diff options
author | Yongxin Liu <yongxin.liu@windriver.com> | 2020-10-28 11:18:06 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-10-30 13:04:39 +0000 |
commit | 141bf3fdb65d3c17426843ec3ea040244d59379f (patch) | |
tree | f4731ece58d7303f5ccc12b83a5ec0cf28f43b72 /meta | |
parent | a65148ba0a1403fbb3b9271909c48c53a3ee9b6d (diff) | |
download | poky-141bf3fdb65d3c17426843ec3ea040244d59379f.tar.gz |
grub: fix several CVEs in grub 2.04
Backport patches from https://git.savannah.gnu.org/git/grub.git
to fix some CVEs. Here is the list.
CVE-2020-14308:
0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch
0002-lvm-Add-LVM-cache-logical-volume-handling.patch
0003-calloc-Use-calloc-at-most-places.patch
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311:
0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch
0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
CVE-2020-15706:
0006-script-Remove-unused-fields-from-grub_script_functio.patch
0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch
CVE-2020-15707:
0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch
(From OE-Core rev: 67329184985a03534f11f95e9df5f9fb2305a261)
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
9 files changed, 4143 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch b/meta/recipes-bsp/grub/files/0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch new file mode 100644 index 0000000000..c9536e68ef --- /dev/null +++ b/meta/recipes-bsp/grub/files/0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch | |||
@@ -0,0 +1,246 @@ | |||
1 | From c005f62f5c4b26a77b916c8f76a852324439ecb3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Jones <pjones@redhat.com> | ||
3 | Date: Mon, 15 Jun 2020 12:15:29 -0400 | ||
4 | Subject: [PATCH 2/9] calloc: Make sure we always have an overflow-checking | ||
5 | calloc() available | ||
6 | |||
7 | This tries to make sure that everywhere in this source tree, we always have | ||
8 | an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.) | ||
9 | available, and that they all safely check for overflow and return NULL when | ||
10 | it would occur. | ||
11 | |||
12 | Upstream-Status: Backport [commit 64e26162ebfe68317c143ca5ec996c892019f8f8 | ||
13 | from https://git.savannah.gnu.org/git/grub.git] | ||
14 | |||
15 | Signed-off-by: Peter Jones <pjones@redhat.com> | ||
16 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
17 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
18 | --- | ||
19 | grub-core/kern/emu/misc.c | 12 ++++++++++++ | ||
20 | grub-core/kern/emu/mm.c | 10 ++++++++++ | ||
21 | grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++ | ||
22 | grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++-- | ||
23 | grub-core/lib/posix_wrap/stdlib.h | 8 +++++++- | ||
24 | include/grub/emu/misc.h | 1 + | ||
25 | include/grub/mm.h | 6 ++++++ | ||
26 | 7 files changed, 85 insertions(+), 3 deletions(-) | ||
27 | |||
28 | diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c | ||
29 | index 65db79b..dfd8a8e 100644 | ||
30 | --- a/grub-core/kern/emu/misc.c | ||
31 | +++ b/grub-core/kern/emu/misc.c | ||
32 | @@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...) | ||
33 | exit (1); | ||
34 | } | ||
35 | |||
36 | +void * | ||
37 | +xcalloc (grub_size_t nmemb, grub_size_t size) | ||
38 | +{ | ||
39 | + void *p; | ||
40 | + | ||
41 | + p = calloc (nmemb, size); | ||
42 | + if (!p) | ||
43 | + grub_util_error ("%s", _("out of memory")); | ||
44 | + | ||
45 | + return p; | ||
46 | +} | ||
47 | + | ||
48 | void * | ||
49 | xmalloc (grub_size_t size) | ||
50 | { | ||
51 | diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c | ||
52 | index f262e95..145b01d 100644 | ||
53 | --- a/grub-core/kern/emu/mm.c | ||
54 | +++ b/grub-core/kern/emu/mm.c | ||
55 | @@ -25,6 +25,16 @@ | ||
56 | #include <string.h> | ||
57 | #include <grub/i18n.h> | ||
58 | |||
59 | +void * | ||
60 | +grub_calloc (grub_size_t nmemb, grub_size_t size) | ||
61 | +{ | ||
62 | + void *ret; | ||
63 | + ret = calloc (nmemb, size); | ||
64 | + if (!ret) | ||
65 | + grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory")); | ||
66 | + return ret; | ||
67 | +} | ||
68 | + | ||
69 | void * | ||
70 | grub_malloc (grub_size_t size) | ||
71 | { | ||
72 | diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c | ||
73 | index ee88ff6..f2822a8 100644 | ||
74 | --- a/grub-core/kern/mm.c | ||
75 | +++ b/grub-core/kern/mm.c | ||
76 | @@ -67,8 +67,10 @@ | ||
77 | #include <grub/dl.h> | ||
78 | #include <grub/i18n.h> | ||
79 | #include <grub/mm_private.h> | ||
80 | +#include <grub/safemath.h> | ||
81 | |||
82 | #ifdef MM_DEBUG | ||
83 | +# undef grub_calloc | ||
84 | # undef grub_malloc | ||
85 | # undef grub_zalloc | ||
86 | # undef grub_realloc | ||
87 | @@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size) | ||
88 | return 0; | ||
89 | } | ||
90 | |||
91 | +/* | ||
92 | + * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on | ||
93 | + * integer overflow. | ||
94 | + */ | ||
95 | +void * | ||
96 | +grub_calloc (grub_size_t nmemb, grub_size_t size) | ||
97 | +{ | ||
98 | + void *ret; | ||
99 | + grub_size_t sz = 0; | ||
100 | + | ||
101 | + if (grub_mul (nmemb, size, &sz)) | ||
102 | + { | ||
103 | + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
104 | + return NULL; | ||
105 | + } | ||
106 | + | ||
107 | + ret = grub_memalign (0, sz); | ||
108 | + if (!ret) | ||
109 | + return NULL; | ||
110 | + | ||
111 | + grub_memset (ret, 0, sz); | ||
112 | + return ret; | ||
113 | +} | ||
114 | + | ||
115 | /* Allocate SIZE bytes and return the pointer. */ | ||
116 | void * | ||
117 | grub_malloc (grub_size_t size) | ||
118 | @@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno) | ||
119 | grub_printf ("\n"); | ||
120 | } | ||
121 | |||
122 | +void * | ||
123 | +grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size) | ||
124 | +{ | ||
125 | + void *ptr; | ||
126 | + | ||
127 | + if (grub_mm_debug) | ||
128 | + grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ", | ||
129 | + file, line, size); | ||
130 | + ptr = grub_calloc (nmemb, size); | ||
131 | + if (grub_mm_debug) | ||
132 | + grub_printf ("%p\n", ptr); | ||
133 | + return ptr; | ||
134 | +} | ||
135 | + | ||
136 | void * | ||
137 | grub_debug_malloc (const char *file, int line, grub_size_t size) | ||
138 | { | ||
139 | diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c | ||
140 | index beeb661..74c6eaf 100644 | ||
141 | --- a/grub-core/lib/libgcrypt_wrap/mem.c | ||
142 | +++ b/grub-core/lib/libgcrypt_wrap/mem.c | ||
143 | @@ -4,6 +4,7 @@ | ||
144 | #include <grub/crypto.h> | ||
145 | #include <grub/dl.h> | ||
146 | #include <grub/env.h> | ||
147 | +#include <grub/safemath.h> | ||
148 | |||
149 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
150 | |||
151 | @@ -36,7 +37,10 @@ void * | ||
152 | gcry_xcalloc (size_t n, size_t m) | ||
153 | { | ||
154 | void *ret; | ||
155 | - ret = grub_zalloc (n * m); | ||
156 | + size_t sz; | ||
157 | + if (grub_mul (n, m, &sz)) | ||
158 | + grub_fatal ("gcry_xcalloc would overflow"); | ||
159 | + ret = grub_zalloc (sz); | ||
160 | if (!ret) | ||
161 | grub_fatal ("gcry_xcalloc failed"); | ||
162 | return ret; | ||
163 | @@ -56,7 +60,10 @@ void * | ||
164 | gcry_xcalloc_secure (size_t n, size_t m) | ||
165 | { | ||
166 | void *ret; | ||
167 | - ret = grub_zalloc (n * m); | ||
168 | + size_t sz; | ||
169 | + if (grub_mul (n, m, &sz)) | ||
170 | + grub_fatal ("gcry_xcalloc would overflow"); | ||
171 | + ret = grub_zalloc (sz); | ||
172 | if (!ret) | ||
173 | grub_fatal ("gcry_xcalloc failed"); | ||
174 | return ret; | ||
175 | diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h | ||
176 | index 3b46f47..7a8d385 100644 | ||
177 | --- a/grub-core/lib/posix_wrap/stdlib.h | ||
178 | +++ b/grub-core/lib/posix_wrap/stdlib.h | ||
179 | @@ -21,6 +21,7 @@ | ||
180 | |||
181 | #include <grub/mm.h> | ||
182 | #include <grub/misc.h> | ||
183 | +#include <grub/safemath.h> | ||
184 | |||
185 | static inline void | ||
186 | free (void *ptr) | ||
187 | @@ -37,7 +38,12 @@ malloc (grub_size_t size) | ||
188 | static inline void * | ||
189 | calloc (grub_size_t size, grub_size_t nelem) | ||
190 | { | ||
191 | - return grub_zalloc (size * nelem); | ||
192 | + grub_size_t sz; | ||
193 | + | ||
194 | + if (grub_mul (size, nelem, &sz)) | ||
195 | + return NULL; | ||
196 | + | ||
197 | + return grub_zalloc (sz); | ||
198 | } | ||
199 | |||
200 | static inline void * | ||
201 | diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h | ||
202 | index ce464cf..ff9c48a 100644 | ||
203 | --- a/include/grub/emu/misc.h | ||
204 | +++ b/include/grub/emu/misc.h | ||
205 | @@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev); | ||
206 | #define GRUB_HOST_PRIuLONG_LONG "llu" | ||
207 | #define GRUB_HOST_PRIxLONG_LONG "llx" | ||
208 | |||
209 | +void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT; | ||
210 | void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT; | ||
211 | void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT; | ||
212 | char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT; | ||
213 | diff --git a/include/grub/mm.h b/include/grub/mm.h | ||
214 | index 28e2e53..9c38dd3 100644 | ||
215 | --- a/include/grub/mm.h | ||
216 | +++ b/include/grub/mm.h | ||
217 | @@ -29,6 +29,7 @@ | ||
218 | #endif | ||
219 | |||
220 | void grub_mm_init_region (void *addr, grub_size_t size); | ||
221 | +void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size); | ||
222 | void *EXPORT_FUNC(grub_malloc) (grub_size_t size); | ||
223 | void *EXPORT_FUNC(grub_zalloc) (grub_size_t size); | ||
224 | void EXPORT_FUNC(grub_free) (void *ptr); | ||
225 | @@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug); | ||
226 | void grub_mm_dump_free (void); | ||
227 | void grub_mm_dump (unsigned lineno); | ||
228 | |||
229 | +#define grub_calloc(nmemb, size) \ | ||
230 | + grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size) | ||
231 | + | ||
232 | #define grub_malloc(size) \ | ||
233 | grub_debug_malloc (GRUB_FILE, __LINE__, size) | ||
234 | |||
235 | @@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno); | ||
236 | #define grub_free(ptr) \ | ||
237 | grub_debug_free (GRUB_FILE, __LINE__, ptr) | ||
238 | |||
239 | +void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line, | ||
240 | + grub_size_t nmemb, grub_size_t size); | ||
241 | void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line, | ||
242 | grub_size_t size); | ||
243 | void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line, | ||
244 | -- | ||
245 | 2.14.4 | ||
246 | |||
diff --git a/meta/recipes-bsp/grub/files/0002-lvm-Add-LVM-cache-logical-volume-handling.patch b/meta/recipes-bsp/grub/files/0002-lvm-Add-LVM-cache-logical-volume-handling.patch new file mode 100644 index 0000000000..2b8157f592 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0002-lvm-Add-LVM-cache-logical-volume-handling.patch | |||
@@ -0,0 +1,287 @@ | |||
1 | From 8eb02bcb5897b238b29ff762402bb0c3028f0eab Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Chang <mchang@suse.com> | ||
3 | Date: Thu, 19 Mar 2020 13:56:13 +0800 | ||
4 | Subject: [PATCH 3/9] lvm: Add LVM cache logical volume handling | ||
5 | |||
6 | The LVM cache logical volume is the logical volume consisting of the original | ||
7 | and the cache pool logical volume. The original is usually on a larger and | ||
8 | slower storage device while the cache pool is on a smaller and faster one. The | ||
9 | performance of the original volume can be improved by storing the frequently | ||
10 | used data on the cache pool to utilize the greater performance of faster | ||
11 | device. | ||
12 | |||
13 | The default cache mode "writethrough" ensures that any data written will be | ||
14 | stored both in the cache and on the origin LV, therefore grub can be straight | ||
15 | to read the original lv as no data loss is guarenteed. | ||
16 | |||
17 | The second cache mode is "writeback", which delays writing from the cache pool | ||
18 | back to the origin LV to have increased performance. The drawback is potential | ||
19 | data loss if losing the associated cache device. | ||
20 | |||
21 | During the boot time grub reads the LVM offline i.e. LVM volumes are not | ||
22 | activated and mounted, hence it should be fine to read directly from original | ||
23 | lv since all cached data should have been flushed back in the process of taking | ||
24 | it offline. | ||
25 | |||
26 | It is also not much helpful to the situation by adding fsync calls to the | ||
27 | install code. The fsync did not force to write back dirty cache to the original | ||
28 | device and rather it would update associated cache metadata to complete the | ||
29 | write transaction with the cache device. IOW the writes to cached blocks still | ||
30 | go only to the cache device. | ||
31 | |||
32 | To write back dirty cache, as LVM cache did not support dirty cache flush per | ||
33 | block range, there'no way to do it for file. On the other hand the "cleaner" | ||
34 | policy is implemented and can be used to write back "all" dirty blocks in a | ||
35 | cache, which effectively drain all dirty cache gradually to attain and last in | ||
36 | the "clean" state, which can be useful for shrinking or decommissioning a | ||
37 | cache. The result and effect is not what we are looking for here. | ||
38 | |||
39 | In conclusion, as it seems no way to enforce file writes to the original | ||
40 | device, grub may suffer from power failure as it cannot assemble the cache | ||
41 | device and read the dirty data from it. However since the case is only | ||
42 | applicable to writeback mode which is sensitive to data lost in nature, I'd | ||
43 | still like to propose my (relatively simple) patch and treat reading dirty | ||
44 | cache as improvement. | ||
45 | |||
46 | Upstream-Status: Backport [commit 0454b0445393aafc5600e92ef0c39494e333b135 | ||
47 | from https://git.savannah.gnu.org/git/grub.git] | ||
48 | |||
49 | Signed-off-by: Michael Chang <mchang@suse.com> | ||
50 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
51 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
52 | --- | ||
53 | grub-core/disk/lvm.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
54 | 1 file changed, 190 insertions(+) | ||
55 | |||
56 | diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c | ||
57 | index 7b265c7..dc6b83b 100644 | ||
58 | --- a/grub-core/disk/lvm.c | ||
59 | +++ b/grub-core/disk/lvm.c | ||
60 | @@ -33,6 +33,14 @@ | ||
61 | |||
62 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
63 | |||
64 | +struct cache_lv | ||
65 | +{ | ||
66 | + struct grub_diskfilter_lv *lv; | ||
67 | + char *cache_pool; | ||
68 | + char *origin; | ||
69 | + struct cache_lv *next; | ||
70 | +}; | ||
71 | + | ||
72 | |||
73 | /* Go the string STR and return the number after STR. *P will point | ||
74 | at the number. In case STR is not found, *P will be NULL and the | ||
75 | @@ -95,6 +103,34 @@ grub_lvm_check_flag (char *p, const char *str, const char *flag) | ||
76 | } | ||
77 | } | ||
78 | |||
79 | +static void | ||
80 | +grub_lvm_free_cache_lvs (struct cache_lv *cache_lvs) | ||
81 | +{ | ||
82 | + struct cache_lv *cache; | ||
83 | + | ||
84 | + while ((cache = cache_lvs)) | ||
85 | + { | ||
86 | + cache_lvs = cache_lvs->next; | ||
87 | + | ||
88 | + if (cache->lv) | ||
89 | + { | ||
90 | + unsigned int i; | ||
91 | + | ||
92 | + for (i = 0; i < cache->lv->segment_count; ++i) | ||
93 | + if (cache->lv->segments) | ||
94 | + grub_free (cache->lv->segments[i].nodes); | ||
95 | + grub_free (cache->lv->segments); | ||
96 | + grub_free (cache->lv->fullname); | ||
97 | + grub_free (cache->lv->idname); | ||
98 | + grub_free (cache->lv->name); | ||
99 | + } | ||
100 | + grub_free (cache->lv); | ||
101 | + grub_free (cache->origin); | ||
102 | + grub_free (cache->cache_pool); | ||
103 | + grub_free (cache); | ||
104 | + } | ||
105 | +} | ||
106 | + | ||
107 | static struct grub_diskfilter_vg * | ||
108 | grub_lvm_detect (grub_disk_t disk, | ||
109 | struct grub_diskfilter_pv_id *id, | ||
110 | @@ -242,6 +278,8 @@ grub_lvm_detect (grub_disk_t disk, | ||
111 | |||
112 | if (! vg) | ||
113 | { | ||
114 | + struct cache_lv *cache_lvs = NULL; | ||
115 | + | ||
116 | /* First time we see this volume group. We've to create the | ||
117 | whole volume group structure. */ | ||
118 | vg = grub_malloc (sizeof (*vg)); | ||
119 | @@ -671,6 +709,106 @@ grub_lvm_detect (grub_disk_t disk, | ||
120 | seg->nodes[seg->node_count - 1].name = tmp; | ||
121 | } | ||
122 | } | ||
123 | + else if (grub_memcmp (p, "cache\"", | ||
124 | + sizeof ("cache\"") - 1) == 0) | ||
125 | + { | ||
126 | + struct cache_lv *cache = NULL; | ||
127 | + | ||
128 | + char *p2, *p3; | ||
129 | + grub_size_t sz; | ||
130 | + | ||
131 | + cache = grub_zalloc (sizeof (*cache)); | ||
132 | + if (!cache) | ||
133 | + goto cache_lv_fail; | ||
134 | + cache->lv = grub_zalloc (sizeof (*cache->lv)); | ||
135 | + if (!cache->lv) | ||
136 | + goto cache_lv_fail; | ||
137 | + grub_memcpy (cache->lv, lv, sizeof (*cache->lv)); | ||
138 | + | ||
139 | + if (lv->fullname) | ||
140 | + { | ||
141 | + cache->lv->fullname = grub_strdup (lv->fullname); | ||
142 | + if (!cache->lv->fullname) | ||
143 | + goto cache_lv_fail; | ||
144 | + } | ||
145 | + if (lv->idname) | ||
146 | + { | ||
147 | + cache->lv->idname = grub_strdup (lv->idname); | ||
148 | + if (!cache->lv->idname) | ||
149 | + goto cache_lv_fail; | ||
150 | + } | ||
151 | + if (lv->name) | ||
152 | + { | ||
153 | + cache->lv->name = grub_strdup (lv->name); | ||
154 | + if (!cache->lv->name) | ||
155 | + goto cache_lv_fail; | ||
156 | + } | ||
157 | + | ||
158 | + skip_lv = 1; | ||
159 | + | ||
160 | + p2 = grub_strstr (p, "cache_pool = \""); | ||
161 | + if (!p2) | ||
162 | + goto cache_lv_fail; | ||
163 | + | ||
164 | + p2 = grub_strchr (p2, '"'); | ||
165 | + if (!p2) | ||
166 | + goto cache_lv_fail; | ||
167 | + | ||
168 | + p3 = ++p2; | ||
169 | + p3 = grub_strchr (p3, '"'); | ||
170 | + if (!p3) | ||
171 | + goto cache_lv_fail; | ||
172 | + | ||
173 | + sz = p3 - p2; | ||
174 | + | ||
175 | + cache->cache_pool = grub_malloc (sz + 1); | ||
176 | + if (!cache->cache_pool) | ||
177 | + goto cache_lv_fail; | ||
178 | + grub_memcpy (cache->cache_pool, p2, sz); | ||
179 | + cache->cache_pool[sz] = '\0'; | ||
180 | + | ||
181 | + p2 = grub_strstr (p, "origin = \""); | ||
182 | + if (!p2) | ||
183 | + goto cache_lv_fail; | ||
184 | + | ||
185 | + p2 = grub_strchr (p2, '"'); | ||
186 | + if (!p2) | ||
187 | + goto cache_lv_fail; | ||
188 | + | ||
189 | + p3 = ++p2; | ||
190 | + p3 = grub_strchr (p3, '"'); | ||
191 | + if (!p3) | ||
192 | + goto cache_lv_fail; | ||
193 | + | ||
194 | + sz = p3 - p2; | ||
195 | + | ||
196 | + cache->origin = grub_malloc (sz + 1); | ||
197 | + if (!cache->origin) | ||
198 | + goto cache_lv_fail; | ||
199 | + grub_memcpy (cache->origin, p2, sz); | ||
200 | + cache->origin[sz] = '\0'; | ||
201 | + | ||
202 | + cache->next = cache_lvs; | ||
203 | + cache_lvs = cache; | ||
204 | + break; | ||
205 | + | ||
206 | + cache_lv_fail: | ||
207 | + if (cache) | ||
208 | + { | ||
209 | + grub_free (cache->origin); | ||
210 | + grub_free (cache->cache_pool); | ||
211 | + if (cache->lv) | ||
212 | + { | ||
213 | + grub_free (cache->lv->fullname); | ||
214 | + grub_free (cache->lv->idname); | ||
215 | + grub_free (cache->lv->name); | ||
216 | + } | ||
217 | + grub_free (cache->lv); | ||
218 | + grub_free (cache); | ||
219 | + } | ||
220 | + grub_lvm_free_cache_lvs (cache_lvs); | ||
221 | + goto fail4; | ||
222 | + } | ||
223 | else | ||
224 | { | ||
225 | #ifdef GRUB_UTIL | ||
226 | @@ -747,6 +885,58 @@ grub_lvm_detect (grub_disk_t disk, | ||
227 | } | ||
228 | |||
229 | } | ||
230 | + | ||
231 | + { | ||
232 | + struct cache_lv *cache; | ||
233 | + | ||
234 | + for (cache = cache_lvs; cache; cache = cache->next) | ||
235 | + { | ||
236 | + struct grub_diskfilter_lv *lv; | ||
237 | + | ||
238 | + for (lv = vg->lvs; lv; lv = lv->next) | ||
239 | + if (grub_strcmp (lv->name, cache->origin) == 0) | ||
240 | + break; | ||
241 | + if (lv) | ||
242 | + { | ||
243 | + cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments)); | ||
244 | + if (!cache->lv->segments) | ||
245 | + { | ||
246 | + grub_lvm_free_cache_lvs (cache_lvs); | ||
247 | + goto fail4; | ||
248 | + } | ||
249 | + grub_memcpy (cache->lv->segments, lv->segments, lv->segment_count * sizeof (*lv->segments)); | ||
250 | + | ||
251 | + for (i = 0; i < lv->segment_count; ++i) | ||
252 | + { | ||
253 | + struct grub_diskfilter_node *nodes = lv->segments[i].nodes; | ||
254 | + grub_size_t node_count = lv->segments[i].node_count; | ||
255 | + | ||
256 | + cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes)); | ||
257 | + if (!cache->lv->segments[i].nodes) | ||
258 | + { | ||
259 | + for (j = 0; j < i; ++j) | ||
260 | + grub_free (cache->lv->segments[j].nodes); | ||
261 | + grub_free (cache->lv->segments); | ||
262 | + cache->lv->segments = NULL; | ||
263 | + grub_lvm_free_cache_lvs (cache_lvs); | ||
264 | + goto fail4; | ||
265 | + } | ||
266 | + grub_memcpy (cache->lv->segments[i].nodes, nodes, node_count * sizeof (*nodes)); | ||
267 | + } | ||
268 | + | ||
269 | + if (cache->lv->segments) | ||
270 | + { | ||
271 | + cache->lv->segment_count = lv->segment_count; | ||
272 | + cache->lv->vg = vg; | ||
273 | + cache->lv->next = vg->lvs; | ||
274 | + vg->lvs = cache->lv; | ||
275 | + cache->lv = NULL; | ||
276 | + } | ||
277 | + } | ||
278 | + } | ||
279 | + } | ||
280 | + | ||
281 | + grub_lvm_free_cache_lvs (cache_lvs); | ||
282 | if (grub_diskfilter_vg_register (vg)) | ||
283 | goto fail4; | ||
284 | } | ||
285 | -- | ||
286 | 2.14.4 | ||
287 | |||
diff --git a/meta/recipes-bsp/grub/files/0003-calloc-Use-calloc-at-most-places.patch b/meta/recipes-bsp/grub/files/0003-calloc-Use-calloc-at-most-places.patch new file mode 100644 index 0000000000..eb3e42c3af --- /dev/null +++ b/meta/recipes-bsp/grub/files/0003-calloc-Use-calloc-at-most-places.patch | |||
@@ -0,0 +1,1859 @@ | |||
1 | From bcdd6a55952222ec9829a59348240a4f983b0b56 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Jones <pjones@redhat.com> | ||
3 | Date: Mon, 15 Jun 2020 12:26:01 -0400 | ||
4 | Subject: [PATCH 4/9] calloc: Use calloc() at most places | ||
5 | |||
6 | This modifies most of the places we do some form of: | ||
7 | |||
8 | X = malloc(Y * Z); | ||
9 | |||
10 | to use calloc(Y, Z) instead. | ||
11 | |||
12 | Among other issues, this fixes: | ||
13 | - allocation of integer overflow in grub_png_decode_image_header() | ||
14 | reported by Chris Coulson, | ||
15 | - allocation of integer overflow in luks_recover_key() | ||
16 | reported by Chris Coulson, | ||
17 | - allocation of integer overflow in grub_lvm_detect() | ||
18 | reported by Chris Coulson. | ||
19 | |||
20 | Fixes: CVE-2020-14308 | ||
21 | |||
22 | Upstream-Status: Backport [commit f725fa7cb2ece547c5af01eeeecfe8d95802ed41 | ||
23 | from https://git.savannah.gnu.org/git/grub.git] | ||
24 | |||
25 | Signed-off-by: Peter Jones <pjones@redhat.com> | ||
26 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
27 | [YL: don't patch on grub-core/lib/json/json.c, which is not existing in grub 2.04] | ||
28 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
29 | --- | ||
30 | grub-core/bus/usb/usbhub.c | 8 ++++---- | ||
31 | grub-core/commands/efi/lsefisystab.c | 3 ++- | ||
32 | grub-core/commands/legacycfg.c | 6 +++--- | ||
33 | grub-core/commands/menuentry.c | 2 +- | ||
34 | grub-core/commands/nativedisk.c | 2 +- | ||
35 | grub-core/commands/parttool.c | 12 +++++++++--- | ||
36 | grub-core/commands/regexp.c | 2 +- | ||
37 | grub-core/commands/search_wrap.c | 2 +- | ||
38 | grub-core/disk/diskfilter.c | 4 ++-- | ||
39 | grub-core/disk/ieee1275/ofdisk.c | 2 +- | ||
40 | grub-core/disk/ldm.c | 14 +++++++------- | ||
41 | grub-core/disk/luks.c | 2 +- | ||
42 | grub-core/disk/lvm.c | 12 ++++++------ | ||
43 | grub-core/disk/xen/xendisk.c | 2 +- | ||
44 | grub-core/efiemu/loadcore.c | 2 +- | ||
45 | grub-core/efiemu/mm.c | 6 +++--- | ||
46 | grub-core/font/font.c | 3 +-- | ||
47 | grub-core/fs/affs.c | 6 +++--- | ||
48 | grub-core/fs/btrfs.c | 6 +++--- | ||
49 | grub-core/fs/hfs.c | 2 +- | ||
50 | grub-core/fs/hfsplus.c | 6 +++--- | ||
51 | grub-core/fs/iso9660.c | 2 +- | ||
52 | grub-core/fs/ntfs.c | 4 ++-- | ||
53 | grub-core/fs/sfs.c | 2 +- | ||
54 | grub-core/fs/tar.c | 2 +- | ||
55 | grub-core/fs/udf.c | 4 ++-- | ||
56 | grub-core/fs/zfs/zfs.c | 4 ++-- | ||
57 | grub-core/gfxmenu/gui_string_util.c | 2 +- | ||
58 | grub-core/gfxmenu/widget-box.c | 4 ++-- | ||
59 | grub-core/io/gzio.c | 2 +- | ||
60 | grub-core/kern/efi/efi.c | 6 +++--- | ||
61 | grub-core/kern/emu/hostdisk.c | 2 +- | ||
62 | grub-core/kern/fs.c | 2 +- | ||
63 | grub-core/kern/misc.c | 2 +- | ||
64 | grub-core/kern/parser.c | 2 +- | ||
65 | grub-core/kern/uboot/uboot.c | 2 +- | ||
66 | grub-core/lib/libgcrypt/cipher/ac.c | 8 ++++---- | ||
67 | grub-core/lib/libgcrypt/cipher/primegen.c | 4 ++-- | ||
68 | grub-core/lib/libgcrypt/cipher/pubkey.c | 4 ++-- | ||
69 | grub-core/lib/priority_queue.c | 2 +- | ||
70 | grub-core/lib/reed_solomon.c | 7 +++---- | ||
71 | grub-core/lib/relocator.c | 10 +++++----- | ||
72 | grub-core/lib/zstd/fse_decompress.c | 2 +- | ||
73 | grub-core/loader/arm/linux.c | 2 +- | ||
74 | grub-core/loader/efi/chainloader.c | 2 +- | ||
75 | grub-core/loader/i386/bsdXX.c | 2 +- | ||
76 | grub-core/loader/i386/xnu.c | 4 ++-- | ||
77 | grub-core/loader/macho.c | 2 +- | ||
78 | grub-core/loader/multiboot_elfxx.c | 2 +- | ||
79 | grub-core/loader/xnu.c | 2 +- | ||
80 | grub-core/mmap/mmap.c | 4 ++-- | ||
81 | grub-core/net/bootp.c | 2 +- | ||
82 | grub-core/net/dns.c | 10 +++++----- | ||
83 | grub-core/net/net.c | 4 ++-- | ||
84 | grub-core/normal/charset.c | 10 +++++----- | ||
85 | grub-core/normal/cmdline.c | 14 +++++++------- | ||
86 | grub-core/normal/menu_entry.c | 14 +++++++------- | ||
87 | grub-core/normal/menu_text.c | 4 ++-- | ||
88 | grub-core/normal/term.c | 4 ++-- | ||
89 | grub-core/osdep/linux/getroot.c | 6 +++--- | ||
90 | grub-core/osdep/unix/config.c | 2 +- | ||
91 | grub-core/osdep/windows/getroot.c | 2 +- | ||
92 | grub-core/osdep/windows/hostdisk.c | 4 ++-- | ||
93 | grub-core/osdep/windows/init.c | 2 +- | ||
94 | grub-core/osdep/windows/platform.c | 4 ++-- | ||
95 | grub-core/osdep/windows/relpath.c | 2 +- | ||
96 | grub-core/partmap/gpt.c | 2 +- | ||
97 | grub-core/partmap/msdos.c | 2 +- | ||
98 | grub-core/script/execute.c | 2 +- | ||
99 | grub-core/tests/fake_input.c | 2 +- | ||
100 | grub-core/tests/video_checksum.c | 6 +++--- | ||
101 | grub-core/video/capture.c | 2 +- | ||
102 | grub-core/video/emu/sdl.c | 2 +- | ||
103 | grub-core/video/i386/pc/vga.c | 2 +- | ||
104 | grub-core/video/readers/png.c | 2 +- | ||
105 | include/grub/unicode.h | 4 ++-- | ||
106 | util/getroot.c | 2 +- | ||
107 | util/grub-file.c | 2 +- | ||
108 | util/grub-fstest.c | 4 ++-- | ||
109 | util/grub-install-common.c | 2 +- | ||
110 | util/grub-install.c | 4 ++-- | ||
111 | util/grub-mkimagexx.c | 6 ++---- | ||
112 | util/grub-mkrescue.c | 4 ++-- | ||
113 | util/grub-mkstandalone.c | 2 +- | ||
114 | util/grub-pe2elf.c | 12 +++++------- | ||
115 | util/grub-probe.c | 4 ++-- | ||
116 | 86 files changed, 178 insertions(+), 177 deletions(-) | ||
117 | |||
118 | diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c | ||
119 | index 34a7ff1..a06cce3 100644 | ||
120 | --- a/grub-core/bus/usb/usbhub.c | ||
121 | +++ b/grub-core/bus/usb/usbhub.c | ||
122 | @@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev) | ||
123 | grub_usb_set_configuration (dev, 1); | ||
124 | |||
125 | dev->nports = hubdesc.portcnt; | ||
126 | - dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0])); | ||
127 | - dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0])); | ||
128 | + dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0])); | ||
129 | + dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0])); | ||
130 | if (!dev->children || !dev->ports) | ||
131 | { | ||
132 | grub_free (dev->children); | ||
133 | @@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d | ||
134 | |||
135 | /* Query the number of ports the root Hub has. */ | ||
136 | hub->nports = controller->dev->hubports (controller); | ||
137 | - hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports); | ||
138 | - hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports); | ||
139 | + hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0])); | ||
140 | + hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0])); | ||
141 | if (!hub->devices || !hub->ports) | ||
142 | { | ||
143 | grub_free (hub->devices); | ||
144 | diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c | ||
145 | index df10302..cd81507 100644 | ||
146 | --- a/grub-core/commands/efi/lsefisystab.c | ||
147 | +++ b/grub-core/commands/efi/lsefisystab.c | ||
148 | @@ -71,7 +71,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)), | ||
149 | grub_printf ("Vendor: "); | ||
150 | |||
151 | for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++); | ||
152 | - vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1); | ||
153 | + /* Allocate extra 3 bytes to simplify math. */ | ||
154 | + vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1); | ||
155 | if (!vendor) | ||
156 | return grub_errno; | ||
157 | *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor, | ||
158 | diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c | ||
159 | index db7a8f0..5e3ec0d 100644 | ||
160 | --- a/grub-core/commands/legacycfg.c | ||
161 | +++ b/grub-core/commands/legacycfg.c | ||
162 | @@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)), | ||
163 | if (argc < 2) | ||
164 | return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); | ||
165 | |||
166 | - cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1)); | ||
167 | + cutargs = grub_calloc (argc - 1, sizeof (cutargs[0])); | ||
168 | if (!cutargs) | ||
169 | return grub_errno; | ||
170 | cutargc = argc - 1; | ||
171 | @@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)), | ||
172 | { | ||
173 | char rbuf[3] = "-r"; | ||
174 | bsdargc = cutargc + 2; | ||
175 | - bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc); | ||
176 | + bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0])); | ||
177 | if (!bsdargs) | ||
178 | { | ||
179 | err = grub_errno; | ||
180 | @@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused | ||
181 | return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"), | ||
182 | "module"); | ||
183 | |||
184 | - newargs = grub_malloc ((argc + 1) * sizeof (newargs[0])); | ||
185 | + newargs = grub_calloc (argc + 1, sizeof (newargs[0])); | ||
186 | if (!newargs) | ||
187 | return grub_errno; | ||
188 | grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0])); | ||
189 | diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c | ||
190 | index 2c5363d..9164df7 100644 | ||
191 | --- a/grub-core/commands/menuentry.c | ||
192 | +++ b/grub-core/commands/menuentry.c | ||
193 | @@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args, | ||
194 | goto fail; | ||
195 | |||
196 | /* Save argc, args to pass as parameters to block arg later. */ | ||
197 | - menu_args = grub_malloc (sizeof (char*) * (argc + 1)); | ||
198 | + menu_args = grub_calloc (argc + 1, sizeof (char *)); | ||
199 | if (! menu_args) | ||
200 | goto fail; | ||
201 | |||
202 | diff --git a/grub-core/commands/nativedisk.c b/grub-core/commands/nativedisk.c | ||
203 | index 699447d..7c8f97f 100644 | ||
204 | --- a/grub-core/commands/nativedisk.c | ||
205 | +++ b/grub-core/commands/nativedisk.c | ||
206 | @@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)), | ||
207 | else | ||
208 | path_prefix = prefix; | ||
209 | |||
210 | - mods = grub_malloc (argc * sizeof (mods[0])); | ||
211 | + mods = grub_calloc (argc, sizeof (mods[0])); | ||
212 | if (!mods) | ||
213 | return grub_errno; | ||
214 | |||
215 | diff --git a/grub-core/commands/parttool.c b/grub-core/commands/parttool.c | ||
216 | index 22b46b1..051e313 100644 | ||
217 | --- a/grub-core/commands/parttool.c | ||
218 | +++ b/grub-core/commands/parttool.c | ||
219 | @@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name, | ||
220 | for (nargs = 0; args[nargs].name != 0; nargs++); | ||
221 | cur->nargs = nargs; | ||
222 | cur->args = (struct grub_parttool_argdesc *) | ||
223 | - grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc)); | ||
224 | + grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc)); | ||
225 | + if (!cur->args) | ||
226 | + { | ||
227 | + grub_free (cur); | ||
228 | + curhandle--; | ||
229 | + return -1; | ||
230 | + } | ||
231 | grub_memcpy (cur->args, args, | ||
232 | (nargs + 1) * sizeof (struct grub_parttool_argdesc)); | ||
233 | |||
234 | @@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)), | ||
235 | return err; | ||
236 | } | ||
237 | |||
238 | - parsed = (int *) grub_zalloc (argc * sizeof (int)); | ||
239 | + parsed = (int *) grub_calloc (argc, sizeof (int)); | ||
240 | |||
241 | for (i = 1; i < argc; i++) | ||
242 | if (! parsed[i]) | ||
243 | @@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)), | ||
244 | } | ||
245 | ptool = cur; | ||
246 | pargs = (struct grub_parttool_args *) | ||
247 | - grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args)); | ||
248 | + grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args)); | ||
249 | for (j = i; j < argc; j++) | ||
250 | if (! parsed[j]) | ||
251 | { | ||
252 | diff --git a/grub-core/commands/regexp.c b/grub-core/commands/regexp.c | ||
253 | index f00b184..4019164 100644 | ||
254 | --- a/grub-core/commands/regexp.c | ||
255 | +++ b/grub-core/commands/regexp.c | ||
256 | @@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args) | ||
257 | if (ret) | ||
258 | goto fail; | ||
259 | |||
260 | - matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1)); | ||
261 | + matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches)); | ||
262 | if (! matches) | ||
263 | goto fail; | ||
264 | |||
265 | diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c | ||
266 | index d7fd26b..47fc8eb 100644 | ||
267 | --- a/grub-core/commands/search_wrap.c | ||
268 | +++ b/grub-core/commands/search_wrap.c | ||
269 | @@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args) | ||
270 | for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++) | ||
271 | nhints++; | ||
272 | |||
273 | - hints = grub_malloc (sizeof (hints[0]) * nhints); | ||
274 | + hints = grub_calloc (nhints, sizeof (hints[0])); | ||
275 | if (!hints) | ||
276 | return grub_errno; | ||
277 | j = 0; | ||
278 | diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c | ||
279 | index c3b578a..68ca9e0 100644 | ||
280 | --- a/grub-core/disk/diskfilter.c | ||
281 | +++ b/grub-core/disk/diskfilter.c | ||
282 | @@ -1134,7 +1134,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb, | ||
283 | array->lvs->segments->node_count = nmemb; | ||
284 | array->lvs->segments->raid_member_size = disk_size; | ||
285 | array->lvs->segments->nodes | ||
286 | - = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0])); | ||
287 | + = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0])); | ||
288 | array->lvs->segments->stripe_size = stripe_size; | ||
289 | for (i = 0; i < nmemb; i++) | ||
290 | { | ||
291 | @@ -1226,7 +1226,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id, | ||
292 | grub_partition_t p; | ||
293 | for (p = disk->partition; p; p = p->parent) | ||
294 | s++; | ||
295 | - pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0])); | ||
296 | + pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0])); | ||
297 | s = 0; | ||
298 | for (p = disk->partition; p; p = p->parent) | ||
299 | pv->partmaps[s++] = xstrdup (p->partmap->name); | ||
300 | diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c | ||
301 | index f73257e..03674cb 100644 | ||
302 | --- a/grub-core/disk/ieee1275/ofdisk.c | ||
303 | +++ b/grub-core/disk/ieee1275/ofdisk.c | ||
304 | @@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias) | ||
305 | /* Power machines documentation specify 672 as maximum SAS disks in | ||
306 | one system. Using a slightly larger value to be safe. */ | ||
307 | table_size = 768; | ||
308 | - table = grub_malloc (table_size * sizeof (grub_uint64_t)); | ||
309 | + table = grub_calloc (table_size, sizeof (grub_uint64_t)); | ||
310 | |||
311 | if (!table) | ||
312 | { | ||
313 | diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c | ||
314 | index 2a22d2d..e632370 100644 | ||
315 | --- a/grub-core/disk/ldm.c | ||
316 | +++ b/grub-core/disk/ldm.c | ||
317 | @@ -323,8 +323,8 @@ make_vg (grub_disk_t disk, | ||
318 | lv->segments->type = GRUB_DISKFILTER_MIRROR; | ||
319 | lv->segments->node_count = 0; | ||
320 | lv->segments->node_alloc = 8; | ||
321 | - lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes) | ||
322 | - * lv->segments->node_alloc); | ||
323 | + lv->segments->nodes = grub_calloc (lv->segments->node_alloc, | ||
324 | + sizeof (*lv->segments->nodes)); | ||
325 | if (!lv->segments->nodes) | ||
326 | goto fail2; | ||
327 | ptr = vblk[i].dynamic; | ||
328 | @@ -543,8 +543,8 @@ make_vg (grub_disk_t disk, | ||
329 | { | ||
330 | comp->segment_alloc = 8; | ||
331 | comp->segment_count = 0; | ||
332 | - comp->segments = grub_malloc (sizeof (*comp->segments) | ||
333 | - * comp->segment_alloc); | ||
334 | + comp->segments = grub_calloc (comp->segment_alloc, | ||
335 | + sizeof (*comp->segments)); | ||
336 | if (!comp->segments) | ||
337 | goto fail2; | ||
338 | } | ||
339 | @@ -590,8 +590,8 @@ make_vg (grub_disk_t disk, | ||
340 | } | ||
341 | comp->segments->node_count = read_int (ptr + 1, *ptr); | ||
342 | comp->segments->node_alloc = comp->segments->node_count; | ||
343 | - comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes) | ||
344 | - * comp->segments->node_alloc); | ||
345 | + comp->segments->nodes = grub_calloc (comp->segments->node_alloc, | ||
346 | + sizeof (*comp->segments->nodes)); | ||
347 | if (!lv->segments->nodes) | ||
348 | goto fail2; | ||
349 | } | ||
350 | @@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors, | ||
351 | *nsectors = lv->size; | ||
352 | if (*nsectors > max_nsectors) | ||
353 | *nsectors = max_nsectors; | ||
354 | - *sectors = grub_malloc (*nsectors * sizeof (**sectors)); | ||
355 | + *sectors = grub_calloc (*nsectors, sizeof (**sectors)); | ||
356 | if (!*sectors) | ||
357 | return grub_errno; | ||
358 | for (i = 0; i < *nsectors; i++) | ||
359 | diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c | ||
360 | index 86c50c6..18b3a8b 100644 | ||
361 | --- a/grub-core/disk/luks.c | ||
362 | +++ b/grub-core/disk/luks.c | ||
363 | @@ -336,7 +336,7 @@ luks_recover_key (grub_disk_t source, | ||
364 | && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes) | ||
365 | max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes); | ||
366 | |||
367 | - split_key = grub_malloc (keysize * max_stripes); | ||
368 | + split_key = grub_calloc (keysize, max_stripes); | ||
369 | if (!split_key) | ||
370 | return grub_errno; | ||
371 | |||
372 | diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c | ||
373 | index dc6b83b..7b5fbbc 100644 | ||
374 | --- a/grub-core/disk/lvm.c | ||
375 | +++ b/grub-core/disk/lvm.c | ||
376 | @@ -209,7 +209,7 @@ grub_lvm_detect (grub_disk_t disk, | ||
377 | first one. */ | ||
378 | |||
379 | /* Allocate buffer space for the circular worst-case scenario. */ | ||
380 | - metadatabuf = grub_malloc (2 * mda_size); | ||
381 | + metadatabuf = grub_calloc (2, mda_size); | ||
382 | if (! metadatabuf) | ||
383 | goto fail; | ||
384 | |||
385 | @@ -464,7 +464,7 @@ grub_lvm_detect (grub_disk_t disk, | ||
386 | #endif | ||
387 | goto lvs_fail; | ||
388 | } | ||
389 | - lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count); | ||
390 | + lv->segments = grub_calloc (lv->segment_count, sizeof (*seg)); | ||
391 | seg = lv->segments; | ||
392 | |||
393 | for (i = 0; i < lv->segment_count; i++) | ||
394 | @@ -521,8 +521,8 @@ grub_lvm_detect (grub_disk_t disk, | ||
395 | if (seg->node_count != 1) | ||
396 | seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = "); | ||
397 | |||
398 | - seg->nodes = grub_zalloc (sizeof (*stripe) | ||
399 | - * seg->node_count); | ||
400 | + seg->nodes = grub_calloc (seg->node_count, | ||
401 | + sizeof (*stripe)); | ||
402 | stripe = seg->nodes; | ||
403 | |||
404 | p = grub_strstr (p, "stripes = ["); | ||
405 | @@ -898,7 +898,7 @@ grub_lvm_detect (grub_disk_t disk, | ||
406 | break; | ||
407 | if (lv) | ||
408 | { | ||
409 | - cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments)); | ||
410 | + cache->lv->segments = grub_calloc (lv->segment_count, sizeof (*lv->segments)); | ||
411 | if (!cache->lv->segments) | ||
412 | { | ||
413 | grub_lvm_free_cache_lvs (cache_lvs); | ||
414 | @@ -911,7 +911,7 @@ grub_lvm_detect (grub_disk_t disk, | ||
415 | struct grub_diskfilter_node *nodes = lv->segments[i].nodes; | ||
416 | grub_size_t node_count = lv->segments[i].node_count; | ||
417 | |||
418 | - cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes)); | ||
419 | + cache->lv->segments[i].nodes = grub_calloc (node_count, sizeof (*nodes)); | ||
420 | if (!cache->lv->segments[i].nodes) | ||
421 | { | ||
422 | for (j = 0; j < i; ++j) | ||
423 | diff --git a/grub-core/disk/xen/xendisk.c b/grub-core/disk/xen/xendisk.c | ||
424 | index 48476cb..d6612ee 100644 | ||
425 | --- a/grub-core/disk/xen/xendisk.c | ||
426 | +++ b/grub-core/disk/xen/xendisk.c | ||
427 | @@ -426,7 +426,7 @@ grub_xendisk_init (void) | ||
428 | if (!ctr) | ||
429 | return; | ||
430 | |||
431 | - virtdisks = grub_malloc (ctr * sizeof (virtdisks[0])); | ||
432 | + virtdisks = grub_calloc (ctr, sizeof (virtdisks[0])); | ||
433 | if (!virtdisks) | ||
434 | return; | ||
435 | if (grub_xenstore_dir ("device/vbd", fill, &ctr)) | ||
436 | diff --git a/grub-core/efiemu/loadcore.c b/grub-core/efiemu/loadcore.c | ||
437 | index 44085ef..2b92462 100644 | ||
438 | --- a/grub-core/efiemu/loadcore.c | ||
439 | +++ b/grub-core/efiemu/loadcore.c | ||
440 | @@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e) | ||
441 | |||
442 | grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize; | ||
443 | grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *) | ||
444 | - grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms); | ||
445 | + grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym)); | ||
446 | |||
447 | /* Relocators */ | ||
448 | for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff); | ||
449 | diff --git a/grub-core/efiemu/mm.c b/grub-core/efiemu/mm.c | ||
450 | index 52a032f..9b8e0d0 100644 | ||
451 | --- a/grub-core/efiemu/mm.c | ||
452 | +++ b/grub-core/efiemu/mm.c | ||
453 | @@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void) | ||
454 | /* Initialize variables*/ | ||
455 | grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE); | ||
456 | scanline_events = (struct grub_efiemu_mmap_scan *) | ||
457 | - grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num); | ||
458 | + grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2); | ||
459 | |||
460 | /* Number of chunks can't increase more than by factor of 2 */ | ||
461 | result = (grub_efi_memory_descriptor_t *) | ||
462 | - grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num); | ||
463 | + grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2); | ||
464 | if (!result || !scanline_events) | ||
465 | { | ||
466 | grub_free (result); | ||
467 | @@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void) | ||
468 | |||
469 | /* Preallocate mmap */ | ||
470 | efiemu_mmap = (grub_efi_memory_descriptor_t *) | ||
471 | - grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t)); | ||
472 | + grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t)); | ||
473 | if (!efiemu_mmap) | ||
474 | { | ||
475 | grub_efiemu_unload (); | ||
476 | diff --git a/grub-core/font/font.c b/grub-core/font/font.c | ||
477 | index 85a2925..8e118b3 100644 | ||
478 | --- a/grub-core/font/font.c | ||
479 | +++ b/grub-core/font/font.c | ||
480 | @@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct | ||
481 | font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE; | ||
482 | |||
483 | /* Allocate the character index array. */ | ||
484 | - font->char_index = grub_malloc (font->num_chars | ||
485 | - * sizeof (struct char_index_entry)); | ||
486 | + font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry)); | ||
487 | if (!font->char_index) | ||
488 | return 1; | ||
489 | font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t)); | ||
490 | diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c | ||
491 | index 6b6a2bc..220b371 100644 | ||
492 | --- a/grub-core/fs/affs.c | ||
493 | +++ b/grub-core/fs/affs.c | ||
494 | @@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node) | ||
495 | return 0; | ||
496 | } | ||
497 | latin1[symlink_size] = 0; | ||
498 | - utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1); | ||
499 | + utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size); | ||
500 | if (!utf8) | ||
501 | { | ||
502 | grub_free (latin1); | ||
503 | @@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir, | ||
504 | return 1; | ||
505 | } | ||
506 | |||
507 | - hashtable = grub_zalloc (data->htsize * sizeof (*hashtable)); | ||
508 | + hashtable = grub_calloc (data->htsize, sizeof (*hashtable)); | ||
509 | if (!hashtable) | ||
510 | return 1; | ||
511 | |||
512 | @@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label) | ||
513 | len = file.namelen; | ||
514 | if (len > sizeof (file.name)) | ||
515 | len = sizeof (file.name); | ||
516 | - *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); | ||
517 | + *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len); | ||
518 | if (*label) | ||
519 | *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0'; | ||
520 | } | ||
521 | diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c | ||
522 | index 48bd3d0..11272ef 100644 | ||
523 | --- a/grub-core/fs/btrfs.c | ||
524 | +++ b/grub-core/fs/btrfs.c | ||
525 | @@ -413,7 +413,7 @@ lower_bound (struct grub_btrfs_data *data, | ||
526 | { | ||
527 | desc->allocated = 16; | ||
528 | desc->depth = 0; | ||
529 | - desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated); | ||
530 | + desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0])); | ||
531 | if (!desc->data) | ||
532 | return grub_errno; | ||
533 | } | ||
534 | @@ -752,7 +752,7 @@ raid56_read_retry (struct grub_btrfs_data *data, | ||
535 | grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY; | ||
536 | grub_uint64_t i, failed_devices; | ||
537 | |||
538 | - buffers = grub_zalloc (sizeof(*buffers) * nstripes); | ||
539 | + buffers = grub_calloc (nstripes, sizeof (*buffers)); | ||
540 | if (!buffers) | ||
541 | goto cleanup; | ||
542 | |||
543 | @@ -2160,7 +2160,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)), | ||
544 | *nsectors = 64 * 2 - 1; | ||
545 | if (*nsectors > max_nsectors) | ||
546 | *nsectors = max_nsectors; | ||
547 | - *sectors = grub_malloc (*nsectors * sizeof (**sectors)); | ||
548 | + *sectors = grub_calloc (*nsectors, sizeof (**sectors)); | ||
549 | if (!*sectors) | ||
550 | return grub_errno; | ||
551 | for (i = 0; i < *nsectors; i++) | ||
552 | diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c | ||
553 | index ac0a409..3fe842b 100644 | ||
554 | --- a/grub-core/fs/hfs.c | ||
555 | +++ b/grub-core/fs/hfs.c | ||
556 | @@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label) | ||
557 | grub_size_t len = data->sblock.volname[0]; | ||
558 | if (len > sizeof (data->sblock.volname) - 1) | ||
559 | len = sizeof (data->sblock.volname) - 1; | ||
560 | - *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1); | ||
561 | + *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len); | ||
562 | if (*label) | ||
563 | macroman_to_utf8 (*label, data->sblock.volname + 1, | ||
564 | len + 1, 0); | ||
565 | diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c | ||
566 | index 54786bb..dae43be 100644 | ||
567 | --- a/grub-core/fs/hfsplus.c | ||
568 | +++ b/grub-core/fs/hfsplus.c | ||
569 | @@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg) | ||
570 | if (! filename) | ||
571 | return 0; | ||
572 | |||
573 | - keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname)); | ||
574 | + keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname)); | ||
575 | if (!keyname) | ||
576 | { | ||
577 | grub_free (filename); | ||
578 | @@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label) | ||
579 | grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr); | ||
580 | |||
581 | label_len = grub_be_to_cpu16 (catkey->namelen); | ||
582 | - label_name = grub_malloc (label_len * sizeof (*label_name)); | ||
583 | + label_name = grub_calloc (label_len, sizeof (*label_name)); | ||
584 | if (!label_name) | ||
585 | { | ||
586 | grub_free (node); | ||
587 | @@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label) | ||
588 | } | ||
589 | } | ||
590 | |||
591 | - *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1); | ||
592 | + *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1); | ||
593 | if (! *label) | ||
594 | { | ||
595 | grub_free (label_name); | ||
596 | diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c | ||
597 | index 49c0c63..4f1b52a 100644 | ||
598 | --- a/grub-core/fs/iso9660.c | ||
599 | +++ b/grub-core/fs/iso9660.c | ||
600 | @@ -331,7 +331,7 @@ grub_iso9660_convert_string (grub_uint8_t *us, int len) | ||
601 | int i; | ||
602 | grub_uint16_t t[MAX_NAMELEN / 2 + 1]; | ||
603 | |||
604 | - p = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1); | ||
605 | + p = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1); | ||
606 | if (! p) | ||
607 | return NULL; | ||
608 | |||
609 | diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c | ||
610 | index fc4e1f6..2f34f76 100644 | ||
611 | --- a/grub-core/fs/ntfs.c | ||
612 | +++ b/grub-core/fs/ntfs.c | ||
613 | @@ -556,8 +556,8 @@ get_utf8 (grub_uint8_t *in, grub_size_t len) | ||
614 | grub_uint16_t *tmp; | ||
615 | grub_size_t i; | ||
616 | |||
617 | - buf = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1); | ||
618 | - tmp = grub_malloc (len * sizeof (tmp[0])); | ||
619 | + buf = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1); | ||
620 | + tmp = grub_calloc (len, sizeof (tmp[0])); | ||
621 | if (!buf || !tmp) | ||
622 | { | ||
623 | grub_free (buf); | ||
624 | diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c | ||
625 | index 50c1fe7..90f7fb3 100644 | ||
626 | --- a/grub-core/fs/sfs.c | ||
627 | +++ b/grub-core/fs/sfs.c | ||
628 | @@ -266,7 +266,7 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) | ||
629 | node->next_extent = node->block; | ||
630 | node->cache_size = 0; | ||
631 | |||
632 | - node->cache = grub_malloc (sizeof (node->cache[0]) * cache_size); | ||
633 | + node->cache = grub_calloc (cache_size, sizeof (node->cache[0])); | ||
634 | if (!node->cache) | ||
635 | { | ||
636 | grub_errno = 0; | ||
637 | diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c | ||
638 | index 7d63e0c..c551ed6 100644 | ||
639 | --- a/grub-core/fs/tar.c | ||
640 | +++ b/grub-core/fs/tar.c | ||
641 | @@ -120,7 +120,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, | ||
642 | if (data->linkname_alloc < linksize + 1) | ||
643 | { | ||
644 | char *n; | ||
645 | - n = grub_malloc (2 * (linksize + 1)); | ||
646 | + n = grub_calloc (2, linksize + 1); | ||
647 | if (!n) | ||
648 | return grub_errno; | ||
649 | grub_free (data->linkname); | ||
650 | diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c | ||
651 | index dc8b6e2..a837616 100644 | ||
652 | --- a/grub-core/fs/udf.c | ||
653 | +++ b/grub-core/fs/udf.c | ||
654 | @@ -873,7 +873,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf) | ||
655 | { | ||
656 | unsigned i; | ||
657 | utf16len = sz - 1; | ||
658 | - utf16 = grub_malloc (utf16len * sizeof (utf16[0])); | ||
659 | + utf16 = grub_calloc (utf16len, sizeof (utf16[0])); | ||
660 | if (!utf16) | ||
661 | return NULL; | ||
662 | for (i = 0; i < utf16len; i++) | ||
663 | @@ -883,7 +883,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf) | ||
664 | { | ||
665 | unsigned i; | ||
666 | utf16len = (sz - 1) / 2; | ||
667 | - utf16 = grub_malloc (utf16len * sizeof (utf16[0])); | ||
668 | + utf16 = grub_calloc (utf16len, sizeof (utf16[0])); | ||
669 | if (!utf16) | ||
670 | return NULL; | ||
671 | for (i = 0; i < utf16len; i++) | ||
672 | diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c | ||
673 | index 2f72e42..381dde5 100644 | ||
674 | --- a/grub-core/fs/zfs/zfs.c | ||
675 | +++ b/grub-core/fs/zfs/zfs.c | ||
676 | @@ -3325,7 +3325,7 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol, | ||
677 | } | ||
678 | subvol->nkeys = 0; | ||
679 | zap_iterate (&keychain_dn, 8, count_zap_keys, &ctx, data); | ||
680 | - subvol->keyring = grub_zalloc (subvol->nkeys * sizeof (subvol->keyring[0])); | ||
681 | + subvol->keyring = grub_calloc (subvol->nkeys, sizeof (subvol->keyring[0])); | ||
682 | if (!subvol->keyring) | ||
683 | { | ||
684 | grub_free (fsname); | ||
685 | @@ -4336,7 +4336,7 @@ grub_zfs_embed (grub_device_t device __attribute__ ((unused)), | ||
686 | *nsectors = (VDEV_BOOT_SIZE >> GRUB_DISK_SECTOR_BITS); | ||
687 | if (*nsectors > max_nsectors) | ||
688 | *nsectors = max_nsectors; | ||
689 | - *sectors = grub_malloc (*nsectors * sizeof (**sectors)); | ||
690 | + *sectors = grub_calloc (*nsectors, sizeof (**sectors)); | ||
691 | if (!*sectors) | ||
692 | return grub_errno; | ||
693 | for (i = 0; i < *nsectors; i++) | ||
694 | diff --git a/grub-core/gfxmenu/gui_string_util.c b/grub-core/gfxmenu/gui_string_util.c | ||
695 | index a9a415e..ba1e1ea 100644 | ||
696 | --- a/grub-core/gfxmenu/gui_string_util.c | ||
697 | +++ b/grub-core/gfxmenu/gui_string_util.c | ||
698 | @@ -55,7 +55,7 @@ canonicalize_path (const char *path) | ||
699 | if (*p == '/') | ||
700 | components++; | ||
701 | |||
702 | - char **path_array = grub_malloc (components * sizeof (*path_array)); | ||
703 | + char **path_array = grub_calloc (components, sizeof (*path_array)); | ||
704 | if (! path_array) | ||
705 | return 0; | ||
706 | |||
707 | diff --git a/grub-core/gfxmenu/widget-box.c b/grub-core/gfxmenu/widget-box.c | ||
708 | index b606028..470597d 100644 | ||
709 | --- a/grub-core/gfxmenu/widget-box.c | ||
710 | +++ b/grub-core/gfxmenu/widget-box.c | ||
711 | @@ -303,10 +303,10 @@ grub_gfxmenu_create_box (const char *pixmaps_prefix, | ||
712 | box->content_height = 0; | ||
713 | box->raw_pixmaps = | ||
714 | (struct grub_video_bitmap **) | ||
715 | - grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *)); | ||
716 | + grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *)); | ||
717 | box->scaled_pixmaps = | ||
718 | (struct grub_video_bitmap **) | ||
719 | - grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *)); | ||
720 | + grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *)); | ||
721 | |||
722 | /* Initialize all pixmap pointers to NULL so that proper destruction can | ||
723 | be performed if an error is encountered partway through construction. */ | ||
724 | diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c | ||
725 | index 6208a97..43d98a7 100644 | ||
726 | --- a/grub-core/io/gzio.c | ||
727 | +++ b/grub-core/io/gzio.c | ||
728 | @@ -554,7 +554,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */ | ||
729 | z = 1 << j; /* table entries for j-bit table */ | ||
730 | |||
731 | /* allocate and link in new table */ | ||
732 | - q = (struct huft *) grub_zalloc ((z + 1) * sizeof (struct huft)); | ||
733 | + q = (struct huft *) grub_calloc (z + 1, sizeof (struct huft)); | ||
734 | if (! q) | ||
735 | { | ||
736 | if (h) | ||
737 | diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c | ||
738 | index 6e1ceb9..dc31caa 100644 | ||
739 | --- a/grub-core/kern/efi/efi.c | ||
740 | +++ b/grub-core/kern/efi/efi.c | ||
741 | @@ -202,7 +202,7 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid, | ||
742 | |||
743 | len = grub_strlen (var); | ||
744 | len16 = len * GRUB_MAX_UTF16_PER_UTF8; | ||
745 | - var16 = grub_malloc ((len16 + 1) * sizeof (var16[0])); | ||
746 | + var16 = grub_calloc (len16 + 1, sizeof (var16[0])); | ||
747 | if (!var16) | ||
748 | return grub_errno; | ||
749 | len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL); | ||
750 | @@ -237,7 +237,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid, | ||
751 | |||
752 | len = grub_strlen (var); | ||
753 | len16 = len * GRUB_MAX_UTF16_PER_UTF8; | ||
754 | - var16 = grub_malloc ((len16 + 1) * sizeof (var16[0])); | ||
755 | + var16 = grub_calloc (len16 + 1, sizeof (var16[0])); | ||
756 | if (!var16) | ||
757 | return NULL; | ||
758 | len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL); | ||
759 | @@ -383,7 +383,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0) | ||
760 | while (len > 0 && fp->path_name[len - 1] == 0) | ||
761 | len--; | ||
762 | |||
763 | - dup_name = grub_malloc (len * sizeof (*dup_name)); | ||
764 | + dup_name = grub_calloc (len, sizeof (*dup_name)); | ||
765 | if (!dup_name) | ||
766 | { | ||
767 | grub_free (name); | ||
768 | diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c | ||
769 | index e9ec680..d975265 100644 | ||
770 | --- a/grub-core/kern/emu/hostdisk.c | ||
771 | +++ b/grub-core/kern/emu/hostdisk.c | ||
772 | @@ -615,7 +615,7 @@ static char * | ||
773 | grub_util_path_concat_real (size_t n, int ext, va_list ap) | ||
774 | { | ||
775 | size_t totlen = 0; | ||
776 | - char **l = xmalloc ((n + ext) * sizeof (l[0])); | ||
777 | + char **l = xcalloc (n + ext, sizeof (l[0])); | ||
778 | char *r, *p, *pi; | ||
779 | size_t i; | ||
780 | int first = 1; | ||
781 | diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c | ||
782 | index 2b85f49..f90be65 100644 | ||
783 | --- a/grub-core/kern/fs.c | ||
784 | +++ b/grub-core/kern/fs.c | ||
785 | @@ -151,7 +151,7 @@ grub_fs_blocklist_open (grub_file_t file, const char *name) | ||
786 | while (p); | ||
787 | |||
788 | /* Allocate a block list. */ | ||
789 | - blocks = grub_zalloc (sizeof (struct grub_fs_block) * (num + 1)); | ||
790 | + blocks = grub_calloc (num + 1, sizeof (struct grub_fs_block)); | ||
791 | if (! blocks) | ||
792 | return 0; | ||
793 | |||
794 | diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c | ||
795 | index 3b633d5..a7abd36 100644 | ||
796 | --- a/grub-core/kern/misc.c | ||
797 | +++ b/grub-core/kern/misc.c | ||
798 | @@ -690,7 +690,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args, | ||
799 | args->ptr = args->prealloc; | ||
800 | else | ||
801 | { | ||
802 | - args->ptr = grub_malloc (args->count * sizeof (args->ptr[0])); | ||
803 | + args->ptr = grub_calloc (args->count, sizeof (args->ptr[0])); | ||
804 | if (!args->ptr) | ||
805 | { | ||
806 | grub_errno = GRUB_ERR_NONE; | ||
807 | diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c | ||
808 | index 78175aa..619db31 100644 | ||
809 | --- a/grub-core/kern/parser.c | ||
810 | +++ b/grub-core/kern/parser.c | ||
811 | @@ -213,7 +213,7 @@ grub_parser_split_cmdline (const char *cmdline, | ||
812 | return grub_errno; | ||
813 | grub_memcpy (args, buffer, bp - buffer); | ||
814 | |||
815 | - *argv = grub_malloc (sizeof (char *) * (*argc + 1)); | ||
816 | + *argv = grub_calloc (*argc + 1, sizeof (char *)); | ||
817 | if (!*argv) | ||
818 | { | ||
819 | grub_free (args); | ||
820 | diff --git a/grub-core/kern/uboot/uboot.c b/grub-core/kern/uboot/uboot.c | ||
821 | index be4816f..aac8f9a 100644 | ||
822 | --- a/grub-core/kern/uboot/uboot.c | ||
823 | +++ b/grub-core/kern/uboot/uboot.c | ||
824 | @@ -133,7 +133,7 @@ grub_uboot_dev_enum (void) | ||
825 | return num_devices; | ||
826 | |||
827 | max_devices = 2; | ||
828 | - enum_devices = grub_malloc (sizeof(struct device_info) * max_devices); | ||
829 | + enum_devices = grub_calloc (max_devices, sizeof(struct device_info)); | ||
830 | if (!enum_devices) | ||
831 | return 0; | ||
832 | |||
833 | diff --git a/grub-core/lib/libgcrypt/cipher/ac.c b/grub-core/lib/libgcrypt/cipher/ac.c | ||
834 | index f5e946a..63f6fcd 100644 | ||
835 | --- a/grub-core/lib/libgcrypt/cipher/ac.c | ||
836 | +++ b/grub-core/lib/libgcrypt/cipher/ac.c | ||
837 | @@ -185,7 +185,7 @@ ac_data_mpi_copy (gcry_ac_mpi_t *data_mpis, unsigned int data_mpis_n, | ||
838 | gcry_mpi_t mpi; | ||
839 | char *label; | ||
840 | |||
841 | - data_mpis_new = gcry_malloc (sizeof (*data_mpis_new) * data_mpis_n); | ||
842 | + data_mpis_new = gcry_calloc (data_mpis_n, sizeof (*data_mpis_new)); | ||
843 | if (! data_mpis_new) | ||
844 | { | ||
845 | err = gcry_error_from_errno (errno); | ||
846 | @@ -572,7 +572,7 @@ _gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp, | ||
847 | } | ||
848 | |||
849 | /* Add MPI list. */ | ||
850 | - arg_list = gcry_malloc (sizeof (*arg_list) * (data_n + 1)); | ||
851 | + arg_list = gcry_calloc (data_n + 1, sizeof (*arg_list)); | ||
852 | if (! arg_list) | ||
853 | { | ||
854 | err = gcry_error_from_errno (errno); | ||
855 | @@ -1283,7 +1283,7 @@ ac_data_construct (const char *identifier, int include_flags, | ||
856 | /* We build a list of arguments to pass to | ||
857 | gcry_sexp_build_array(). */ | ||
858 | data_length = _gcry_ac_data_length (data); | ||
859 | - arg_list = gcry_malloc (sizeof (*arg_list) * (data_length * 2)); | ||
860 | + arg_list = gcry_calloc (data_length, sizeof (*arg_list) * 2); | ||
861 | if (! arg_list) | ||
862 | { | ||
863 | err = gcry_error_from_errno (errno); | ||
864 | @@ -1593,7 +1593,7 @@ _gcry_ac_key_pair_generate (gcry_ac_handle_t handle, unsigned int nbits, | ||
865 | arg_list_n += 2; | ||
866 | |||
867 | /* Allocate list. */ | ||
868 | - arg_list = gcry_malloc (sizeof (*arg_list) * arg_list_n); | ||
869 | + arg_list = gcry_calloc (arg_list_n, sizeof (*arg_list)); | ||
870 | if (! arg_list) | ||
871 | { | ||
872 | err = gcry_error_from_errno (errno); | ||
873 | diff --git a/grub-core/lib/libgcrypt/cipher/primegen.c b/grub-core/lib/libgcrypt/cipher/primegen.c | ||
874 | index 2788e34..b12e79b 100644 | ||
875 | --- a/grub-core/lib/libgcrypt/cipher/primegen.c | ||
876 | +++ b/grub-core/lib/libgcrypt/cipher/primegen.c | ||
877 | @@ -383,7 +383,7 @@ prime_generate_internal (int need_q_factor, | ||
878 | } | ||
879 | |||
880 | /* Allocate an array to track pool usage. */ | ||
881 | - pool_in_use = gcry_malloc (n * sizeof *pool_in_use); | ||
882 | + pool_in_use = gcry_calloc (n, sizeof *pool_in_use); | ||
883 | if (!pool_in_use) | ||
884 | { | ||
885 | err = gpg_err_code_from_errno (errno); | ||
886 | @@ -765,7 +765,7 @@ gen_prime (unsigned int nbits, int secret, int randomlevel, | ||
887 | if (nbits < 16) | ||
888 | log_fatal ("can't generate a prime with less than %d bits\n", 16); | ||
889 | |||
890 | - mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods ); | ||
891 | + mods = gcry_xcalloc( no_of_small_prime_numbers, sizeof *mods); | ||
892 | /* Make nbits fit into gcry_mpi_t implementation. */ | ||
893 | val_2 = mpi_alloc_set_ui( 2 ); | ||
894 | val_3 = mpi_alloc_set_ui( 3); | ||
895 | diff --git a/grub-core/lib/libgcrypt/cipher/pubkey.c b/grub-core/lib/libgcrypt/cipher/pubkey.c | ||
896 | index 9109821..ca087ad 100644 | ||
897 | --- a/grub-core/lib/libgcrypt/cipher/pubkey.c | ||
898 | +++ b/grub-core/lib/libgcrypt/cipher/pubkey.c | ||
899 | @@ -2941,7 +2941,7 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t s_pkey) | ||
900 | * array to a format string, so we have to do it this way :-(. */ | ||
901 | /* FIXME: There is now such a format specifier, so we can | ||
902 | change the code to be more clear. */ | ||
903 | - arg_list = malloc (nelem * sizeof *arg_list); | ||
904 | + arg_list = calloc (nelem, sizeof *arg_list); | ||
905 | if (!arg_list) | ||
906 | { | ||
907 | rc = gpg_err_code_from_syserror (); | ||
908 | @@ -3233,7 +3233,7 @@ gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey) | ||
909 | } | ||
910 | strcpy (p, "))"); | ||
911 | |||
912 | - arg_list = malloc (nelem * sizeof *arg_list); | ||
913 | + arg_list = calloc (nelem, sizeof *arg_list); | ||
914 | if (!arg_list) | ||
915 | { | ||
916 | rc = gpg_err_code_from_syserror (); | ||
917 | diff --git a/grub-core/lib/priority_queue.c b/grub-core/lib/priority_queue.c | ||
918 | index 659be0b..7d5e7c0 100644 | ||
919 | --- a/grub-core/lib/priority_queue.c | ||
920 | +++ b/grub-core/lib/priority_queue.c | ||
921 | @@ -92,7 +92,7 @@ grub_priority_queue_new (grub_size_t elsize, | ||
922 | { | ||
923 | struct grub_priority_queue *ret; | ||
924 | void *els; | ||
925 | - els = grub_malloc (elsize * 8); | ||
926 | + els = grub_calloc (8, elsize); | ||
927 | if (!els) | ||
928 | return 0; | ||
929 | ret = (struct grub_priority_queue *) grub_malloc (sizeof (*ret)); | ||
930 | diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c | ||
931 | index ee9fa7b..467305b 100644 | ||
932 | --- a/grub-core/lib/reed_solomon.c | ||
933 | +++ b/grub-core/lib/reed_solomon.c | ||
934 | @@ -20,6 +20,7 @@ | ||
935 | #include <stdio.h> | ||
936 | #include <string.h> | ||
937 | #include <stdlib.h> | ||
938 | +#define xcalloc calloc | ||
939 | #define xmalloc malloc | ||
940 | #define grub_memset memset | ||
941 | #define grub_memcpy memcpy | ||
942 | @@ -158,11 +159,9 @@ rs_encode (gf_single_t *data, grub_size_t s, grub_size_t rs) | ||
943 | gf_single_t *rs_polynomial; | ||
944 | int i, j; | ||
945 | gf_single_t *m; | ||
946 | - m = xmalloc ((s + rs) * sizeof (gf_single_t)); | ||
947 | + m = xcalloc (s + rs, sizeof (gf_single_t)); | ||
948 | grub_memcpy (m, data, s * sizeof (gf_single_t)); | ||
949 | - grub_memset (m + s, 0, rs * sizeof (gf_single_t)); | ||
950 | - rs_polynomial = xmalloc ((rs + 1) * sizeof (gf_single_t)); | ||
951 | - grub_memset (rs_polynomial, 0, (rs + 1) * sizeof (gf_single_t)); | ||
952 | + rs_polynomial = xcalloc (rs + 1, sizeof (gf_single_t)); | ||
953 | rs_polynomial[rs] = 1; | ||
954 | /* Multiply with X - a^r */ | ||
955 | for (j = 0; j < rs; j++) | ||
956 | diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c | ||
957 | index ea3ebc7..5847aac 100644 | ||
958 | --- a/grub-core/lib/relocator.c | ||
959 | +++ b/grub-core/lib/relocator.c | ||
960 | @@ -495,9 +495,9 @@ malloc_in_range (struct grub_relocator *rel, | ||
961 | } | ||
962 | #endif | ||
963 | |||
964 | - eventt = grub_malloc (maxevents * sizeof (events[0])); | ||
965 | + eventt = grub_calloc (maxevents, sizeof (events[0])); | ||
966 | counter = grub_malloc ((DIGITSORT_MASK + 2) * sizeof (counter[0])); | ||
967 | - events = grub_malloc (maxevents * sizeof (events[0])); | ||
968 | + events = grub_calloc (maxevents, sizeof (events[0])); | ||
969 | if (!events || !eventt || !counter) | ||
970 | { | ||
971 | grub_dprintf ("relocator", "events or counter allocation failed %d\n", | ||
972 | @@ -963,7 +963,7 @@ malloc_in_range (struct grub_relocator *rel, | ||
973 | #endif | ||
974 | unsigned cural = 0; | ||
975 | int oom = 0; | ||
976 | - res->subchunks = grub_malloc (sizeof (res->subchunks[0]) * nallocs); | ||
977 | + res->subchunks = grub_calloc (nallocs, sizeof (res->subchunks[0])); | ||
978 | if (!res->subchunks) | ||
979 | oom = 1; | ||
980 | res->nsubchunks = nallocs; | ||
981 | @@ -1562,8 +1562,8 @@ grub_relocator_prepare_relocs (struct grub_relocator *rel, grub_addr_t addr, | ||
982 | count[(chunk->src & 0xff) + 1]++; | ||
983 | } | ||
984 | } | ||
985 | - from = grub_malloc (nchunks * sizeof (sorted[0])); | ||
986 | - to = grub_malloc (nchunks * sizeof (sorted[0])); | ||
987 | + from = grub_calloc (nchunks, sizeof (sorted[0])); | ||
988 | + to = grub_calloc (nchunks, sizeof (sorted[0])); | ||
989 | if (!from || !to) | ||
990 | { | ||
991 | grub_free (from); | ||
992 | diff --git a/grub-core/lib/zstd/fse_decompress.c b/grub-core/lib/zstd/fse_decompress.c | ||
993 | index 72bbead..2227b84 100644 | ||
994 | --- a/grub-core/lib/zstd/fse_decompress.c | ||
995 | +++ b/grub-core/lib/zstd/fse_decompress.c | ||
996 | @@ -82,7 +82,7 @@ | ||
997 | FSE_DTable* FSE_createDTable (unsigned tableLog) | ||
998 | { | ||
999 | if (tableLog > FSE_TABLELOG_ABSOLUTE_MAX) tableLog = FSE_TABLELOG_ABSOLUTE_MAX; | ||
1000 | - return (FSE_DTable*)malloc( FSE_DTABLE_SIZE_U32(tableLog) * sizeof (U32) ); | ||
1001 | + return (FSE_DTable*)calloc( FSE_DTABLE_SIZE_U32(tableLog), sizeof (U32) ); | ||
1002 | } | ||
1003 | |||
1004 | void FSE_freeDTable (FSE_DTable* dt) | ||
1005 | diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c | ||
1006 | index 5168491..d70c174 100644 | ||
1007 | --- a/grub-core/loader/arm/linux.c | ||
1008 | +++ b/grub-core/loader/arm/linux.c | ||
1009 | @@ -78,7 +78,7 @@ linux_prepare_atag (void *target_atag) | ||
1010 | |||
1011 | /* some place for cmdline, initrd and terminator. */ | ||
1012 | tmp_size = get_atag_size (atag_orig) + 20 + (arg_size) / 4; | ||
1013 | - tmp_atag = grub_malloc (tmp_size * sizeof (grub_uint32_t)); | ||
1014 | + tmp_atag = grub_calloc (tmp_size, sizeof (grub_uint32_t)); | ||
1015 | if (!tmp_atag) | ||
1016 | return grub_errno; | ||
1017 | |||
1018 | diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c | ||
1019 | index cd92ea3..daf8c6b 100644 | ||
1020 | --- a/grub-core/loader/efi/chainloader.c | ||
1021 | +++ b/grub-core/loader/efi/chainloader.c | ||
1022 | @@ -116,7 +116,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp, | ||
1023 | fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE; | ||
1024 | fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE; | ||
1025 | |||
1026 | - path_name = grub_malloc (len * GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name)); | ||
1027 | + path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name)); | ||
1028 | if (!path_name) | ||
1029 | return; | ||
1030 | |||
1031 | diff --git a/grub-core/loader/i386/bsdXX.c b/grub-core/loader/i386/bsdXX.c | ||
1032 | index af6741d..a8d8bf7 100644 | ||
1033 | --- a/grub-core/loader/i386/bsdXX.c | ||
1034 | +++ b/grub-core/loader/i386/bsdXX.c | ||
1035 | @@ -48,7 +48,7 @@ read_headers (grub_file_t file, const char *filename, Elf_Ehdr *e, char **shdr) | ||
1036 | if (e->e_ident[EI_CLASS] != SUFFIX (ELFCLASS)) | ||
1037 | return grub_error (GRUB_ERR_BAD_OS, N_("invalid arch-dependent ELF magic")); | ||
1038 | |||
1039 | - *shdr = grub_malloc ((grub_uint32_t) e->e_shnum * e->e_shentsize); | ||
1040 | + *shdr = grub_calloc (e->e_shnum, e->e_shentsize); | ||
1041 | if (! *shdr) | ||
1042 | return grub_errno; | ||
1043 | |||
1044 | diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c | ||
1045 | index e64ed08..b7d176b 100644 | ||
1046 | --- a/grub-core/loader/i386/xnu.c | ||
1047 | +++ b/grub-core/loader/i386/xnu.c | ||
1048 | @@ -295,7 +295,7 @@ grub_xnu_devprop_add_property_utf8 (struct grub_xnu_devprop_device_descriptor *d | ||
1049 | return grub_errno; | ||
1050 | |||
1051 | len = grub_strlen (name); | ||
1052 | - utf16 = grub_malloc (sizeof (grub_uint16_t) * len); | ||
1053 | + utf16 = grub_calloc (len, sizeof (grub_uint16_t)); | ||
1054 | if (!utf16) | ||
1055 | { | ||
1056 | grub_free (utf8); | ||
1057 | @@ -331,7 +331,7 @@ grub_xnu_devprop_add_property_utf16 (struct grub_xnu_devprop_device_descriptor * | ||
1058 | grub_uint16_t *utf16; | ||
1059 | grub_err_t err; | ||
1060 | |||
1061 | - utf16 = grub_malloc (sizeof (grub_uint16_t) * namelen); | ||
1062 | + utf16 = grub_calloc (namelen, sizeof (grub_uint16_t)); | ||
1063 | if (!utf16) | ||
1064 | return grub_errno; | ||
1065 | grub_memcpy (utf16, name, sizeof (grub_uint16_t) * namelen); | ||
1066 | diff --git a/grub-core/loader/macho.c b/grub-core/loader/macho.c | ||
1067 | index 085f9c6..05710c4 100644 | ||
1068 | --- a/grub-core/loader/macho.c | ||
1069 | +++ b/grub-core/loader/macho.c | ||
1070 | @@ -97,7 +97,7 @@ grub_macho_file (grub_file_t file, const char *filename, int is_64bit) | ||
1071 | if (grub_file_seek (macho->file, sizeof (struct grub_macho_fat_header)) | ||
1072 | == (grub_off_t) -1) | ||
1073 | goto fail; | ||
1074 | - archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs); | ||
1075 | + archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch)); | ||
1076 | if (!archs) | ||
1077 | goto fail; | ||
1078 | if (grub_file_read (macho->file, archs, | ||
1079 | diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c | ||
1080 | index 70cd1db..cc68536 100644 | ||
1081 | --- a/grub-core/loader/multiboot_elfxx.c | ||
1082 | +++ b/grub-core/loader/multiboot_elfxx.c | ||
1083 | @@ -217,7 +217,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld) | ||
1084 | { | ||
1085 | grub_uint8_t *shdr, *shdrptr; | ||
1086 | |||
1087 | - shdr = grub_malloc ((grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize); | ||
1088 | + shdr = grub_calloc (ehdr->e_shnum, ehdr->e_shentsize); | ||
1089 | if (!shdr) | ||
1090 | return grub_errno; | ||
1091 | |||
1092 | diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c | ||
1093 | index 7f74d1d..77d7060 100644 | ||
1094 | --- a/grub-core/loader/xnu.c | ||
1095 | +++ b/grub-core/loader/xnu.c | ||
1096 | @@ -800,7 +800,7 @@ grub_cmd_xnu_mkext (grub_command_t cmd __attribute__ ((unused)), | ||
1097 | if (grub_be_to_cpu32 (head.magic) == GRUB_MACHO_FAT_MAGIC) | ||
1098 | { | ||
1099 | narchs = grub_be_to_cpu32 (head.nfat_arch); | ||
1100 | - archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs); | ||
1101 | + archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch)); | ||
1102 | if (! archs) | ||
1103 | { | ||
1104 | grub_file_close (file); | ||
1105 | diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c | ||
1106 | index 6a31cba..57b4e9a 100644 | ||
1107 | --- a/grub-core/mmap/mmap.c | ||
1108 | +++ b/grub-core/mmap/mmap.c | ||
1109 | @@ -143,9 +143,9 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data) | ||
1110 | |||
1111 | /* Initialize variables. */ | ||
1112 | ctx.scanline_events = (struct grub_mmap_scan *) | ||
1113 | - grub_malloc (sizeof (struct grub_mmap_scan) * 2 * mmap_num); | ||
1114 | + grub_calloc (mmap_num, sizeof (struct grub_mmap_scan) * 2); | ||
1115 | |||
1116 | - present = grub_zalloc (sizeof (present[0]) * current_priority); | ||
1117 | + present = grub_calloc (current_priority, sizeof (present[0])); | ||
1118 | |||
1119 | if (! ctx.scanline_events || !present) | ||
1120 | { | ||
1121 | diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c | ||
1122 | index 04cfbb0..6539572 100644 | ||
1123 | --- a/grub-core/net/bootp.c | ||
1124 | +++ b/grub-core/net/bootp.c | ||
1125 | @@ -766,7 +766,7 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)), | ||
1126 | if (ncards == 0) | ||
1127 | return grub_error (GRUB_ERR_NET_NO_CARD, N_("no network card found")); | ||
1128 | |||
1129 | - ifaces = grub_zalloc (ncards * sizeof (ifaces[0])); | ||
1130 | + ifaces = grub_calloc (ncards, sizeof (ifaces[0])); | ||
1131 | if (!ifaces) | ||
1132 | return grub_errno; | ||
1133 | |||
1134 | diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c | ||
1135 | index 5d9afe0..e332d5e 100644 | ||
1136 | --- a/grub-core/net/dns.c | ||
1137 | +++ b/grub-core/net/dns.c | ||
1138 | @@ -285,8 +285,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), | ||
1139 | ptr++; | ||
1140 | ptr += 4; | ||
1141 | } | ||
1142 | - *data->addresses = grub_malloc (sizeof ((*data->addresses)[0]) | ||
1143 | - * grub_be_to_cpu16 (head->ancount)); | ||
1144 | + *data->addresses = grub_calloc (grub_be_to_cpu16 (head->ancount), | ||
1145 | + sizeof ((*data->addresses)[0])); | ||
1146 | if (!*data->addresses) | ||
1147 | { | ||
1148 | grub_errno = GRUB_ERR_NONE; | ||
1149 | @@ -406,8 +406,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), | ||
1150 | dns_cache[h].addresses = 0; | ||
1151 | dns_cache[h].name = grub_strdup (data->oname); | ||
1152 | dns_cache[h].naddresses = *data->naddresses; | ||
1153 | - dns_cache[h].addresses = grub_malloc (*data->naddresses | ||
1154 | - * sizeof (dns_cache[h].addresses[0])); | ||
1155 | + dns_cache[h].addresses = grub_calloc (*data->naddresses, | ||
1156 | + sizeof (dns_cache[h].addresses[0])); | ||
1157 | dns_cache[h].limit_time = grub_get_time_ms () + 1000 * ttl_all; | ||
1158 | if (!dns_cache[h].addresses || !dns_cache[h].name) | ||
1159 | { | ||
1160 | @@ -479,7 +479,7 @@ grub_net_dns_lookup (const char *name, | ||
1161 | } | ||
1162 | } | ||
1163 | |||
1164 | - sockets = grub_malloc (sizeof (sockets[0]) * n_servers); | ||
1165 | + sockets = grub_calloc (n_servers, sizeof (sockets[0])); | ||
1166 | if (!sockets) | ||
1167 | return grub_errno; | ||
1168 | |||
1169 | diff --git a/grub-core/net/net.c b/grub-core/net/net.c | ||
1170 | index d5d726a..38f19df 100644 | ||
1171 | --- a/grub-core/net/net.c | ||
1172 | +++ b/grub-core/net/net.c | ||
1173 | @@ -333,8 +333,8 @@ grub_cmd_ipv6_autoconf (struct grub_command *cmd __attribute__ ((unused)), | ||
1174 | ncards++; | ||
1175 | } | ||
1176 | |||
1177 | - ifaces = grub_zalloc (ncards * sizeof (ifaces[0])); | ||
1178 | - slaacs = grub_zalloc (ncards * sizeof (slaacs[0])); | ||
1179 | + ifaces = grub_calloc (ncards, sizeof (ifaces[0])); | ||
1180 | + slaacs = grub_calloc (ncards, sizeof (slaacs[0])); | ||
1181 | if (!ifaces || !slaacs) | ||
1182 | { | ||
1183 | grub_free (ifaces); | ||
1184 | diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c | ||
1185 | index b0ab47d..d57fb72 100644 | ||
1186 | --- a/grub-core/normal/charset.c | ||
1187 | +++ b/grub-core/normal/charset.c | ||
1188 | @@ -203,7 +203,7 @@ grub_utf8_to_ucs4_alloc (const char *msg, grub_uint32_t **unicode_msg, | ||
1189 | { | ||
1190 | grub_size_t msg_len = grub_strlen (msg); | ||
1191 | |||
1192 | - *unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t)); | ||
1193 | + *unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t)); | ||
1194 | |||
1195 | if (!*unicode_msg) | ||
1196 | return -1; | ||
1197 | @@ -488,7 +488,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, | ||
1198 | } | ||
1199 | else | ||
1200 | { | ||
1201 | - n = grub_malloc (sizeof (n[0]) * (out->ncomb + 1)); | ||
1202 | + n = grub_calloc (out->ncomb + 1, sizeof (n[0])); | ||
1203 | if (!n) | ||
1204 | { | ||
1205 | grub_errno = GRUB_ERR_NONE; | ||
1206 | @@ -842,7 +842,7 @@ grub_bidi_line_logical_to_visual (const grub_uint32_t *logical, | ||
1207 | } \ | ||
1208 | } | ||
1209 | |||
1210 | - visual = grub_malloc (sizeof (visual[0]) * logical_len); | ||
1211 | + visual = grub_calloc (logical_len, sizeof (visual[0])); | ||
1212 | if (!visual) | ||
1213 | return -1; | ||
1214 | |||
1215 | @@ -1165,8 +1165,8 @@ grub_bidi_logical_to_visual (const grub_uint32_t *logical, | ||
1216 | { | ||
1217 | const grub_uint32_t *line_start = logical, *ptr; | ||
1218 | struct grub_unicode_glyph *visual_ptr; | ||
1219 | - *visual_out = visual_ptr = grub_malloc (3 * sizeof (visual_ptr[0]) | ||
1220 | - * (logical_len + 2)); | ||
1221 | + *visual_out = visual_ptr = grub_calloc (logical_len + 2, | ||
1222 | + 3 * sizeof (visual_ptr[0])); | ||
1223 | if (!visual_ptr) | ||
1224 | return -1; | ||
1225 | for (ptr = logical; ptr <= logical + logical_len; ptr++) | ||
1226 | diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c | ||
1227 | index c037d50..c57242e 100644 | ||
1228 | --- a/grub-core/normal/cmdline.c | ||
1229 | +++ b/grub-core/normal/cmdline.c | ||
1230 | @@ -41,7 +41,7 @@ grub_err_t | ||
1231 | grub_set_history (int newsize) | ||
1232 | { | ||
1233 | grub_uint32_t **old_hist_lines = hist_lines; | ||
1234 | - hist_lines = grub_malloc (sizeof (grub_uint32_t *) * newsize); | ||
1235 | + hist_lines = grub_calloc (newsize, sizeof (grub_uint32_t *)); | ||
1236 | |||
1237 | /* Copy the old lines into the new buffer. */ | ||
1238 | if (old_hist_lines) | ||
1239 | @@ -114,7 +114,7 @@ static void | ||
1240 | grub_history_set (int pos, grub_uint32_t *s, grub_size_t len) | ||
1241 | { | ||
1242 | grub_free (hist_lines[pos]); | ||
1243 | - hist_lines[pos] = grub_malloc ((len + 1) * sizeof (grub_uint32_t)); | ||
1244 | + hist_lines[pos] = grub_calloc (len + 1, sizeof (grub_uint32_t)); | ||
1245 | if (!hist_lines[pos]) | ||
1246 | { | ||
1247 | grub_print_error (); | ||
1248 | @@ -349,7 +349,7 @@ grub_cmdline_get (const char *prompt_translated) | ||
1249 | char *ret; | ||
1250 | unsigned nterms; | ||
1251 | |||
1252 | - buf = grub_malloc (max_len * sizeof (grub_uint32_t)); | ||
1253 | + buf = grub_calloc (max_len, sizeof (grub_uint32_t)); | ||
1254 | if (!buf) | ||
1255 | return 0; | ||
1256 | |||
1257 | @@ -377,7 +377,7 @@ grub_cmdline_get (const char *prompt_translated) | ||
1258 | FOR_ACTIVE_TERM_OUTPUTS(cur) | ||
1259 | nterms++; | ||
1260 | |||
1261 | - cl_terms = grub_malloc (sizeof (cl_terms[0]) * nterms); | ||
1262 | + cl_terms = grub_calloc (nterms, sizeof (cl_terms[0])); | ||
1263 | if (!cl_terms) | ||
1264 | { | ||
1265 | grub_free (buf); | ||
1266 | @@ -385,7 +385,7 @@ grub_cmdline_get (const char *prompt_translated) | ||
1267 | } | ||
1268 | cl_term_cur = cl_terms; | ||
1269 | |||
1270 | - unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t)); | ||
1271 | + unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t)); | ||
1272 | if (!unicode_msg) | ||
1273 | { | ||
1274 | grub_free (buf); | ||
1275 | @@ -495,7 +495,7 @@ grub_cmdline_get (const char *prompt_translated) | ||
1276 | grub_uint32_t *insert; | ||
1277 | |||
1278 | insertlen = grub_strlen (insertu8); | ||
1279 | - insert = grub_malloc ((insertlen + 1) * sizeof (grub_uint32_t)); | ||
1280 | + insert = grub_calloc (insertlen + 1, sizeof (grub_uint32_t)); | ||
1281 | if (!insert) | ||
1282 | { | ||
1283 | grub_free (insertu8); | ||
1284 | @@ -602,7 +602,7 @@ grub_cmdline_get (const char *prompt_translated) | ||
1285 | |||
1286 | grub_free (kill_buf); | ||
1287 | |||
1288 | - kill_buf = grub_malloc ((n + 1) * sizeof(grub_uint32_t)); | ||
1289 | + kill_buf = grub_calloc (n + 1, sizeof (grub_uint32_t)); | ||
1290 | if (grub_errno) | ||
1291 | { | ||
1292 | grub_print_error (); | ||
1293 | diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c | ||
1294 | index cdf3590..1993995 100644 | ||
1295 | --- a/grub-core/normal/menu_entry.c | ||
1296 | +++ b/grub-core/normal/menu_entry.c | ||
1297 | @@ -95,8 +95,8 @@ init_line (struct screen *screen, struct line *linep) | ||
1298 | { | ||
1299 | linep->len = 0; | ||
1300 | linep->max_len = 80; | ||
1301 | - linep->buf = grub_malloc ((linep->max_len + 1) * sizeof (linep->buf[0])); | ||
1302 | - linep->pos = grub_zalloc (screen->nterms * sizeof (linep->pos[0])); | ||
1303 | + linep->buf = grub_calloc (linep->max_len + 1, sizeof (linep->buf[0])); | ||
1304 | + linep->pos = grub_calloc (screen->nterms, sizeof (linep->pos[0])); | ||
1305 | if (! linep->buf || !linep->pos) | ||
1306 | { | ||
1307 | grub_free (linep->buf); | ||
1308 | @@ -287,7 +287,7 @@ update_screen (struct screen *screen, struct per_term_screen *term_screen, | ||
1309 | pos = linep->pos + (term_screen - screen->terms); | ||
1310 | |||
1311 | if (!*pos) | ||
1312 | - *pos = grub_zalloc ((linep->len + 1) * sizeof (**pos)); | ||
1313 | + *pos = grub_calloc (linep->len + 1, sizeof (**pos)); | ||
1314 | |||
1315 | if (i == region_start || linep == screen->lines + screen->line | ||
1316 | || (i > region_start && mode == ALL_LINES)) | ||
1317 | @@ -471,7 +471,7 @@ insert_string (struct screen *screen, const char *s, int update) | ||
1318 | |||
1319 | /* Insert the string. */ | ||
1320 | current_linep = screen->lines + screen->line; | ||
1321 | - unicode_msg = grub_malloc ((p - s) * sizeof (grub_uint32_t)); | ||
1322 | + unicode_msg = grub_calloc (p - s, sizeof (grub_uint32_t)); | ||
1323 | |||
1324 | if (!unicode_msg) | ||
1325 | return 0; | ||
1326 | @@ -1023,7 +1023,7 @@ complete (struct screen *screen, int continuous, int update) | ||
1327 | if (completion_buffer.buf) | ||
1328 | { | ||
1329 | buflen = grub_strlen (completion_buffer.buf); | ||
1330 | - ucs4 = grub_malloc (sizeof (grub_uint32_t) * (buflen + 1)); | ||
1331 | + ucs4 = grub_calloc (buflen + 1, sizeof (grub_uint32_t)); | ||
1332 | |||
1333 | if (!ucs4) | ||
1334 | { | ||
1335 | @@ -1268,7 +1268,7 @@ grub_menu_entry_run (grub_menu_entry_t entry) | ||
1336 | for (i = 0; i < (unsigned) screen->num_lines; i++) | ||
1337 | { | ||
1338 | grub_free (screen->lines[i].pos); | ||
1339 | - screen->lines[i].pos = grub_zalloc (screen->nterms * sizeof (screen->lines[i].pos[0])); | ||
1340 | + screen->lines[i].pos = grub_calloc (screen->nterms, sizeof (screen->lines[i].pos[0])); | ||
1341 | if (! screen->lines[i].pos) | ||
1342 | { | ||
1343 | grub_print_error (); | ||
1344 | @@ -1278,7 +1278,7 @@ grub_menu_entry_run (grub_menu_entry_t entry) | ||
1345 | } | ||
1346 | } | ||
1347 | |||
1348 | - screen->terms = grub_zalloc (screen->nterms * sizeof (screen->terms[0])); | ||
1349 | + screen->terms = grub_calloc (screen->nterms, sizeof (screen->terms[0])); | ||
1350 | if (!screen->terms) | ||
1351 | { | ||
1352 | grub_print_error (); | ||
1353 | diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c | ||
1354 | index e22bb91..18240e7 100644 | ||
1355 | --- a/grub-core/normal/menu_text.c | ||
1356 | +++ b/grub-core/normal/menu_text.c | ||
1357 | @@ -78,7 +78,7 @@ grub_print_message_indented_real (const char *msg, int margin_left, | ||
1358 | grub_size_t msg_len = grub_strlen (msg) + 2; | ||
1359 | int ret = 0; | ||
1360 | |||
1361 | - unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t)); | ||
1362 | + unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t)); | ||
1363 | |||
1364 | if (!unicode_msg) | ||
1365 | return 0; | ||
1366 | @@ -211,7 +211,7 @@ print_entry (int y, int highlight, grub_menu_entry_t entry, | ||
1367 | |||
1368 | title = entry ? entry->title : ""; | ||
1369 | title_len = grub_strlen (title); | ||
1370 | - unicode_title = grub_malloc (title_len * sizeof (*unicode_title)); | ||
1371 | + unicode_title = grub_calloc (title_len, sizeof (*unicode_title)); | ||
1372 | if (! unicode_title) | ||
1373 | /* XXX How to show this error? */ | ||
1374 | return; | ||
1375 | diff --git a/grub-core/normal/term.c b/grub-core/normal/term.c | ||
1376 | index a1e5c5a..cc8c173 100644 | ||
1377 | --- a/grub-core/normal/term.c | ||
1378 | +++ b/grub-core/normal/term.c | ||
1379 | @@ -264,7 +264,7 @@ grub_term_save_pos (void) | ||
1380 | FOR_ACTIVE_TERM_OUTPUTS(cur) | ||
1381 | cnt++; | ||
1382 | |||
1383 | - ret = grub_malloc (cnt * sizeof (ret[0])); | ||
1384 | + ret = grub_calloc (cnt, sizeof (ret[0])); | ||
1385 | if (!ret) | ||
1386 | return NULL; | ||
1387 | |||
1388 | @@ -1013,7 +1013,7 @@ grub_xnputs (const char *str, grub_size_t msg_len) | ||
1389 | |||
1390 | grub_error_push (); | ||
1391 | |||
1392 | - unicode_str = grub_malloc (msg_len * sizeof (grub_uint32_t)); | ||
1393 | + unicode_str = grub_calloc (msg_len, sizeof (grub_uint32_t)); | ||
1394 | |||
1395 | grub_error_pop (); | ||
1396 | |||
1397 | diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c | ||
1398 | index 90d92d3..5b41ad0 100644 | ||
1399 | --- a/grub-core/osdep/linux/getroot.c | ||
1400 | +++ b/grub-core/osdep/linux/getroot.c | ||
1401 | @@ -168,7 +168,7 @@ grub_util_raid_getmembers (const char *name, int bootable) | ||
1402 | if (ret != 0) | ||
1403 | grub_util_error (_("ioctl GET_ARRAY_INFO error: %s"), strerror (errno)); | ||
1404 | |||
1405 | - devicelist = xmalloc ((info.nr_disks + 1) * sizeof (char *)); | ||
1406 | + devicelist = xcalloc (info.nr_disks + 1, sizeof (char *)); | ||
1407 | |||
1408 | for (i = 0, j = 0; j < info.nr_disks; i++) | ||
1409 | { | ||
1410 | @@ -241,7 +241,7 @@ grub_find_root_devices_from_btrfs (const char *dir) | ||
1411 | return NULL; | ||
1412 | } | ||
1413 | |||
1414 | - ret = xmalloc ((fsi.num_devices + 1) * sizeof (ret[0])); | ||
1415 | + ret = xcalloc (fsi.num_devices + 1, sizeof (ret[0])); | ||
1416 | |||
1417 | for (i = 1; i <= fsi.max_id && j < fsi.num_devices; i++) | ||
1418 | { | ||
1419 | @@ -396,7 +396,7 @@ grub_find_root_devices_from_mountinfo (const char *dir, char **relroot) | ||
1420 | if (relroot) | ||
1421 | *relroot = NULL; | ||
1422 | |||
1423 | - entries = xmalloc (entry_max * sizeof (*entries)); | ||
1424 | + entries = xcalloc (entry_max, sizeof (*entries)); | ||
1425 | |||
1426 | again: | ||
1427 | fp = grub_util_fopen ("/proc/self/mountinfo", "r"); | ||
1428 | diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c | ||
1429 | index 65effa9..7d63251 100644 | ||
1430 | --- a/grub-core/osdep/unix/config.c | ||
1431 | +++ b/grub-core/osdep/unix/config.c | ||
1432 | @@ -89,7 +89,7 @@ grub_util_load_config (struct grub_util_config *cfg) | ||
1433 | argv[0] = "sh"; | ||
1434 | argv[1] = "-c"; | ||
1435 | |||
1436 | - script = xmalloc (4 * strlen (cfgfile) + 300); | ||
1437 | + script = xcalloc (4, strlen (cfgfile) + 300); | ||
1438 | |||
1439 | ptr = script; | ||
1440 | memcpy (ptr, ". '", 3); | ||
1441 | diff --git a/grub-core/osdep/windows/getroot.c b/grub-core/osdep/windows/getroot.c | ||
1442 | index 661d954..eada663 100644 | ||
1443 | --- a/grub-core/osdep/windows/getroot.c | ||
1444 | +++ b/grub-core/osdep/windows/getroot.c | ||
1445 | @@ -59,7 +59,7 @@ grub_get_mount_point (const TCHAR *path) | ||
1446 | |||
1447 | for (ptr = path; *ptr; ptr++); | ||
1448 | allocsize = (ptr - path + 10) * 2; | ||
1449 | - out = xmalloc (allocsize * sizeof (out[0])); | ||
1450 | + out = xcalloc (allocsize, sizeof (out[0])); | ||
1451 | |||
1452 | /* When pointing to EFI system partition GetVolumePathName fails | ||
1453 | for ESP root and returns abberant information for everything | ||
1454 | diff --git a/grub-core/osdep/windows/hostdisk.c b/grub-core/osdep/windows/hostdisk.c | ||
1455 | index 3551007..0be3273 100644 | ||
1456 | --- a/grub-core/osdep/windows/hostdisk.c | ||
1457 | +++ b/grub-core/osdep/windows/hostdisk.c | ||
1458 | @@ -111,7 +111,7 @@ grub_util_get_windows_path_real (const char *path) | ||
1459 | |||
1460 | while (1) | ||
1461 | { | ||
1462 | - fpa = xmalloc (alloc * sizeof (fpa[0])); | ||
1463 | + fpa = xcalloc (alloc, sizeof (fpa[0])); | ||
1464 | |||
1465 | len = GetFullPathName (tpath, alloc, fpa, NULL); | ||
1466 | if (len >= alloc) | ||
1467 | @@ -399,7 +399,7 @@ grub_util_fd_opendir (const char *name) | ||
1468 | for (l = 0; name_windows[l]; l++); | ||
1469 | for (l--; l >= 0 && (name_windows[l] == '\\' || name_windows[l] == '/'); l--); | ||
1470 | l++; | ||
1471 | - pattern = xmalloc ((l + 3) * sizeof (pattern[0])); | ||
1472 | + pattern = xcalloc (l + 3, sizeof (pattern[0])); | ||
1473 | memcpy (pattern, name_windows, l * sizeof (pattern[0])); | ||
1474 | pattern[l] = '\\'; | ||
1475 | pattern[l + 1] = '*'; | ||
1476 | diff --git a/grub-core/osdep/windows/init.c b/grub-core/osdep/windows/init.c | ||
1477 | index e8ffd62..6297de6 100644 | ||
1478 | --- a/grub-core/osdep/windows/init.c | ||
1479 | +++ b/grub-core/osdep/windows/init.c | ||
1480 | @@ -161,7 +161,7 @@ grub_util_host_init (int *argc __attribute__ ((unused)), | ||
1481 | LPWSTR *targv; | ||
1482 | |||
1483 | targv = CommandLineToArgvW (tcmdline, argc); | ||
1484 | - *argv = xmalloc ((*argc + 1) * sizeof (argv[0])); | ||
1485 | + *argv = xcalloc (*argc + 1, sizeof (argv[0])); | ||
1486 | |||
1487 | for (i = 0; i < *argc; i++) | ||
1488 | (*argv)[i] = grub_util_tchar_to_utf8 (targv[i]); | ||
1489 | diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c | ||
1490 | index 7eb53fe..1ef86bf 100644 | ||
1491 | --- a/grub-core/osdep/windows/platform.c | ||
1492 | +++ b/grub-core/osdep/windows/platform.c | ||
1493 | @@ -225,8 +225,8 @@ grub_install_register_efi (grub_device_t efidir_grub_dev, | ||
1494 | grub_util_error ("%s", _("no EFI routines are available when running in BIOS mode")); | ||
1495 | |||
1496 | distrib8_len = grub_strlen (efi_distributor); | ||
1497 | - distributor16 = xmalloc ((distrib8_len + 1) * GRUB_MAX_UTF16_PER_UTF8 | ||
1498 | - * sizeof (grub_uint16_t)); | ||
1499 | + distributor16 = xcalloc (distrib8_len + 1, | ||
1500 | + GRUB_MAX_UTF16_PER_UTF8 * sizeof (grub_uint16_t)); | ||
1501 | distrib16_len = grub_utf8_to_utf16 (distributor16, distrib8_len * GRUB_MAX_UTF16_PER_UTF8, | ||
1502 | (const grub_uint8_t *) efi_distributor, | ||
1503 | distrib8_len, 0); | ||
1504 | diff --git a/grub-core/osdep/windows/relpath.c b/grub-core/osdep/windows/relpath.c | ||
1505 | index cb08617..478e8ef 100644 | ||
1506 | --- a/grub-core/osdep/windows/relpath.c | ||
1507 | +++ b/grub-core/osdep/windows/relpath.c | ||
1508 | @@ -72,7 +72,7 @@ grub_make_system_path_relative_to_its_root (const char *path) | ||
1509 | if (dirwindows[0] && dirwindows[1] == ':') | ||
1510 | offset = 2; | ||
1511 | } | ||
1512 | - ret = xmalloc (sizeof (ret[0]) * (flen - offset + 2)); | ||
1513 | + ret = xcalloc (flen - offset + 2, sizeof (ret[0])); | ||
1514 | if (dirwindows[offset] != '\\' | ||
1515 | && dirwindows[offset] != '/' | ||
1516 | && dirwindows[offset]) | ||
1517 | diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c | ||
1518 | index 103f679..72a2e37 100644 | ||
1519 | --- a/grub-core/partmap/gpt.c | ||
1520 | +++ b/grub-core/partmap/gpt.c | ||
1521 | @@ -199,7 +199,7 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, | ||
1522 | *nsectors = ctx.len; | ||
1523 | if (*nsectors > max_nsectors) | ||
1524 | *nsectors = max_nsectors; | ||
1525 | - *sectors = grub_malloc (*nsectors * sizeof (**sectors)); | ||
1526 | + *sectors = grub_calloc (*nsectors, sizeof (**sectors)); | ||
1527 | if (!*sectors) | ||
1528 | return grub_errno; | ||
1529 | for (i = 0; i < *nsectors; i++) | ||
1530 | diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c | ||
1531 | index 7b8e450..ee3f249 100644 | ||
1532 | --- a/grub-core/partmap/msdos.c | ||
1533 | +++ b/grub-core/partmap/msdos.c | ||
1534 | @@ -337,7 +337,7 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, | ||
1535 | avail_nsectors = *nsectors; | ||
1536 | if (*nsectors > max_nsectors) | ||
1537 | *nsectors = max_nsectors; | ||
1538 | - *sectors = grub_malloc (*nsectors * sizeof (**sectors)); | ||
1539 | + *sectors = grub_calloc (*nsectors, sizeof (**sectors)); | ||
1540 | if (!*sectors) | ||
1541 | return grub_errno; | ||
1542 | for (i = 0; i < *nsectors; i++) | ||
1543 | diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c | ||
1544 | index ee299fd..c8d6806 100644 | ||
1545 | --- a/grub-core/script/execute.c | ||
1546 | +++ b/grub-core/script/execute.c | ||
1547 | @@ -553,7 +553,7 @@ gettext_append (struct grub_script_argv *result, const char *orig_str) | ||
1548 | for (iptr = orig_str; *iptr; iptr++) | ||
1549 | if (*iptr == '$') | ||
1550 | dollar_cnt++; | ||
1551 | - ctx.allowed_strings = grub_malloc (sizeof (ctx.allowed_strings[0]) * dollar_cnt); | ||
1552 | + ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0])); | ||
1553 | |||
1554 | if (parse_string (orig_str, gettext_save_allow, &ctx, 0)) | ||
1555 | goto fail; | ||
1556 | diff --git a/grub-core/tests/fake_input.c b/grub-core/tests/fake_input.c | ||
1557 | index 2d60852..b5eb516 100644 | ||
1558 | --- a/grub-core/tests/fake_input.c | ||
1559 | +++ b/grub-core/tests/fake_input.c | ||
1560 | @@ -49,7 +49,7 @@ grub_terminal_input_fake_sequence (int *seq_in, int nseq_in) | ||
1561 | saved = grub_term_inputs; | ||
1562 | if (seq) | ||
1563 | grub_free (seq); | ||
1564 | - seq = grub_malloc (nseq_in * sizeof (seq[0])); | ||
1565 | + seq = grub_calloc (nseq_in, sizeof (seq[0])); | ||
1566 | if (!seq) | ||
1567 | return; | ||
1568 | |||
1569 | diff --git a/grub-core/tests/video_checksum.c b/grub-core/tests/video_checksum.c | ||
1570 | index 74d5b65..44d0810 100644 | ||
1571 | --- a/grub-core/tests/video_checksum.c | ||
1572 | +++ b/grub-core/tests/video_checksum.c | ||
1573 | @@ -336,7 +336,7 @@ grub_video_capture_write_bmp (const char *fname, | ||
1574 | { | ||
1575 | case 4: | ||
1576 | { | ||
1577 | - grub_uint8_t *buffer = xmalloc (mode_info->width * 3); | ||
1578 | + grub_uint8_t *buffer = xcalloc (3, mode_info->width); | ||
1579 | grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1); | ||
1580 | grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1); | ||
1581 | grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1); | ||
1582 | @@ -367,7 +367,7 @@ grub_video_capture_write_bmp (const char *fname, | ||
1583 | } | ||
1584 | case 3: | ||
1585 | { | ||
1586 | - grub_uint8_t *buffer = xmalloc (mode_info->width * 3); | ||
1587 | + grub_uint8_t *buffer = xcalloc (3, mode_info->width); | ||
1588 | grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1); | ||
1589 | grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1); | ||
1590 | grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1); | ||
1591 | @@ -407,7 +407,7 @@ grub_video_capture_write_bmp (const char *fname, | ||
1592 | } | ||
1593 | case 2: | ||
1594 | { | ||
1595 | - grub_uint8_t *buffer = xmalloc (mode_info->width * 3); | ||
1596 | + grub_uint8_t *buffer = xcalloc (3, mode_info->width); | ||
1597 | grub_uint16_t rmask = ((1 << mode_info->red_mask_size) - 1); | ||
1598 | grub_uint16_t gmask = ((1 << mode_info->green_mask_size) - 1); | ||
1599 | grub_uint16_t bmask = ((1 << mode_info->blue_mask_size) - 1); | ||
1600 | diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c | ||
1601 | index 4f83c74..4d3195e 100644 | ||
1602 | --- a/grub-core/video/capture.c | ||
1603 | +++ b/grub-core/video/capture.c | ||
1604 | @@ -89,7 +89,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info, | ||
1605 | framebuffer.mode_info = *mode_info; | ||
1606 | framebuffer.mode_info.blit_format = grub_video_get_blit_format (&framebuffer.mode_info); | ||
1607 | |||
1608 | - framebuffer.ptr = grub_malloc (framebuffer.mode_info.height * framebuffer.mode_info.pitch); | ||
1609 | + framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch); | ||
1610 | if (!framebuffer.ptr) | ||
1611 | return grub_errno; | ||
1612 | |||
1613 | diff --git a/grub-core/video/emu/sdl.c b/grub-core/video/emu/sdl.c | ||
1614 | index a2f639f..0ebab6f 100644 | ||
1615 | --- a/grub-core/video/emu/sdl.c | ||
1616 | +++ b/grub-core/video/emu/sdl.c | ||
1617 | @@ -172,7 +172,7 @@ grub_video_sdl_set_palette (unsigned int start, unsigned int count, | ||
1618 | if (start + count > mode_info.number_of_colors) | ||
1619 | count = mode_info.number_of_colors - start; | ||
1620 | |||
1621 | - tmp = grub_malloc (count * sizeof (tmp[0])); | ||
1622 | + tmp = grub_calloc (count, sizeof (tmp[0])); | ||
1623 | for (i = 0; i < count; i++) | ||
1624 | { | ||
1625 | tmp[i].r = palette_data[i].r; | ||
1626 | diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c | ||
1627 | index 01f4711..b2f776c 100644 | ||
1628 | --- a/grub-core/video/i386/pc/vga.c | ||
1629 | +++ b/grub-core/video/i386/pc/vga.c | ||
1630 | @@ -127,7 +127,7 @@ grub_video_vga_setup (unsigned int width, unsigned int height, | ||
1631 | |||
1632 | vga_height = height ? : 480; | ||
1633 | |||
1634 | - framebuffer.temporary_buffer = grub_malloc (vga_height * VGA_WIDTH); | ||
1635 | + framebuffer.temporary_buffer = grub_calloc (vga_height, VGA_WIDTH); | ||
1636 | framebuffer.front_page = 0; | ||
1637 | framebuffer.back_page = 0; | ||
1638 | if (!framebuffer.temporary_buffer) | ||
1639 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
1640 | index 777e713..61bd645 100644 | ||
1641 | --- a/grub-core/video/readers/png.c | ||
1642 | +++ b/grub-core/video/readers/png.c | ||
1643 | @@ -309,7 +309,7 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
1644 | if (data->is_16bit || data->is_gray || data->is_palette) | ||
1645 | #endif | ||
1646 | { | ||
1647 | - data->image_data = grub_malloc (data->image_height * data->row_bytes); | ||
1648 | + data->image_data = grub_calloc (data->image_height, data->row_bytes); | ||
1649 | if (grub_errno) | ||
1650 | return grub_errno; | ||
1651 | |||
1652 | diff --git a/include/grub/unicode.h b/include/grub/unicode.h | ||
1653 | index a0403e9..4de986a 100644 | ||
1654 | --- a/include/grub/unicode.h | ||
1655 | +++ b/include/grub/unicode.h | ||
1656 | @@ -293,7 +293,7 @@ grub_unicode_glyph_dup (const struct grub_unicode_glyph *in) | ||
1657 | grub_memcpy (out, in, sizeof (*in)); | ||
1658 | if (in->ncomb > ARRAY_SIZE (out->combining_inline)) | ||
1659 | { | ||
1660 | - out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0])); | ||
1661 | + out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0])); | ||
1662 | if (!out->combining_ptr) | ||
1663 | { | ||
1664 | grub_free (out); | ||
1665 | @@ -315,7 +315,7 @@ grub_unicode_set_glyph (struct grub_unicode_glyph *out, | ||
1666 | grub_memcpy (out, in, sizeof (*in)); | ||
1667 | if (in->ncomb > ARRAY_SIZE (out->combining_inline)) | ||
1668 | { | ||
1669 | - out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0])); | ||
1670 | + out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0])); | ||
1671 | if (!out->combining_ptr) | ||
1672 | return; | ||
1673 | grub_memcpy (out->combining_ptr, in->combining_ptr, | ||
1674 | diff --git a/util/getroot.c b/util/getroot.c | ||
1675 | index 847406f..a5eaa64 100644 | ||
1676 | --- a/util/getroot.c | ||
1677 | +++ b/util/getroot.c | ||
1678 | @@ -200,7 +200,7 @@ make_device_name (const char *drive) | ||
1679 | char *ret, *ptr; | ||
1680 | const char *iptr; | ||
1681 | |||
1682 | - ret = xmalloc (strlen (drive) * 2); | ||
1683 | + ret = xcalloc (2, strlen (drive)); | ||
1684 | ptr = ret; | ||
1685 | for (iptr = drive; *iptr; iptr++) | ||
1686 | { | ||
1687 | diff --git a/util/grub-file.c b/util/grub-file.c | ||
1688 | index 50c18b6..b2e7dd6 100644 | ||
1689 | --- a/util/grub-file.c | ||
1690 | +++ b/util/grub-file.c | ||
1691 | @@ -54,7 +54,7 @@ main (int argc, char *argv[]) | ||
1692 | |||
1693 | grub_util_host_init (&argc, &argv); | ||
1694 | |||
1695 | - argv2 = xmalloc (argc * sizeof (argv2[0])); | ||
1696 | + argv2 = xcalloc (argc, sizeof (argv2[0])); | ||
1697 | |||
1698 | if (argc == 2 && strcmp (argv[1], "--version") == 0) | ||
1699 | { | ||
1700 | diff --git a/util/grub-fstest.c b/util/grub-fstest.c | ||
1701 | index f14e02d..57246af 100644 | ||
1702 | --- a/util/grub-fstest.c | ||
1703 | +++ b/util/grub-fstest.c | ||
1704 | @@ -650,7 +650,7 @@ argp_parser (int key, char *arg, struct argp_state *state) | ||
1705 | if (args_count < num_disks) | ||
1706 | { | ||
1707 | if (args_count == 0) | ||
1708 | - images = xmalloc (num_disks * sizeof (images[0])); | ||
1709 | + images = xcalloc (num_disks, sizeof (images[0])); | ||
1710 | images[args_count] = grub_canonicalize_file_name (arg); | ||
1711 | args_count++; | ||
1712 | return 0; | ||
1713 | @@ -734,7 +734,7 @@ main (int argc, char *argv[]) | ||
1714 | |||
1715 | grub_util_host_init (&argc, &argv); | ||
1716 | |||
1717 | - args = xmalloc (argc * sizeof (args[0])); | ||
1718 | + args = xcalloc (argc, sizeof (args[0])); | ||
1719 | |||
1720 | argp_parse (&argp, argc, argv, 0, 0, 0); | ||
1721 | |||
1722 | diff --git a/util/grub-install-common.c b/util/grub-install-common.c | ||
1723 | index ca0ac61..0295d40 100644 | ||
1724 | --- a/util/grub-install-common.c | ||
1725 | +++ b/util/grub-install-common.c | ||
1726 | @@ -286,7 +286,7 @@ handle_install_list (struct install_list *il, const char *val, | ||
1727 | il->n_entries++; | ||
1728 | } | ||
1729 | il->n_alloc = il->n_entries + 1; | ||
1730 | - il->entries = xmalloc (il->n_alloc * sizeof (il->entries[0])); | ||
1731 | + il->entries = xcalloc (il->n_alloc, sizeof (il->entries[0])); | ||
1732 | ptr = val; | ||
1733 | for (ce = il->entries; ; ce++) | ||
1734 | { | ||
1735 | diff --git a/util/grub-install.c b/util/grub-install.c | ||
1736 | index 8a55ad4..a82725f 100644 | ||
1737 | --- a/util/grub-install.c | ||
1738 | +++ b/util/grub-install.c | ||
1739 | @@ -626,7 +626,7 @@ device_map_check_duplicates (const char *dev_map) | ||
1740 | if (! fp) | ||
1741 | return; | ||
1742 | |||
1743 | - d = xmalloc (alloced * sizeof (d[0])); | ||
1744 | + d = xcalloc (alloced, sizeof (d[0])); | ||
1745 | |||
1746 | while (fgets (buf, sizeof (buf), fp)) | ||
1747 | { | ||
1748 | @@ -1260,7 +1260,7 @@ main (int argc, char *argv[]) | ||
1749 | ndev++; | ||
1750 | } | ||
1751 | |||
1752 | - grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1)); | ||
1753 | + grub_drives = xcalloc (ndev + 1, sizeof (grub_drives[0])); | ||
1754 | |||
1755 | for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++, | ||
1756 | curdrive++) | ||
1757 | diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c | ||
1758 | index bc087c2..d97d0e7 100644 | ||
1759 | --- a/util/grub-mkimagexx.c | ||
1760 | +++ b/util/grub-mkimagexx.c | ||
1761 | @@ -2294,10 +2294,8 @@ SUFFIX (grub_mkimage_load_image) (const char *kernel_path, | ||
1762 | + grub_host_to_target16 (e->e_shstrndx) * smd.section_entsize); | ||
1763 | smd.strtab = (char *) e + grub_host_to_target_addr (s->sh_offset); | ||
1764 | |||
1765 | - smd.addrs = xmalloc (sizeof (*smd.addrs) * smd.num_sections); | ||
1766 | - memset (smd.addrs, 0, sizeof (*smd.addrs) * smd.num_sections); | ||
1767 | - smd.vaddrs = xmalloc (sizeof (*smd.vaddrs) * smd.num_sections); | ||
1768 | - memset (smd.vaddrs, 0, sizeof (*smd.vaddrs) * smd.num_sections); | ||
1769 | + smd.addrs = xcalloc (smd.num_sections, sizeof (*smd.addrs)); | ||
1770 | + smd.vaddrs = xcalloc (smd.num_sections, sizeof (*smd.vaddrs)); | ||
1771 | |||
1772 | SUFFIX (locate_sections) (e, kernel_path, &smd, layout, image_target); | ||
1773 | |||
1774 | diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c | ||
1775 | index ce2cbc4..5183102 100644 | ||
1776 | --- a/util/grub-mkrescue.c | ||
1777 | +++ b/util/grub-mkrescue.c | ||
1778 | @@ -441,8 +441,8 @@ main (int argc, char *argv[]) | ||
1779 | xorriso = xstrdup ("xorriso"); | ||
1780 | label_font = grub_util_path_concat (2, pkgdatadir, "unicode.pf2"); | ||
1781 | |||
1782 | - argp_argv = xmalloc (sizeof (argp_argv[0]) * argc); | ||
1783 | - xorriso_tail_argv = xmalloc (sizeof (argp_argv[0]) * argc); | ||
1784 | + argp_argv = xcalloc (argc, sizeof (argp_argv[0])); | ||
1785 | + xorriso_tail_argv = xcalloc (argc, sizeof (argp_argv[0])); | ||
1786 | |||
1787 | xorriso_tail_argc = 0; | ||
1788 | /* Program name */ | ||
1789 | diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c | ||
1790 | index 4907d44..edf3097 100644 | ||
1791 | --- a/util/grub-mkstandalone.c | ||
1792 | +++ b/util/grub-mkstandalone.c | ||
1793 | @@ -296,7 +296,7 @@ main (int argc, char *argv[]) | ||
1794 | grub_util_host_init (&argc, &argv); | ||
1795 | grub_util_disable_fd_syncs (); | ||
1796 | |||
1797 | - files = xmalloc ((argc + 1) * sizeof (files[0])); | ||
1798 | + files = xcalloc (argc + 1, sizeof (files[0])); | ||
1799 | |||
1800 | argp_parse (&argp, argc, argv, 0, 0, 0); | ||
1801 | |||
1802 | diff --git a/util/grub-pe2elf.c b/util/grub-pe2elf.c | ||
1803 | index 0d4084a..1133129 100644 | ||
1804 | --- a/util/grub-pe2elf.c | ||
1805 | +++ b/util/grub-pe2elf.c | ||
1806 | @@ -100,9 +100,9 @@ write_section_data (FILE* fp, const char *name, char *image, | ||
1807 | char *pe_strtab = (image + pe_chdr->symtab_offset | ||
1808 | + pe_chdr->num_symbols * sizeof (struct grub_pe32_symbol)); | ||
1809 | |||
1810 | - section_map = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (int)); | ||
1811 | + section_map = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (int)); | ||
1812 | section_map[0] = 0; | ||
1813 | - shdr = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (shdr[0])); | ||
1814 | + shdr = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (shdr[0])); | ||
1815 | idx = 1; | ||
1816 | idx_reloc = pe_chdr->num_sections + 1; | ||
1817 | |||
1818 | @@ -233,7 +233,7 @@ write_reloc_section (FILE* fp, const char *name, char *image, | ||
1819 | |||
1820 | pe_sec = pe_shdr + shdr[i].sh_link; | ||
1821 | pe_rel = (struct grub_pe32_reloc *) (image + pe_sec->relocations_offset); | ||
1822 | - rel = (elf_reloc_t *) xmalloc (pe_sec->num_relocations * sizeof (elf_reloc_t)); | ||
1823 | + rel = (elf_reloc_t *) xcalloc (pe_sec->num_relocations, sizeof (elf_reloc_t)); | ||
1824 | num_rels = 0; | ||
1825 | modified = 0; | ||
1826 | |||
1827 | @@ -365,12 +365,10 @@ write_symbol_table (FILE* fp, const char *name, char *image, | ||
1828 | pe_symtab = (struct grub_pe32_symbol *) (image + pe_chdr->symtab_offset); | ||
1829 | pe_strtab = (char *) (pe_symtab + pe_chdr->num_symbols); | ||
1830 | |||
1831 | - symtab = (Elf_Sym *) xmalloc ((pe_chdr->num_symbols + 1) * | ||
1832 | - sizeof (Elf_Sym)); | ||
1833 | - memset (symtab, 0, (pe_chdr->num_symbols + 1) * sizeof (Elf_Sym)); | ||
1834 | + symtab = (Elf_Sym *) xcalloc (pe_chdr->num_symbols + 1, sizeof (Elf_Sym)); | ||
1835 | num_syms = 1; | ||
1836 | |||
1837 | - symtab_map = (int *) xmalloc (pe_chdr->num_symbols * sizeof (int)); | ||
1838 | + symtab_map = (int *) xcalloc (pe_chdr->num_symbols, sizeof (int)); | ||
1839 | |||
1840 | for (i = 0; i < (int) pe_chdr->num_symbols; | ||
1841 | i += pe_symtab->num_aux + 1, pe_symtab += pe_symtab->num_aux + 1) | ||
1842 | diff --git a/util/grub-probe.c b/util/grub-probe.c | ||
1843 | index 81d27ee..cbe6ed9 100644 | ||
1844 | --- a/util/grub-probe.c | ||
1845 | +++ b/util/grub-probe.c | ||
1846 | @@ -361,8 +361,8 @@ probe (const char *path, char **device_names, char delim) | ||
1847 | grub_util_pull_device (*curdev); | ||
1848 | ndev++; | ||
1849 | } | ||
1850 | - | ||
1851 | - drives_names = xmalloc (sizeof (drives_names[0]) * (ndev + 1)); | ||
1852 | + | ||
1853 | + drives_names = xcalloc (ndev + 1, sizeof (drives_names[0])); | ||
1854 | |||
1855 | for (curdev = device_names, curdrive = drives_names; *curdev; curdev++, | ||
1856 | curdrive++) | ||
1857 | -- | ||
1858 | 2.14.4 | ||
1859 | |||
diff --git a/meta/recipes-bsp/grub/files/0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch b/meta/recipes-bsp/grub/files/0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch new file mode 100644 index 0000000000..29021e8d8f --- /dev/null +++ b/meta/recipes-bsp/grub/files/0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 06c361a71c4998635493610e5d76d0d223925251 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Jones <pjones@redhat.com> | ||
3 | Date: Mon, 15 Jun 2020 10:58:42 -0400 | ||
4 | Subject: [PATCH 5/9] safemath: Add some arithmetic primitives that check for | ||
5 | overflow | ||
6 | |||
7 | This adds a new header, include/grub/safemath.h, that includes easy to | ||
8 | use wrappers for __builtin_{add,sub,mul}_overflow() declared like: | ||
9 | |||
10 | bool OP(a, b, res) | ||
11 | |||
12 | where OP is grub_add, grub_sub or grub_mul. OP() returns true in the | ||
13 | case where the operation would overflow and res is not modified. | ||
14 | Otherwise, false is returned and the operation is executed. | ||
15 | |||
16 | These arithmetic primitives require newer compiler versions. So, bump | ||
17 | these requirements in the INSTALL file too. | ||
18 | |||
19 | Upstream-Status: Backport [commit 68708c4503018d61dbcce7ac11cbb511d6425f4d | ||
20 | from https://git.savannah.gnu.org/git/grub.git] | ||
21 | |||
22 | Signed-off-by: Peter Jones <pjones@redhat.com> | ||
23 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
24 | [YL: omit the change to INSTALL from original patch] | ||
25 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
26 | --- | ||
27 | include/grub/compiler.h | 8 ++++++++ | ||
28 | include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++ | ||
29 | 2 files changed, 45 insertions(+) | ||
30 | create mode 100644 include/grub/safemath.h | ||
31 | |||
32 | diff --git a/include/grub/compiler.h b/include/grub/compiler.h | ||
33 | index c9e1d7a..8f3be3a 100644 | ||
34 | --- a/include/grub/compiler.h | ||
35 | +++ b/include/grub/compiler.h | ||
36 | @@ -48,4 +48,12 @@ | ||
37 | # define WARN_UNUSED_RESULT | ||
38 | #endif | ||
39 | |||
40 | +#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__) | ||
41 | +# define CLANG_PREREQ(maj,min) \ | ||
42 | + ((__clang_major__ > (maj)) || \ | ||
43 | + (__clang_major__ == (maj) && __clang_minor__ >= (min))) | ||
44 | +#else | ||
45 | +# define CLANG_PREREQ(maj,min) 0 | ||
46 | +#endif | ||
47 | + | ||
48 | #endif /* ! GRUB_COMPILER_HEADER */ | ||
49 | diff --git a/include/grub/safemath.h b/include/grub/safemath.h | ||
50 | new file mode 100644 | ||
51 | index 0000000..c17b89b | ||
52 | --- /dev/null | ||
53 | +++ b/include/grub/safemath.h | ||
54 | @@ -0,0 +1,37 @@ | ||
55 | +/* | ||
56 | + * GRUB -- GRand Unified Bootloader | ||
57 | + * Copyright (C) 2020 Free Software Foundation, Inc. | ||
58 | + * | ||
59 | + * GRUB is free software: you can redistribute it and/or modify | ||
60 | + * it under the terms of the GNU General Public License as published by | ||
61 | + * the Free Software Foundation, either version 3 of the License, or | ||
62 | + * (at your option) any later version. | ||
63 | + * | ||
64 | + * GRUB is distributed in the hope that it will be useful, | ||
65 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
66 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
67 | + * GNU General Public License for more details. | ||
68 | + * | ||
69 | + * You should have received a copy of the GNU General Public License | ||
70 | + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
71 | + * | ||
72 | + * Arithmetic operations that protect against overflow. | ||
73 | + */ | ||
74 | + | ||
75 | +#ifndef GRUB_SAFEMATH_H | ||
76 | +#define GRUB_SAFEMATH_H 1 | ||
77 | + | ||
78 | +#include <grub/compiler.h> | ||
79 | + | ||
80 | +/* These appear in gcc 5.1 and clang 3.8. */ | ||
81 | +#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8) | ||
82 | + | ||
83 | +#define grub_add(a, b, res) __builtin_add_overflow(a, b, res) | ||
84 | +#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) | ||
85 | +#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) | ||
86 | + | ||
87 | +#else | ||
88 | +#error gcc 5.1 or newer or clang 3.8 or newer is required | ||
89 | +#endif | ||
90 | + | ||
91 | +#endif /* GRUB_SAFEMATH_H */ | ||
92 | -- | ||
93 | 2.14.4 | ||
94 | |||
diff --git a/meta/recipes-bsp/grub/files/0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/meta/recipes-bsp/grub/files/0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch new file mode 100644 index 0000000000..146602cd3e --- /dev/null +++ b/meta/recipes-bsp/grub/files/0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch | |||
@@ -0,0 +1,1326 @@ | |||
1 | From eb77d1ef65e25746acff43545f62a71360b15eec Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Jones <pjones@redhat.com> | ||
3 | Date: Mon, 15 Jun 2020 12:28:27 -0400 | ||
4 | Subject: [PATCH 6/9] malloc: Use overflow checking primitives where we do | ||
5 | complex allocations | ||
6 | |||
7 | This attempts to fix the places where we do the following where | ||
8 | arithmetic_expr may include unvalidated data: | ||
9 | |||
10 | X = grub_malloc(arithmetic_expr); | ||
11 | |||
12 | It accomplishes this by doing the arithmetic ahead of time using grub_add(), | ||
13 | grub_sub(), grub_mul() and testing for overflow before proceeding. | ||
14 | |||
15 | Among other issues, this fixes: | ||
16 | - allocation of integer overflow in grub_video_bitmap_create() | ||
17 | reported by Chris Coulson, | ||
18 | - allocation of integer overflow in grub_png_decode_image_header() | ||
19 | reported by Chris Coulson, | ||
20 | - allocation of integer overflow in grub_squash_read_symlink() | ||
21 | reported by Chris Coulson, | ||
22 | - allocation of integer overflow in grub_ext2_read_symlink() | ||
23 | reported by Chris Coulson, | ||
24 | - allocation of integer overflow in read_section_as_string() | ||
25 | reported by Chris Coulson. | ||
26 | |||
27 | Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 | ||
28 | |||
29 | Upstream-Status: Backport [commit 3f05d693d1274965ffbe4ba99080dc2c570944c6 | ||
30 | from https://git.savannah.gnu.org/git/grub.git] | ||
31 | |||
32 | Signed-off-by: Peter Jones <pjones@redhat.com> | ||
33 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
34 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
35 | --- | ||
36 | grub-core/commands/legacycfg.c | 29 +++++++++++++++++++----- | ||
37 | grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++----- | ||
38 | grub-core/disk/ldm.c | 32 ++++++++++++++++++-------- | ||
39 | grub-core/font/font.c | 7 +++++- | ||
40 | grub-core/fs/btrfs.c | 28 +++++++++++++++-------- | ||
41 | grub-core/fs/ext2.c | 10 ++++++++- | ||
42 | grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++------------- | ||
43 | grub-core/fs/sfs.c | 27 +++++++++++++++++----- | ||
44 | grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++--------- | ||
45 | grub-core/fs/udf.c | 41 +++++++++++++++++++++------------ | ||
46 | grub-core/fs/xfs.c | 11 +++++---- | ||
47 | grub-core/fs/zfs/zfs.c | 22 ++++++++++++------ | ||
48 | grub-core/fs/zfs/zfscrypt.c | 7 +++++- | ||
49 | grub-core/lib/arg.c | 20 +++++++++++++++-- | ||
50 | grub-core/loader/i386/bsd.c | 8 ++++++- | ||
51 | grub-core/net/dns.c | 9 +++++++- | ||
52 | grub-core/normal/charset.c | 10 +++++++-- | ||
53 | grub-core/normal/cmdline.c | 14 ++++++++++-- | ||
54 | grub-core/normal/menu_entry.c | 13 +++++++++-- | ||
55 | grub-core/script/argv.c | 16 +++++++++++-- | ||
56 | grub-core/script/lexer.c | 21 ++++++++++++++--- | ||
57 | grub-core/video/bitmap.c | 25 +++++++++++++-------- | ||
58 | grub-core/video/readers/png.c | 13 +++++++++-- | ||
59 | 23 files changed, 382 insertions(+), 113 deletions(-) | ||
60 | |||
61 | diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c | ||
62 | index 5e3ec0d..cc5971f 100644 | ||
63 | --- a/grub-core/commands/legacycfg.c | ||
64 | +++ b/grub-core/commands/legacycfg.c | ||
65 | @@ -32,6 +32,7 @@ | ||
66 | #include <grub/auth.h> | ||
67 | #include <grub/disk.h> | ||
68 | #include <grub/partition.h> | ||
69 | +#include <grub/safemath.h> | ||
70 | |||
71 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
72 | |||
73 | @@ -104,13 +105,22 @@ legacy_file (const char *filename) | ||
74 | if (newsuffix) | ||
75 | { | ||
76 | char *t; | ||
77 | - | ||
78 | + grub_size_t sz; | ||
79 | + | ||
80 | + if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) || | ||
81 | + grub_add (sz, 1, &sz)) | ||
82 | + { | ||
83 | + grub_errno = GRUB_ERR_OUT_OF_RANGE; | ||
84 | + goto fail_0; | ||
85 | + } | ||
86 | + | ||
87 | t = suffix; | ||
88 | - suffix = grub_realloc (suffix, grub_strlen (suffix) | ||
89 | - + grub_strlen (newsuffix) + 1); | ||
90 | + suffix = grub_realloc (suffix, sz); | ||
91 | if (!suffix) | ||
92 | { | ||
93 | grub_free (t); | ||
94 | + | ||
95 | + fail_0: | ||
96 | grub_free (entrysrc); | ||
97 | grub_free (parsed); | ||
98 | grub_free (newsuffix); | ||
99 | @@ -154,13 +164,22 @@ legacy_file (const char *filename) | ||
100 | else | ||
101 | { | ||
102 | char *t; | ||
103 | + grub_size_t sz; | ||
104 | + | ||
105 | + if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) || | ||
106 | + grub_add (sz, 1, &sz)) | ||
107 | + { | ||
108 | + grub_errno = GRUB_ERR_OUT_OF_RANGE; | ||
109 | + goto fail_1; | ||
110 | + } | ||
111 | |||
112 | t = entrysrc; | ||
113 | - entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc) | ||
114 | - + grub_strlen (parsed) + 1); | ||
115 | + entrysrc = grub_realloc (entrysrc, sz); | ||
116 | if (!entrysrc) | ||
117 | { | ||
118 | grub_free (t); | ||
119 | + | ||
120 | + fail_1: | ||
121 | grub_free (parsed); | ||
122 | grub_free (suffix); | ||
123 | return grub_errno; | ||
124 | diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c | ||
125 | index 4a106ca..cc32903 100644 | ||
126 | --- a/grub-core/commands/wildcard.c | ||
127 | +++ b/grub-core/commands/wildcard.c | ||
128 | @@ -23,6 +23,7 @@ | ||
129 | #include <grub/file.h> | ||
130 | #include <grub/device.h> | ||
131 | #include <grub/script_sh.h> | ||
132 | +#include <grub/safemath.h> | ||
133 | |||
134 | #include <regex.h> | ||
135 | |||
136 | @@ -48,6 +49,7 @@ merge (char **dest, char **ps) | ||
137 | int i; | ||
138 | int j; | ||
139 | char **p; | ||
140 | + grub_size_t sz; | ||
141 | |||
142 | if (! dest) | ||
143 | return ps; | ||
144 | @@ -60,7 +62,12 @@ merge (char **dest, char **ps) | ||
145 | for (j = 0; ps[j]; j++) | ||
146 | ; | ||
147 | |||
148 | - p = grub_realloc (dest, sizeof (char*) * (i + j + 1)); | ||
149 | + if (grub_add (i, j, &sz) || | ||
150 | + grub_add (sz, 1, &sz) || | ||
151 | + grub_mul (sz, sizeof (char *), &sz)) | ||
152 | + return dest; | ||
153 | + | ||
154 | + p = grub_realloc (dest, sz); | ||
155 | if (! p) | ||
156 | { | ||
157 | grub_free (dest); | ||
158 | @@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp) | ||
159 | char ch; | ||
160 | int i = 0; | ||
161 | unsigned len = end - start; | ||
162 | - char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */ | ||
163 | + char *buffer; | ||
164 | + grub_size_t sz; | ||
165 | |||
166 | + /* Worst case size is (len * 2 + 2 + 1). */ | ||
167 | + if (grub_mul (len, 2, &sz) || | ||
168 | + grub_add (sz, 3, &sz)) | ||
169 | + return 1; | ||
170 | + | ||
171 | + buffer = grub_malloc (sz); | ||
172 | if (! buffer) | ||
173 | return 1; | ||
174 | |||
175 | @@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data) | ||
176 | struct match_devices_ctx *ctx = data; | ||
177 | char **t; | ||
178 | char *buffer; | ||
179 | + grub_size_t sz; | ||
180 | |||
181 | /* skip partitions if asked to. */ | ||
182 | if (ctx->noparts && grub_strchr (name, ',')) | ||
183 | @@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data) | ||
184 | if (regexec (ctx->regexp, buffer, 0, 0, 0)) | ||
185 | { | ||
186 | grub_dprintf ("expand", "not matched\n"); | ||
187 | + fail: | ||
188 | grub_free (buffer); | ||
189 | return 0; | ||
190 | } | ||
191 | |||
192 | - t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2)); | ||
193 | + if (grub_add (ctx->ndev, 2, &sz) || | ||
194 | + grub_mul (sz, sizeof (char *), &sz)) | ||
195 | + goto fail; | ||
196 | + | ||
197 | + t = grub_realloc (ctx->devs, sz); | ||
198 | if (! t) | ||
199 | { | ||
200 | grub_free (buffer); | ||
201 | @@ -300,6 +320,7 @@ match_files_iter (const char *name, | ||
202 | struct match_files_ctx *ctx = data; | ||
203 | char **t; | ||
204 | char *buffer; | ||
205 | + grub_size_t sz; | ||
206 | |||
207 | /* skip . and .. names */ | ||
208 | if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0) | ||
209 | @@ -315,9 +336,14 @@ match_files_iter (const char *name, | ||
210 | if (! buffer) | ||
211 | return 1; | ||
212 | |||
213 | - t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2)); | ||
214 | - if (! t) | ||
215 | + if (grub_add (ctx->nfile, 2, &sz) || | ||
216 | + grub_mul (sz, sizeof (char *), &sz)) | ||
217 | + goto fail; | ||
218 | + | ||
219 | + t = grub_realloc (ctx->files, sz); | ||
220 | + if (!t) | ||
221 | { | ||
222 | + fail: | ||
223 | grub_free (buffer); | ||
224 | return 1; | ||
225 | } | ||
226 | diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c | ||
227 | index e632370..58f8a53 100644 | ||
228 | --- a/grub-core/disk/ldm.c | ||
229 | +++ b/grub-core/disk/ldm.c | ||
230 | @@ -25,6 +25,7 @@ | ||
231 | #include <grub/msdos_partition.h> | ||
232 | #include <grub/gpt_partition.h> | ||
233 | #include <grub/i18n.h> | ||
234 | +#include <grub/safemath.h> | ||
235 | |||
236 | #ifdef GRUB_UTIL | ||
237 | #include <grub/emu/misc.h> | ||
238 | @@ -289,6 +290,7 @@ make_vg (grub_disk_t disk, | ||
239 | struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE | ||
240 | / sizeof (struct grub_ldm_vblk)]; | ||
241 | unsigned i; | ||
242 | + grub_size_t sz; | ||
243 | err = grub_disk_read (disk, cursec, 0, | ||
244 | sizeof(vblk), &vblk); | ||
245 | if (err) | ||
246 | @@ -350,7 +352,13 @@ make_vg (grub_disk_t disk, | ||
247 | grub_free (lv); | ||
248 | goto fail2; | ||
249 | } | ||
250 | - lv->name = grub_malloc (*ptr + 1); | ||
251 | + if (grub_add (*ptr, 1, &sz)) | ||
252 | + { | ||
253 | + grub_free (lv->internal_id); | ||
254 | + grub_free (lv); | ||
255 | + goto fail2; | ||
256 | + } | ||
257 | + lv->name = grub_malloc (sz); | ||
258 | if (!lv->name) | ||
259 | { | ||
260 | grub_free (lv->internal_id); | ||
261 | @@ -599,10 +607,13 @@ make_vg (grub_disk_t disk, | ||
262 | if (lv->segments->node_alloc == lv->segments->node_count) | ||
263 | { | ||
264 | void *t; | ||
265 | - lv->segments->node_alloc *= 2; | ||
266 | - t = grub_realloc (lv->segments->nodes, | ||
267 | - sizeof (*lv->segments->nodes) | ||
268 | - * lv->segments->node_alloc); | ||
269 | + grub_size_t sz; | ||
270 | + | ||
271 | + if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) || | ||
272 | + grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz)) | ||
273 | + goto fail2; | ||
274 | + | ||
275 | + t = grub_realloc (lv->segments->nodes, sz); | ||
276 | if (!t) | ||
277 | goto fail2; | ||
278 | lv->segments->nodes = t; | ||
279 | @@ -723,10 +734,13 @@ make_vg (grub_disk_t disk, | ||
280 | if (comp->segment_alloc == comp->segment_count) | ||
281 | { | ||
282 | void *t; | ||
283 | - comp->segment_alloc *= 2; | ||
284 | - t = grub_realloc (comp->segments, | ||
285 | - comp->segment_alloc | ||
286 | - * sizeof (*comp->segments)); | ||
287 | + grub_size_t sz; | ||
288 | + | ||
289 | + if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) || | ||
290 | + grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz)) | ||
291 | + goto fail2; | ||
292 | + | ||
293 | + t = grub_realloc (comp->segments, sz); | ||
294 | if (!t) | ||
295 | goto fail2; | ||
296 | comp->segments = t; | ||
297 | diff --git a/grub-core/font/font.c b/grub-core/font/font.c | ||
298 | index 8e118b3..5edb477 100644 | ||
299 | --- a/grub-core/font/font.c | ||
300 | +++ b/grub-core/font/font.c | ||
301 | @@ -30,6 +30,7 @@ | ||
302 | #include <grub/unicode.h> | ||
303 | #include <grub/fontformat.h> | ||
304 | #include <grub/env.h> | ||
305 | +#include <grub/safemath.h> | ||
306 | |||
307 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
308 | |||
309 | @@ -360,9 +361,13 @@ static char * | ||
310 | read_section_as_string (struct font_file_section *section) | ||
311 | { | ||
312 | char *str; | ||
313 | + grub_size_t sz; | ||
314 | grub_ssize_t ret; | ||
315 | |||
316 | - str = grub_malloc (section->length + 1); | ||
317 | + if (grub_add (section->length, 1, &sz)) | ||
318 | + return NULL; | ||
319 | + | ||
320 | + str = grub_malloc (sz); | ||
321 | if (!str) | ||
322 | return 0; | ||
323 | |||
324 | diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c | ||
325 | index 11272ef..2b65bd5 100644 | ||
326 | --- a/grub-core/fs/btrfs.c | ||
327 | +++ b/grub-core/fs/btrfs.c | ||
328 | @@ -40,6 +40,7 @@ | ||
329 | #include <grub/btrfs.h> | ||
330 | #include <grub/crypto.h> | ||
331 | #include <grub/diskfilter.h> | ||
332 | +#include <grub/safemath.h> | ||
333 | |||
334 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
335 | |||
336 | @@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc, | ||
337 | if (desc->allocated < desc->depth) | ||
338 | { | ||
339 | void *newdata; | ||
340 | - desc->allocated *= 2; | ||
341 | - newdata = grub_realloc (desc->data, sizeof (desc->data[0]) | ||
342 | - * desc->allocated); | ||
343 | + grub_size_t sz; | ||
344 | + | ||
345 | + if (grub_mul (desc->allocated, 2, &desc->allocated) || | ||
346 | + grub_mul (desc->allocated, sizeof (desc->data[0]), &sz)) | ||
347 | + return GRUB_ERR_OUT_OF_RANGE; | ||
348 | + | ||
349 | + newdata = grub_realloc (desc->data, sz); | ||
350 | if (!newdata) | ||
351 | return grub_errno; | ||
352 | desc->data = newdata; | ||
353 | @@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id) | ||
354 | if (data->n_devices_attached > data->n_devices_allocated) | ||
355 | { | ||
356 | void *tmp; | ||
357 | - data->n_devices_allocated = 2 * data->n_devices_attached + 1; | ||
358 | - data->devices_attached | ||
359 | - = grub_realloc (tmp = data->devices_attached, | ||
360 | - data->n_devices_allocated | ||
361 | - * sizeof (data->devices_attached[0])); | ||
362 | + grub_size_t sz; | ||
363 | + | ||
364 | + if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) || | ||
365 | + grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) || | ||
366 | + grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz)) | ||
367 | + goto fail; | ||
368 | + | ||
369 | + data->devices_attached = grub_realloc (tmp = data->devices_attached, sz); | ||
370 | if (!data->devices_attached) | ||
371 | { | ||
372 | + data->devices_attached = tmp; | ||
373 | + | ||
374 | + fail: | ||
375 | if (ctx.dev_found) | ||
376 | grub_device_close (ctx.dev_found); | ||
377 | - data->devices_attached = tmp; | ||
378 | return NULL; | ||
379 | } | ||
380 | } | ||
381 | diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c | ||
382 | index 9b38980..ac33bcd 100644 | ||
383 | --- a/grub-core/fs/ext2.c | ||
384 | +++ b/grub-core/fs/ext2.c | ||
385 | @@ -46,6 +46,7 @@ | ||
386 | #include <grub/dl.h> | ||
387 | #include <grub/types.h> | ||
388 | #include <grub/fshelp.h> | ||
389 | +#include <grub/safemath.h> | ||
390 | |||
391 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
392 | |||
393 | @@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) | ||
394 | { | ||
395 | char *symlink; | ||
396 | struct grub_fshelp_node *diro = node; | ||
397 | + grub_size_t sz; | ||
398 | |||
399 | if (! diro->inode_read) | ||
400 | { | ||
401 | @@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) | ||
402 | } | ||
403 | } | ||
404 | |||
405 | - symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1); | ||
406 | + if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz)) | ||
407 | + { | ||
408 | + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
409 | + return NULL; | ||
410 | + } | ||
411 | + | ||
412 | + symlink = grub_malloc (sz); | ||
413 | if (! symlink) | ||
414 | return 0; | ||
415 | |||
416 | diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c | ||
417 | index 4f1b52a..7ba5b30 100644 | ||
418 | --- a/grub-core/fs/iso9660.c | ||
419 | +++ b/grub-core/fs/iso9660.c | ||
420 | @@ -28,6 +28,7 @@ | ||
421 | #include <grub/fshelp.h> | ||
422 | #include <grub/charset.h> | ||
423 | #include <grub/datetime.h> | ||
424 | +#include <grub/safemath.h> | ||
425 | |||
426 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
427 | |||
428 | @@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx, | ||
429 | int len2) | ||
430 | { | ||
431 | int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0; | ||
432 | + grub_size_t sz; | ||
433 | |||
434 | - ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1); | ||
435 | + if (grub_add (size, len2, &sz) || | ||
436 | + grub_add (sz, 1, &sz)) | ||
437 | + return; | ||
438 | + | ||
439 | + ctx->symlink = grub_realloc (ctx->symlink, sz); | ||
440 | if (! ctx->symlink) | ||
441 | return; | ||
442 | |||
443 | @@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, | ||
444 | { | ||
445 | grub_size_t off = 0, csize = 1; | ||
446 | char *old; | ||
447 | + grub_size_t sz; | ||
448 | + | ||
449 | csize = entry->len - 5; | ||
450 | old = ctx->filename; | ||
451 | if (ctx->filename_alloc) | ||
452 | { | ||
453 | off = grub_strlen (ctx->filename); | ||
454 | - ctx->filename = grub_realloc (ctx->filename, csize + off + 1); | ||
455 | + if (grub_add (csize, off, &sz) || | ||
456 | + grub_add (sz, 1, &sz)) | ||
457 | + return GRUB_ERR_OUT_OF_RANGE; | ||
458 | + ctx->filename = grub_realloc (ctx->filename, sz); | ||
459 | } | ||
460 | else | ||
461 | { | ||
462 | off = 0; | ||
463 | - ctx->filename = grub_zalloc (csize + 1); | ||
464 | + if (grub_add (csize, 1, &sz)) | ||
465 | + return GRUB_ERR_OUT_OF_RANGE; | ||
466 | + ctx->filename = grub_zalloc (sz); | ||
467 | } | ||
468 | if (!ctx->filename) | ||
469 | { | ||
470 | @@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, | ||
471 | if (node->have_dirents >= node->alloc_dirents) | ||
472 | { | ||
473 | struct grub_fshelp_node *new_node; | ||
474 | - node->alloc_dirents *= 2; | ||
475 | - new_node = grub_realloc (node, | ||
476 | - sizeof (struct grub_fshelp_node) | ||
477 | - + ((node->alloc_dirents | ||
478 | - - ARRAY_SIZE (node->dirents)) | ||
479 | - * sizeof (node->dirents[0]))); | ||
480 | + grub_size_t sz; | ||
481 | + | ||
482 | + if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) || | ||
483 | + grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) || | ||
484 | + grub_mul (sz, sizeof (node->dirents[0]), &sz) || | ||
485 | + grub_add (sz, sizeof (struct grub_fshelp_node), &sz)) | ||
486 | + goto fail_0; | ||
487 | + | ||
488 | + new_node = grub_realloc (node, sz); | ||
489 | if (!new_node) | ||
490 | { | ||
491 | + fail_0: | ||
492 | if (ctx.filename_alloc) | ||
493 | grub_free (ctx.filename); | ||
494 | grub_free (node); | ||
495 | @@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, | ||
496 | * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1) | ||
497 | { | ||
498 | struct grub_fshelp_node *new_node; | ||
499 | - new_node = grub_realloc (node, | ||
500 | - sizeof (struct grub_fshelp_node) | ||
501 | - + ((node->alloc_dirents | ||
502 | - - ARRAY_SIZE (node->dirents)) | ||
503 | - * sizeof (node->dirents[0])) | ||
504 | - + grub_strlen (ctx.symlink) + 1); | ||
505 | + grub_size_t sz; | ||
506 | + | ||
507 | + if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) || | ||
508 | + grub_mul (sz, sizeof (node->dirents[0]), &sz) || | ||
509 | + grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) || | ||
510 | + grub_add (sz, grub_strlen (ctx.symlink), &sz)) | ||
511 | + goto fail_1; | ||
512 | + | ||
513 | + new_node = grub_realloc (node, sz); | ||
514 | if (!new_node) | ||
515 | { | ||
516 | + fail_1: | ||
517 | if (ctx.filename_alloc) | ||
518 | grub_free (ctx.filename); | ||
519 | grub_free (node); | ||
520 | diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c | ||
521 | index 90f7fb3..de2b107 100644 | ||
522 | --- a/grub-core/fs/sfs.c | ||
523 | +++ b/grub-core/fs/sfs.c | ||
524 | @@ -26,6 +26,7 @@ | ||
525 | #include <grub/types.h> | ||
526 | #include <grub/fshelp.h> | ||
527 | #include <grub/charset.h> | ||
528 | +#include <grub/safemath.h> | ||
529 | |||
530 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
531 | |||
532 | @@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) | ||
533 | if (node->cache && node->cache_size >= node->cache_allocated) | ||
534 | { | ||
535 | struct cache_entry *e = node->cache; | ||
536 | - e = grub_realloc (node->cache,node->cache_allocated * 2 | ||
537 | - * sizeof (e[0])); | ||
538 | + grub_size_t sz; | ||
539 | + | ||
540 | + if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz)) | ||
541 | + goto fail; | ||
542 | + | ||
543 | + e = grub_realloc (node->cache, sz); | ||
544 | if (!e) | ||
545 | { | ||
546 | + fail: | ||
547 | grub_errno = 0; | ||
548 | grub_free (node->cache); | ||
549 | node->cache = 0; | ||
550 | @@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node, | ||
551 | grub_size_t len = grub_strlen (name); | ||
552 | grub_uint8_t *name_u8; | ||
553 | int ret; | ||
554 | + grub_size_t sz; | ||
555 | + | ||
556 | + if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) || | ||
557 | + grub_add (sz, 1, &sz)) | ||
558 | + return 1; | ||
559 | + | ||
560 | *node = grub_malloc (sizeof (**node)); | ||
561 | if (!*node) | ||
562 | return 1; | ||
563 | - name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); | ||
564 | + name_u8 = grub_malloc (sz); | ||
565 | if (!name_u8) | ||
566 | { | ||
567 | grub_free (*node); | ||
568 | @@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label) | ||
569 | data = grub_sfs_mount (disk); | ||
570 | if (data) | ||
571 | { | ||
572 | - grub_size_t len = grub_strlen (data->label); | ||
573 | - *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); | ||
574 | + grub_size_t sz, len = grub_strlen (data->label); | ||
575 | + | ||
576 | + if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) || | ||
577 | + grub_add (sz, 1, &sz)) | ||
578 | + return GRUB_ERR_OUT_OF_RANGE; | ||
579 | + | ||
580 | + *label = grub_malloc (sz); | ||
581 | if (*label) | ||
582 | *grub_latin1_to_utf8 ((grub_uint8_t *) *label, | ||
583 | (const grub_uint8_t *) data->label, | ||
584 | diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c | ||
585 | index 95d5c1e..7851238 100644 | ||
586 | --- a/grub-core/fs/squash4.c | ||
587 | +++ b/grub-core/fs/squash4.c | ||
588 | @@ -26,6 +26,7 @@ | ||
589 | #include <grub/types.h> | ||
590 | #include <grub/fshelp.h> | ||
591 | #include <grub/deflate.h> | ||
592 | +#include <grub/safemath.h> | ||
593 | #include <minilzo.h> | ||
594 | |||
595 | #include "xz.h" | ||
596 | @@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node) | ||
597 | { | ||
598 | char *ret; | ||
599 | grub_err_t err; | ||
600 | - ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1); | ||
601 | + grub_size_t sz; | ||
602 | + | ||
603 | + if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz)) | ||
604 | + { | ||
605 | + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
606 | + return NULL; | ||
607 | + } | ||
608 | + | ||
609 | + ret = grub_malloc (sz); | ||
610 | + if (!ret) | ||
611 | + return NULL; | ||
612 | |||
613 | err = read_chunk (node->data, ret, | ||
614 | grub_le_to_cpu32 (node->ino.symlink.namelen), | ||
615 | @@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | ||
616 | |||
617 | { | ||
618 | grub_fshelp_node_t node; | ||
619 | - node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||
620 | + grub_size_t sz; | ||
621 | + | ||
622 | + if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) || | ||
623 | + grub_add (sz, sizeof (*node), &sz)) | ||
624 | + return 0; | ||
625 | + | ||
626 | + node = grub_malloc (sz); | ||
627 | if (!node) | ||
628 | return 0; | ||
629 | - grub_memcpy (node, dir, | ||
630 | - sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||
631 | + grub_memcpy (node, dir, sz); | ||
632 | if (hook (".", GRUB_FSHELP_DIR, node, hook_data)) | ||
633 | return 1; | ||
634 | |||
635 | @@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | ||
636 | { | ||
637 | grub_err_t err; | ||
638 | |||
639 | - node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||
640 | + if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) || | ||
641 | + grub_add (sz, sizeof (*node), &sz)) | ||
642 | + return 0; | ||
643 | + | ||
644 | + node = grub_malloc (sz); | ||
645 | if (!node) | ||
646 | return 0; | ||
647 | |||
648 | - grub_memcpy (node, dir, | ||
649 | - sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||
650 | + grub_memcpy (node, dir, sz); | ||
651 | |||
652 | node->stsize--; | ||
653 | err = read_chunk (dir->data, &node->ino, sizeof (node->ino), | ||
654 | @@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | ||
655 | enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG; | ||
656 | struct grub_squash_dirent di; | ||
657 | struct grub_squash_inode ino; | ||
658 | + grub_size_t sz; | ||
659 | |||
660 | err = read_chunk (dir->data, &di, sizeof (di), | ||
661 | grub_le_to_cpu64 (dir->data->sb.diroffset) | ||
662 | @@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | ||
663 | if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK) | ||
664 | filetype = GRUB_FSHELP_SYMLINK; | ||
665 | |||
666 | - node = grub_malloc (sizeof (*node) | ||
667 | - + (dir->stsize + 1) * sizeof (dir->stack[0])); | ||
668 | + if (grub_add (dir->stsize, 1, &sz) || | ||
669 | + grub_mul (sz, sizeof (dir->stack[0]), &sz) || | ||
670 | + grub_add (sz, sizeof (*node), &sz)) | ||
671 | + return 0; | ||
672 | + | ||
673 | + node = grub_malloc (sz); | ||
674 | if (! node) | ||
675 | return 0; | ||
676 | |||
677 | - grub_memcpy (node, dir, | ||
678 | - sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||
679 | + grub_memcpy (node, dir, sz - sizeof(dir->stack[0])); | ||
680 | |||
681 | node->ino = ino; | ||
682 | node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk); | ||
683 | diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c | ||
684 | index a837616..21ac7f4 100644 | ||
685 | --- a/grub-core/fs/udf.c | ||
686 | +++ b/grub-core/fs/udf.c | ||
687 | @@ -28,6 +28,7 @@ | ||
688 | #include <grub/charset.h> | ||
689 | #include <grub/datetime.h> | ||
690 | #include <grub/udf.h> | ||
691 | +#include <grub/safemath.h> | ||
692 | |||
693 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
694 | |||
695 | @@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf) | ||
696 | utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2]; | ||
697 | } | ||
698 | if (!outbuf) | ||
699 | - outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1); | ||
700 | + { | ||
701 | + grub_size_t size; | ||
702 | + | ||
703 | + if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) || | ||
704 | + grub_add (size, 1, &size)) | ||
705 | + goto fail; | ||
706 | + | ||
707 | + outbuf = grub_malloc (size); | ||
708 | + } | ||
709 | if (outbuf) | ||
710 | *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0'; | ||
711 | + | ||
712 | + fail: | ||
713 | grub_free (utf16); | ||
714 | return outbuf; | ||
715 | } | ||
716 | @@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | ||
717 | grub_size_t sz = U64 (node->block.fe.file_size); | ||
718 | grub_uint8_t *raw; | ||
719 | const grub_uint8_t *ptr; | ||
720 | - char *out, *optr; | ||
721 | + char *out = NULL, *optr; | ||
722 | |||
723 | if (sz < 4) | ||
724 | return NULL; | ||
725 | @@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | ||
726 | if (!raw) | ||
727 | return NULL; | ||
728 | if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0) | ||
729 | - { | ||
730 | - grub_free (raw); | ||
731 | - return NULL; | ||
732 | - } | ||
733 | + goto fail_1; | ||
734 | |||
735 | - out = grub_malloc (sz * 2 + 1); | ||
736 | + if (grub_mul (sz, 2, &sz) || | ||
737 | + grub_add (sz, 1, &sz)) | ||
738 | + goto fail_0; | ||
739 | + | ||
740 | + out = grub_malloc (sz); | ||
741 | if (!out) | ||
742 | { | ||
743 | + fail_0: | ||
744 | grub_free (raw); | ||
745 | return NULL; | ||
746 | } | ||
747 | @@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | ||
748 | { | ||
749 | grub_size_t s; | ||
750 | if ((grub_size_t) (ptr - raw + 4) > sz) | ||
751 | - goto fail; | ||
752 | + goto fail_1; | ||
753 | if (!(ptr[2] == 0 && ptr[3] == 0)) | ||
754 | - goto fail; | ||
755 | + goto fail_1; | ||
756 | s = 4 + ptr[1]; | ||
757 | if ((grub_size_t) (ptr - raw + s) > sz) | ||
758 | - goto fail; | ||
759 | + goto fail_1; | ||
760 | switch (*ptr) | ||
761 | { | ||
762 | case 1: | ||
763 | if (ptr[1]) | ||
764 | - goto fail; | ||
765 | + goto fail_1; | ||
766 | /* Fallthrough. */ | ||
767 | case 2: | ||
768 | /* in 4 bytes. out: 1 byte. */ | ||
769 | @@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | ||
770 | if (optr != out) | ||
771 | *optr++ = '/'; | ||
772 | if (!read_string (ptr + 4, s - 4, optr)) | ||
773 | - goto fail; | ||
774 | + goto fail_1; | ||
775 | optr += grub_strlen (optr); | ||
776 | break; | ||
777 | default: | ||
778 | - goto fail; | ||
779 | + goto fail_1; | ||
780 | } | ||
781 | ptr += s; | ||
782 | } | ||
783 | @@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | ||
784 | grub_free (raw); | ||
785 | return out; | ||
786 | |||
787 | - fail: | ||
788 | + fail_1: | ||
789 | grub_free (raw); | ||
790 | grub_free (out); | ||
791 | grub_error (GRUB_ERR_BAD_FS, "invalid symlink"); | ||
792 | diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c | ||
793 | index 96ffecb..ea65902 100644 | ||
794 | --- a/grub-core/fs/xfs.c | ||
795 | +++ b/grub-core/fs/xfs.c | ||
796 | @@ -25,6 +25,7 @@ | ||
797 | #include <grub/dl.h> | ||
798 | #include <grub/types.h> | ||
799 | #include <grub/fshelp.h> | ||
800 | +#include <grub/safemath.h> | ||
801 | |||
802 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
803 | |||
804 | @@ -899,6 +900,7 @@ static struct grub_xfs_data * | ||
805 | grub_xfs_mount (grub_disk_t disk) | ||
806 | { | ||
807 | struct grub_xfs_data *data = 0; | ||
808 | + grub_size_t sz; | ||
809 | |||
810 | data = grub_zalloc (sizeof (struct grub_xfs_data)); | ||
811 | if (!data) | ||
812 | @@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk) | ||
813 | if (!grub_xfs_sb_valid(data)) | ||
814 | goto fail; | ||
815 | |||
816 | - data = grub_realloc (data, | ||
817 | - sizeof (struct grub_xfs_data) | ||
818 | - - sizeof (struct grub_xfs_inode) | ||
819 | - + grub_xfs_inode_size(data) + 1); | ||
820 | + if (grub_add (grub_xfs_inode_size (data), | ||
821 | + sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz)) | ||
822 | + goto fail; | ||
823 | + | ||
824 | + data = grub_realloc (data, sz); | ||
825 | |||
826 | if (! data) | ||
827 | goto fail; | ||
828 | diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c | ||
829 | index 381dde5..36d0373 100644 | ||
830 | --- a/grub-core/fs/zfs/zfs.c | ||
831 | +++ b/grub-core/fs/zfs/zfs.c | ||
832 | @@ -55,6 +55,7 @@ | ||
833 | #include <grub/deflate.h> | ||
834 | #include <grub/crypto.h> | ||
835 | #include <grub/i18n.h> | ||
836 | +#include <grub/safemath.h> | ||
837 | |||
838 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
839 | |||
840 | @@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data, | ||
841 | if (data->n_devices_attached > data->n_devices_allocated) | ||
842 | { | ||
843 | void *tmp; | ||
844 | - data->n_devices_allocated = 2 * data->n_devices_attached + 1; | ||
845 | - data->devices_attached | ||
846 | - = grub_realloc (tmp = data->devices_attached, | ||
847 | - data->n_devices_allocated | ||
848 | - * sizeof (data->devices_attached[0])); | ||
849 | + grub_size_t sz; | ||
850 | + | ||
851 | + if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) || | ||
852 | + grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) || | ||
853 | + grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz)) | ||
854 | + return GRUB_ERR_OUT_OF_RANGE; | ||
855 | + | ||
856 | + data->devices_attached = grub_realloc (tmp = data->devices_attached, sz); | ||
857 | if (!data->devices_attached) | ||
858 | { | ||
859 | data->devices_attached = tmp; | ||
860 | @@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name) | ||
861 | { | ||
862 | char *nvpair; | ||
863 | char *ret; | ||
864 | - grub_size_t size; | ||
865 | + grub_size_t size, sz; | ||
866 | int found; | ||
867 | |||
868 | found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair, | ||
869 | &size, 0); | ||
870 | if (!found) | ||
871 | return 0; | ||
872 | - ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t)); | ||
873 | + | ||
874 | + if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz)) | ||
875 | + return 0; | ||
876 | + | ||
877 | + ret = grub_zalloc (sz); | ||
878 | if (!ret) | ||
879 | return 0; | ||
880 | grub_memcpy (ret, nvlist, sizeof (grub_uint32_t)); | ||
881 | diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c | ||
882 | index 1402e0b..de3b015 100644 | ||
883 | --- a/grub-core/fs/zfs/zfscrypt.c | ||
884 | +++ b/grub-core/fs/zfs/zfscrypt.c | ||
885 | @@ -22,6 +22,7 @@ | ||
886 | #include <grub/misc.h> | ||
887 | #include <grub/disk.h> | ||
888 | #include <grub/partition.h> | ||
889 | +#include <grub/safemath.h> | ||
890 | #include <grub/dl.h> | ||
891 | #include <grub/types.h> | ||
892 | #include <grub/zfs/zfs.h> | ||
893 | @@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in, | ||
894 | int passphrase) | ||
895 | { | ||
896 | struct grub_zfs_wrap_key *key; | ||
897 | + grub_size_t sz; | ||
898 | + | ||
899 | if (!passphrase && keylen > 32) | ||
900 | keylen = 32; | ||
901 | - key = grub_malloc (sizeof (*key) + keylen); | ||
902 | + if (grub_add (sizeof (*key), keylen, &sz)) | ||
903 | + return GRUB_ERR_OUT_OF_RANGE; | ||
904 | + key = grub_malloc (sz); | ||
905 | if (!key) | ||
906 | return grub_errno; | ||
907 | key->is_passphrase = passphrase; | ||
908 | diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c | ||
909 | index fd7744a..3288609 100644 | ||
910 | --- a/grub-core/lib/arg.c | ||
911 | +++ b/grub-core/lib/arg.c | ||
912 | @@ -23,6 +23,7 @@ | ||
913 | #include <grub/term.h> | ||
914 | #include <grub/extcmd.h> | ||
915 | #include <grub/i18n.h> | ||
916 | +#include <grub/safemath.h> | ||
917 | |||
918 | /* Built-in parser for default options. */ | ||
919 | static const struct grub_arg_option help_options[] = | ||
920 | @@ -216,7 +217,13 @@ static inline grub_err_t | ||
921 | add_arg (char ***argl, int *num, char *s) | ||
922 | { | ||
923 | char **p = *argl; | ||
924 | - *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *)); | ||
925 | + grub_size_t sz; | ||
926 | + | ||
927 | + if (grub_add (++(*num), 1, &sz) || | ||
928 | + grub_mul (sz, sizeof (char *), &sz)) | ||
929 | + return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
930 | + | ||
931 | + *argl = grub_realloc (*argl, sz); | ||
932 | if (! *argl) | ||
933 | { | ||
934 | grub_free (p); | ||
935 | @@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc, | ||
936 | grub_size_t argcnt; | ||
937 | struct grub_arg_list *list; | ||
938 | const struct grub_arg_option *options; | ||
939 | + grub_size_t sz0, sz1; | ||
940 | |||
941 | options = extcmd->options; | ||
942 | if (! options) | ||
943 | @@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc, | ||
944 | argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */ | ||
945 | } | ||
946 | |||
947 | - list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt); | ||
948 | + if (grub_mul (sizeof (*list), i, &sz0) || | ||
949 | + grub_mul (sizeof (char *), argcnt, &sz1) || | ||
950 | + grub_add (sz0, sz1, &sz0)) | ||
951 | + { | ||
952 | + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
953 | + return 0; | ||
954 | + } | ||
955 | + | ||
956 | + list = grub_zalloc (sz0); | ||
957 | if (! list) | ||
958 | return 0; | ||
959 | |||
960 | diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c | ||
961 | index 3730ed3..b92cbe9 100644 | ||
962 | --- a/grub-core/loader/i386/bsd.c | ||
963 | +++ b/grub-core/loader/i386/bsd.c | ||
964 | @@ -35,6 +35,7 @@ | ||
965 | #include <grub/ns8250.h> | ||
966 | #include <grub/bsdlabel.h> | ||
967 | #include <grub/crypto.h> | ||
968 | +#include <grub/safemath.h> | ||
969 | #include <grub/verify.h> | ||
970 | #ifdef GRUB_MACHINE_PCBIOS | ||
971 | #include <grub/machine/int.h> | ||
972 | @@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void) | ||
973 | struct grub_netbsd_btinfo_modules *mods; | ||
974 | unsigned i; | ||
975 | grub_err_t err; | ||
976 | + grub_size_t sz; | ||
977 | |||
978 | for (mod = netbsd_mods; mod; mod = mod->next) | ||
979 | modcnt++; | ||
980 | |||
981 | - mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt); | ||
982 | + if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) || | ||
983 | + grub_add (sz, sizeof (*mods), &sz)) | ||
984 | + return GRUB_ERR_OUT_OF_RANGE; | ||
985 | + | ||
986 | + mods = grub_malloc (sz); | ||
987 | if (!mods) | ||
988 | return grub_errno; | ||
989 | |||
990 | diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c | ||
991 | index e332d5e..906ec7d 100644 | ||
992 | --- a/grub-core/net/dns.c | ||
993 | +++ b/grub-core/net/dns.c | ||
994 | @@ -22,6 +22,7 @@ | ||
995 | #include <grub/i18n.h> | ||
996 | #include <grub/err.h> | ||
997 | #include <grub/time.h> | ||
998 | +#include <grub/safemath.h> | ||
999 | |||
1000 | struct dns_cache_element | ||
1001 | { | ||
1002 | @@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s) | ||
1003 | { | ||
1004 | int na = dns_servers_alloc * 2; | ||
1005 | struct grub_net_network_level_address *ns; | ||
1006 | + grub_size_t sz; | ||
1007 | + | ||
1008 | if (na < 8) | ||
1009 | na = 8; | ||
1010 | - ns = grub_realloc (dns_servers, na * sizeof (ns[0])); | ||
1011 | + | ||
1012 | + if (grub_mul (na, sizeof (ns[0]), &sz)) | ||
1013 | + return GRUB_ERR_OUT_OF_RANGE; | ||
1014 | + | ||
1015 | + ns = grub_realloc (dns_servers, sz); | ||
1016 | if (!ns) | ||
1017 | return grub_errno; | ||
1018 | dns_servers_alloc = na; | ||
1019 | diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c | ||
1020 | index d57fb72..4dfcc31 100644 | ||
1021 | --- a/grub-core/normal/charset.c | ||
1022 | +++ b/grub-core/normal/charset.c | ||
1023 | @@ -48,6 +48,7 @@ | ||
1024 | #include <grub/unicode.h> | ||
1025 | #include <grub/term.h> | ||
1026 | #include <grub/normal.h> | ||
1027 | +#include <grub/safemath.h> | ||
1028 | |||
1029 | #if HAVE_FONT_SOURCE | ||
1030 | #include "widthspec.h" | ||
1031 | @@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, | ||
1032 | { | ||
1033 | struct grub_unicode_combining *n; | ||
1034 | unsigned j; | ||
1035 | + grub_size_t sz; | ||
1036 | |||
1037 | if (!haveout) | ||
1038 | continue; | ||
1039 | @@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, | ||
1040 | n = out->combining_inline; | ||
1041 | else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline)) | ||
1042 | { | ||
1043 | - n = grub_realloc (out->combining_ptr, | ||
1044 | - sizeof (n[0]) * (out->ncomb + 1)); | ||
1045 | + if (grub_add (out->ncomb, 1, &sz) || | ||
1046 | + grub_mul (sz, sizeof (n[0]), &sz)) | ||
1047 | + goto fail; | ||
1048 | + | ||
1049 | + n = grub_realloc (out->combining_ptr, sz); | ||
1050 | if (!n) | ||
1051 | { | ||
1052 | + fail: | ||
1053 | grub_errno = GRUB_ERR_NONE; | ||
1054 | continue; | ||
1055 | } | ||
1056 | diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c | ||
1057 | index c57242e..de03fe6 100644 | ||
1058 | --- a/grub-core/normal/cmdline.c | ||
1059 | +++ b/grub-core/normal/cmdline.c | ||
1060 | @@ -28,6 +28,7 @@ | ||
1061 | #include <grub/env.h> | ||
1062 | #include <grub/i18n.h> | ||
1063 | #include <grub/charset.h> | ||
1064 | +#include <grub/safemath.h> | ||
1065 | |||
1066 | static grub_uint32_t *kill_buf; | ||
1067 | |||
1068 | @@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms, | ||
1069 | if (len + (*llen) >= (*max_len)) | ||
1070 | { | ||
1071 | grub_uint32_t *nbuf; | ||
1072 | - (*max_len) *= 2; | ||
1073 | - nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len)); | ||
1074 | + grub_size_t sz; | ||
1075 | + | ||
1076 | + if (grub_mul (*max_len, 2, max_len) || | ||
1077 | + grub_mul (*max_len, sizeof (grub_uint32_t), &sz)) | ||
1078 | + { | ||
1079 | + grub_errno = GRUB_ERR_OUT_OF_RANGE; | ||
1080 | + goto fail; | ||
1081 | + } | ||
1082 | + | ||
1083 | + nbuf = grub_realloc ((*buf), sz); | ||
1084 | if (nbuf) | ||
1085 | (*buf) = nbuf; | ||
1086 | else | ||
1087 | { | ||
1088 | + fail: | ||
1089 | grub_print_error (); | ||
1090 | grub_errno = GRUB_ERR_NONE; | ||
1091 | (*max_len) /= 2; | ||
1092 | diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c | ||
1093 | index 1993995..50eef91 100644 | ||
1094 | --- a/grub-core/normal/menu_entry.c | ||
1095 | +++ b/grub-core/normal/menu_entry.c | ||
1096 | @@ -27,6 +27,7 @@ | ||
1097 | #include <grub/auth.h> | ||
1098 | #include <grub/i18n.h> | ||
1099 | #include <grub/charset.h> | ||
1100 | +#include <grub/safemath.h> | ||
1101 | |||
1102 | enum update_mode | ||
1103 | { | ||
1104 | @@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra) | ||
1105 | { | ||
1106 | if (linep->max_len < linep->len + extra) | ||
1107 | { | ||
1108 | - linep->max_len = 2 * (linep->len + extra); | ||
1109 | - linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0])); | ||
1110 | + grub_size_t sz0, sz1; | ||
1111 | + | ||
1112 | + if (grub_add (linep->len, extra, &sz0) || | ||
1113 | + grub_mul (sz0, 2, &sz0) || | ||
1114 | + grub_add (sz0, 1, &sz1) || | ||
1115 | + grub_mul (sz1, sizeof (linep->buf[0]), &sz1)) | ||
1116 | + return 0; | ||
1117 | + | ||
1118 | + linep->buf = grub_realloc (linep->buf, sz1); | ||
1119 | if (! linep->buf) | ||
1120 | return 0; | ||
1121 | + linep->max_len = sz0; | ||
1122 | } | ||
1123 | |||
1124 | return 1; | ||
1125 | diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c | ||
1126 | index 217ec5d..5751fdd 100644 | ||
1127 | --- a/grub-core/script/argv.c | ||
1128 | +++ b/grub-core/script/argv.c | ||
1129 | @@ -20,6 +20,7 @@ | ||
1130 | #include <grub/mm.h> | ||
1131 | #include <grub/misc.h> | ||
1132 | #include <grub/script_sh.h> | ||
1133 | +#include <grub/safemath.h> | ||
1134 | |||
1135 | /* Return nearest power of two that is >= v. */ | ||
1136 | static unsigned | ||
1137 | @@ -81,11 +82,16 @@ int | ||
1138 | grub_script_argv_next (struct grub_script_argv *argv) | ||
1139 | { | ||
1140 | char **p = argv->args; | ||
1141 | + grub_size_t sz; | ||
1142 | |||
1143 | if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0) | ||
1144 | return 0; | ||
1145 | |||
1146 | - p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *))); | ||
1147 | + if (grub_add (argv->argc, 2, &sz) || | ||
1148 | + grub_mul (sz, sizeof (char *), &sz)) | ||
1149 | + return 1; | ||
1150 | + | ||
1151 | + p = grub_realloc (p, round_up_exp (sz)); | ||
1152 | if (! p) | ||
1153 | return 1; | ||
1154 | |||
1155 | @@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s, | ||
1156 | { | ||
1157 | grub_size_t a; | ||
1158 | char *p = argv->args[argv->argc - 1]; | ||
1159 | + grub_size_t sz; | ||
1160 | |||
1161 | if (! s) | ||
1162 | return 0; | ||
1163 | |||
1164 | a = p ? grub_strlen (p) : 0; | ||
1165 | |||
1166 | - p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char))); | ||
1167 | + if (grub_add (a, slen, &sz) || | ||
1168 | + grub_add (sz, 1, &sz) || | ||
1169 | + grub_mul (sz, sizeof (char), &sz)) | ||
1170 | + return 1; | ||
1171 | + | ||
1172 | + p = grub_realloc (p, round_up_exp (sz)); | ||
1173 | if (! p) | ||
1174 | return 1; | ||
1175 | |||
1176 | diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c | ||
1177 | index c6bd317..5fb0cbd 100644 | ||
1178 | --- a/grub-core/script/lexer.c | ||
1179 | +++ b/grub-core/script/lexer.c | ||
1180 | @@ -24,6 +24,7 @@ | ||
1181 | #include <grub/mm.h> | ||
1182 | #include <grub/script_sh.h> | ||
1183 | #include <grub/i18n.h> | ||
1184 | +#include <grub/safemath.h> | ||
1185 | |||
1186 | #define yytext_ptr char * | ||
1187 | #include "grub_script.tab.h" | ||
1188 | @@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str) | ||
1189 | old = lexer->recording; | ||
1190 | if (lexer->recordlen < len) | ||
1191 | lexer->recordlen = len; | ||
1192 | - lexer->recordlen *= 2; | ||
1193 | + | ||
1194 | + if (grub_mul (lexer->recordlen, 2, &lexer->recordlen)) | ||
1195 | + goto fail; | ||
1196 | + | ||
1197 | lexer->recording = grub_realloc (lexer->recording, lexer->recordlen); | ||
1198 | if (!lexer->recording) | ||
1199 | { | ||
1200 | + fail: | ||
1201 | grub_free (old); | ||
1202 | lexer->recordpos = 0; | ||
1203 | lexer->recordlen = 0; | ||
1204 | @@ -130,7 +135,7 @@ int | ||
1205 | grub_script_lexer_yywrap (struct grub_parser_param *parserstate, | ||
1206 | const char *input) | ||
1207 | { | ||
1208 | - grub_size_t len = 0; | ||
1209 | + grub_size_t len = 0, sz; | ||
1210 | char *p = 0; | ||
1211 | char *line = 0; | ||
1212 | YY_BUFFER_STATE buffer; | ||
1213 | @@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate, | ||
1214 | } | ||
1215 | else if (len && line[len - 1] != '\n') | ||
1216 | { | ||
1217 | - p = grub_realloc (line, len + 2); | ||
1218 | + if (grub_add (len, 2, &sz)) | ||
1219 | + { | ||
1220 | + grub_free (line); | ||
1221 | + grub_script_yyerror (parserstate, N_("overflow is detected")); | ||
1222 | + return 1; | ||
1223 | + } | ||
1224 | + | ||
1225 | + p = grub_realloc (line, sz); | ||
1226 | if (p) | ||
1227 | { | ||
1228 | p[len++] = '\n'; | ||
1229 | p[len] = '\0'; | ||
1230 | } | ||
1231 | + else | ||
1232 | + grub_free (line); | ||
1233 | + | ||
1234 | line = p; | ||
1235 | } | ||
1236 | |||
1237 | diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c | ||
1238 | index b2e0315..6256e20 100644 | ||
1239 | --- a/grub-core/video/bitmap.c | ||
1240 | +++ b/grub-core/video/bitmap.c | ||
1241 | @@ -23,6 +23,7 @@ | ||
1242 | #include <grub/mm.h> | ||
1243 | #include <grub/misc.h> | ||
1244 | #include <grub/i18n.h> | ||
1245 | +#include <grub/safemath.h> | ||
1246 | |||
1247 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
1248 | |||
1249 | @@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap, | ||
1250 | enum grub_video_blit_format blit_format) | ||
1251 | { | ||
1252 | struct grub_video_mode_info *mode_info; | ||
1253 | - unsigned int size; | ||
1254 | + grub_size_t size; | ||
1255 | |||
1256 | if (!bitmap) | ||
1257 | return grub_error (GRUB_ERR_BUG, "invalid argument"); | ||
1258 | @@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap, | ||
1259 | |||
1260 | mode_info->pitch = width * mode_info->bytes_per_pixel; | ||
1261 | |||
1262 | - /* Calculate size needed for the data. */ | ||
1263 | - size = (width * mode_info->bytes_per_pixel) * height; | ||
1264 | + /* Calculate size needed for the data. */ | ||
1265 | + if (grub_mul (width, mode_info->bytes_per_pixel, &size) || | ||
1266 | + grub_mul (size, height, &size)) | ||
1267 | + { | ||
1268 | + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
1269 | + goto fail; | ||
1270 | + } | ||
1271 | |||
1272 | (*bitmap)->data = grub_zalloc (size); | ||
1273 | if (! (*bitmap)->data) | ||
1274 | - { | ||
1275 | - grub_free (*bitmap); | ||
1276 | - *bitmap = 0; | ||
1277 | - | ||
1278 | - return grub_errno; | ||
1279 | - } | ||
1280 | + goto fail; | ||
1281 | |||
1282 | return GRUB_ERR_NONE; | ||
1283 | + | ||
1284 | + fail: | ||
1285 | + grub_free (*bitmap); | ||
1286 | + *bitmap = NULL; | ||
1287 | + | ||
1288 | + return grub_errno; | ||
1289 | } | ||
1290 | |||
1291 | /* Frees all resources allocated by bitmap. */ | ||
1292 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
1293 | index 61bd645..0157ff7 100644 | ||
1294 | --- a/grub-core/video/readers/png.c | ||
1295 | +++ b/grub-core/video/readers/png.c | ||
1296 | @@ -23,6 +23,7 @@ | ||
1297 | #include <grub/mm.h> | ||
1298 | #include <grub/misc.h> | ||
1299 | #include <grub/bufio.h> | ||
1300 | +#include <grub/safemath.h> | ||
1301 | |||
1302 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
1303 | |||
1304 | @@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
1305 | data->bpp <<= 1; | ||
1306 | |||
1307 | data->color_bits = color_bits; | ||
1308 | - data->row_bytes = data->image_width * data->bpp; | ||
1309 | + | ||
1310 | + if (grub_mul (data->image_width, data->bpp, &data->row_bytes)) | ||
1311 | + return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
1312 | + | ||
1313 | if (data->color_bits <= 4) | ||
1314 | - data->row_bytes = (data->image_width * data->color_bits + 7) / 8; | ||
1315 | + { | ||
1316 | + if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes)) | ||
1317 | + return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
1318 | + | ||
1319 | + data->row_bytes >>= 3; | ||
1320 | + } | ||
1321 | |||
1322 | #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||
1323 | if (data->is_16bit || data->is_gray || data->is_palette) | ||
1324 | -- | ||
1325 | 2.14.4 | ||
1326 | |||
diff --git a/meta/recipes-bsp/grub/files/0006-script-Remove-unused-fields-from-grub_script_functio.patch b/meta/recipes-bsp/grub/files/0006-script-Remove-unused-fields-from-grub_script_functio.patch new file mode 100644 index 0000000000..84a80d5ffd --- /dev/null +++ b/meta/recipes-bsp/grub/files/0006-script-Remove-unused-fields-from-grub_script_functio.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From e219bad8cee67b2bb21712df8f055706f8da25d2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Coulson <chris.coulson@canonical.com> | ||
3 | Date: Fri, 10 Jul 2020 11:21:14 +0100 | ||
4 | Subject: [PATCH 7/9] script: Remove unused fields from grub_script_function | ||
5 | struct | ||
6 | |||
7 | Upstream-Status: Backport [commit 1a8d9c9b4ab6df7669b5aa36a56477f297825b96 | ||
8 | from https://git.savannah.gnu.org/git/grub.git] | ||
9 | |||
10 | Signed-off-by: Chris Coulson <chris.coulson@canonical.com> | ||
11 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
12 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
13 | --- | ||
14 | include/grub/script_sh.h | 5 ----- | ||
15 | 1 file changed, 5 deletions(-) | ||
16 | |||
17 | diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h | ||
18 | index 360c2be..b382bcf 100644 | ||
19 | --- a/include/grub/script_sh.h | ||
20 | +++ b/include/grub/script_sh.h | ||
21 | @@ -359,13 +359,8 @@ struct grub_script_function | ||
22 | /* The script function. */ | ||
23 | struct grub_script *func; | ||
24 | |||
25 | - /* The flags. */ | ||
26 | - unsigned flags; | ||
27 | - | ||
28 | /* The next element. */ | ||
29 | struct grub_script_function *next; | ||
30 | - | ||
31 | - int references; | ||
32 | }; | ||
33 | typedef struct grub_script_function *grub_script_function_t; | ||
34 | |||
35 | -- | ||
36 | 2.14.4 | ||
37 | |||
diff --git a/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch new file mode 100644 index 0000000000..fedfc5d203 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Coulson <chris.coulson@canonical.com> | ||
3 | Date: Fri, 10 Jul 2020 14:41:45 +0100 | ||
4 | Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function | ||
5 | during execution | ||
6 | |||
7 | Defining a new function with the same name as a previously defined | ||
8 | function causes the grub_script and associated resources for the | ||
9 | previous function to be freed. If the previous function is currently | ||
10 | executing when a function with the same name is defined, this results | ||
11 | in use-after-frees when processing subsequent commands in the original | ||
12 | function. | ||
13 | |||
14 | Instead, reject a new function definition if it has the same name as | ||
15 | a previously defined function, and that function is currently being | ||
16 | executed. Although a behavioural change, this should be backwards | ||
17 | compatible with existing configurations because they can't be | ||
18 | dependent on the current behaviour without being broken. | ||
19 | |||
20 | Fixes: CVE-2020-15706 | ||
21 | |||
22 | Upstream-Status: Backport [commit 426f57383d647406ae9c628c472059c27cd6e040 | ||
23 | from https://git.savannah.gnu.org/git/grub.git] | ||
24 | |||
25 | Signed-off-by: Chris Coulson <chris.coulson@canonical.com> | ||
26 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
27 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
28 | --- | ||
29 | grub-core/script/execute.c | 2 ++ | ||
30 | grub-core/script/function.c | 16 +++++++++++++--- | ||
31 | grub-core/script/parser.y | 3 ++- | ||
32 | include/grub/script_sh.h | 2 ++ | ||
33 | 4 files changed, 19 insertions(+), 4 deletions(-) | ||
34 | |||
35 | diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c | ||
36 | index c8d6806..7e028e1 100644 | ||
37 | --- a/grub-core/script/execute.c | ||
38 | +++ b/grub-core/script/execute.c | ||
39 | @@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args) | ||
40 | old_scope = scope; | ||
41 | scope = &new_scope; | ||
42 | |||
43 | + func->executing++; | ||
44 | ret = grub_script_execute (func->func); | ||
45 | + func->executing--; | ||
46 | |||
47 | function_return = 0; | ||
48 | active_loops = loops; | ||
49 | diff --git a/grub-core/script/function.c b/grub-core/script/function.c | ||
50 | index d36655e..3aad04b 100644 | ||
51 | --- a/grub-core/script/function.c | ||
52 | +++ b/grub-core/script/function.c | ||
53 | @@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, | ||
54 | func = (grub_script_function_t) grub_malloc (sizeof (*func)); | ||
55 | if (! func) | ||
56 | return 0; | ||
57 | + func->executing = 0; | ||
58 | |||
59 | func->name = grub_strdup (functionname_arg->str); | ||
60 | if (! func->name) | ||
61 | @@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, | ||
62 | grub_script_function_t q; | ||
63 | |||
64 | q = *p; | ||
65 | - grub_script_free (q->func); | ||
66 | - q->func = cmd; | ||
67 | grub_free (func); | ||
68 | - func = q; | ||
69 | + if (q->executing > 0) | ||
70 | + { | ||
71 | + grub_error (GRUB_ERR_BAD_ARGUMENT, | ||
72 | + N_("attempt to redefine a function being executed")); | ||
73 | + func = NULL; | ||
74 | + } | ||
75 | + else | ||
76 | + { | ||
77 | + grub_script_free (q->func); | ||
78 | + q->func = cmd; | ||
79 | + func = q; | ||
80 | + } | ||
81 | } | ||
82 | else | ||
83 | { | ||
84 | diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y | ||
85 | index 4f0ab83..f80b86b 100644 | ||
86 | --- a/grub-core/script/parser.y | ||
87 | +++ b/grub-core/script/parser.y | ||
88 | @@ -289,7 +289,8 @@ function: "function" "name" | ||
89 | grub_script_mem_free (state->func_mem); | ||
90 | else { | ||
91 | script->children = state->scripts; | ||
92 | - grub_script_function_create ($2, script); | ||
93 | + if (!grub_script_function_create ($2, script)) | ||
94 | + grub_script_free (script); | ||
95 | } | ||
96 | |||
97 | state->scripts = $<scripts>3; | ||
98 | diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h | ||
99 | index b382bcf..6c48e07 100644 | ||
100 | --- a/include/grub/script_sh.h | ||
101 | +++ b/include/grub/script_sh.h | ||
102 | @@ -361,6 +361,8 @@ struct grub_script_function | ||
103 | |||
104 | /* The next element. */ | ||
105 | struct grub_script_function *next; | ||
106 | + | ||
107 | + unsigned executing; | ||
108 | }; | ||
109 | typedef struct grub_script_function *grub_script_function_t; | ||
110 | |||
111 | -- | ||
112 | 2.14.4 | ||
113 | |||
diff --git a/meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch new file mode 100644 index 0000000000..0731f0ec53 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch | |||
@@ -0,0 +1,173 @@ | |||
1 | From 68a09a74f6d726d79709847f3671c0a08e4fb5a0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Sat, 25 Jul 2020 12:15:37 +0100 | ||
4 | Subject: [PATCH 9/9] linux: Fix integer overflows in initrd size handling | ||
5 | |||
6 | These could be triggered by a crafted filesystem with very large files. | ||
7 | |||
8 | Fixes: CVE-2020-15707 | ||
9 | |||
10 | Upstream-Status: Backport [commit e7b8856f8be3292afdb38d2e8c70ad8d62a61e10 | ||
11 | from https://git.savannah.gnu.org/git/grub.git] | ||
12 | |||
13 | Signed-off-by: Colin Watson <cjwatson@debian.org> | ||
14 | Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> | ||
15 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
16 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
17 | --- | ||
18 | grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++------------- | ||
19 | 1 file changed, 54 insertions(+), 20 deletions(-) | ||
20 | |||
21 | diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c | ||
22 | index 471b214..8c8565a 100644 | ||
23 | --- a/grub-core/loader/linux.c | ||
24 | +++ b/grub-core/loader/linux.c | ||
25 | @@ -4,6 +4,7 @@ | ||
26 | #include <grub/misc.h> | ||
27 | #include <grub/file.h> | ||
28 | #include <grub/mm.h> | ||
29 | +#include <grub/safemath.h> | ||
30 | |||
31 | struct newc_head | ||
32 | { | ||
33 | @@ -98,13 +99,13 @@ free_dir (struct dir *root) | ||
34 | grub_free (root); | ||
35 | } | ||
36 | |||
37 | -static grub_size_t | ||
38 | +static grub_err_t | ||
39 | insert_dir (const char *name, struct dir **root, | ||
40 | - grub_uint8_t *ptr) | ||
41 | + grub_uint8_t *ptr, grub_size_t *size) | ||
42 | { | ||
43 | struct dir *cur, **head = root; | ||
44 | const char *cb, *ce = name; | ||
45 | - grub_size_t size = 0; | ||
46 | + *size = 0; | ||
47 | while (1) | ||
48 | { | ||
49 | for (cb = ce; *cb == '/'; cb++); | ||
50 | @@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root, | ||
51 | ptr = make_header (ptr, name, ce - name, | ||
52 | 040777, 0); | ||
53 | } | ||
54 | - size += ALIGN_UP ((ce - (char *) name) | ||
55 | - + sizeof (struct newc_head), 4); | ||
56 | + if (grub_add (*size, | ||
57 | + ALIGN_UP ((ce - (char *) name) | ||
58 | + + sizeof (struct newc_head), 4), | ||
59 | + size)) | ||
60 | + { | ||
61 | + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
62 | + grub_free (n->name); | ||
63 | + grub_free (n); | ||
64 | + return grub_errno; | ||
65 | + } | ||
66 | *head = n; | ||
67 | cur = n; | ||
68 | } | ||
69 | root = &cur->next; | ||
70 | } | ||
71 | - return size; | ||
72 | + return GRUB_ERR_NONE; | ||
73 | } | ||
74 | |||
75 | grub_err_t | ||
76 | @@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[], | ||
77 | eptr = grub_strchr (ptr, ':'); | ||
78 | if (eptr) | ||
79 | { | ||
80 | + grub_size_t dir_size, name_len; | ||
81 | + | ||
82 | initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr); | ||
83 | - if (!initrd_ctx->components[i].newc_name) | ||
84 | + if (!initrd_ctx->components[i].newc_name || | ||
85 | + insert_dir (initrd_ctx->components[i].newc_name, &root, 0, | ||
86 | + &dir_size)) | ||
87 | { | ||
88 | grub_initrd_close (initrd_ctx); | ||
89 | return grub_errno; | ||
90 | } | ||
91 | - initrd_ctx->size | ||
92 | - += ALIGN_UP (sizeof (struct newc_head) | ||
93 | - + grub_strlen (initrd_ctx->components[i].newc_name), | ||
94 | - 4); | ||
95 | - initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name, | ||
96 | - &root, 0); | ||
97 | + name_len = grub_strlen (initrd_ctx->components[i].newc_name); | ||
98 | + if (grub_add (initrd_ctx->size, | ||
99 | + ALIGN_UP (sizeof (struct newc_head) + name_len, 4), | ||
100 | + &initrd_ctx->size) || | ||
101 | + grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size)) | ||
102 | + goto overflow; | ||
103 | newc = 1; | ||
104 | fname = eptr + 1; | ||
105 | } | ||
106 | } | ||
107 | else if (newc) | ||
108 | { | ||
109 | - initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) | ||
110 | - + sizeof ("TRAILER!!!") - 1, 4); | ||
111 | + if (grub_add (initrd_ctx->size, | ||
112 | + ALIGN_UP (sizeof (struct newc_head) | ||
113 | + + sizeof ("TRAILER!!!") - 1, 4), | ||
114 | + &initrd_ctx->size)) | ||
115 | + goto overflow; | ||
116 | free_dir (root); | ||
117 | root = 0; | ||
118 | newc = 0; | ||
119 | @@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[], | ||
120 | initrd_ctx->nfiles++; | ||
121 | initrd_ctx->components[i].size | ||
122 | = grub_file_size (initrd_ctx->components[i].file); | ||
123 | - initrd_ctx->size += initrd_ctx->components[i].size; | ||
124 | + if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size, | ||
125 | + &initrd_ctx->size)) | ||
126 | + goto overflow; | ||
127 | } | ||
128 | |||
129 | if (newc) | ||
130 | { | ||
131 | initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); | ||
132 | - initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) | ||
133 | - + sizeof ("TRAILER!!!") - 1, 4); | ||
134 | + if (grub_add (initrd_ctx->size, | ||
135 | + ALIGN_UP (sizeof (struct newc_head) | ||
136 | + + sizeof ("TRAILER!!!") - 1, 4), | ||
137 | + &initrd_ctx->size)) | ||
138 | + goto overflow; | ||
139 | free_dir (root); | ||
140 | root = 0; | ||
141 | } | ||
142 | |||
143 | return GRUB_ERR_NONE; | ||
144 | + | ||
145 | + overflow: | ||
146 | + free_dir (root); | ||
147 | + grub_initrd_close (initrd_ctx); | ||
148 | + return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||
149 | } | ||
150 | |||
151 | grub_size_t | ||
152 | @@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, | ||
153 | |||
154 | if (initrd_ctx->components[i].newc_name) | ||
155 | { | ||
156 | - ptr += insert_dir (initrd_ctx->components[i].newc_name, | ||
157 | - &root, ptr); | ||
158 | + grub_size_t dir_size; | ||
159 | + | ||
160 | + if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr, | ||
161 | + &dir_size)) | ||
162 | + { | ||
163 | + free_dir (root); | ||
164 | + grub_initrd_close (initrd_ctx); | ||
165 | + return grub_errno; | ||
166 | + } | ||
167 | + ptr += dir_size; | ||
168 | ptr = make_header (ptr, initrd_ctx->components[i].newc_name, | ||
169 | grub_strlen (initrd_ctx->components[i].newc_name), | ||
170 | 0100777, | ||
171 | -- | ||
172 | 2.14.4 | ||
173 | |||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 345554e7af..7c53193ebd 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -19,6 +19,14 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
19 | file://grub-module-explicitly-keeps-symbole-.module_license.patch \ | 19 | file://grub-module-explicitly-keeps-symbole-.module_license.patch \ |
20 | file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ | 20 | file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ |
21 | file://CVE-2020-10713.patch \ | 21 | file://CVE-2020-10713.patch \ |
22 | file://0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch \ | ||
23 | file://0002-lvm-Add-LVM-cache-logical-volume-handling.patch \ | ||
24 | file://0003-calloc-Use-calloc-at-most-places.patch \ | ||
25 | file://0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch \ | ||
26 | file://0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch \ | ||
27 | file://0006-script-Remove-unused-fields-from-grub_script_functio.patch \ | ||
28 | file://0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch \ | ||
29 | file://0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch \ | ||
22 | " | 30 | " |
23 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 31 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
24 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 32 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |