Diffstat (limited to 'meta/recipes-bsp')
91 files changed, 6561 insertions, 9 deletions
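--- a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
+++ b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
@@ -10,7 +10,7 @@ DEPENDS = "efivar popt"
 
 COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 
-SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https \
+SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=master \
 file://0001-remove-extra-decl.patch \
 file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \
 "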
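--- /dev/null
+++ b/meta/recipes-bsp/efivar/efivar/determinism.patch
@@ -0,0 +1,18 @@
+Fix reproducibility issue caused by unsorted wildcard expansion.
+
+Upstream-Status: Pending
+RP 2021/3/1
+
+Index: git/src/Makefile
+===================================================================
+--- git.orig/src/Makefile
++++ git/src/Makefile
+@@ -15,7 +15,7 @@ TARGETS=$(LIBTARGETS) $(BINTARGETS) $(PC
+STATICTARGETS=$(STATICLIBTARGETS) $(STATICBINTARGETS)
+
+LIBEFIBOOT_SOURCES = crc32.c creator.c disk.c gpt.c loadopt.c path-helpers.c \
+- linux.c $(wildcard linux-*.c)
++ linux.c $(sort $(wildcard linux-*.c))
+LIBEFIBOOT_OBJECTS = $(patsubst %.c,%.o,$(LIBEFIBOOT_SOURCES))
+LIBEFIVAR_SOURCES = dp.c dp-acpi.c dp-hw.c dp-media.c dp-message.c \
+efivarfs.c error.c export.c guid.c guids.S guid-symbols.c \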
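--- a/meta/recipes-bsp/efivar/efivar_37.bb
+++ b/meta/recipes-bsp/efivar/efivar_37.bb
@@ -7,7 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6626bb1e20189cfa95f2c508ba286393"
 
 COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 
-SRC_URI = "git://github.com/rhinstaller/efivar.git \
+SRC_URI = "git://github.com/rhinstaller/efivar.git;branch=main;protocol=https \
+file://determinism.patch \
 file://no-werror.patch"
 SRCREV = "c1d6b10e1ed4ba2be07f385eae5bceb694478a10"
 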
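--- a/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
+++ b/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Libraries for producing EFI binaries"
 HOMEPAGE = "http://sourceforge.net/projects/gnu-efi/"
+DESCRIPTION = "GNU-EFI aims to Develop EFI applications for ARM-64, ARM-32, x86_64, IA-64 (IPF), IA-32 (x86), and MIPS platforms using the GNU toolchain and the EFI development environment."
 SECTION = "devel"
 LICENSE = "GPLv2+ | BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://gnuefi/crt0-efi-arm.S;beginline=4;endline=16;md5=e582764a4776e60c95bf9ab617343d36 \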
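--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
@@ -0,0 +1,39 @@
+From 0900f11def2e7fbb4880efff0cd9c9b32f1cdb86 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 3 Dec 2020 14:39:45 +0000
+Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
+
+When returning from grub_mmap_iterate() the memory allocated to present
+is not being released causing it to leak.
+
+Fixes: CID 96655
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8cb2848f9699642a698af84b12ba187cab722031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/mmap/mmap.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 7ebf32e..8bf235f 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+hook_data))
+{
+grub_free (ctx.scanline_events);
++ grub_free (present);
+return GRUB_ERR_NONE;
+}
+
+@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+}
+
+grub_free (ctx.scanline_events);
++ grub_free (present);
+return GRUB_ERR_NONE;
+}
+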
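--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
@@ -0,0 +1,39 @@
+From f216a75e884ed5e4e94bf86965000dde51148f94 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 27 Nov 2020 15:10:26 +0000
+Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
+
+It is always possible that grub_zalloc() could fail, so we should check for
+a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
+
+Fixes: CID 296221
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03f2515ae0c503406f1a99a2178405049c6555db]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/net/net.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 38f19df..7c2cdf2 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -86,8 +86,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
+
+/* Add sender to cache table. */
+if (card->link_layer_table == NULL)
+- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
+- * sizeof (card->link_layer_table[0]));
++ {
++ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
++ * sizeof (card->link_layer_table[0]));
++ if (card->link_layer_table == NULL)
++ return;
++ }
++
+entry = &(card->link_layer_table[card->new_ll_entry]);
+entry->avail = 1;
+grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));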
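Review bot: The new failure branch `if (card->link_layer_table == NULL) return;` drops the allocation failure silently: the function returns nothing, so a caller cannot tell that the sender was never cached, and the hunk records no error or log line. If that is deliberate best-effort behaviour, say so at the check, e.g. `/* Allocation failed: skip caching this entry instead of dereferencing NULL. */`. Whether grub_zalloc() already sets an error code on failure is not visible here and should be confirmed before relying on it. The body of grub_net_link_layer_add_address starts and ends outside the hunk.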
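--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch
@@ -0,0 +1,33 @@
+From 09cc0df477758b60f51fbc0da1dee2f5d54c333d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 19 Feb 2021 17:12:23 +0000
+Subject: [PATCH] net/tftp: Fix dangling memory pointer
+
+The static code analysis tool, Parfait, reported that the valid of
+file->data was left referencing memory that was freed by the call to
+grub_free(data) where data was initialized from file->data.
+
+To ensure that there is no unintentional access to this memory
+referenced by file->data we should set the pointer to NULL.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0cb838b281a68b536a09681f9557ea6a7ac5da7a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/net/tftp.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 7d90bf6..f76b19f 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -468,6 +468,7 @@ tftp_close (struct grub_file *file)
+}
+destroy_pq (data);
+grub_free (data);
++ file->data = NULL;
+return GRUB_ERR_NONE;
+}
+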
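--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch
@@ -0,0 +1,50 @@
+From 8861fa6226f7229105722ba669465e879b56ee2b Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 22 Jan 2021 12:32:41 +0000
+Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
+
+After processing the command-line yet arriving at the point where we are
+setting argv, we are allocating memory, even if argc == 0, which makes
+no sense since we never put anything into the allocated argv.
+
+The solution is to simply return that we've successfully processed the
+arguments but that argc == 0, and also ensure that argv is NULL when
+we're not allocating anything in it.
+
+There are only 2 callers of this function, and both are handling a zero
+value in argc assuming nothing is allocated in argv.
+
+Fixes: CID 96680
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d06161b035dde4769199ad65aa0a587a5920012b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/parser.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 619db31..d1cf061 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
+int i;
+
+*argc = 0;
++ *argv = NULL;
+do
+{
+if (!rd || !*rd)
+@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
+(*argc)++;
+}
+
++ /* If there are no args, then we're done. */
++ if (!*argc)
++ return 0;
++
+/* Reserve memory for the return values. */
+args = grub_malloc (bp - buffer);
+if (!args)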
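--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
@@ -0,0 +1,235 @@
+From 16a4d739b19f8680cf93a3c8fa0ae9fc1b1c310b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 16:53:27 -0400
+Subject: [PATCH] efi: Fix some malformed device path arithmetic errors
+
+Several places we take the length of a device path and subtract 4 from
+it, without ever checking that it's >= 4. There are also cases where
+this kind of malformation will result in unpredictable iteration,
+including treating the length from one dp node as the type in the next
+node. These are all errors, no matter where the data comes from.
+
+This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
+can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
+return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
+the length is too small. Additionally, it makes several places in the
+code check for and return errors in these cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d2cf823d0e31818d1b7a223daff6d5e006596543]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/efi/efi.c | 64 +++++++++++++++++++++++++-----
+grub-core/loader/efi/chainloader.c | 13 +++++-
+grub-core/loader/i386/xnu.c | 9 +++--
+include/grub/efi/api.h | 14 ++++---
+4 files changed, 79 insertions(+), 21 deletions(-)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index ad170c7..6a38080 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -360,7 +360,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+dp = dp0;
+
+- while (1)
++ while (dp)
+{
+grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -370,9 +370,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
+&& subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE)
+{
+- grub_efi_uint16_t len;
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+filesize += GRUB_MAX_UTF8_PER_UTF16 * len + 2;
+}
+
+@@ -388,7 +394,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+if (!name)
+return NULL;
+
+- while (1)
++ while (dp)
+{
+grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -404,8 +410,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+*p++ = '/';
+
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+fp = (grub_efi_file_path_device_path_t *) dp;
+/* According to EFI spec Path Name is NULL terminated */
+while (len > 0 && fp->path_name[len - 1] == 0)
+@@ -480,7 +493,26 @@ grub_efi_duplicate_device_path (const grub_efi_device_path_t *dp)
+;
+p = GRUB_EFI_NEXT_DEVICE_PATH (p))
+{
+- total_size += GRUB_EFI_DEVICE_PATH_LENGTH (p);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (p);
++
++ /*
++ * In the event that we find a node that's completely garbage, for
++ * example if we get to 0x7f 0x01 0x02 0x00 ... (EndInstance with a size
++ * of 2), GRUB_EFI_END_ENTIRE_DEVICE_PATH() will be true and
++ * GRUB_EFI_NEXT_DEVICE_PATH() will return NULL, so we won't continue,
++ * and neither should our consumers, but there won't be any error raised
++ * even though the device path is junk.
++ *
++ * This keeps us from passing junk down back to our caller.
++ */
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ total_size += len;
+if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (p))
+break;
+}
+@@ -525,7 +557,7 @@ dump_vendor_path (const char *type, grub_efi_vendor_device_path_t *vendor)
+void
+grub_efi_print_device_path (grub_efi_device_path_t *dp)
+{
+- while (1)
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp))
+{
+grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -937,7 +969,10 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+/* Return non-zero. */
+return 1;
+
+- while (1)
++ if (dp1 == dp2)
++ return 0;
++
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
+{
+grub_efi_uint8_t type1, type2;
+grub_efi_uint8_t subtype1, subtype2;
+@@ -973,5 +1008,14 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+dp2 = (grub_efi_device_path_t *) ((char *) dp2 + len2);
+}
+
++ /*
++ * There's no "right" answer here, but we probably don't want to call a valid
++ * dp and an invalid dp equal, so pick one way or the other.
++ */
++ if (GRUB_EFI_DEVICE_PATH_VALID (dp1) && !GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return 1;
++ else if (!GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return -1;
++
+return 0;
+}
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index daf8c6b..a8d7b91 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -156,9 +156,18 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+
+size = 0;
+d = dp;
+- while (1)
++ while (d)
+{
+- size += GRUB_EFI_DEVICE_PATH_LENGTH (d);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (d);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ size += len;
+if ((GRUB_EFI_END_ENTIRE_DEVICE_PATH (d)))
+break;
+d = GRUB_EFI_NEXT_DEVICE_PATH (d);
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index b7d176b..c50cb54 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -516,14 +516,15 @@ grub_cmd_devprop_load (grub_command_t cmd __attribute__ ((unused)),
+
+devhead = buf;
+buf = devhead + 1;
+- dpstart = buf;
++ dp = dpstart = buf;
+
+- do
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)
+{
+- dp = buf;
+buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
++ break;
++ dp = buf;
+}
+- while (!GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp) && buf < bufend);
+
+dev = grub_xnu_devprop_add_device (dpstart, (char *) buf
+- (char *) dpstart);
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index addcbfa..cf1355a 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -625,6 +625,7 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+#define GRUB_EFI_DEVICE_PATH_TYPE(dp) ((dp)->type & 0x7f)
+#define GRUB_EFI_DEVICE_PATH_SUBTYPE(dp) ((dp)->subtype)
+#define GRUB_EFI_DEVICE_PATH_LENGTH(dp) ((dp)->length)
++#define GRUB_EFI_DEVICE_PATH_VALID(dp) ((dp) != NULL && GRUB_EFI_DEVICE_PATH_LENGTH (dp) >= 4)
+
+/* The End of Device Path nodes. */
+#define GRUB_EFI_END_DEVICE_PATH_TYPE (0xff & 0x7f)
+@@ -633,13 +634,16 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+#define GRUB_EFI_END_THIS_DEVICE_PATH_SUBTYPE 0x01
+
+#define GRUB_EFI_END_ENTIRE_DEVICE_PATH(dp) \
+- (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
+- && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
+- == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE))
++ (!GRUB_EFI_DEVICE_PATH_VALID (dp) || \
++ (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
++ && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
++ == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE)))
+
+#define GRUB_EFI_NEXT_DEVICE_PATH(dp) \
+- ((grub_efi_device_path_t *) ((char *) (dp) \
+- + GRUB_EFI_DEVICE_PATH_LENGTH (dp)))
++ (GRUB_EFI_DEVICE_PATH_VALID (dp) \
++ ? ((grub_efi_device_path_t *) \
++ ((char *) (dp) + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) \
++ : NULL)
+
+/* Hardware Device Path. */
+#define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1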
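Review bot: In the xnu.c hunk the new loop condition `while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)` reads `dp->length` through the macro before `buf < bufend` is tested, and `buf < bufend` alone does not show that a whole 4-byte node header lies inside the buffer. The bound should come first and cover the header, for example `while ((char *) buf + 4 <= (char *) bufend && GRUB_EFI_DEVICE_PATH_VALID (dp))`. The loop can also leave `buf` past `bufend` when the last node's length overshoots, so the size `(char *) buf - (char *) dpstart` handed to grub_xnu_devprop_add_device() should be preceded by a check that rejects `buf > bufend`. The types of `buf` and `bufend` are declared outside the hunk, so the casts are an assumption to confirm.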
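--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch
@@ -0,0 +1,30 @@
+From d4fd0243920b71cc6e03cc0cadf23b4fe03c352f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:15:25 +0000
+Subject: [PATCH] kern/efi: Fix memory leak on failure
+
+Free the memory allocated to name before returning on failure.
+
+Fixes: CID 296222
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ed286ceba6015d37a9304f04602451c47bf195d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/efi/efi.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6a38080..baeeef0 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -415,6 +415,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+{
+grub_error (GRUB_ERR_OUT_OF_RANGE,
+"malformed EFI Device Path node has length=%d", len);
++ grub_free (name);
+return NULL;
+}
+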
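--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,65 @@
+From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 11 Dec 2020 15:03:13 +0000
+Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
+
+The model of grub_efi_get_memory_map() is that if memory_map is NULL,
+then the purpose is to discover how much memory should be allocated to
+it for the subsequent call.
+
+The problem here is that with grub_efi_is_finished set to 1, there is no
+check at all that the function is being called with a non-NULL memory_map.
+
+While this MAY be true, we shouldn't assume it.
+
+The solution to this is to behave as expected, and if memory_map is NULL,
+then don't try to use it and allow memory_map_size to be filled in, and
+return 0 as is done later in the code if the buffer is too small (or NULL).
+
+Additionally, drop unneeded ret = 1.
+
+Fixes: CID 96632
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/efi/mm.c | 19 ++++++++++++++-----
+1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index b02fab1..5afcef7 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
+if (grub_efi_is_finished)
+{
+int ret = 1;
+- if (*memory_map_size < finish_mmap_size)
++
++ if (memory_map != NULL)
+{
+- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+- ret = 0;
++ if (*memory_map_size < finish_mmap_size)
++ {
++ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
++ ret = 0;
++ }
++ else
++ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+}
+else
+{
+- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+- ret = 1;
++ /*
++ * Incomplete, no buffer to copy into, same as
++ * GRUB_EFI_BUFFER_TOO_SMALL below.
++ */
++ ret = 0;
+}
+*memory_map_size = finish_mmap_size;
+if (map_key)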
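--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch
@@ -0,0 +1,59 @@
+From 9d36bce5d516b6379ba3a0dd1a94a9c035838827 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:41:27 +0000
+Subject: [PATCH] gnulib/regexec: Resolve unused variable
+
+This is a really minor issue where a variable is being assigned to but
+not checked before it is overwritten again.
+
+The reason for this issue is that we are not building with DEBUG set and
+this in turn means that the assert() that reads the value of the
+variable match_last is being processed out.
+
+The solution, move the assignment to match_last in to an ifdef DEBUG too.
+
+Fixes: CID 292459
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a983d36bd9178d377d2072fd4b11c635fdc404b4]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+conf/Makefile.extra-dist | 1 +
+.../lib/gnulib-patches/fix-unused-value.patch | 14 ++++++++++++++
+2 files changed, 15 insertions(+)
+create mode 100644 grub-core/lib/gnulib-patches/fix-unused-value.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 46c4e95..9b01152 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+EXTRA_DIST += grub-core/genemuinitheader.sh
+
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+
+diff --git a/grub-core/lib/gnulib-patches/fix-unused-value.patch b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+new file mode 100644
+index 0000000..ba51f1b
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+@@ -0,0 +1,14 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-10-21 14:32:07.961765604 +0000
++@@ -828,7 +828,11 @@
++ break;
++ if (__glibc_unlikely (err != REG_NOMATCH))
++ goto free_return;
+++#ifdef DEBUG
+++ /* Only used for assertion below when DEBUG is set, otherwise
+++ it will be over-written when we loop around. */
++ match_last = -1;
+++#endif
++ }
++ else
++ break; /* We found a match. */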
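Review bot: The nested patch only adds `fix-unused-value.patch` under grub-core/lib/gnulib-patches/ and lists it in `EXTRA_DIST`; nothing in its two-file diffstat applies it to lib/regexec.c. The `#ifdef DEBUG` guard therefore reaches the compiled sources only if the build's gnulib patching step picks this file up, which is not visible on this page and should be confirmed for the recipe. If that step does not run in this build, the recipe carries a change with no effect, and the backport note in the patch header should say so. The 0009 fix-uninit-structure.patch section that follows has the same shape.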
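--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch
@@ -0,0 +1,53 @@
+From 2af8df02cca7fd4b584575eac304cd03fa23f5cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 22 Oct 2020 13:54:06 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
+
+The code is assuming that the value of br_token.constraint was
+initialized to zero when it wasn't.
+
+While some compilers will ensure that, not all do, so it is better to
+fix this explicitly than leave it to chance.
+
+Fixes: CID 73749
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=75c3d3cec4f408848f575d6d5e30a95bd6313db0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+conf/Makefile.extra-dist | 1 +
+.../lib/gnulib-patches/fix-uninit-structure.patch | 11 +++++++++++
+2 files changed, 12 insertions(+)
+create mode 100644 grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9b01152..9e55458 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+EXTRA_DIST += grub-core/genemuinitheader.sh
+
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-uninit-structure.patch b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+new file mode 100644
+index 0000000..7b4d9f6
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+@@ -0,0 +1,11 @@
++--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000
+++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000
++@@ -3662,7 +3662,7 @@
++ Idx alloc = 0;
++ #endif /* not RE_ENABLE_I18N */
++ reg_errcode_t ret;
++- re_token_t br_token;
+++ re_token_t br_token = {0};
++ bin_tree_t *tree;
++
++ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);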
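--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
@@ -0,0 +1,52 @@
+From eaf9da8b5f8349c51cfc89dd8e39a1a61f89790a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 28 Oct 2020 14:43:01 +0000
+Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
+
+All other instances of call to __argp_failure() where there is
+a dgettext() call is first checking whether state is NULL before
+attempting to dereference it to get the root_argp->argp_domain.
+
+Fixes: CID 292436
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3a37bf120a9194c373257c70175cdb5b337bc107]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+conf/Makefile.extra-dist | 1 +
+.../lib/gnulib-patches/fix-null-state-deref.patch | 12 ++++++++++++
+2 files changed, 13 insertions(+)
+create mode 100644 grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9e55458..96d7e69 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+EXTRA_DIST += grub-core/genemuinitheader.sh
+
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-null-state-deref.patch b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+new file mode 100644
+index 0000000..813ec09
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000
+++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000
++@@ -145,7 +145,8 @@
++ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
++ {
++ __argp_failure (state, 0, 0,
++- dgettext (state->root_argp->argp_domain,
+++ dgettext (state == NULL ? NULL
+++ : state->root_argp->argp_domain,
++ "\
++ ARGP_HELP_FMT: %s value is less than or equal to %s"),
++ "rmargin", up->name);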
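--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch
@@ -0,0 +1,53 @@
+From 244dc2b1f518635069a556c424b2e7627f0cf036 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:57:14 +0000
+Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
+
+It appears to be possible that the mctx->state_log field may be NULL,
+and the name of this function, clean_state_log_if_needed(), suggests
+that it should be checking that it is valid to be cleaned before
+assuming that it does.
+
+Fixes: CID 86720
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0b7f347638153e403ee2dd518af3ce26f4f99647]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+conf/Makefile.extra-dist | 1 +
+.../lib/gnulib-patches/fix-regexec-null-deref.patch | 12 ++++++++++++
+2 files changed, 13 insertions(+)
+create mode 100644 grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 96d7e69..d27d3a9 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+new file mode 100644
+index 0000000..db6dac9
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
++@@ -1692,6 +1692,9 @@
++ {
++ Idx top = mctx->state_log_top;
++
+++ if (mctx->state_log == NULL)
+++ return REG_NOERROR;
+++
++ if ((next_state_log_idx >= mctx->input.bufs_len
++ && mctx->input.bufs_len < mctx->input.len)
++ || (next_state_log_idx >= mctx->input.valid_len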
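Review bot: The new `if (mctx->state_log == NULL) return REG_NOERROR;` sits ahead of the `bufs_len`/`valid_len` conditions, so a NULL log now reports success without reaching whatever those branches do; their bodies are outside the hunk, so it is not visible here whether any caller depends on them. A short comment on the guard would record the intent, for example `/* state_log is not allocated for this match; nothing to clean. */`. If a NULL log is not an expected state at this point, an error return would be safer than REG_NOERROR, but that needs confirming against the callers.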
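--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch
@@ -0,0 +1,55 @@
+From 512b6bb380a77233b88c84b7a712896c70281d2f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 18:04:22 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
+
+This issue has been fixed in the latest version of gnulib, so to
+maintain consistency, I've backported that change rather than doing
+something different.
+
+Fixes: CID 73828
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03477085f9a33789ba6cca7cd49ab9326a1baa0e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+conf/Makefile.extra-dist | 1 +
+.../gnulib-patches/fix-regcomp-uninit-token.patch | 15 +++++++++++++++
+2 files changed, 16 insertions(+)
+create mode 100644 grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index d27d3a9..ffe6829 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+new file mode 100644
+index 0000000..02e0631
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+@@ -0,0 +1,15 @@
++--- a/lib/regcomp.c 2020-11-24 17:06:08.159223858 +0000
+++++ b/lib/regcomp.c 2020-11-24 17:06:15.630253923 +0000
++@@ -3808,11 +3808,7 @@
++ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
++ re_token_type_t type)
++ {
++- re_token_t t;
++-#if defined GCC_LINT || defined lint
++- memset (&t, 0, sizeof t);
++-#endif
++- t.type = type;
+++ re_token_t t = { .type = type };
++ return create_token_tree (dfa, left, right, &t);
++ }
++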
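--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
@@ -0,0 +1,41 @@
+From c529ca446424f1a9c64f0007dfe31fa7645d13ac Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:44:10 +0000
+Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
+
+These 2 assignments are unnecessary since they are just assigning
+to themselves.
+
+Fixes: CID 73643
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=59666e520f44177c97b82a44c169b3b315d63b42]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/io/lzopio.c | 4 ----
+1 file changed, 4 deletions(-)
+
+diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
+index 3014485..a7d4425 100644
+--- a/grub-core/io/lzopio.c
++++ b/grub-core/io/lzopio.c
+@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
+sizeof (lzopio->block.ucheck)) !=
+sizeof (lzopio->block.ucheck))
+return -1;
+-
+- lzopio->block.ucheck = lzopio->block.ucheck;
+}
+
+/* Read checksum of compressed data. */
+@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
+sizeof (lzopio->block.ccheck)) !=
+sizeof (lzopio->block.ccheck))
+return -1;
+-
+- lzopio->block.ccheck = lzopio->block.ccheck;
+}
+}
+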
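--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch
@@ -0,0 +1,34 @@
+From f55ffe6bd8b844a8cd9956702f42ac2eb96ad56f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:29:59 +0000
+Subject: [PATCH] zstd: Initialize seq_t structure fully
+
+While many compilers will initialize this to zero, not all will, so it
+is better to be sure that fields not being explicitly set are at known
+values, and there is code that checks this fields value elsewhere in the
+code.
+
+Fixes: CID 292440
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2777cf4466719921dbe4b30af358a75e7d76f217]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/lib/zstd/zstd_decompress.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/zstd/zstd_decompress.c b/grub-core/lib/zstd/zstd_decompress.c
+index 711b5b6..e4b5670 100644
+--- a/grub-core/lib/zstd/zstd_decompress.c
++++ b/grub-core/lib/zstd/zstd_decompress.c
+@@ -1325,7 +1325,7 @@ typedef enum { ZSTD_lo_isRegularOffset, ZSTD_lo_isLongOffset=1 } ZSTD_longOffset
+FORCE_INLINE_TEMPLATE seq_t
+ZSTD_decodeSequence(seqState_t* seqState, const ZSTD_longOffset_e longOffsets)
+{
+- seq_t seq;
++ seq_t seq = {0};
+U32 const llBits = seqState->stateLL.table[seqState->stateLL.state].nbAdditionalBits;
+U32 const mlBits = seqState->stateML.table[seqState->stateML.state].nbAdditionalBits;
+U32 const ofBits = seqState->stateOffb.table[seqState->stateOffb.state].nbAdditionalBits;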
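--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch
@@ -0,0 +1,43 @@
+From 0da8ef2e03a8591586b53a29af92d2ace76a04e3 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 09:49:59 +0000
+Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
+string
+
+There is the possibility that the value of str comes from an external
+source and continuing to use it before ever checking its validity is
+wrong. So, needs fixing.
+
+Additionally, drop unneeded part initialization.
+
+Fixes: CID 292444
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bc9c468a2ce84bc767234eec888b71f1bc744fff]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/partition.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
+index e499147..b10a184 100644
+--- a/grub-core/kern/partition.c
++++ b/grub-core/kern/partition.c
+@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
+grub_partition_t
+grub_partition_probe (struct grub_disk *disk, const char *str)
+{
+- grub_partition_t part = 0;
++ grub_partition_t part;
+grub_partition_t curpart = 0;
+grub_partition_t tail;
+const char *ptr;
+
++ if (str == NULL)
++ return 0;
++
+part = tail = disk->partition;
+
+for (ptr = str; *ptr;)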
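Review bot: The added guard in grub_partition_probe() returns the integer `0` from a pointer-returning function and records no error, so a caller cannot tell a NULL `str` from a string that names no partition; `return NULL;` would read more clearly, and setting an error through grub_error() may be worth considering if callers inspect grub_errno (not visible here). `disk` is still dereferenced on the following line (`disk->partition`) without a check, so the guard covers only one of the two pointer arguments. The function body continues past the end of the hunk.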
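--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
@@ -0,0 +1,128 @@
+From 0c5d0fd796e6cafba179321de396681a493c4158 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 7 Dec 2020 11:53:03 -0300
+Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
+make_vg()
+
+Several error handling paths in make_vg() do not free comp data before
+jumping to fail2 label and returning from the function. This will leak
+memory. So, let's fix all issues of that kind.
+
+Fixes: CID 73804
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=23e39f50ca7a107f6b66396ed4d177a914dee035]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++------
+1 file changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 58f8a53..428415f 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
+comp->segments = grub_calloc (comp->segment_alloc,
+sizeof (*comp->segments));
+if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+}
+else
+{
+@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
+comp->segment_count = 1;
+comp->segments = grub_malloc (sizeof (*comp->segments));
+if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+comp->segments->start_extent = 0;
+comp->segments->extent_count = lv->size;
+comp->segments->layout = 0;
+@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
+comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
+}
+else
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ptr += *ptr + 1;
+ptr++;
+if (!(vblk[i].flags & 0x10))
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
+|| ptr + *ptr + 1 >= vblk[i].dynamic
++ sizeof (vblk[i].dynamic))
+{
++ grub_free (comp->segments);
+grub_free (comp->internal_id);
+grub_free (comp);
+goto fail2;
+@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
+if (ptr + *ptr + 1 >= vblk[i].dynamic
++ sizeof (vblk[i].dynamic))
+{
++ grub_free (comp->segments);
+grub_free (comp->internal_id);
+grub_free (comp);
+goto fail2;
+@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
+comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+sizeof (*comp->segments->nodes));
+if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+}
+
+if (lv->segments->node_alloc == lv->segments->node_count)
+@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
+
+if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
+grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+
+t = grub_realloc (lv->segments->nodes, sz);
+if (!t)
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+lv->segments->nodes = t;
+}
+lv->segments->nodes[lv->segments->node_count].pv = 0;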
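Review bot: In the `@@ -601,7 +621,12 @@` hunk the allocation is stored in `comp->segments->nodes`, but the check that guards the new cleanup block tests `lv->segments->nodes`, so a failed grub_calloc() for `comp` is not caught there, and a NULL `lv->segments->nodes` would discard a successful allocation without freeing it; the condition looks like it should be `if (!comp->segments->nodes)`. Separately, the same free sequence is now written out at nine exits, which makes it easy for one of them to drift from the others; a single cleanup label placed ahead of `fail2` that frees `comp->segments`, `comp->internal_id` and `comp` would keep them in step. All hunks are inside make_vg(), whose body starts and ends outside them.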
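--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
@@ -0,0 +1,28 @@
+From 253485e8df3c9dedac848567e638157530184295 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 7 Dec 2020 10:07:47 -0300
+Subject: [PATCH] disk/ldm: If failed then free vg variable too
+
+Fixes: CID 73809
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e0b83df5da538d2a38f770e60817b3a4b9d5b4d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/disk/ldm.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 428415f..54713f4 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
+{
+grub_free (vg->uuid);
+grub_free (vg->name);
++ grub_free (vg);
+return NULL;
+}
+grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);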
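--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
@@ -0,0 +1,50 @@
+From 3e1d2f1959acbe5152cdd5818d495f6455d1a158 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 10:00:51 +0000
+Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
+
+The problem here is that the memory allocated to the variable lv is not
+yet inserted into the list that is being processed at the label fail2.
+
+As we can already see at line 342, which correctly frees lv before going
+to fail2, we should also be doing that at these earlier jumps to fail2.
+
+Fixes: CID 73824
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=156c281a1625dc73fd350530630c6f2d5673d4f6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/disk/ldm.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 54713f4..e82e989 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
+lv->visible = 1;
+lv->segments = grub_zalloc (sizeof (*lv->segments));
+if (!lv->segments)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+lv->segments->start_extent = 0;
+lv->segments->type = GRUB_DISKFILTER_MIRROR;
+lv->segments->node_count = 0;
+@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
+lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+sizeof (*lv->segments->nodes));
+if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ptr = vblk[i].dynamic;
+if (ptr + *ptr + 1 >= vblk[i].dynamic
++ sizeof (vblk[i].dynamic))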
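Review bot: In the second hunk `lv->segments` has already been allocated with grub_zalloc() when the `lv->segments->nodes` allocation fails, yet the new block frees only `lv`, so the segments structure is still leaked on that path; add `grub_free (lv->segments);` before `grub_free (lv);`. Any other members of `lv` allocated earlier in make_vg() would need the same treatment, but they are outside these hunks and would have to be checked in the full function.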
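--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
@@ -0,0 +1,50 @@
+From 2550aaa0c23fdf8b6c54e00c6b838f2e3aa81fe2 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 21 Jan 2021 11:38:31 +0000
+Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
+
+The encrypt and decrypt functions expect a grub_size_t. So, we need to
+ensure that the constant bit shift is using grub_size_t rather than
+unsigned int when it is performing the shift.
+
+Fixes: CID 307788
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a201ad17caa430aa710654fdf2e6ab4c8166f031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/disk/cryptodisk.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5037768..6883f48 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+case GRUB_CRYPTODISK_MODE_CBC:
+if (do_encrypt)
+err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+else
+err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+if (err)
+return err;
+break;
+@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+case GRUB_CRYPTODISK_MODE_PCBC:
+if (do_encrypt)
+err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+else
+err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+if (err)
+return err;
+break;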
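Review bot: Widening the constant to `(grub_size_t) 1` does not bound the shift count: `dev->log_sector_size` is used as-is in all four calls, and a value at or above the bit width of grub_size_t is undefined behaviour (on 32-bit targets that width is the same as for the old `1U`). If the field is filled from an on-disk header, it needs a range check where it is parsed; that code is not in these hunks, so this should be confirmed against the rest of the file. The expression is also repeated four times and could be computed once, e.g. `grub_size_t sector_size = (grub_size_t) 1 << dev->log_sector_size;`, inside grub_cryptodisk_endecrypt(), whose body starts outside the hunks.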
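--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
@@ -0,0 +1,43 @@
+From 7c1813eeec78892fa651046cc224ae4e80d0c94d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 17:09:31 +0000
+Subject: [PATCH] hfsplus: Check that the volume name length is valid
+
+HFS+ documentation suggests that the maximum filename and volume name is
+255 Unicode characters in length.
+
+So, when converting from big-endian to little-endian, we should ensure
+that the name of the volume has a length that is between 0 and 255,
+inclusive.
+
+Fixes: CID 73641
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2298f6e0d951251bb9ca97d891d1bc8b74515f8c]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/fs/hfsplus.c | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index dae43be..03c3c4c 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1007,6 +1007,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
+grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+
+label_len = grub_be_to_cpu16 (catkey->namelen);
++
++ /* Ensure that the length is >= 0. */
++ if (label_len < 0)
++ label_len = 0;
++
++ /* Ensure label length is at most 255 Unicode characters. */
++ if (label_len > 255)
++ label_len = 255;
++
+label_name = grub_calloc (label_len, sizeof (*label_name));
+if (!label_name)
+{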
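Review bot: The added checks in grub_hfsplus_label() clamp an out-of-range `namelen` instead of rejecting it, so a corrupt or crafted catalog key yields a silently truncated label where an error return for `label_len > 255` would make the bad volume visible. The `label_len < 0` branch looks unreachable, since grub_be_to_cpu16() produces a 16-bit unsigned value, unless `label_len` is declared as a signed 16-bit type; its declaration is outside the hunk. A named constant in place of the literal 255 would document the limit, and it is worth confirming that the code after the allocation copies `label_len` characters and not `catkey->namelen`. The function continues past the end of the hunk.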
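--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
@@ -0,0 +1,42 @@
+From c757779e5d09719666c3b155afd2421978a107bd Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 16:41:49 +0000
+Subject: [PATCH] zfs: Fix possible negative shift operation
+
+While it is possible for the return value from zfs_log2() to be zero
+(0), it is quite unlikely, given that the previous assignment to blksz
+is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
+assignment to epbs.
+
+But, while unlikely during a normal operation, it may be that a carefully
+crafted ZFS filesystem could result in a zero (0) value to the
+dn_datalbkszsec field, which means that the shift left does nothing
+and assigns zero (0) to blksz, resulting in a negative epbs value.
+
+Fixes: CID 73608
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a02091834d3e167320d8a262ff04b8e83c5e616d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/fs/zfs/zfs.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 36d0373..0c42cba 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
+blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
+mdn->endian) << SPA_MINBLOCKSHIFT;
+epbs = zfs_log2 (blksz) - DNODE_SHIFT;
++
++ /* While this should never happen, we should check that epbs is not negative. */
++ if (epbs < 0)
++ epbs = 0;
++
+blkid = objnum >> epbs;
+idx = objnum & ((1 << epbs) - 1);
+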
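Review bot: Clamping `epbs` to 0 lets dnode_get carry on with a dnode whose block size decoded to zero, instead of rejecting the filesystem. The commit message attributes this state to a crafted on-disk block-size field, and another patch on this page already treats `blksz == 0` in dnode_get_path as `GRUB_ERR_BAD_FS`. Doing the same here, `if (blksz == 0) return grub_error (GRUB_ERR_BAD_FS, "0-sized block");` placed before the `zfs_log2` call, would fail closed on corrupt metadata. The rest of dnode_get is outside the hunk, so confirm that nothing needs releasing before an early return at that point.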
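--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,121 @@
+From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+
+Fixes: CID 73741
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0c42cba..9087a72 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+{
+- grub_free (path_buf);
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ break;
+}
+err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+<< SPA_MINBLOCKSHIFT);
+
+if (blksz == 0)
+- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
++ {
++ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
++ break;
++ }
+
+sym_value = grub_malloc (sym_sz);
+if (!sym_value)
+- return grub_errno;
++ {
++ err = grub_errno;
++ break;
++ }
++
+for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+{
+void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+if (err)
+{
+grub_free (sym_value);
+- return err;
++ break;
+}
+
+movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+grub_memcpy (sym_value + block * blksz, t, movesize);
+grub_free (t);
+}
++ if (err)
++ break;
+free_symval = 1;
+}
+path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+grub_free (oldpathbuf);
+if (free_symval)
+grub_free (sym_value);
+- return grub_errno;
++ err = grub_errno;
++ break;
+}
+grub_memcpy (path, sym_value, sym_sz);
+if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+if (err)
+- return err;
++ break;
+}
+else
+{
+- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ break;
+}
+
+hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+if (!path_buf)
+{
+grub_free (oldpathbuf);
+- return grub_errno;
++ err = grub_errno;
++ break;
+}
+grub_memcpy (path, sym_value, sym_sz);
+path [sym_sz] = 0;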
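Review bot: The allocation `grub_malloc (sym_sz + grub_strlen (oldpath) + 1)`, kept as context in the hunk at -2903, is not checked for wrap-around, and the `grub_memcpy (path, sym_value, sym_sz)` after it copies `sym_sz` bytes into that buffer. `sym_sz` looks like it is derived from on-disk data (its origin is outside the hunks), so on a crafted filesystem the sum could wrap and the copy would overrun the buffer. Computing the size with `grub_add ()` from `<grub/safemath.h>` and breaking out with `GRUB_ERR_OUT_OF_RANGE` on overflow would close that. Separately, the new `break` paths rely on the cleanup after the `while (1)` loop to release `path_buf` and the `dnode_path` list; that code is outside these hunks and should be confirmed to handle every state the loop can now exit in.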
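--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
@@ -0,0 +1,56 @@
+From ec35d862f3567671048aa0d0d8ad1ded1fd25336 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 22:17:04 +0000
+Subject: [PATCH] zfs: Fix possible integer overflows
+
+In all cases the problem is that the value being acted upon by
+a left-shift is a 32-bit number which is then being used in the
+context of a 64-bit number.
+
+To avoid overflow we ensure that the number being shifted is 64-bit
+before the shift is done.
+
+Fixes: CID 73684, CID 73695, CID 73764
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=302c12ff5714bc455949117c1c9548ccb324d55b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/fs/zfs/zfs.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 9087a72..b078ccc 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
+ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
++ ((i << ub_shift)
+/ sizeof (grub_properly_aligned_t)));
+- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
++ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
+if (err)
+{
+grub_errno = GRUB_ERR_NONE;
+@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+high = grub_divmod64 ((offset >> desc->ashift) + c,
+desc->n_children, &devn);
+- csize = bsize << desc->ashift;
++ csize = (grub_size_t) bsize << desc->ashift;
+if (csize > len)
+csize = len;
+
+@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+while (len > 0)
+{
+- grub_size_t csize;
+- csize = ((s / (desc->n_children - desc->nparity))
++ grub_size_t csize = s;
++ csize = ((csize / (desc->n_children - desc->nparity))
+<< desc->ashift);
+if (csize > len)
+csize = len;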
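Review bot: Casting to `grub_size_t` widens the shift only on targets where `grub_size_t` is 64 bits; on 32-bit builds `(grub_size_t) 1 << ub_shift` and `(grub_size_t) bsize << desc->ashift` are still 32-bit shifts, so the commit message's "64-bit before the shift" does not hold there. None of the hunks bounds the shift count, and `ub_shift` and `desc->ashift` appear to come from the pool's on-disk configuration (they are set outside these hunks), so a count at or above the type width would be undefined behaviour. A range check where those fields are parsed, rejecting the pool with `GRUB_ERR_BAD_FS`, would cover all three sites. In the last hunk the divisor `desc->n_children - desc->nparity` is also not checked against zero within the visible lines.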
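--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
@@ -0,0 +1,35 @@
+From b085da8efda9b81f94aa197ee045226563554fdf Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:56:45 +0000
+Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
+
+While arguably the check for grub_errno is correct, we should really be
+checking the return value from the function since it is always possible
+that grub_errno was set elsewhere, making this code behave incorrectly.
+
+Fixes: CID 73668
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7aab03418ec6a9b991aa44416cb2585aff4e7972]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/fs/zfs/zfsinfo.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
+index c8a28ac..bf29180 100644
+--- a/grub-core/fs/zfs/zfsinfo.c
++++ b/grub-core/fs/zfs/zfsinfo.c
+@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
+return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+
+devname = grub_file_get_device_name (args[0]);
+- if (grub_errno)
+- return grub_errno;
++ if (devname == NULL)
++ return GRUB_ERR_OUT_OF_MEMORY;
+
+dev = grub_device_open (devname);
+grub_free (devname);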
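Review bot: The new check reports every NULL from `grub_file_get_device_name ()` as `GRUB_ERR_OUT_OF_MEMORY` and returns the bare code without going through `grub_error ()`, so this path itself sets neither `grub_errno` nor a message. If that helper can return NULL for other reasons, such as a malformed device name or an argument with no device part (neither is visible in this hunk), the caller gets a misleading result. An argument without a device would also be rejected where the old code passed NULL on to `grub_device_open ()`. Checking both conditions, e.g. `if (devname == NULL && grub_errno != GRUB_ERR_NONE) return grub_errno;`, keeps the original behaviour for the non-error case. `grub_cmd_zfs_bootfs` continues outside the hunk.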
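--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
@@ -0,0 +1,82 @@
+From 929c2ce8214c53cb95abff57a89556cd18444097 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+
+Fixes: CID 73759
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=178ac5107389f8e5b32489d743d6824a5ebf342a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/fs/affs.c | 18 ++++++++----------
+1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 220b371..230e26a 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+{
+unsigned int i;
+struct grub_affs_file file;
+- struct grub_fshelp_node *node = 0;
++ struct grub_fshelp_node *node, *orig_node;
+struct grub_affs_data *data = dir->data;
+grub_uint32_t *hashtable;
+
+/* Create the directory entries for `.' and `..'. */
+- node = grub_zalloc (sizeof (*node));
++ node = orig_node = grub_zalloc (sizeof (*node));
+if (!node)
+return 1;
+
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+return 1;
+if (dir->parent)
+{
+- node = grub_zalloc (sizeof (*node));
+- if (!node)
+- return 1;
+*node = *dir->parent;
+if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+
+if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+next, &file))
+- return 1;
++ {
++ /* Node has been replaced in function. */
++ grub_free (orig_node);
++ return 1;
++ }
+
+next = grub_be_to_cpu32 (file.next);
+}
+}
+
+- grub_free (hashtable);
+- return 0;
+-
+fail:
+- grub_free (node);
++ grub_free (orig_node);
+grub_free (hashtable);
+return 0;
+}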
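Review bot: After this change the single `orig_node` allocation is handed to `hook (".", …)`, reused for `hook ("..", …)` and then freed at `fail:`, which assumes that a hook returning 0 neither keeps nor frees the node it was given. That ownership contract is not visible in this section; if a hook releases the node when it declines an entry, the `*node = *dir->parent` write becomes a use-after-free and the final `grub_free (orig_node)` a double free. It would help to state the contract in a comment above the allocation, for example `/* hook() owns node only when it returns non-zero. */`, and to confirm it against the hook implementations. The success path also now falls through the `fail:` label, so the label name no longer matches its role.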
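--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
@@ -0,0 +1,36 @@
+From 9b16d7bcad1c7fea7f26eb2fb3af1a5ca70ba34e Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 3 Nov 2020 16:43:37 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
+
+The array of unsigned char gets promoted to a signed 32-bit int before
+it is finally promoted to a size_t. There is the possibility that this
+may result in the signed-bit being set for the intermediate signed
+32-bit int. We should ensure that the promotion is to the correct type
+before we bitwise-OR the values.
+
+Fixes: CID 96697
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e8814c811132a70f9b55418f7567378a34ad3883]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+
+---
+grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index a3435ed..7ecad27 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+if (len && len < 4)
+return gcry_error (GPG_ERR_TOO_SHORT);
+
+- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+s += 4;
+if (len)
+len -= 4;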
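--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
@@ -0,0 +1,33 @@
+From d26c8771293637b0465f2cb67d97cb58bacc62da Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:41:54 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
+
+The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
+is no explicit check for that, so we add one.
+
+Fixes: CID 73757
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ae0f3fabeba7b393113d5dc185b6aff9b728136d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index 7ecad27..6fe3891 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+unsigned int len;
+int secure = (buffer && gcry_is_secure (buffer));
+
++ if (!buffer)
++ return gcry_error (GPG_ERR_INV_ARG);
++
+if (format == GCRYMPI_FMT_SSH)
+len = 0;
+else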
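--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
@@ -0,0 +1,43 @@
+From ea12feb69b6af93c7e2fa03df7ac3bd1f4edd599 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 15:31:53 +0000
+Subject: [PATCH] syslinux: Fix memory leak while parsing
+
+In syslinux_parse_real() the 2 points where return is being called
+didn't release the memory stored in buf which is no longer required.
+
+Fixes: CID 176634
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=95bc016dba94cab3d398dd74160665915cd08ad6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/lib/syslinux_parse.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
+index 4afa992..3acc6b4 100644
+--- a/grub-core/lib/syslinux_parse.c
++++ b/grub-core/lib/syslinux_parse.c
+@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
+&& grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
+{
+if (helptext (ptr5, file, menu))
+- return 1;
++ {
++ grub_free (buf);
++ return 1;
++ }
+continue;
+}
+
+@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
+}
+fail:
+grub_file_close (file);
++ grub_free (buf);
+return err;
+}
+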
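Review bot: The early return in the `helptext ()` branch now frees `buf` but still skips the `grub_file_close (file)` that the `fail:` label performs, so the open file handle leaks on that path. Closing it there as well, with `grub_file_close (file);` ahead of `grub_free (buf);`, or setting `err` and using `goto fail`, would make both exits release the same resources. Where `file` is opened, and whether `helptext ()` can leave it in a state that must not be closed, are outside the hunks.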
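--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
@@ -0,0 +1,52 @@
+From 2367049d2021e00d82d19cee923e06a4b04ebc30 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 18:56:48 +0000
+Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
+completion
+
+It is possible for the code to reach the end of the function without
+freeing the memory allocated to argv and argc still to be 0.
+
+We should always call grub_free(argv). The grub_free() will handle
+a NULL argument correctly if it reaches that code without the memory
+being allocated.
+
+Fixes: CID 96672
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9213575b7a95b514bce80be5964a28d407d7d56d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/normal/completion.c | 10 ++++------
+1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
+index 5961028..46e473c 100644
+--- a/grub-core/normal/completion.c
++++ b/grub-core/normal/completion.c
+@@ -400,8 +400,8 @@ char *
+grub_normal_do_completion (char *buf, int *restore,
+void (*hook) (const char *, grub_completion_type_t, int))
+{
+- int argc;
+- char **argv;
++ int argc = 0;
++ char **argv = NULL;
+
+/* Initialize variables. */
+match = 0;
+@@ -516,10 +516,8 @@ grub_normal_do_completion (char *buf, int *restore,
+
+fail:
+if (argc != 0)
+- {
+- grub_free (argv[0]);
+- grub_free (argv);
+- }
++ grub_free (argv[0]);
++ grub_free (argv);
+grub_free (match);
+grub_errno = GRUB_ERR_NONE;
+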
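--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
@@ -0,0 +1,56 @@
+From b136fa14d26d1833ffcb852f86e65da5960cfb99 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 1 Dec 2020 23:41:24 +0000
+Subject: [PATCH] commands/hashsum: Fix a memory leak
+
+check_list() uses grub_file_getline(), which allocates a buffer.
+If the hash list file contains invalid lines, the function leaks
+this buffer when it returns an error.
+
+Fixes: CID 176635
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b6f528e52e18b7a69f90b8dc3671d7b1147d9f3]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/commands/hashsum.c | 15 ++++++++++++---
+1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
+index 456ba90..b8a22b0 100644
+--- a/grub-core/commands/hashsum.c
++++ b/grub-core/commands/hashsum.c
+@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+high = hextoval (*p++);
+low = hextoval (*p++);
+if (high < 0 || low < 0)
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+expected[i] = (high << 4) | low;
+}
+if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+p += 2;
+if (prefix)
+{
+@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+
+filename = grub_xasprintf ("%s/%s", prefix, p);
+if (!filename)
+- return grub_errno;
++ {
++ grub_free (buf);
++ return grub_errno;
++ }
+file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
+| (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
+: GRUB_FILE_TYPE_NONE));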
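Review bot: The same `grub_free (buf); return …;` sequence is now repeated at three exits of `check_list ()`, so every resource acquired earlier in the function has to be remembered at each of them. If the hash-list file that `check_list ()` reads from is still open at these points (the open call is outside the hunks), these returns leave it unclosed. A single cleanup label that frees `buf` and closes the list file, reached with `goto`, would cover the three paths and any added later.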
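--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
@@ -0,0 +1,94 @@
+From 2a1e5659763790201a342f8a897c8c9d8d91b1cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:14:31 +0000
+Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
+grub_video_gop_fill_mode_info()
+
+The return value of grub_video_gop_fill_mode_info() is never able to be
+anything other than GRUB_ERR_NONE. So, rather than continue to return
+a value and checking it each time, it is more correct to redefine the
+function to not return anything and remove checks of its return value
+altogether.
+
+Fixes: CID 96701
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fc5951d3b1616055ef81a019a5affc09d13344d0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/video/efi_gop.c | 25 ++++++-------------------
+1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index 7f9d1c2..db2ee98 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -227,7 +227,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
+return GRUB_ERR_NONE;
+}
+
+-static grub_err_t
++static void
+grub_video_gop_fill_mode_info (unsigned mode,
+struct grub_efi_gop_mode_info *in,
+struct grub_video_mode_info *out)
+@@ -252,8 +252,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
+out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
+out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
+| GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
+-
+- return GRUB_ERR_NONE;
+}
+
+static int
+@@ -266,7 +264,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+grub_efi_uintn_t size;
+grub_efi_status_t status;
+struct grub_efi_gop_mode_info *info = NULL;
+- grub_err_t err;
+struct grub_video_mode_info mode_info;
+
+status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+@@ -277,12 +274,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+continue;
+}
+
+- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
+- if (err)
+- {
+- grub_errno = GRUB_ERR_NONE;
+- continue;
+- }
++ grub_video_gop_fill_mode_info (mode, info, &mode_info);
+if (hook (&mode_info, hook_arg))
+return 1;
+}
+@@ -466,13 +458,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+
+info = gop->mode->info;
+
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
+- if (err)
+- {
+- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
+- return err;
+- }
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+
+framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
+framebuffer.offscreen
+@@ -486,8 +473,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+{
+grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
+grub_errno = 0;
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+buffer = framebuffer.ptr;
+}
+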
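--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,78 @@
+From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 15:10:51 +0000
+Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
+
+The multiplication of 2 unsigned 32-bit integers may overflow before
+promotion to unsigned 64-bit. We should ensure that the multiplication
+is done with overflow detection. Additionally, use grub_sub() for
+subtraction.
+
+Fixes: CID 73640, CID 73697, CID 73702, CID 73823
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/video/fb/fbfill.c | 17 +++++++++++++----
+1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
+index 11816d0..a37acd1 100644
+--- a/grub-core/video/fb/fbfill.c
++++ b/grub-core/video/fb/fbfill.c
+@@ -31,6 +31,7 @@
+#include <grub/fbfill.h>
+#include <grub/fbutil.h>
+#include <grub/types.h>
++#include <grub/safemath.h>
+#include <grub/video.h>
+
+/* Generic filler that works for every supported mode. */
+@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
+
+/* Calculate the number of bytes to advance from the end of one line
+to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+/* Get the start address. */
+dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
+#endif
+/* Calculate the number of bytes to advance from the end of one line
+to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+/* Get the start address. */
+dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
+
+/* Calculate the number of bytes to advance from the end of one line
+to the beginning of the next line. */
+- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+/* Get the start address. */
+dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
+
+/* Calculate the number of bytes to advance from the end of one line
+to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+/* Get the start address. */
+dstptr = grub_video_fb_get_video_ptr (dst, x, y);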
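Review bot: The four added overflow guards (in grub_video_fbfill_direct32, direct24, direct16 and direct8) bail out with a bare `return;`, so a pitch/width combination that fails the check is dropped without a trace and the caller cannot tell that the fill was skipped. A debug line before each return, for example `grub_dprintf ("video", "fbfill: rowskip overflow, fill skipped\n");`, would make a bad mode_info or fill rectangle diagnosable. The same two-call sequence is repeated in all four functions, so a small static helper that computes rowskip and reports failure would keep the copies from drifting apart. Each function body continues outside its hunk, so the declared types of rowskip and width are not visible here and should be confirmed to suit grub_mul() and grub_sub().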
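--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,104 @@
+From 69b91f7466a5ad5fb85039a5b4118efb77ad6347 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08e098b1dbf01e96376f594b337491bc4cfa48dd]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++-----------
+1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8..1c9a138 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+#include <grub/fbutil.h>
+#include <grub/bitmap.h>
+#include <grub/dl.h>
++#include <grub/safemath.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+{
+if (framebuffer.current_dirty.first_line
+<= framebuffer.current_dirty.last_line)
+- grub_memcpy ((char *) framebuffer.pages[0]
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (framebuffer.current_dirty.last_line
+- - framebuffer.current_dirty.first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (framebuffer.current_dirty.last_line,
++ framebuffer.current_dirty.first_line, ©_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
+framebuffer.current_dirty.first_line
+= framebuffer.back_target->mode_info.height;
+framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+volatile void *framebuf)
+{
+grub_err_t err;
+- grub_size_t page_size = mode_info.pitch * mode_info.height;
++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+
+framebuffer.offscreen_buffer = grub_zalloc (page_size);
+if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+last_line = framebuffer.previous_dirty.last_line;
+
+if (first_line <= last_line)
+- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (last_line - first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (last_line, first_line, ©_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, ©_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
++
+framebuffer.previous_dirty = framebuffer.current_dirty;
+framebuffer.current_dirty.first_line
+= framebuffer.back_target->mode_info.height;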
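Review bot: In grub_video_fb_doublebuf_blit_init the new `(grub_size_t) mode_info.pitch * mode_info.height` prevents a wrap only where grub_size_t is wider than the operands. On a target where grub_size_t is 32 bits (its width is not visible here) the product can still wrap, and grub_zalloc() would then receive an undersized page_size. The checked form this patch already uses in its other hunks closes that case: declare `grub_size_t page_size = 0;` and add `if (grub_mul (mode_info.pitch, mode_info.height, &page_size)) return GRUB_ERR_BUG;`. In the two update_screen hunks copy_size is now checked, but the `first_line * ...mode_info.pitch` offsets added to both grub_memcpy() pointers remain plain multiplications and deserve the same treatment. All three function bodies continue outside their hunks.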
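--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
@@ -0,0 +1,39 @@
+From aac5574ff340a665ccc78d4c3d61596ac67acbbe Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 14:51:30 +0000
+Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
+
+It is minimal possibility that the values being used here will overflow.
+So, change the code to use the safemath function grub_mul() to ensure
+that doesn't happen.
+
+Fixes: CID 73761
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08413f2f4edec0e2d9bf15f836f6ee5ca2e379cb]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/video/fb/video_fb.c | 8 +++++++-
+1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1c9a138..ae6b89f 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
+volatile void *page1_ptr)
+{
+grub_err_t err;
+- grub_size_t page_size = mode_info->pitch * mode_info->height;
++ grub_size_t page_size = 0;
++
++ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
+
+framebuffer.offscreen_buffer = grub_malloc (page_size);
+if (! framebuffer.offscreen_buffer)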
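Review bot: The new overflow branch in doublebuf_pageflipping_init returns the bare code GRUB_ERR_BUG without recording a message, so a caller that reports grub_errmsg would have nothing to print. `return grub_error (GRUB_ERR_BUG, "video_fb: page size overflow");` would keep the code and its explanation together. pitch and height arrive through mode_info, which presumably reflects what a video driver or the firmware reported, so the "Shouldn't happen" comment could say that the values are externally supplied rather than imply they are trusted. The function body continues outside the hunk.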
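--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
@@ -0,0 +1,38 @@
+From 88361a7fd4e481a76e1159a63c9014fa997ef29c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:39:00 +0000
+Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
+from a jpeg file
+
+While it may never happen, and potentially could be caught at the end of
+the function, it is worth checking up front for a bad reference to the
+next marker just in case of a maliciously crafted file being provided.
+
+Fixes: CID 73694
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5f5eb7ca8e971227e95745abe541df3e1509360e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/video/readers/jpeg.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..0b6ce3c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+next_marker = data->file->offset;
+next_marker += grub_jpeg_get_word (data);
+
++ if (next_marker > data->file->size)
++ {
++ /* Should never be set beyond the size of the file. */
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
++ }
++
+while (data->file->offset + sizeof (data->quan_table[id]) + 1
+<= next_marker)
+{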
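Review bot: The bound on next_marker is added only in grub_jpeg_decode_quan_table, so any other segment parser in jpeg.c that derives next_marker from `grub_jpeg_get_word (data)` in the same way would need the same guard; that cannot be confirmed from this hunk. The comparison is also only meaningful if next_marker is at least as wide as data->file->offset, because a narrower type would truncate the sum before the test; its declaration is outside the hunk. A short comment stating that the segment length comes from the file and is untrusted would explain the check better than "Should never be set beyond the size of the file".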
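--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
@@ -0,0 +1,34 @@
+From 9433cb3a37c03f22c2fa769121f1f509fd031ae9 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Mon, 7 Dec 2020 14:44:47 +0000
+Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as
+dead
+
+The test of value for NULL before calling grub_strdup() is not required,
+since the if condition prior to this has already tested for value being
+NULL and cannot reach this code if it is.
+
+Fixes: CID 73659
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4a1aa5917595650efbd46b581368c470ebee42ab]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/gfxmenu/gui_list.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
+index 01477cd..df334a6 100644
+--- a/grub-core/gfxmenu/gui_list.c
++++ b/grub-core/gfxmenu/gui_list.c
+@@ -771,7 +771,7 @@ list_set_property (void *vself, const char *name, const char *value)
+{
+self->need_to_recreate_boxes = 1;
+grub_free (self->selected_item_box_pattern);
+- self->selected_item_box_pattern = value ? grub_strdup (value) : 0;
++ self->selected_item_box_pattern = grub_strdup (value);
+self->selected_item_box_pattern_inherit = 0;
+}
+}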
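Review bot: Dropping the `value ?` test makes `grub_strdup (value)` safe only because of a NULL check in an earlier condition that lies outside this hunk, so the invariant is invisible at the call site. A one-line comment above the assignment, `/* value is non-NULL here; the enclosing condition already tested it. */`, would keep a later reshuffle of list_set_property from turning this into a NULL dereference. The result of grub_strdup() is also stored unchecked, so an allocation failure leaves selected_item_box_pattern NULL; whether its later users tolerate that is not visible here.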
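--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch
@@ -0,0 +1,47 @@
+From 7899384c8fdf9ed96566978c49b0c6e40e70703d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:47:13 +0000
+Subject: [PATCH] loader/bsd: Check for NULL arg up-front
+
+The code in the next block suggests that it is possible for .set to be
+true but .arg may still be NULL.
+
+This code assumes that it is never NULL, yet later is testing if it is
+NULL - that is inconsistent.
+
+So we should check first if .arg is not NULL, and remove this check that
+is being flagged by Coverity since it is no longer required.
+
+Fixes: CID 292471
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5d5391b0a05abe76e04c1eb68dcc6cbef5326c4a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/loader/i386/bsd.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index b92cbe9..8432283 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -1605,7 +1605,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+kernel_type = KERNEL_TYPE_OPENBSD;
+bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags);
+
+- if (ctxt->state[OPENBSD_ROOT_ARG].set)
++ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL)
+{
+const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg;
+unsigned type, unit, part;
+@@ -1622,7 +1622,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+"unknown disk type name");
+
+unit = grub_strtoul (arg, (char **) &arg, 10);
+- if (! (arg && *arg >= 'a' && *arg <= 'z'))
++ if (! (*arg >= 'a' && *arg <= 'z'))
+return grub_error (GRUB_ERR_BAD_ARGUMENT,
+"only device specifications of form "
+"<type><number><lowercase letter> are supported");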
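Review bot: With the extended condition in the first hunk, a root option that is set but has a NULL .arg now skips the whole parsing block silently, so grub_cmd_openbsd would carry on as if no root device had been requested. If that state is reachable, reporting it explicitly for the set-but-NULL case, for example `return grub_error (GRUB_ERR_BAD_ARGUMENT, "root device argument missing");`, makes the failure visible instead of booting with a default. In the second hunk, dropping `arg &&` relies on grub_strtoul() always storing a non-NULL end pointer, which is worth a short comment. What follows the block is outside both hunks and should be checked against this.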
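--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch
@@ -0,0 +1,38 @@
+From 0a4aa7c16f65cdfaa1013f0796afa929f8d6dc1a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:53:10 +0000
+Subject: [PATCH] loader/xnu: Fix memory leak
+
+The code here is finished with the memory stored in name, but it only
+frees it if there curvalue is valid, while it could actually free it
+regardless.
+
+The fix is a simple relocation of the grub_free() to before the test
+of curvalue.
+
+Fixes: CID 96646
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bcb59ece3263d118510c4440c4da0950f224bb7f]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/loader/xnu.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 07232d2..b3029a8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1388,9 +1388,9 @@ grub_xnu_fill_devicetree (void)
+name[len] = 0;
+
+curvalue = grub_xnu_create_value (curkey, name);
++ grub_free (name);
+if (!curvalue)
+return grub_errno;
+- grub_free (name);
+
+data = grub_malloc (grub_strlen (var->value) + 1);
+if (!data)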
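--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
@@ -0,0 +1,77 @@
+From 81117a77a9e945ee5e7c1f12bd5667e2a16cbe32 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 30 Nov 2020 12:18:24 -0300
+Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
+grub_xnu_writetree_toheap()
+
+... to avoid memory leaks.
+
+Fixes: CID 96640
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4b4027b6b1c877d7ab467896b04c7bd1aadcfa15]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
+1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index b3029a8..39ceff8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -224,26 +224,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+if (! memorymap)
+return grub_errno;
+
+- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
++ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
+if (! driverkey)
+return grub_errno;
+driverkey->name = grub_strdup ("DeviceTree");
+if (! driverkey->name)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
++
+driverkey->datasize = sizeof (*extdesc);
+driverkey->next = memorymap->first_child;
+memorymap->first_child = driverkey;
+driverkey->data = extdesc
+= (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
+if (! driverkey->data)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
+
+/* Allocate the space based on the size with dummy value. */
+*size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
+err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
+&src, target);
+if (err)
+- return err;
++ goto fail;
+
+/* Put real data in the dummy. */
+extdesc->addr = *target;
+@@ -252,6 +259,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+/* Write the tree to heap. */
+grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
+return GRUB_ERR_NONE;
++
++ fail:
++ memorymap->first_child = NULL;
++
++ grub_free (driverkey->data);
++ grub_free (driverkey->name);
++ grub_free (driverkey);
++
++ return err;
+}
+
+/* Find a key or value in parent key. */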
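Review bot: The new fail path sets `memorymap->first_child = NULL` unconditionally, although driverkey was linked in with `driverkey->next = memorymap->first_child`. Any child memorymap already had is therefore dropped from the list, and on the grub_strdup() failure the list is cleared even though driverkey was never linked. Unlinking only what this function inserted avoids both cases: `if (memorymap->first_child == driverkey) memorymap->first_child = driverkey->next;`. Whether memorymap can hold earlier children depends on code before the hunk, which is not visible here.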
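--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
@@ -0,0 +1,42 @@
+From 778a3fffd19229e5650a1abfb06c974949991cd4 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 30 Nov 2020 10:36:00 -0300
+Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it
+
+Fixes: CID 73654
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7c8a2b5d1421a0f2a33d33531f7561f3da93b844]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/loader/xnu.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 39ceff8..adc048c 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -667,6 +667,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+char *name, *nameend;
+int namelen;
+
++ if (infoplistname == NULL)
++ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename"));
++
+name = get_name_ptr (infoplistname);
+nameend = grub_strchr (name, '/');
+
+@@ -698,10 +701,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+else
+macho = 0;
+
+- if (infoplistname)
+- infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+- else
+- infoplist = 0;
++ infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+grub_errno = GRUB_ERR_NONE;
+if (infoplist)
+{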
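Review bot: The early `infoplistname == NULL` return changes the contract of grub_xnu_load_driver. The branch removed in the second hunk treated a NULL name as "no Info.plist" and continued with `infoplist = 0`, whereas the function now fails before it looks at binaryfile. If any caller passes NULL on purpose to load a driver from its binary alone, that path now errors out, so the callers (outside this hunk) need checking; guarding only the `get_name_ptr (infoplistname)` use would keep the old meaning. The retained `grub_errno = GRUB_ERR_NONE;` right after grub_file_open() still discards an open failure and deserves a one-line comment saying why.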
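--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch
@@ -0,0 +1,41 @@
+From 5d2dd0052474a882a22e47cc8c3ed87a01819f6b Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 25 Feb 2021 18:35:01 +0100
+Subject: [PATCH] util/grub-install: Fix NULL pointer dereferences
+
+Two grub_device_open() calls does not have associated NULL checks
+for returned values. Fix that and appease the Coverity.
+
+Fixes: CID 314583
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b3a95655b4391122e7b0315d8cc6f876caf8183]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+util/grub-install.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index a82725f..367350f 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -1775,6 +1775,8 @@ main (int argc, char *argv[])
+fill_core_services (core_services);
+
+ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+bless (ins_dev, core_services, 0);
+
+@@ -1875,6 +1877,8 @@ main (int argc, char *argv[])
+fill_core_services(core_services);
+
+ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+bless (ins_dev, boot_efi, 1);
+if (!removable && update_nvram)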
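--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
@@ -0,0 +1,46 @@
+From 3d68daf2567aace4b52bd238cfd4a8111af3bc04 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 14:33:50 +0000
+Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value
+
+The return value of ftell() may be negative (-1) on error. While it is
+probably unlikely to occur, we should not blindly cast to an unsigned
+value without first testing that it is not negative.
+
+Fixes: CID 73856
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5dc41edc4eba259c6043ae7698c245ec1baaacc6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+util/grub-editenv.c | 8 +++++++-
+1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-editenv.c b/util/grub-editenv.c
+index f3662c9..db6f187 100644
+--- a/util/grub-editenv.c
++++ b/util/grub-editenv.c
+@@ -125,6 +125,7 @@ open_envblk_file (const char *name)
+{
+FILE *fp;
+char *buf;
++ long loc;
+size_t size;
+grub_envblk_t envblk;
+
+@@ -143,7 +144,12 @@ open_envblk_file (const char *name)
+grub_util_error (_("cannot seek `%s': %s"), name,
+strerror (errno));
+
+- size = (size_t) ftell (fp);
++ loc = ftell (fp);
++ if (loc < 0)
++ grub_util_error (_("cannot get file location `%s': %s"), name,
++ strerror (errno));
++
++ size = (size_t) loc;
+
+if (fseek (fp, 0, SEEK_SET) < 0)
+grub_util_error (_("cannot seek `%s': %s"), name,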
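--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
@@ -0,0 +1,50 @@
+From e301a0f38a2130eb80f346c31e43bf5089af583c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:04:28 +0000
+Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value
+
+It is possible for the ftell() function to return a negative value,
+although it is fairly unlikely here, we should be checking for
+a negative value before we assign it to an unsigned value.
+
+Fixes: CID 73744
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1641d74e16f9d1ca35ba1a87ee4a0bf3afa48e72]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+util/glue-efi.c | 14 ++++++++++++--
+1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/util/glue-efi.c b/util/glue-efi.c
+index 68f5316..de0fa6d 100644
+--- a/util/glue-efi.c
++++ b/util/glue-efi.c
+@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename,
+struct grub_macho_fat_header head;
+struct grub_macho_fat_arch arch32, arch64;
+grub_uint32_t size32, size64;
++ long size;
+char *buf;
+
+fseek (in32, 0, SEEK_END);
+- size32 = ftell (in32);
++ size = ftell (in32);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name32, strerror (errno));
++ size32 = (grub_uint32_t) size;
+fseek (in32, 0, SEEK_SET);
++
+fseek (in64, 0, SEEK_END);
+- size64 = ftell (in64);
++ size = ftell (in64);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name64, strerror (errno));
++ size64 = (grub_uint64_t) size;
+fseek (in64, 0, SEEK_SET);
+
+head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC);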
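Review bot: The second cast added in write_fat, `size64 = (grub_uint64_t) size;`, does not match the declaration `grub_uint32_t size32, size64;` a few lines above, so the value is narrowed to 32 bits on assignment anyway and the cast is misleading. Both assignments also reject only a negative ftell() result; where long is 64 bits, a larger input would be silently truncated into the sizes written to the fat header, so the guard should bound the value too, e.g. `if (size < 0 || (unsigned long) size > 0xffffffffUL)` before `size32 = (grub_uint32_t) size;`, and the same for `size64` with a `(grub_uint32_t)` cast. The fseek() calls around them still ignore their return value, unlike the grub-editenv change earlier on this page. write_fat's body continues outside the hunk.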
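--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
@@ -0,0 +1,28 @@
+From f5fb56954e5926ced42a980c3e0842ffd5fea2aa Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 3 Apr 2020 23:05:13 +1100
+Subject: [PATCH] script/execute: Fix NULL dereference in
+grub_script_execute_cmdline()
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=41ae93b2e6c75453514629bcfe684300e3aec0ce]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/script/execute.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 7e028e1..5ea2aef 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -940,7 +940,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
+struct grub_script_argv argv = { 0, 0, 0 };
+
+/* Lookup the command. */
+- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
++ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0])
+return grub_errno;
+
+for (i = 0; i < argv.argc; i++)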
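Review bot: The early return in grub_script_execute_cmdline still hands back `grub_errno` when `argv.args` is NULL, and if grub_script_arglist_to_argv() returned 0 that value may well be GRUB_ERR_NONE, so an argument list that expands to nothing would be reported as success. That looks intended, but neither the code nor the commit message (which has no body) says so. A short comment above the condition would record it, e.g. `/* argv.args is still NULL if the arglist expanded to no words; treat that like an empty command. */`. Whether argv needs freeing on this path cannot be judged from the hunk, since the function continues outside it.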
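--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch
@@ -0,0 +1,33 @@
+From dd82f98fa642907817f59aeaf3761b786898df85 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 16:57:37 +1100
+Subject: [PATCH] commands/ls: Require device_name is not NULL before printing
+
+This can be triggered with:
+ls -l (0 0*)
+and causes a NULL deref in grub_normal_print_device_info().
+
+I'm not sure if there's any implication with the IEEE 1275 platform.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6afbe6063c95b827372f9ec310c9fc7461311eb1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/commands/ls.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
+index 5b7491a..326d2d6 100644
+--- a/grub-core/commands/ls.c
++++ b/grub-core/commands/ls.c
+@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
+goto fail;
+}
+
+- if (! *path)
++ if (! *path && device_name)
+{
+if (grub_errno == GRUB_ERR_UNKNOWN_FS)
+grub_errno = GRUB_ERR_NONE;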
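Review bot: With the new condition `if (! *path && device_name)`, an empty path with a NULL device_name no longer enters the device-info branch and instead continues into whatever follows this block, which the hunk does not show; the commit message itself is unsure about the effect on IEEE 1275. It would be worth confirming that the following branch copes with a NULL device_name, and documenting the case at the condition, e.g. `/* device_name can be NULL for a malformed device spec; skip the device-info printout then. */`. grub_ls_list_files starts and ends outside the hunk.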
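--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch
@@ -0,0 +1,37 @@
+From df2505c4c3cf42b0c419c99a5f9e1ce63e5a5938 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 17:30:42 +1100
+Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a
+function scope
+
+"$#" represents the number of arguments to a function. It is only
+defined in a function scope, where "scope" is non-NULL. Currently,
+if we attempt to evaluate "$#" outside a function scope, "scope" will
+be NULL and we will crash with a NULL pointer dereference.
+
+Do not attempt to count arguments for "$#" if "scope" is NULL. This
+will result in "$#" being interpreted as an empty string if evaluated
+outside a function scope.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fe0586347ee46f927ae27bb9673532da9f5dead5]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/script/execute.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 5ea2aef..23d34bd 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -485,7 +485,7 @@ gettext_putvar (const char *str, grub_size_t len,
+return 0;
+
+/* Enough for any number. */
+- if (len == 1 && str[0] == '#')
++ if (len == 1 && str[0] == '#' && scope != NULL)
+{
+grub_snprintf (*ptr, 30, "%u", scope->argv.argc);
+*ptr += grub_strlen (*ptr);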
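Review bot: The comment `/* Enough for any number. */` now sits directly above a condition that also tests `scope`, and nothing at the site explains the new test; the behaviour the commit message describes for "$#" outside a function depends on the code after this block, which is outside the hunk. I would add a comment such as `/* "$#" is only defined inside a function; with scope == NULL there is no argument count to print. */` and move the buffer-size remark next to the `grub_snprintf (*ptr, 30, ...)` call it refers to. gettext_putvar starts and ends outside the hunk.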
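--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch
@@ -0,0 +1,76 @@
+From 0d237c0b90f0c6d4a3662c569b2371ae3ed69574 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:41 +0200
+Subject: [PATCH] acpi: Don't register the acpi command when locked down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The command is not allowed when lockdown is enforced. Otherwise an
+attacker can instruct the GRUB to load an SSDT table to overwrite
+the kernel lockdown configuration and later load and execute
+unsigned code.
+
+Fixes: CVE-2020-14372
+
+Reported-by: Máté Kukri <km@mkukri.xyz>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e8e4c0549240fa209acffceb473e1e509b50c95]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+docs/grub.texi | 5 +++++
+grub-core/commands/acpi.c | 15 ++++++++-------
+2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 0786427..47ac7ff 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
+(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
+@option{--no-ebda} option is used, the new tables will be known only to
+GRUB, but may be used by GRUB's EFI emulation.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ Otherwise an attacker can instruct the GRUB to load an SSDT table to
++ overwrite the kernel lockdown configuration and later load and execute
++ unsigned code.
+@end deffn
+
+
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 5a1499a..1215f2a 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -27,6 +27,7 @@
+#include <grub/mm.h>
+#include <grub/memory.h>
+#include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
+
+GRUB_MOD_INIT(acpi)
+{
+- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
+- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+- "--load-only=TABLE1,TABLE2] FILE1"
+- " [FILE2] [...]"),
+- N_("Load host ACPI tables and tables "
+- "specified by arguments."),
+- options);
++ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
++ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
++ "--load-only=TABLE1,TABLE2] FILE1"
++ " [FILE2] [...]"),
++ N_("Load host ACPI tables and tables "
++ "specified by arguments."),
++ options);
+}
+
+GRUB_MOD_FINI(acpi)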
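Review bot: In GRUB_MOD_INIT(acpi) the lockdown decision is taken once, at registration: grub_register_extcmd_lockdown(), as added by CVE-2020-14372_2.patch on this page, swaps in the refusing handler only if grub_is_lockdown() already returns GRUB_LOCKDOWN_ENABLED at the moment it is called. If the acpi module can be initialised before grub_lockdown() runs, the real grub_cmd_acpi stays registered, and the hunk does not show what guarantees the ordering. A comment at the call would record the dependency, e.g. `/* Lockdown is sampled at registration; grub_lockdown() must have run before this module is initialised. */`. This patch also includes `grub/lockdown.h`, which CVE-2020-14372_2.patch creates, so it has to be applied after that one in the recipe; the SRC_URI order is not visible here.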
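--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
@@ -0,0 +1,130 @@
+From fe7a13df6200bda934fcc0246458df249f1ef4f2 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Wed, 23 Sep 2020 11:33:33 -0400
+Subject: [PATCH] verifiers: Move verifiers API to kernel image
+
+Move verifiers API from a module to the kernel image, so it can be
+used there as well. There are no functional changes in this patch.
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9e95f45ceeef36fcf93cbfffcf004276883dbc99]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/Makefile.am | 1 +
+grub-core/Makefile.core.def | 6 +-----
+grub-core/kern/main.c | 4 ++++
+grub-core/{commands => kern}/verifiers.c | 8 ++------
+include/grub/verify.h | 9 ++++++---
+5 files changed, 14 insertions(+), 14 deletions(-)
+rename grub-core/{commands => kern}/verifiers.c (97%)
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 3ea8e7f..375c30d 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 474a63e..cff02f2 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -140,6 +140,7 @@ kernel = {
+common = kern/rescue_parser.c;
+common = kern/rescue_reader.c;
+common = kern/term.c;
++ common = kern/verifiers.c;
+
+noemu = kern/compiler-rt.c;
+noemu = kern/mm.c;
+@@ -942,11 +943,6 @@ module = {
+cppflags = '-I$(srcdir)/lib/posix_wrap';
+};
+
+-module = {
+- name = verifiers;
+- common = commands/verifiers.c;
+-};
+-
+module = {
+name = shim_lock;
+common = commands/efi/shim_lock.c;
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 9cad0c4..73967e2 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+#include <grub/command.h>
+#include <grub/reader.h>
+#include <grub/parser.h>
++#include <grub/verify.h>
+
+#ifdef GRUB_MACHINE_PCBIOS
+#include <grub/machine/memory.h>
+@@ -274,6 +275,9 @@ grub_main (void)
+grub_printf ("Welcome to GRUB!\n\n");
+grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
+
++ /* Init verifiers API. */
++ grub_verifiers_init ();
++
+grub_load_config ();
+
+grub_boot_time ("Before loading embedded modules.");
+diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c
+similarity index 97%
+rename from grub-core/commands/verifiers.c
+rename to grub-core/kern/verifiers.c
+index 0dde481..aa3dc7c 100644
+--- a/grub-core/commands/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
+return GRUB_ERR_NONE;
+}
+
+-GRUB_MOD_INIT(verifiers)
++void
++grub_verifiers_init (void)
+{
+grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
+}
+-
+-GRUB_MOD_FINI(verifiers)
+-{
+- grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+-}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index ea04914..cd129c3 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -64,7 +64,10 @@ struct grub_file_verifier
+grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
+};
+
+-extern struct grub_file_verifier *grub_file_verifiers;
++extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
++
++extern void
++grub_verifiers_init (void);
+
+static inline void
+grub_verifier_register (struct grub_file_verifier *ver)
+@@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
+grub_list_remove (GRUB_AS_LIST (ver));
+}
+
+-grub_err_t
+-grub_verify_string (char *str, enum grub_verify_string_type type);
++extern grub_err_t
++EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
+
+#endif /* ! GRUB_VERIFY_HEADER */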
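Review bot: In the kern/main.c hunk, `grub_verifiers_init ()` is placed after the welcome banner and before `grub_load_config ()`, and what that placement relies on is that nothing opens a file earlier in grub_main, which cannot be checked from the hunk. I would state it at the call, e.g. `/* Register the verify filter before anything can open a file. */`, instead of the current `/* Init verifiers API. */`, and give the new `grub_verifiers_init (void)` declaration in include/grub/verify.h a one-line comment saying it is meant to be called once from grub_main. With GRUB_MOD_FINI(verifiers) removed, the filter can also no longer be unregistered, which is a small behavioural difference from the "no functional changes" in the message.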
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch new file mode 100644 index 0000000000..a98b5d0455 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch | |||
@@ -0,0 +1,431 @@ | |||
1 | From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Mon, 28 Sep 2020 20:08:02 +0200 | ||
4 | Subject: [PATCH] kern: Add lockdown support | ||
5 | |||
6 | When the GRUB starts on a secure boot platform, some commands can be | ||
7 | used to subvert the protections provided by the verification mechanism and | ||
8 | could lead to booting untrusted system. | ||
9 | |||
10 | To prevent that situation, allow GRUB to be locked down. That way the code | ||
11 | may check if GRUB has been locked down and further restrict the commands | ||
12 | that are registered or what subset of their functionality could be used. | ||
13 | |||
14 | The lockdown support adds the following components: | ||
15 | |||
16 | * The grub_lockdown() function which can be used to lockdown GRUB if, | ||
17 | e.g., UEFI Secure Boot is enabled. | ||
18 | |||
19 | * The grub_is_lockdown() function which can be used to check if the GRUB | ||
20 | was locked down. | ||
21 | |||
22 | * A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI | ||
23 | tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other | ||
24 | verifiers. These files are only successfully verified if another registered | ||
25 | verifier returns success. Otherwise, the whole verification process fails. | ||
26 | |||
27 | For example, PE/COFF binaries verification can be done by the shim_lock | ||
28 | verifier which validates the signatures using the shim_lock protocol. | ||
29 | However, the verification is not deferred directly to the shim_lock verifier. | ||
30 | The shim_lock verifier is hooked into the verification process instead. | ||
31 | |||
32 | * A set of grub_{command,extcmd}_lockdown functions that can be used by | ||
33 | code registering command handlers, to only register unsafe commands if | ||
34 | the GRUB has not been locked down. | ||
35 | |||
36 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
37 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
38 | |||
39 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc] | ||
40 | CVE: CVE-2020-14372 | ||
41 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
42 | --- | ||
43 | conf/Makefile.common | 2 + | ||
44 | docs/grub-dev.texi | 27 +++++++++++++ | ||
45 | docs/grub.texi | 8 ++++ | ||
46 | grub-core/Makefile.am | 5 ++- | ||
47 | grub-core/Makefile.core.def | 1 + | ||
48 | grub-core/commands/extcmd.c | 23 +++++++++++ | ||
49 | grub-core/kern/command.c | 24 +++++++++++ | ||
50 | grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++ | ||
51 | include/grub/command.h | 5 +++ | ||
52 | include/grub/extcmd.h | 7 ++++ | ||
53 | include/grub/lockdown.h | 44 ++++++++++++++++++++ | ||
54 | 11 files changed, 225 insertions(+), 1 deletion(-) | ||
55 | create mode 100644 grub-core/kern/lockdown.c | ||
56 | create mode 100644 include/grub/lockdown.h | ||
57 | |||
58 | diff --git a/conf/Makefile.common b/conf/Makefile.common | ||
59 | index 6cd71cb..2a1a886 100644 | ||
60 | --- a/conf/Makefile.common | ||
61 | +++ b/conf/Makefile.common | ||
62 | @@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER | ||
63 | CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' | ||
64 | CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' | ||
65 | CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' | ||
66 | +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' | ||
67 | CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' | ||
68 | +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' | ||
69 | CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)' | ||
70 | CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)' | ||
71 | CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \ | ||
72 | diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi | ||
73 | index ee389fd..635ec72 100644 | ||
74 | --- a/docs/grub-dev.texi | ||
75 | +++ b/docs/grub-dev.texi | ||
76 | @@ -86,6 +86,7 @@ This edition documents version @value{VERSION}. | ||
77 | * PFF2 Font File Format:: | ||
78 | * Graphical Menu Software Design:: | ||
79 | * Verifiers framework:: | ||
80 | +* Lockdown framework:: | ||
81 | * Copying This Manual:: Copying This Manual | ||
82 | * Index:: | ||
83 | @end menu | ||
84 | @@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just | ||
85 | the context. If you return no error during any of @samp{init}, @samp{write} and | ||
86 | @samp{fini} then the file is considered as having succeded verification. | ||
87 | |||
88 | +@node Lockdown framework | ||
89 | +@chapter Lockdown framework | ||
90 | + | ||
91 | +The GRUB can be locked down, which is a restricted mode where some operations | ||
92 | +are not allowed. For instance, some commands cannot be used when the GRUB is | ||
93 | +locked down. | ||
94 | + | ||
95 | +The function | ||
96 | +@code{grub_lockdown()} is used to lockdown GRUB and the function | ||
97 | +@code{grub_is_lockdown()} function can be used to check whether lockdown is | ||
98 | +enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED} | ||
99 | +and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled. | ||
100 | + | ||
101 | +The following functions can be used to register the commands that can only be | ||
102 | +used when lockdown is disabled: | ||
103 | + | ||
104 | +@itemize | ||
105 | + | ||
106 | +@item @code{grub_cmd_lockdown()} registers command which should not run when the | ||
107 | +GRUB is in lockdown mode. | ||
108 | + | ||
109 | +@item @code{grub_cmd_lockdown()} registers extended command which should not run | ||
110 | +when the GRUB is in lockdown mode. | ||
111 | + | ||
112 | +@end itemize | ||
113 | + | ||
114 | @node Copying This Manual | ||
115 | @appendix Copying This Manual | ||
116 | |||
117 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
118 | index 8779507..d778bfb 100644 | ||
119 | --- a/docs/grub.texi | ||
120 | +++ b/docs/grub.texi | ||
121 | @@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order. | ||
122 | * Using digital signatures:: Booting digitally signed code | ||
123 | * UEFI secure boot and shim:: Booting digitally signed PE files | ||
124 | * Measured Boot:: Measuring boot components | ||
125 | +* Lockdown:: Lockdown when booting on a secure setup | ||
126 | @end menu | ||
127 | |||
128 | @node Authentication and authorisation | ||
129 | @@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between | ||
130 | |||
131 | Measured boot is currently only supported on EFI platforms. | ||
132 | |||
133 | +@node Lockdown | ||
134 | +@section Lockdown when booting on a secure setup | ||
135 | + | ||
136 | +The GRUB can be locked down when booted on a secure boot environment, for example | ||
137 | +if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will | ||
138 | +be restricted and some operations/commands cannot be executed. | ||
139 | + | ||
140 | @node Platform limitations | ||
141 | @chapter Platform limitations | ||
142 | |||
143 | diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am | ||
144 | index 375c30d..3096241 100644 | ||
145 | --- a/grub-core/Makefile.am | ||
146 | +++ b/grub-core/Makefile.am | ||
147 | @@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h | ||
148 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h | ||
149 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h | ||
150 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h | ||
151 | +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h | ||
152 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h | ||
153 | if COND_emu | ||
154 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h | ||
155 | @@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES) | ||
156 | b=`basename $$pp .marker`; \ | ||
157 | sed -n \ | ||
158 | -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
159 | + -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
160 | -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
161 | - -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ | ||
162 | + -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \ | ||
163 | + -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ | ||
164 | done) | sort -u > $@ | ||
165 | platform_DATA += command.lst | ||
166 | CLEANFILES += command.lst | ||
167 | diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def | ||
168 | index cff02f2..651ea2a 100644 | ||
169 | --- a/grub-core/Makefile.core.def | ||
170 | +++ b/grub-core/Makefile.core.def | ||
171 | @@ -204,6 +204,7 @@ kernel = { | ||
172 | efi = term/efi/console.c; | ||
173 | efi = kern/acpi.c; | ||
174 | efi = kern/efi/acpi.c; | ||
175 | + efi = kern/lockdown.c; | ||
176 | i386_coreboot = kern/i386/pc/acpi.c; | ||
177 | i386_multiboot = kern/i386/pc/acpi.c; | ||
178 | i386_coreboot = kern/acpi.c; | ||
179 | diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c | ||
180 | index 69574e2..90a5ca2 100644 | ||
181 | --- a/grub-core/commands/extcmd.c | ||
182 | +++ b/grub-core/commands/extcmd.c | ||
183 | @@ -19,6 +19,7 @@ | ||
184 | |||
185 | #include <grub/mm.h> | ||
186 | #include <grub/list.h> | ||
187 | +#include <grub/lockdown.h> | ||
188 | #include <grub/misc.h> | ||
189 | #include <grub/extcmd.h> | ||
190 | #include <grub/script_sh.h> | ||
191 | @@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func, | ||
192 | summary, description, parser, 1); | ||
193 | } | ||
194 | |||
195 | +static grub_err_t | ||
196 | +grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)), | ||
197 | + int argc __attribute__ ((unused)), | ||
198 | + char **argv __attribute__ ((unused))) | ||
199 | +{ | ||
200 | + return grub_error (GRUB_ERR_ACCESS_DENIED, | ||
201 | + N_("%s: the command is not allowed when lockdown is enforced"), | ||
202 | + ctxt->extcmd->cmd->name); | ||
203 | +} | ||
204 | + | ||
205 | +grub_extcmd_t | ||
206 | +grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func, | ||
207 | + grub_command_flags_t flags, const char *summary, | ||
208 | + const char *description, | ||
209 | + const struct grub_arg_option *parser) | ||
210 | +{ | ||
211 | + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) | ||
212 | + func = grub_extcmd_lockdown; | ||
213 | + | ||
214 | + return grub_register_extcmd (name, func, flags, summary, description, parser); | ||
215 | +} | ||
216 | + | ||
217 | void | ||
218 | grub_unregister_extcmd (grub_extcmd_t ext) | ||
219 | { | ||
220 | diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c | ||
221 | index acd7218..4aabcd4 100644 | ||
222 | --- a/grub-core/kern/command.c | ||
223 | +++ b/grub-core/kern/command.c | ||
224 | @@ -17,6 +17,7 @@ | ||
225 | * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
226 | */ | ||
227 | |||
228 | +#include <grub/lockdown.h> | ||
229 | #include <grub/mm.h> | ||
230 | #include <grub/command.h> | ||
231 | |||
232 | @@ -77,6 +78,29 @@ grub_register_command_prio (const char *name, | ||
233 | return cmd; | ||
234 | } | ||
235 | |||
236 | +static grub_err_t | ||
237 | +grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)), | ||
238 | + int argc __attribute__ ((unused)), | ||
239 | + char **argv __attribute__ ((unused))) | ||
240 | + | ||
241 | +{ | ||
242 | + return grub_error (GRUB_ERR_ACCESS_DENIED, | ||
243 | + N_("%s: the command is not allowed when lockdown is enforced"), | ||
244 | + cmd->name); | ||
245 | +} | ||
246 | + | ||
247 | +grub_command_t | ||
248 | +grub_register_command_lockdown (const char *name, | ||
249 | + grub_command_func_t func, | ||
250 | + const char *summary, | ||
251 | + const char *description) | ||
252 | +{ | ||
253 | + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) | ||
254 | + func = grub_cmd_lockdown; | ||
255 | + | ||
256 | + return grub_register_command_prio (name, func, summary, description, 0); | ||
257 | +} | ||
258 | + | ||
259 | void | ||
260 | grub_unregister_command (grub_command_t cmd) | ||
261 | { | ||
262 | diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c | ||
263 | new file mode 100644 | ||
264 | index 0000000..1e56c0b | ||
265 | --- /dev/null | ||
266 | +++ b/grub-core/kern/lockdown.c | ||
267 | @@ -0,0 +1,80 @@ | ||
268 | +/* | ||
269 | + * GRUB -- GRand Unified Bootloader | ||
270 | + * Copyright (C) 2020 Free Software Foundation, Inc. | ||
271 | + * | ||
272 | + * GRUB is free software: you can redistribute it and/or modify | ||
273 | + * it under the terms of the GNU General Public License as published by | ||
274 | + * the Free Software Foundation, either version 3 of the License, or | ||
275 | + * (at your option) any later version. | ||
276 | + * | ||
277 | + * GRUB is distributed in the hope that it will be useful, | ||
278 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
279 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
280 | + * GNU General Public License for more details. | ||
281 | + * | ||
282 | + * You should have received a copy of the GNU General Public License | ||
283 | + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
284 | + * | ||
285 | + */ | ||
286 | + | ||
287 | +#include <grub/dl.h> | ||
288 | +#include <grub/file.h> | ||
289 | +#include <grub/lockdown.h> | ||
290 | +#include <grub/verify.h> | ||
291 | + | ||
292 | +static int lockdown = GRUB_LOCKDOWN_DISABLED; | ||
293 | + | ||
294 | +static grub_err_t | ||
295 | +lockdown_verifier_init (grub_file_t io __attribute__ ((unused)), | ||
296 | + enum grub_file_type type, | ||
297 | + void **context __attribute__ ((unused)), | ||
298 | + enum grub_verify_flags *flags) | ||
299 | +{ | ||
300 | + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; | ||
301 | + | ||
302 | + switch (type & GRUB_FILE_TYPE_MASK) | ||
303 | + { | ||
304 | + case GRUB_FILE_TYPE_GRUB_MODULE: | ||
305 | + case GRUB_FILE_TYPE_LINUX_KERNEL: | ||
306 | + case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: | ||
307 | + case GRUB_FILE_TYPE_XEN_HYPERVISOR: | ||
308 | + case GRUB_FILE_TYPE_BSD_KERNEL: | ||
309 | + case GRUB_FILE_TYPE_XNU_KERNEL: | ||
310 | + case GRUB_FILE_TYPE_PLAN9_KERNEL: | ||
311 | + case GRUB_FILE_TYPE_NTLDR: | ||
312 | + case GRUB_FILE_TYPE_TRUECRYPT: | ||
313 | + case GRUB_FILE_TYPE_FREEDOS: | ||
314 | + case GRUB_FILE_TYPE_PXECHAINLOADER: | ||
315 | + case GRUB_FILE_TYPE_PCCHAINLOADER: | ||
316 | + case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: | ||
317 | + case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: | ||
318 | + case GRUB_FILE_TYPE_ACPI_TABLE: | ||
319 | + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: | ||
320 | + *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; | ||
321 | + | ||
322 | + /* Fall through. */ | ||
323 | + | ||
324 | + default: | ||
325 | + return GRUB_ERR_NONE; | ||
326 | + } | ||
327 | +} | ||
328 | + | ||
329 | +struct grub_file_verifier lockdown_verifier = | ||
330 | + { | ||
331 | + .name = "lockdown_verifier", | ||
332 | + .init = lockdown_verifier_init, | ||
333 | + }; | ||
334 | + | ||
335 | +void | ||
336 | +grub_lockdown (void) | ||
337 | +{ | ||
338 | + lockdown = GRUB_LOCKDOWN_ENABLED; | ||
339 | + | ||
340 | + grub_verifier_register (&lockdown_verifier); | ||
341 | +} | ||
342 | + | ||
343 | +int | ||
344 | +grub_is_lockdown (void) | ||
345 | +{ | ||
346 | + return lockdown; | ||
347 | +} | ||
348 | diff --git a/include/grub/command.h b/include/grub/command.h | ||
349 | index eee4e84..2a6f7f8 100644 | ||
350 | --- a/include/grub/command.h | ||
351 | +++ b/include/grub/command.h | ||
352 | @@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name, | ||
353 | const char *summary, | ||
354 | const char *description, | ||
355 | int prio); | ||
356 | +grub_command_t | ||
357 | +EXPORT_FUNC(grub_register_command_lockdown) (const char *name, | ||
358 | + grub_command_func_t func, | ||
359 | + const char *summary, | ||
360 | + const char *description); | ||
361 | void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd); | ||
362 | |||
363 | static inline grub_command_t | ||
364 | diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h | ||
365 | index 19fe592..fe9248b 100644 | ||
366 | --- a/include/grub/extcmd.h | ||
367 | +++ b/include/grub/extcmd.h | ||
368 | @@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name, | ||
369 | const char *description, | ||
370 | const struct grub_arg_option *parser); | ||
371 | |||
372 | +grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name, | ||
373 | + grub_extcmd_func_t func, | ||
374 | + grub_command_flags_t flags, | ||
375 | + const char *summary, | ||
376 | + const char *description, | ||
377 | + const struct grub_arg_option *parser); | ||
378 | + | ||
379 | grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name, | ||
380 | grub_extcmd_func_t func, | ||
381 | grub_command_flags_t flags, | ||
382 | diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h | ||
383 | new file mode 100644 | ||
384 | index 0000000..40531fa | ||
385 | --- /dev/null | ||
386 | +++ b/include/grub/lockdown.h | ||
387 | @@ -0,0 +1,44 @@ | ||
388 | +/* | ||
389 | + * GRUB -- GRand Unified Bootloader | ||
390 | + * Copyright (C) 2020 Free Software Foundation, Inc. | ||
391 | + * | ||
392 | + * GRUB is free software: you can redistribute it and/or modify | ||
393 | + * it under the terms of the GNU General Public License as published by | ||
394 | + * the Free Software Foundation, either version 3 of the License, or | ||
395 | + * (at your option) any later version. | ||
396 | + * | ||
397 | + * GRUB is distributed in the hope that it will be useful, | ||
398 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
399 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
400 | + * GNU General Public License for more details. | ||
401 | + * | ||
402 | + * You should have received a copy of the GNU General Public License | ||
403 | + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
404 | + */ | ||
405 | + | ||
406 | +#ifndef GRUB_LOCKDOWN_H | ||
407 | +#define GRUB_LOCKDOWN_H 1 | ||
408 | + | ||
409 | +#include <grub/symbol.h> | ||
410 | + | ||
411 | +#define GRUB_LOCKDOWN_DISABLED 0 | ||
412 | +#define GRUB_LOCKDOWN_ENABLED 1 | ||
413 | + | ||
414 | +#ifdef GRUB_MACHINE_EFI | ||
415 | +extern void | ||
416 | +EXPORT_FUNC (grub_lockdown) (void); | ||
417 | +extern int | ||
418 | +EXPORT_FUNC (grub_is_lockdown) (void); | ||
419 | +#else | ||
420 | +static inline void | ||
421 | +grub_lockdown (void) | ||
422 | +{ | ||
423 | +} | ||
424 | + | ||
425 | +static inline int | ||
426 | +grub_is_lockdown (void) | ||
427 | +{ | ||
428 | + return GRUB_LOCKDOWN_DISABLED; | ||
429 | +} | ||
430 | +#endif | ||
431 | +#endif /* ! GRUB_LOCKDOWN_H */ | ||
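--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch
@@ -0,0 +1,57 @@
+From bfb9c44298aa202c176fef8dc5ea48f9b0e76e5e Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 2 Feb 2021 19:59:48 +0100
+Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
+
+It may be useful for scripts to determine whether the GRUB is locked
+down or not. Add the lockdown variable which is set to "y" when the GRUB
+is locked down.
+
+Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d90367471779c240e002e62edfb6b31fc85b4908]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+docs/grub.texi | 3 +++
+grub-core/kern/lockdown.c | 4 ++++
+2 files changed, 7 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index d778bfb..5e6cace 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5802,6 +5802,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+be restricted and some operations/commands cannot be executed.
+
++The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
++Otherwise it does not exit.
++
+@node Platform limitations
+@chapter Platform limitations
+
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+index 1e56c0b..0bc70fd 100644
+--- a/grub-core/kern/lockdown.c
++++ b/grub-core/kern/lockdown.c
+@@ -18,6 +18,7 @@
+*/
+
+#include <grub/dl.h>
++#include <grub/env.h>
+#include <grub/file.h>
+#include <grub/lockdown.h>
+#include <grub/verify.h>
+@@ -71,6 +72,9 @@ grub_lockdown (void)
+lockdown = GRUB_LOCKDOWN_ENABLED;
+
+grub_verifier_register (&lockdown_verifier);
++
++ grub_env_set ("lockdown", "y");
++ grub_env_export ("lockdown");
+}
+
+int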
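Review bot: The two calls added to `grub_lockdown ()` discard their results, and the variable they create is ordinary environment state. If `grub_env_set ("lockdown", "y")` fails, or if a script later changes or unsets the variable (no write hook is registered in the visible code), GRUB stays locked down while scripts see no `lockdown` value. Scripts should therefore treat it as a hint, with enforcement left to the `lockdown` static behind `grub_is_lockdown ()`. I would state that in a comment above the calls, e.g. `/* Informational only: scripts may change or unset it; enforcement uses grub_is_lockdown (). */`. The texinfo sentence added in the same patch says "does not exit" where "does not exist" is meant.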
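--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
@@ -0,0 +1,52 @@
+From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:29 +0200
+Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
+
+If the UEFI Secure Boot is enabled then the GRUB must be locked down
+to prevent executing code that can potentially be used to subvert its
+verification mechanisms.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/efi/init.c | 15 +++++++++++++++
+1 file changed, 15 insertions(+)
+
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 3dfdf2d..db84d82 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -20,6 +20,7 @@
+#include <grub/efi/efi.h>
+#include <grub/efi/console.h>
+#include <grub/efi/disk.h>
++#include <grub/lockdown.h>
+#include <grub/term.h>
+#include <grub/misc.h>
+#include <grub/env.h>
+@@ -39,6 +40,20 @@ grub_efi_init (void)
+/* Initialize the memory management system. */
+grub_efi_mm_init ();
+
++ /*
++ * Lockdown the GRUB and register the shim_lock verifier
++ * if the UEFI Secure Boot is enabled.
++ */
++ if (grub_efi_secure_boot ())
++ {
++ grub_lockdown ();
++ /* NOTE: Our version does not have the shim_lock_verifier,
++ * need to update below if added */
++#if 0
++ grub_shim_lock_verifier_setup ();
++#endif
++ }
++
+efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+0, 0, 0, NULL);
+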
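Review bot: The `#if 0` around `grub_shim_lock_verifier_setup ()` means this backport enables lockdown without registering the verifier that the comment just above still promises. `lockdown_verifier_init ()` in the earlier patch of this series only sets `GRUB_VERIFY_FLAGS_DEFER_AUTH` for kernels, modules, ACPI tables and device trees, so authentication of those files presumably depends on another verifier being registered. How this tree's verifier core treats a deferred file that no verifier claims is not visible here and should be confirmed on a Secure Boot target. I would drop the dead `#if 0` block and reword the comment to match this tree, e.g. `/* Lock down GRUB if UEFI Secure Boot is enabled; this version has no shim_lock verifier. */`, and record the deviation from upstream in the patch header. grub_efi_init's body continues outside the hunk.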
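--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
@@ -0,0 +1,158 @@
+From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:33 +0200
+Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
+modules list
+
+Now the GRUB can check if it has been locked down and this can be used to
+prevent executing commands that can be utilized to circumvent the UEFI
+Secure Boot mechanisms. So, instead of hardcoding a list of modules that
+have to be disabled, prevent the usage of commands that can be dangerous.
+
+This not only allows the commands to be disabled on other platforms, but
+also properly separate the concerns. Since the shim_lock verifier logic
+should be only about preventing to run untrusted binaries and not about
+defining these kind of policies.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+docs/grub.texi | 10 ++++++++++
+grub-core/commands/i386/wrmsr.c | 5 +++--
+grub-core/commands/iorw.c | 19 ++++++++++---------
+grub-core/commands/memrw.c | 19 ++++++++++---------
+4 files changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 5e6cace..0786427 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
+Also, if you specify a reserved or unimplemented MSR address, it will
+cause a general protection exception (which is not currently being handled)
+and the system will reboot.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+@end deffn
+
+@node xen_hypervisor
+@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the
+shim_lock module. And itself it is a persistent module which means that
+it cannot be unloaded if it was loaded into the memory.
+
++All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
++Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
++that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
++and @command{memrw} will not be available when the UEFI secure boot is enabled.
++This is done for security reasons and are enforced by the GRUB Lockdown mechanism
++(@pxref{Lockdown}).
++
+@node Measured Boot
+@section Measuring boot components
+
+diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
+index 9c5e510..56a29c2 100644
+--- a/grub-core/commands/i386/wrmsr.c
++++ b/grub-core/commands/i386/wrmsr.c
+@@ -24,6 +24,7 @@
+#include <grub/env.h>
+#include <grub/command.h>
+#include <grub/extcmd.h>
++#include <grub/lockdown.h>
+#include <grub/i18n.h>
+#include <grub/i386/cpuid.h>
+#include <grub/i386/wrmsr.h>
+@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
+
+GRUB_MOD_INIT(wrmsr)
+{
+- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+- N_("Write a value to a CPU model specific register."));
++ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
++ N_("Write a value to a CPU model specific register."));
+}
+
+GRUB_MOD_FINI(wrmsr)
+diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
+index a0c164e..584baec 100644
+--- a/grub-core/commands/iorw.c
++++ b/grub-core/commands/iorw.c
+@@ -23,6 +23,7 @@
+#include <grub/env.h>
+#include <grub/cpu/io.h>
+#include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
+N_("PORT"), N_("Read 32-bit value from PORT."),
+options);
+cmd_write_byte =
+- grub_register_command ("outb", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 8-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outb", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 8-bit VALUE to PORT."));
+cmd_write_word =
+- grub_register_command ("outw", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 16-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outw", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 16-bit VALUE to PORT."));
+cmd_write_dword =
+- grub_register_command ("outl", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outl", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to PORT."));
+}
+
+GRUB_MOD_FINI(memrw)
+diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
+index 98769ea..d401a6d 100644
+--- a/grub-core/commands/memrw.c
++++ b/grub-core/commands/memrw.c
+@@ -22,6 +22,7 @@
+#include <grub/extcmd.h>
+#include <grub/env.h>
+#include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
+N_("ADDR"), N_("Read 32-bit value from ADDR."),
+options);
+cmd_write_byte =
+- grub_register_command ("write_byte", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 8-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_byte", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 8-bit VALUE to ADDR."));
+cmd_write_word =
+- grub_register_command ("write_word", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 16-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_word", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 16-bit VALUE to ADDR."));
+cmd_write_dword =
+- grub_register_command ("write_dword", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_dword", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to ADDR."));
+}
+
+GRUB_MOD_FINI(memrw)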
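Review bot: Only the write commands move to `grub_register_command_lockdown ()`, so the read commands of iorw and memrw appear to stay usable under lockdown. The context lines ending in `N_("Read 32-bit value from PORT."), options);` and `N_("Read 32-bit value from ADDR."), options);` show them untouched by this patch. The grub.texi paragraph added by the same patch says `iorw` and `memrw` "will not be available", which is broader than what the code enforces. Raw memory and port reads from the GRUB shell can disclose data held in memory, so either register the readers through `grub_register_extcmd_lockdown ()` (declared in the extcmd.h hunk of the earlier patch) or narrow the documentation to the write commands. Both GRUB_MOD_INIT bodies start outside their hunks.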
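--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
@@ -0,0 +1,90 @@
+From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+
+While being there, add the extern keyword to some function declarations in
+that header file.
+
+Fixes: CVE-2020-25632
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7630ec5397fe418276b360f9011934b8c034936c]
+CVE: CVE-2020-25632
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/commands/minicmd.c | 7 +++++--
+grub-core/kern/dl.c | 9 +++++++++
+include/grub/dl.h | 8 +++++---
+3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6bbce3128..fa498931e 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+if (grub_dl_is_persistent (mod))
+return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+
+- if (grub_dl_unref (mod) <= 0)
+- grub_dl_unload (mod);
++ if (grub_dl_ref_count (mod) > 1)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
++
++ grub_dl_unref (mod);
++ grub_dl_unload (mod);
+
+return 0;
+}
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..48f8a7907 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
+return --mod->ref_count;
+}
+
++int
++grub_dl_ref_count (grub_dl_t mod)
++{
++ if (mod == NULL)
++ return 0;
++
++ return mod->ref_count;
++}
++
+static void
+grub_dl_flush_cache (grub_dl_t mod)
+{
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index f03c03561..b3753c9ca 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern void grub_dl_unload_unneeded (void);
++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++
+extern grub_dl_t EXPORT_VAR(grub_dl_head);
+
+#ifndef GRUB_UTIL
+--
+2.33.0
+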
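Review bot: The threshold in `if (grub_dl_ref_count (mod) > 1)` carries the whole fix but is not explained. It presumably relies on an explicitly loaded module holding exactly one reference of its own, so that any higher count means a dependent module; that invariant is not visible in this hunk. A comment would make it reviewable, e.g. `/* One reference is the module's own; more means another module depends on it. */`. Separately, `grub_dl_unref ()` still runs when the count is already 0, leaving it at -1 before `grub_dl_unload ()`, and the result of `grub_dl_unload ()` is discarded, so `rmmod` returns 0 either way. grub_mini_cmd_rmmod starts outside the hunk.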
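--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
@@ -0,0 +1,119 @@
+From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 11 Dec 2020 19:19:21 +0100
+Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
+devices
+
+The maximum number of configurations and interfaces are fixed but there is
+no out-of-bound checking to prevent a malicious USB device to report large
+values for these and cause accesses outside the arrays' memory.
+
+Fixes: CVE-2020-25647
+
+Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=128c16a682034263eb519c89bc0934eeb6fa8cfa]
+CVE: CVE-2020-25647
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/bus/usb/usb.c | 15 ++++++++++++---
+include/grub/usb.h | 10 +++++++---
+2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
+index 8da5e4c74..7cb3cc230 100644
+--- a/grub-core/bus/usb/usb.c
++++ b/grub-core/bus/usb/usb.c
+@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
+grub_usb_err_t
+grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
+{
++ if (endpoint >= GRUB_USB_MAX_TOGGLE)
++ return GRUB_USB_ERR_BADDEVICE;
++
+dev->toggle[endpoint] = 0;
+return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
+| GRUB_USB_REQTYPE_STANDARD
+@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+return err;
+descdev = &dev->descdev;
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+dev->config[i].descconf = NULL;
+
+- if (descdev->configcnt == 0)
++ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
+{
+err = GRUB_USB_ERR_BADDEVICE;
+goto fail;
+@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+/* Skip the configuration descriptor. */
+pos = dev->config[i].descconf->length;
+
++ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
++ {
++ err = GRUB_USB_ERR_BADDEVICE;
++ goto fail;
++ }
++
+/* Read all interfaces. */
+for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
+{
+@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+
+fail:
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+grub_free (dev->config[i].descconf);
+
+return err;
+diff --git a/include/grub/usb.h b/include/grub/usb.h
+index 512ae1dd0..6475c552f 100644
+--- a/include/grub/usb.h
++++ b/include/grub/usb.h
+@@ -23,6 +23,10 @@
+#include <grub/usbdesc.h>
+#include <grub/usbtrans.h>
+
++#define GRUB_USB_MAX_CONF 8
++#define GRUB_USB_MAX_IF 32
++#define GRUB_USB_MAX_TOGGLE 256
++
+typedef struct grub_usb_device *grub_usb_device_t;
+typedef struct grub_usb_controller *grub_usb_controller_t;
+typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
+@@ -167,7 +171,7 @@ struct grub_usb_configuration
+struct grub_usb_desc_config *descconf;
+
+/* Interfaces associated to this configuration. */
+- struct grub_usb_interface interf[32];
++ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
+};
+
+struct grub_usb_hub_port
+@@ -191,7 +195,7 @@ struct grub_usb_device
+struct grub_usb_controller controller;
+
+/* Device configurations (after opening the device). */
+- struct grub_usb_configuration config[8];
++ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
+
+/* Device address. */
+int addr;
+@@ -203,7 +207,7 @@ struct grub_usb_device
+int initialized;
+
+/* Data toggle values (used for bulk transfers only). */
+- int toggle[256];
++ int toggle[GRUB_USB_MAX_TOGGLE];
+
+/* Used by libusb wrapper. Schedulded for removal. */
+void *data;
+--
+2.33.0
+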
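Review bot: The new guard in `grub_usb_clear_halt ()` rejects only values that are too large. `endpoint` is a signed `int`, so a negative value passes `endpoint >= GRUB_USB_MAX_TOGGLE` and still reaches `dev->toggle[endpoint] = 0`, which writes before the start of the array. Whether any caller can pass a negative endpoint is not visible in this hunk, but covering it costs nothing: `if (endpoint < 0 || endpoint >= GRUB_USB_MAX_TOGGLE)`. The function's body continues outside the hunk.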
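--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
@@ -0,0 +1,609 @@
+From 4ea7bae51f97e49c84dc67ea30b466ca8633b9f6 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 7 Jan 2021 19:21:03 +0000
+Subject: kern/parser: Fix a stack buffer overflow
+
+grub_parser_split_cmdline() expands variable names present in the supplied
+command line in to their corresponding variable contents and uses a 1 kiB
+stack buffer for temporary storage without sufficient bounds checking. If
+the function is called with a command line that references a variable with
+a sufficiently large payload, it is possible to overflow the stack
+buffer via tab completion, corrupt the stack frame and potentially
+control execution.
+
+Fixes: CVE-2020-27749
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=c6c426e5ab6ea715153b72584de6bd8c82f698ec && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=b1c9e9e889e4273fb15712051c887e6078511448 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=3d157bbd06506b170fde5ec23980c4bf9f7660e2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=8bc817014ce3d7a498db44eae33c8b90e2430926 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=030fb6c4fa354cdbd6a8d6903dfed5d36eaf3cb2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6]
+CVE: CVE-2020-27749
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/Makefile.core.def | 1 +
+grub-core/kern/buffer.c | 117 +++++++++++++++++++++
+grub-core/kern/parser.c | 204 +++++++++++++++++++++++-------------
+include/grub/buffer.h | 144 +++++++++++++++++++++++++
+4 files changed, 395 insertions(+), 71 deletions(-)
+create mode 100644 grub-core/kern/buffer.c
+create mode 100644 include/grub/buffer.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 651ea2a..823cd57 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -123,6 +123,7 @@ kernel = {
+riscv32_efi_startup = kern/riscv/efi/startup.S;
+riscv64_efi_startup = kern/riscv/efi/startup.S;
+
++ common = kern/buffer.c;
+common = kern/command.c;
+common = kern/corecmd.c;
+common = kern/device.c;
+diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
+new file mode 100644
+index 0000000..9f5f8b8
+--- /dev/null
++++ b/grub-core/kern/buffer.c
+@@ -0,0 +1,117 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <grub/buffer.h>
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++grub_buffer_t
++grub_buffer_new (grub_size_t sz)
++{
++ struct grub_buffer *ret;
++
++ ret = (struct grub_buffer *) grub_malloc (sizeof (*ret));
++ if (ret == NULL)
++ return NULL;
++
++ ret->data = (grub_uint8_t *) grub_malloc (sz);
++ if (ret->data == NULL)
++ {
++ grub_free (ret);
++ return NULL;
++ }
++
++ ret->sz = sz;
++ ret->pos = 0;
++ ret->used = 0;
++
++ return ret;
++}
++
++void
++grub_buffer_free (grub_buffer_t buf)
++{
++ grub_free (buf->data);
++ grub_free (buf);
++}
++
++grub_err_t
++grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req)
++{
++ grub_uint8_t *d;
++ grub_size_t newsz = 1;
++
++ /* Is the current buffer size adequate? */
++ if (buf->sz >= req)
++ return GRUB_ERR_NONE;
++
++ /* Find the smallest power-of-2 size that satisfies the request. */
++ while (newsz < req)
++ {
++ if (newsz == 0)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("requested buffer size is too large"));
++ newsz <<= 1;
++ }
++
++ d = (grub_uint8_t *) grub_realloc (buf->data, newsz);
++ if (d == NULL)
++ return grub_errno;
++
++ buf->data = d;
++ buf->sz = newsz;
++
++ return GRUB_ERR_NONE;
++}
++
++void *
++grub_buffer_take_data (grub_buffer_t buf)
++{
++ void *data = buf->data;
++
++ buf->data = NULL;
++ buf->sz = buf->pos = buf->used = 0;
++
++ return data;
++}
++
++void
++grub_buffer_reset (grub_buffer_t buf)
++{
++ buf->pos = buf->used = 0;
++}
++
++grub_err_t
++grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n)
++{
++ grub_size_t newpos;
++
++ if (grub_add (buf->pos, n, &newpos))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (newpos > buf->used)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("new read is position beyond the end of the written data"));
++
++ buf->pos = newpos;
++
++ return GRUB_ERR_NONE;
++}
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index d1cf061..6ab7aa4 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -1,7 +1,7 @@
+/* parser.c - the part of the parser that can return partial tokens */
+/*
+* GRUB -- GRand Unified Bootloader
+- * Copyright (C) 2005,2007,2009 Free Software Foundation, Inc.
++ * Copyright (C) 2005,2007,2009,2021 Free Software Foundation, Inc.
+*
+* GRUB is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+@@ -18,6 +18,7 @@
+*/
+
+#include <grub/parser.h>
++#include <grub/buffer.h>
+#include <grub/env.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
+}
+
+
+-static void
+-add_var (char *varname, char **bp, char **vp,
++static grub_err_t
++add_var (grub_buffer_t varname, grub_buffer_t buf,
+grub_parser_state_t state, grub_parser_state_t newstate)
+{
+const char *val;
+@@ -116,17 +117,74 @@ add_var (char *varname, char **bp, char **vp,
+/* Check if a variable was being read in and the end of the name
+was reached. */
+if (!(check_varstate (state) && !check_varstate (newstate)))
+- return;
++ return GRUB_ERR_NONE;
++
++ if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
+
+- *((*vp)++) = '\0';
+- val = grub_env_get (varname);
+- *vp = varname;
++ val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
++ grub_buffer_reset (varname);
+if (!val)
+- return;
++ return GRUB_ERR_NONE;
+
+/* Insert the contents of the variable in the buffer. */
+- for (; *val; val++)
+- *((*bp)++) = *val;
++ return grub_buffer_append_data (buf, val, grub_strlen (val));
++}
++
++static grub_err_t
++terminate_arg (grub_buffer_t buffer, int *argc)
++{
++ grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
++
++ if (unread == 0)
++ return GRUB_ERR_NONE;
++
++ if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0')
++ return GRUB_ERR_NONE;
++
++ if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
++
++ (*argc)++;
++
++ return GRUB_ERR_NONE;
++}
++
++static grub_err_t
++process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
++ grub_parser_state_t state, int *argc,
++ grub_parser_state_t *newstate)
++{
++ char use;
++
++ *newstate = grub_parser_cmdline_state (state, c, &use);
++
++ /*
++ * If a variable was being processed and this character does
++ * not describe the variable anymore, write the variable to
++ * the buffer.
++ */
++ if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
++ return grub_errno;
++
++ if (check_varstate (*newstate))
++ {
++ if (use)
++ return grub_buffer_append_char (varname, use);
++ }
++ else if (*newstate == GRUB_PARSER_STATE_TEXT &&
++ state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
++ {
++ /*
++ * Don't add more than one argument if multiple
++ * spaces are used.
++ */
++ return terminate_arg (buffer, argc);
++ }
++ else if (use)
++ return grub_buffer_append_char (buffer, use);
++
++ return GRUB_ERR_NONE;
+}
+
+grub_err_t
+@@ -135,24 +193,36 @@ grub_parser_split_cmdline (const char *cmdline,
+int *argc, char ***argv)
+{
+grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
+- /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
+- allocated. */
+- char buffer[1024];
+- char *bp = buffer;
++ grub_buffer_t buffer, varname;
+char *rd = (char *) cmdline;
+- char varname[200];
+- char *vp = varname;
+- char *args;
++ char *rp = rd;
+int i;
+
+*argc = 0;
+*argv = NULL;
++
++ buffer = grub_buffer_new (1024);
++ if (buffer == NULL)
++ return grub_errno;
++
++ varname = grub_buffer_new (200);
++ if (varname == NULL)
++ goto fail;
++
+do
+{
+- if (!rd || !*rd)
++ if (rp == NULL || *rp == '\0')
+{
++ if (rd != cmdline)
++ {
++ grub_free (rd);
++ rd = rp = NULL;
++ }
+if (getline)
+- getline (&rd, 1, getline_data);
++ {
++ getline (&rd, 1, getline_data);
++ rp = rd;
++ }
+else
+break;
+}
+@@ -160,39 +230,14 @@ grub_parser_split_cmdline (const char *cmdline,
+if (!rd)
+break;
+
+- for (; *rd; rd++)
++ for (; *rp != '\0'; rp++)
+{
+grub_parser_state_t newstate;
+- char use;
+
+- newstate = grub_parser_cmdline_state (state, *rd, &use);
++ if (process_char (*rp, buffer, varname, state, argc,
++ &newstate) != GRUB_ERR_NONE)
++ goto fail;
+
+- /* If a variable was being processed and this character does
+- not describe the variable anymore, write the variable to
+- the buffer. */
+- add_var (varname, &bp, &vp, state, newstate);
+-
+- if (check_varstate (newstate))
+- {
+- if (use)
+- *(vp++) = use;
+- }
+- else
+- {
+- if (newstate == GRUB_PARSER_STATE_TEXT
+- && state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
+- {
+- /* Don't add more than one argument if multiple
+- spaces are used. */
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
+- }
+- else if (use)
+- *(bp++) = use;
+- }
+state = newstate;
+}
+}
+@@ -200,43 +245,60 @@ grub_parser_split_cmdline (const char *cmdline,
+
+/* A special case for when the last character was part of a
+variable. */
+- add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
++ if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE)
++ goto fail;
+
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
++ /* Ensure that the last argument is terminated. */
++ if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
++ goto fail;
+
+/* If there are no args, then we're done. */
+if (!*argc)
+- return 0;
+-
+- /* Reserve memory for the return values. */
+- args = grub_malloc (bp - buffer);
+- if (!args)
+- return grub_errno;
+- grub_memcpy (args, buffer, bp - buffer);
++ {
++ grub_errno = GRUB_ERR_NONE;
++ goto out;
++ }
+
+*argv = grub_calloc (*argc + 1, sizeof (char *));
+if (!*argv)
+- {
+- grub_free (args);
+- return grub_errno;
+- }
++ goto fail;
+
+/* The arguments are separated with 0's, setup argv so it points to
+the right values. */
+- bp = args;
+for (i = 0; i < *argc; i++)
+{
+- (*argv)[i] = bp;
+- while (*bp)
+- bp++;
+- bp++;
++ char *arg;
++
++ if (i > 0)
++ {
++ if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
++ goto fail;
++ }
++
++ arg = (char *) grub_buffer_peek_data (buffer);
++ if (arg == NULL ||
++ grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE)
++ goto fail;
++
++ (*argv)[i] = arg;
+}
+
+- return 0;
++ /* Keep memory for the return values. */
++ grub_buffer_take_data (buffer);
++
++ grub_errno = GRUB_ERR_NONE;
++
++ out:
++ if (rd != cmdline)
++ grub_free (rd);
++ grub_buffer_free (buffer);
++ grub_buffer_free (varname);
++
++ return grub_errno;
++
++ fail:
++ grub_free (*argv);
++ goto out;
+}
+
+/* Helper for grub_parser_execute. */
+diff --git a/include/grub/buffer.h b/include/grub/buffer.h
+new file mode 100644
+index 0000000..f4b10cf
+--- /dev/null
++++ b/include/grub/buffer.h
+@@ -0,0 +1,144 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_BUFFER_H
++#define GRUB_BUFFER_H 1
++
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++struct grub_buffer
++{
++ grub_uint8_t *data;
++ grub_size_t sz;
++ grub_size_t pos;
++ grub_size_t used;
++};
++
++/*
++ * grub_buffer_t represents a simple variable sized byte buffer with
++ * read and write cursors. It currently only implements
++ * functionality required by the only user in GRUB (append byte[s],
++ * peeking data at a specified position and updating the read cursor.
++ * Some things that this doesn't do yet are:
++ * - Reading a portion of the buffer by copying data from the current
++ * read position in to a caller supplied destination buffer and then
++ * automatically updating the read cursor.
++ * - Dropping the read part at the start of the buffer when an append
++ * requires more space.
++ */
++typedef struct grub_buffer *grub_buffer_t;
++
++/* Allocate a new buffer with the specified initial size. */
++extern grub_buffer_t grub_buffer_new (grub_size_t sz);
++
++/* Free the buffer and its resources. */
++extern void grub_buffer_free (grub_buffer_t buf);
++
++/* Return the number of unread bytes in this buffer. */
++static inline grub_size_t
++grub_buffer_get_unread_bytes (grub_buffer_t buf)
++{
++ return buf->used - buf->pos;
++}
++
++/*
++ * Ensure that the buffer size is at least the requested
++ * number of bytes.
++ */
++extern grub_err_t grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req);
++
++/*
++ * Append the specified number of bytes from the supplied
++ * data to the buffer.
++ */
++static inline grub_err_t
++grub_buffer_append_data (grub_buffer_t buf, const void *data, grub_size_t len)
++{
++ grub_size_t req;
++
++ if (grub_add (buf->used, len, &req))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (grub_buffer_ensure_space (buf, req) != GRUB_ERR_NONE)
++ return grub_errno;
++
++ grub_memcpy (&buf->data[buf->used], data, len);
++ buf->used = req;
++
++ return GRUB_ERR_NONE;
++}
++
++/* Append the supplied character to the buffer. */
++static inline grub_err_t
++grub_buffer_append_char (grub_buffer_t buf, char c)
++{
++ return grub_buffer_append_data (buf, &c, 1);
++}
++
++/*
++ * Forget and return the underlying data buffer. The caller
++ * becomes the owner of this buffer, and must free it when it
++ * is no longer required.
++ */
++extern void *grub_buffer_take_data (grub_buffer_t buf);
++
++/* Reset this buffer. Note that this does not deallocate any resources. */
++void grub_buffer_reset (grub_buffer_t buf);
++
++/*
++ * Return a pointer to the underlying data buffer at the specified
++ * offset from the current read position. Note that this pointer may
++ * become invalid if the buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data_at (grub_buffer_t buf, grub_size_t off)
++{
++ if (grub_add (buf->pos, off, &off))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected."));
++ return NULL;
++ }
++
++ if (off >= buf->used)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("peek out of range"));
++ return NULL;
++ }
++
++ return &buf->data[off];
++}
++
++/*
++ * Return a pointer to the underlying data buffer at the current
++ * read position. Note that this pointer may become invalid if the
++ * buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data (grub_buffer_t buf)
++{
++ return grub_buffer_peek_data_at (buf, 0);
++}
++
++/* Advance the read position by the specified number of bytes. */
++extern grub_err_t grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n);
++
++#endif /* GRUB_BUFFER_H */
+--
+2.25.1
+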
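Review bot: `grub_buffer_free()` in the new grub-core/kern/buffer.c reads `buf->data` with no NULL check, and the rewritten `grub_parser_split_cmdline()` reaches it with a NULL pointer. When `grub_buffer_new (200)` fails for `varname`, control goes to `fail:` and then `out:`, which calls `grub_buffer_free (varname)`. That allocation-failure path therefore dereferences NULL instead of returning `grub_errno`. Making `if (buf == NULL) return;` the first statement of `grub_buffer_free()` covers every caller, and the comment in include/grub/buffer.h should then say that NULL is accepted. Separately, `fail:` frees `*argv` but leaves the caller's pointer set; adding `*argv = NULL;` after the `grub_free (*argv);` avoids handing back a dangling pointer if any caller inspects it after an error.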
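--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
@@ -0,0 +1,70 @@
+From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 14 Oct 2020 16:33:42 +0200
+Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
+is enforced
+
+The cutmem and badram commands can be used to remove EFI memory regions
+and potentially disable the UEFI Secure Boot. Prevent the commands to be
+registered if the GRUB is locked down.
+
+Fixes: CVE-2020-27779
+
+Reported-by: Teddy Reed <teddy.reed@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+docs/grub.texi | 4 ++++
+grub-core/mmap/mmap.c | 13 +++++++------
+2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 47ac7ff..a1aaee6 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+that are often result of memory damage, due to physical distribution of memory
+cells.
+
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
++
+@node blocklist
+@subsection blocklist
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 57b4e9a..7ebf32e 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -20,6 +20,7 @@
+#include <grub/memory.h>
+#include <grub/machine/memory.h>
+#include <grub/err.h>
++#include <grub/lockdown.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/command.h>
+@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
+
+GRUB_MOD_INIT(mmap)
+{
+- cmd = grub_register_command ("badram", grub_cmd_badram,
+- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+- N_("Declare memory regions as faulty (badram)."));
+- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
+- N_("FROM[K|M|G] TO[K|M|G]"),
+- N_("Remove any memory regions in specified range."));
++ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
++ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
++ N_("Declare memory regions as faulty (badram)."));
++ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
++ N_("FROM[K|M|G] TO[K|M|G]"),
++ N_("Remove any memory regions in specified range."));
+
+}
+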
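Review bot: The mmap.c hunk depends on `<grub/lockdown.h>` and `grub_register_command_lockdown()`, and this patch adds neither. It therefore builds, and restricts `badram` and `cutmem`, only if the lockdown infrastructure is applied earlier in the recipe's patch series. That ordering is not visible in this section and should be confirmed in the grub recipe's SRC_URI. The same dependency holds for CVE-2020-27779_2.patch and for `grub_register_extcmd_lockdown()` in CVE-2020-27779_3.patch. A one-line comment above the two registrations would keep the reason next to the code, for example `/* Lockdown variant: these commands can remove EFI memory regions (CVE-2020-27779). */`.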
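--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
@@ -0,0 +1,105 @@
+From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+when locked down
+
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+
+* fakebios: creates BIOS-like structures for backward compatibility with
+existing OSes. This should not be allowed when locked down.
+
+* loadbios: reads a BIOS dump from storage and loads it. This action
+should not be allowed when locked down.
+
+* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+any Device Tree provided by the firmware. This also should
+not be allowed when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+docs/grub.texi | 3 +++
+grub-core/commands/efi/loadbios.c | 16 ++++++++--------
+grub-core/loader/arm/linux.c | 6 +++---
+grub-core/loader/efi/fdt.c | 4 ++--
+4 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index a1aaee6..ccf1908 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+kernel. Does not perform merging with any device tree supplied by firmware,
+but rather replaces it completely.
+@ref{GNU/Linux}.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+@end deffn
+
+@node distrust
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521..5c7725f 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+
+GRUB_MOD_INIT(loadbios)
+{
+- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+- 0, N_("Create BIOS-like structures for"
+- " backward compatibility with"
+- " existing OS."));
+-
+- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+- N_("BIOS_DUMP [INT10_DUMP]"),
+- N_("Load BIOS dump."));
++ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
++ 0, N_("Create BIOS-like structures for"
++ " backward compatibility with"
++ " existing OS."));
++
++ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
++ N_("BIOS_DUMP [INT10_DUMP]"),
++ N_("Load BIOS dump."));
+}
+
+GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index d70c174..ed23dc7 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+0, N_("Load Linux."));
+cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+0, N_("Load initrd."));
+- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+- /* TRANSLATORS: DTB stands for device tree blob. */
+- 0, N_("Load DTB file."));
++ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
++ /* TRANSLATORS: DTB stands for device tree blob. */
++ 0, N_("Load DTB file."));
+my_mod = mod;
+current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index ee9c559..003d07c 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
+GRUB_MOD_INIT (fdt)
+{
+cmd_devicetree =
+- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+- N_("Load DTB file."));
++ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
++ N_("Load DTB file."));
+}
+
+GRUB_MOD_FINI (fdt)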
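Review bot: The docs/grub.texi hunk adds the lockdown note only to `devicetree`, although the same patch also restricts `fakebios` and `loadbios`. CVE-2020-27779_3.patch likewise restricts `setpci` with no documentation change at all. If those commands have manual entries, each should carry the same sentence, `Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).`, so that a user who sees a command refused can find out why. The devicetree wording "various security mechanisms" is also vaguer than the badram note in CVE-2020-27779.patch, which names UEFI Secure Boot. Saying that a replaced device tree is passed to the OS unverified would make the restriction easier to audit.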
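--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch
@@ -0,0 +1,37 @@
+From e4f5c16f76e137b3beb6b61a6d2435e54fcb495c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 22:59:59 +0100
+Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
+
+This command can set PCI devices register values, which makes it dangerous
+in a locked down configuration. Restrict it so can't be used on this setup.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=58b77d4069823b44c5fa916fa8ddfc9c4cd51e02]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/commands/setpci.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
+index d5bc97d..fa2ba7d 100644
+--- a/grub-core/commands/setpci.c
++++ b/grub-core/commands/setpci.c
+@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
+
+GRUB_MOD_INIT(setpci)
+{
+- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
+- N_("[-s POSITION] [-d DEVICE] [-v VAR] "
+- "REGISTER[=VALUE[:MASK]]"),
+- N_("Manipulate PCI devices."), options);
++ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
++ N_("[-s POSITION] [-d DEVICE] [-v VAR] "
++ "REGISTER[=VALUE[:MASK]]"),
++ N_("Manipulate PCI devices."), options);
+}
+
+GRUB_MOD_FINI(setpci)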
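Review bot: `grub_register_extcmd_lockdown` is called in GRUB_MOD_INIT(setpci) but is not introduced by this patch, so the build depends on an earlier patch in the series providing it. The same holds for the hdparm change in CVE-2020-27779_4.patch and for `grub_register_command_lockdown` in CVE-2020-27779_5.patch and CVE-2020-27779_6.patch. The recipe's SRC_URI ordering is not visible here, so this is worth confirming. I would record the requirement in the patch header, e.g. `Depends on the patch adding grub_register_extcmd_lockdown() (<patch file name>)`, so it survives later reordering of the series.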
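--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch
@@ -0,0 +1,35 @@
+From 7949671de268ba3116d113778e5d770574e9f9e3 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 12:59:29 +0100
+Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
+
+The command can be used to get/set ATA disk parameters. Some of these can
+be dangerous since change the disk behavior. Restrict it when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5c97492a29c6063567b65ed1a069f5e6f4e211f0]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/commands/hdparm.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
+index d3fa966..2e2319e 100644
+--- a/grub-core/commands/hdparm.c
++++ b/grub-core/commands/hdparm.c
+@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
+
+GRUB_MOD_INIT(hdparm)
+{
+- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
+- N_("[OPTIONS] DISK"),
+- N_("Get/set ATA disk parameters."), options);
++ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
++ N_("[OPTIONS] DISK"),
++ N_("Get/set ATA disk parameters."), options);
+}
+
+GRUB_MOD_FINI(hdparm)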
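--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
@@ -0,0 +1,62 @@
+From 6993cce7c3a9d15e6573845f455d2f0de424a717 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 15:03:26 +0100
+Subject: [PATCH] gdb: Restrict GDB access when locked down
+
+The gdbstub* commands allow to start and control a GDB stub running on
+local host that can be used to connect from a remote debugger. Restrict
+this functionality when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=508270838998f151a82e9c13e7cb8a470a2dc23d]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
+1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
+index 847a1e1..1818cb6 100644
+--- a/grub-core/gdb/gdb.c
++++ b/grub-core/gdb/gdb.c
+@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
+GRUB_MOD_INIT (gdb)
+{
+grub_gdb_idtinit ();
+- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
+- N_("PORT"),
+- /* TRANSLATORS: GDB stub is a small part of
+- GDB functionality running on local host
+- which allows remote debugger to
+- connect to it. */
+- N_("Start GDB stub on given port"));
+- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
+- /* TRANSLATORS: this refers to triggering
+- a breakpoint so that the user will land
+- into GDB. */
+- 0, N_("Break into GDB"));
+- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
+- 0, N_("Stop GDB stub"));
++ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
++ N_("PORT"),
++ /*
++ * TRANSLATORS: GDB stub is a small part of
++ * GDB functionality running on local host
++ * which allows remote debugger to
++ * connect to it.
++ */
++ N_("Start GDB stub on given port"));
++ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
++ /*
++ * TRANSLATORS: this refers to triggering
++ * a breakpoint so that the user will land
++ * into GDB.
++ */
++ 0, N_("Break into GDB"));
++ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
++ 0, N_("Stop GDB stub"));
+}
+
+GRUB_MOD_FINI (gdb)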
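Review bot: `grub_gdb_idtinit ();` at the top of GRUB_MOD_INIT (gdb) stays unconditional, so loading the module under lockdown still runs that initialisation and only the three gdbstub* command registrations are gated. Whether the init step matters without a started stub cannot be told from this hunk. I would state the intent with a comment above the call, e.g. `/* Not gated by lockdown; only the gdbstub* commands are restricted. */`, so the remaining exposure is a documented decision.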
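--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
@@ -0,0 +1,61 @@
+From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+locked down
+
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 77d7060..07232d2 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu)
+N_("Load XNU image."));
+cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+0, N_("Load 64-bit XNU image."));
+- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+- N_("Load XNU extension package."));
+- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+- N_("Load XNU extension."));
+- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+- /* TRANSLATORS: OSBundleRequired is a
+- variable name in xnu extensions
+- manifests. It behaves mostly like
+- GNU/Linux runlevels.
+- */
+- N_("DIRECTORY [OSBundleRequired]"),
+- /* TRANSLATORS: There are many extensions
+- in extension directory. */
+- N_("Load XNU extension directory."));
++ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
++ N_("Load XNU extension package."));
++ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
++ N_("Load XNU extension."));
++ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
++ /*
++ * TRANSLATORS: OSBundleRequired is
++ * a variable name in xnu extensions
++ * manifests. It behaves mostly like
++ * GNU/Linux runlevels.
++ */
++ N_("DIRECTORY [OSBundleRequired]"),
++ /*
++ * TRANSLATORS: There are many extensions
++ * in extension directory.
++ */
++ N_("Load XNU extension directory."));
+cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+/* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
+N_("Load XNU ramdisk. "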
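Review bot: `xnu_ramdisk`, registered in the last lines of the hunk, stays on plain `grub_register_command`, while the commit message only says that the shim_lock verifier validates XNU kernels. If the ramdisk is not covered by a verifier either, it would need the same `grub_register_command_lockdown` treatment as xnu_mkext, xnu_kext and xnu_kextdir. The hunk ends inside the xnu_ramdisk registration, so the rest of GRUB_MOD_INIT(xnu) is not visible and this is a question rather than a finding. A comment above the unrestricted registrations, e.g. `/* Left unrestricted: <reason this is safe under lockdown>. */`, would make the split auditable.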
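--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch
@@ -0,0 +1,65 @@
+From dcc5a434e59f721b03cc809db0375a24aa2ac6d0 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 7 Nov 2020 01:03:18 +0100
+Subject: [PATCH] docs: Document the cutmem command
+
+The command is not present in the docs/grub.texi user documentation.
+
+Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f05e79a0143beb2d9a482a3ebf4fe0ce76778122]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+docs/grub.texi | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index ccf1908..ae85f55 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3892,6 +3892,7 @@ you forget a command, you can run the command @command{help}
+* cpuid:: Check for CPU features
+* crc:: Compute or check CRC32 checksums
+* cryptomount:: Mount a crypto device
++* cutmem:: Remove memory regions
+* date:: Display or set current date and time
+* devicetree:: Load a device tree blob
+* distrust:: Remove a pubkey from trusted keys
+@@ -4051,6 +4052,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+that are often result of memory damage, due to physical distribution of memory
+cells.
+
++The command is similar to @command{cutmem} command.
++
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+This prevents removing EFI memory regions to potentially subvert the
+security mechanisms provided by the UEFI secure boot.
+@@ -4214,6 +4217,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
+be used.
+@end deffn
+
++@node cutmem
++@subsection cutmem
++
++@deffn Command cutmem from[K|M|G] to[K|M|G]
++Remove any memory regions in specified range.
++@end deffn
++
++This command notifies the memory manager that specified regions of RAM ought to
++be filtered out. This remains in effect after a payload kernel has been loaded
++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
++kernels in general.
++
++The command is similar to @command{badram} command.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
+
+@node date
+@subsection date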
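--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
+From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: lib/arg: Block repeated short options that require an argument
+
+Fuzzing found the following crash:
+
+search -hhhhhhhhhhhhhf
+
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+
+This fixes a OOB write which can cause heap corruption.
+
+Fixes: CVE-2021-20225
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
+CVE: CVE-2021-20225
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/lib/arg.c | 13 +++++++++++++
+1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609..537c5e9 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+it can have an argument value. */
+if (*curshort)
+{
++ /*
++ * Only permit further short opts if this one doesn't
++ * require a value.
++ */
++ if (opt->type != ARG_TYPE_NONE &&
++ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("missing mandatory option for `%s'"),
++ opt->longarg);
++ goto fail;
++ }
++
+if (parse_option (cmd, opt, 0, usr) || grub_errno)
+goto fail;
+}
+--
+2.25.1
+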
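Review bot: The new error path in grub_arg_parse passes `opt->longarg` to a `%s` conversion unchecked, and the hunk does not show that every option taking a value defines a long name. For an option with only a short name the diagnostic would carry no usable identifier; a guard such as `opt->longarg ? opt->longarg : "?"`, or reporting the short option character, keeps the message meaningful. The text "missing mandatory option" is also misleading, since what is missing is the option's argument. grub_arg_parse begins and ends outside the hunk.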
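--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
@@ -0,0 +1,50 @@
+From 2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 17:10:48 +1100
+Subject: commands/menuentry: Fix quoting in setparams_prefix()
+
+Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
+says that expressing a quoted single quote will require 3 characters. It
+actually requires (and always did require!) 4 characters:
+
+str: a'b => a'\''b
+len: 3 => 6 (2 for the letters + 4 for the quote)
+
+This leads to not allocating enough memory and thus out of bounds writes
+that have been observed to cause heap corruption.
+
+Allocate 4 bytes for each single quote.
+
+Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
+quoting, but it adds 3 as extra overhead on top of the single byte that
+the quote already needs. So it's correct.
+
+Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
+Fixes: CVE-2021-20233
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33]
+CVE: CVE-2021-20233
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/commands/menuentry.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 9164df7..720e6d8 100644
+--- a/grub-core/commands/menuentry.c
++++ b/grub-core/commands/menuentry.c
+@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
+len += 3; /* 3 = 1 space + 2 quotes */
+p = args[i];
+while (*p)
+- len += (*p++ == '\'' ? 3 : 1);
++ len += (*p++ == '\'' ? 4 : 1);
+}
+
+result = grub_malloc (len + 2);
+--
+2.25.1
+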
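Review bot: The corrected constant in setparams_prefix carries no comment, although the line two above it documents its own `3`, and the original bug was exactly a miscounted quote expansion. I would annotate the changed line, e.g. `len += (*p++ == '\'' ? 4 : 1); /* 4 = close quote + backslash + quote + reopen quote */`, so the count and the copy loop that emits those characters can be checked against each other. That copy loop and the rest of the function lie outside the hunk, so their agreement with the new length cannot be verified here.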
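--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
+From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:01:35 +0530
+Subject: [PATCH] CVE-2021-3695
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
+CVE: CVE-2021-3695
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+for (i = 0; i < (data->image_width * data->image_height);
+i++, d1 += 4, d2 += 2)
+{
+d1[R3] = d2[1];
+d1[G3] = d2[1];
+d1[B3] = d2[1];
+}
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+grub-core/video/readers/png.c | 89 ++++-------------------------------
+1 file changed, 8 insertions(+), 81 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff7..db4a9d4 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+
+unsigned image_width, image_height;
+int bpp, is_16bit;
+- int raw_bytes, is_gray, is_alpha, is_palette;
++ int raw_bytes, is_alpha, is_palette;
+int row_bytes, color_bits;
+grub_uint8_t *image_data;
+
+@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+data->bpp = 3;
+else
+{
+- data->is_gray = 1;
+- data->bpp = 1;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: color type not supported");
+}
+
+if ((color_bits != 8) && (color_bits != 16)
+&& (color_bits != 4
+- || !(data->is_gray || data->is_palette)))
++ || !data->is_palette))
+return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+"png: bit depth must be 8 or 16");
+
+@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+}
+
+#ifndef GRUB_CPU_WORDS_BIGENDIAN
+- if (data->is_16bit || data->is_gray || data->is_palette)
++ if (data->is_16bit || data->is_palette)
+#endif
+{
+data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
+int shift;
+int mask = (1 << data->color_bits) - 1;
+unsigned j;
+- if (data->is_gray)
+- {
+- /* Generic formula is
+- (0xff * i) / ((1U << data->color_bits) - 1)
+- but for allowed bit depth of 1, 2 and for it's
+- equivalent to
+- (0xff / ((1U << data->color_bits) - 1)) * i
+- Precompute the multipliers to avoid division.
+- */
+-
+- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = multipliers[data->color_bits] * i;
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
+- }
+- else
+- grub_memcpy (palette, data->palette, 3 << data->color_bits);
++
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+d1c = d1;
+d2c = d2;
+for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
+return;
+}
+
+- if (data->is_gray)
+- {
+- switch (data->bpp)
+- {
+- case 4:
+- /* 16-bit gray with alpha. */
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 4)
+- {
+- d1[R4] = d2[3];
+- d1[G4] = d2[3];
+- d1[B4] = d2[3];
+- d1[A4] = d2[1];
+- }
+- break;
+- case 2:
+- if (data->is_16bit)
+- /* 16-bit gray without alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R3] = d2[1];
+- d1[G3] = d2[1];
+- d1[B3] = d2[1];
+- }
+- }
+- else
+- /* 8-bit gray with alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R4] = d2[1];
+- d1[G4] = d2[1];
+- d1[B4] = d2[1];
+- d1[A4] = d2[0];
+- }
+- }
+- break;
+- /* 8-bit gray without alpha. */
+- case 1:
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 3, d2++)
+- {
+- d1[R3] = d2[0];
+- d1[G3] = d2[0];
+- d1[B3] = d2[0];
+- }
+- break;
+- }
+- return;
+- }
+-
+- {
++ {
+/* Only copy the upper 8 bit. */
+#ifndef GRUB_CPU_WORDS_BIGENDIAN
+for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
+--
+2.25.1
+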
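Review bot: The patch header replaces the upstream author and subject: `From:` names the backporter and `Subject:` is only `[PATCH] CVE-2021-3695`, with the original subject line and Daniel Axtens' sign-off moved into the body below the Upstream-Status block. CVE-2021-20225.patch and CVE-2021-20233.patch in this same commit keep the upstream `From:` and `Subject:` and append Upstream-Status, CVE and the backporter's sign-off after the original trailers, which makes the provenance checkable against the referenced upstream commit. I would restore `From: Daniel Axtens <dja@axtens.net>` and `Subject: video/readers/png: Drop greyscale support to fix heap out-of-bounds write` here. CVE-2021-3696.patch, CVE-2021-3697.patch and CVE-2021-3981.patch use the same rewritten header.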
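--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
@@ -0,0 +1,46 @@
+From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:05:42 +0530
+Subject: [PATCH] CVE-2021-3696
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042]
+CVE: CVE-2021-3696
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/png: Avoid heap OOB R/W inserting huff table items
+
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+
+Catch the case where we would underflow the array and bail.
+
+Fixes: CVE-2021-3696
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+grub-core/video/readers/png.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 36b3f10..3c05951 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+for (i = len; i < ht->max_length; i++)
+n += ht->maxval[i];
+
++ if (n > ht->num_values)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: out of range inserting huffman table item");
++ return;
++ }
++
+for (i = 0; i < n; i++)
+ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+
+--
+2.25.1
+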
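Review bot: The new bail-out in grub_png_insert_huff_item reports the problem only through `grub_error ()` followed by a bare `return;`, so a caller learns of it only if it inspects `grub_errno` afterwards. The call sites are outside this hunk; if one does not check, decoding would presumably continue with a table that lacks the rejected item. I would document the contract on the function, e.g. `/* On failure sets grub_errno and returns without inserting; callers must check grub_errno. */`, and confirm each caller does so. The check also bounds only the lower end of the shift: the first iteration still writes `ht->values[ht->num_values]`, and the hunk does not show where `num_values` is compared with the table's capacity.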
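--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
@@ -0,0 +1,82 @@
+From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 19 Jul 2022 11:13:02 +0530
+Subject: [PATCH] CVE-2021-3697
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6]
+CVE: CVE-2021-3697
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/jpeg: Block int underflow -> wild pointer write
+
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+
+for (; data->r1 < nr1 && (!data->dri || rst);
+data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+
+We did not check if vb * width >= hb * nc1.
+
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+
+0x6180_0000_0480 to
+0x6181_0000_0498
+^
+~--- carry has occurred and this pointer is now far away from
+any object.
+
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+
+Catch the underflow and error out.
+
+Fixes: CVE-2021-3697
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+grub-core/video/readers/jpeg.c | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..545a60b 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -23,6 +23,7 @@
+#include <grub/mm.h>
+#include <grub/misc.h>
+#include <grub/bufio.h>
++#include <grub/safemath.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -617,6 +618,7 @@ static grub_err_t
+grub_jpeg_decode_data (struct grub_jpeg_data *data)
+{
+unsigned c1, vb, hb, nr1, nc1;
++ unsigned stride_a, stride_b, stride;
+int rst = data->dri;
+
+vb = 8 << data->log_vs;
+@@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
+nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
++ if (grub_mul(vb, data->image_width, &stride_a) ||
++ grub_mul(hb, nc1, &stride_b) ||
++ grub_sub(stride_a, stride_b, &stride))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: cannot decode image with these dimensions");
++
+for (; data->r1 < nr1 && (!data->dri || rst);
+- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
++ data->r1++, data->bitmap_ptr += stride * 3)
+for (c1 = 0; c1 < nc1 && (!data->dri || rst);
+c1++, rst--, data->bitmap_ptr += hb * 3)
+{
+--
+2.25.1
+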
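Review bot: The loop increment in grub_jpeg_decode_data still computes `stride * 3` in plain unsigned arithmetic, so the multiplication by 3 is the one step of the stride calculation that the new grub_mul/grub_sub chain does not cover. Extending the condition with `|| grub_mul (stride, 3, &stride)` and using `data->bitmap_ptr += stride` would put the whole expression under the overflow checks. As a style point, the added calls are written `grub_mul(` and `grub_sub(` without the space before the parenthesis that `grub_error (` on the following line uses. The function body continues outside the hunk.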
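--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
@@ -0,0 +1,32 @@
+From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 27 Jun 2022 10:15:29 +0530
+Subject: [PATCH] CVE-2021-3981
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4]
+CVE: CVE-2021-3981
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+util/grub-mkconfig.in | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 9f477ff..ead94a6 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with
+exit 1
+else
+# none of the children aborted with error, install the new grub.cfg
+- mv -f ${grub_cfg}.new ${grub_cfg}
++ oldumask=$(umask)
++ umask 077
++ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
++ rm -f ${grub_cfg}.new
+fi
+fi
+
+--
+2.25.1
+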
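Review bot: In the `else` branch the new sequence runs `rm -f ${grub_cfg}.new` without checking that `cat ${grub_cfg}.new > ${grub_cfg}` succeeded, and the in-place overwrite is no longer the atomic rename that `mv -f` provided. Unless the script aborts on error (no `set -e` is visible in this hunk), a failed or interrupted write would leave a truncated grub.cfg and then discard the only complete copy. Making the removal depend on the write, for example `cat "${grub_cfg}.new" > "${grub_cfg}" || exit 1`, keeps the generated file for recovery, and quoting the expansions guards paths that contain whitespace. A short comment stating why the file is written in place under `umask 077` instead of being renamed would also help, since the patch header gives no description. The enclosing if/else starts outside the hunk.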
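--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/font/font.c | 29 +++++++++++++++++------------
+1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index df17dba..f110db9 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+struct grub_video_signed_rect bounds;
+static struct grub_font_glyph *glyph = 0;
+static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ensure_comb_space (glyph_id);
+
+@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+if (!glyph_id->ncomb && !glyph_id->attributes)
+return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+{
+grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+}
+if (!glyph)
+{
++ max_glyph_size = 0;
+grub_errno = GRUB_ERR_NONE;
+return main_glyph;
+}
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+grub_font_blit_glyph_mirror (glyph, main_glyph,
+--
+2.25.1
+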
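Review bot: The new size check in grub_font_construct_glyph() calls `grub_video_bitmap_calc_1bpp_bufsz()` and `grub_cast()`, but this patch touches only font.c and neither defines those helpers nor adds an include for them. If the target GRUB tree does not already carry them (they may arrive with another backport in the same series), the recipe will not build, so the patch header should name the prerequisite patch and SRC_URI should list it first. Separately, the zero-size and `grub_cast` checks run only after `grub_malloc` and `grub_memset`; a comment such as `/* Reject empty or unrepresentable bounds; fall back to the uncombined glyph. */` above that `if` would make the silent `return main_glyph` read as intentional. The function body starts and ends outside both hunks.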
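--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
@@ -0,0 +1,60 @@
+From 415fb5eb83cbd3b5cfc25ac1290f2de4fe3d231c Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:48:34 +0530
+Subject: [PATCH] CVE-2022-28733
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e4817538de828319ba6d59ced2fbb9b5ca13287]
+CVE: CVE-2022-28733
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/ip: Do IP fragment maths safely
+
+We can receive packets with invalid IP fragmentation information. This
+can lead to rsm->total_len underflowing and becoming very large.
+
+Then, in grub_netbuff_alloc(), we add to this very large number, which can
+cause it to overflow and wrap back around to a small positive number.
+The allocation then succeeds, but the resulting buffer is too small and
+subsequent operations can write past the end of the buffer.
+
+Catch the underflow here.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+grub-core/net/ip.c | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index ea5edf8..74e4e8b 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+#include <grub/net/netbuff.h>
+#include <grub/mm.h>
+#include <grub/priority_queue.h>
++#include <grub/safemath.h>
+#include <grub/time.h>
+
+struct iphdr {
+@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+{
+rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
++ (nb->tail - nb->data));
+- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++ &rsm->total_len))
++ {
++ grub_dprintf ("net", "IP reassembly size underflow\n");
++ return GRUB_ERR_NONE;
++ }
++
+rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+if (!rsm->asm_netbuff)
+{
+--
+2.25.1
+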
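Review bot: The underflow branch added in grub_net_recv_ip4_packets() returns `GRUB_ERR_NONE` after only a `grub_dprintf`, and the hunk does not show what then happens to `nb` or to the reassembly entry `rsm`. Because `grub_sub()` is given `&rsm->total_len` as its own output, the stored length may already hold the wrapped value when the function returns, so it is worth confirming in the surrounding code that no later path uses `rsm->total_len` without recomputing it. A comment such as `/* Malformed fragment offset or header length: drop it before any allocation. */` above the `if` would state why the packet is discarded without an error. The function continues outside the hunk on both sides.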
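--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
@@ -0,0 +1,67 @@
+From f03f09c2a07eae7f3a4646e33a406ae2689afb9e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:59:41 +0530
+Subject: [PATCH] CVE-2022-28734
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4]
+CVE: CVE-2022-28734
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+---
+grub-core/net/http.c | 12 +++++++++---
+1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 5aa4ad3..a220d21 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+char *end = ptr + len;
+while (end > ptr && *(end - 1) == '\r')
+end--;
++
++ /* LF without CR. */
++ if (end == ptr + len)
++ {
++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++ return GRUB_ERR_NONE;
++ }
+*end = 0;
++
+/* Trailing CRLF. */
+if (data->in_chunk_len == 1)
+{
+@@ -190,9 +198,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+int have_line = 1;
+char *t;
+ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+- if (ptr)
+- ptr++;
+- else
++ if (ptr == NULL)
+{
+have_line = 0;
+ptr = (char *) nb->tail;
+--
+2.25.1
+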
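Review bot: The patch description covers only the http_receive() change ("Do not advance the pointer in the split header case"), while the first hunk also adds a new rejection path in parse_line() for a line ending in LF without CR, which neither the message nor the single Upstream-Status link accounts for. If that hunk comes from a second upstream commit, the header should cite it too, e.g. `Upstream-Status: Backport [<first-commit-url>, <second-commit-url>]`, so the backport can be audited against its sources. In the new branch, `data->errmsg = grub_strdup (...)` overwrites any earlier message without freeing it and its result is not checked; whether `errmsg` can already be set at that point is not visible, since parse_line() continues outside the hunk.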
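--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28735.patch
@@ -0,0 +1,271 @@
+From 6fe755c5c07bb386fda58306bfd19e4a1c974c53 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Thu, 2 Dec 2021 15:03:53 +0100
+Subject: kern/efi/sb: Reject non-kernel files in the shim_lock verifier
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53]
+CVE: CVE-2022-28735
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+We must not allow other verifiers to pass things like the GRUB modules.
+Instead of maintaining a blocklist, maintain an allowlist of things
+that we do not care about.
+
+This allowlist really should be made reusable, and shared by the
+lockdown verifier, but this is the minimal patch addressing
+security concerns where the TPM verifier was able to mark modules
+as verified (or the OpenPGP verifier for that matter), when it
+should not do so on shim-powered secure boot systems.
+
+Fixes: CVE-2022-28735
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+grub-core/kern/efi/sb.c | 221 ++++++++++++++++++++++++++++++++++++++++
+include/grub/verify.h | 1 +
+2 files changed, 222 insertions(+)
+create mode 100644 grub-core/kern/efi/sb.c
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+new file mode 100644
+index 0000000..89c4bb3
+--- /dev/null
++++ b/grub-core/kern/efi/sb.c
+@@ -0,0 +1,221 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ * UEFI Secure Boot related checkings.
++ */
++
++#include <grub/efi/efi.h>
++#include <grub/efi/pe32.h>
++#include <grub/efi/sb.h>
++#include <grub/env.h>
++#include <grub/err.h>
++#include <grub/file.h>
++#include <grub/i386/linux.h>
++#include <grub/kernel.h>
++#include <grub/mm.h>
++#include <grub/types.h>
++#include <grub/verify.h>
++
++static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
++
++/*
++ * Determine whether we're in secure boot mode.
++ *
++ * Please keep the logic in sync with the Linux kernel,
++ * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
++ */
++grub_uint8_t
++grub_efi_get_secureboot (void)
++{
++ static grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_efi_status_t status;
++ grub_efi_uint32_t attr = 0;
++ grub_size_t size = 0;
++ grub_uint8_t *secboot = NULL;
++ grub_uint8_t *setupmode = NULL;
++ grub_uint8_t *moksbstate = NULL;
++ grub_uint8_t secureboot = GRUB_EFI_SECUREBOOT_MODE_UNKNOWN;
++ const char *secureboot_str = "UNKNOWN";
++
++ status = grub_efi_get_variable ("SecureBoot", &efi_variable_guid,
++ &size, (void **) &secboot);
++
++ if (status == GRUB_EFI_NOT_FOUND)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ status = grub_efi_get_variable ("SetupMode", &efi_variable_guid,
++ &size, (void **) &setupmode);
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ if ((*secboot == 0) || (*setupmode == 1))
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ /*
++ * See if a user has put the shim into insecure mode. If so, and if the
++ * variable doesn't have the runtime attribute set, we might as well
++ * honor that.
++ */
++ status = grub_efi_get_variable_with_attributes ("MokSBState", &shim_lock_guid,
++ &size, (void **) &moksbstate, &attr);
++
++ /* If it fails, we don't care why. Default to secure. */
++ if (status != GRUB_EFI_SUCCESS)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++ goto out;
++ }
++
++ if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++
++ out:
++ grub_free (moksbstate);
++ grub_free (setupmode);
++ grub_free (secboot);
++
++ if (secureboot == GRUB_EFI_SECUREBOOT_MODE_DISABLED)
++ secureboot_str = "Disabled";
++ else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ secureboot_str = "Enabled";
++
++ grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str);
++
++ return secureboot;
++}
++
++static grub_err_t
++shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
++ enum grub_file_type type,
++ void **context __attribute__ ((unused)),
++ enum grub_verify_flags *flags)
++{
++ *flags = GRUB_VERIFY_FLAGS_NONE;
++
++ switch (type & GRUB_FILE_TYPE_MASK)
++ {
++ /* Files we check. */
++ case GRUB_FILE_TYPE_LINUX_KERNEL:
++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++ case GRUB_FILE_TYPE_BSD_KERNEL:
++ case GRUB_FILE_TYPE_XNU_KERNEL:
++ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
++ return GRUB_ERR_NONE;
++
++ /* Files that do not affect secureboot state. */
++ case GRUB_FILE_TYPE_NONE:
++ case GRUB_FILE_TYPE_LOOPBACK:
++ case GRUB_FILE_TYPE_LINUX_INITRD:
++ case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
++ case GRUB_FILE_TYPE_XNU_RAMDISK:
++ case GRUB_FILE_TYPE_SIGNATURE:
++ case GRUB_FILE_TYPE_PUBLIC_KEY:
++ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
++ case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
++ case GRUB_FILE_TYPE_TESTLOAD:
++ case GRUB_FILE_TYPE_GET_SIZE:
++ case GRUB_FILE_TYPE_FONT:
++ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
++ case GRUB_FILE_TYPE_CAT:
++ case GRUB_FILE_TYPE_HEXCAT:
++ case GRUB_FILE_TYPE_CMP:
++ case GRUB_FILE_TYPE_HASHLIST:
++ case GRUB_FILE_TYPE_TO_HASH:
++ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
++ case GRUB_FILE_TYPE_PIXMAP:
++ case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
++ case GRUB_FILE_TYPE_CONFIG:
++ case GRUB_FILE_TYPE_THEME:
++ case GRUB_FILE_TYPE_GETTEXT_CATALOG:
++ case GRUB_FILE_TYPE_FS_SEARCH:
++ case GRUB_FILE_TYPE_LOADENV:
++ case GRUB_FILE_TYPE_SAVEENV:
++ case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++ return GRUB_ERR_NONE;
++
++ /* Other files. */
++ default:
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
++ }
++}
++
++static grub_err_t
++shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
++{
++ grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ if (!sl)
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
++
++ if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
++ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
++
++ return GRUB_ERR_NONE;
++}
++
++struct grub_file_verifier shim_lock_verifier =
++ {
++ .name = "shim_lock_verifier",
++ .init = shim_lock_verifier_init,
++ .write = shim_lock_verifier_write
++ };
++
++void
++grub_shim_lock_verifier_setup (void)
++{
++ struct grub_module_header *header;
++ grub_efi_shim_lock_protocol_t *sl =
++ grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
++ if (!sl)
++ {
++ FOR_MODULES (header)
++ {
++ if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
++ return;
++ }
++ }
++
++ /* Secure Boot is off. Do not load shim_lock. */
++ if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ return;
++
++ /* Enforce shim_lock_verifier. */
++ grub_verifier_register (&shim_lock_verifier);
++
++ grub_env_set ("shim_lock", "y");
++ grub_env_export ("shim_lock");
++}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index cd129c3..672ae16 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -24,6 +24,7 @@
+
+enum grub_verify_flags
+{
++ GRUB_VERIFY_FLAGS_NONE = 0,
+GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
+GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
+/* Defer verification to another authority. */
+--
+2.25.1
+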
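Review bot: This backport creates grub-core/kern/efi/sb.c as a new file, yet nothing in the patch adds it to a build list or calls `grub_shim_lock_verifier_setup()`. The file also includes `<grub/efi/sb.h>` and uses `GRUB_EFI_SECUREBOOT_MODE_*`, `OBJ_TYPE_DISABLE_SHIM_LOCK` and `grub_efi_get_variable_with_attributes()`, none of which the patch provides. If the target tree lacks that wiring, the file is never compiled or reached, and the `CVE: CVE-2022-28735` tag would report the issue as patched while the shipped bootloader is unchanged. Please confirm that the object is linked into the EFI kernel image and that the setup function runs at start-up, and name any prerequisite patches in the header. Note also that `grub_shim_lock_verifier_setup()` treats `GRUB_EFI_SECUREBOOT_MODE_UNKNOWN` the same as disabled, which deserves a comment next to the `!= GRUB_EFI_SECUREBOOT_MODE_ENABLED` test.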
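--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28736.patch
@@ -0,0 +1,275 @@
+From 431a111c60095fc973d83fe9209f26f29ce78784 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 11:17:17 +0530
+Subject: [PATCH] CVE-2022-28736
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=04c86e0bb7b58fc2f913f798cdb18934933e532d]
+CVE: CVE-2022-28736
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+loader/efi/chainloader: Use grub_loader_set_ex()
+
+This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
+a use-after-free bug that occurs when grub_cmd_chainloader() is executed
+more than once before a boot attempt is performed.
+
+Fixes: CVE-2022-28736
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++----
+grub-core/loader/efi/chainloader.c | 46 +++++++++++----------
+include/grub/loader.h | 5 +++
+3 files changed, 87 insertions(+), 30 deletions(-)
+
+diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
+index bbca81e..6151478 100644
+--- a/grub-core/commands/boot.c
++++ b/grub-core/commands/boot.c
+@@ -27,10 +27,20 @@
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+-static grub_err_t (*grub_loader_boot_func) (void);
+-static grub_err_t (*grub_loader_unload_func) (void);
++static grub_err_t (*grub_loader_boot_func) (void *context);
++static grub_err_t (*grub_loader_unload_func) (void *context);
++static void *grub_loader_context;
+static int grub_loader_flags;
+
++struct grub_simple_loader_hooks
++{
++ grub_err_t (*boot) (void);
++ grub_err_t (*unload) (void);
++};
++
++/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
++static struct grub_simple_loader_hooks simple_loader_hooks;
++
+struct grub_preboot
+{
+grub_err_t (*preboot_func) (int);
+@@ -44,6 +54,29 @@ static int grub_loader_loaded;
+static struct grub_preboot *preboots_head = 0,
+*preboots_tail = 0;
+
++static grub_err_t
++grub_simple_boot_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++ return hooks->boot ();
++}
++
++static grub_err_t
++grub_simple_unload_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++ grub_err_t ret;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++
++ ret = hooks->unload ();
++ grub_memset (hooks, 0, sizeof (*hooks));
++
++ return ret;
++}
++
+int
+grub_loader_is_loaded (void)
+{
+@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
+}
+
+void
+-grub_loader_set (grub_err_t (*boot) (void),
+- grub_err_t (*unload) (void),
+- int flags)
++grub_loader_set_ex (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags)
+{
+if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+grub_loader_boot_func = boot;
+grub_loader_unload_func = unload;
++ grub_loader_context = context;
+grub_loader_flags = flags;
+
+grub_loader_loaded = 1;
+}
+
++void
++grub_loader_set (grub_err_t (*boot) (void),
++ grub_err_t (*unload) (void),
++ int flags)
++{
++ grub_loader_set_ex (grub_simple_boot_hook,
++ grub_simple_unload_hook,
++ &simple_loader_hooks,
++ flags);
++
++ simple_loader_hooks.boot = boot;
++ simple_loader_hooks.unload = unload;
++}
++
+void
+grub_loader_unset(void)
+{
+if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+grub_loader_boot_func = 0;
+grub_loader_unload_func = 0;
++ grub_loader_context = 0;
+
+grub_loader_loaded = 0;
+}
+@@ -158,7 +208,7 @@ grub_loader_boot (void)
+return err;
+}
+}
+- err = (grub_loader_boot_func) ();
++ err = (grub_loader_boot_func) (grub_loader_context);
+
+for (cur = preboots_tail; cur; cur = cur->prev)
+if (! err)
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index a8d7b91..93a028a 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,33 +44,28 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+static grub_dl_t my_mod;
+
+-static grub_efi_physical_address_t address;
+-static grub_efi_uintn_t pages;
+-static grub_efi_device_path_t *file_path;
+-static grub_efi_handle_t image_handle;
+-static grub_efi_char16_t *cmdline;
+-
+static grub_err_t
+-grub_chainloader_unload (void)
++grub_chainloader_unload (void *context)
+{
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
++ grub_efi_loaded_image_t *loaded_image;
+grub_efi_boot_services_t *b;
+
++ loaded_image = grub_efi_get_loaded_image (image_handle);
++ if (loaded_image != NULL)
++ grub_free (loaded_image->load_options);
++
+b = grub_efi_system_table->boot_services;
+efi_call_1 (b->unload_image, image_handle);
+- efi_call_2 (b->free_pages, address, pages);
+-
+- grub_free (file_path);
+- grub_free (cmdline);
+- cmdline = 0;
+- file_path = 0;
+
+grub_dl_unref (my_mod);
+return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+-grub_chainloader_boot (void)
++grub_chainloader_boot (void *context)
+{
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+grub_efi_boot_services_t *b;
+grub_efi_status_t status;
+grub_efi_uintn_t exit_data_size;
+@@ -139,7 +134,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+char *dir_start;
+char *dir_end;
+grub_size_t size;
+- grub_efi_device_path_t *d;
++ grub_efi_device_path_t *d, *file_path;
+
+dir_start = grub_strchr (filename, ')');
+if (! dir_start)
+@@ -215,11 +210,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+grub_efi_status_t status;
+grub_efi_boot_services_t *b;
+grub_device_t dev = 0;
+- grub_efi_device_path_t *dp = 0;
++ grub_efi_device_path_t *dp = NULL, *file_path = NULL;
+grub_efi_loaded_image_t *loaded_image;
+char *filename;
+void *boot_image = 0;
+grub_efi_handle_t dev_handle = 0;
++ grub_efi_physical_address_t address = 0;
++ grub_efi_uintn_t pages = 0;
++ grub_efi_char16_t *cmdline = NULL;
++ grub_efi_handle_t image_handle = NULL;
+
+if (argc == 0)
+return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -227,11 +226,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+
+grub_dl_ref (my_mod);
+
+- /* Initialize some global variables. */
+- address = 0;
+- image_handle = 0;
+- file_path = 0;
+-
+b = grub_efi_system_table->boot_services;
+
+file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
+@@ -401,7 +395,11 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+grub_file_close (file);
+grub_device_close (dev);
+
+- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
++ /* We're finished with the source image buffer and file path now. */
++ efi_call_2 (b->free_pages, address, pages);
++ grub_free (file_path);
++
++ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
+return 0;
+
+fail:
+@@ -412,11 +410,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+if (file)
+grub_file_close (file);
+
++ grub_free (cmdline);
+grub_free (file_path);
+
+if (address)
+efi_call_2 (b->free_pages, address, pages);
+
++ if (image_handle != NULL)
++ efi_call_1 (b->unload_image, image_handle);
++
+grub_dl_unref (my_mod);
+
+return grub_errno;
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index 7f82a49..3071a50 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -39,6 +39,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+grub_err_t (*unload) (void),
+int flags);
+
++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags);
++
+/* Unset current loader, if any. */
+void EXPORT_FUNC (grub_loader_unset) (void);
+
+--
+2.25.1
+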
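Review bot: In boot.c, `grub_simple_unload_hook()` calls `hooks->unload ()` unconditionally, whereas the old code skipped unloading when the `unload` pointer given to grub_loader_set() was null (`grub_loader_loaded && grub_loader_unload_func`). With the wrapper, `grub_loader_unload_func` is always the non-null hook, so any caller that registers a loader without an unload callback (callers are not visible here) would now call through a null pointer; `ret = hooks->unload != NULL ? hooks->unload () : GRUB_ERR_NONE;` restores the earlier behaviour. grub_loader_set() also depends on calling grub_loader_set_ex() before it fills `simple_loader_hooks`, because the previous loader's unload hook clears that struct. A comment such as `/* Must follow grub_loader_set_ex(): unloading the previous simple loader zeroes simple_loader_hooks. */` would protect that ordering from a later reshuffle.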
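--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/font/font.c | 16 ++++++++--------
+1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index f110db9..3b76b22 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ctx.bounds.height = main_glyph->height;
+
+above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+below_righty = ctx.bounds.y;
+
+comb = grub_unicode_get_comb (glyph_id);
+@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+if (!combining_glyphs[i])
+continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+/* CGJ is to avoid diacritics reordering. */
+if (comb[i].code
+== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+case GRUB_UNICODE_COMB_OVERLAY:
+do_blit (combining_glyphs[i],
+targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+if (min_devwidth < combining_glyphs[i]->width)
+min_devwidth = combining_glyphs[i]->width;
+break;
+@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+/* Fallthrough. */
+case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
++ combining_glyphs[i]->height), &ctx);
+if (min_devwidth < combining_glyphs[i]->width)
+min_devwidth = combining_glyphs[i]->width;
+@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
++ combining_glyphs[i]->height / 2), &ctx);
+if (min_devwidth < combining_glyphs[i]->width)
+min_devwidth = combining_glyphs[i]->width;
+--
+2.25.1
+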
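Review bot: None of the added `(int) ctx.bounds.height` and `(int) ctx.bounds.width` casts in blit_comb() carries a comment, so the reason they must stay is recorded only in the commit message. A short comment at the first cast, such as `/* bounds.width/height are unsigned; cast so coordinate math stays signed and cannot wrap. */`, would keep a later cleanup from dropping a cast and bringing the wrap back in `targetx` or the `do_blit` offsets. The casts are only safe while the stored width and height fit in an int; the visible assignment `ctx.bounds.height = main_glyph->height` suggests a narrow source type, but other writers of ctx.bounds are outside these hunks and should be confirmed. blit_comb() starts and ends outside the hunks.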
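--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
+attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+CVE: CVE-2023-4692
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..c8d3683 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+}
+if (at->attr_end)
+{
+- grub_uint8_t *pa;
++ grub_uint8_t *pa, *pa_end;
+
+at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+}
+at->attr_nxt = at->edat_buf;
+at->attr_end = at->edat_buf + u32at (pa, 0x30);
++ pa_end = at->edat_buf + n;
+}
+else
+{
+at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+at->attr_end = at->attr_end + u32at (pa, 4);
++ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+}
+at->flags |= GRUB_NTFS_AF_ALST;
+while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+at->flags |= GRUB_NTFS_AF_GPOS;
+at->attr_cur = at->attr_nxt;
+pa = at->attr_cur;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+grub_set_unaligned32 ((char *) pa + 0x10,
+grub_cpu_to_le32 (at->mft->data->mft_start));
+grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+{
+if (*pa != attr)
+break;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+if (read_attr
+(at, pa + 0x10,
+u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+--
+2.25.1
+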
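Review bot: In the last hunk of find_attr (-240,6 +249,13) the existing `if (*pa != attr)` still dereferences pa before the new `pa >= pa_end` test runs, so a single byte can be read past the buffer when the list bounds derived from on-disk fields (`u32at (pa, 0x30)`, `u32at (pa, 4)`) exceed it. Placing the added bounds check above the `*pa` comparison would cover that read as well as the later `read_attr` call. The loop header is outside the hunk, so confirm whether pa is already limited there by something other than `at->attr_end`. find_attr starts and ends outside these hunks.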
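--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+$DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/fs/ntfs.c | 13 ++++++++++++-
+1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c8d3683..4d1fe42 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+{
+if (ofs + len > u32at (pa, 0x10))
+return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+return 0;
+}
+
+--
+2.25.1
+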
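Review bot: The added range checks in read_data() bound pa only from above: `pa >= at->mft->buf + (...)` rejects a pointer past the record, but a pa below `at->mft->buf` passes, and the subtraction `(grub_addr_t) at->mft->buf + (...) - (grub_addr_t) pa` then yields a large remaining size. If pa can refer to a buffer other than at->mft->buf (the CVE-2023-4692 patch in this commit shows find_attr working with at->emft_buf and at->edat_buf), the limit is computed against the wrong buffer; whether read_data() is reached with such a pa is not visible here and should be confirmed against the callers. If pa is always inside the MFT record, the second check can state that directly as `if (pa < at->mft->buf || pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))`. The change from `u32at (pa, 0x14)` to `u16at (pa, 0x14)` in the memcpy also deserves a one-line comment giving the width of that on-disk field. read_data() starts before the hunk and its signature is cut at the hunk header.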
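--- a/meta/recipes-bsp/grub/files/determinism.patch
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -11,7 +11,7 @@ missing sorting of the list used to generate it. Add such a sort.
 Also ensure the generated unidata.c file is deterministic by sorting the
 keys of the dict.
 
-Upstream-Status: Pending
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/grub-devel/2023-06/index.html]
 Richard Purdie <richard.purdie@linuxfoundation.org>
 
 Index: grub-2.04/grub-core/genmoddep.awk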
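--- /dev/null
+++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/font/font.c | 17 +++++++++++++----
+include/grub/bitmap.h | 18 ++++++++++++++++++
+include/grub/safemath.h | 2 ++
+3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477..df17dba 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+grub_int16_t xoff;
+grub_int16_t yoff;
+grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+if (index_entry->glyph)
+/* Return cached glyph. */
+@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+return 0;
+}
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+{
+remove_font (font);
+return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+#include <grub/symbol.h>
+#include <grub/types.h>
+#include <grub/video.h>
++#include <grub/safemath.h>
+
+struct grub_video_bitmap
+{
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+return bitmap->mode_info.height;
+}
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+#else
+#error gcc 5.1 or newer or clang 3.8 or newer is required
+#endif
+--
+2.25.1
+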
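Review bot: `grub_cast` is added to include/grub/safemath.h with no comment, so its return convention (true on overflow, matching grub_add) is stated only in the commit message. I would add above the define `/* Store a in *res; returns true if a does not fit in the type of *res. */`, since an inverted reading of the result would turn the overflow check in font.c into its opposite. In grub_font_get_glyph_internal() the destination `len` is declared `grub_ssize_t`, so the helper also rejects sizes above the signed maximum; the code that later consumes `len` is outside the hunk and should be read with that in mind. grub_font_get_glyph_internal() starts and ends outside the hunks.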
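--- /dev/null
+++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
@@ -0,0 +1,107 @@
+From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Mon, 13 Jan 2014 12:13:09 +0000
+Subject: Don't permit loading modules on UEFI secure boot
+
+Author: Colin Watson <cjwatson@ubuntu.com>
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
+Forwarded: no
+Last-Update: 2013-12-25
+
+Patch-Name: no-insmod-on-sb.patch
+
+Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch]
+
+Backport of a Debian (and Fedora) patch implementing a way to get secure boot status
+for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport.
+Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/dl.c | 13 +++++++++++++
+grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
+include/grub/efi/efi.h | 1 +
+3 files changed, 42 insertions(+)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..074dfc3c6 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -38,6 +38,10 @@
+#define GRUB_MODULES_MACHINE_READONLY
+#endif
+
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/efi.h>
++#endif
++
+
+
+#pragma GCC diagnostic ignored "-Wcast-align"
+@@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename)
+void *core = 0;
+grub_dl_t mod = 0;
+
++#ifdef GRUB_MACHINE_EFI
++ if (grub_efi_secure_boot ())
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED,
++ "Secure Boot forbids loading module from %s", filename);
++ return 0;
++ }
++#endif
++
+grub_boot_time ("Loading module %s", filename);
+
+file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb905..96204e39b 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+return NULL;
+}
+
++grub_efi_boolean_t
++grub_efi_secure_boot (void)
++{
++ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_size_t datasize;
++ char *secure_boot = NULL;
++ char *setup_mode = NULL;
++ grub_efi_boolean_t ret = 0;
++
++ secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !secure_boot)
++ goto out;
++
++ setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !setup_mode)
++ goto out;
++
++ if (*secure_boot && !*setup_mode)
++ ret = 1;
++
++ out:
++ grub_free (secure_boot);
++ grub_free (setup_mode);
++ return ret;
++}
++
+#pragma GCC diagnostic ignored "-Wcast-align"
+
+/* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index e90e00dc4..a237952b3 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
+const grub_efi_guid_t *guid,
+void *data,
+grub_size_t datasize);
++grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
+int
+EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
+const grub_efi_device_path_t *dp2);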
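Review bot: In grub_efi_secure_boot() both tests read `datasize` before looking at the returned pointer (`if (datasize != 1 || !secure_boot)`), and `datasize` is declared without an initializer. Whether grub_efi_get_variable() writes the size on every failure path is not visible in this hunk, so I would declare `grub_size_t datasize = 0;` and test the pointer first, `if (!secure_boot || datasize != 1)`, and likewise for `setup_mode`. The function also returns 0 whenever either variable cannot be read, which means grub_dl_load_file() then permits module loading; that is the expected answer on firmware without Secure Boot, but since it is a fail-open decision on a security gate it should be stated in a comment above the function.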
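--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -13,6 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 CVE_PRODUCT = "grub2"
 
+# Applies only to RHEL
+CVE_CHECK_WHITELIST += "CVE-2019-14865"
+# Applies only to SUSE
+CVE_CHECK_WHITELIST += "CVE-2021-46705"
+
 SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 file://0001-Disable-mfpmath-sse-as-well-when-SSE-is-disabled.patch \
 file://autogen.sh-exclude-pc.patch \
@@ -28,7 +33,85 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 file://CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
 file://CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
 file://determinism.patch \
-"
+file://no-insmod-on-sb.patch \
+file://CVE-2020-14372_1.patch \
+file://CVE-2020-14372_2.patch \
+file://CVE-2020-14372_3.patch \
+file://CVE-2020-14372_4.patch \
+file://CVE-2020-14372_5.patch \
+file://CVE-2020-14372.patch \
+file://CVE-2020-27779.patch \
+file://CVE-2020-27779_2.patch \
+file://CVE-2020-27779_3.patch \
+file://CVE-2020-27779_4.patch \
+file://CVE-2020-27779_5.patch \
+file://CVE-2020-27779_6.patch \
+file://CVE-2020-27779_7.patch \
+file://CVE-2020-25632.patch \
+file://CVE-2020-25647.patch \
+file://0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch \
+file://0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch \
+file://0003-net-tftp-Fix-dangling-memory-pointer.patch \
+file://0004-kern-parser-Fix-resource-leak-if-argc-0.patch \
+file://0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch \
+file://0006-kern-efi-Fix-memory-leak-on-failure.patch \
+file://0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch \
+file://0008-gnulib-regexec-Resolve-unused-variable.patch \
+file://0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch \
+file://0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch \
+file://0011-gnulib-regexec-Fix-possible-null-dereference.patch \
+file://0012-gnulib-regcomp-Fix-uninitialized-re_token.patch \
+file://0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch \
+file://0014-zstd-Initialize-seq_t-structure-fully.patch \
+file://0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch \
+file://0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch \
+file://0017-disk-ldm-If-failed-then-free-vg-variable-too.patch \
+file://0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch \
+file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \
+file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \
+file://0021-zfs-Fix-possible-negative-shift-operation.patch \
+file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
+file://0023-zfs-Fix-possible-integer-overflows.patch \
+file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
+file://0025-affs-Fix-memory-leaks.patch \
+file://0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch \
+file://0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch \
+file://0028-syslinux-Fix-memory-leak-while-parsing.patch \
+file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
+file://0030-commands-hashsum-Fix-a-memory-leak.patch \
+file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
+file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
+file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
+file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \
+file://0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch \
+file://0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch \
+file://0037-loader-bsd-Check-for-NULL-arg-up-front.patch \
+file://0038-loader-xnu-Fix-memory-leak.patch \
+file://0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch \
+file://0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch \
+file://0041-util-grub-install-Fix-NULL-pointer-dereferences.patch \
+file://0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch \
+file://0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch \
+file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \
+file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \
+file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \
+file://CVE-2021-3981.patch \
+file://CVE-2021-3695.patch \
+file://CVE-2021-3696.patch \
+file://CVE-2021-3697.patch \
+file://CVE-2022-28733.patch \
+file://CVE-2022-28734.patch \
+file://CVE-2022-28736.patch \
+file://CVE-2022-28735.patch \
+file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
+file://CVE-2022-2601.patch \
+file://CVE-2022-3775.patch \
+file://CVE-2020-27749.patch \
+file://CVE-2021-20225.patch \
+file://CVE-2021-20233.patch \
+file://CVE-2023-4692.patch \
+file://CVE-2023-4693.patch \
+"
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
 
@@ -47,6 +130,8 @@ GRUBPLATFORM ??= "pc"
 
 inherit autotools gettext texinfo pkgconfig
 
+CFLAGS_remove = "-O2"
+
 EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
 --disable-grub-mkfont \
 --program-prefix="" \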
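Review bot: `CFLAGS_remove = "-O2"` in the last hunk is added without a comment, and nothing in this section says why the bootloader is now built without that optimisation level. Because the setting changes the generated code for every GRUB build from this recipe, it should carry a comment naming the failure it avoids, in the style of the `# Applies only to RHEL` comments added in the first hunk, for example `# <reason -O2 is removed, with bug or mailing-list reference>`. In the SRC_URI hunk it would also help to note that `no-insmod-on-sb.patch` has to stay ahead of `CVE-2020-14372_4.patch`, since its own header says it exists to supply the Secure Boot status that patch needs.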
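--- /dev/null
+++ b/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/0001-Fix-cross-compilation-using-autoconf-detected-AR.patch
@@ -0,0 +1,36 @@
+From ecdcf0df6c28c65ca6d1e5638726e13e373c76c5 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 11 Nov 2020 22:58:55 -0800
+Subject: [PATCH] Fix cross compilation using autoconf detected AR
+
+currently its using 'ar' program from build host, which is not expected,
+we need to respect AR passed in environment
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+configure.in | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/configure.in b/configure.in
+index 4ddbe8b..b7c3c31 100644
+--- a/configure.in
++++ b/configure.in
+@@ -84,6 +84,13 @@ AC_ARG_ENABLE(syslog,
+])
+
+dnl Checks for programs.
++m4_ifndef([AC_PROG_AR],[dnl
++ AN_MAKEVAR([AR], [AC_PROG_AR])
++ AN_PROGRAM([ar], [AC_PROG_AR])
++ AC_DEFUN([AC_PROG_AR],
++ [AC_CHECK_TOOL(AR, ar, :)])
++])
++AC_PROG_AR
+AC_PROG_CC
+AC_PROG_GCC_TRADITIONAL
+dnl AC_PROG_INSTALL included in AM_INIT_AUTOMAKE
+--
+2.29.2
+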
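Review bot: The fallback in `[AC_CHECK_TOOL(AR, ar, :)]` sets AR to the shell no-op `:` when no archiver is found, so configure would still succeed and any step that runs `$(AR)` would silently produce nothing, with the failure surfacing only later at link time. Using `[AC_CHECK_TOOL(AR, ar, false)]` makes that case stop at the archive step instead. Only the configure.in hunk is part of this patch, so whether the Makefiles already invoke `$(AR)` rather than a literal `ar` is not visible here and is worth confirming, since the stated goal is to stop using the build host's `ar`.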
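--- a/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
+++ b/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \
 file://lrzsz-check-locale.h.patch \
 file://cve-2018-10195.patch \
 file://include.patch \
+file://0001-Fix-cross-compilation-using-autoconf-detected-AR.patch \
 "
 
 SRC_URI[md5sum] = "b5ce6a74abc9b9eb2af94dffdfd372a4"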
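--- a/meta/recipes-bsp/opensbi/opensbi_0.6.bb
+++ b/meta/recipes-bsp/opensbi/opensbi_0.6.bb
@@ -1,5 +1,6 @@
 SUMMARY = "RISC-V Open Source Supervisor Binary Interface (OpenSBI)"
 DESCRIPTION = "OpenSBI aims to provide an open-source and extensible implementation of the RISC-V SBI specification for a platform specific firmware (M-mode) and a general purpose OS, hypervisor or bootloader (S-mode or HS-mode). OpenSBI implementation can be easily extended by RISC-V platform or System-on-Chip vendors to fit a particular hadware configuration."
+HOMEPAGE = "https://github.com/riscv/opensbi"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://COPYING.BSD;md5=42dd9555eb177f35150cf9aa240b61e5"
 
@@ -8,7 +9,7 @@ require opensbi-payloads.inc
 inherit autotools-brokensep deploy
 
 SRCREV = "ac5e821d50be631f26274765a59bc1b444ffd862"
-SRC_URI = "git://github.com/riscv/opensbi.git \
+SRC_URI = "git://github.com/riscv/opensbi.git;branch=master;protocol=https \
 file://0001-Makefile-Don-t-specify-mabi-or-march.patch \
 "
 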
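--- a/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
+++ b/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
@@ -19,9 +19,12 @@ PACKAGECONFIG[manpages] = "--enable-doc, --disable-doc, libxslt-native xmlto-nat
 
 RDEPENDS_${PN} = "grep bash"
 
+EXTRA_OECONF = "--libdir=${nonarch_libdir}"
+
 do_configure_prepend () {
 ( cd ${S}; autoreconf -f -i -s )
 }
 
-FILES_${PN} += "${libdir}/${BPN}/*"
+FILES_${PN} += "${nonarch_libdir}/${BPN}/*"
 FILES_${PN}-dbg += "${datadir}/doc/pm-utils/README.debugging"
+FILES_${PN}-dev += "${nonarch_libdir}/pkgconfig/pm-utils.pc"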
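Review bot: The new `EXTRA_OECONF = "--libdir=${nonarch_libdir}"` line has no comment explaining why this recipe overrides libdir, although both `FILES_${PN}` and the added `FILES_${PN}-dev` entry now depend on that override staying in place. A one-line comment above it would stop a later cleanup from dropping the override and leaving installed files unpackaged, for example `# install into nonarch_libdir; the FILES entries below must match this path`. If the motivation is multilib (libdir differing per variant), which is only an inference from the variable name, saying so in the comment would help too.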
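--- a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
+++ b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
@@ -10,7 +10,7 @@ LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://Licenses/lgpl-2.1.txt;md5=4fbd65380cdd255951079008b364516c"
 SECTION = "libs"
 
-SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https"
+SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https;branch=master"
 SRCREV = "824551ac77bab1d0f7ae34d7a7c77b155240e754"
 
 S = "${WORKDIR}/git"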
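--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,13 +14,13 @@ PE = "1"
 # repo during parse
 SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
 
-SRC_URI = "git://git.denx.de/u-boot.git \
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
 file://remove-redundant-yyloc-global.patch \
 file://CVE-2020-8432.patch \
 file://CVE-2020-10648-1.patch \
 file://CVE-2020-10648-2.patch \
 "
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"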
diff --git a/meta/recipes-bsp/v86d/v86d_0.1.10.bb b/meta/recipes-bsp/v86d/v86d_0.1.10.bb index a8df80fdd6..e614de0c48 100644 --- a/meta/recipes-bsp/v86d/v86d_0.1.10.bb +++ b/meta/recipes-bsp/v86d/v86d_0.1.10.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "User support binary for the uvesafb kernel module" | 1 | SUMMARY = "User support binary for the uvesafb kernel module" |
2 | HOMEPAGE = "https://tracker.debian.org/pkg/v86d" | 2 | HOMEPAGE = "https://tracker.debian.org/pkg/v86d" |
3 | DESCRIPTION = "v86d provides a backend for kernel drivers that need to execute x86 BIOS code. The code is executed in a controlled environment and the results are passed back to the kernel via the netlink interface." | ||
3 | 4 | ||
4 | # the copyright info is at the bottom of README, expect break | 5 | # the copyright info is at the bottom of README, expect break |
5 | LICENSE = "GPLv2" | 6 | LICENSE = "GPLv2" |