1 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
new file mode 100644
index 0000000000..745f335501
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
@@ -0,0 +1,130 @@
+From fe7a13df6200bda934fcc0246458df249f1ef4f2 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Wed, 23 Sep 2020 11:33:33 -0400
+Subject: [PATCH] verifiers: Move verifiers API to kernel image
+Move verifiers API from a module to the kernel image, so it can be
+used there as well. There are no functional changes in this patch.
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9e95f45ceeef36fcf93cbfffcf004276883dbc99]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/Makefile.am                    | 1 +
+ grub-core/Makefile.core.def              | 6 +-----
+ grub-core/kern/main.c                    | 4 ++++
+ grub-core/{commands => kern}/verifiers.c | 8 ++------
+ include/grub/verify.h                    | 9 ++++++---
+ 5 files changed, 14 insertions(+), 14 deletions(-)
+ rename grub-core/{commands => kern}/verifiers.c (97%)
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 3ea8e7f..375c30d 100644
+--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
+@@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 474a63e..cff02f2 100644
+--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
+@@ -140,6 +140,7 @@ kernel = {
+   common = kern/rescue_parser.c;
+   common = kern/rescue_reader.c;
+   common = kern/term.c;
+  common = kern/verifiers.c;
+ 
+   noemu = kern/compiler-rt.c;
+   noemu = kern/mm.c;
+@@ -942,11 +943,6 @@ module = {
+   cppflags = '-I$(srcdir)/lib/posix_wrap';
+ };
+ 
+-module = {
+-  name = verifiers;
+-  common = commands/verifiers.c;
+-};
+-
+ module = {
+   name = shim_lock;
+   common = commands/efi/shim_lock.c;
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 9cad0c4..73967e2 100644
+--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
+#include <grub/verify.h>
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -274,6 +275,9 @@ grub_main (void)
+   grub_printf ("Welcome to GRUB!\n\n");
+   grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
+ 
+  /* Init verifiers API. */
+  grub_verifiers_init ();
+
+   grub_load_config ();
+ 
+   grub_boot_time ("Before loading embedded modules.");
+diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c
+similarity index 97%
+rename from grub-core/commands/verifiers.c
+rename to grub-core/kern/verifiers.c
+index 0dde481..aa3dc7c 100644
+--- a/grub-core/commands/verifiers.c
+++ b/grub-core/kern/verifiers.c
+@@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
+   return GRUB_ERR_NONE;
+ }
+ 
+-GRUB_MOD_INIT(verifiers)
+void
+grub_verifiers_init (void)
+ {
+   grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
+ }
+-
+-GRUB_MOD_FINI(verifiers)
+-{
+-  grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+-}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index ea04914..cd129c3 100644
+--- a/include/grub/verify.h
+++ b/include/grub/verify.h
+@@ -64,7 +64,10 @@ struct grub_file_verifier
+   grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
+ };
+ 
+-extern struct grub_file_verifier *grub_file_verifiers;
+extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
+
+extern void
+grub_verifiers_init (void);
+ 
+ static inline void
+ grub_verifier_register (struct grub_file_verifier *ver)
+@@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
+   grub_list_remove (GRUB_AS_LIST (ver));
+ }
+ 
+-grub_err_t
+-grub_verify_string (char *str, enum grub_verify_string_type type);
+extern grub_err_t
+EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
+ 
+ #endif /* ! GRUB_VERIFY_HEADER */

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch new file mode 100644 index 0000000000..745f335501 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
@@ -0,0 +1,130 @@
	1	From fe7a13df6200bda934fcc0246458df249f1ef4f2 Mon Sep 17 00:00:00 2001
	2	From: Marco A Benatto <mbenatto@redhat.com>
	3	Date: Wed, 23 Sep 2020 11:33:33 -0400
	4	Subject: [PATCH] verifiers: Move verifiers API to kernel image
	5
	6	Move verifiers API from a module to the kernel image, so it can be
	7	used there as well. There are no functional changes in this patch.
	8
	9	Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
	10	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	11	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	12
	13	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9e95f45ceeef36fcf93cbfffcf004276883dbc99]
	14	CVE: CVE-2020-14372
	15	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	16	---
	17	grub-core/Makefile.am \| 1 +
	18	grub-core/Makefile.core.def \| 6 +-----
	19	grub-core/kern/main.c \| 4 ++++
	20	grub-core/{commands => kern}/verifiers.c \| 8 ++------
	21	include/grub/verify.h \| 9 ++++++---
	22	5 files changed, 14 insertions(+), 14 deletions(-)
	23	rename grub-core/{commands => kern}/verifiers.c (97%)
	24
	25	diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
	26	index 3ea8e7f..375c30d 100644
	27	--- a/grub-core/Makefile.am
	28	+++ b/grub-core/Makefile.am
	29	@@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
	30	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
	31	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
	32	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
	33	+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
	34	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
	35	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
	36	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
	37	diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
	38	index 474a63e..cff02f2 100644
	39	--- a/grub-core/Makefile.core.def
	40	+++ b/grub-core/Makefile.core.def
	41	@@ -140,6 +140,7 @@ kernel = {
	42	common = kern/rescue_parser.c;
	43	common = kern/rescue_reader.c;
	44	common = kern/term.c;
	45	+ common = kern/verifiers.c;
	46
	47	noemu = kern/compiler-rt.c;
	48	noemu = kern/mm.c;
	49	@@ -942,11 +943,6 @@ module = {
	50	cppflags = '-I$(srcdir)/lib/posix_wrap';
	51	};
	52
	53	-module = {
	54	- name = verifiers;
	55	- common = commands/verifiers.c;
	56	-};
	57	-
	58	module = {
	59	name = shim_lock;
	60	common = commands/efi/shim_lock.c;
	61	diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
	62	index 9cad0c4..73967e2 100644
	63	--- a/grub-core/kern/main.c
	64	+++ b/grub-core/kern/main.c
	65	@@ -29,6 +29,7 @@
	66	#include <grub/command.h>
	67	#include <grub/reader.h>
	68	#include <grub/parser.h>
	69	+#include <grub/verify.h>
	70
	71	#ifdef GRUB_MACHINE_PCBIOS
	72	#include <grub/machine/memory.h>
	73	@@ -274,6 +275,9 @@ grub_main (void)
	74	grub_printf ("Welcome to GRUB!\n\n");
	75	grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
	76
	77	+ /* Init verifiers API. */
	78	+ grub_verifiers_init ();
	79	+
	80	grub_load_config ();
	81
	82	grub_boot_time ("Before loading embedded modules.");
	83	diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c
	84	similarity index 97%
	85	rename from grub-core/commands/verifiers.c
	86	rename to grub-core/kern/verifiers.c
	87	index 0dde481..aa3dc7c 100644
	88	--- a/grub-core/commands/verifiers.c
	89	+++ b/grub-core/kern/verifiers.c
	90	@@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
	91	return GRUB_ERR_NONE;
	92	}
	93
	94	-GRUB_MOD_INIT(verifiers)
	95	+void
	96	+grub_verifiers_init (void)
	97	{
	98	grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
	99	}
	100	-
	101	-GRUB_MOD_FINI(verifiers)
	102	-{
	103	- grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
	104	-}
	105	diff --git a/include/grub/verify.h b/include/grub/verify.h
	106	index ea04914..cd129c3 100644
	107	--- a/include/grub/verify.h
	108	+++ b/include/grub/verify.h
	109	@@ -64,7 +64,10 @@ struct grub_file_verifier
	110	grub_err_t (verify_string) (char str, enum grub_verify_string_type type);
	111	};
	112
	113	-extern struct grub_file_verifier *grub_file_verifiers;
	114	+extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
	115	+
	116	+extern void
	117	+grub_verifiers_init (void);
	118
	119	static inline void
	120	grub_verifier_register (struct grub_file_verifier *ver)
	121	@@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
	122	grub_list_remove (GRUB_AS_LIST (ver));
	123	}
	124
	125	-grub_err_t
	126	-grub_verify_string (char *str, enum grub_verify_string_type type);
	127	+extern grub_err_t
	128	+EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
	129
	130	#endif /* ! GRUB_VERIFY_HEADER */