grub: patch CVE-2024-45778 and CVE-2024-45779

Cherry-pick patch mentioning these CVEs. (From OE-Core rev: 9ecee5f950f249d982b307bbdbe0e13e55f27b24) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-03-11 19:14:22 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-03-15 06:44:47 -0700
commit: 51a7eb11928fcae51837095ef557e8ec6cf7eeb8 (patch)
tree: 154d4db69c34441718c63a6c197b44ceb84f5e0a
parent: 7b009013fc93e3c2f2974973067e8e46f87e0345 (diff)
download: poky-51a7eb11928fcae51837095ef557e8ec6cf7eeb8.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
new file mode 100644
index 0000000000..eba013897f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
@@ -0,0 +1,55 @@
+From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 23 Mar 2024 15:59:43 +1100
+Subject: [PATCH] fs/bfs: Disable under lockdown
+The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
+This will also disable the AFS.
+Fixes: CVE-2024-45778
+Fixes: CVE-2024-45779
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+CVE: CVE-2024-45778
+CVE: CVE-2024-45779
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/bfs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
+index 022f69fe2..78aeb051f 100644
+--- a/grub-core/fs/bfs.c
+++ b/grub-core/fs/bfs.c
+@@ -30,6 +30,7 @@
+ #include <grub/types.h>
+ #include <grub/i18n.h>
+ #include <grub/fshelp.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1106,7 +1107,10 @@ GRUB_MOD_INIT (bfs)
+ {
+   COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
+                       sizeof (struct grub_bfs_extent));
+-  grub_fs_register (&grub_bfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_bfs_fs);
+    }
+ }
+ 
+ #ifdef MODE_AFS
+@@ -1115,5 +1119,6 @@ GRUB_MOD_FINI (afs)
+ GRUB_MOD_FINI (bfs)
+ #endif
+ {
+-  grub_fs_unregister (&grub_bfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_bfs_fs);
+ }
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index bd0c9d2601..d187ffedc4 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -33,6 +33,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2024-45777.patch \
           file://CVE-2025-0690.patch \
           file://CVE-2025-1118.patch \
+           file://CVE-2024-45778_CVE-2024-45779.patch \
 "
 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
author	Peter Marko <peter.marko@siemens.com>	2025-03-11 19:14:22 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-03-15 06:44:47 -0700
commit	51a7eb11928fcae51837095ef557e8ec6cf7eeb8 (patch)
tree	154d4db69c34441718c63a6c197b44ceb84f5e0a
parent	7b009013fc93e3c2f2974973067e8e46f87e0345 (diff)
download	poky-51a7eb11928fcae51837095ef557e8ec6cf7eeb8.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch new file mode 100644 index 0000000000..eba013897f --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
@@ -0,0 +1,55 @@
		1	From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001
		2	From: Daniel Axtens <dja@axtens.net>
		3	Date: Sat, 23 Mar 2024 15:59:43 +1100
		4	Subject: [PATCH] fs/bfs: Disable under lockdown
		5
		6	The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
		7	This will also disable the AFS.
		8
		9	Fixes: CVE-2024-45778
		10	Fixes: CVE-2024-45779
		11
		12	Reported-by: Nils Langius <nils@langius.de>
		13	Signed-off-by: Daniel Axtens <dja@axtens.net>
		14	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		15
		16	CVE: CVE-2024-45778
		17	CVE: CVE-2024-45779
		18	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=]
		19	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		20	---
		21	grub-core/fs/bfs.c \| 9 +++++++--
		22	1 file changed, 7 insertions(+), 2 deletions(-)
		23
		24	diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
		25	index 022f69fe2..78aeb051f 100644
		26	--- a/grub-core/fs/bfs.c
		27	+++ b/grub-core/fs/bfs.c
		28	@@ -30,6 +30,7 @@
		29	#include <grub/types.h>
		30	#include <grub/i18n.h>
		31	#include <grub/fshelp.h>
		32	+#include <grub/lockdown.h>
		33
		34	GRUB_MOD_LICENSE ("GPLv3+");
		35
		36	@@ -1106,7 +1107,10 @@ GRUB_MOD_INIT (bfs)
		37	{
		38	COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
		39	sizeof (struct grub_bfs_extent));
		40	- grub_fs_register (&grub_bfs_fs);
		41	+ if (!grub_is_lockdown ())
		42	+ {
		43	+ grub_fs_register (&grub_bfs_fs);
		44	+ }
		45	}
		46
		47	#ifdef MODE_AFS
		48	@@ -1115,5 +1119,6 @@ GRUB_MOD_FINI (afs)
		49	GRUB_MOD_FINI (bfs)
		50	#endif
		51	{
		52	- grub_fs_unregister (&grub_bfs_fs);
		53	+ if (!grub_is_lockdown ())
		54	+ grub_fs_unregister (&grub_bfs_fs);
		55	}


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bd0c9d2601..d187ffedc4 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -33,6 +33,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
33	file://CVE-2024-45777.patch \	33	file://CVE-2024-45777.patch \
34	file://CVE-2025-0690.patch \	34	file://CVE-2025-0690.patch \
35	file://CVE-2025-1118.patch \	35	file://CVE-2025-1118.patch \
		36	file://CVE-2024-45778_CVE-2024-45779.patch \
36	"	37	"
37		38
38	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"	39	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"