1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..d55709406b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,65 @@
+From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 11 Dec 2020 15:03:13 +0000
+Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
+The model of grub_efi_get_memory_map() is that if memory_map is NULL,
+then the purpose is to discover how much memory should be allocated to
+it for the subsequent call.
+The problem here is that with grub_efi_is_finished set to 1, there is no
+check at all that the function is being called with a non-NULL memory_map.
+While this MAY be true, we shouldn't assume it.
+The solution to this is to behave as expected, and if memory_map is NULL,
+then don't try to use it and allow memory_map_size to be filled in, and
+return 0 as is done later in the code if the buffer is too small (or NULL).
+Additionally, drop unneeded ret = 1.
+Fixes: CID 96632
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/mm.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index b02fab1..5afcef7 100644
+--- a/grub-core/kern/efi/mm.c
+++ b/grub-core/kern/efi/mm.c
+@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
+   if (grub_efi_is_finished)
+     {
+       int ret = 1;
+-      if (*memory_map_size < finish_mmap_size)
+
+      if (memory_map != NULL)
+        {
+-         grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+-         ret = 0;
+         if (*memory_map_size < finish_mmap_size)
+           {
+             grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+             ret = 0;
+           }
+          else
+           grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+        }
+       else
+        {
+-         grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+-         ret = 1;
+         /*
+          * Incomplete, no buffer to copy into, same as
+          * GRUB_EFI_BUFFER_TOO_SMALL below.
+          */
+         ret = 0;
+        }
+       *memory_map_size = finish_mmap_size;
+       if (map_key)

diff --git a/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch new file mode 100644 index 0000000000..d55709406b --- /dev/null +++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,65 @@
	1	From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001
	2	From: Darren Kenny <darren.kenny@oracle.com>
	3	Date: Fri, 11 Dec 2020 15:03:13 +0000
	4	Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
	5
	6	The model of grub_efi_get_memory_map() is that if memory_map is NULL,
	7	then the purpose is to discover how much memory should be allocated to
	8	it for the subsequent call.
	9
	10	The problem here is that with grub_efi_is_finished set to 1, there is no
	11	check at all that the function is being called with a non-NULL memory_map.
	12
	13	While this MAY be true, we shouldn't assume it.
	14
	15	The solution to this is to behave as expected, and if memory_map is NULL,
	16	then don't try to use it and allow memory_map_size to be filled in, and
	17	return 0 as is done later in the code if the buffer is too small (or NULL).
	18
	19	Additionally, drop unneeded ret = 1.
	20
	21	Fixes: CID 96632
	22
	23	Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
	24	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	25
	26	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1]
	27	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	28	---
	29	grub-core/kern/efi/mm.c \| 19 ++++++++++++++-----
	30	1 file changed, 14 insertions(+), 5 deletions(-)
	31
	32	diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
	33	index b02fab1..5afcef7 100644
	34	--- a/grub-core/kern/efi/mm.c
	35	+++ b/grub-core/kern/efi/mm.c
	36	@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
	37	if (grub_efi_is_finished)
	38	{
	39	int ret = 1;
	40	- if (*memory_map_size < finish_mmap_size)
	41	+
	42	+ if (memory_map != NULL)
	43	{
	44	- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
	45	- ret = 0;
	46	+ if (*memory_map_size < finish_mmap_size)
	47	+ {
	48	+ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
	49	+ ret = 0;
	50	+ }
	51	+ else
	52	+ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
	53	}
	54	else
	55	{
	56	- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
	57	- ret = 1;
	58	+ /*
	59	+ * Incomplete, no buffer to copy into, same as
	60	+ * GRUB_EFI_BUFFER_TOO_SMALL below.
	61	+ */
	62	+ ret = 0;
	63	}
	64	*memory_map_size = finish_mmap_size;
	65	if (map_key)