_name = grub_malloc (label_len * sizeof (*label_name));
583+ label_name = grub_calloc (label_len, sizeof (*label_name));
584 if (!label_name)
585 {
586 grub_free (node);
587@@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
588 }
589 }
590
591- *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1);
592+ *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1);
593 if (! *label)
594 {
595 grub_free (label_name);
596diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
597index 49c0c63..4f1b52a 100644
598--- a/grub-core/fs/iso9660.c
599+++ b/grub-core/fs/iso9660.c
600@@ -331,7 +331,7 @@ grub_iso9660_convert_string (grub_uint8_t *us, int len)
601 int i;
602 grub_uint16_t t[MAX_NAMELEN / 2 + 1];
603
604- p = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
605+ p = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
606 if (! p)
607 return NULL;
608
609diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
610index fc4e1f6..2f34f76 100644
611--- a/grub-core/fs/ntfs.c
612+++ b/grub-core/fs/ntfs.c
613@@ -556,8 +556,8 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
614 grub_uint16_t *tmp;
615 grub_size_t i;
616
617- buf = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
618- tmp = grub_malloc (len * sizeof (tmp[0]));
619+ buf = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
620+ tmp = grub_calloc (len, sizeof (tmp[0]));
621 if (!buf || !tmp)
622 {
623 grub_free (buf);
624diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
625index 50c1fe7..90f7fb3 100644
626--- a/grub-core/fs/sfs.c
627+++ b/grub-core/fs/sfs.c
628@@ -266,7 +266,7 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
629 node->next_extent = node->block;
630 node->cache_size = 0;
631
632- node->cache = grub_malloc (sizeof (node->cache[0]) * cache_size);
633+ node->cache = grub_calloc (cache_size, sizeof (node->cache[0]));
634 if (!node->cache)
635 {
636 grub_errno = 0;
637diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
638index 7d63e0c..c551ed6 100644
639--- a/grub-core/fs/tar.c
640+++ b/grub-core/fs/tar.c
641@@ -120,7 +120,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
642 if (data->linkname_alloc < linksize + 1)
643 {
644 char *n;
645- n = grub_malloc (2 * (linksize + 1));
646+ n = grub_calloc (2, linksize + 1);
647 if (!n)
648 return grub_errno;
649 grub_free (data->linkname);
650diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
651index dc8b6e2..a837616 100644
652--- a/grub-core/fs/udf.c
653+++ b/grub-core/fs/udf.c
654@@ -873,7 +873,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
655 {
656 unsigned i;
657 utf16len = sz - 1;
658- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
659+ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
660 if (!utf16)
661 return NULL;
662 for (i = 0; i < utf16len; i++)
663@@ -883,7 +883,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
664 {
665 unsigned i;
666 utf16len = (sz - 1) / 2;
667- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
668+ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
669 if (!utf16)
670 return NULL;
671 for (i = 0; i < utf16len; i++)
672diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
673index 2f72e42..381dde5 100644
674--- a/grub-core/fs/zfs/zfs.c
675+++ b/grub-core/fs/zfs/zfs.c
676@@ -3325,7 +3325,7 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol,
677 }
678 subvol->nkeys = 0;
679 zap_iterate (&keychain_dn, 8, count_zap_keys, &ctx, data);
680- subvol->keyring = grub_zalloc (subvol->nkeys * sizeof (subvol->keyring[0]));
681+ subvol->keyring = grub_calloc (subvol->nkeys, sizeof (subvol->keyring[0]));
682 if (!subvol->keyring)
683 {
684 grub_free (fsname);
685@@ -4336,7 +4336,7 @@ grub_zfs_embed (grub_device_t device __attribute__ ((unused)),
686 *nsectors = (VDEV_BOOT_SIZE >> GRUB_DISK_SECTOR_BITS);
687 if (*nsectors > max_nsectors)
688 *nsectors = max_nsectors;
689- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
690+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
691 if (!*sectors)
692 return grub_errno;
693 for (i = 0; i < *nsectors; i++)
694diff --git a/grub-core/gfxmenu/gui_string_util.c b/grub-core/gfxmenu/gui_string_util.c
695index a9a415e..ba1e1ea 100644
696--- a/grub-core/gfxmenu/gui_string_util.c
697+++ b/grub-core/gfxmenu/gui_string_util.c
698@@ -55,7 +55,7 @@ canonicalize_path (const char *path)
699 if (*p == '/')
700 components++;
701
702- char **path_array = grub_malloc (components * sizeof (*path_array));
703+ char **path_array = grub_calloc (components, sizeof (*path_array));
704 if (! path_array)
705 return 0;
706
707diff --git a/grub-core/gfxmenu/widget-box.c b/grub-core/gfxmenu/widget-box.c
708index b606028..470597d 100644
709--- a/grub-core/gfxmenu/widget-box.c
710+++ b/grub-core/gfxmenu/widget-box.c
711@@ -303,10 +303,10 @@ grub_gfxmenu_create_box (const char *pixmaps_prefix,
712 box->content_height = 0;
713 box->raw_pixmaps =
714 (struct grub_video_bitmap **)
715- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
716+ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
717 box->scaled_pixmaps =
718 (struct grub_video_bitmap **)
719- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
720+ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
721
722 /* Initialize all pixmap pointers to NULL so that proper destruction can
723 be performed if an error is encountered partway through construction. */
724diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
725index 6208a97..43d98a7 100644
726--- a/grub-core/io/gzio.c
727+++ b/grub-core/io/gzio.c
728@@ -554,7 +554,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
729 z = 1 << j; /* table entries for j-bit table */
730
731 /* allocate and link in new table */
732- q = (struct huft *) grub_zalloc ((z + 1) * sizeof (struct huft));
733+ q = (struct huft *) grub_calloc (z + 1, sizeof (struct huft));
734 if (! q)
735 {
736 if (h)
737diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
738index 6e1ceb9..dc31caa 100644
739--- a/grub-core/kern/efi/efi.c
740+++ b/grub-core/kern/efi/efi.c
741@@ -202,7 +202,7 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid,
742
743 len = grub_strlen (var);
744 len16 = len * GRUB_MAX_UTF16_PER_UTF8;
745- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
746+ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
747 if (!var16)
748 return grub_errno;
749 len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
750@@ -237,7 +237,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
751
752 len = grub_strlen (var);
753 len16 = len * GRUB_MAX_UTF16_PER_UTF8;
754- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
755+ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
756 if (!var16)
757 return NULL;
758 len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
759@@ -383,7 +383,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
760 while (len > 0 && fp->path_name[len - 1] == 0)
761 len--;
762
763- dup_name = grub_malloc (len * sizeof (*dup_name));
764+ dup_name = grub_calloc (len, sizeof (*dup_name));
765 if (!dup_name)
766 {
767 grub_free (name);
768diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c
769index e9ec680..d975265 100644
770--- a/grub-core/kern/emu/hostdisk.c
771+++ b/grub-core/kern/emu/hostdisk.c
772@@ -615,7 +615,7 @@ static char *
773 grub_util_path_concat_real (size_t n, int ext, va_list ap)
774 {
775 size_t totlen = 0;
776- char **l = xmalloc ((n + ext) * sizeof (l[0]));
777+ char **l = xcalloc (n + ext, sizeof (l[0]));
778 char *r, *p, *pi;
779 size_t i;
780 int first = 1;
781diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
782index 2b85f49..f90be65 100644
783--- a/grub-core/kern/fs.c
784+++ b/grub-core/kern/fs.c
785@@ -151,7 +151,7 @@ grub_fs_blocklist_open (grub_file_t file, const char *name)
786 while (p);
787
788 /* Allocate a block list. */
789- blocks = grub_zalloc (sizeof (struct grub_fs_block) * (num + 1));
790+ blocks = grub_calloc (num + 1, sizeof (struct grub_fs_block));
791 if (! blocks)
792 return 0;
793
794diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
795index 3b633d5..a7abd36 100644
796--- a/grub-core/kern/misc.c
797+++ b/grub-core/kern/misc.c
798@@ -690,7 +690,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args,
799 args->ptr = args->prealloc;
800 else
801 {
802- args->ptr = grub_malloc (args->count * sizeof (args->ptr[0]));
803+ args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
804 if (!args->ptr)
805 {
806 grub_errno = GRUB_ERR_NONE;
807diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
808index 78175aa..619db31 100644
809--- a/grub-core/kern/parser.c
810+++ b/grub-core/kern/parser.c
811@@ -213,7 +213,7 @@ grub_parser_split_cmdline (const char *cmdline,
812 return grub_errno;
813 grub_memcpy (args, buffer, bp - buffer);
814
815- *argv = grub_malloc (sizeof (char *) * (*argc + 1));
816+ *argv = grub_calloc (*argc + 1, sizeof (char *));
817 if (!*argv)
818 {
819 grub_free (args);
820diff --git a/grub-core/kern/uboot/uboot.c b/grub-core/kern/uboot/uboot.c
821index be4816f..aac8f9a 100644
822--- a/grub-core/kern/uboot/uboot.c
823+++ b/grub-core/kern/uboot/uboot.c
824@@ -133,7 +133,7 @@ grub_uboot_dev_enum (void)
825 return num_devices;
826
827 max_devices = 2;
828- enum_devices = grub_malloc (sizeof(struct device_info) * max_devices);
829+ enum_devices = grub_calloc (max_devices, sizeof(struct device_info));
830 if (!enum_devices)
831 return 0;
832
833diff --git a/grub-core/lib/libgcrypt/cipher/ac.c b/grub-core/lib/libgcrypt/cipher/ac.c
834index f5e946a..63f6fcd 100644
835--- a/grub-core/lib/libgcrypt/cipher/ac.c
836+++ b/grub-core/lib/libgcrypt/cipher/ac.c
837@@ -185,7 +185,7 @@ ac_data_mpi_copy (gcry_ac_mpi_t *data_mpis, unsigned int data_mpis_n,
838 gcry_mpi_t mpi;
839 char *label;
840
841- data_mpis_new = gcry_malloc (sizeof (*data_mpis_new) * data_mpis_n);
842+ data_mpis_new = gcry_calloc (data_mpis_n, sizeof (*data_mpis_new));
843 if (! data_mpis_new)
844 {
845 err = gcry_error_from_errno (errno);
846@@ -572,7 +572,7 @@ _gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp,
847 }
848
849 /* Add MPI list. */
850- arg_list = gcry_malloc (sizeof (*arg_list) * (data_n + 1));
851+ arg_list = gcry_calloc (data_n + 1, sizeof (*arg_list));
852 if (! arg_list)
853 {
854 err = gcry_error_from_errno (errno);
855@@ -1283,7 +1283,7 @@ ac_data_construct (const char *identifier, int include_flags,
856 /* We build a list of arguments to pass to
857 gcry_sexp_build_array(). */
858 data_length = _gcry_ac_data_length (data);
859- arg_list = gcry_malloc (sizeof (*arg_list) * (data_length * 2));
860+ arg_list = gcry_calloc (data_length, sizeof (*arg_list) * 2);
861 if (! arg_list)
862 {
863 err = gcry_error_from_errno (errno);
864@@ -1593,7 +1593,7 @@ _gcry_ac_key_pair_generate (gcry_ac_handle_t handle, unsigned int nbits,
865 arg_list_n += 2;
866
867 /* Allocate list. */
868- arg_list = gcry_malloc (sizeof (*arg_list) * arg_list_n);
869+ arg_list = gcry_calloc (arg_list_n, sizeof (*arg_list));
870 if (! arg_list)
871 {
872 err = gcry_error_from_errno (errno);
873diff --git a/grub-core/lib/libgcrypt/cipher/primegen.c b/grub-core/lib/libgcrypt/cipher/primegen.c
874index 2788e34..b12e79b 100644
875--- a/grub-core/lib/libgcrypt/cipher/primegen.c
876+++ b/grub-core/lib/libgcrypt/cipher/primegen.c
877@@ -383,7 +383,7 @@ prime_generate_internal (int need_q_factor,
878 }
879
880 /* Allocate an array to track pool usage. */
881- pool_in_use = gcry_malloc (n * sizeof *pool_in_use);
882+ pool_in_use = gcry_calloc (n, sizeof *pool_in_use);
883 if (!pool_in_use)
884 {
885 err = gpg_err_code_from_errno (errno);
886@@ -765,7 +765,7 @@ gen_prime (unsigned int nbits, int secret, int randomlevel,
887 if (nbits < 16)
888 log_fatal ("can't generate a prime with less than %d bits\n", 16);
889
890- mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods );
891+ mods = gcry_xcalloc( no_of_small_prime_numbers, sizeof *mods);
892 /* Make nbits fit into gcry_mpi_t implementation. */
893 val_2 = mpi_alloc_set_ui( 2 );
894 val_3 = mpi_alloc_set_ui( 3);
895diff --git a/grub-core/lib/libgcrypt/cipher/pubkey.c b/grub-core/lib/libgcrypt/cipher/pubkey.c
896index 9109821..ca087ad 100644
897--- a/grub-core/lib/libgcrypt/cipher/pubkey.c
898+++ b/grub-core/lib/libgcrypt/cipher/pubkey.c
899@@ -2941,7 +2941,7 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t s_pkey)
900 * array to a format string, so we have to do it this way :-(. */
901 /* FIXME: There is now such a format specifier, so we can
902 change the code to be more clear. */
903- arg_list = malloc (nelem * sizeof *arg_list);
904+ arg_list = calloc (nelem, sizeof *arg_list);
905 if (!arg_list)
906 {
907 rc = gpg_err_code_from_syserror ();
908@@ -3233,7 +3233,7 @@ gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey)
909 }
910 strcpy (p, "))");
911
912- arg_list = malloc (nelem * sizeof *arg_list);
913+ arg_list = calloc (nelem, sizeof *arg_list);
914 if (!arg_list)
915 {
916 rc = gpg_err_code_from_syserror ();
917diff --git a/grub-core/lib/priority_queue.c b/grub-core/lib/priority_queue.c
918index 659be0b..7d5e7c0 100644
919--- a/grub-core/lib/priority_queue.c
920+++ b/grub-core/lib/priority_queue.c
921@@ -92,7 +92,7 @@ grub_priority_queue_new (grub_size_t elsize,
922 {
923 struct grub_priority_queue *ret;
924 void *els;
925- els = grub_malloc (elsize * 8);
926+ els = grub_calloc (8, elsize);
927 if (!els)
928 return 0;
929 ret = (struct grub_priority_queue *) grub_malloc (sizeof (*ret));
930diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c
931index ee9fa7b..467305b 100644
932--- a/grub-core/lib/reed_solomon.c
933+++ b/grub-core/lib/reed_solomon.c
934@@ -20,6 +20,7 @@
935 #include <stdio.h>
936 #include <string.h>
937 #include <stdlib.h>
938+#define xcalloc calloc
939 #define xmalloc malloc
940 #define grub_memset memset
941 #define grub_memcpy memcpy
942@@ -158,11 +159,9 @@ rs_encode (gf_single_t *data, grub_size_t s, grub_size_t rs)
943 gf_single_t *rs_polynomial;
944 int i, j;
945 gf_single_t *m;
946- m = xmalloc ((s + rs) * sizeof (gf_single_t));
947+ m = xcalloc (s + rs, sizeof (gf_single_t));
948 grub_memcpy (m, data, s * sizeof (gf_single_t));
949- grub_memset (m + s, 0, rs * sizeof (gf_single_t));
950- rs_polynomial = xmalloc ((rs + 1) * sizeof (gf_single_t));
951- grub_memset (rs_polynomial, 0, (rs + 1) * sizeof (gf_single_t));
952+ rs_polynomial = xcalloc (rs + 1, sizeof (gf_single_t));
953 rs_polynomial[rs] = 1;
954 /* Multiply with X - a^r */
955 for (j = 0; j < rs; j++)
956diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
957index ea3ebc7..5847aac 100644
958--- a/grub-core/lib/relocator.c
959+++ b/grub-core/lib/relocator.c
960@@ -495,9 +495,9 @@ malloc_in_range (struct grub_relocator *rel,
961 }
962 #endif
963
964- eventt = grub_malloc (maxevents * sizeof (events[0]));
965+ eventt = grub_calloc (maxevents, sizeof (events[0]));
966 counter = grub_malloc ((DIGITSORT_MASK + 2) * sizeof (counter[0]));
967- events = grub_malloc (maxevents * sizeof (events[0]));
968+ events = grub_calloc (maxevents, sizeof (events[0]));
969 if (!events || !eventt || !counter)
970 {
971 grub_dprintf ("relocator", "events or counter allocation failed %d\n",
972@@ -963,7 +963,7 @@ malloc_in_range (struct grub_relocator *rel,
973 #endif
974 unsigned cural = 0;
975 int oom = 0;
976- res->subchunks = grub_malloc (sizeof (res->subchunks[0]) * nallocs);
977+ res->subchunks = grub_calloc (nallocs, sizeof (res->subchunks[0]));
978 if (!res->subchunks)
979 oom = 1;
980 res->nsubchunks = nallocs;
981@@ -1562,8 +1562,8 @@ grub_relocator_prepare_relocs (struct grub_relocator *rel, grub_addr_t addr,
982 count[(chunk->src & 0xff) + 1]++;
983 }
984 }
985- from = grub_malloc (nchunks * sizeof (sorted[0]));
986- to = grub_malloc (nchunks * sizeof (sorted[0]));
987+ from = grub_calloc (nchunks, sizeof (sorted[0]));
988+ to = grub_calloc (nchunks, sizeof (sorted[0]));
989 if (!from || !to)
990 {
991 grub_free (from);
992diff --git a/grub-core/lib/zstd/fse_decompress.c b/grub-core/lib/zstd/fse_decompress.c
993index 72bbead..2227b84 100644
994--- a/grub-core/lib/zstd/fse_decompress.c
995+++ b/grub-core/lib/zstd/fse_decompress.c
996@@ -82,7 +82,7 @@
997 FSE_DTable* FSE_createDTable (unsigned tableLog)
998 {
999 if (tableLog > FSE_TABLELOG_ABSOLUTE_MAX) tableLog = FSE_TABLELOG_ABSOLUTE_MAX;
1000- return (FSE_DTable*)malloc( FSE_DTABLE_SIZE_U32(tableLog) * sizeof (U32) );
1001+ return (FSE_DTable*)calloc( FSE_DTABLE_SIZE_U32(tableLog), sizeof (U32) );
1002 }
1003
1004 void FSE_freeDTable (FSE_DTable* dt)
1005diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
1006index 5168491..d70c174 100644
1007--- a/grub-core/loader/arm/linux.c
1008+++ b/grub-core/loader/arm/linux.c
1009@@ -78,7 +78,7 @@ linux_prepare_atag (void *target_atag)
1010
1011 /* some place for cmdline, initrd and terminator. */
1012 tmp_size = get_atag_size (atag_orig) + 20 + (arg_size) / 4;
1013- tmp_atag = grub_malloc (tmp_size * sizeof (grub_uint32_t));
1014+ tmp_atag = grub_calloc (tmp_size, sizeof (grub_uint32_t));
1015 if (!tmp_atag)
1016 return grub_errno;
1017
1018diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
1019index cd92ea3..daf8c6b 100644
1020--- a/grub-core/loader/efi/chainloader.c
1021+++ b/grub-core/loader/efi/chainloader.c
1022@@ -116,7 +116,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
1023 fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE;
1024 fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE;
1025
1026- path_name = grub_malloc (len * GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
1027+ path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
1028 if (!path_name)
1029 return;
1030
1031diff --git a/grub-core/loader/i386/bsdXX.c b/grub-core/loader/i386/bsdXX.c
1032index af6741d..a8d8bf7 100644
1033--- a/grub-core/loader/i386/bsdXX.c
1034+++ b/grub-core/loader/i386/bsdXX.c
1035@@ -48,7 +48,7 @@ read_headers (grub_file_t file, const char *filename, Elf_Ehdr *e, char **shdr)
1036 if (e->e_ident[EI_CLASS] != SUFFIX (ELFCLASS))
1037 return grub_error (GRUB_ERR_BAD_OS, N_("invalid arch-dependent ELF magic"));
1038
1039- *shdr = grub_malloc ((grub_uint32_t) e->e_shnum * e->e_shentsize);
1040+ *shdr = grub_calloc (e->e_shnum, e->e_shentsize);
1041 if (! *shdr)
1042 return grub_errno;
1043
1044diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
1045index e64ed08..b7d176b 100644
1046--- a/grub-core/loader/i386/xnu.c
1047+++ b/grub-core/loader/i386/xnu.c
1048@@ -295,7 +295,7 @@ grub_xnu_devprop_add_property_utf8 (struct grub_xnu_devprop_device_descriptor *d
1049 return grub_errno;
1050
1051 len = grub_strlen (name);
1052- utf16 = grub_malloc (sizeof (grub_uint16_t) * len);
1053+ utf16 = grub_calloc (len, sizeof (grub_uint16_t));
1054 if (!utf16)
1055 {
1056 grub_free (utf8);
1057@@ -331,7 +331,7 @@ grub_xnu_devprop_add_property_utf16 (struct grub_xnu_devprop_device_descriptor *
1058 grub_uint16_t *utf16;
1059 grub_err_t err;
1060
1061- utf16 = grub_malloc (sizeof (grub_uint16_t) * namelen);
1062+ utf16 = grub_calloc (namelen, sizeof (grub_uint16_t));
1063 if (!utf16)
1064 return grub_errno;
1065 grub_memcpy (utf16, name, sizeof (grub_uint16_t) * namelen);
1066diff --git a/grub-core/loader/macho.c b/grub-core/loader/macho.c
1067index 085f9c6..05710c4 100644
1068--- a/grub-core/loader/macho.c
1069+++ b/grub-core/loader/macho.c
1070@@ -97,7 +97,7 @@ grub_macho_file (grub_file_t file, const char *filename, int is_64bit)
1071 if (grub_file_seek (macho->file, sizeof (struct grub_macho_fat_header))
1072 == (grub_off_t) -1)
1073 goto fail;
1074- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
1075+ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
1076 if (!archs)
1077 goto fail;
1078 if (grub_file_read (macho->file, archs,
1079diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
1080index 70cd1db..cc68536 100644
1081--- a/grub-core/loader/multiboot_elfxx.c
1082+++ b/grub-core/loader/multiboot_elfxx.c
1083@@ -217,7 +217,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
1084 {
1085 grub_uint8_t *shdr, *shdrptr;
1086
1087- shdr = grub_malloc ((grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize);
1088+ shdr = grub_calloc (ehdr->e_shnum, ehdr->e_shentsize);
1089 if (!shdr)
1090 return grub_errno;
1091
1092diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
1093index 7f74d1d..77d7060 100644
1094--- a/grub-core/loader/xnu.c
1095+++ b/grub-core/loader/xnu.c
1096@@ -800,7 +800,7 @@ grub_cmd_xnu_mkext (grub_command_t cmd __attribute__ ((unused)),
1097 if (grub_be_to_cpu32 (head.magic) == GRUB_MACHO_FAT_MAGIC)
1098 {
1099 narchs = grub_be_to_cpu32 (head.nfat_arch);
1100- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
1101+ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
1102 if (! archs)
1103 {
1104 grub_file_close (file);
1105diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
1106index 6a31cba..57b4e9a 100644
1107--- a/grub-core/mmap/mmap.c
1108+++ b/grub-core/mmap/mmap.c
1109@@ -143,9 +143,9 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
1110
1111 /* Initialize variables. */
1112 ctx.scanline_events = (struct grub_mmap_scan *)
1113- grub_malloc (sizeof (struct grub_mmap_scan) * 2 * mmap_num);
1114+ grub_calloc (mmap_num, sizeof (struct grub_mmap_scan) * 2);
1115
1116- present = grub_zalloc (sizeof (present[0]) * current_priority);
1117+ present = grub_calloc (current_priority, sizeof (present[0]));
1118
1119 if (! ctx.scanline_events || !present)
1120 {
1121diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
1122index 04cfbb0..6539572 100644
1123--- a/grub-core/net/bootp.c
1124+++ b/grub-core/net/bootp.c
1125@@ -766,7 +766,7 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)),
1126 if (ncards == 0)
1127 return grub_error (GRUB_ERR_NET_NO_CARD, N_("no network card found"));
1128
1129- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
1130+ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
1131 if (!ifaces)
1132 return grub_errno;
1133
1134diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
1135index 5d9afe0..e332d5e 100644
1136--- a/grub-core/net/dns.c
1137+++ b/grub-core/net/dns.c
1138@@ -285,8 +285,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
1139 ptr++;
1140 ptr += 4;
1141 }
1142- *data->addresses = grub_malloc (sizeof ((*data->addresses)[0])
1143- * grub_be_to_cpu16 (head->ancount));
1144+ *data->addresses = grub_calloc (grub_be_to_cpu16 (head->ancount),
1145+ sizeof ((*data->addresses)[0]));
1146 if (!*data->addresses)
1147 {
1148 grub_errno = GRUB_ERR_NONE;
1149@@ -406,8 +406,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
1150 dns_cache[h].addresses = 0;
1151 dns_cache[h].name = grub_strdup (data->oname);
1152 dns_cache[h].naddresses = *data->naddresses;
1153- dns_cache[h].addresses = grub_malloc (*data->naddresses
1154- * sizeof (dns_cache[h].addresses[0]));
1155+ dns_cache[h].addresses = grub_calloc (*data->naddresses,
1156+ sizeof (dns_cache[h].addresses[0]));
1157 dns_cache[h].limit_time = grub_get_time_ms () + 1000 * ttl_all;
1158 if (!dns_cache[h].addresses || !dns_cache[h].name)
1159 {
1160@@ -479,7 +479,7 @@ grub_net_dns_lookup (const char *name,
1161 }
1162 }
1163
1164- sockets = grub_malloc (sizeof (sockets[0]) * n_servers);
1165+ sockets = grub_calloc (n_servers, sizeof (sockets[0]));
1166 if (!sockets)
1167 return grub_errno;
1168
1169diff --git a/grub-core/net/net.c b/grub-core/net/net.c
1170index d5d726a..38f19df 100644
1171--- a/grub-core/net/net.c
1172+++ b/grub-core/net/net.c
1173@@ -333,8 +333,8 @@ grub_cmd_ipv6_autoconf (struct grub_command *cmd __attribute__ ((unused)),
1174 ncards++;
1175 }
1176
1177- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
1178- slaacs = grub_zalloc (ncards * sizeof (slaacs[0]));
1179+ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
1180+ slaacs = grub_calloc (ncards, sizeof (slaacs[0]));
1181 if (!ifaces || !slaacs)
1182 {
1183 grub_free (ifaces);
1184diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
1185index b0ab47d..d57fb72 100644
1186--- a/grub-core/normal/charset.c
1187+++ b/grub-core/normal/charset.c
1188@@ -203,7 +203,7 @@ grub_utf8_to_ucs4_alloc (const char *msg, grub_uint32_t **unicode_msg,
1189 {
1190 grub_size_t msg_len = grub_strlen (msg);
1191
1192- *unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
1193+ *unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
1194
1195 if (!*unicode_msg)
1196 return -1;
1197@@ -488,7 +488,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
1198 }
1199 else
1200 {
1201- n = grub_malloc (sizeof (n[0]) * (out->ncomb + 1));
1202+ n = grub_calloc (out->ncomb + 1, sizeof (n[0]));
1203 if (!n)
1204 {
1205 grub_errno = GRUB_ERR_NONE;
1206@@ -842,7 +842,7 @@ grub_bidi_line_logical_to_visual (const grub_uint32_t *logical,
1207 } \
1208 }
1209
1210- visual = grub_malloc (sizeof (visual[0]) * logical_len);
1211+ visual = grub_calloc (logical_len, sizeof (visual[0]));
1212 if (!visual)
1213 return -1;
1214
1215@@ -1165,8 +1165,8 @@ grub_bidi_logical_to_visual (const grub_uint32_t *logical,
1216 {
1217 const grub_uint32_t *line_start = logical, *ptr;
1218 struct grub_unicode_glyph *visual_ptr;
1219- *visual_out = visual_ptr = grub_malloc (3 * sizeof (visual_ptr[0])
1220- * (logical_len + 2));
1221+ *visual_out = visual_ptr = grub_calloc (logical_len + 2,
1222+ 3 * sizeof (visual_ptr[0]));
1223 if (!visual_ptr)
1224 return -1;
1225 for (ptr = logical; ptr <= logical + logical_len; ptr++)
1226diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
1227index c037d50..c57242e 100644
1228--- a/grub-core/normal/cmdline.c
1229+++ b/grub-core/normal/cmdline.c
1230@@ -41,7 +41,7 @@ grub_err_t
1231 grub_set_history (int newsize)
1232 {
1233 grub_uint32_t **old_hist_lines = hist_lines;
1234- hist_lines = grub_malloc (sizeof (grub_uint32_t *) * newsize);
1235+ hist_lines = grub_calloc (newsize, sizeof (grub_uint32_t *));
1236
1237 /* Copy the old lines into the new buffer. */
1238 if (old_hist_lines)
1239@@ -114,7 +114,7 @@ static void
1240 grub_history_set (int pos, grub_uint32_t *s, grub_size_t len)
1241 {
1242 grub_free (hist_lines[pos]);
1243- hist_lines[pos] = grub_malloc ((len + 1) * sizeof (grub_uint32_t));
1244+ hist_lines[pos] = grub_calloc (len + 1, sizeof (grub_uint32_t));
1245 if (!hist_lines[pos])
1246 {
1247 grub_print_error ();
1248@@ -349,7 +349,7 @@ grub_cmdline_get (const char *prompt_translated)
1249 char *ret;
1250 unsigned nterms;
1251
1252- buf = grub_malloc (max_len * sizeof (grub_uint32_t));
1253+ buf = grub_calloc (max_len, sizeof (grub_uint32_t));
1254 if (!buf)
1255 return 0;
1256
1257@@ -377,7 +377,7 @@ grub_cmdline_get (const char *prompt_translated)
1258 FOR_ACTIVE_TERM_OUTPUTS(cur)
1259 nterms++;
1260
1261- cl_terms = grub_malloc (sizeof (cl_terms[0]) * nterms);
1262+ cl_terms = grub_calloc (nterms, sizeof (cl_terms[0]));
1263 if (!cl_terms)
1264 {
1265 grub_free (buf);
1266@@ -385,7 +385,7 @@ grub_cmdline_get (const char *prompt_translated)
1267 }
1268 cl_term_cur = cl_terms;
1269
1270- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
1271+ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
1272 if (!unicode_msg)
1273 {
1274 grub_free (buf);
1275@@ -495,7 +495,7 @@ grub_cmdline_get (const char *prompt_translated)
1276 grub_uint32_t *insert;
1277
1278 insertlen = grub_strlen (insertu8);
1279- insert = grub_malloc ((insertlen + 1) * sizeof (grub_uint32_t));
1280+ insert = grub_calloc (insertlen + 1, sizeof (grub_uint32_t));
1281 if (!insert)
1282 {
1283 grub_free (insertu8);
1284@@ -602,7 +602,7 @@ grub_cmdline_get (const char *prompt_translated)
1285
1286 grub_free (kill_buf);
1287
1288- kill_buf = grub_malloc ((n + 1) * sizeof(grub_uint32_t));
1289+ kill_buf = grub_calloc (n + 1, sizeof (grub_uint32_t));
1290 if (grub_errno)
1291 {
1292 grub_print_error ();
1293diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
1294index cdf3590..1993995 100644
1295--- a/grub-core/normal/menu_entry.c
1296+++ b/grub-core/normal/menu_entry.c
1297@@ -95,8 +95,8 @@ init_line (struct screen *screen, struct line *linep)
1298 {
1299 linep->len = 0;
1300 linep->max_len = 80;
1301- linep->buf = grub_malloc ((linep->max_len + 1) * sizeof (linep->buf[0]));
1302- linep->pos = grub_zalloc (screen->nterms * sizeof (linep->pos[0]));
1303+ linep->buf = grub_calloc (linep->max_len + 1, sizeof (linep->buf[0]));
1304+ linep->pos = grub_calloc (screen->nterms, sizeof (linep->pos[0]));
1305 if (! linep->buf || !linep->pos)
1306 {
1307 grub_free (linep->buf);
1308@@ -287,7 +287,7 @@ update_screen (struct screen *screen, struct per_term_screen *term_screen,
1309 pos = linep->pos + (term_screen - screen->terms);
1310
1311 if (!*pos)
1312- *pos = grub_zalloc ((linep->len + 1) * sizeof (**pos));
1313+ *pos = grub_calloc (linep->len + 1, sizeof (**pos));
1314
1315 if (i == region_start || linep == screen->lines + screen->line
1316 || (i > region_start && mode == ALL_LINES))
1317@@ -471,7 +471,7 @@ insert_string (struct screen *screen, const char *s, int update)
1318
1319 /* Insert the string. */
1320 current_linep = screen->lines + screen->line;
1321- unicode_msg = grub_malloc ((p - s) * sizeof (grub_uint32_t));
1322+ unicode_msg = grub_calloc (p - s, sizeof (grub_uint32_t));
1323
1324 if (!unicode_msg)
1325 return 0;
1326@@ -1023,7 +1023,7 @@ complete (struct screen *screen, int continuous, int update)
1327 if (completion_buffer.buf)
1328 {
1329 buflen = grub_strlen (completion_buffer.buf);
1330- ucs4 = grub_malloc (sizeof (grub_uint32_t) * (buflen + 1));
1331+ ucs4 = grub_calloc (buflen + 1, sizeof (grub_uint32_t));
1332
1333 if (!ucs4)
1334 {
1335@@ -1268,7 +1268,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
1336 for (i = 0; i < (unsigned) screen->num_lines; i++)
1337 {
1338 grub_free (screen->lines[i].pos);
1339- screen->lines[i].pos = grub_zalloc (screen->nterms * sizeof (screen->lines[i].pos[0]));
1340+ screen->lines[i].pos = grub_calloc (screen->nterms, sizeof (screen->lines[i].pos[0]));
1341 if (! screen->lines[i].pos)
1342 {
1343 grub_print_error ();
1344@@ -1278,7 +1278,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
1345 }
1346 }
1347
1348- screen->terms = grub_zalloc (screen->nterms * sizeof (screen->terms[0]));
1349+ screen->terms = grub_calloc (screen->nterms, sizeof (screen->terms[0]));
1350 if (!screen->terms)
1351 {
1352 grub_print_error ();
1353diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
1354index e22bb91..18240e7 100644
1355--- a/grub-core/normal/menu_text.c
1356+++ b/grub-core/normal/menu_text.c
1357@@ -78,7 +78,7 @@ grub_print_message_indented_real (const char *msg, int margin_left,
1358 grub_size_t msg_len = grub_strlen (msg) + 2;
1359 int ret = 0;
1360
1361- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
1362+ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
1363
1364 if (!unicode_msg)
1365 return 0;
1366@@ -211,7 +211,7 @@ print_entry (int y, int highlight, grub_menu_entry_t entry,
1367
1368 title = entry ? entry->title : "";
1369 title_len = grub_strlen (title);
1370- unicode_title = grub_malloc (title_len * sizeof (*unicode_title));
1371+ unicode_title = grub_calloc (title_len, sizeof (*unicode_title));
1372 if (! unicode_title)
1373 /* XXX How to show this error? */
1374 return;
1375diff --git a/grub-core/normal/term.c b/grub-core/normal/term.c
1376index a1e5c5a..cc8c173 100644
1377--- a/grub-core/normal/term.c
1378+++ b/grub-core/normal/term.c
1379@@ -264,7 +264,7 @@ grub_term_save_pos (void)
1380 FOR_ACTIVE_TERM_OUTPUTS(cur)
1381 cnt++;
1382
1383- ret = grub_malloc (cnt * sizeof (ret[0]));
1384+ ret = grub_calloc (cnt, sizeof (ret[0]));
1385 if (!ret)
1386 return NULL;
1387
1388@@ -1013,7 +1013,7 @@ grub_xnputs (const char *str, grub_size_t msg_len)
1389
1390 grub_error_push ();
1391
1392- unicode_str = grub_malloc (msg_len * sizeof (grub_uint32_t));
1393+ unicode_str = grub_calloc (msg_len, sizeof (grub_uint32_t));
1394
1395 grub_error_pop ();
1396
1397diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c
1398index 90d92d3..5b41ad0 100644
1399--- a/grub-core/osdep/linux/getroot.c
1400+++ b/grub-core/osdep/linux/getroot.c
1401@@ -168,7 +168,7 @@ grub_util_raid_getmembers (const char *name, int bootable)
1402 if (ret != 0)
1403 grub_util_error (_("ioctl GET_ARRAY_INFO error: %s"), strerror (errno));
1404
1405- devicelist = xmalloc ((info.nr_disks + 1) * sizeof (char *));
1406+ devicelist = xcalloc (info.nr_disks + 1, sizeof (char *));
1407
1408 for (i = 0, j = 0; j < info.nr_disks; i++)
1409 {
1410@@ -241,7 +241,7 @@ grub_find_root_devices_from_btrfs (const char *dir)
1411 return NULL;
1412 }
1413
1414- ret = xmalloc ((fsi.num_devices + 1) * sizeof (ret[0]));
1415+ ret = xcalloc (fsi.num_devices + 1, sizeof (ret[0]));
1416
1417 for (i = 1; i <= fsi.max_id && j < fsi.num_devices; i++)
1418 {
1419@@ -396,7 +396,7 @@ grub_find_root_devices_from_mountinfo (const char *dir, char **relroot)
1420 if (relroot)
1421 *relroot = NULL;
1422
1423- entries = xmalloc (entry_max * sizeof (*entries));
1424+ entries = xcalloc (entry_max, sizeof (*entries));
1425
1426 again:
1427 fp = grub_util_fopen ("/proc/self/mountinfo", "r");
1428diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c
1429index 65effa9..7d63251 100644
1430--- a/grub-core/osdep/unix/config.c
1431+++ b/grub-core/osdep/unix/config.c
1432@@ -89,7 +89,7 @@ grub_util_load_config (struct grub_util_config *cfg)
1433 argv[0] = "sh";
1434 argv[1] = "-c";
1435
1436- script = xmalloc (4 * strlen (cfgfile) + 300);
1437+ script = xcalloc (4, strlen (cfgfile) + 300);
1438
1439 ptr = script;
1440 memcpy (ptr, ". '", 3);
1441diff --git a/grub-core/osdep/windows/getroot.c b/grub-core/osdep/windows/getroot.c
1442index 661d954..eada663 100644
1443--- a/grub-core/osdep/windows/getroot.c
1444+++ b/grub-core/osdep/windows/getroot.c
1445@@ -59,7 +59,7 @@ grub_get_mount_point (const TCHAR *path)
1446
1447 for (ptr = path; *ptr; ptr++);
1448 allocsize = (ptr - path + 10) * 2;
1449- out = xmalloc (allocsize * sizeof (out[0]));
1450+ out = xcalloc (allocsize, sizeof (out[0]));
1451
1452 /* When pointing to EFI system partition GetVolumePathName fails
1453 for ESP root and returns abberant information for everything
1454diff --git a/grub-core/osdep/windows/hostdisk.c b/grub-core/osdep/windows/hostdisk.c
1455index 3551007..0be3273 100644
1456--- a/grub-core/osdep/windows/hostdisk.c
1457+++ b/grub-core/osdep/windows/hostdisk.c
1458@@ -111,7 +111,7 @@ grub_util_get_windows_path_real (const char *path)
1459
1460 while (1)
1461 {
1462- fpa = xmalloc (alloc * sizeof (fpa[0]));
1463+ fpa = xcalloc (alloc, sizeof (fpa[0]));
1464
1465 len = GetFullPathName (tpath, alloc, fpa, NULL);
1466 if (len >= alloc)
1467@@ -399,7 +399,7 @@ grub_util_fd_opendir (const char *name)
1468 for (l = 0; name_windows[l]; l++);
1469 for (l--; l >= 0 && (name_windows[l] == '\\' || name_windows[l] == '/'); l--);
1470 l++;
1471- pattern = xmalloc ((l + 3) * sizeof (pattern[0]));
1472+ pattern = xcalloc (l + 3, sizeof (pattern[0]));
1473 memcpy (pattern, name_windows, l * sizeof (pattern[0]));
1474 pattern[l] = '\\';
1475 pattern[l + 1] = '*';
1476diff --git a/grub-core/osdep/windows/init.c b/grub-core/osdep/windows/init.c
1477index e8ffd62..6297de6 100644
1478--- a/grub-core/osdep/windows/init.c
1479+++ b/grub-core/osdep/windows/init.c
1480@@ -161,7 +161,7 @@ grub_util_host_init (int *argc __attribute__ ((unused)),
1481 LPWSTR *targv;
1482
1483 targv = CommandLineToArgvW (tcmdline, argc);
1484- *argv = xmalloc ((*argc + 1) * sizeof (argv[0]));
1485+ *argv = xcalloc (*argc + 1, sizeof (argv[0]));
1486
1487 for (i = 0; i < *argc; i++)
1488 (*argv)[i] = grub_util_tchar_to_utf8 (targv[i]);
1489diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c
1490index 7eb53fe..1ef86bf 100644
1491--- a/grub-core/osdep/windows/platform.c
1492+++ b/grub-core/osdep/windows/platform.c
1493@@ -225,8 +225,8 @@ grub_install_register_efi (grub_device_t efidir_grub_dev,
1494 grub_util_error ("%s", _("no EFI routines are available when running in BIOS mode"));
1495
1496 distrib8_len = grub_strlen (efi_distributor);
1497- distributor16 = xmalloc ((distrib8_len + 1) * GRUB_MAX_UTF16_PER_UTF8
1498- * sizeof (grub_uint16_t));
1499+ distributor16 = xcalloc (distrib8_len + 1,
1500+ GRUB_MAX_UTF16_PER_UTF8 * sizeof (grub_uint16_t));
1501 distrib16_len = grub_utf8_to_utf16 (distributor16, distrib8_len * GRUB_MAX_UTF16_PER_UTF8,
1502 (const grub_uint8_t *) efi_distributor,
1503 distrib8_len, 0);
1504diff --git a/grub-core/osdep/windows/relpath.c b/grub-core/osdep/windows/relpath.c
1505index cb08617..478e8ef 100644
1506--- a/grub-core/osdep/windows/relpath.c
1507+++ b/grub-core/osdep/windows/relpath.c
1508@@ -72,7 +72,7 @@ grub_make_system_path_relative_to_its_root (const char *path)
1509 if (dirwindows[0] && dirwindows[1] == ':')
1510 offset = 2;
1511 }
1512- ret = xmalloc (sizeof (ret[0]) * (flen - offset + 2));
1513+ ret = xcalloc (flen - offset + 2, sizeof (ret[0]));
1514 if (dirwindows[offset] != '\\'
1515 && dirwindows[offset] != '/'
1516 && dirwindows[offset])
1517diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c
1518index 103f679..72a2e37 100644
1519--- a/grub-core/partmap/gpt.c
1520+++ b/grub-core/partmap/gpt.c
1521@@ -199,7 +199,7 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
1522 *nsectors = ctx.len;
1523 if (*nsectors > max_nsectors)
1524 *nsectors = max_nsectors;
1525- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
1526+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
1527 if (!*sectors)
1528 return grub_errno;
1529 for (i = 0; i < *nsectors; i++)
1530diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c
1531index 7b8e450..ee3f249 100644
1532--- a/grub-core/partmap/msdos.c
1533+++ b/grub-core/partmap/msdos.c
1534@@ -337,7 +337,7 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
1535 avail_nsectors = *nsectors;
1536 if (*nsectors > max_nsectors)
1537 *nsectors = max_nsectors;
1538- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
1539+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
1540 if (!*sectors)
1541 return grub_errno;
1542 for (i = 0; i < *nsectors; i++)
1543diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
1544index ee299fd..c8d6806 100644
1545--- a/grub-core/script/execute.c
1546+++ b/grub-core/script/execute.c
1547@@ -553,7 +553,7 @@ gettext_append (struct grub_script_argv *result, const char *orig_str)
1548 for (iptr = orig_str; *iptr; iptr++)
1549 if (*iptr == '$')
1550 dollar_cnt++;
1551- ctx.allowed_strings = grub_malloc (sizeof (ctx.allowed_strings[0]) * dollar_cnt);
1552+ ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0]));
1553
1554 if (parse_string (orig_str, gettext_save_allow, &ctx, 0))
1555 goto fail;
1556diff --git a/grub-core/tests/fake_input.c b/grub-core/tests/fake_input.c
1557index 2d60852..b5eb516 100644
1558--- a/grub-core/tests/fake_input.c
1559+++ b/grub-core/tests/fake_input.c
1560@@ -49,7 +49,7 @@ grub_terminal_input_fake_sequence (int *seq_in, int nseq_in)
1561 saved = grub_term_inputs;
1562 if (seq)
1563 grub_free (seq);
1564- seq = grub_malloc (nseq_in * sizeof (seq[0]));
1565+ seq = grub_calloc (nseq_in, sizeof (seq[0]));
1566 if (!seq)
1567 return;
1568
1569diff --git a/grub-core/tests/video_checksum.c b/grub-core/tests/video_checksum.c
1570index 74d5b65..44d0810 100644
1571--- a/grub-core/tests/video_checksum.c
1572+++ b/grub-core/tests/video_checksum.c
1573@@ -336,7 +336,7 @@ grub_video_capture_write_bmp (const char *fname,
1574 {
1575 case 4:
1576 {
1577- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
1578+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
1579 grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
1580 grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
1581 grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
1582@@ -367,7 +367,7 @@ grub_video_capture_write_bmp (const char *fname,
1583 }
1584 case 3:
1585 {
1586- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
1587+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
1588 grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
1589 grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
1590 grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
1591@@ -407,7 +407,7 @@ grub_video_capture_write_bmp (const char *fname,
1592 }
1593 case 2:
1594 {
1595- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
1596+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
1597 grub_uint16_t rmask = ((1 << mode_info->red_mask_size) - 1);
1598 grub_uint16_t gmask = ((1 << mode_info->green_mask_size) - 1);
1599 grub_uint16_t bmask = ((1 << mode_info->blue_mask_size) - 1);
1600diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c
1601index 4f83c74..4d3195e 100644
1602--- a/grub-core/video/capture.c
1603+++ b/grub-core/video/capture.c
1604@@ -89,7 +89,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info,
1605 framebuffer.mode_info = *mode_info;
1606 framebuffer.mode_info.blit_format = grub_video_get_blit_format (&framebuffer.mode_info);
1607
1608- framebuffer.ptr = grub_malloc (framebuffer.mode_info.height * framebuffer.mode_info.pitch);
1609+ framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch);
1610 if (!framebuffer.ptr)
1611 return grub_errno;
1612
1613diff --git a/grub-core/video/emu/sdl.c b/grub-core/video/emu/sdl.c
1614index a2f639f..0ebab6f 100644
1615--- a/grub-core/video/emu/sdl.c
1616+++ b/grub-core/video/emu/sdl.c
1617@@ -172,7 +172,7 @@ grub_video_sdl_set_palette (unsigned int start, unsigned int count,
1618 if (start + count > mode_info.number_of_colors)
1619 count = mode_info.number_of_colors - start;
1620
1621- tmp = grub_malloc (count * sizeof (tmp[0]));
1622+ tmp = grub_calloc (count, sizeof (tmp[0]));
1623 for (i = 0; i < count; i++)
1624 {
1625 tmp[i].r = palette_data[i].r;
1626diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c
1627index 01f4711..b2f776c 100644
1628--- a/grub-core/video/i386/pc/vga.c
1629+++ b/grub-core/video/i386/pc/vga.c
1630@@ -127,7 +127,7 @@ grub_video_vga_setup (unsigned int width, unsigned int height,
1631
1632 vga_height = height ? : 480;
1633
1634- framebuffer.temporary_buffer = grub_malloc (vga_height * VGA_WIDTH);
1635+ framebuffer.temporary_buffer = grub_calloc (vga_height, VGA_WIDTH);
1636 framebuffer.front_page = 0;
1637 framebuffer.back_page = 0;
1638 if (!framebuffer.temporary_buffer)
1639diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
1640index 777e713..61bd645 100644
1641--- a/grub-core/video/readers/png.c
1642+++ b/grub-core/video/readers/png.c
1643@@ -309,7 +309,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
1644 if (data->is_16bit || data->is_gray || data->is_palette)
1645 #endif
1646 {
1647- data->image_data = grub_malloc (data->image_height * data->row_bytes);
1648+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
1649 if (grub_errno)
1650 return grub_errno;
1651
1652diff --git a/include/grub/unicode.h b/include/grub/unicode.h
1653index a0403e9..4de986a 100644
1654--- a/include/grub/unicode.h
1655+++ b/include/grub/unicode.h
1656@@ -293,7 +293,7 @@ grub_unicode_glyph_dup (const struct grub_unicode_glyph *in)
1657 grub_memcpy (out, in, sizeof (*in));
1658 if (in->ncomb > ARRAY_SIZE (out->combining_inline))
1659 {
1660- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
1661+ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
1662 if (!out->combining_ptr)
1663 {
1664 grub_free (out);
1665@@ -315,7 +315,7 @@ grub_unicode_set_glyph (struct grub_unicode_glyph *out,
1666 grub_memcpy (out, in, sizeof (*in));
1667 if (in->ncomb > ARRAY_SIZE (out->combining_inline))
1668 {
1669- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
1670+ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
1671 if (!out->combining_ptr)
1672 return;
1673 grub_memcpy (out->combining_ptr, in->combining_ptr,
1674diff --git a/util/getroot.c b/util/getroot.c
1675index 847406f..a5eaa64 100644
1676--- a/util/getroot.c
1677+++ b/util/getroot.c
1678@@ -200,7 +200,7 @@ make_device_name (const char *drive)
1679 char *ret, *ptr;
1680 const char *iptr;
1681
1682- ret = xmalloc (strlen (drive) * 2);
1683+ ret = xcalloc (2, strlen (drive));
1684 ptr = ret;
1685 for (iptr = drive; *iptr; iptr++)
1686 {
1687diff --git a/util/grub-file.c b/util/grub-file.c
1688index 50c18b6..b2e7dd6 100644
1689--- a/util/grub-file.c
1690+++ b/util/grub-file.c
1691@@ -54,7 +54,7 @@ main (int argc, char *argv[])
1692
1693 grub_util_host_init (&argc, &argv);
1694
1695- argv2 = xmalloc (argc * sizeof (argv2[0]));
1696+ argv2 = xcalloc (argc, sizeof (argv2[0]));
1697
1698 if (argc == 2 && strcmp (argv[1], "--version") == 0)
1699 {
1700diff --git a/util/grub-fstest.c b/util/grub-fstest.c
1701index f14e02d..57246af 100644
1702--- a/util/grub-fstest.c
1703+++ b/util/grub-fstest.c
1704@@ -650,7 +650,7 @@ argp_parser (int key, char *arg, struct argp_state *state)
1705 if (args_count < num_disks)
1706 {
1707 if (args_count == 0)
1708- images = xmalloc (num_disks * sizeof (images[0]));
1709+ images = xcalloc (num_disks, sizeof (images[0]));
1710 images[args_count] = grub_canonicalize_file_name (arg);
1711 args_count++;
1712 return 0;
1713@@ -734,7 +734,7 @@ main (int argc, char *argv[])
1714
1715 grub_util_host_init (&argc, &argv);
1716
1717- args = xmalloc (argc * sizeof (args[0]));
1718+ args = xcalloc (argc, sizeof (args[0]));
1719
1720 argp_parse (&argp, argc, argv, 0, 0, 0);
1721
1722diff --git a/util/grub-install-common.c b/util/grub-install-common.c
1723index ca0ac61..0295d40 100644
1724--- a/util/grub-install-common.c
1725+++ b/util/grub-install-common.c
1726@@ -286,7 +286,7 @@ handle_install_list (struct install_list *il, const char *val,
1727 il->n_entries++;
1728 }
1729 il->n_alloc = il->n_entries + 1;
1730- il->entries = xmalloc (il->n_alloc * sizeof (il->entries[0]));
1731+ il->entries = xcalloc (il->n_alloc, sizeof (il->entries[0]));
1732 ptr = val;
1733 for (ce = il->entries; ; ce++)
1734 {
1735diff --git a/util/grub-install.c b/util/grub-install.c
1736index 8a55ad4..a82725f 100644
1737--- a/util/grub-install.c
1738+++ b/util/grub-install.c
1739@@ -626,7 +626,7 @@ device_map_check_duplicates (const char *dev_map)
1740 if (! fp)
1741 return;
1742
1743- d = xmalloc (alloced * sizeof (d[0]));
1744+ d = xcalloc (alloced, sizeof (d[0]));
1745
1746 while (fgets (buf, sizeof (buf), fp))
1747 {
1748@@ -1260,7 +1260,7 @@ main (int argc, char *argv[])
1749 ndev++;
1750 }
1751
1752- grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1));
1753+ grub_drives = xcalloc (ndev + 1, sizeof (grub_drives[0]));
1754
1755 for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++,
1756 curdrive++)
1757diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
1758index bc087c2..d97d0e7 100644
1759--- a/util/grub-mkimagexx.c
1760+++ b/util/grub-mkimagexx.c
1761@@ -2294,10 +2294,8 @@ SUFFIX (grub_mkimage_load_image) (const char *kernel_path,
1762 + grub_host_to_target16 (e->e_shstrndx) * smd.section_entsize);
1763 smd.strtab = (char *) e + grub_host_to_target_addr (s->sh_offset);
1764
1765- smd.addrs = xmalloc (sizeof (*smd.addrs) * smd.num_sections);
1766- memset (smd.addrs, 0, sizeof (*smd.addrs) * smd.num_sections);
1767- smd.vaddrs = xmalloc (sizeof (*smd.vaddrs) * smd.num_sections);
1768- memset (smd.vaddrs, 0, sizeof (*smd.vaddrs) * smd.num_sections);
1769+ smd.addrs = xcalloc (smd.num_sections, sizeof (*smd.addrs));
1770+ smd.vaddrs = xcalloc (smd.num_sections, sizeof (*smd.vaddrs));
1771
1772 SUFFIX (locate_sections) (e, kernel_path, &smd, layout, image_target);
1773
1774diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
1775index ce2cbc4..5183102 100644
1776--- a/util/grub-mkrescue.c
1777+++ b/util/grub-mkrescue.c
1778@@ -441,8 +441,8 @@ main (int argc, char *argv[])
1779 xorriso = xstrdup ("xorriso");
1780 label_font = grub_util_path_concat (2, pkgdatadir, "unicode.pf2");
1781
1782- argp_argv = xmalloc (sizeof (argp_argv[0]) * argc);
1783- xorriso_tail_argv = xmalloc (sizeof (argp_argv[0]) * argc);
1784+ argp_argv = xcalloc (argc, sizeof (argp_argv[0]));
1785+ xorriso_tail_argv = xcalloc (argc, sizeof (argp_argv[0]));
1786
1787 xorriso_tail_argc = 0;
1788 /* Program name */
1789diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c
1790index 4907d44..edf3097 100644
1791--- a/util/grub-mkstandalone.c
1792+++ b/util/grub-mkstandalone.c
1793@@ -296,7 +296,7 @@ main (int argc, char *argv[])
1794 grub_util_host_init (&argc, &argv);
1795 grub_util_disable_fd_syncs ();
1796
1797- files = xmalloc ((argc + 1) * sizeof (files[0]));
1798+ files = xcalloc (argc + 1, sizeof (files[0]));
1799
1800 argp_parse (&argp, argc, argv, 0, 0, 0);
1801
1802diff --git a/util/grub-pe2elf.c b/util/grub-pe2elf.c
1803index 0d4084a..1133129 100644
1804--- a/util/grub-pe2elf.c
1805+++ b/util/grub-pe2elf.c
1806@@ -100,9 +100,9 @@ write_section_data (FILE* fp, const char *name, char *image,
1807 char *pe_strtab = (image + pe_chdr->symtab_offset
1808 + pe_chdr->num_symbols * sizeof (struct grub_pe32_symbol));
1809
1810- section_map = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (int));
1811+ section_map = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (int));
1812 section_map[0] = 0;
1813- shdr = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (shdr[0]));
1814+ shdr = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (shdr[0]));
1815 idx = 1;
1816 idx_reloc = pe_chdr->num_sections + 1;
1817
1818@@ -233,7 +233,7 @@ write_reloc_section (FILE* fp, const char *name, char *image,
1819
1820 pe_sec = pe_shdr + shdr[i].sh_link;
1821 pe_rel = (struct grub_pe32_reloc *) (image + pe_sec->relocations_offset);
1822- rel = (elf_reloc_t *) xmalloc (pe_sec->num_relocations * sizeof (elf_reloc_t));
1823+ rel = (elf_reloc_t *) xcalloc (pe_sec->num_relocations, sizeof (elf_reloc_t));
1824 num_rels = 0;
1825 modified = 0;
1826
1827@@ -365,12 +365,10 @@ write_symbol_table (FILE* fp, const char *name, char *image,
1828 pe_symtab = (struct grub_pe32_symbol *) (image + pe_chdr->symtab_offset);
1829 pe_strtab = (char *) (pe_symtab + pe_chdr->num_symbols);
1830
1831- symtab = (Elf_Sym *) xmalloc ((pe_chdr->num_symbols + 1) *
1832- sizeof (Elf_Sym));
1833- memset (symtab, 0, (pe_chdr->num_symbols + 1) * sizeof (Elf_Sym));
1834+ symtab = (Elf_Sym *) xcalloc (pe_chdr->num_symbols + 1, sizeof (Elf_Sym));
1835 num_syms = 1;
1836
1837- symtab_map = (int *) xmalloc (pe_chdr->num_symbols * sizeof (int));
1838+ symtab_map = (int *) xcalloc (pe_chdr->num_symbols, sizeof (int));
1839
1840 for (i = 0; i < (int) pe_chdr->num_symbols;
1841 i += pe_symtab->num_aux + 1, pe_symtab += pe_symtab->num_aux + 1)
1842diff --git a/util/grub-probe.c b/util/grub-probe.c
1843index 81d27ee..cbe6ed9 100644
1844--- a/util/grub-probe.c
1845+++ b/util/grub-probe.c
1846@@ -361,8 +361,8 @@ probe (const char *path, char **device_names, char delim)
1847 grub_util_pull_device (*curdev);
1848 ndev++;
1849 }
1850-
1851- drives_names = xmalloc (sizeof (drives_names[0]) * (ndev + 1));
1852+
1853+ drives_names = xcalloc (ndev + 1, sizeof (drives_names[0]));
1854
1855 for (curdev = device_names, curdrive = drives_names; *curdev; curdev++,
1856 curdrive++)
1857--
18582.14.4
1859
diff --git a/meta/recipes-bsp/grub/files/0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch b/meta/recipes-bsp/grub/files/0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch
new file mode 100644
index 0000000000..29021e8d8f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch
@@ -0,0 +1,94 @@
1From 06c361a71c4998635493610e5d76d0d223925251 Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 10:58:42 -0400
4Subject: [PATCH 5/9] safemath: Add some arithmetic primitives that check for
5 overflow
6
7This adds a new header, include/grub/safemath.h, that includes easy to
8use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
9
10 bool OP(a, b, res)
11
12where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
13case where the operation would overflow and res is not modified.
14Otherwise, false is returned and the operation is executed.
15
16These arithmetic primitives require newer compiler versions. So, bump
17these requirements in the INSTALL file too.
18
19Upstream-Status: Backport [commit 68708c4503018d61dbcce7ac11cbb511d6425f4d
20from https://git.savannah.gnu.org/git/grub.git]
21
22Signed-off-by: Peter Jones <pjones@redhat.com>
23Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
24[YL: omit the change to INSTALL from original patch]
25Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
26---
27 include/grub/compiler.h | 8 ++++++++
28 include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
29 2 files changed, 45 insertions(+)
30 create mode 100644 include/grub/safemath.h
31
32diff --git a/include/grub/compiler.h b/include/grub/compiler.h
33index c9e1d7a..8f3be3a 100644
34--- a/include/grub/compiler.h
35+++ b/include/grub/compiler.h
36@@ -48,4 +48,12 @@
37 # define WARN_UNUSED_RESULT
38 #endif
39
40+#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
41+# define CLANG_PREREQ(maj,min) \
42+ ((__clang_major__ > (maj)) || \
43+ (__clang_major__ == (maj) && __clang_minor__ >= (min)))
44+#else
45+# define CLANG_PREREQ(maj,min) 0
46+#endif
47+
48 #endif /* ! GRUB_COMPILER_HEADER */
49diff --git a/include/grub/safemath.h b/include/grub/safemath.h
50new file mode 100644
51index 0000000..c17b89b
52--- /dev/null
53+++ b/include/grub/safemath.h
54@@ -0,0 +1,37 @@
55+/*
56+ * GRUB -- GRand Unified Bootloader
57+ * Copyright (C) 2020 Free Software Foundation, Inc.
58+ *
59+ * GRUB is free software: you can redistribute it and/or modify
60+ * it under the terms of the GNU General Public License as published by
61+ * the Free Software Foundation, either version 3 of the License, or
62+ * (at your option) any later version.
63+ *
64+ * GRUB is distributed in the hope that it will be useful,
65+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
66+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
67+ * GNU General Public License for more details.
68+ *
69+ * You should have received a copy of the GNU General Public License
70+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
71+ *
72+ * Arithmetic operations that protect against overflow.
73+ */
74+
75+#ifndef GRUB_SAFEMATH_H
76+#define GRUB_SAFEMATH_H 1
77+
78+#include <grub/compiler.h>
79+
80+/* These appear in gcc 5.1 and clang 3.8. */
81+#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
82+
83+#define grub_add(a, b, res) __builtin_add_overflow(a, b, res)
84+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
85+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
86+
87+#else
88+#error gcc 5.1 or newer or clang 3.8 or newer is required
89+#endif
90+
91+#endif /* GRUB_SAFEMATH_H */
92--
932.14.4
94
diff --git a/meta/recipes-bsp/grub/files/0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/meta/recipes-bsp/grub/files/0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
new file mode 100644
index 0000000000..146602cd3e
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
@@ -0,0 +1,1326 @@
1From eb77d1ef65e25746acff43545f62a71360b15eec Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 12:28:27 -0400
4Subject: [PATCH 6/9] malloc: Use overflow checking primitives where we do
5 complex allocations
6
7This attempts to fix the places where we do the following where
8arithmetic_expr may include unvalidated data:
9
10 X = grub_malloc(arithmetic_expr);
11
12It accomplishes this by doing the arithmetic ahead of time using grub_add(),
13grub_sub(), grub_mul() and testing for overflow before proceeding.
14
15Among other issues, this fixes:
16 - allocation of integer overflow in grub_video_bitmap_create()
17 reported by Chris Coulson,
18 - allocation of integer overflow in grub_png_decode_image_header()
19 reported by Chris Coulson,
20 - allocation of integer overflow in grub_squash_read_symlink()
21 reported by Chris Coulson,
22 - allocation of integer overflow in grub_ext2_read_symlink()
23 reported by Chris Coulson,
24 - allocation of integer overflow in read_section_as_string()
25 reported by Chris Coulson.
26
27Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
28
29Upstream-Status: Backport [commit 3f05d693d1274965ffbe4ba99080dc2c570944c6
30from https://git.savannah.gnu.org/git/grub.git]
31
32Signed-off-by: Peter Jones <pjones@redhat.com>
33Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
34Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
35---
36 grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
37 grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
38 grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
39 grub-core/font/font.c | 7 +++++-
40 grub-core/fs/btrfs.c | 28 +++++++++++++++--------
41 grub-core/fs/ext2.c | 10 ++++++++-
42 grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
43 grub-core/fs/sfs.c | 27 +++++++++++++++++-----
44 grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
45 grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
46 grub-core/fs/xfs.c | 11 +++++----
47 grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
48 grub-core/fs/zfs/zfscrypt.c | 7 +++++-
49 grub-core/lib/arg.c | 20 +++++++++++++++--
50 grub-core/loader/i386/bsd.c | 8 ++++++-
51 grub-core/net/dns.c | 9 +++++++-
52 grub-core/normal/charset.c | 10 +++++++--
53 grub-core/normal/cmdline.c | 14 ++++++++++--
54 grub-core/normal/menu_entry.c | 13 +++++++++--
55 grub-core/script/argv.c | 16 +++++++++++--
56 grub-core/script/lexer.c | 21 ++++++++++++++---
57 grub-core/video/bitmap.c | 25 +++++++++++++--------
58 grub-core/video/readers/png.c | 13 +++++++++--
59 23 files changed, 382 insertions(+), 113 deletions(-)
60
61diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
62index 5e3ec0d..cc5971f 100644
63--- a/grub-core/commands/legacycfg.c
64+++ b/grub-core/commands/legacycfg.c
65@@ -32,6 +32,7 @@
66 #include <grub/auth.h>
67 #include <grub/disk.h>
68 #include <grub/partition.h>
69+#include <grub/safemath.h>
70
71 GRUB_MOD_LICENSE ("GPLv3+");
72
73@@ -104,13 +105,22 @@ legacy_file (const char *filename)
74 if (newsuffix)
75 {
76 char *t;
77-
78+ grub_size_t sz;
79+
80+ if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
81+ grub_add (sz, 1, &sz))
82+ {
83+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
84+ goto fail_0;
85+ }
86+
87 t = suffix;
88- suffix = grub_realloc (suffix, grub_strlen (suffix)
89- + grub_strlen (newsuffix) + 1);
90+ suffix = grub_realloc (suffix, sz);
91 if (!suffix)
92 {
93 grub_free (t);
94+
95+ fail_0:
96 grub_free (entrysrc);
97 grub_free (parsed);
98 grub_free (newsuffix);
99@@ -154,13 +164,22 @@ legacy_file (const char *filename)
100 else
101 {
102 char *t;
103+ grub_size_t sz;
104+
105+ if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
106+ grub_add (sz, 1, &sz))
107+ {
108+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
109+ goto fail_1;
110+ }
111
112 t = entrysrc;
113- entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
114- + grub_strlen (parsed) + 1);
115+ entrysrc = grub_realloc (entrysrc, sz);
116 if (!entrysrc)
117 {
118 grub_free (t);
119+
120+ fail_1:
121 grub_free (parsed);
122 grub_free (suffix);
123 return grub_errno;
124diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
125index 4a106ca..cc32903 100644
126--- a/grub-core/commands/wildcard.c
127+++ b/grub-core/commands/wildcard.c
128@@ -23,6 +23,7 @@
129 #include <grub/file.h>
130 #include <grub/device.h>
131 #include <grub/script_sh.h>
132+#include <grub/safemath.h>
133
134 #include <regex.h>
135
136@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
137 int i;
138 int j;
139 char **p;
140+ grub_size_t sz;
141
142 if (! dest)
143 return ps;
144@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
145 for (j = 0; ps[j]; j++)
146 ;
147
148- p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
149+ if (grub_add (i, j, &sz) ||
150+ grub_add (sz, 1, &sz) ||
151+ grub_mul (sz, sizeof (char *), &sz))
152+ return dest;
153+
154+ p = grub_realloc (dest, sz);
155 if (! p)
156 {
157 grub_free (dest);
158@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
159 char ch;
160 int i = 0;
161 unsigned len = end - start;
162- char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
163+ char *buffer;
164+ grub_size_t sz;
165
166+ /* Worst case size is (len * 2 + 2 + 1). */
167+ if (grub_mul (len, 2, &sz) ||
168+ grub_add (sz, 3, &sz))
169+ return 1;
170+
171+ buffer = grub_malloc (sz);
172 if (! buffer)
173 return 1;
174
175@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
176 struct match_devices_ctx *ctx = data;
177 char **t;
178 char *buffer;
179+ grub_size_t sz;
180
181 /* skip partitions if asked to. */
182 if (ctx->noparts && grub_strchr (name, ','))
183@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
184 if (regexec (ctx->regexp, buffer, 0, 0, 0))
185 {
186 grub_dprintf ("expand", "not matched\n");
187+ fail:
188 grub_free (buffer);
189 return 0;
190 }
191
192- t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
193+ if (grub_add (ctx->ndev, 2, &sz) ||
194+ grub_mul (sz, sizeof (char *), &sz))
195+ goto fail;
196+
197+ t = grub_realloc (ctx->devs, sz);
198 if (! t)
199 {
200 grub_free (buffer);
201@@ -300,6 +320,7 @@ match_files_iter (const char *name,
202 struct match_files_ctx *ctx = data;
203 char **t;
204 char *buffer;
205+ grub_size_t sz;
206
207 /* skip . and .. names */
208 if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
209@@ -315,9 +336,14 @@ match_files_iter (const char *name,
210 if (! buffer)
211 return 1;
212
213- t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
214- if (! t)
215+ if (grub_add (ctx->nfile, 2, &sz) ||
216+ grub_mul (sz, sizeof (char *), &sz))
217+ goto fail;
218+
219+ t = grub_realloc (ctx->files, sz);
220+ if (!t)
221 {
222+ fail:
223 grub_free (buffer);
224 return 1;
225 }
226diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
227index e632370..58f8a53 100644
228--- a/grub-core/disk/ldm.c
229+++ b/grub-core/disk/ldm.c
230@@ -25,6 +25,7 @@
231 #include <grub/msdos_partition.h>
232 #include <grub/gpt_partition.h>
233 #include <grub/i18n.h>
234+#include <grub/safemath.h>
235
236 #ifdef GRUB_UTIL
237 #include <grub/emu/misc.h>
238@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
239 struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
240 / sizeof (struct grub_ldm_vblk)];
241 unsigned i;
242+ grub_size_t sz;
243 err = grub_disk_read (disk, cursec, 0,
244 sizeof(vblk), &vblk);
245 if (err)
246@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
247 grub_free (lv);
248 goto fail2;
249 }
250- lv->name = grub_malloc (*ptr + 1);
251+ if (grub_add (*ptr, 1, &sz))
252+ {
253+ grub_free (lv->internal_id);
254+ grub_free (lv);
255+ goto fail2;
256+ }
257+ lv->name = grub_malloc (sz);
258 if (!lv->name)
259 {
260 grub_free (lv->internal_id);
261@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
262 if (lv->segments->node_alloc == lv->segments->node_count)
263 {
264 void *t;
265- lv->segments->node_alloc *= 2;
266- t = grub_realloc (lv->segments->nodes,
267- sizeof (*lv->segments->nodes)
268- * lv->segments->node_alloc);
269+ grub_size_t sz;
270+
271+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
272+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
273+ goto fail2;
274+
275+ t = grub_realloc (lv->segments->nodes, sz);
276 if (!t)
277 goto fail2;
278 lv->segments->nodes = t;
279@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
280 if (comp->segment_alloc == comp->segment_count)
281 {
282 void *t;
283- comp->segment_alloc *= 2;
284- t = grub_realloc (comp->segments,
285- comp->segment_alloc
286- * sizeof (*comp->segments));
287+ grub_size_t sz;
288+
289+ if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
290+ grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
291+ goto fail2;
292+
293+ t = grub_realloc (comp->segments, sz);
294 if (!t)
295 goto fail2;
296 comp->segments = t;
297diff --git a/grub-core/font/font.c b/grub-core/font/font.c
298index 8e118b3..5edb477 100644
299--- a/grub-core/font/font.c
300+++ b/grub-core/font/font.c
301@@ -30,6 +30,7 @@
302 #include <grub/unicode.h>
303 #include <grub/fontformat.h>
304 #include <grub/env.h>
305+#include <grub/safemath.h>
306
307 GRUB_MOD_LICENSE ("GPLv3+");
308
309@@ -360,9 +361,13 @@ static char *
310 read_section_as_string (struct font_file_section *section)
311 {
312 char *str;
313+ grub_size_t sz;
314 grub_ssize_t ret;
315
316- str = grub_malloc (section->length + 1);
317+ if (grub_add (section->length, 1, &sz))
318+ return NULL;
319+
320+ str = grub_malloc (sz);
321 if (!str)
322 return 0;
323
324diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
325index 11272ef..2b65bd5 100644
326--- a/grub-core/fs/btrfs.c
327+++ b/grub-core/fs/btrfs.c
328@@ -40,6 +40,7 @@
329 #include <grub/btrfs.h>
330 #include <grub/crypto.h>
331 #include <grub/diskfilter.h>
332+#include <grub/safemath.h>
333
334 GRUB_MOD_LICENSE ("GPLv3+");
335
336@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
337 if (desc->allocated < desc->depth)
338 {
339 void *newdata;
340- desc->allocated *= 2;
341- newdata = grub_realloc (desc->data, sizeof (desc->data[0])
342- * desc->allocated);
343+ grub_size_t sz;
344+
345+ if (grub_mul (desc->allocated, 2, &desc->allocated) ||
346+ grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
347+ return GRUB_ERR_OUT_OF_RANGE;
348+
349+ newdata = grub_realloc (desc->data, sz);
350 if (!newdata)
351 return grub_errno;
352 desc->data = newdata;
353@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
354 if (data->n_devices_attached > data->n_devices_allocated)
355 {
356 void *tmp;
357- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
358- data->devices_attached
359- = grub_realloc (tmp = data->devices_attached,
360- data->n_devices_allocated
361- * sizeof (data->devices_attached[0]));
362+ grub_size_t sz;
363+
364+ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
365+ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
366+ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
367+ goto fail;
368+
369+ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
370 if (!data->devices_attached)
371 {
372+ data->devices_attached = tmp;
373+
374+ fail:
375 if (ctx.dev_found)
376 grub_device_close (ctx.dev_found);
377- data->devices_attached = tmp;
378 return NULL;
379 }
380 }
381diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
382index 9b38980..ac33bcd 100644
383--- a/grub-core/fs/ext2.c
384+++ b/grub-core/fs/ext2.c
385@@ -46,6 +46,7 @@
386 #include <grub/dl.h>
387 #include <grub/types.h>
388 #include <grub/fshelp.h>
389+#include <grub/safemath.h>
390
391 GRUB_MOD_LICENSE ("GPLv3+");
392
393@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
394 {
395 char *symlink;
396 struct grub_fshelp_node *diro = node;
397+ grub_size_t sz;
398
399 if (! diro->inode_read)
400 {
401@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
402 }
403 }
404
405- symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
406+ if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
407+ {
408+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
409+ return NULL;
410+ }
411+
412+ symlink = grub_malloc (sz);
413 if (! symlink)
414 return 0;
415
416diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
417index 4f1b52a..7ba5b30 100644
418--- a/grub-core/fs/iso9660.c
419+++ b/grub-core/fs/iso9660.c
420@@ -28,6 +28,7 @@
421 #include <grub/fshelp.h>
422 #include <grub/charset.h>
423 #include <grub/datetime.h>
424+#include <grub/safemath.h>
425
426 GRUB_MOD_LICENSE ("GPLv3+");
427
428@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
429 int len2)
430 {
431 int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
432+ grub_size_t sz;
433
434- ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
435+ if (grub_add (size, len2, &sz) ||
436+ grub_add (sz, 1, &sz))
437+ return;
438+
439+ ctx->symlink = grub_realloc (ctx->symlink, sz);
440 if (! ctx->symlink)
441 return;
442
443@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
444 {
445 grub_size_t off = 0, csize = 1;
446 char *old;
447+ grub_size_t sz;
448+
449 csize = entry->len - 5;
450 old = ctx->filename;
451 if (ctx->filename_alloc)
452 {
453 off = grub_strlen (ctx->filename);
454- ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
455+ if (grub_add (csize, off, &sz) ||
456+ grub_add (sz, 1, &sz))
457+ return GRUB_ERR_OUT_OF_RANGE;
458+ ctx->filename = grub_realloc (ctx->filename, sz);
459 }
460 else
461 {
462 off = 0;
463- ctx->filename = grub_zalloc (csize + 1);
464+ if (grub_add (csize, 1, &sz))
465+ return GRUB_ERR_OUT_OF_RANGE;
466+ ctx->filename = grub_zalloc (sz);
467 }
468 if (!ctx->filename)
469 {
470@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
471 if (node->have_dirents >= node->alloc_dirents)
472 {
473 struct grub_fshelp_node *new_node;
474- node->alloc_dirents *= 2;
475- new_node = grub_realloc (node,
476- sizeof (struct grub_fshelp_node)
477- + ((node->alloc_dirents
478- - ARRAY_SIZE (node->dirents))
479- * sizeof (node->dirents[0])));
480+ grub_size_t sz;
481+
482+ if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
483+ grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
484+ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
485+ grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
486+ goto fail_0;
487+
488+ new_node = grub_realloc (node, sz);
489 if (!new_node)
490 {
491+ fail_0:
492 if (ctx.filename_alloc)
493 grub_free (ctx.filename);
494 grub_free (node);
495@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
496 * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
497 {
498 struct grub_fshelp_node *new_node;
499- new_node = grub_realloc (node,
500- sizeof (struct grub_fshelp_node)
501- + ((node->alloc_dirents
502- - ARRAY_SIZE (node->dirents))
503- * sizeof (node->dirents[0]))
504- + grub_strlen (ctx.symlink) + 1);
505+ grub_size_t sz;
506+
507+ if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
508+ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
509+ grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
510+ grub_add (sz, grub_strlen (ctx.symlink), &sz))
511+ goto fail_1;
512+
513+ new_node = grub_realloc (node, sz);
514 if (!new_node)
515 {
516+ fail_1:
517 if (ctx.filename_alloc)
518 grub_free (ctx.filename);
519 grub_free (node);
520diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
521index 90f7fb3..de2b107 100644
522--- a/grub-core/fs/sfs.c
523+++ b/grub-core/fs/sfs.c
524@@ -26,6 +26,7 @@
525 #include <grub/types.h>
526 #include <grub/fshelp.h>
527 #include <grub/charset.h>
528+#include <grub/safemath.h>
529
530 GRUB_MOD_LICENSE ("GPLv3+");
531
532@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
533 if (node->cache && node->cache_size >= node->cache_allocated)
534 {
535 struct cache_entry *e = node->cache;
536- e = grub_realloc (node->cache,node->cache_allocated * 2
537- * sizeof (e[0]));
538+ grub_size_t sz;
539+
540+ if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
541+ goto fail;
542+
543+ e = grub_realloc (node->cache, sz);
544 if (!e)
545 {
546+ fail:
547 grub_errno = 0;
548 grub_free (node->cache);
549 node->cache = 0;
550@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
551 grub_size_t len = grub_strlen (name);
552 grub_uint8_t *name_u8;
553 int ret;
554+ grub_size_t sz;
555+
556+ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
557+ grub_add (sz, 1, &sz))
558+ return 1;
559+
560 *node = grub_malloc (sizeof (**node));
561 if (!*node)
562 return 1;
563- name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
564+ name_u8 = grub_malloc (sz);
565 if (!name_u8)
566 {
567 grub_free (*node);
568@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
569 data = grub_sfs_mount (disk);
570 if (data)
571 {
572- grub_size_t len = grub_strlen (data->label);
573- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
574+ grub_size_t sz, len = grub_strlen (data->label);
575+
576+ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
577+ grub_add (sz, 1, &sz))
578+ return GRUB_ERR_OUT_OF_RANGE;
579+
580+ *label = grub_malloc (sz);
581 if (*label)
582 *grub_latin1_to_utf8 ((grub_uint8_t *) *label,
583 (const grub_uint8_t *) data->label,
584diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
585index 95d5c1e..7851238 100644
586--- a/grub-core/fs/squash4.c
587+++ b/grub-core/fs/squash4.c
588@@ -26,6 +26,7 @@
589 #include <grub/types.h>
590 #include <grub/fshelp.h>
591 #include <grub/deflate.h>
592+#include <grub/safemath.h>
593 #include <minilzo.h>
594
595 #include "xz.h"
596@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
597 {
598 char *ret;
599 grub_err_t err;
600- ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
601+ grub_size_t sz;
602+
603+ if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
604+ {
605+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
606+ return NULL;
607+ }
608+
609+ ret = grub_malloc (sz);
610+ if (!ret)
611+ return NULL;
612
613 err = read_chunk (node->data, ret,
614 grub_le_to_cpu32 (node->ino.symlink.namelen),
615@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
616
617 {
618 grub_fshelp_node_t node;
619- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
620+ grub_size_t sz;
621+
622+ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
623+ grub_add (sz, sizeof (*node), &sz))
624+ return 0;
625+
626+ node = grub_malloc (sz);
627 if (!node)
628 return 0;
629- grub_memcpy (node, dir,
630- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
631+ grub_memcpy (node, dir, sz);
632 if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
633 return 1;
634
635@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
636 {
637 grub_err_t err;
638
639- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
640+ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
641+ grub_add (sz, sizeof (*node), &sz))
642+ return 0;
643+
644+ node = grub_malloc (sz);
645 if (!node)
646 return 0;
647
648- grub_memcpy (node, dir,
649- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
650+ grub_memcpy (node, dir, sz);
651
652 node->stsize--;
653 err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
654@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
655 enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
656 struct grub_squash_dirent di;
657 struct grub_squash_inode ino;
658+ grub_size_t sz;
659
660 err = read_chunk (dir->data, &di, sizeof (di),
661 grub_le_to_cpu64 (dir->data->sb.diroffset)
662@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
663 if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
664 filetype = GRUB_FSHELP_SYMLINK;
665
666- node = grub_malloc (sizeof (*node)
667- + (dir->stsize + 1) * sizeof (dir->stack[0]));
668+ if (grub_add (dir->stsize, 1, &sz) ||
669+ grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
670+ grub_add (sz, sizeof (*node), &sz))
671+ return 0;
672+
673+ node = grub_malloc (sz);
674 if (! node)
675 return 0;
676
677- grub_memcpy (node, dir,
678- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
679+ grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
680
681 node->ino = ino;
682 node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
683diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
684index a837616..21ac7f4 100644
685--- a/grub-core/fs/udf.c
686+++ b/grub-core/fs/udf.c
687@@ -28,6 +28,7 @@
688 #include <grub/charset.h>
689 #include <grub/datetime.h>
690 #include <grub/udf.h>
691+#include <grub/safemath.h>
692
693 GRUB_MOD_LICENSE ("GPLv3+");
694
695@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
696 utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
697 }
698 if (!outbuf)
699- outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
700+ {
701+ grub_size_t size;
702+
703+ if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
704+ grub_add (size, 1, &size))
705+ goto fail;
706+
707+ outbuf = grub_malloc (size);
708+ }
709 if (outbuf)
710 *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
711+
712+ fail:
713 grub_free (utf16);
714 return outbuf;
715 }
716@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
717 grub_size_t sz = U64 (node->block.fe.file_size);
718 grub_uint8_t *raw;
719 const grub_uint8_t *ptr;
720- char *out, *optr;
721+ char *out = NULL, *optr;
722
723 if (sz < 4)
724 return NULL;
725@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
726 if (!raw)
727 return NULL;
728 if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
729- {
730- grub_free (raw);
731- return NULL;
732- }
733+ goto fail_1;
734
735- out = grub_malloc (sz * 2 + 1);
736+ if (grub_mul (sz, 2, &sz) ||
737+ grub_add (sz, 1, &sz))
738+ goto fail_0;
739+
740+ out = grub_malloc (sz);
741 if (!out)
742 {
743+ fail_0:
744 grub_free (raw);
745 return NULL;
746 }
747@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
748 {
749 grub_size_t s;
750 if ((grub_size_t) (ptr - raw + 4) > sz)
751- goto fail;
752+ goto fail_1;
753 if (!(ptr[2] == 0 && ptr[3] == 0))
754- goto fail;
755+ goto fail_1;
756 s = 4 + ptr[1];
757 if ((grub_size_t) (ptr - raw + s) > sz)
758- goto fail;
759+ goto fail_1;
760 switch (*ptr)
761 {
762 case 1:
763 if (ptr[1])
764- goto fail;
765+ goto fail_1;
766 /* Fallthrough. */
767 case 2:
768 /* in 4 bytes. out: 1 byte. */
769@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
770 if (optr != out)
771 *optr++ = '/';
772 if (!read_string (ptr + 4, s - 4, optr))
773- goto fail;
774+ goto fail_1;
775 optr += grub_strlen (optr);
776 break;
777 default:
778- goto fail;
779+ goto fail_1;
780 }
781 ptr += s;
782 }
783@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
784 grub_free (raw);
785 return out;
786
787- fail:
788+ fail_1:
789 grub_free (raw);
790 grub_free (out);
791 grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
792diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
793index 96ffecb..ea65902 100644
794--- a/grub-core/fs/xfs.c
795+++ b/grub-core/fs/xfs.c
796@@ -25,6 +25,7 @@
797 #include <grub/dl.h>
798 #include <grub/types.h>
799 #include <grub/fshelp.h>
800+#include <grub/safemath.h>
801
802 GRUB_MOD_LICENSE ("GPLv3+");
803
804@@ -899,6 +900,7 @@ static struct grub_xfs_data *
805 grub_xfs_mount (grub_disk_t disk)
806 {
807 struct grub_xfs_data *data = 0;
808+ grub_size_t sz;
809
810 data = grub_zalloc (sizeof (struct grub_xfs_data));
811 if (!data)
812@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
813 if (!grub_xfs_sb_valid(data))
814 goto fail;
815
816- data = grub_realloc (data,
817- sizeof (struct grub_xfs_data)
818- - sizeof (struct grub_xfs_inode)
819- + grub_xfs_inode_size(data) + 1);
820+ if (grub_add (grub_xfs_inode_size (data),
821+ sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
822+ goto fail;
823+
824+ data = grub_realloc (data, sz);
825
826 if (! data)
827 goto fail;
828diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
829index 381dde5..36d0373 100644
830--- a/grub-core/fs/zfs/zfs.c
831+++ b/grub-core/fs/zfs/zfs.c
832@@ -55,6 +55,7 @@
833 #include <grub/deflate.h>
834 #include <grub/crypto.h>
835 #include <grub/i18n.h>
836+#include <grub/safemath.h>
837
838 GRUB_MOD_LICENSE ("GPLv3+");
839
840@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data,
841 if (data->n_devices_attached > data->n_devices_allocated)
842 {
843 void *tmp;
844- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
845- data->devices_attached
846- = grub_realloc (tmp = data->devices_attached,
847- data->n_devices_allocated
848- * sizeof (data->devices_attached[0]));
849+ grub_size_t sz;
850+
851+ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
852+ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
853+ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
854+ return GRUB_ERR_OUT_OF_RANGE;
855+
856+ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
857 if (!data->devices_attached)
858 {
859 data->devices_attached = tmp;
860@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
861 {
862 char *nvpair;
863 char *ret;
864- grub_size_t size;
865+ grub_size_t size, sz;
866 int found;
867
868 found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
869 &size, 0);
870 if (!found)
871 return 0;
872- ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
873+
874+ if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
875+ return 0;
876+
877+ ret = grub_zalloc (sz);
878 if (!ret)
879 return 0;
880 grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
881diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
882index 1402e0b..de3b015 100644
883--- a/grub-core/fs/zfs/zfscrypt.c
884+++ b/grub-core/fs/zfs/zfscrypt.c
885@@ -22,6 +22,7 @@
886 #include <grub/misc.h>
887 #include <grub/disk.h>
888 #include <grub/partition.h>
889+#include <grub/safemath.h>
890 #include <grub/dl.h>
891 #include <grub/types.h>
892 #include <grub/zfs/zfs.h>
893@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
894 int passphrase)
895 {
896 struct grub_zfs_wrap_key *key;
897+ grub_size_t sz;
898+
899 if (!passphrase && keylen > 32)
900 keylen = 32;
901- key = grub_malloc (sizeof (*key) + keylen);
902+ if (grub_add (sizeof (*key), keylen, &sz))
903+ return GRUB_ERR_OUT_OF_RANGE;
904+ key = grub_malloc (sz);
905 if (!key)
906 return grub_errno;
907 key->is_passphrase = passphrase;
908diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
909index fd7744a..3288609 100644
910--- a/grub-core/lib/arg.c
911+++ b/grub-core/lib/arg.c
912@@ -23,6 +23,7 @@
913 #include <grub/term.h>
914 #include <grub/extcmd.h>
915 #include <grub/i18n.h>
916+#include <grub/safemath.h>
917
918 /* Built-in parser for default options. */
919 static const struct grub_arg_option help_options[] =
920@@ -216,7 +217,13 @@ static inline grub_err_t
921 add_arg (char ***argl, int *num, char *s)
922 {
923 char **p = *argl;
924- *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
925+ grub_size_t sz;
926+
927+ if (grub_add (++(*num), 1, &sz) ||
928+ grub_mul (sz, sizeof (char *), &sz))
929+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
930+
931+ *argl = grub_realloc (*argl, sz);
932 if (! *argl)
933 {
934 grub_free (p);
935@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
936 grub_size_t argcnt;
937 struct grub_arg_list *list;
938 const struct grub_arg_option *options;
939+ grub_size_t sz0, sz1;
940
941 options = extcmd->options;
942 if (! options)
943@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
944 argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
945 }
946
947- list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
948+ if (grub_mul (sizeof (*list), i, &sz0) ||
949+ grub_mul (sizeof (char *), argcnt, &sz1) ||
950+ grub_add (sz0, sz1, &sz0))
951+ {
952+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
953+ return 0;
954+ }
955+
956+ list = grub_zalloc (sz0);
957 if (! list)
958 return 0;
959
960diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
961index 3730ed3..b92cbe9 100644
962--- a/grub-core/loader/i386/bsd.c
963+++ b/grub-core/loader/i386/bsd.c
964@@ -35,6 +35,7 @@
965 #include <grub/ns8250.h>
966 #include <grub/bsdlabel.h>
967 #include <grub/crypto.h>
968+#include <grub/safemath.h>
969 #include <grub/verify.h>
970 #ifdef GRUB_MACHINE_PCBIOS
971 #include <grub/machine/int.h>
972@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
973 struct grub_netbsd_btinfo_modules *mods;
974 unsigned i;
975 grub_err_t err;
976+ grub_size_t sz;
977
978 for (mod = netbsd_mods; mod; mod = mod->next)
979 modcnt++;
980
981- mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
982+ if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
983+ grub_add (sz, sizeof (*mods), &sz))
984+ return GRUB_ERR_OUT_OF_RANGE;
985+
986+ mods = grub_malloc (sz);
987 if (!mods)
988 return grub_errno;
989
990diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
991index e332d5e..906ec7d 100644
992--- a/grub-core/net/dns.c
993+++ b/grub-core/net/dns.c
994@@ -22,6 +22,7 @@
995 #include <grub/i18n.h>
996 #include <grub/err.h>
997 #include <grub/time.h>
998+#include <grub/safemath.h>
999
1000 struct dns_cache_element
1001 {
1002@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
1003 {
1004 int na = dns_servers_alloc * 2;
1005 struct grub_net_network_level_address *ns;
1006+ grub_size_t sz;
1007+
1008 if (na < 8)
1009 na = 8;
1010- ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
1011+
1012+ if (grub_mul (na, sizeof (ns[0]), &sz))
1013+ return GRUB_ERR_OUT_OF_RANGE;
1014+
1015+ ns = grub_realloc (dns_servers, sz);
1016 if (!ns)
1017 return grub_errno;
1018 dns_servers_alloc = na;
1019diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
1020index d57fb72..4dfcc31 100644
1021--- a/grub-core/normal/charset.c
1022+++ b/grub-core/normal/charset.c
1023@@ -48,6 +48,7 @@
1024 #include <grub/unicode.h>
1025 #include <grub/term.h>
1026 #include <grub/normal.h>
1027+#include <grub/safemath.h>
1028
1029 #if HAVE_FONT_SOURCE
1030 #include "widthspec.h"
1031@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
1032 {
1033 struct grub_unicode_combining *n;
1034 unsigned j;
1035+ grub_size_t sz;
1036
1037 if (!haveout)
1038 continue;
1039@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
1040 n = out->combining_inline;
1041 else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
1042 {
1043- n = grub_realloc (out->combining_ptr,
1044- sizeof (n[0]) * (out->ncomb + 1));
1045+ if (grub_add (out->ncomb, 1, &sz) ||
1046+ grub_mul (sz, sizeof (n[0]), &sz))
1047+ goto fail;
1048+
1049+ n = grub_realloc (out->combining_ptr, sz);
1050 if (!n)
1051 {
1052+ fail:
1053 grub_errno = GRUB_ERR_NONE;
1054 continue;
1055 }
1056diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
1057index c57242e..de03fe6 100644
1058--- a/grub-core/normal/cmdline.c
1059+++ b/grub-core/normal/cmdline.c
1060@@ -28,6 +28,7 @@
1061 #include <grub/env.h>
1062 #include <grub/i18n.h>
1063 #include <grub/charset.h>
1064+#include <grub/safemath.h>
1065
1066 static grub_uint32_t *kill_buf;
1067
1068@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
1069 if (len + (*llen) >= (*max_len))
1070 {
1071 grub_uint32_t *nbuf;
1072- (*max_len) *= 2;
1073- nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
1074+ grub_size_t sz;
1075+
1076+ if (grub_mul (*max_len, 2, max_len) ||
1077+ grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
1078+ {
1079+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
1080+ goto fail;
1081+ }
1082+
1083+ nbuf = grub_realloc ((*buf), sz);
1084 if (nbuf)
1085 (*buf) = nbuf;
1086 else
1087 {
1088+ fail:
1089 grub_print_error ();
1090 grub_errno = GRUB_ERR_NONE;
1091 (*max_len) /= 2;
1092diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
1093index 1993995..50eef91 100644
1094--- a/grub-core/normal/menu_entry.c
1095+++ b/grub-core/normal/menu_entry.c
1096@@ -27,6 +27,7 @@
1097 #include <grub/auth.h>
1098 #include <grub/i18n.h>
1099 #include <grub/charset.h>
1100+#include <grub/safemath.h>
1101
1102 enum update_mode
1103 {
1104@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra)
1105 {
1106 if (linep->max_len < linep->len + extra)
1107 {
1108- linep->max_len = 2 * (linep->len + extra);
1109- linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
1110+ grub_size_t sz0, sz1;
1111+
1112+ if (grub_add (linep->len, extra, &sz0) ||
1113+ grub_mul (sz0, 2, &sz0) ||
1114+ grub_add (sz0, 1, &sz1) ||
1115+ grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
1116+ return 0;
1117+
1118+ linep->buf = grub_realloc (linep->buf, sz1);
1119 if (! linep->buf)
1120 return 0;
1121+ linep->max_len = sz0;
1122 }
1123
1124 return 1;
1125diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
1126index 217ec5d..5751fdd 100644
1127--- a/grub-core/script/argv.c
1128+++ b/grub-core/script/argv.c
1129@@ -20,6 +20,7 @@
1130 #include <grub/mm.h>
1131 #include <grub/misc.h>
1132 #include <grub/script_sh.h>
1133+#include <grub/safemath.h>
1134
1135 /* Return nearest power of two that is >= v. */
1136 static unsigned
1137@@ -81,11 +82,16 @@ int
1138 grub_script_argv_next (struct grub_script_argv *argv)
1139 {
1140 char **p = argv->args;
1141+ grub_size_t sz;
1142
1143 if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
1144 return 0;
1145
1146- p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
1147+ if (grub_add (argv->argc, 2, &sz) ||
1148+ grub_mul (sz, sizeof (char *), &sz))
1149+ return 1;
1150+
1151+ p = grub_realloc (p, round_up_exp (sz));
1152 if (! p)
1153 return 1;
1154
1155@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
1156 {
1157 grub_size_t a;
1158 char *p = argv->args[argv->argc - 1];
1159+ grub_size_t sz;
1160
1161 if (! s)
1162 return 0;
1163
1164 a = p ? grub_strlen (p) : 0;
1165
1166- p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
1167+ if (grub_add (a, slen, &sz) ||
1168+ grub_add (sz, 1, &sz) ||
1169+ grub_mul (sz, sizeof (char), &sz))
1170+ return 1;
1171+
1172+ p = grub_realloc (p, round_up_exp (sz));
1173 if (! p)
1174 return 1;
1175
1176diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
1177index c6bd317..5fb0cbd 100644
1178--- a/grub-core/script/lexer.c
1179+++ b/grub-core/script/lexer.c
1180@@ -24,6 +24,7 @@
1181 #include <grub/mm.h>
1182 #include <grub/script_sh.h>
1183 #include <grub/i18n.h>
1184+#include <grub/safemath.h>
1185
1186 #define yytext_ptr char *
1187 #include "grub_script.tab.h"
1188@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
1189 old = lexer->recording;
1190 if (lexer->recordlen < len)
1191 lexer->recordlen = len;
1192- lexer->recordlen *= 2;
1193+
1194+ if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
1195+ goto fail;
1196+
1197 lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
1198 if (!lexer->recording)
1199 {
1200+ fail:
1201 grub_free (old);
1202 lexer->recordpos = 0;
1203 lexer->recordlen = 0;
1204@@ -130,7 +135,7 @@ int
1205 grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
1206 const char *input)
1207 {
1208- grub_size_t len = 0;
1209+ grub_size_t len = 0, sz;
1210 char *p = 0;
1211 char *line = 0;
1212 YY_BUFFER_STATE buffer;
1213@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
1214 }
1215 else if (len && line[len - 1] != '\n')
1216 {
1217- p = grub_realloc (line, len + 2);
1218+ if (grub_add (len, 2, &sz))
1219+ {
1220+ grub_free (line);
1221+ grub_script_yyerror (parserstate, N_("overflow is detected"));
1222+ return 1;
1223+ }
1224+
1225+ p = grub_realloc (line, sz);
1226 if (p)
1227 {
1228 p[len++] = '\n';
1229 p[len] = '\0';
1230 }
1231+ else
1232+ grub_free (line);
1233+
1234 line = p;
1235 }
1236
1237diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
1238index b2e0315..6256e20 100644
1239--- a/grub-core/video/bitmap.c
1240+++ b/grub-core/video/bitmap.c
1241@@ -23,6 +23,7 @@
1242 #include <grub/mm.h>
1243 #include <grub/misc.h>
1244 #include <grub/i18n.h>
1245+#include <grub/safemath.h>
1246
1247 GRUB_MOD_LICENSE ("GPLv3+");
1248
1249@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
1250 enum grub_video_blit_format blit_format)
1251 {
1252 struct grub_video_mode_info *mode_info;
1253- unsigned int size;
1254+ grub_size_t size;
1255
1256 if (!bitmap)
1257 return grub_error (GRUB_ERR_BUG, "invalid argument");
1258@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
1259
1260 mode_info->pitch = width * mode_info->bytes_per_pixel;
1261
1262- /* Calculate size needed for the data. */
1263- size = (width * mode_info->bytes_per_pixel) * height;
1264+ /* Calculate size needed for the data. */
1265+ if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
1266+ grub_mul (size, height, &size))
1267+ {
1268+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
1269+ goto fail;
1270+ }
1271
1272 (*bitmap)->data = grub_zalloc (size);
1273 if (! (*bitmap)->data)
1274- {
1275- grub_free (*bitmap);
1276- *bitmap = 0;
1277-
1278- return grub_errno;
1279- }
1280+ goto fail;
1281
1282 return GRUB_ERR_NONE;
1283+
1284+ fail:
1285+ grub_free (*bitmap);
1286+ *bitmap = NULL;
1287+
1288+ return grub_errno;
1289 }
1290
1291 /* Frees all resources allocated by bitmap. */
1292diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
1293index 61bd645..0157ff7 100644
1294--- a/grub-core/video/readers/png.c
1295+++ b/grub-core/video/readers/png.c
1296@@ -23,6 +23,7 @@
1297 #include <grub/mm.h>
1298 #include <grub/misc.h>
1299 #include <grub/bufio.h>
1300+#include <grub/safemath.h>
1301
1302 GRUB_MOD_LICENSE ("GPLv3+");
1303
1304@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
1305 data->bpp <<= 1;
1306
1307 data->color_bits = color_bits;
1308- data->row_bytes = data->image_width * data->bpp;
1309+
1310+ if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
1311+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
1312+
1313 if (data->color_bits <= 4)
1314- data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
1315+ {
1316+ if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
1317+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
1318+
1319+ data->row_bytes >>= 3;
1320+ }
1321
1322 #ifndef GRUB_CPU_WORDS_BIGENDIAN
1323 if (data->is_16bit || data->is_gray || data->is_palette)
1324--
13252.14.4
1326
diff --git a/meta/recipes-bsp/grub/files/0006-script-Remove-unused-fields-from-grub_script_functio.patch b/meta/recipes-bsp/grub/files/0006-script-Remove-unused-fields-from-grub_script_functio.patch
new file mode 100644
index 0000000000..84a80d5ffd
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0006-script-Remove-unused-fields-from-grub_script_functio.patch
@@ -0,0 +1,37 @@
1From e219bad8cee67b2bb21712df8f055706f8da25d2 Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Fri, 10 Jul 2020 11:21:14 +0100
4Subject: [PATCH 7/9] script: Remove unused fields from grub_script_function
5 struct
6
7Upstream-Status: Backport [commit 1a8d9c9b4ab6df7669b5aa36a56477f297825b96
8from https://git.savannah.gnu.org/git/grub.git]
9
10Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
11Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
13---
14 include/grub/script_sh.h | 5 -----
15 1 file changed, 5 deletions(-)
16
17diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
18index 360c2be..b382bcf 100644
19--- a/include/grub/script_sh.h
20+++ b/include/grub/script_sh.h
21@@ -359,13 +359,8 @@ struct grub_script_function
22 /* The script function. */
23 struct grub_script *func;
24
25- /* The flags. */
26- unsigned flags;
27-
28 /* The next element. */
29 struct grub_script_function *next;
30-
31- int references;
32 };
33 typedef struct grub_script_function *grub_script_function_t;
34
35--
362.14.4
37
diff --git a/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch
new file mode 100644
index 0000000000..fedfc5d203
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch
@@ -0,0 +1,113 @@
1From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Fri, 10 Jul 2020 14:41:45 +0100
4Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function
5 during execution
6
7Defining a new function with the same name as a previously defined
8function causes the grub_script and associated resources for the
9previous function to be freed. If the previous function is currently
10executing when a function with the same name is defined, this results
11in use-after-frees when processing subsequent commands in the original
12function.
13
14Instead, reject a new function definition if it has the same name as
15a previously defined function, and that function is currently being
16executed. Although a behavioural change, this should be backwards
17compatible with existing configurations because they can't be
18dependent on the current behaviour without being broken.
19
20Fixes: CVE-2020-15706
21
22Upstream-Status: Backport [commit 426f57383d647406ae9c628c472059c27cd6e040
23from https://git.savannah.gnu.org/git/grub.git]
24
25Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
26Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
27Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
28---
29 grub-core/script/execute.c | 2 ++
30 grub-core/script/function.c | 16 +++++++++++++---
31 grub-core/script/parser.y | 3 ++-
32 include/grub/script_sh.h | 2 ++
33 4 files changed, 19 insertions(+), 4 deletions(-)
34
35diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
36index c8d6806..7e028e1 100644
37--- a/grub-core/script/execute.c
38+++ b/grub-core/script/execute.c
39@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
40 old_scope = scope;
41 scope = &new_scope;
42
43+ func->executing++;
44 ret = grub_script_execute (func->func);
45+ func->executing--;
46
47 function_return = 0;
48 active_loops = loops;
49diff --git a/grub-core/script/function.c b/grub-core/script/function.c
50index d36655e..3aad04b 100644
51--- a/grub-core/script/function.c
52+++ b/grub-core/script/function.c
53@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
54 func = (grub_script_function_t) grub_malloc (sizeof (*func));
55 if (! func)
56 return 0;
57+ func->executing = 0;
58
59 func->name = grub_strdup (functionname_arg->str);
60 if (! func->name)
61@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
62 grub_script_function_t q;
63
64 q = *p;
65- grub_script_free (q->func);
66- q->func = cmd;
67 grub_free (func);
68- func = q;
69+ if (q->executing > 0)
70+ {
71+ grub_error (GRUB_ERR_BAD_ARGUMENT,
72+ N_("attempt to redefine a function being executed"));
73+ func = NULL;
74+ }
75+ else
76+ {
77+ grub_script_free (q->func);
78+ q->func = cmd;
79+ func = q;
80+ }
81 }
82 else
83 {
84diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
85index 4f0ab83..f80b86b 100644
86--- a/grub-core/script/parser.y
87+++ b/grub-core/script/parser.y
88@@ -289,7 +289,8 @@ function: "function" "name"
89 grub_script_mem_free (state->func_mem);
90 else {
91 script->children = state->scripts;
92- grub_script_function_create ($2, script);
93+ if (!grub_script_function_create ($2, script))
94+ grub_script_free (script);
95 }
96
97 state->scripts = $<scripts>3;
98diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
99index b382bcf..6c48e07 100644
100--- a/include/grub/script_sh.h
101+++ b/include/grub/script_sh.h
102@@ -361,6 +361,8 @@ struct grub_script_function
103
104 /* The next element. */
105 struct grub_script_function *next;
106+
107+ unsigned executing;
108 };
109 typedef struct grub_script_function *grub_script_function_t;
110
111--
1122.14.4
113
diff --git a/meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch
new file mode 100644
index 0000000000..0731f0ec53
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch
@@ -0,0 +1,173 @@
1From 68a09a74f6d726d79709847f3671c0a08e4fb5a0 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Sat, 25 Jul 2020 12:15:37 +0100
4Subject: [PATCH 9/9] linux: Fix integer overflows in initrd size handling
5
6These could be triggered by a crafted filesystem with very large files.
7
8Fixes: CVE-2020-15707
9
10Upstream-Status: Backport [commit e7b8856f8be3292afdb38d2e8c70ad8d62a61e10
11from https://git.savannah.gnu.org/git/grub.git]
12
13Signed-off-by: Colin Watson <cjwatson@debian.org>
14Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
15Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
17---
18 grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
19 1 file changed, 54 insertions(+), 20 deletions(-)
20
21diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
22index 471b214..8c8565a 100644
23--- a/grub-core/loader/linux.c
24+++ b/grub-core/loader/linux.c
25@@ -4,6 +4,7 @@
26 #include <grub/misc.h>
27 #include <grub/file.h>
28 #include <grub/mm.h>
29+#include <grub/safemath.h>
30
31 struct newc_head
32 {
33@@ -98,13 +99,13 @@ free_dir (struct dir *root)
34 grub_free (root);
35 }
36
37-static grub_size_t
38+static grub_err_t
39 insert_dir (const char *name, struct dir **root,
40- grub_uint8_t *ptr)
41+ grub_uint8_t *ptr, grub_size_t *size)
42 {
43 struct dir *cur, **head = root;
44 const char *cb, *ce = name;
45- grub_size_t size = 0;
46+ *size = 0;
47 while (1)
48 {
49 for (cb = ce; *cb == '/'; cb++);
50@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
51 ptr = make_header (ptr, name, ce - name,
52 040777, 0);
53 }
54- size += ALIGN_UP ((ce - (char *) name)
55- + sizeof (struct newc_head), 4);
56+ if (grub_add (*size,
57+ ALIGN_UP ((ce - (char *) name)
58+ + sizeof (struct newc_head), 4),
59+ size))
60+ {
61+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
62+ grub_free (n->name);
63+ grub_free (n);
64+ return grub_errno;
65+ }
66 *head = n;
67 cur = n;
68 }
69 root = &cur->next;
70 }
71- return size;
72+ return GRUB_ERR_NONE;
73 }
74
75 grub_err_t
76@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
77 eptr = grub_strchr (ptr, ':');
78 if (eptr)
79 {
80+ grub_size_t dir_size, name_len;
81+
82 initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
83- if (!initrd_ctx->components[i].newc_name)
84+ if (!initrd_ctx->components[i].newc_name ||
85+ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
86+ &dir_size))
87 {
88 grub_initrd_close (initrd_ctx);
89 return grub_errno;
90 }
91- initrd_ctx->size
92- += ALIGN_UP (sizeof (struct newc_head)
93- + grub_strlen (initrd_ctx->components[i].newc_name),
94- 4);
95- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
96- &root, 0);
97+ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
98+ if (grub_add (initrd_ctx->size,
99+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
100+ &initrd_ctx->size) ||
101+ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
102+ goto overflow;
103 newc = 1;
104 fname = eptr + 1;
105 }
106 }
107 else if (newc)
108 {
109- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
110- + sizeof ("TRAILER!!!") - 1, 4);
111+ if (grub_add (initrd_ctx->size,
112+ ALIGN_UP (sizeof (struct newc_head)
113+ + sizeof ("TRAILER!!!") - 1, 4),
114+ &initrd_ctx->size))
115+ goto overflow;
116 free_dir (root);
117 root = 0;
118 newc = 0;
119@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
120 initrd_ctx->nfiles++;
121 initrd_ctx->components[i].size
122 = grub_file_size (initrd_ctx->components[i].file);
123- initrd_ctx->size += initrd_ctx->components[i].size;
124+ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
125+ &initrd_ctx->size))
126+ goto overflow;
127 }
128
129 if (newc)
130 {
131 initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
132- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
133- + sizeof ("TRAILER!!!") - 1, 4);
134+ if (grub_add (initrd_ctx->size,
135+ ALIGN_UP (sizeof (struct newc_head)
136+ + sizeof ("TRAILER!!!") - 1, 4),
137+ &initrd_ctx->size))
138+ goto overflow;
139 free_dir (root);
140 root = 0;
141 }
142
143 return GRUB_ERR_NONE;
144+
145+ overflow:
146+ free_dir (root);
147+ grub_initrd_close (initrd_ctx);
148+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
149 }
150
151 grub_size_t
152@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
153
154 if (initrd_ctx->components[i].newc_name)
155 {
156- ptr += insert_dir (initrd_ctx->components[i].newc_name,
157- &root, ptr);
158+ grub_size_t dir_size;
159+
160+ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
161+ &dir_size))
162+ {
163+ free_dir (root);
164+ grub_initrd_close (initrd_ctx);
165+ return grub_errno;
166+ }
167+ ptr += dir_size;
168 ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
169 grub_strlen (initrd_ctx->components[i].newc_name),
170 0100777,
171--
1722.14.4
173
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 345554e7af..7c53193ebd 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -19,6 +19,14 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
19 file://grub-module-explicitly-keeps-symbole-.module_license.patch \ 19 file://grub-module-explicitly-keeps-symbole-.module_license.patch \
20 file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ 20 file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
21 file://CVE-2020-10713.patch \ 21 file://CVE-2020-10713.patch \
22 file://0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch \
23 file://0002-lvm-Add-LVM-cache-logical-volume-handling.patch \
24 file://0003-calloc-Use-calloc-at-most-places.patch \
25 file://0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch \
26 file://0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch \
27 file://0006-script-Remove-unused-fields-from-grub_script_functio.patch \
28 file://0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
29 file://0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
22" 30"
23SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" 31SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
24SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" 32SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"