1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20225.patch b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
new file mode 100644
index 0000000000..b864febe62
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
+From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: lib/arg: Block repeated short options that require an argument
+Fuzzing found the following crash:
+  search -hhhhhhhhhhhhhf
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+This fixes a OOB write which can cause heap corruption.
+Fixes: CVE-2021-20225
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
+CVE: CVE-2021-20225
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/lib/arg.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609..537c5e9 100644
+--- a/grub-core/lib/arg.c
+++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+                 it can have an argument value.  */
+              if (*curshort)
+                {
+                 /*
+                  * Only permit further short opts if this one doesn't
+                  * require a value.
+                  */
+                 if (opt->type != ARG_TYPE_NONE &&
+                     !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
+                   {
+                     grub_error (GRUB_ERR_BAD_ARGUMENT,
+                                 N_("missing mandatory option for `%s'"),
+                                 opt->longarg);
+                     goto fail;
+                   }
+
+                  if (parse_option (cmd, opt, 0, usr) || grub_errno)
+                    goto fail;
+                }
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20225.patch b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch new file mode 100644 index 0000000000..b864febe62 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
	1	From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
	2	From: Daniel Axtens <dja@axtens.net>
	3	Date: Fri, 22 Jan 2021 16:07:29 +1100
	4	Subject: lib/arg: Block repeated short options that require an argument
	5
	6	Fuzzing found the following crash:
	7
	8	search -hhhhhhhhhhhhhf
	9
	10	We didn't allocate enough option space for 13 hints because the
	11	allocation code counts the number of discrete arguments (i.e. argc).
	12	However, the shortopt parsing code will happily keep processing
	13	a combination of short options without checking if those short
	14	options require an argument. This means you can easily end writing
	15	past the allocated option space.
	16
	17	This fixes a OOB write which can cause heap corruption.
	18
	19	Fixes: CVE-2021-20225
	20
	21	Reported-by: Daniel Axtens <dja@axtens.net>
	22	Signed-off-by: Daniel Axtens <dja@axtens.net>
	23	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	24
	25	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
	26	CVE: CVE-2021-20225
	27	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	28	---
	29	grub-core/lib/arg.c \| 13 +++++++++++++
	30	1 file changed, 13 insertions(+)
	31
	32	diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
	33	index 3288609..537c5e9 100644
	34	--- a/grub-core/lib/arg.c
	35	+++ b/grub-core/lib/arg.c
	36	@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
	37	it can have an argument value. */
	38	if (*curshort)
	39	{
	40	+ /*
	41	+ * Only permit further short opts if this one doesn't
	42	+ * require a value.
	43	+ */
	44	+ if (opt->type != ARG_TYPE_NONE &&
	45	+ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
	46	+ {
	47	+ grub_error (GRUB_ERR_BAD_ARGUMENT,
	48	+ N_("missing mandatory option for `%s'"),
	49	+ opt->longarg);
	50	+ goto fail;
	51	+ }
	52	+
	53	if (parse_option (cmd, opt, 0, usr) \|\| grub_errno)
	54	goto fail;
	55	}
	56	--
	57	2.25.1
	58