1 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch
new file mode 100644
index 0000000000..fedfc5d203
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch
@@ -0,0 +1,113 @@
+From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 10 Jul 2020 14:41:45 +0100
+Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function
+ during execution
+Defining a new function with the same name as a previously defined
+function causes the grub_script and associated resources for the
+previous function to be freed. If the previous function is currently
+executing when a function with the same name is defined, this results
+in use-after-frees when processing subsequent commands in the original
+function.
+Instead, reject a new function definition if it has the same name as
+a previously defined function, and that function is currently being
+executed. Although a behavioural change, this should be backwards
+compatible with existing configurations because they can't be
+dependent on the current behaviour without being broken.
+Fixes: CVE-2020-15706
+Upstream-Status: Backport [commit 426f57383d647406ae9c628c472059c27cd6e040
+from https://git.savannah.gnu.org/git/grub.git]
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/script/execute.c  |  2 ++
+ grub-core/script/function.c | 16 +++++++++++++---
+ grub-core/script/parser.y   |  3 ++-
+ include/grub/script_sh.h    |  2 ++
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index c8d6806..7e028e1 100644
+--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
+@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
+   old_scope = scope;
+   scope = &new_scope;
+ 
+  func->executing++;
+   ret = grub_script_execute (func->func);
+  func->executing--;
+ 
+   function_return = 0;
+   active_loops = loops;
+diff --git a/grub-core/script/function.c b/grub-core/script/function.c
+index d36655e..3aad04b 100644
+--- a/grub-core/script/function.c
+++ b/grub-core/script/function.c
+@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+   func = (grub_script_function_t) grub_malloc (sizeof (*func));
+   if (! func)
+     return 0;
+  func->executing = 0;
+ 
+   func->name = grub_strdup (functionname_arg->str);
+   if (! func->name)
+@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+       grub_script_function_t q;
+ 
+       q = *p;
+-      grub_script_free (q->func);
+-      q->func = cmd;
+       grub_free (func);
+-      func = q;
+      if (q->executing > 0)
+        {
+          grub_error (GRUB_ERR_BAD_ARGUMENT,
+                     N_("attempt to redefine a function being executed"));
+          func = NULL;
+        }
+      else
+        {
+          grub_script_free (q->func);
+          q->func = cmd;
+          func = q;
+        }
+     }
+   else
+     {
+diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
+index 4f0ab83..f80b86b 100644
+--- a/grub-core/script/parser.y
+++ b/grub-core/script/parser.y
+@@ -289,7 +289,8 @@ function: "function" "name"
+              grub_script_mem_free (state->func_mem);
+            else {
+              script->children = state->scripts;
+-             grub_script_function_create ($2, script);
+             if (!grub_script_function_create ($2, script))
+               grub_script_free (script);
+            }
+ 
+            state->scripts = $<scripts>3;
+diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
+index b382bcf..6c48e07 100644
+--- a/include/grub/script_sh.h
+++ b/include/grub/script_sh.h
+@@ -361,6 +361,8 @@ struct grub_script_function
+ 
+   /* The next element.  */
+   struct grub_script_function *next;
+
+  unsigned executing;
+ };
+ typedef struct grub_script_function *grub_script_function_t;
+ 
+-- 
+2.14.4

diff --git a/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch new file mode 100644 index 0000000000..fedfc5d203 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch
@@ -0,0 +1,113 @@
	1	From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001
	2	From: Chris Coulson <chris.coulson@canonical.com>
	3	Date: Fri, 10 Jul 2020 14:41:45 +0100
	4	Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function
	5	during execution
	6
	7	Defining a new function with the same name as a previously defined
	8	function causes the grub_script and associated resources for the
	9	previous function to be freed. If the previous function is currently
	10	executing when a function with the same name is defined, this results
	11	in use-after-frees when processing subsequent commands in the original
	12	function.
	13
	14	Instead, reject a new function definition if it has the same name as
	15	a previously defined function, and that function is currently being
	16	executed. Although a behavioural change, this should be backwards
	17	compatible with existing configurations because they can't be
	18	dependent on the current behaviour without being broken.
	19
	20	Fixes: CVE-2020-15706
	21
	22	Upstream-Status: Backport [commit 426f57383d647406ae9c628c472059c27cd6e040
	23	from https://git.savannah.gnu.org/git/grub.git]
	24
	25	Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
	26	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	27	Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
	28	---
	29	grub-core/script/execute.c \| 2 ++
	30	grub-core/script/function.c \| 16 +++++++++++++---
	31	grub-core/script/parser.y \| 3 ++-
	32	include/grub/script_sh.h \| 2 ++
	33	4 files changed, 19 insertions(+), 4 deletions(-)
	34
	35	diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
	36	index c8d6806..7e028e1 100644
	37	--- a/grub-core/script/execute.c
	38	+++ b/grub-core/script/execute.c
	39	@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
	40	old_scope = scope;
	41	scope = &new_scope;
	42
	43	+ func->executing++;
	44	ret = grub_script_execute (func->func);
	45	+ func->executing--;
	46
	47	function_return = 0;
	48	active_loops = loops;
	49	diff --git a/grub-core/script/function.c b/grub-core/script/function.c
	50	index d36655e..3aad04b 100644
	51	--- a/grub-core/script/function.c
	52	+++ b/grub-core/script/function.c
	53	@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
	54	func = (grub_script_function_t) grub_malloc (sizeof (*func));
	55	if (! func)
	56	return 0;
	57	+ func->executing = 0;
	58
	59	func->name = grub_strdup (functionname_arg->str);
	60	if (! func->name)
	61	@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
	62	grub_script_function_t q;
	63
	64	q = *p;
	65	- grub_script_free (q->func);
	66	- q->func = cmd;
	67	grub_free (func);
	68	- func = q;
	69	+ if (q->executing > 0)
	70	+ {
	71	+ grub_error (GRUB_ERR_BAD_ARGUMENT,
	72	+ N_("attempt to redefine a function being executed"));
	73	+ func = NULL;
	74	+ }
	75	+ else
	76	+ {
	77	+ grub_script_free (q->func);
	78	+ q->func = cmd;
	79	+ func = q;
	80	+ }
	81	}
	82	else
	83	{
	84	diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
	85	index 4f0ab83..f80b86b 100644
	86	--- a/grub-core/script/parser.y
	87	+++ b/grub-core/script/parser.y
	88	@@ -289,7 +289,8 @@ function: "function" "name"
	89	grub_script_mem_free (state->func_mem);
	90	else {
	91	script->children = state->scripts;
	92	- grub_script_function_create ($2, script);
	93	+ if (!grub_script_function_create ($2, script))
	94	+ grub_script_free (script);
	95	}
	96
	97	state->scripts = $<scripts>3;
	98	diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
	99	index b382bcf..6c48e07 100644
	100	--- a/include/grub/script_sh.h
	101	+++ b/include/grub/script_sh.h
	102	@@ -361,6 +361,8 @@ struct grub_script_function
	103
	104	/* The next element. */
	105	struct grub_script_function *next;
	106	+
	107	+ unsigned executing;
	108	};
	109	typedef struct grub_script_function *grub_script_function_t;
	110
	111	--
	112	2.14.4
	113