summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNaveen Saini <naveen.kumar.saini@intel.com>2021-03-19 15:14:33 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-03-20 18:54:56 +0000
commitda9b0583de455b48b91d2afe73200dcc0d778da3 (patch)
tree27bc885f4749712e2514924f195bc86cee41096e
parent9825a860eef8b6003c917969805cc2975ffeb3dc (diff)
downloadpoky-da9b0583de455b48b91d2afe73200dcc0d778da3.tar.gz
grub: upgrade 2.04 -> 2.06~rc1
2.06 RC1 release have a number of CVEs fixed: CVE-2020-15705 CVE-2021-3418 CVE-2020-27749 CVE-2021-20233 CVE-2021-20225 CVE-2020-25647 CVE-2020-25632 CVE-2020-27779 CVE-2020-14372 CVE-2020-15707 CVE-2020-15706 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-14308 CVE-2020-10713 CVE-2014-4607 Dropped backported patches. (From OE-Core rev: 36a59d63619c2225fe48aa1d8fb1cdabedfffc03) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat
-rw-r--r--meta/recipes-bsp/grub/files/6643507ce30f775008e093580f0c9499dfb2c485.patch47
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-10713.patch73
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch1863
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch1330
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch117
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch177
-rw-r--r--meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch15
-rw-r--r--meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch246
-rw-r--r--meta/recipes-bsp/grub/files/determinism.patch58
-rw-r--r--meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch287
-rw-r--r--meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch94
-rw-r--r--meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch37
-rw-r--r--meta/recipes-bsp/grub/grub-efi_git.bb (renamed from meta/recipes-bsp/grub/grub-efi_2.04.bb)2
-rw-r--r--meta/recipes-bsp/grub/grub2.inc24
-rw-r--r--meta/recipes-bsp/grub/grub_git.bb (renamed from meta/recipes-bsp/grub/grub_2.04.bb)0
15 files changed, 54 insertions, 4316 deletions
diff --git a/meta/recipes-bsp/grub/files/6643507ce30f775008e093580f0c9499dfb2c485.patch b/meta/recipes-bsp/grub/files/6643507ce30f775008e093580f0c9499dfb2c485.patch
deleted file mode 100644
index 8aa2091444..0000000000
--- a/meta/recipes-bsp/grub/files/6643507ce30f775008e093580f0c9499dfb2c485.patch
+++ /dev/null
@@ -1,47 +0,0 @@
1From 6643507ce30f775008e093580f0c9499dfb2c485 Mon Sep 17 00:00:00 2001
2From: Simon Hardy <simon.hardy@itdev.co.uk>
3Date: Tue, 24 Mar 2020 13:29:12 +0000
4Subject: build: Fix GRUB i386-pc build with Ubuntu gcc
5
6With recent versions of gcc on Ubuntu a very large lzma_decompress.img file is
7output. (e.g. 134479600 bytes instead of 2864.) This causes grub-mkimage to
8fail with: "error: Decompressor is too big."
9
10This seems to be caused by a section .note.gnu.property that is placed at an
11offset such that objcopy needs to pad the img file with zeros.
12
13This issue is present on:
14Ubuntu 19.10 with gcc (Ubuntu 8.3.0-26ubuntu1~19.10) 8.3.0
15Ubuntu 19.10 with gcc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008
16
17This issue is not present on:
18Ubuntu 19.10 with gcc (Ubuntu 7.5.0-3ubuntu1~19.10) 7.5.0
19RHEL 8.0 with gcc 8.3.1 20190507 (Red Hat 8.3.1-4)
20
21The issue can be fixed by removing the section using objcopy as shown in
22this patch.
23
24Signed-off-by: Simon Hardy <simon.hardy@itdev.co.uk>
25Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
26---
27 gentpl.py | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30Upstream-Status: Backport
31
32diff --git a/gentpl.py b/gentpl.py
33index 387588c05..c86550d4f 100644
34--- a/gentpl.py
35+++ b/gentpl.py
36@@ -766,7 +766,7 @@ def image(defn, platform):
37 if test x$(TARGET_APPLE_LINKER) = x1; then \
38 $(MACHO2IMG) $< $@; \
39 else \
40- $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .ARM.exidx $< $@; \
41+ $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx $< $@; \
42 fi
43 """)
44
45--
46cgit v1.2.1
47
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
deleted file mode 100644
index c507ed3ea8..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
+++ /dev/null
@@ -1,73 +0,0 @@
1From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Wed, 15 Apr 2020 15:45:02 -0400
4Subject: yylex: Make lexer fatal errors actually be fatal
5
6When presented with a command that can't be tokenized to anything
7smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
8expecting that will stop further processing, as such:
9
10 #define YY_DO_BEFORE_ACTION \
11 yyg->yytext_ptr = yy_bp; \
12 yyleng = (int) (yy_cp - yy_bp); \
13 yyg->yy_hold_char = *yy_cp; \
14 *yy_cp = '\0'; \
15 if ( yyleng >= YYLMAX ) \
16 YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
17 yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
18 yyg->yy_c_buf_p = yy_cp;
19
20The code flex generates expects that YY_FATAL_ERROR() will either return
21for it or do some form of longjmp(), or handle the error in some way at
22least, and so the strncpy() call isn't in an "else" clause, and thus if
23YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
24questionable limit, and predictable results ensue.
25
26Unfortunately, our implementation of YY_FATAL_ERROR() is:
27
28 #define YY_FATAL_ERROR(msg) \
29 do { \
30 grub_printf (_("fatal error: %s\n"), _(msg)); \
31 } while (0)
32
33The same pattern exists in yyless(), and similar problems exist in users
34of YY_INPUT(), several places in the main parsing loop,
35yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
36yy_scan_buffer(), etc.
37
38All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
39the things they do if it returns after calling it are wildly unsafe.
40
41Fixes: CVE-2020-10713
42
43Signed-off-by: Peter Jones <pjones@redhat.com>
44Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
45
46Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
47CVE: CVE-2020-10713
48Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
49---
50 grub-core/script/yylex.l | 4 ++--
51 1 file changed, 2 insertions(+), 2 deletions(-)
52
53diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
54index 7b44c37b7..b7203c823 100644
55--- a/grub-core/script/yylex.l
56+++ b/grub-core/script/yylex.l
57@@ -37,11 +37,11 @@
58
59 /*
60 * As we don't have access to yyscanner, we cannot do much except to
61- * print the fatal error.
62+ * print the fatal error and exit.
63 */
64 #define YY_FATAL_ERROR(msg) \
65 do { \
66- grub_printf (_("fatal error: %s\n"), _(msg)); \
67+ grub_fatal (_("fatal error: %s\n"), _(msg));\
68 } while (0)
69
70 #define COPY(str, hint) \
71--
72cgit v1.2.1
73
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch b/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch
deleted file mode 100644
index 637e368cb0..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch
+++ /dev/null
@@ -1,1863 +0,0 @@
1From bcdd6a55952222ec9829a59348240a4f983b0b56 Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 12:26:01 -0400
4Subject: [PATCH 4/9] calloc: Use calloc() at most places
5
6This modifies most of the places we do some form of:
7
8 X = malloc(Y * Z);
9
10to use calloc(Y, Z) instead.
11
12Among other issues, this fixes:
13 - allocation of integer overflow in grub_png_decode_image_header()
14 reported by Chris Coulson,
15 - allocation of integer overflow in luks_recover_key()
16 reported by Chris Coulson,
17 - allocation of integer overflow in grub_lvm_detect()
18 reported by Chris Coulson.
19
20Fixes: CVE-2020-14308
21
22Signed-off-by: Peter Jones <pjones@redhat.com>
23Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
24
25Upstream-Status: Backport
26CVE: CVE-2020-14308
27
28Reference to upstream patch:
29https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f725fa7cb2ece547c5af01eeeecfe8d95802ed41
30
31[YL: don't patch on grub-core/lib/json/json.c, which is not existing in grub 2.04]
32Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
33---
34 grub-core/bus/usb/usbhub.c | 8 ++++----
35 grub-core/commands/efi/lsefisystab.c | 3 ++-
36 grub-core/commands/legacycfg.c | 6 +++---
37 grub-core/commands/menuentry.c | 2 +-
38 grub-core/commands/nativedisk.c | 2 +-
39 grub-core/commands/parttool.c | 12 +++++++++---
40 grub-core/commands/regexp.c | 2 +-
41 grub-core/commands/search_wrap.c | 2 +-
42 grub-core/disk/diskfilter.c | 4 ++--
43 grub-core/disk/ieee1275/ofdisk.c | 2 +-
44 grub-core/disk/ldm.c | 14 +++++++-------
45 grub-core/disk/luks.c | 2 +-
46 grub-core/disk/lvm.c | 12 ++++++------
47 grub-core/disk/xen/xendisk.c | 2 +-
48 grub-core/efiemu/loadcore.c | 2 +-
49 grub-core/efiemu/mm.c | 6 +++---
50 grub-core/font/font.c | 3 +--
51 grub-core/fs/affs.c | 6 +++---
52 grub-core/fs/btrfs.c | 6 +++---
53 grub-core/fs/hfs.c | 2 +-
54 grub-core/fs/hfsplus.c | 6 +++---
55 grub-core/fs/iso9660.c | 2 +-
56 grub-core/fs/ntfs.c | 4 ++--
57 grub-core/fs/sfs.c | 2 +-
58 grub-core/fs/tar.c | 2 +-
59 grub-core/fs/udf.c | 4 ++--
60 grub-core/fs/zfs/zfs.c | 4 ++--
61 grub-core/gfxmenu/gui_string_util.c | 2 +-
62 grub-core/gfxmenu/widget-box.c | 4 ++--
63 grub-core/io/gzio.c | 2 +-
64 grub-core/kern/efi/efi.c | 6 +++---
65 grub-core/kern/emu/hostdisk.c | 2 +-
66 grub-core/kern/fs.c | 2 +-
67 grub-core/kern/misc.c | 2 +-
68 grub-core/kern/parser.c | 2 +-
69 grub-core/kern/uboot/uboot.c | 2 +-
70 grub-core/lib/libgcrypt/cipher/ac.c | 8 ++++----
71 grub-core/lib/libgcrypt/cipher/primegen.c | 4 ++--
72 grub-core/lib/libgcrypt/cipher/pubkey.c | 4 ++--
73 grub-core/lib/priority_queue.c | 2 +-
74 grub-core/lib/reed_solomon.c | 7 +++----
75 grub-core/lib/relocator.c | 10 +++++-----
76 grub-core/lib/zstd/fse_decompress.c | 2 +-
77 grub-core/loader/arm/linux.c | 2 +-
78 grub-core/loader/efi/chainloader.c | 2 +-
79 grub-core/loader/i386/bsdXX.c | 2 +-
80 grub-core/loader/i386/xnu.c | 4 ++--
81 grub-core/loader/macho.c | 2 +-
82 grub-core/loader/multiboot_elfxx.c | 2 +-
83 grub-core/loader/xnu.c | 2 +-
84 grub-core/mmap/mmap.c | 4 ++--
85 grub-core/net/bootp.c | 2 +-
86 grub-core/net/dns.c | 10 +++++-----
87 grub-core/net/net.c | 4 ++--
88 grub-core/normal/charset.c | 10 +++++-----
89 grub-core/normal/cmdline.c | 14 +++++++-------
90 grub-core/normal/menu_entry.c | 14 +++++++-------
91 grub-core/normal/menu_text.c | 4 ++--
92 grub-core/normal/term.c | 4 ++--
93 grub-core/osdep/linux/getroot.c | 6 +++---
94 grub-core/osdep/unix/config.c | 2 +-
95 grub-core/osdep/windows/getroot.c | 2 +-
96 grub-core/osdep/windows/hostdisk.c | 4 ++--
97 grub-core/osdep/windows/init.c | 2 +-
98 grub-core/osdep/windows/platform.c | 4 ++--
99 grub-core/osdep/windows/relpath.c | 2 +-
100 grub-core/partmap/gpt.c | 2 +-
101 grub-core/partmap/msdos.c | 2 +-
102 grub-core/script/execute.c | 2 +-
103 grub-core/tests/fake_input.c | 2 +-
104 grub-core/tests/video_checksum.c | 6 +++---
105 grub-core/video/capture.c | 2 +-
106 grub-core/video/emu/sdl.c | 2 +-
107 grub-core/video/i386/pc/vga.c | 2 +-
108 grub-core/video/readers/png.c | 2 +-
109 include/grub/unicode.h | 4 ++--
110 util/getroot.c | 2 +-
111 util/grub-file.c | 2 +-
112 util/grub-fstest.c | 4 ++--
113 util/grub-install-common.c | 2 +-
114 util/grub-install.c | 4 ++--
115 util/grub-mkimagexx.c | 6 ++----
116 util/grub-mkrescue.c | 4 ++--
117 util/grub-mkstandalone.c | 2 +-
118 util/grub-pe2elf.c | 12 +++++-------
119 util/grub-probe.c | 4 ++--
120 86 files changed, 178 insertions(+), 177 deletions(-)
121
122diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
123index 34a7ff1..a06cce3 100644
124--- a/grub-core/bus/usb/usbhub.c
125+++ b/grub-core/bus/usb/usbhub.c
126@@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
127 grub_usb_set_configuration (dev, 1);
128
129 dev->nports = hubdesc.portcnt;
130- dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
131- dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
132+ dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
133+ dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
134 if (!dev->children || !dev->ports)
135 {
136 grub_free (dev->children);
137@@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d
138
139 /* Query the number of ports the root Hub has. */
140 hub->nports = controller->dev->hubports (controller);
141- hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
142- hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
143+ hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
144+ hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
145 if (!hub->devices || !hub->ports)
146 {
147 grub_free (hub->devices);
148diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c
149index df10302..cd81507 100644
150--- a/grub-core/commands/efi/lsefisystab.c
151+++ b/grub-core/commands/efi/lsefisystab.c
152@@ -71,7 +71,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
153 grub_printf ("Vendor: ");
154
155 for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
156- vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
157+ /* Allocate extra 3 bytes to simplify math. */
158+ vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
159 if (!vendor)
160 return grub_errno;
161 *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,
162diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
163index db7a8f0..5e3ec0d 100644
164--- a/grub-core/commands/legacycfg.c
165+++ b/grub-core/commands/legacycfg.c
166@@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
167 if (argc < 2)
168 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
169
170- cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
171+ cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
172 if (!cutargs)
173 return grub_errno;
174 cutargc = argc - 1;
175@@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
176 {
177 char rbuf[3] = "-r";
178 bsdargc = cutargc + 2;
179- bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
180+ bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
181 if (!bsdargs)
182 {
183 err = grub_errno;
184@@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
185 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
186 "module");
187
188- newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
189+ newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
190 if (!newargs)
191 return grub_errno;
192 grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));
193diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
194index 2c5363d..9164df7 100644
195--- a/grub-core/commands/menuentry.c
196+++ b/grub-core/commands/menuentry.c
197@@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
198 goto fail;
199
200 /* Save argc, args to pass as parameters to block arg later. */
201- menu_args = grub_malloc (sizeof (char*) * (argc + 1));
202+ menu_args = grub_calloc (argc + 1, sizeof (char *));
203 if (! menu_args)
204 goto fail;
205
206diff --git a/grub-core/commands/nativedisk.c b/grub-core/commands/nativedisk.c
207index 699447d..7c8f97f 100644
208--- a/grub-core/commands/nativedisk.c
209+++ b/grub-core/commands/nativedisk.c
210@@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
211 else
212 path_prefix = prefix;
213
214- mods = grub_malloc (argc * sizeof (mods[0]));
215+ mods = grub_calloc (argc, sizeof (mods[0]));
216 if (!mods)
217 return grub_errno;
218
219diff --git a/grub-core/commands/parttool.c b/grub-core/commands/parttool.c
220index 22b46b1..051e313 100644
221--- a/grub-core/commands/parttool.c
222+++ b/grub-core/commands/parttool.c
223@@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
224 for (nargs = 0; args[nargs].name != 0; nargs++);
225 cur->nargs = nargs;
226 cur->args = (struct grub_parttool_argdesc *)
227- grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
228+ grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
229+ if (!cur->args)
230+ {
231+ grub_free (cur);
232+ curhandle--;
233+ return -1;
234+ }
235 grub_memcpy (cur->args, args,
236 (nargs + 1) * sizeof (struct grub_parttool_argdesc));
237
238@@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
239 return err;
240 }
241
242- parsed = (int *) grub_zalloc (argc * sizeof (int));
243+ parsed = (int *) grub_calloc (argc, sizeof (int));
244
245 for (i = 1; i < argc; i++)
246 if (! parsed[i])
247@@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
248 }
249 ptool = cur;
250 pargs = (struct grub_parttool_args *)
251- grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
252+ grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
253 for (j = i; j < argc; j++)
254 if (! parsed[j])
255 {
256diff --git a/grub-core/commands/regexp.c b/grub-core/commands/regexp.c
257index f00b184..4019164 100644
258--- a/grub-core/commands/regexp.c
259+++ b/grub-core/commands/regexp.c
260@@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args)
261 if (ret)
262 goto fail;
263
264- matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1));
265+ matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches));
266 if (! matches)
267 goto fail;
268
269diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
270index d7fd26b..47fc8eb 100644
271--- a/grub-core/commands/search_wrap.c
272+++ b/grub-core/commands/search_wrap.c
273@@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
274 for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++)
275 nhints++;
276
277- hints = grub_malloc (sizeof (hints[0]) * nhints);
278+ hints = grub_calloc (nhints, sizeof (hints[0]));
279 if (!hints)
280 return grub_errno;
281 j = 0;
282diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
283index c3b578a..68ca9e0 100644
284--- a/grub-core/disk/diskfilter.c
285+++ b/grub-core/disk/diskfilter.c
286@@ -1134,7 +1134,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
287 array->lvs->segments->node_count = nmemb;
288 array->lvs->segments->raid_member_size = disk_size;
289 array->lvs->segments->nodes
290- = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0]));
291+ = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
292 array->lvs->segments->stripe_size = stripe_size;
293 for (i = 0; i < nmemb; i++)
294 {
295@@ -1226,7 +1226,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
296 grub_partition_t p;
297 for (p = disk->partition; p; p = p->parent)
298 s++;
299- pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0]));
300+ pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0]));
301 s = 0;
302 for (p = disk->partition; p; p = p->parent)
303 pv->partmaps[s++] = xstrdup (p->partmap->name);
304diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
305index f73257e..03674cb 100644
306--- a/grub-core/disk/ieee1275/ofdisk.c
307+++ b/grub-core/disk/ieee1275/ofdisk.c
308@@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
309 /* Power machines documentation specify 672 as maximum SAS disks in
310 one system. Using a slightly larger value to be safe. */
311 table_size = 768;
312- table = grub_malloc (table_size * sizeof (grub_uint64_t));
313+ table = grub_calloc (table_size, sizeof (grub_uint64_t));
314
315 if (!table)
316 {
317diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
318index 2a22d2d..e632370 100644
319--- a/grub-core/disk/ldm.c
320+++ b/grub-core/disk/ldm.c
321@@ -323,8 +323,8 @@ make_vg (grub_disk_t disk,
322 lv->segments->type = GRUB_DISKFILTER_MIRROR;
323 lv->segments->node_count = 0;
324 lv->segments->node_alloc = 8;
325- lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes)
326- * lv->segments->node_alloc);
327+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
328+ sizeof (*lv->segments->nodes));
329 if (!lv->segments->nodes)
330 goto fail2;
331 ptr = vblk[i].dynamic;
332@@ -543,8 +543,8 @@ make_vg (grub_disk_t disk,
333 {
334 comp->segment_alloc = 8;
335 comp->segment_count = 0;
336- comp->segments = grub_malloc (sizeof (*comp->segments)
337- * comp->segment_alloc);
338+ comp->segments = grub_calloc (comp->segment_alloc,
339+ sizeof (*comp->segments));
340 if (!comp->segments)
341 goto fail2;
342 }
343@@ -590,8 +590,8 @@ make_vg (grub_disk_t disk,
344 }
345 comp->segments->node_count = read_int (ptr + 1, *ptr);
346 comp->segments->node_alloc = comp->segments->node_count;
347- comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes)
348- * comp->segments->node_alloc);
349+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
350+ sizeof (*comp->segments->nodes));
351 if (!lv->segments->nodes)
352 goto fail2;
353 }
354@@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors,
355 *nsectors = lv->size;
356 if (*nsectors > max_nsectors)
357 *nsectors = max_nsectors;
358- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
359+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
360 if (!*sectors)
361 return grub_errno;
362 for (i = 0; i < *nsectors; i++)
363diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
364index 86c50c6..18b3a8b 100644
365--- a/grub-core/disk/luks.c
366+++ b/grub-core/disk/luks.c
367@@ -336,7 +336,7 @@ luks_recover_key (grub_disk_t source,
368 && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
369 max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
370
371- split_key = grub_malloc (keysize * max_stripes);
372+ split_key = grub_calloc (keysize, max_stripes);
373 if (!split_key)
374 return grub_errno;
375
376diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
377index dc6b83b..7b5fbbc 100644
378--- a/grub-core/disk/lvm.c
379+++ b/grub-core/disk/lvm.c
380@@ -209,7 +209,7 @@ grub_lvm_detect (grub_disk_t disk,
381 first one. */
382
383 /* Allocate buffer space for the circular worst-case scenario. */
384- metadatabuf = grub_malloc (2 * mda_size);
385+ metadatabuf = grub_calloc (2, mda_size);
386 if (! metadatabuf)
387 goto fail;
388
389@@ -464,7 +464,7 @@ grub_lvm_detect (grub_disk_t disk,
390 #endif
391 goto lvs_fail;
392 }
393- lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count);
394+ lv->segments = grub_calloc (lv->segment_count, sizeof (*seg));
395 seg = lv->segments;
396
397 for (i = 0; i < lv->segment_count; i++)
398@@ -521,8 +521,8 @@ grub_lvm_detect (grub_disk_t disk,
399 if (seg->node_count != 1)
400 seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
401
402- seg->nodes = grub_zalloc (sizeof (*stripe)
403- * seg->node_count);
404+ seg->nodes = grub_calloc (seg->node_count,
405+ sizeof (*stripe));
406 stripe = seg->nodes;
407
408 p = grub_strstr (p, "stripes = [");
409@@ -898,7 +898,7 @@ grub_lvm_detect (grub_disk_t disk,
410 break;
411 if (lv)
412 {
413- cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
414+ cache->lv->segments = grub_calloc (lv->segment_count, sizeof (*lv->segments));
415 if (!cache->lv->segments)
416 {
417 grub_lvm_free_cache_lvs (cache_lvs);
418@@ -911,7 +911,7 @@ grub_lvm_detect (grub_disk_t disk,
419 struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
420 grub_size_t node_count = lv->segments[i].node_count;
421
422- cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
423+ cache->lv->segments[i].nodes = grub_calloc (node_count, sizeof (*nodes));
424 if (!cache->lv->segments[i].nodes)
425 {
426 for (j = 0; j < i; ++j)
427diff --git a/grub-core/disk/xen/xendisk.c b/grub-core/disk/xen/xendisk.c
428index 48476cb..d6612ee 100644
429--- a/grub-core/disk/xen/xendisk.c
430+++ b/grub-core/disk/xen/xendisk.c
431@@ -426,7 +426,7 @@ grub_xendisk_init (void)
432 if (!ctr)
433 return;
434
435- virtdisks = grub_malloc (ctr * sizeof (virtdisks[0]));
436+ virtdisks = grub_calloc (ctr, sizeof (virtdisks[0]));
437 if (!virtdisks)
438 return;
439 if (grub_xenstore_dir ("device/vbd", fill, &ctr))
440diff --git a/grub-core/efiemu/loadcore.c b/grub-core/efiemu/loadcore.c
441index 44085ef..2b92462 100644
442--- a/grub-core/efiemu/loadcore.c
443+++ b/grub-core/efiemu/loadcore.c
444@@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e)
445
446 grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize;
447 grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *)
448- grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms);
449+ grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym));
450
451 /* Relocators */
452 for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);
453diff --git a/grub-core/efiemu/mm.c b/grub-core/efiemu/mm.c
454index 52a032f..9b8e0d0 100644
455--- a/grub-core/efiemu/mm.c
456+++ b/grub-core/efiemu/mm.c
457@@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void)
458 /* Initialize variables*/
459 grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE);
460 scanline_events = (struct grub_efiemu_mmap_scan *)
461- grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num);
462+ grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2);
463
464 /* Number of chunks can't increase more than by factor of 2 */
465 result = (grub_efi_memory_descriptor_t *)
466- grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num);
467+ grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2);
468 if (!result || !scanline_events)
469 {
470 grub_free (result);
471@@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void)
472
473 /* Preallocate mmap */
474 efiemu_mmap = (grub_efi_memory_descriptor_t *)
475- grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t));
476+ grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t));
477 if (!efiemu_mmap)
478 {
479 grub_efiemu_unload ();
480diff --git a/grub-core/font/font.c b/grub-core/font/font.c
481index 85a2925..8e118b3 100644
482--- a/grub-core/font/font.c
483+++ b/grub-core/font/font.c
484@@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
485 font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE;
486
487 /* Allocate the character index array. */
488- font->char_index = grub_malloc (font->num_chars
489- * sizeof (struct char_index_entry));
490+ font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry));
491 if (!font->char_index)
492 return 1;
493 font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
494diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
495index 6b6a2bc..220b371 100644
496--- a/grub-core/fs/affs.c
497+++ b/grub-core/fs/affs.c
498@@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node)
499 return 0;
500 }
501 latin1[symlink_size] = 0;
502- utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1);
503+ utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size);
504 if (!utf8)
505 {
506 grub_free (latin1);
507@@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
508 return 1;
509 }
510
511- hashtable = grub_zalloc (data->htsize * sizeof (*hashtable));
512+ hashtable = grub_calloc (data->htsize, sizeof (*hashtable));
513 if (!hashtable)
514 return 1;
515
516@@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label)
517 len = file.namelen;
518 if (len > sizeof (file.name))
519 len = sizeof (file.name);
520- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
521+ *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len);
522 if (*label)
523 *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';
524 }
525diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
526index 48bd3d0..11272ef 100644
527--- a/grub-core/fs/btrfs.c
528+++ b/grub-core/fs/btrfs.c
529@@ -413,7 +413,7 @@ lower_bound (struct grub_btrfs_data *data,
530 {
531 desc->allocated = 16;
532 desc->depth = 0;
533- desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated);
534+ desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0]));
535 if (!desc->data)
536 return grub_errno;
537 }
538@@ -752,7 +752,7 @@ raid56_read_retry (struct grub_btrfs_data *data,
539 grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY;
540 grub_uint64_t i, failed_devices;
541
542- buffers = grub_zalloc (sizeof(*buffers) * nstripes);
543+ buffers = grub_calloc (nstripes, sizeof (*buffers));
544 if (!buffers)
545 goto cleanup;
546
547@@ -2160,7 +2160,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)),
548 *nsectors = 64 * 2 - 1;
549 if (*nsectors > max_nsectors)
550 *nsectors = max_nsectors;
551- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
552+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
553 if (!*sectors)
554 return grub_errno;
555 for (i = 0; i < *nsectors; i++)
556diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
557index ac0a409..3fe842b 100644
558--- a/grub-core/fs/hfs.c
559+++ b/grub-core/fs/hfs.c
560@@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label)
561 grub_size_t len = data->sblock.volname[0];
562 if (len > sizeof (data->sblock.volname) - 1)
563 len = sizeof (data->sblock.volname) - 1;
564- *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
565+ *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len);
566 if (*label)
567 macroman_to_utf8 (*label, data->sblock.volname + 1,
568 len + 1, 0);
569diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
570index 54786bb..dae43be 100644
571--- a/grub-core/fs/hfsplus.c
572+++ b/grub-core/fs/hfsplus.c
573@@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg)
574 if (! filename)
575 return 0;
576
577- keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname));
578+ keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname));
579 if (!keyname)
580 {
581 grub_free (filename);
582@@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
583 grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
584
585 label_len = grub_be_to_cpu16 (catkey->namelen);
586- label_name = grub_malloc (label_len * sizeof (*label_name));
587+ label_name = grub_calloc (label_len, sizeof (*label_name));
588 if (!label_name)
589 {
590 grub_free (node);
591@@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
592 }
593 }
594
595- *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1);
596+ *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1);
597 if (! *label)
598 {
599 grub_free (label_name);
600diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
601index 49c0c63..4f1b52a 100644
602--- a/grub-core/fs/iso9660.c
603+++ b/grub-core/fs/iso9660.c
604@@ -331,7 +331,7 @@ grub_iso9660_convert_string (grub_uint8_t *us, int len)
605 int i;
606 grub_uint16_t t[MAX_NAMELEN / 2 + 1];
607
608- p = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
609+ p = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
610 if (! p)
611 return NULL;
612
613diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
614index fc4e1f6..2f34f76 100644
615--- a/grub-core/fs/ntfs.c
616+++ b/grub-core/fs/ntfs.c
617@@ -556,8 +556,8 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
618 grub_uint16_t *tmp;
619 grub_size_t i;
620
621- buf = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
622- tmp = grub_malloc (len * sizeof (tmp[0]));
623+ buf = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
624+ tmp = grub_calloc (len, sizeof (tmp[0]));
625 if (!buf || !tmp)
626 {
627 grub_free (buf);
628diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
629index 50c1fe7..90f7fb3 100644
630--- a/grub-core/fs/sfs.c
631+++ b/grub-core/fs/sfs.c
632@@ -266,7 +266,7 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
633 node->next_extent = node->block;
634 node->cache_size = 0;
635
636- node->cache = grub_malloc (sizeof (node->cache[0]) * cache_size);
637+ node->cache = grub_calloc (cache_size, sizeof (node->cache[0]));
638 if (!node->cache)
639 {
640 grub_errno = 0;
641diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
642index 7d63e0c..c551ed6 100644
643--- a/grub-core/fs/tar.c
644+++ b/grub-core/fs/tar.c
645@@ -120,7 +120,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
646 if (data->linkname_alloc < linksize + 1)
647 {
648 char *n;
649- n = grub_malloc (2 * (linksize + 1));
650+ n = grub_calloc (2, linksize + 1);
651 if (!n)
652 return grub_errno;
653 grub_free (data->linkname);
654diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
655index dc8b6e2..a837616 100644
656--- a/grub-core/fs/udf.c
657+++ b/grub-core/fs/udf.c
658@@ -873,7 +873,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
659 {
660 unsigned i;
661 utf16len = sz - 1;
662- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
663+ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
664 if (!utf16)
665 return NULL;
666 for (i = 0; i < utf16len; i++)
667@@ -883,7 +883,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
668 {
669 unsigned i;
670 utf16len = (sz - 1) / 2;
671- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
672+ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
673 if (!utf16)
674 return NULL;
675 for (i = 0; i < utf16len; i++)
676diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
677index 2f72e42..381dde5 100644
678--- a/grub-core/fs/zfs/zfs.c
679+++ b/grub-core/fs/zfs/zfs.c
680@@ -3325,7 +3325,7 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol,
681 }
682 subvol->nkeys = 0;
683 zap_iterate (&keychain_dn, 8, count_zap_keys, &ctx, data);
684- subvol->keyring = grub_zalloc (subvol->nkeys * sizeof (subvol->keyring[0]));
685+ subvol->keyring = grub_calloc (subvol->nkeys, sizeof (subvol->keyring[0]));
686 if (!subvol->keyring)
687 {
688 grub_free (fsname);
689@@ -4336,7 +4336,7 @@ grub_zfs_embed (grub_device_t device __attribute__ ((unused)),
690 *nsectors = (VDEV_BOOT_SIZE >> GRUB_DISK_SECTOR_BITS);
691 if (*nsectors > max_nsectors)
692 *nsectors = max_nsectors;
693- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
694+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
695 if (!*sectors)
696 return grub_errno;
697 for (i = 0; i < *nsectors; i++)
698diff --git a/grub-core/gfxmenu/gui_string_util.c b/grub-core/gfxmenu/gui_string_util.c
699index a9a415e..ba1e1ea 100644
700--- a/grub-core/gfxmenu/gui_string_util.c
701+++ b/grub-core/gfxmenu/gui_string_util.c
702@@ -55,7 +55,7 @@ canonicalize_path (const char *path)
703 if (*p == '/')
704 components++;
705
706- char **path_array = grub_malloc (components * sizeof (*path_array));
707+ char **path_array = grub_calloc (components, sizeof (*path_array));
708 if (! path_array)
709 return 0;
710
711diff --git a/grub-core/gfxmenu/widget-box.c b/grub-core/gfxmenu/widget-box.c
712index b606028..470597d 100644
713--- a/grub-core/gfxmenu/widget-box.c
714+++ b/grub-core/gfxmenu/widget-box.c
715@@ -303,10 +303,10 @@ grub_gfxmenu_create_box (const char *pixmaps_prefix,
716 box->content_height = 0;
717 box->raw_pixmaps =
718 (struct grub_video_bitmap **)
719- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
720+ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
721 box->scaled_pixmaps =
722 (struct grub_video_bitmap **)
723- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
724+ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
725
726 /* Initialize all pixmap pointers to NULL so that proper destruction can
727 be performed if an error is encountered partway through construction. */
728diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
729index 6208a97..43d98a7 100644
730--- a/grub-core/io/gzio.c
731+++ b/grub-core/io/gzio.c
732@@ -554,7 +554,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
733 z = 1 << j; /* table entries for j-bit table */
734
735 /* allocate and link in new table */
736- q = (struct huft *) grub_zalloc ((z + 1) * sizeof (struct huft));
737+ q = (struct huft *) grub_calloc (z + 1, sizeof (struct huft));
738 if (! q)
739 {
740 if (h)
741diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
742index 6e1ceb9..dc31caa 100644
743--- a/grub-core/kern/efi/efi.c
744+++ b/grub-core/kern/efi/efi.c
745@@ -202,7 +202,7 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid,
746
747 len = grub_strlen (var);
748 len16 = len * GRUB_MAX_UTF16_PER_UTF8;
749- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
750+ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
751 if (!var16)
752 return grub_errno;
753 len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
754@@ -237,7 +237,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
755
756 len = grub_strlen (var);
757 len16 = len * GRUB_MAX_UTF16_PER_UTF8;
758- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
759+ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
760 if (!var16)
761 return NULL;
762 len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
763@@ -383,7 +383,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
764 while (len > 0 && fp->path_name[len - 1] == 0)
765 len--;
766
767- dup_name = grub_malloc (len * sizeof (*dup_name));
768+ dup_name = grub_calloc (len, sizeof (*dup_name));
769 if (!dup_name)
770 {
771 grub_free (name);
772diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c
773index e9ec680..d975265 100644
774--- a/grub-core/kern/emu/hostdisk.c
775+++ b/grub-core/kern/emu/hostdisk.c
776@@ -615,7 +615,7 @@ static char *
777 grub_util_path_concat_real (size_t n, int ext, va_list ap)
778 {
779 size_t totlen = 0;
780- char **l = xmalloc ((n + ext) * sizeof (l[0]));
781+ char **l = xcalloc (n + ext, sizeof (l[0]));
782 char *r, *p, *pi;
783 size_t i;
784 int first = 1;
785diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
786index 2b85f49..f90be65 100644
787--- a/grub-core/kern/fs.c
788+++ b/grub-core/kern/fs.c
789@@ -151,7 +151,7 @@ grub_fs_blocklist_open (grub_file_t file, const char *name)
790 while (p);
791
792 /* Allocate a block list. */
793- blocks = grub_zalloc (sizeof (struct grub_fs_block) * (num + 1));
794+ blocks = grub_calloc (num + 1, sizeof (struct grub_fs_block));
795 if (! blocks)
796 return 0;
797
798diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
799index 3b633d5..a7abd36 100644
800--- a/grub-core/kern/misc.c
801+++ b/grub-core/kern/misc.c
802@@ -690,7 +690,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args,
803 args->ptr = args->prealloc;
804 else
805 {
806- args->ptr = grub_malloc (args->count * sizeof (args->ptr[0]));
807+ args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
808 if (!args->ptr)
809 {
810 grub_errno = GRUB_ERR_NONE;
811diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
812index 78175aa..619db31 100644
813--- a/grub-core/kern/parser.c
814+++ b/grub-core/kern/parser.c
815@@ -213,7 +213,7 @@ grub_parser_split_cmdline (const char *cmdline,
816 return grub_errno;
817 grub_memcpy (args, buffer, bp - buffer);
818
819- *argv = grub_malloc (sizeof (char *) * (*argc + 1));
820+ *argv = grub_calloc (*argc + 1, sizeof (char *));
821 if (!*argv)
822 {
823 grub_free (args);
824diff --git a/grub-core/kern/uboot/uboot.c b/grub-core/kern/uboot/uboot.c
825index be4816f..aac8f9a 100644
826--- a/grub-core/kern/uboot/uboot.c
827+++ b/grub-core/kern/uboot/uboot.c
828@@ -133,7 +133,7 @@ grub_uboot_dev_enum (void)
829 return num_devices;
830
831 max_devices = 2;
832- enum_devices = grub_malloc (sizeof(struct device_info) * max_devices);
833+ enum_devices = grub_calloc (max_devices, sizeof(struct device_info));
834 if (!enum_devices)
835 return 0;
836
837diff --git a/grub-core/lib/libgcrypt/cipher/ac.c b/grub-core/lib/libgcrypt/cipher/ac.c
838index f5e946a..63f6fcd 100644
839--- a/grub-core/lib/libgcrypt/cipher/ac.c
840+++ b/grub-core/lib/libgcrypt/cipher/ac.c
841@@ -185,7 +185,7 @@ ac_data_mpi_copy (gcry_ac_mpi_t *data_mpis, unsigned int data_mpis_n,
842 gcry_mpi_t mpi;
843 char *label;
844
845- data_mpis_new = gcry_malloc (sizeof (*data_mpis_new) * data_mpis_n);
846+ data_mpis_new = gcry_calloc (data_mpis_n, sizeof (*data_mpis_new));
847 if (! data_mpis_new)
848 {
849 err = gcry_error_from_errno (errno);
850@@ -572,7 +572,7 @@ _gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp,
851 }
852
853 /* Add MPI list. */
854- arg_list = gcry_malloc (sizeof (*arg_list) * (data_n + 1));
855+ arg_list = gcry_calloc (data_n + 1, sizeof (*arg_list));
856 if (! arg_list)
857 {
858 err = gcry_error_from_errno (errno);
859@@ -1283,7 +1283,7 @@ ac_data_construct (const char *identifier, int include_flags,
860 /* We build a list of arguments to pass to
861 gcry_sexp_build_array(). */
862 data_length = _gcry_ac_data_length (data);
863- arg_list = gcry_malloc (sizeof (*arg_list) * (data_length * 2));
864+ arg_list = gcry_calloc (data_length, sizeof (*arg_list) * 2);
865 if (! arg_list)
866 {
867 err = gcry_error_from_errno (errno);
868@@ -1593,7 +1593,7 @@ _gcry_ac_key_pair_generate (gcry_ac_handle_t handle, unsigned int nbits,
869 arg_list_n += 2;
870
871 /* Allocate list. */
872- arg_list = gcry_malloc (sizeof (*arg_list) * arg_list_n);
873+ arg_list = gcry_calloc (arg_list_n, sizeof (*arg_list));
874 if (! arg_list)
875 {
876 err = gcry_error_from_errno (errno);
877diff --git a/grub-core/lib/libgcrypt/cipher/primegen.c b/grub-core/lib/libgcrypt/cipher/primegen.c
878index 2788e34..b12e79b 100644
879--- a/grub-core/lib/libgcrypt/cipher/primegen.c
880+++ b/grub-core/lib/libgcrypt/cipher/primegen.c
881@@ -383,7 +383,7 @@ prime_generate_internal (int need_q_factor,
882 }
883
884 /* Allocate an array to track pool usage. */
885- pool_in_use = gcry_malloc (n * sizeof *pool_in_use);
886+ pool_in_use = gcry_calloc (n, sizeof *pool_in_use);
887 if (!pool_in_use)
888 {
889 err = gpg_err_code_from_errno (errno);
890@@ -765,7 +765,7 @@ gen_prime (unsigned int nbits, int secret, int randomlevel,
891 if (nbits < 16)
892 log_fatal ("can't generate a prime with less than %d bits\n", 16);
893
894- mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods );
895+ mods = gcry_xcalloc( no_of_small_prime_numbers, sizeof *mods);
896 /* Make nbits fit into gcry_mpi_t implementation. */
897 val_2 = mpi_alloc_set_ui( 2 );
898 val_3 = mpi_alloc_set_ui( 3);
899diff --git a/grub-core/lib/libgcrypt/cipher/pubkey.c b/grub-core/lib/libgcrypt/cipher/pubkey.c
900index 9109821..ca087ad 100644
901--- a/grub-core/lib/libgcrypt/cipher/pubkey.c
902+++ b/grub-core/lib/libgcrypt/cipher/pubkey.c
903@@ -2941,7 +2941,7 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t s_pkey)
904 * array to a format string, so we have to do it this way :-(. */
905 /* FIXME: There is now such a format specifier, so we can
906 change the code to be more clear. */
907- arg_list = malloc (nelem * sizeof *arg_list);
908+ arg_list = calloc (nelem, sizeof *arg_list);
909 if (!arg_list)
910 {
911 rc = gpg_err_code_from_syserror ();
912@@ -3233,7 +3233,7 @@ gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey)
913 }
914 strcpy (p, "))");
915
916- arg_list = malloc (nelem * sizeof *arg_list);
917+ arg_list = calloc (nelem, sizeof *arg_list);
918 if (!arg_list)
919 {
920 rc = gpg_err_code_from_syserror ();
921diff --git a/grub-core/lib/priority_queue.c b/grub-core/lib/priority_queue.c
922index 659be0b..7d5e7c0 100644
923--- a/grub-core/lib/priority_queue.c
924+++ b/grub-core/lib/priority_queue.c
925@@ -92,7 +92,7 @@ grub_priority_queue_new (grub_size_t elsize,
926 {
927 struct grub_priority_queue *ret;
928 void *els;
929- els = grub_malloc (elsize * 8);
930+ els = grub_calloc (8, elsize);
931 if (!els)
932 return 0;
933 ret = (struct grub_priority_queue *) grub_malloc (sizeof (*ret));
934diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c
935index ee9fa7b..467305b 100644
936--- a/grub-core/lib/reed_solomon.c
937+++ b/grub-core/lib/reed_solomon.c
938@@ -20,6 +20,7 @@
939 #include <stdio.h>
940 #include <string.h>
941 #include <stdlib.h>
942+#define xcalloc calloc
943 #define xmalloc malloc
944 #define grub_memset memset
945 #define grub_memcpy memcpy
946@@ -158,11 +159,9 @@ rs_encode (gf_single_t *data, grub_size_t s, grub_size_t rs)
947 gf_single_t *rs_polynomial;
948 int i, j;
949 gf_single_t *m;
950- m = xmalloc ((s + rs) * sizeof (gf_single_t));
951+ m = xcalloc (s + rs, sizeof (gf_single_t));
952 grub_memcpy (m, data, s * sizeof (gf_single_t));
953- grub_memset (m + s, 0, rs * sizeof (gf_single_t));
954- rs_polynomial = xmalloc ((rs + 1) * sizeof (gf_single_t));
955- grub_memset (rs_polynomial, 0, (rs + 1) * sizeof (gf_single_t));
956+ rs_polynomial = xcalloc (rs + 1, sizeof (gf_single_t));
957 rs_polynomial[rs] = 1;
958 /* Multiply with X - a^r */
959 for (j = 0; j < rs; j++)
960diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
961index ea3ebc7..5847aac 100644
962--- a/grub-core/lib/relocator.c
963+++ b/grub-core/lib/relocator.c
964@@ -495,9 +495,9 @@ malloc_in_range (struct grub_relocator *rel,
965 }
966 #endif
967
968- eventt = grub_malloc (maxevents * sizeof (events[0]));
969+ eventt = grub_calloc (maxevents, sizeof (events[0]));
970 counter = grub_malloc ((DIGITSORT_MASK + 2) * sizeof (counter[0]));
971- events = grub_malloc (maxevents * sizeof (events[0]));
972+ events = grub_calloc (maxevents, sizeof (events[0]));
973 if (!events || !eventt || !counter)
974 {
975 grub_dprintf ("relocator", "events or counter allocation failed %d\n",
976@@ -963,7 +963,7 @@ malloc_in_range (struct grub_relocator *rel,
977 #endif
978 unsigned cural = 0;
979 int oom = 0;
980- res->subchunks = grub_malloc (sizeof (res->subchunks[0]) * nallocs);
981+ res->subchunks = grub_calloc (nallocs, sizeof (res->subchunks[0]));
982 if (!res->subchunks)
983 oom = 1;
984 res->nsubchunks = nallocs;
985@@ -1562,8 +1562,8 @@ grub_relocator_prepare_relocs (struct grub_relocator *rel, grub_addr_t addr,
986 count[(chunk->src & 0xff) + 1]++;
987 }
988 }
989- from = grub_malloc (nchunks * sizeof (sorted[0]));
990- to = grub_malloc (nchunks * sizeof (sorted[0]));
991+ from = grub_calloc (nchunks, sizeof (sorted[0]));
992+ to = grub_calloc (nchunks, sizeof (sorted[0]));
993 if (!from || !to)
994 {
995 grub_free (from);
996diff --git a/grub-core/lib/zstd/fse_decompress.c b/grub-core/lib/zstd/fse_decompress.c
997index 72bbead..2227b84 100644
998--- a/grub-core/lib/zstd/fse_decompress.c
999+++ b/grub-core/lib/zstd/fse_decompress.c
1000@@ -82,7 +82,7 @@
1001 FSE_DTable* FSE_createDTable (unsigned tableLog)
1002 {
1003 if (tableLog > FSE_TABLELOG_ABSOLUTE_MAX) tableLog = FSE_TABLELOG_ABSOLUTE_MAX;
1004- return (FSE_DTable*)malloc( FSE_DTABLE_SIZE_U32(tableLog) * sizeof (U32) );
1005+ return (FSE_DTable*)calloc( FSE_DTABLE_SIZE_U32(tableLog), sizeof (U32) );
1006 }
1007
1008 void FSE_freeDTable (FSE_DTable* dt)
1009diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
1010index 5168491..d70c174 100644
1011--- a/grub-core/loader/arm/linux.c
1012+++ b/grub-core/loader/arm/linux.c
1013@@ -78,7 +78,7 @@ linux_prepare_atag (void *target_atag)
1014
1015 /* some place for cmdline, initrd and terminator. */
1016 tmp_size = get_atag_size (atag_orig) + 20 + (arg_size) / 4;
1017- tmp_atag = grub_malloc (tmp_size * sizeof (grub_uint32_t));
1018+ tmp_atag = grub_calloc (tmp_size, sizeof (grub_uint32_t));
1019 if (!tmp_atag)
1020 return grub_errno;
1021
1022diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
1023index cd92ea3..daf8c6b 100644
1024--- a/grub-core/loader/efi/chainloader.c
1025+++ b/grub-core/loader/efi/chainloader.c
1026@@ -116,7 +116,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
1027 fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE;
1028 fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE;
1029
1030- path_name = grub_malloc (len * GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
1031+ path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
1032 if (!path_name)
1033 return;
1034
1035diff --git a/grub-core/loader/i386/bsdXX.c b/grub-core/loader/i386/bsdXX.c
1036index af6741d..a8d8bf7 100644
1037--- a/grub-core/loader/i386/bsdXX.c
1038+++ b/grub-core/loader/i386/bsdXX.c
1039@@ -48,7 +48,7 @@ read_headers (grub_file_t file, const char *filename, Elf_Ehdr *e, char **shdr)
1040 if (e->e_ident[EI_CLASS] != SUFFIX (ELFCLASS))
1041 return grub_error (GRUB_ERR_BAD_OS, N_("invalid arch-dependent ELF magic"));
1042
1043- *shdr = grub_malloc ((grub_uint32_t) e->e_shnum * e->e_shentsize);
1044+ *shdr = grub_calloc (e->e_shnum, e->e_shentsize);
1045 if (! *shdr)
1046 return grub_errno;
1047
1048diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
1049index e64ed08..b7d176b 100644
1050--- a/grub-core/loader/i386/xnu.c
1051+++ b/grub-core/loader/i386/xnu.c
1052@@ -295,7 +295,7 @@ grub_xnu_devprop_add_property_utf8 (struct grub_xnu_devprop_device_descriptor *d
1053 return grub_errno;
1054
1055 len = grub_strlen (name);
1056- utf16 = grub_malloc (sizeof (grub_uint16_t) * len);
1057+ utf16 = grub_calloc (len, sizeof (grub_uint16_t));
1058 if (!utf16)
1059 {
1060 grub_free (utf8);
1061@@ -331,7 +331,7 @@ grub_xnu_devprop_add_property_utf16 (struct grub_xnu_devprop_device_descriptor *
1062 grub_uint16_t *utf16;
1063 grub_err_t err;
1064
1065- utf16 = grub_malloc (sizeof (grub_uint16_t) * namelen);
1066+ utf16 = grub_calloc (namelen, sizeof (grub_uint16_t));
1067 if (!utf16)
1068 return grub_errno;
1069 grub_memcpy (utf16, name, sizeof (grub_uint16_t) * namelen);
1070diff --git a/grub-core/loader/macho.c b/grub-core/loader/macho.c
1071index 085f9c6..05710c4 100644
1072--- a/grub-core/loader/macho.c
1073+++ b/grub-core/loader/macho.c
1074@@ -97,7 +97,7 @@ grub_macho_file (grub_file_t file, const char *filename, int is_64bit)
1075 if (grub_file_seek (macho->file, sizeof (struct grub_macho_fat_header))
1076 == (grub_off_t) -1)
1077 goto fail;
1078- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
1079+ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
1080 if (!archs)
1081 goto fail;
1082 if (grub_file_read (macho->file, archs,
1083diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
1084index 70cd1db..cc68536 100644
1085--- a/grub-core/loader/multiboot_elfxx.c
1086+++ b/grub-core/loader/multiboot_elfxx.c
1087@@ -217,7 +217,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
1088 {
1089 grub_uint8_t *shdr, *shdrptr;
1090
1091- shdr = grub_malloc ((grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize);
1092+ shdr = grub_calloc (ehdr->e_shnum, ehdr->e_shentsize);
1093 if (!shdr)
1094 return grub_errno;
1095
1096diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
1097index 7f74d1d..77d7060 100644
1098--- a/grub-core/loader/xnu.c
1099+++ b/grub-core/loader/xnu.c
1100@@ -800,7 +800,7 @@ grub_cmd_xnu_mkext (grub_command_t cmd __attribute__ ((unused)),
1101 if (grub_be_to_cpu32 (head.magic) == GRUB_MACHO_FAT_MAGIC)
1102 {
1103 narchs = grub_be_to_cpu32 (head.nfat_arch);
1104- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
1105+ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
1106 if (! archs)
1107 {
1108 grub_file_close (file);
1109diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
1110index 6a31cba..57b4e9a 100644
1111--- a/grub-core/mmap/mmap.c
1112+++ b/grub-core/mmap/mmap.c
1113@@ -143,9 +143,9 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
1114
1115 /* Initialize variables. */
1116 ctx.scanline_events = (struct grub_mmap_scan *)
1117- grub_malloc (sizeof (struct grub_mmap_scan) * 2 * mmap_num);
1118+ grub_calloc (mmap_num, sizeof (struct grub_mmap_scan) * 2);
1119
1120- present = grub_zalloc (sizeof (present[0]) * current_priority);
1121+ present = grub_calloc (current_priority, sizeof (present[0]));
1122
1123 if (! ctx.scanline_events || !present)
1124 {
1125diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
1126index 04cfbb0..6539572 100644
1127--- a/grub-core/net/bootp.c
1128+++ b/grub-core/net/bootp.c
1129@@ -766,7 +766,7 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)),
1130 if (ncards == 0)
1131 return grub_error (GRUB_ERR_NET_NO_CARD, N_("no network card found"));
1132
1133- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
1134+ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
1135 if (!ifaces)
1136 return grub_errno;
1137
1138diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
1139index 5d9afe0..e332d5e 100644
1140--- a/grub-core/net/dns.c
1141+++ b/grub-core/net/dns.c
1142@@ -285,8 +285,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
1143 ptr++;
1144 ptr += 4;
1145 }
1146- *data->addresses = grub_malloc (sizeof ((*data->addresses)[0])
1147- * grub_be_to_cpu16 (head->ancount));
1148+ *data->addresses = grub_calloc (grub_be_to_cpu16 (head->ancount),
1149+ sizeof ((*data->addresses)[0]));
1150 if (!*data->addresses)
1151 {
1152 grub_errno = GRUB_ERR_NONE;
1153@@ -406,8 +406,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
1154 dns_cache[h].addresses = 0;
1155 dns_cache[h].name = grub_strdup (data->oname);
1156 dns_cache[h].naddresses = *data->naddresses;
1157- dns_cache[h].addresses = grub_malloc (*data->naddresses
1158- * sizeof (dns_cache[h].addresses[0]));
1159+ dns_cache[h].addresses = grub_calloc (*data->naddresses,
1160+ sizeof (dns_cache[h].addresses[0]));
1161 dns_cache[h].limit_time = grub_get_time_ms () + 1000 * ttl_all;
1162 if (!dns_cache[h].addresses || !dns_cache[h].name)
1163 {
1164@@ -479,7 +479,7 @@ grub_net_dns_lookup (const char *name,
1165 }
1166 }
1167
1168- sockets = grub_malloc (sizeof (sockets[0]) * n_servers);
1169+ sockets = grub_calloc (n_servers, sizeof (sockets[0]));
1170 if (!sockets)
1171 return grub_errno;
1172
1173diff --git a/grub-core/net/net.c b/grub-core/net/net.c
1174index d5d726a..38f19df 100644
1175--- a/grub-core/net/net.c
1176+++ b/grub-core/net/net.c
1177@@ -333,8 +333,8 @@ grub_cmd_ipv6_autoconf (struct grub_command *cmd __attribute__ ((unused)),
1178 ncards++;
1179 }
1180
1181- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
1182- slaacs = grub_zalloc (ncards * sizeof (slaacs[0]));
1183+ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
1184+ slaacs = grub_calloc (ncards, sizeof (slaacs[0]));
1185 if (!ifaces || !slaacs)
1186 {
1187 grub_free (ifaces);
1188diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
1189index b0ab47d..d57fb72 100644
1190--- a/grub-core/normal/charset.c
1191+++ b/grub-core/normal/charset.c
1192@@ -203,7 +203,7 @@ grub_utf8_to_ucs4_alloc (const char *msg, grub_uint32_t **unicode_msg,
1193 {
1194 grub_size_t msg_len = grub_strlen (msg);
1195
1196- *unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
1197+ *unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
1198
1199 if (!*unicode_msg)
1200 return -1;
1201@@ -488,7 +488,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
1202 }
1203 else
1204 {
1205- n = grub_malloc (sizeof (n[0]) * (out->ncomb + 1));
1206+ n = grub_calloc (out->ncomb + 1, sizeof (n[0]));
1207 if (!n)
1208 {
1209 grub_errno = GRUB_ERR_NONE;
1210@@ -842,7 +842,7 @@ grub_bidi_line_logical_to_visual (const grub_uint32_t *logical,
1211 } \
1212 }
1213
1214- visual = grub_malloc (sizeof (visual[0]) * logical_len);
1215+ visual = grub_calloc (logical_len, sizeof (visual[0]));
1216 if (!visual)
1217 return -1;
1218
1219@@ -1165,8 +1165,8 @@ grub_bidi_logical_to_visual (const grub_uint32_t *logical,
1220 {
1221 const grub_uint32_t *line_start = logical, *ptr;
1222 struct grub_unicode_glyph *visual_ptr;
1223- *visual_out = visual_ptr = grub_malloc (3 * sizeof (visual_ptr[0])
1224- * (logical_len + 2));
1225+ *visual_out = visual_ptr = grub_calloc (logical_len + 2,
1226+ 3 * sizeof (visual_ptr[0]));
1227 if (!visual_ptr)
1228 return -1;
1229 for (ptr = logical; ptr <= logical + logical_len; ptr++)
1230diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
1231index c037d50..c57242e 100644
1232--- a/grub-core/normal/cmdline.c
1233+++ b/grub-core/normal/cmdline.c
1234@@ -41,7 +41,7 @@ grub_err_t
1235 grub_set_history (int newsize)
1236 {
1237 grub_uint32_t **old_hist_lines = hist_lines;
1238- hist_lines = grub_malloc (sizeof (grub_uint32_t *) * newsize);
1239+ hist_lines = grub_calloc (newsize, sizeof (grub_uint32_t *));
1240
1241 /* Copy the old lines into the new buffer. */
1242 if (old_hist_lines)
1243@@ -114,7 +114,7 @@ static void
1244 grub_history_set (int pos, grub_uint32_t *s, grub_size_t len)
1245 {
1246 grub_free (hist_lines[pos]);
1247- hist_lines[pos] = grub_malloc ((len + 1) * sizeof (grub_uint32_t));
1248+ hist_lines[pos] = grub_calloc (len + 1, sizeof (grub_uint32_t));
1249 if (!hist_lines[pos])
1250 {
1251 grub_print_error ();
1252@@ -349,7 +349,7 @@ grub_cmdline_get (const char *prompt_translated)
1253 char *ret;
1254 unsigned nterms;
1255
1256- buf = grub_malloc (max_len * sizeof (grub_uint32_t));
1257+ buf = grub_calloc (max_len, sizeof (grub_uint32_t));
1258 if (!buf)
1259 return 0;
1260
1261@@ -377,7 +377,7 @@ grub_cmdline_get (const char *prompt_translated)
1262 FOR_ACTIVE_TERM_OUTPUTS(cur)
1263 nterms++;
1264
1265- cl_terms = grub_malloc (sizeof (cl_terms[0]) * nterms);
1266+ cl_terms = grub_calloc (nterms, sizeof (cl_terms[0]));
1267 if (!cl_terms)
1268 {
1269 grub_free (buf);
1270@@ -385,7 +385,7 @@ grub_cmdline_get (const char *prompt_translated)
1271 }
1272 cl_term_cur = cl_terms;
1273
1274- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
1275+ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
1276 if (!unicode_msg)
1277 {
1278 grub_free (buf);
1279@@ -495,7 +495,7 @@ grub_cmdline_get (const char *prompt_translated)
1280 grub_uint32_t *insert;
1281
1282 insertlen = grub_strlen (insertu8);
1283- insert = grub_malloc ((insertlen + 1) * sizeof (grub_uint32_t));
1284+ insert = grub_calloc (insertlen + 1, sizeof (grub_uint32_t));
1285 if (!insert)
1286 {
1287 grub_free (insertu8);
1288@@ -602,7 +602,7 @@ grub_cmdline_get (const char *prompt_translated)
1289
1290 grub_free (kill_buf);
1291
1292- kill_buf = grub_malloc ((n + 1) * sizeof(grub_uint32_t));
1293+ kill_buf = grub_calloc (n + 1, sizeof (grub_uint32_t));
1294 if (grub_errno)
1295 {
1296 grub_print_error ();
1297diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
1298index cdf3590..1993995 100644
1299--- a/grub-core/normal/menu_entry.c
1300+++ b/grub-core/normal/menu_entry.c
1301@@ -95,8 +95,8 @@ init_line (struct screen *screen, struct line *linep)
1302 {
1303 linep->len = 0;
1304 linep->max_len = 80;
1305- linep->buf = grub_malloc ((linep->max_len + 1) * sizeof (linep->buf[0]));
1306- linep->pos = grub_zalloc (screen->nterms * sizeof (linep->pos[0]));
1307+ linep->buf = grub_calloc (linep->max_len + 1, sizeof (linep->buf[0]));
1308+ linep->pos = grub_calloc (screen->nterms, sizeof (linep->pos[0]));
1309 if (! linep->buf || !linep->pos)
1310 {
1311 grub_free (linep->buf);
1312@@ -287,7 +287,7 @@ update_screen (struct screen *screen, struct per_term_screen *term_screen,
1313 pos = linep->pos + (term_screen - screen->terms);
1314
1315 if (!*pos)
1316- *pos = grub_zalloc ((linep->len + 1) * sizeof (**pos));
1317+ *pos = grub_calloc (linep->len + 1, sizeof (**pos));
1318
1319 if (i == region_start || linep == screen->lines + screen->line
1320 || (i > region_start && mode == ALL_LINES))
1321@@ -471,7 +471,7 @@ insert_string (struct screen *screen, const char *s, int update)
1322
1323 /* Insert the string. */
1324 current_linep = screen->lines + screen->line;
1325- unicode_msg = grub_malloc ((p - s) * sizeof (grub_uint32_t));
1326+ unicode_msg = grub_calloc (p - s, sizeof (grub_uint32_t));
1327
1328 if (!unicode_msg)
1329 return 0;
1330@@ -1023,7 +1023,7 @@ complete (struct screen *screen, int continuous, int update)
1331 if (completion_buffer.buf)
1332 {
1333 buflen = grub_strlen (completion_buffer.buf);
1334- ucs4 = grub_malloc (sizeof (grub_uint32_t) * (buflen + 1));
1335+ ucs4 = grub_calloc (buflen + 1, sizeof (grub_uint32_t));
1336
1337 if (!ucs4)
1338 {
1339@@ -1268,7 +1268,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
1340 for (i = 0; i < (unsigned) screen->num_lines; i++)
1341 {
1342 grub_free (screen->lines[i].pos);
1343- screen->lines[i].pos = grub_zalloc (screen->nterms * sizeof (screen->lines[i].pos[0]));
1344+ screen->lines[i].pos = grub_calloc (screen->nterms, sizeof (screen->lines[i].pos[0]));
1345 if (! screen->lines[i].pos)
1346 {
1347 grub_print_error ();
1348@@ -1278,7 +1278,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
1349 }
1350 }
1351
1352- screen->terms = grub_zalloc (screen->nterms * sizeof (screen->terms[0]));
1353+ screen->terms = grub_calloc (screen->nterms, sizeof (screen->terms[0]));
1354 if (!screen->terms)
1355 {
1356 grub_print_error ();
1357diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
1358index e22bb91..18240e7 100644
1359--- a/grub-core/normal/menu_text.c
1360+++ b/grub-core/normal/menu_text.c
1361@@ -78,7 +78,7 @@ grub_print_message_indented_real (const char *msg, int margin_left,
1362 grub_size_t msg_len = grub_strlen (msg) + 2;
1363 int ret = 0;
1364
1365- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
1366+ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
1367
1368 if (!unicode_msg)
1369 return 0;
1370@@ -211,7 +211,7 @@ print_entry (int y, int highlight, grub_menu_entry_t entry,
1371
1372 title = entry ? entry->title : "";
1373 title_len = grub_strlen (title);
1374- unicode_title = grub_malloc (title_len * sizeof (*unicode_title));
1375+ unicode_title = grub_calloc (title_len, sizeof (*unicode_title));
1376 if (! unicode_title)
1377 /* XXX How to show this error? */
1378 return;
1379diff --git a/grub-core/normal/term.c b/grub-core/normal/term.c
1380index a1e5c5a..cc8c173 100644
1381--- a/grub-core/normal/term.c
1382+++ b/grub-core/normal/term.c
1383@@ -264,7 +264,7 @@ grub_term_save_pos (void)
1384 FOR_ACTIVE_TERM_OUTPUTS(cur)
1385 cnt++;
1386
1387- ret = grub_malloc (cnt * sizeof (ret[0]));
1388+ ret = grub_calloc (cnt, sizeof (ret[0]));
1389 if (!ret)
1390 return NULL;
1391
1392@@ -1013,7 +1013,7 @@ grub_xnputs (const char *str, grub_size_t msg_len)
1393
1394 grub_error_push ();
1395
1396- unicode_str = grub_malloc (msg_len * sizeof (grub_uint32_t));
1397+ unicode_str = grub_calloc (msg_len, sizeof (grub_uint32_t));
1398
1399 grub_error_pop ();
1400
1401diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c
1402index 90d92d3..5b41ad0 100644
1403--- a/grub-core/osdep/linux/getroot.c
1404+++ b/grub-core/osdep/linux/getroot.c
1405@@ -168,7 +168,7 @@ grub_util_raid_getmembers (const char *name, int bootable)
1406 if (ret != 0)
1407 grub_util_error (_("ioctl GET_ARRAY_INFO error: %s"), strerror (errno));
1408
1409- devicelist = xmalloc ((info.nr_disks + 1) * sizeof (char *));
1410+ devicelist = xcalloc (info.nr_disks + 1, sizeof (char *));
1411
1412 for (i = 0, j = 0; j < info.nr_disks; i++)
1413 {
1414@@ -241,7 +241,7 @@ grub_find_root_devices_from_btrfs (const char *dir)
1415 return NULL;
1416 }
1417
1418- ret = xmalloc ((fsi.num_devices + 1) * sizeof (ret[0]));
1419+ ret = xcalloc (fsi.num_devices + 1, sizeof (ret[0]));
1420
1421 for (i = 1; i <= fsi.max_id && j < fsi.num_devices; i++)
1422 {
1423@@ -396,7 +396,7 @@ grub_find_root_devices_from_mountinfo (const char *dir, char **relroot)
1424 if (relroot)
1425 *relroot = NULL;
1426
1427- entries = xmalloc (entry_max * sizeof (*entries));
1428+ entries = xcalloc (entry_max, sizeof (*entries));
1429
1430 again:
1431 fp = grub_util_fopen ("/proc/self/mountinfo", "r");
1432diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c
1433index 65effa9..7d63251 100644
1434--- a/grub-core/osdep/unix/config.c
1435+++ b/grub-core/osdep/unix/config.c
1436@@ -89,7 +89,7 @@ grub_util_load_config (struct grub_util_config *cfg)
1437 argv[0] = "sh";
1438 argv[1] = "-c";
1439
1440- script = xmalloc (4 * strlen (cfgfile) + 300);
1441+ script = xcalloc (4, strlen (cfgfile) + 300);
1442
1443 ptr = script;
1444 memcpy (ptr, ". '", 3);
1445diff --git a/grub-core/osdep/windows/getroot.c b/grub-core/osdep/windows/getroot.c
1446index 661d954..eada663 100644
1447--- a/grub-core/osdep/windows/getroot.c
1448+++ b/grub-core/osdep/windows/getroot.c
1449@@ -59,7 +59,7 @@ grub_get_mount_point (const TCHAR *path)
1450
1451 for (ptr = path; *ptr; ptr++);
1452 allocsize = (ptr - path + 10) * 2;
1453- out = xmalloc (allocsize * sizeof (out[0]));
1454+ out = xcalloc (allocsize, sizeof (out[0]));
1455
1456 /* When pointing to EFI system partition GetVolumePathName fails
1457 for ESP root and returns abberant information for everything
1458diff --git a/grub-core/osdep/windows/hostdisk.c b/grub-core/osdep/windows/hostdisk.c
1459index 3551007..0be3273 100644
1460--- a/grub-core/osdep/windows/hostdisk.c
1461+++ b/grub-core/osdep/windows/hostdisk.c
1462@@ -111,7 +111,7 @@ grub_util_get_windows_path_real (const char *path)
1463
1464 while (1)
1465 {
1466- fpa = xmalloc (alloc * sizeof (fpa[0]));
1467+ fpa = xcalloc (alloc, sizeof (fpa[0]));
1468
1469 len = GetFullPathName (tpath, alloc, fpa, NULL);
1470 if (len >= alloc)
1471@@ -399,7 +399,7 @@ grub_util_fd_opendir (const char *name)
1472 for (l = 0; name_windows[l]; l++);
1473 for (l--; l >= 0 && (name_windows[l] == '\\' || name_windows[l] == '/'); l--);
1474 l++;
1475- pattern = xmalloc ((l + 3) * sizeof (pattern[0]));
1476+ pattern = xcalloc (l + 3, sizeof (pattern[0]));
1477 memcpy (pattern, name_windows, l * sizeof (pattern[0]));
1478 pattern[l] = '\\';
1479 pattern[l + 1] = '*';
1480diff --git a/grub-core/osdep/windows/init.c b/grub-core/osdep/windows/init.c
1481index e8ffd62..6297de6 100644
1482--- a/grub-core/osdep/windows/init.c
1483+++ b/grub-core/osdep/windows/init.c
1484@@ -161,7 +161,7 @@ grub_util_host_init (int *argc __attribute__ ((unused)),
1485 LPWSTR *targv;
1486
1487 targv = CommandLineToArgvW (tcmdline, argc);
1488- *argv = xmalloc ((*argc + 1) * sizeof (argv[0]));
1489+ *argv = xcalloc (*argc + 1, sizeof (argv[0]));
1490
1491 for (i = 0; i < *argc; i++)
1492 (*argv)[i] = grub_util_tchar_to_utf8 (targv[i]);
1493diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c
1494index 7eb53fe..1ef86bf 100644
1495--- a/grub-core/osdep/windows/platform.c
1496+++ b/grub-core/osdep/windows/platform.c
1497@@ -225,8 +225,8 @@ grub_install_register_efi (grub_device_t efidir_grub_dev,
1498 grub_util_error ("%s", _("no EFI routines are available when running in BIOS mode"));
1499
1500 distrib8_len = grub_strlen (efi_distributor);
1501- distributor16 = xmalloc ((distrib8_len + 1) * GRUB_MAX_UTF16_PER_UTF8
1502- * sizeof (grub_uint16_t));
1503+ distributor16 = xcalloc (distrib8_len + 1,
1504+ GRUB_MAX_UTF16_PER_UTF8 * sizeof (grub_uint16_t));
1505 distrib16_len = grub_utf8_to_utf16 (distributor16, distrib8_len * GRUB_MAX_UTF16_PER_UTF8,
1506 (const grub_uint8_t *) efi_distributor,
1507 distrib8_len, 0);
1508diff --git a/grub-core/osdep/windows/relpath.c b/grub-core/osdep/windows/relpath.c
1509index cb08617..478e8ef 100644
1510--- a/grub-core/osdep/windows/relpath.c
1511+++ b/grub-core/osdep/windows/relpath.c
1512@@ -72,7 +72,7 @@ grub_make_system_path_relative_to_its_root (const char *path)
1513 if (dirwindows[0] && dirwindows[1] == ':')
1514 offset = 2;
1515 }
1516- ret = xmalloc (sizeof (ret[0]) * (flen - offset + 2));
1517+ ret = xcalloc (flen - offset + 2, sizeof (ret[0]));
1518 if (dirwindows[offset] != '\\'
1519 && dirwindows[offset] != '/'
1520 && dirwindows[offset])
1521diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c
1522index 103f679..72a2e37 100644
1523--- a/grub-core/partmap/gpt.c
1524+++ b/grub-core/partmap/gpt.c
1525@@ -199,7 +199,7 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
1526 *nsectors = ctx.len;
1527 if (*nsectors > max_nsectors)
1528 *nsectors = max_nsectors;
1529- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
1530+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
1531 if (!*sectors)
1532 return grub_errno;
1533 for (i = 0; i < *nsectors; i++)
1534diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c
1535index 7b8e450..ee3f249 100644
1536--- a/grub-core/partmap/msdos.c
1537+++ b/grub-core/partmap/msdos.c
1538@@ -337,7 +337,7 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
1539 avail_nsectors = *nsectors;
1540 if (*nsectors > max_nsectors)
1541 *nsectors = max_nsectors;
1542- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
1543+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
1544 if (!*sectors)
1545 return grub_errno;
1546 for (i = 0; i < *nsectors; i++)
1547diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
1548index ee299fd..c8d6806 100644
1549--- a/grub-core/script/execute.c
1550+++ b/grub-core/script/execute.c
1551@@ -553,7 +553,7 @@ gettext_append (struct grub_script_argv *result, const char *orig_str)
1552 for (iptr = orig_str; *iptr; iptr++)
1553 if (*iptr == '$')
1554 dollar_cnt++;
1555- ctx.allowed_strings = grub_malloc (sizeof (ctx.allowed_strings[0]) * dollar_cnt);
1556+ ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0]));
1557
1558 if (parse_string (orig_str, gettext_save_allow, &ctx, 0))
1559 goto fail;
1560diff --git a/grub-core/tests/fake_input.c b/grub-core/tests/fake_input.c
1561index 2d60852..b5eb516 100644
1562--- a/grub-core/tests/fake_input.c
1563+++ b/grub-core/tests/fake_input.c
1564@@ -49,7 +49,7 @@ grub_terminal_input_fake_sequence (int *seq_in, int nseq_in)
1565 saved = grub_term_inputs;
1566 if (seq)
1567 grub_free (seq);
1568- seq = grub_malloc (nseq_in * sizeof (seq[0]));
1569+ seq = grub_calloc (nseq_in, sizeof (seq[0]));
1570 if (!seq)
1571 return;
1572
1573diff --git a/grub-core/tests/video_checksum.c b/grub-core/tests/video_checksum.c
1574index 74d5b65..44d0810 100644
1575--- a/grub-core/tests/video_checksum.c
1576+++ b/grub-core/tests/video_checksum.c
1577@@ -336,7 +336,7 @@ grub_video_capture_write_bmp (const char *fname,
1578 {
1579 case 4:
1580 {
1581- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
1582+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
1583 grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
1584 grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
1585 grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
1586@@ -367,7 +367,7 @@ grub_video_capture_write_bmp (const char *fname,
1587 }
1588 case 3:
1589 {
1590- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
1591+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
1592 grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
1593 grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
1594 grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
1595@@ -407,7 +407,7 @@ grub_video_capture_write_bmp (const char *fname,
1596 }
1597 case 2:
1598 {
1599- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
1600+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
1601 grub_uint16_t rmask = ((1 << mode_info->red_mask_size) - 1);
1602 grub_uint16_t gmask = ((1 << mode_info->green_mask_size) - 1);
1603 grub_uint16_t bmask = ((1 << mode_info->blue_mask_size) - 1);
1604diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c
1605index 4f83c74..4d3195e 100644
1606--- a/grub-core/video/capture.c
1607+++ b/grub-core/video/capture.c
1608@@ -89,7 +89,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info,
1609 framebuffer.mode_info = *mode_info;
1610 framebuffer.mode_info.blit_format = grub_video_get_blit_format (&framebuffer.mode_info);
1611
1612- framebuffer.ptr = grub_malloc (framebuffer.mode_info.height * framebuffer.mode_info.pitch);
1613+ framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch);
1614 if (!framebuffer.ptr)
1615 return grub_errno;
1616
1617diff --git a/grub-core/video/emu/sdl.c b/grub-core/video/emu/sdl.c
1618index a2f639f..0ebab6f 100644
1619--- a/grub-core/video/emu/sdl.c
1620+++ b/grub-core/video/emu/sdl.c
1621@@ -172,7 +172,7 @@ grub_video_sdl_set_palette (unsigned int start, unsigned int count,
1622 if (start + count > mode_info.number_of_colors)
1623 count = mode_info.number_of_colors - start;
1624
1625- tmp = grub_malloc (count * sizeof (tmp[0]));
1626+ tmp = grub_calloc (count, sizeof (tmp[0]));
1627 for (i = 0; i < count; i++)
1628 {
1629 tmp[i].r = palette_data[i].r;
1630diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c
1631index 01f4711..b2f776c 100644
1632--- a/grub-core/video/i386/pc/vga.c
1633+++ b/grub-core/video/i386/pc/vga.c
1634@@ -127,7 +127,7 @@ grub_video_vga_setup (unsigned int width, unsigned int height,
1635
1636 vga_height = height ? : 480;
1637
1638- framebuffer.temporary_buffer = grub_malloc (vga_height * VGA_WIDTH);
1639+ framebuffer.temporary_buffer = grub_calloc (vga_height, VGA_WIDTH);
1640 framebuffer.front_page = 0;
1641 framebuffer.back_page = 0;
1642 if (!framebuffer.temporary_buffer)
1643diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
1644index 777e713..61bd645 100644
1645--- a/grub-core/video/readers/png.c
1646+++ b/grub-core/video/readers/png.c
1647@@ -309,7 +309,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
1648 if (data->is_16bit || data->is_gray || data->is_palette)
1649 #endif
1650 {
1651- data->image_data = grub_malloc (data->image_height * data->row_bytes);
1652+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
1653 if (grub_errno)
1654 return grub_errno;
1655
1656diff --git a/include/grub/unicode.h b/include/grub/unicode.h
1657index a0403e9..4de986a 100644
1658--- a/include/grub/unicode.h
1659+++ b/include/grub/unicode.h
1660@@ -293,7 +293,7 @@ grub_unicode_glyph_dup (const struct grub_unicode_glyph *in)
1661 grub_memcpy (out, in, sizeof (*in));
1662 if (in->ncomb > ARRAY_SIZE (out->combining_inline))
1663 {
1664- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
1665+ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
1666 if (!out->combining_ptr)
1667 {
1668 grub_free (out);
1669@@ -315,7 +315,7 @@ grub_unicode_set_glyph (struct grub_unicode_glyph *out,
1670 grub_memcpy (out, in, sizeof (*in));
1671 if (in->ncomb > ARRAY_SIZE (out->combining_inline))
1672 {
1673- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
1674+ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
1675 if (!out->combining_ptr)
1676 return;
1677 grub_memcpy (out->combining_ptr, in->combining_ptr,
1678diff --git a/util/getroot.c b/util/getroot.c
1679index 847406f..a5eaa64 100644
1680--- a/util/getroot.c
1681+++ b/util/getroot.c
1682@@ -200,7 +200,7 @@ make_device_name (const char *drive)
1683 char *ret, *ptr;
1684 const char *iptr;
1685
1686- ret = xmalloc (strlen (drive) * 2);
1687+ ret = xcalloc (2, strlen (drive));
1688 ptr = ret;
1689 for (iptr = drive; *iptr; iptr++)
1690 {
1691diff --git a/util/grub-file.c b/util/grub-file.c
1692index 50c18b6..b2e7dd6 100644
1693--- a/util/grub-file.c
1694+++ b/util/grub-file.c
1695@@ -54,7 +54,7 @@ main (int argc, char *argv[])
1696
1697 grub_util_host_init (&argc, &argv);
1698
1699- argv2 = xmalloc (argc * sizeof (argv2[0]));
1700+ argv2 = xcalloc (argc, sizeof (argv2[0]));
1701
1702 if (argc == 2 && strcmp (argv[1], "--version") == 0)
1703 {
1704diff --git a/util/grub-fstest.c b/util/grub-fstest.c
1705index f14e02d..57246af 100644
1706--- a/util/grub-fstest.c
1707+++ b/util/grub-fstest.c
1708@@ -650,7 +650,7 @@ argp_parser (int key, char *arg, struct argp_state *state)
1709 if (args_count < num_disks)
1710 {
1711 if (args_count == 0)
1712- images = xmalloc (num_disks * sizeof (images[0]));
1713+ images = xcalloc (num_disks, sizeof (images[0]));
1714 images[args_count] = grub_canonicalize_file_name (arg);
1715 args_count++;
1716 return 0;
1717@@ -734,7 +734,7 @@ main (int argc, char *argv[])
1718
1719 grub_util_host_init (&argc, &argv);
1720
1721- args = xmalloc (argc * sizeof (args[0]));
1722+ args = xcalloc (argc, sizeof (args[0]));
1723
1724 argp_parse (&argp, argc, argv, 0, 0, 0);
1725
1726diff --git a/util/grub-install-common.c b/util/grub-install-common.c
1727index ca0ac61..0295d40 100644
1728--- a/util/grub-install-common.c
1729+++ b/util/grub-install-common.c
1730@@ -286,7 +286,7 @@ handle_install_list (struct install_list *il, const char *val,
1731 il->n_entries++;
1732 }
1733 il->n_alloc = il->n_entries + 1;
1734- il->entries = xmalloc (il->n_alloc * sizeof (il->entries[0]));
1735+ il->entries = xcalloc (il->n_alloc, sizeof (il->entries[0]));
1736 ptr = val;
1737 for (ce = il->entries; ; ce++)
1738 {
1739diff --git a/util/grub-install.c b/util/grub-install.c
1740index 8a55ad4..a82725f 100644
1741--- a/util/grub-install.c
1742+++ b/util/grub-install.c
1743@@ -626,7 +626,7 @@ device_map_check_duplicates (const char *dev_map)
1744 if (! fp)
1745 return;
1746
1747- d = xmalloc (alloced * sizeof (d[0]));
1748+ d = xcalloc (alloced, sizeof (d[0]));
1749
1750 while (fgets (buf, sizeof (buf), fp))
1751 {
1752@@ -1260,7 +1260,7 @@ main (int argc, char *argv[])
1753 ndev++;
1754 }
1755
1756- grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1));
1757+ grub_drives = xcalloc (ndev + 1, sizeof (grub_drives[0]));
1758
1759 for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++,
1760 curdrive++)
1761diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
1762index bc087c2..d97d0e7 100644
1763--- a/util/grub-mkimagexx.c
1764+++ b/util/grub-mkimagexx.c
1765@@ -2294,10 +2294,8 @@ SUFFIX (grub_mkimage_load_image) (const char *kernel_path,
1766 + grub_host_to_target16 (e->e_shstrndx) * smd.section_entsize);
1767 smd.strtab = (char *) e + grub_host_to_target_addr (s->sh_offset);
1768
1769- smd.addrs = xmalloc (sizeof (*smd.addrs) * smd.num_sections);
1770- memset (smd.addrs, 0, sizeof (*smd.addrs) * smd.num_sections);
1771- smd.vaddrs = xmalloc (sizeof (*smd.vaddrs) * smd.num_sections);
1772- memset (smd.vaddrs, 0, sizeof (*smd.vaddrs) * smd.num_sections);
1773+ smd.addrs = xcalloc (smd.num_sections, sizeof (*smd.addrs));
1774+ smd.vaddrs = xcalloc (smd.num_sections, sizeof (*smd.vaddrs));
1775
1776 SUFFIX (locate_sections) (e, kernel_path, &smd, layout, image_target);
1777
1778diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
1779index ce2cbc4..5183102 100644
1780--- a/util/grub-mkrescue.c
1781+++ b/util/grub-mkrescue.c
1782@@ -441,8 +441,8 @@ main (int argc, char *argv[])
1783 xorriso = xstrdup ("xorriso");
1784 label_font = grub_util_path_concat (2, pkgdatadir, "unicode.pf2");
1785
1786- argp_argv = xmalloc (sizeof (argp_argv[0]) * argc);
1787- xorriso_tail_argv = xmalloc (sizeof (argp_argv[0]) * argc);
1788+ argp_argv = xcalloc (argc, sizeof (argp_argv[0]));
1789+ xorriso_tail_argv = xcalloc (argc, sizeof (argp_argv[0]));
1790
1791 xorriso_tail_argc = 0;
1792 /* Program name */
1793diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c
1794index 4907d44..edf3097 100644
1795--- a/util/grub-mkstandalone.c
1796+++ b/util/grub-mkstandalone.c
1797@@ -296,7 +296,7 @@ main (int argc, char *argv[])
1798 grub_util_host_init (&argc, &argv);
1799 grub_util_disable_fd_syncs ();
1800
1801- files = xmalloc ((argc + 1) * sizeof (files[0]));
1802+ files = xcalloc (argc + 1, sizeof (files[0]));
1803
1804 argp_parse (&argp, argc, argv, 0, 0, 0);
1805
1806diff --git a/util/grub-pe2elf.c b/util/grub-pe2elf.c
1807index 0d4084a..1133129 100644
1808--- a/util/grub-pe2elf.c
1809+++ b/util/grub-pe2elf.c
1810@@ -100,9 +100,9 @@ write_section_data (FILE* fp, const char *name, char *image,
1811 char *pe_strtab = (image + pe_chdr->symtab_offset
1812 + pe_chdr->num_symbols * sizeof (struct grub_pe32_symbol));
1813
1814- section_map = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (int));
1815+ section_map = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (int));
1816 section_map[0] = 0;
1817- shdr = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (shdr[0]));
1818+ shdr = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (shdr[0]));
1819 idx = 1;
1820 idx_reloc = pe_chdr->num_sections + 1;
1821
1822@@ -233,7 +233,7 @@ write_reloc_section (FILE* fp, const char *name, char *image,
1823
1824 pe_sec = pe_shdr + shdr[i].sh_link;
1825 pe_rel = (struct grub_pe32_reloc *) (image + pe_sec->relocations_offset);
1826- rel = (elf_reloc_t *) xmalloc (pe_sec->num_relocations * sizeof (elf_reloc_t));
1827+ rel = (elf_reloc_t *) xcalloc (pe_sec->num_relocations, sizeof (elf_reloc_t));
1828 num_rels = 0;
1829 modified = 0;
1830
1831@@ -365,12 +365,10 @@ write_symbol_table (FILE* fp, const char *name, char *image,
1832 pe_symtab = (struct grub_pe32_symbol *) (image + pe_chdr->symtab_offset);
1833 pe_strtab = (char *) (pe_symtab + pe_chdr->num_symbols);
1834
1835- symtab = (Elf_Sym *) xmalloc ((pe_chdr->num_symbols + 1) *
1836- sizeof (Elf_Sym));
1837- memset (symtab, 0, (pe_chdr->num_symbols + 1) * sizeof (Elf_Sym));
1838+ symtab = (Elf_Sym *) xcalloc (pe_chdr->num_symbols + 1, sizeof (Elf_Sym));
1839 num_syms = 1;
1840
1841- symtab_map = (int *) xmalloc (pe_chdr->num_symbols * sizeof (int));
1842+ symtab_map = (int *) xcalloc (pe_chdr->num_symbols, sizeof (int));
1843
1844 for (i = 0; i < (int) pe_chdr->num_symbols;
1845 i += pe_symtab->num_aux + 1, pe_symtab += pe_symtab->num_aux + 1)
1846diff --git a/util/grub-probe.c b/util/grub-probe.c
1847index 81d27ee..cbe6ed9 100644
1848--- a/util/grub-probe.c
1849+++ b/util/grub-probe.c
1850@@ -361,8 +361,8 @@ probe (const char *path, char **device_names, char delim)
1851 grub_util_pull_device (*curdev);
1852 ndev++;
1853 }
1854-
1855- drives_names = xmalloc (sizeof (drives_names[0]) * (ndev + 1));
1856+
1857+ drives_names = xcalloc (ndev + 1, sizeof (drives_names[0]));
1858
1859 for (curdev = device_names, curdrive = drives_names; *curdev; curdev++,
1860 curdrive++)
1861--
18622.14.4
1863
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
deleted file mode 100644
index 7214ead9a7..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
+++ /dev/null
@@ -1,1330 +0,0 @@
1From eb77d1ef65e25746acff43545f62a71360b15eec Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 12:28:27 -0400
4Subject: [PATCH 6/9] malloc: Use overflow checking primitives where we do
5 complex allocations
6
7This attempts to fix the places where we do the following where
8arithmetic_expr may include unvalidated data:
9
10 X = grub_malloc(arithmetic_expr);
11
12It accomplishes this by doing the arithmetic ahead of time using grub_add(),
13grub_sub(), grub_mul() and testing for overflow before proceeding.
14
15Among other issues, this fixes:
16 - allocation of integer overflow in grub_video_bitmap_create()
17 reported by Chris Coulson,
18 - allocation of integer overflow in grub_png_decode_image_header()
19 reported by Chris Coulson,
20 - allocation of integer overflow in grub_squash_read_symlink()
21 reported by Chris Coulson,
22 - allocation of integer overflow in grub_ext2_read_symlink()
23 reported by Chris Coulson,
24 - allocation of integer overflow in read_section_as_string()
25 reported by Chris Coulson.
26
27Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
28
29Signed-off-by: Peter Jones <pjones@redhat.com>
30Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
31
32Upstream-Status: Backport
33CVE: CVE-2020-14309 CVE-2020-14310 CVE-2020-14311
34
35Reference to upstream patch:
36https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f05d693d1274965ffbe4ba99080dc2c570944c6
37
38Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
39---
40 grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
41 grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
42 grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
43 grub-core/font/font.c | 7 +++++-
44 grub-core/fs/btrfs.c | 28 +++++++++++++++--------
45 grub-core/fs/ext2.c | 10 ++++++++-
46 grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
47 grub-core/fs/sfs.c | 27 +++++++++++++++++-----
48 grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
49 grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
50 grub-core/fs/xfs.c | 11 +++++----
51 grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
52 grub-core/fs/zfs/zfscrypt.c | 7 +++++-
53 grub-core/lib/arg.c | 20 +++++++++++++++--
54 grub-core/loader/i386/bsd.c | 8 ++++++-
55 grub-core/net/dns.c | 9 +++++++-
56 grub-core/normal/charset.c | 10 +++++++--
57 grub-core/normal/cmdline.c | 14 ++++++++++--
58 grub-core/normal/menu_entry.c | 13 +++++++++--
59 grub-core/script/argv.c | 16 +++++++++++--
60 grub-core/script/lexer.c | 21 ++++++++++++++---
61 grub-core/video/bitmap.c | 25 +++++++++++++--------
62 grub-core/video/readers/png.c | 13 +++++++++--
63 23 files changed, 382 insertions(+), 113 deletions(-)
64
65diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
66index 5e3ec0d..cc5971f 100644
67--- a/grub-core/commands/legacycfg.c
68+++ b/grub-core/commands/legacycfg.c
69@@ -32,6 +32,7 @@
70 #include <grub/auth.h>
71 #include <grub/disk.h>
72 #include <grub/partition.h>
73+#include <grub/safemath.h>
74
75 GRUB_MOD_LICENSE ("GPLv3+");
76
77@@ -104,13 +105,22 @@ legacy_file (const char *filename)
78 if (newsuffix)
79 {
80 char *t;
81-
82+ grub_size_t sz;
83+
84+ if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
85+ grub_add (sz, 1, &sz))
86+ {
87+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
88+ goto fail_0;
89+ }
90+
91 t = suffix;
92- suffix = grub_realloc (suffix, grub_strlen (suffix)
93- + grub_strlen (newsuffix) + 1);
94+ suffix = grub_realloc (suffix, sz);
95 if (!suffix)
96 {
97 grub_free (t);
98+
99+ fail_0:
100 grub_free (entrysrc);
101 grub_free (parsed);
102 grub_free (newsuffix);
103@@ -154,13 +164,22 @@ legacy_file (const char *filename)
104 else
105 {
106 char *t;
107+ grub_size_t sz;
108+
109+ if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
110+ grub_add (sz, 1, &sz))
111+ {
112+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
113+ goto fail_1;
114+ }
115
116 t = entrysrc;
117- entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
118- + grub_strlen (parsed) + 1);
119+ entrysrc = grub_realloc (entrysrc, sz);
120 if (!entrysrc)
121 {
122 grub_free (t);
123+
124+ fail_1:
125 grub_free (parsed);
126 grub_free (suffix);
127 return grub_errno;
128diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
129index 4a106ca..cc32903 100644
130--- a/grub-core/commands/wildcard.c
131+++ b/grub-core/commands/wildcard.c
132@@ -23,6 +23,7 @@
133 #include <grub/file.h>
134 #include <grub/device.h>
135 #include <grub/script_sh.h>
136+#include <grub/safemath.h>
137
138 #include <regex.h>
139
140@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
141 int i;
142 int j;
143 char **p;
144+ grub_size_t sz;
145
146 if (! dest)
147 return ps;
148@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
149 for (j = 0; ps[j]; j++)
150 ;
151
152- p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
153+ if (grub_add (i, j, &sz) ||
154+ grub_add (sz, 1, &sz) ||
155+ grub_mul (sz, sizeof (char *), &sz))
156+ return dest;
157+
158+ p = grub_realloc (dest, sz);
159 if (! p)
160 {
161 grub_free (dest);
162@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
163 char ch;
164 int i = 0;
165 unsigned len = end - start;
166- char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
167+ char *buffer;
168+ grub_size_t sz;
169
170+ /* Worst case size is (len * 2 + 2 + 1). */
171+ if (grub_mul (len, 2, &sz) ||
172+ grub_add (sz, 3, &sz))
173+ return 1;
174+
175+ buffer = grub_malloc (sz);
176 if (! buffer)
177 return 1;
178
179@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
180 struct match_devices_ctx *ctx = data;
181 char **t;
182 char *buffer;
183+ grub_size_t sz;
184
185 /* skip partitions if asked to. */
186 if (ctx->noparts && grub_strchr (name, ','))
187@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
188 if (regexec (ctx->regexp, buffer, 0, 0, 0))
189 {
190 grub_dprintf ("expand", "not matched\n");
191+ fail:
192 grub_free (buffer);
193 return 0;
194 }
195
196- t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
197+ if (grub_add (ctx->ndev, 2, &sz) ||
198+ grub_mul (sz, sizeof (char *), &sz))
199+ goto fail;
200+
201+ t = grub_realloc (ctx->devs, sz);
202 if (! t)
203 {
204 grub_free (buffer);
205@@ -300,6 +320,7 @@ match_files_iter (const char *name,
206 struct match_files_ctx *ctx = data;
207 char **t;
208 char *buffer;
209+ grub_size_t sz;
210
211 /* skip . and .. names */
212 if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
213@@ -315,9 +336,14 @@ match_files_iter (const char *name,
214 if (! buffer)
215 return 1;
216
217- t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
218- if (! t)
219+ if (grub_add (ctx->nfile, 2, &sz) ||
220+ grub_mul (sz, sizeof (char *), &sz))
221+ goto fail;
222+
223+ t = grub_realloc (ctx->files, sz);
224+ if (!t)
225 {
226+ fail:
227 grub_free (buffer);
228 return 1;
229 }
230diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
231index e632370..58f8a53 100644
232--- a/grub-core/disk/ldm.c
233+++ b/grub-core/disk/ldm.c
234@@ -25,6 +25,7 @@
235 #include <grub/msdos_partition.h>
236 #include <grub/gpt_partition.h>
237 #include <grub/i18n.h>
238+#include <grub/safemath.h>
239
240 #ifdef GRUB_UTIL
241 #include <grub/emu/misc.h>
242@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
243 struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
244 / sizeof (struct grub_ldm_vblk)];
245 unsigned i;
246+ grub_size_t sz;
247 err = grub_disk_read (disk, cursec, 0,
248 sizeof(vblk), &vblk);
249 if (err)
250@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
251 grub_free (lv);
252 goto fail2;
253 }
254- lv->name = grub_malloc (*ptr + 1);
255+ if (grub_add (*ptr, 1, &sz))
256+ {
257+ grub_free (lv->internal_id);
258+ grub_free (lv);
259+ goto fail2;
260+ }
261+ lv->name = grub_malloc (sz);
262 if (!lv->name)
263 {
264 grub_free (lv->internal_id);
265@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
266 if (lv->segments->node_alloc == lv->segments->node_count)
267 {
268 void *t;
269- lv->segments->node_alloc *= 2;
270- t = grub_realloc (lv->segments->nodes,
271- sizeof (*lv->segments->nodes)
272- * lv->segments->node_alloc);
273+ grub_size_t sz;
274+
275+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
276+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
277+ goto fail2;
278+
279+ t = grub_realloc (lv->segments->nodes, sz);
280 if (!t)
281 goto fail2;
282 lv->segments->nodes = t;
283@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
284 if (comp->segment_alloc == comp->segment_count)
285 {
286 void *t;
287- comp->segment_alloc *= 2;
288- t = grub_realloc (comp->segments,
289- comp->segment_alloc
290- * sizeof (*comp->segments));
291+ grub_size_t sz;
292+
293+ if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
294+ grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
295+ goto fail2;
296+
297+ t = grub_realloc (comp->segments, sz);
298 if (!t)
299 goto fail2;
300 comp->segments = t;
301diff --git a/grub-core/font/font.c b/grub-core/font/font.c
302index 8e118b3..5edb477 100644
303--- a/grub-core/font/font.c
304+++ b/grub-core/font/font.c
305@@ -30,6 +30,7 @@
306 #include <grub/unicode.h>
307 #include <grub/fontformat.h>
308 #include <grub/env.h>
309+#include <grub/safemath.h>
310
311 GRUB_MOD_LICENSE ("GPLv3+");
312
313@@ -360,9 +361,13 @@ static char *
314 read_section_as_string (struct font_file_section *section)
315 {
316 char *str;
317+ grub_size_t sz;
318 grub_ssize_t ret;
319
320- str = grub_malloc (section->length + 1);
321+ if (grub_add (section->length, 1, &sz))
322+ return NULL;
323+
324+ str = grub_malloc (sz);
325 if (!str)
326 return 0;
327
328diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
329index 11272ef..2b65bd5 100644
330--- a/grub-core/fs/btrfs.c
331+++ b/grub-core/fs/btrfs.c
332@@ -40,6 +40,7 @@
333 #include <grub/btrfs.h>
334 #include <grub/crypto.h>
335 #include <grub/diskfilter.h>
336+#include <grub/safemath.h>
337
338 GRUB_MOD_LICENSE ("GPLv3+");
339
340@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
341 if (desc->allocated < desc->depth)
342 {
343 void *newdata;
344- desc->allocated *= 2;
345- newdata = grub_realloc (desc->data, sizeof (desc->data[0])
346- * desc->allocated);
347+ grub_size_t sz;
348+
349+ if (grub_mul (desc->allocated, 2, &desc->allocated) ||
350+ grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
351+ return GRUB_ERR_OUT_OF_RANGE;
352+
353+ newdata = grub_realloc (desc->data, sz);
354 if (!newdata)
355 return grub_errno;
356 desc->data = newdata;
357@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
358 if (data->n_devices_attached > data->n_devices_allocated)
359 {
360 void *tmp;
361- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
362- data->devices_attached
363- = grub_realloc (tmp = data->devices_attached,
364- data->n_devices_allocated
365- * sizeof (data->devices_attached[0]));
366+ grub_size_t sz;
367+
368+ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
369+ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
370+ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
371+ goto fail;
372+
373+ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
374 if (!data->devices_attached)
375 {
376+ data->devices_attached = tmp;
377+
378+ fail:
379 if (ctx.dev_found)
380 grub_device_close (ctx.dev_found);
381- data->devices_attached = tmp;
382 return NULL;
383 }
384 }
385diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
386index 9b38980..ac33bcd 100644
387--- a/grub-core/fs/ext2.c
388+++ b/grub-core/fs/ext2.c
389@@ -46,6 +46,7 @@
390 #include <grub/dl.h>
391 #include <grub/types.h>
392 #include <grub/fshelp.h>
393+#include <grub/safemath.h>
394
395 GRUB_MOD_LICENSE ("GPLv3+");
396
397@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
398 {
399 char *symlink;
400 struct grub_fshelp_node *diro = node;
401+ grub_size_t sz;
402
403 if (! diro->inode_read)
404 {
405@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
406 }
407 }
408
409- symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
410+ if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
411+ {
412+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
413+ return NULL;
414+ }
415+
416+ symlink = grub_malloc (sz);
417 if (! symlink)
418 return 0;
419
420diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
421index 4f1b52a..7ba5b30 100644
422--- a/grub-core/fs/iso9660.c
423+++ b/grub-core/fs/iso9660.c
424@@ -28,6 +28,7 @@
425 #include <grub/fshelp.h>
426 #include <grub/charset.h>
427 #include <grub/datetime.h>
428+#include <grub/safemath.h>
429
430 GRUB_MOD_LICENSE ("GPLv3+");
431
432@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
433 int len2)
434 {
435 int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
436+ grub_size_t sz;
437
438- ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
439+ if (grub_add (size, len2, &sz) ||
440+ grub_add (sz, 1, &sz))
441+ return;
442+
443+ ctx->symlink = grub_realloc (ctx->symlink, sz);
444 if (! ctx->symlink)
445 return;
446
447@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
448 {
449 grub_size_t off = 0, csize = 1;
450 char *old;
451+ grub_size_t sz;
452+
453 csize = entry->len - 5;
454 old = ctx->filename;
455 if (ctx->filename_alloc)
456 {
457 off = grub_strlen (ctx->filename);
458- ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
459+ if (grub_add (csize, off, &sz) ||
460+ grub_add (sz, 1, &sz))
461+ return GRUB_ERR_OUT_OF_RANGE;
462+ ctx->filename = grub_realloc (ctx->filename, sz);
463 }
464 else
465 {
466 off = 0;
467- ctx->filename = grub_zalloc (csize + 1);
468+ if (grub_add (csize, 1, &sz))
469+ return GRUB_ERR_OUT_OF_RANGE;
470+ ctx->filename = grub_zalloc (sz);
471 }
472 if (!ctx->filename)
473 {
474@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
475 if (node->have_dirents >= node->alloc_dirents)
476 {
477 struct grub_fshelp_node *new_node;
478- node->alloc_dirents *= 2;
479- new_node = grub_realloc (node,
480- sizeof (struct grub_fshelp_node)
481- + ((node->alloc_dirents
482- - ARRAY_SIZE (node->dirents))
483- * sizeof (node->dirents[0])));
484+ grub_size_t sz;
485+
486+ if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
487+ grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
488+ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
489+ grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
490+ goto fail_0;
491+
492+ new_node = grub_realloc (node, sz);
493 if (!new_node)
494 {
495+ fail_0:
496 if (ctx.filename_alloc)
497 grub_free (ctx.filename);
498 grub_free (node);
499@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
500 * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
501 {
502 struct grub_fshelp_node *new_node;
503- new_node = grub_realloc (node,
504- sizeof (struct grub_fshelp_node)
505- + ((node->alloc_dirents
506- - ARRAY_SIZE (node->dirents))
507- * sizeof (node->dirents[0]))
508- + grub_strlen (ctx.symlink) + 1);
509+ grub_size_t sz;
510+
511+ if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
512+ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
513+ grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
514+ grub_add (sz, grub_strlen (ctx.symlink), &sz))
515+ goto fail_1;
516+
517+ new_node = grub_realloc (node, sz);
518 if (!new_node)
519 {
520+ fail_1:
521 if (ctx.filename_alloc)
522 grub_free (ctx.filename);
523 grub_free (node);
524diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
525index 90f7fb3..de2b107 100644
526--- a/grub-core/fs/sfs.c
527+++ b/grub-core/fs/sfs.c
528@@ -26,6 +26,7 @@
529 #include <grub/types.h>
530 #include <grub/fshelp.h>
531 #include <grub/charset.h>
532+#include <grub/safemath.h>
533
534 GRUB_MOD_LICENSE ("GPLv3+");
535
536@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
537 if (node->cache && node->cache_size >= node->cache_allocated)
538 {
539 struct cache_entry *e = node->cache;
540- e = grub_realloc (node->cache,node->cache_allocated * 2
541- * sizeof (e[0]));
542+ grub_size_t sz;
543+
544+ if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
545+ goto fail;
546+
547+ e = grub_realloc (node->cache, sz);
548 if (!e)
549 {
550+ fail:
551 grub_errno = 0;
552 grub_free (node->cache);
553 node->cache = 0;
554@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
555 grub_size_t len = grub_strlen (name);
556 grub_uint8_t *name_u8;
557 int ret;
558+ grub_size_t sz;
559+
560+ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
561+ grub_add (sz, 1, &sz))
562+ return 1;
563+
564 *node = grub_malloc (sizeof (**node));
565 if (!*node)
566 return 1;
567- name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
568+ name_u8 = grub_malloc (sz);
569 if (!name_u8)
570 {
571 grub_free (*node);
572@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
573 data = grub_sfs_mount (disk);
574 if (data)
575 {
576- grub_size_t len = grub_strlen (data->label);
577- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
578+ grub_size_t sz, len = grub_strlen (data->label);
579+
580+ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
581+ grub_add (sz, 1, &sz))
582+ return GRUB_ERR_OUT_OF_RANGE;
583+
584+ *label = grub_malloc (sz);
585 if (*label)
586 *grub_latin1_to_utf8 ((grub_uint8_t *) *label,
587 (const grub_uint8_t *) data->label,
588diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
589index 95d5c1e..7851238 100644
590--- a/grub-core/fs/squash4.c
591+++ b/grub-core/fs/squash4.c
592@@ -26,6 +26,7 @@
593 #include <grub/types.h>
594 #include <grub/fshelp.h>
595 #include <grub/deflate.h>
596+#include <grub/safemath.h>
597 #include <minilzo.h>
598
599 #include "xz.h"
600@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
601 {
602 char *ret;
603 grub_err_t err;
604- ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
605+ grub_size_t sz;
606+
607+ if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
608+ {
609+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
610+ return NULL;
611+ }
612+
613+ ret = grub_malloc (sz);
614+ if (!ret)
615+ return NULL;
616
617 err = read_chunk (node->data, ret,
618 grub_le_to_cpu32 (node->ino.symlink.namelen),
619@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
620
621 {
622 grub_fshelp_node_t node;
623- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
624+ grub_size_t sz;
625+
626+ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
627+ grub_add (sz, sizeof (*node), &sz))
628+ return 0;
629+
630+ node = grub_malloc (sz);
631 if (!node)
632 return 0;
633- grub_memcpy (node, dir,
634- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
635+ grub_memcpy (node, dir, sz);
636 if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
637 return 1;
638
639@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
640 {
641 grub_err_t err;
642
643- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
644+ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
645+ grub_add (sz, sizeof (*node), &sz))
646+ return 0;
647+
648+ node = grub_malloc (sz);
649 if (!node)
650 return 0;
651
652- grub_memcpy (node, dir,
653- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
654+ grub_memcpy (node, dir, sz);
655
656 node->stsize--;
657 err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
658@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
659 enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
660 struct grub_squash_dirent di;
661 struct grub_squash_inode ino;
662+ grub_size_t sz;
663
664 err = read_chunk (dir->data, &di, sizeof (di),
665 grub_le_to_cpu64 (dir->data->sb.diroffset)
666@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
667 if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
668 filetype = GRUB_FSHELP_SYMLINK;
669
670- node = grub_malloc (sizeof (*node)
671- + (dir->stsize + 1) * sizeof (dir->stack[0]));
672+ if (grub_add (dir->stsize, 1, &sz) ||
673+ grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
674+ grub_add (sz, sizeof (*node), &sz))
675+ return 0;
676+
677+ node = grub_malloc (sz);
678 if (! node)
679 return 0;
680
681- grub_memcpy (node, dir,
682- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
683+ grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
684
685 node->ino = ino;
686 node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
687diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
688index a837616..21ac7f4 100644
689--- a/grub-core/fs/udf.c
690+++ b/grub-core/fs/udf.c
691@@ -28,6 +28,7 @@
692 #include <grub/charset.h>
693 #include <grub/datetime.h>
694 #include <grub/udf.h>
695+#include <grub/safemath.h>
696
697 GRUB_MOD_LICENSE ("GPLv3+");
698
699@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
700 utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
701 }
702 if (!outbuf)
703- outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
704+ {
705+ grub_size_t size;
706+
707+ if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
708+ grub_add (size, 1, &size))
709+ goto fail;
710+
711+ outbuf = grub_malloc (size);
712+ }
713 if (outbuf)
714 *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
715+
716+ fail:
717 grub_free (utf16);
718 return outbuf;
719 }
720@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
721 grub_size_t sz = U64 (node->block.fe.file_size);
722 grub_uint8_t *raw;
723 const grub_uint8_t *ptr;
724- char *out, *optr;
725+ char *out = NULL, *optr;
726
727 if (sz < 4)
728 return NULL;
729@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
730 if (!raw)
731 return NULL;
732 if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
733- {
734- grub_free (raw);
735- return NULL;
736- }
737+ goto fail_1;
738
739- out = grub_malloc (sz * 2 + 1);
740+ if (grub_mul (sz, 2, &sz) ||
741+ grub_add (sz, 1, &sz))
742+ goto fail_0;
743+
744+ out = grub_malloc (sz);
745 if (!out)
746 {
747+ fail_0:
748 grub_free (raw);
749 return NULL;
750 }
751@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
752 {
753 grub_size_t s;
754 if ((grub_size_t) (ptr - raw + 4) > sz)
755- goto fail;
756+ goto fail_1;
757 if (!(ptr[2] == 0 && ptr[3] == 0))
758- goto fail;
759+ goto fail_1;
760 s = 4 + ptr[1];
761 if ((grub_size_t) (ptr - raw + s) > sz)
762- goto fail;
763+ goto fail_1;
764 switch (*ptr)
765 {
766 case 1:
767 if (ptr[1])
768- goto fail;
769+ goto fail_1;
770 /* Fallthrough. */
771 case 2:
772 /* in 4 bytes. out: 1 byte. */
773@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
774 if (optr != out)
775 *optr++ = '/';
776 if (!read_string (ptr + 4, s - 4, optr))
777- goto fail;
778+ goto fail_1;
779 optr += grub_strlen (optr);
780 break;
781 default:
782- goto fail;
783+ goto fail_1;
784 }
785 ptr += s;
786 }
787@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
788 grub_free (raw);
789 return out;
790
791- fail:
792+ fail_1:
793 grub_free (raw);
794 grub_free (out);
795 grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
796diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
797index 96ffecb..ea65902 100644
798--- a/grub-core/fs/xfs.c
799+++ b/grub-core/fs/xfs.c
800@@ -25,6 +25,7 @@
801 #include <grub/dl.h>
802 #include <grub/types.h>
803 #include <grub/fshelp.h>
804+#include <grub/safemath.h>
805
806 GRUB_MOD_LICENSE ("GPLv3+");
807
808@@ -899,6 +900,7 @@ static struct grub_xfs_data *
809 grub_xfs_mount (grub_disk_t disk)
810 {
811 struct grub_xfs_data *data = 0;
812+ grub_size_t sz;
813
814 data = grub_zalloc (sizeof (struct grub_xfs_data));
815 if (!data)
816@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
817 if (!grub_xfs_sb_valid(data))
818 goto fail;
819
820- data = grub_realloc (data,
821- sizeof (struct grub_xfs_data)
822- - sizeof (struct grub_xfs_inode)
823- + grub_xfs_inode_size(data) + 1);
824+ if (grub_add (grub_xfs_inode_size (data),
825+ sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
826+ goto fail;
827+
828+ data = grub_realloc (data, sz);
829
830 if (! data)
831 goto fail;
832diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
833index 381dde5..36d0373 100644
834--- a/grub-core/fs/zfs/zfs.c
835+++ b/grub-core/fs/zfs/zfs.c
836@@ -55,6 +55,7 @@
837 #include <grub/deflate.h>
838 #include <grub/crypto.h>
839 #include <grub/i18n.h>
840+#include <grub/safemath.h>
841
842 GRUB_MOD_LICENSE ("GPLv3+");
843
844@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data,
845 if (data->n_devices_attached > data->n_devices_allocated)
846 {
847 void *tmp;
848- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
849- data->devices_attached
850- = grub_realloc (tmp = data->devices_attached,
851- data->n_devices_allocated
852- * sizeof (data->devices_attached[0]));
853+ grub_size_t sz;
854+
855+ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
856+ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
857+ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
858+ return GRUB_ERR_OUT_OF_RANGE;
859+
860+ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
861 if (!data->devices_attached)
862 {
863 data->devices_attached = tmp;
864@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
865 {
866 char *nvpair;
867 char *ret;
868- grub_size_t size;
869+ grub_size_t size, sz;
870 int found;
871
872 found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
873 &size, 0);
874 if (!found)
875 return 0;
876- ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
877+
878+ if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
879+ return 0;
880+
881+ ret = grub_zalloc (sz);
882 if (!ret)
883 return 0;
884 grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
885diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
886index 1402e0b..de3b015 100644
887--- a/grub-core/fs/zfs/zfscrypt.c
888+++ b/grub-core/fs/zfs/zfscrypt.c
889@@ -22,6 +22,7 @@
890 #include <grub/misc.h>
891 #include <grub/disk.h>
892 #include <grub/partition.h>
893+#include <grub/safemath.h>
894 #include <grub/dl.h>
895 #include <grub/types.h>
896 #include <grub/zfs/zfs.h>
897@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
898 int passphrase)
899 {
900 struct grub_zfs_wrap_key *key;
901+ grub_size_t sz;
902+
903 if (!passphrase && keylen > 32)
904 keylen = 32;
905- key = grub_malloc (sizeof (*key) + keylen);
906+ if (grub_add (sizeof (*key), keylen, &sz))
907+ return GRUB_ERR_OUT_OF_RANGE;
908+ key = grub_malloc (sz);
909 if (!key)
910 return grub_errno;
911 key->is_passphrase = passphrase;
912diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
913index fd7744a..3288609 100644
914--- a/grub-core/lib/arg.c
915+++ b/grub-core/lib/arg.c
916@@ -23,6 +23,7 @@
917 #include <grub/term.h>
918 #include <grub/extcmd.h>
919 #include <grub/i18n.h>
920+#include <grub/safemath.h>
921
922 /* Built-in parser for default options. */
923 static const struct grub_arg_option help_options[] =
924@@ -216,7 +217,13 @@ static inline grub_err_t
925 add_arg (char ***argl, int *num, char *s)
926 {
927 char **p = *argl;
928- *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
929+ grub_size_t sz;
930+
931+ if (grub_add (++(*num), 1, &sz) ||
932+ grub_mul (sz, sizeof (char *), &sz))
933+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
934+
935+ *argl = grub_realloc (*argl, sz);
936 if (! *argl)
937 {
938 grub_free (p);
939@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
940 grub_size_t argcnt;
941 struct grub_arg_list *list;
942 const struct grub_arg_option *options;
943+ grub_size_t sz0, sz1;
944
945 options = extcmd->options;
946 if (! options)
947@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
948 argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
949 }
950
951- list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
952+ if (grub_mul (sizeof (*list), i, &sz0) ||
953+ grub_mul (sizeof (char *), argcnt, &sz1) ||
954+ grub_add (sz0, sz1, &sz0))
955+ {
956+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
957+ return 0;
958+ }
959+
960+ list = grub_zalloc (sz0);
961 if (! list)
962 return 0;
963
964diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
965index 3730ed3..b92cbe9 100644
966--- a/grub-core/loader/i386/bsd.c
967+++ b/grub-core/loader/i386/bsd.c
968@@ -35,6 +35,7 @@
969 #include <grub/ns8250.h>
970 #include <grub/bsdlabel.h>
971 #include <grub/crypto.h>
972+#include <grub/safemath.h>
973 #include <grub/verify.h>
974 #ifdef GRUB_MACHINE_PCBIOS
975 #include <grub/machine/int.h>
976@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
977 struct grub_netbsd_btinfo_modules *mods;
978 unsigned i;
979 grub_err_t err;
980+ grub_size_t sz;
981
982 for (mod = netbsd_mods; mod; mod = mod->next)
983 modcnt++;
984
985- mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
986+ if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
987+ grub_add (sz, sizeof (*mods), &sz))
988+ return GRUB_ERR_OUT_OF_RANGE;
989+
990+ mods = grub_malloc (sz);
991 if (!mods)
992 return grub_errno;
993
994diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
995index e332d5e..906ec7d 100644
996--- a/grub-core/net/dns.c
997+++ b/grub-core/net/dns.c
998@@ -22,6 +22,7 @@
999 #include <grub/i18n.h>
1000 #include <grub/err.h>
1001 #include <grub/time.h>
1002+#include <grub/safemath.h>
1003
1004 struct dns_cache_element
1005 {
1006@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
1007 {
1008 int na = dns_servers_alloc * 2;
1009 struct grub_net_network_level_address *ns;
1010+ grub_size_t sz;
1011+
1012 if (na < 8)
1013 na = 8;
1014- ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
1015+
1016+ if (grub_mul (na, sizeof (ns[0]), &sz))
1017+ return GRUB_ERR_OUT_OF_RANGE;
1018+
1019+ ns = grub_realloc (dns_servers, sz);
1020 if (!ns)
1021 return grub_errno;
1022 dns_servers_alloc = na;
1023diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
1024index d57fb72..4dfcc31 100644
1025--- a/grub-core/normal/charset.c
1026+++ b/grub-core/normal/charset.c
1027@@ -48,6 +48,7 @@
1028 #include <grub/unicode.h>
1029 #include <grub/term.h>
1030 #include <grub/normal.h>
1031+#include <grub/safemath.h>
1032
1033 #if HAVE_FONT_SOURCE
1034 #include "widthspec.h"
1035@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
1036 {
1037 struct grub_unicode_combining *n;
1038 unsigned j;
1039+ grub_size_t sz;
1040
1041 if (!haveout)
1042 continue;
1043@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
1044 n = out->combining_inline;
1045 else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
1046 {
1047- n = grub_realloc (out->combining_ptr,
1048- sizeof (n[0]) * (out->ncomb + 1));
1049+ if (grub_add (out->ncomb, 1, &sz) ||
1050+ grub_mul (sz, sizeof (n[0]), &sz))
1051+ goto fail;
1052+
1053+ n = grub_realloc (out->combining_ptr, sz);
1054 if (!n)
1055 {
1056+ fail:
1057 grub_errno = GRUB_ERR_NONE;
1058 continue;
1059 }
1060diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
1061index c57242e..de03fe6 100644
1062--- a/grub-core/normal/cmdline.c
1063+++ b/grub-core/normal/cmdline.c
1064@@ -28,6 +28,7 @@
1065 #include <grub/env.h>
1066 #include <grub/i18n.h>
1067 #include <grub/charset.h>
1068+#include <grub/safemath.h>
1069
1070 static grub_uint32_t *kill_buf;
1071
1072@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
1073 if (len + (*llen) >= (*max_len))
1074 {
1075 grub_uint32_t *nbuf;
1076- (*max_len) *= 2;
1077- nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
1078+ grub_size_t sz;
1079+
1080+ if (grub_mul (*max_len, 2, max_len) ||
1081+ grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
1082+ {
1083+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
1084+ goto fail;
1085+ }
1086+
1087+ nbuf = grub_realloc ((*buf), sz);
1088 if (nbuf)
1089 (*buf) = nbuf;
1090 else
1091 {
1092+ fail:
1093 grub_print_error ();
1094 grub_errno = GRUB_ERR_NONE;
1095 (*max_len) /= 2;
1096diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
1097index 1993995..50eef91 100644
1098--- a/grub-core/normal/menu_entry.c
1099+++ b/grub-core/normal/menu_entry.c
1100@@ -27,6 +27,7 @@
1101 #include <grub/auth.h>
1102 #include <grub/i18n.h>
1103 #include <grub/charset.h>
1104+#include <grub/safemath.h>
1105
1106 enum update_mode
1107 {
1108@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra)
1109 {
1110 if (linep->max_len < linep->len + extra)
1111 {
1112- linep->max_len = 2 * (linep->len + extra);
1113- linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
1114+ grub_size_t sz0, sz1;
1115+
1116+ if (grub_add (linep->len, extra, &sz0) ||
1117+ grub_mul (sz0, 2, &sz0) ||
1118+ grub_add (sz0, 1, &sz1) ||
1119+ grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
1120+ return 0;
1121+
1122+ linep->buf = grub_realloc (linep->buf, sz1);
1123 if (! linep->buf)
1124 return 0;
1125+ linep->max_len = sz0;
1126 }
1127
1128 return 1;
1129diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
1130index 217ec5d..5751fdd 100644
1131--- a/grub-core/script/argv.c
1132+++ b/grub-core/script/argv.c
1133@@ -20,6 +20,7 @@
1134 #include <grub/mm.h>
1135 #include <grub/misc.h>
1136 #include <grub/script_sh.h>
1137+#include <grub/safemath.h>
1138
1139 /* Return nearest power of two that is >= v. */
1140 static unsigned
1141@@ -81,11 +82,16 @@ int
1142 grub_script_argv_next (struct grub_script_argv *argv)
1143 {
1144 char **p = argv->args;
1145+ grub_size_t sz;
1146
1147 if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
1148 return 0;
1149
1150- p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
1151+ if (grub_add (argv->argc, 2, &sz) ||
1152+ grub_mul (sz, sizeof (char *), &sz))
1153+ return 1;
1154+
1155+ p = grub_realloc (p, round_up_exp (sz));
1156 if (! p)
1157 return 1;
1158
1159@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
1160 {
1161 grub_size_t a;
1162 char *p = argv->args[argv->argc - 1];
1163+ grub_size_t sz;
1164
1165 if (! s)
1166 return 0;
1167
1168 a = p ? grub_strlen (p) : 0;
1169
1170- p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
1171+ if (grub_add (a, slen, &sz) ||
1172+ grub_add (sz, 1, &sz) ||
1173+ grub_mul (sz, sizeof (char), &sz))
1174+ return 1;
1175+
1176+ p = grub_realloc (p, round_up_exp (sz));
1177 if (! p)
1178 return 1;
1179
1180diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
1181index c6bd317..5fb0cbd 100644
1182--- a/grub-core/script/lexer.c
1183+++ b/grub-core/script/lexer.c
1184@@ -24,6 +24,7 @@
1185 #include <grub/mm.h>
1186 #include <grub/script_sh.h>
1187 #include <grub/i18n.h>
1188+#include <grub/safemath.h>
1189
1190 #define yytext_ptr char *
1191 #include "grub_script.tab.h"
1192@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
1193 old = lexer->recording;
1194 if (lexer->recordlen < len)
1195 lexer->recordlen = len;
1196- lexer->recordlen *= 2;
1197+
1198+ if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
1199+ goto fail;
1200+
1201 lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
1202 if (!lexer->recording)
1203 {
1204+ fail:
1205 grub_free (old);
1206 lexer->recordpos = 0;
1207 lexer->recordlen = 0;
1208@@ -130,7 +135,7 @@ int
1209 grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
1210 const char *input)
1211 {
1212- grub_size_t len = 0;
1213+ grub_size_t len = 0, sz;
1214 char *p = 0;
1215 char *line = 0;
1216 YY_BUFFER_STATE buffer;
1217@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
1218 }
1219 else if (len && line[len - 1] != '\n')
1220 {
1221- p = grub_realloc (line, len + 2);
1222+ if (grub_add (len, 2, &sz))
1223+ {
1224+ grub_free (line);
1225+ grub_script_yyerror (parserstate, N_("overflow is detected"));
1226+ return 1;
1227+ }
1228+
1229+ p = grub_realloc (line, sz);
1230 if (p)
1231 {
1232 p[len++] = '\n';
1233 p[len] = '\0';
1234 }
1235+ else
1236+ grub_free (line);
1237+
1238 line = p;
1239 }
1240
1241diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
1242index b2e0315..6256e20 100644
1243--- a/grub-core/video/bitmap.c
1244+++ b/grub-core/video/bitmap.c
1245@@ -23,6 +23,7 @@
1246 #include <grub/mm.h>
1247 #include <grub/misc.h>
1248 #include <grub/i18n.h>
1249+#include <grub/safemath.h>
1250
1251 GRUB_MOD_LICENSE ("GPLv3+");
1252
1253@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
1254 enum grub_video_blit_format blit_format)
1255 {
1256 struct grub_video_mode_info *mode_info;
1257- unsigned int size;
1258+ grub_size_t size;
1259
1260 if (!bitmap)
1261 return grub_error (GRUB_ERR_BUG, "invalid argument");
1262@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
1263
1264 mode_info->pitch = width * mode_info->bytes_per_pixel;
1265
1266- /* Calculate size needed for the data. */
1267- size = (width * mode_info->bytes_per_pixel) * height;
1268+ /* Calculate size needed for the data. */
1269+ if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
1270+ grub_mul (size, height, &size))
1271+ {
1272+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
1273+ goto fail;
1274+ }
1275
1276 (*bitmap)->data = grub_zalloc (size);
1277 if (! (*bitmap)->data)
1278- {
1279- grub_free (*bitmap);
1280- *bitmap = 0;
1281-
1282- return grub_errno;
1283- }
1284+ goto fail;
1285
1286 return GRUB_ERR_NONE;
1287+
1288+ fail:
1289+ grub_free (*bitmap);
1290+ *bitmap = NULL;
1291+
1292+ return grub_errno;
1293 }
1294
1295 /* Frees all resources allocated by bitmap. */
1296diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
1297index 61bd645..0157ff7 100644
1298--- a/grub-core/video/readers/png.c
1299+++ b/grub-core/video/readers/png.c
1300@@ -23,6 +23,7 @@
1301 #include <grub/mm.h>
1302 #include <grub/misc.h>
1303 #include <grub/bufio.h>
1304+#include <grub/safemath.h>
1305
1306 GRUB_MOD_LICENSE ("GPLv3+");
1307
1308@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
1309 data->bpp <<= 1;
1310
1311 data->color_bits = color_bits;
1312- data->row_bytes = data->image_width * data->bpp;
1313+
1314+ if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
1315+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
1316+
1317 if (data->color_bits <= 4)
1318- data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
1319+ {
1320+ if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
1321+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
1322+
1323+ data->row_bytes >>= 3;
1324+ }
1325
1326 #ifndef GRUB_CPU_WORDS_BIGENDIAN
1327 if (data->is_16bit || data->is_gray || data->is_palette)
1328--
13292.14.4
1330
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch
deleted file mode 100644
index 329e554a68..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch
+++ /dev/null
@@ -1,117 +0,0 @@
1From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Fri, 10 Jul 2020 14:41:45 +0100
4Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function
5 during execution
6
7Defining a new function with the same name as a previously defined
8function causes the grub_script and associated resources for the
9previous function to be freed. If the previous function is currently
10executing when a function with the same name is defined, this results
11in use-after-frees when processing subsequent commands in the original
12function.
13
14Instead, reject a new function definition if it has the same name as
15a previously defined function, and that function is currently being
16executed. Although a behavioural change, this should be backwards
17compatible with existing configurations because they can't be
18dependent on the current behaviour without being broken.
19
20Fixes: CVE-2020-15706
21
22Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
23Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
24
25Upstream-Status: Backport
26CVE: CVE-2020-15706
27
28Reference to upstream patch:
29https://git.savannah.gnu.org/cgit/grub.git/commit/?id=426f57383d647406ae9c628c472059c27cd6e040
30
31Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
32---
33 grub-core/script/execute.c | 2 ++
34 grub-core/script/function.c | 16 +++++++++++++---
35 grub-core/script/parser.y | 3 ++-
36 include/grub/script_sh.h | 2 ++
37 4 files changed, 19 insertions(+), 4 deletions(-)
38
39diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
40index c8d6806..7e028e1 100644
41--- a/grub-core/script/execute.c
42+++ b/grub-core/script/execute.c
43@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
44 old_scope = scope;
45 scope = &new_scope;
46
47+ func->executing++;
48 ret = grub_script_execute (func->func);
49+ func->executing--;
50
51 function_return = 0;
52 active_loops = loops;
53diff --git a/grub-core/script/function.c b/grub-core/script/function.c
54index d36655e..3aad04b 100644
55--- a/grub-core/script/function.c
56+++ b/grub-core/script/function.c
57@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
58 func = (grub_script_function_t) grub_malloc (sizeof (*func));
59 if (! func)
60 return 0;
61+ func->executing = 0;
62
63 func->name = grub_strdup (functionname_arg->str);
64 if (! func->name)
65@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
66 grub_script_function_t q;
67
68 q = *p;
69- grub_script_free (q->func);
70- q->func = cmd;
71 grub_free (func);
72- func = q;
73+ if (q->executing > 0)
74+ {
75+ grub_error (GRUB_ERR_BAD_ARGUMENT,
76+ N_("attempt to redefine a function being executed"));
77+ func = NULL;
78+ }
79+ else
80+ {
81+ grub_script_free (q->func);
82+ q->func = cmd;
83+ func = q;
84+ }
85 }
86 else
87 {
88diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
89index 4f0ab83..f80b86b 100644
90--- a/grub-core/script/parser.y
91+++ b/grub-core/script/parser.y
92@@ -289,7 +289,8 @@ function: "function" "name"
93 grub_script_mem_free (state->func_mem);
94 else {
95 script->children = state->scripts;
96- grub_script_function_create ($2, script);
97+ if (!grub_script_function_create ($2, script))
98+ grub_script_free (script);
99 }
100
101 state->scripts = $<scripts>3;
102diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
103index b382bcf..6c48e07 100644
104--- a/include/grub/script_sh.h
105+++ b/include/grub/script_sh.h
106@@ -361,6 +361,8 @@ struct grub_script_function
107
108 /* The next element. */
109 struct grub_script_function *next;
110+
111+ unsigned executing;
112 };
113 typedef struct grub_script_function *grub_script_function_t;
114
115--
1162.14.4
117
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch
deleted file mode 100644
index d4f9300c0a..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch
+++ /dev/null
@@ -1,177 +0,0 @@
1From 68a09a74f6d726d79709847f3671c0a08e4fb5a0 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Sat, 25 Jul 2020 12:15:37 +0100
4Subject: [PATCH 9/9] linux: Fix integer overflows in initrd size handling
5
6These could be triggered by a crafted filesystem with very large files.
7
8Fixes: CVE-2020-15707
9
10Signed-off-by: Colin Watson <cjwatson@debian.org>
11Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
12Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13
14Upstream-Status: Backport
15CVE: CVE-2020-15707
16
17Reference to upstream patch:
18https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e7b8856f8be3292afdb38d2e8c70ad8d62a61e10
19
20Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
21---
22 grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
23 1 file changed, 54 insertions(+), 20 deletions(-)
24
25diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
26index 471b214..8c8565a 100644
27--- a/grub-core/loader/linux.c
28+++ b/grub-core/loader/linux.c
29@@ -4,6 +4,7 @@
30 #include <grub/misc.h>
31 #include <grub/file.h>
32 #include <grub/mm.h>
33+#include <grub/safemath.h>
34
35 struct newc_head
36 {
37@@ -98,13 +99,13 @@ free_dir (struct dir *root)
38 grub_free (root);
39 }
40
41-static grub_size_t
42+static grub_err_t
43 insert_dir (const char *name, struct dir **root,
44- grub_uint8_t *ptr)
45+ grub_uint8_t *ptr, grub_size_t *size)
46 {
47 struct dir *cur, **head = root;
48 const char *cb, *ce = name;
49- grub_size_t size = 0;
50+ *size = 0;
51 while (1)
52 {
53 for (cb = ce; *cb == '/'; cb++);
54@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
55 ptr = make_header (ptr, name, ce - name,
56 040777, 0);
57 }
58- size += ALIGN_UP ((ce - (char *) name)
59- + sizeof (struct newc_head), 4);
60+ if (grub_add (*size,
61+ ALIGN_UP ((ce - (char *) name)
62+ + sizeof (struct newc_head), 4),
63+ size))
64+ {
65+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
66+ grub_free (n->name);
67+ grub_free (n);
68+ return grub_errno;
69+ }
70 *head = n;
71 cur = n;
72 }
73 root = &cur->next;
74 }
75- return size;
76+ return GRUB_ERR_NONE;
77 }
78
79 grub_err_t
80@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
81 eptr = grub_strchr (ptr, ':');
82 if (eptr)
83 {
84+ grub_size_t dir_size, name_len;
85+
86 initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
87- if (!initrd_ctx->components[i].newc_name)
88+ if (!initrd_ctx->components[i].newc_name ||
89+ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
90+ &dir_size))
91 {
92 grub_initrd_close (initrd_ctx);
93 return grub_errno;
94 }
95- initrd_ctx->size
96- += ALIGN_UP (sizeof (struct newc_head)
97- + grub_strlen (initrd_ctx->components[i].newc_name),
98- 4);
99- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
100- &root, 0);
101+ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
102+ if (grub_add (initrd_ctx->size,
103+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
104+ &initrd_ctx->size) ||
105+ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
106+ goto overflow;
107 newc = 1;
108 fname = eptr + 1;
109 }
110 }
111 else if (newc)
112 {
113- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
114- + sizeof ("TRAILER!!!") - 1, 4);
115+ if (grub_add (initrd_ctx->size,
116+ ALIGN_UP (sizeof (struct newc_head)
117+ + sizeof ("TRAILER!!!") - 1, 4),
118+ &initrd_ctx->size))
119+ goto overflow;
120 free_dir (root);
121 root = 0;
122 newc = 0;
123@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
124 initrd_ctx->nfiles++;
125 initrd_ctx->components[i].size
126 = grub_file_size (initrd_ctx->components[i].file);
127- initrd_ctx->size += initrd_ctx->components[i].size;
128+ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
129+ &initrd_ctx->size))
130+ goto overflow;
131 }
132
133 if (newc)
134 {
135 initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
136- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
137- + sizeof ("TRAILER!!!") - 1, 4);
138+ if (grub_add (initrd_ctx->size,
139+ ALIGN_UP (sizeof (struct newc_head)
140+ + sizeof ("TRAILER!!!") - 1, 4),
141+ &initrd_ctx->size))
142+ goto overflow;
143 free_dir (root);
144 root = 0;
145 }
146
147 return GRUB_ERR_NONE;
148+
149+ overflow:
150+ free_dir (root);
151+ grub_initrd_close (initrd_ctx);
152+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
153 }
154
155 grub_size_t
156@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
157
158 if (initrd_ctx->components[i].newc_name)
159 {
160- ptr += insert_dir (initrd_ctx->components[i].newc_name,
161- &root, ptr);
162+ grub_size_t dir_size;
163+
164+ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
165+ &dir_size))
166+ {
167+ free_dir (root);
168+ grub_initrd_close (initrd_ctx);
169+ return grub_errno;
170+ }
171+ ptr += dir_size;
172 ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
173 grub_strlen (initrd_ctx->components[i].newc_name),
174 0100777,
175--
1762.14.4
177
diff --git a/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch b/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
index faa7fde232..1323a54a59 100644
--- a/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
+++ b/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
@@ -1,6 +1,6 @@
1From 72c30928d3d461e0e2d20c5ff33bd96b6991d585 Mon Sep 17 00:00:00 2001 1From 8790aa8bea736f52341a0430ff3e317d3be0f99b Mon Sep 17 00:00:00 2001
2From: Robert Yang <liezhi.yang@windriver.com> 2From: Naveen Saini <naveen.kumar.saini@intel.com>
3Date: Sat, 25 Jan 2014 23:49:44 -0500 3Date: Mon, 15 Mar 2021 14:44:15 +0800
4Subject: [PATCH] autogen.sh: exclude .pc from po/POTFILES.in 4Subject: [PATCH] autogen.sh: exclude .pc from po/POTFILES.in
5 5
6Exclude the .pc from po/POTFILES.in since quilt uses "patch --backup", 6Exclude the .pc from po/POTFILES.in since quilt uses "patch --backup",
@@ -13,23 +13,24 @@ Upstream-Status: Inappropriate [OE specific]
13 13
14Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 14Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
15Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> 15Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
16Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
16--- 17---
17 autogen.sh | 2 +- 18 autogen.sh | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-) 19 1 file changed, 1 insertion(+), 1 deletion(-)
19 20
20diff --git a/autogen.sh b/autogen.sh 21diff --git a/autogen.sh b/autogen.sh
21index ef43270..a7067a7 100755 22index 31b0ced7e..c63ae766c 100755
22--- a/autogen.sh 23--- a/autogen.sh
23+++ b/autogen.sh 24+++ b/autogen.sh
24@@ -13,7 +13,7 @@ fi 25@@ -13,7 +13,7 @@ fi
25 export LC_COLLATE=C 26 export LC_COLLATE=C
26 unset LC_ALL 27 unset LC_ALL
27 28
28-find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -iname './grub-core/lib/gnulib/*' |sort > po/POTFILES.in 29-find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
29+find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -iname './grub-core/lib/gnulib/*' ! -path './.pc/*' |sort > po/POTFILES.in 30+find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' ! -path './.pc/*' |sort > po/POTFILES.in
30 find util -iname '*.in' ! -name Makefile.in |sort > po/POTFILES-shell.in 31 find util -iname '*.in' ! -name Makefile.in |sort > po/POTFILES-shell.in
31 32
32 echo "Importing unicode..." 33 echo "Importing unicode..."
33-- 34--
342.7.4 352.17.1
35 36
diff --git a/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch b/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch
deleted file mode 100644
index c9536e68ef..0000000000
--- a/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch
+++ /dev/null
@@ -1,246 +0,0 @@
1From c005f62f5c4b26a77b916c8f76a852324439ecb3 Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 12:15:29 -0400
4Subject: [PATCH 2/9] calloc: Make sure we always have an overflow-checking
5 calloc() available
6
7This tries to make sure that everywhere in this source tree, we always have
8an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
9available, and that they all safely check for overflow and return NULL when
10it would occur.
11
12Upstream-Status: Backport [commit 64e26162ebfe68317c143ca5ec996c892019f8f8
13from https://git.savannah.gnu.org/git/grub.git]
14
15Signed-off-by: Peter Jones <pjones@redhat.com>
16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
18---
19 grub-core/kern/emu/misc.c | 12 ++++++++++++
20 grub-core/kern/emu/mm.c | 10 ++++++++++
21 grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++
22 grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
23 grub-core/lib/posix_wrap/stdlib.h | 8 +++++++-
24 include/grub/emu/misc.h | 1 +
25 include/grub/mm.h | 6 ++++++
26 7 files changed, 85 insertions(+), 3 deletions(-)
27
28diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
29index 65db79b..dfd8a8e 100644
30--- a/grub-core/kern/emu/misc.c
31+++ b/grub-core/kern/emu/misc.c
32@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...)
33 exit (1);
34 }
35
36+void *
37+xcalloc (grub_size_t nmemb, grub_size_t size)
38+{
39+ void *p;
40+
41+ p = calloc (nmemb, size);
42+ if (!p)
43+ grub_util_error ("%s", _("out of memory"));
44+
45+ return p;
46+}
47+
48 void *
49 xmalloc (grub_size_t size)
50 {
51diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
52index f262e95..145b01d 100644
53--- a/grub-core/kern/emu/mm.c
54+++ b/grub-core/kern/emu/mm.c
55@@ -25,6 +25,16 @@
56 #include <string.h>
57 #include <grub/i18n.h>
58
59+void *
60+grub_calloc (grub_size_t nmemb, grub_size_t size)
61+{
62+ void *ret;
63+ ret = calloc (nmemb, size);
64+ if (!ret)
65+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
66+ return ret;
67+}
68+
69 void *
70 grub_malloc (grub_size_t size)
71 {
72diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
73index ee88ff6..f2822a8 100644
74--- a/grub-core/kern/mm.c
75+++ b/grub-core/kern/mm.c
76@@ -67,8 +67,10 @@
77 #include <grub/dl.h>
78 #include <grub/i18n.h>
79 #include <grub/mm_private.h>
80+#include <grub/safemath.h>
81
82 #ifdef MM_DEBUG
83+# undef grub_calloc
84 # undef grub_malloc
85 # undef grub_zalloc
86 # undef grub_realloc
87@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
88 return 0;
89 }
90
91+/*
92+ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
93+ * integer overflow.
94+ */
95+void *
96+grub_calloc (grub_size_t nmemb, grub_size_t size)
97+{
98+ void *ret;
99+ grub_size_t sz = 0;
100+
101+ if (grub_mul (nmemb, size, &sz))
102+ {
103+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
104+ return NULL;
105+ }
106+
107+ ret = grub_memalign (0, sz);
108+ if (!ret)
109+ return NULL;
110+
111+ grub_memset (ret, 0, sz);
112+ return ret;
113+}
114+
115 /* Allocate SIZE bytes and return the pointer. */
116 void *
117 grub_malloc (grub_size_t size)
118@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno)
119 grub_printf ("\n");
120 }
121
122+void *
123+grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
124+{
125+ void *ptr;
126+
127+ if (grub_mm_debug)
128+ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
129+ file, line, size);
130+ ptr = grub_calloc (nmemb, size);
131+ if (grub_mm_debug)
132+ grub_printf ("%p\n", ptr);
133+ return ptr;
134+}
135+
136 void *
137 grub_debug_malloc (const char *file, int line, grub_size_t size)
138 {
139diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
140index beeb661..74c6eaf 100644
141--- a/grub-core/lib/libgcrypt_wrap/mem.c
142+++ b/grub-core/lib/libgcrypt_wrap/mem.c
143@@ -4,6 +4,7 @@
144 #include <grub/crypto.h>
145 #include <grub/dl.h>
146 #include <grub/env.h>
147+#include <grub/safemath.h>
148
149 GRUB_MOD_LICENSE ("GPLv3+");
150
151@@ -36,7 +37,10 @@ void *
152 gcry_xcalloc (size_t n, size_t m)
153 {
154 void *ret;
155- ret = grub_zalloc (n * m);
156+ size_t sz;
157+ if (grub_mul (n, m, &sz))
158+ grub_fatal ("gcry_xcalloc would overflow");
159+ ret = grub_zalloc (sz);
160 if (!ret)
161 grub_fatal ("gcry_xcalloc failed");
162 return ret;
163@@ -56,7 +60,10 @@ void *
164 gcry_xcalloc_secure (size_t n, size_t m)
165 {
166 void *ret;
167- ret = grub_zalloc (n * m);
168+ size_t sz;
169+ if (grub_mul (n, m, &sz))
170+ grub_fatal ("gcry_xcalloc would overflow");
171+ ret = grub_zalloc (sz);
172 if (!ret)
173 grub_fatal ("gcry_xcalloc failed");
174 return ret;
175diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
176index 3b46f47..7a8d385 100644
177--- a/grub-core/lib/posix_wrap/stdlib.h
178+++ b/grub-core/lib/posix_wrap/stdlib.h
179@@ -21,6 +21,7 @@
180
181 #include <grub/mm.h>
182 #include <grub/misc.h>
183+#include <grub/safemath.h>
184
185 static inline void
186 free (void *ptr)
187@@ -37,7 +38,12 @@ malloc (grub_size_t size)
188 static inline void *
189 calloc (grub_size_t size, grub_size_t nelem)
190 {
191- return grub_zalloc (size * nelem);
192+ grub_size_t sz;
193+
194+ if (grub_mul (size, nelem, &sz))
195+ return NULL;
196+
197+ return grub_zalloc (sz);
198 }
199
200 static inline void *
201diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
202index ce464cf..ff9c48a 100644
203--- a/include/grub/emu/misc.h
204+++ b/include/grub/emu/misc.h
205@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
206 #define GRUB_HOST_PRIuLONG_LONG "llu"
207 #define GRUB_HOST_PRIxLONG_LONG "llx"
208
209+void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
210 void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
211 void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
212 char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
213diff --git a/include/grub/mm.h b/include/grub/mm.h
214index 28e2e53..9c38dd3 100644
215--- a/include/grub/mm.h
216+++ b/include/grub/mm.h
217@@ -29,6 +29,7 @@
218 #endif
219
220 void grub_mm_init_region (void *addr, grub_size_t size);
221+void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
222 void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
223 void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
224 void EXPORT_FUNC(grub_free) (void *ptr);
225@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
226 void grub_mm_dump_free (void);
227 void grub_mm_dump (unsigned lineno);
228
229+#define grub_calloc(nmemb, size) \
230+ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
231+
232 #define grub_malloc(size) \
233 grub_debug_malloc (GRUB_FILE, __LINE__, size)
234
235@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
236 #define grub_free(ptr) \
237 grub_debug_free (GRUB_FILE, __LINE__, ptr)
238
239+void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
240+ grub_size_t nmemb, grub_size_t size);
241 void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
242 grub_size_t size);
243 void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
244--
2452.14.4
246
diff --git a/meta/recipes-bsp/grub/files/determinism.patch b/meta/recipes-bsp/grub/files/determinism.patch
index 3c1f562c71..2828e80975 100644
--- a/meta/recipes-bsp/grub/files/determinism.patch
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -1,6 +1,9 @@
1The output in moddep.lst generated from syminfo.lst using genmoddep.awk is 1From b6f9b3f6fa782807c4a7ec16ee8ef868cdfbf468 Mon Sep 17 00:00:00 2001
2not deterministic since the order of the dependencies on each line can vary 2From: Naveen Saini <naveen.kumar.saini@intel.com>
3depending on how awk sorts the values in the array. 3Date: Mon, 15 Mar 2021 14:56:18 +0800
4Subject: [PATCH] The output in moddep.lst generated from syminfo.lst using
5 genmoddep.awk is not deterministic since the order of the dependencies on
6 each line can vary depending on how awk sorts the values in the array.
4 7
5Be deterministic in the output by sorting the dependencies on each line. 8Be deterministic in the output by sorting the dependencies on each line.
6 9
@@ -13,11 +16,29 @@ keys of the dict.
13 16
14Upstream-Status: Pending 17Upstream-Status: Pending
15Richard Purdie <richard.purdie@linuxfoundation.org> 18Richard Purdie <richard.purdie@linuxfoundation.org>
19Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
20---
21 gentpl.py | 1 +
22 grub-core/genmoddep.awk | 4 +++-
23 util/import_unicode.py | 2 +-
24 3 files changed, 5 insertions(+), 2 deletions(-)
16 25
17Index: grub-2.04/grub-core/genmoddep.awk 26diff --git a/gentpl.py b/gentpl.py
18=================================================================== 27index c86550d4f..589285192 100644
19--- grub-2.04.orig/grub-core/genmoddep.awk 28--- a/gentpl.py
20+++ grub-2.04/grub-core/genmoddep.awk 29+++ b/gentpl.py
30@@ -568,6 +568,7 @@ def foreach_platform_value(defn, platform, suffix, closure):
31 for group in RMAP[platform]:
32 for value in defn.find_all(group + suffix):
33 r.append(closure(value))
34+ r.sort()
35 return ''.join(r)
36
37 def platform_conditional(platform, closure):
38diff --git a/grub-core/genmoddep.awk b/grub-core/genmoddep.awk
39index 04c2863e5..247436392 100644
40--- a/grub-core/genmoddep.awk
41+++ b/grub-core/genmoddep.awk
21@@ -59,7 +59,9 @@ END { 42@@ -59,7 +59,9 @@ END {
22 } 43 }
23 modlist = "" 44 modlist = ""
@@ -29,22 +50,10 @@ Index: grub-2.04/grub-core/genmoddep.awk
29 modlist = modlist " " depmod; 50 modlist = modlist " " depmod;
30 inverse_dependencies[depmod] = inverse_dependencies[depmod] " " mod 51 inverse_dependencies[depmod] = inverse_dependencies[depmod] " " mod
31 depcount[mod]++ 52 depcount[mod]++
32Index: grub-2.04/gentpl.py 53diff --git a/util/import_unicode.py b/util/import_unicode.py
33=================================================================== 54index 08f80591e..1f434a069 100644
34--- grub-2.04.orig/gentpl.py 55--- a/util/import_unicode.py
35+++ grub-2.04/gentpl.py 56+++ b/util/import_unicode.py
36@@ -568,6 +568,7 @@ def foreach_platform_value(defn, platfor
37 for group in RMAP[platform]:
38 for value in defn.find_all(group + suffix):
39 r.append(closure(value))
40+ r.sort()
41 return ''.join(r)
42
43 def platform_conditional(platform, closure):
44Index: grub-2.04/util/import_unicode.py
45===================================================================
46--- grub-2.04.orig/util/import_unicode.py
47+++ grub-2.04/util/import_unicode.py
48@@ -174,7 +174,7 @@ infile.close () 57@@ -174,7 +174,7 @@ infile.close ()
49 58
50 outfile.write ("struct grub_unicode_arabic_shape grub_unicode_arabic_shapes[] = {\n ") 59 outfile.write ("struct grub_unicode_arabic_shape grub_unicode_arabic_shapes[] = {\n ")
@@ -54,3 +63,6 @@ Index: grub-2.04/util/import_unicode.py
54 try: 63 try:
55 if arabicsubst[x]['join'] == "DUAL": 64 if arabicsubst[x]['join'] == "DUAL":
56 outfile.write ("{0x%x, 0x%x, 0x%x, 0x%x, 0x%x},\n " % (arabicsubst[x][0], arabicsubst[x][1], arabicsubst[x][2], arabicsubst[x][3], arabicsubst[x][4])) 65 outfile.write ("{0x%x, 0x%x, 0x%x, 0x%x, 0x%x},\n " % (arabicsubst[x][0], arabicsubst[x][1], arabicsubst[x][2], arabicsubst[x][3], arabicsubst[x][4]))
66--
672.17.1
68
diff --git a/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch b/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch
deleted file mode 100644
index 2b8157f592..0000000000
--- a/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch
+++ /dev/null
@@ -1,287 +0,0 @@
1From 8eb02bcb5897b238b29ff762402bb0c3028f0eab Mon Sep 17 00:00:00 2001
2From: Michael Chang <mchang@suse.com>
3Date: Thu, 19 Mar 2020 13:56:13 +0800
4Subject: [PATCH 3/9] lvm: Add LVM cache logical volume handling
5
6The LVM cache logical volume is the logical volume consisting of the original
7and the cache pool logical volume. The original is usually on a larger and
8slower storage device while the cache pool is on a smaller and faster one. The
9performance of the original volume can be improved by storing the frequently
10used data on the cache pool to utilize the greater performance of faster
11device.
12
13The default cache mode "writethrough" ensures that any data written will be
14stored both in the cache and on the origin LV, therefore grub can be straight
15to read the original lv as no data loss is guarenteed.
16
17The second cache mode is "writeback", which delays writing from the cache pool
18back to the origin LV to have increased performance. The drawback is potential
19data loss if losing the associated cache device.
20
21During the boot time grub reads the LVM offline i.e. LVM volumes are not
22activated and mounted, hence it should be fine to read directly from original
23lv since all cached data should have been flushed back in the process of taking
24it offline.
25
26It is also not much helpful to the situation by adding fsync calls to the
27install code. The fsync did not force to write back dirty cache to the original
28device and rather it would update associated cache metadata to complete the
29write transaction with the cache device. IOW the writes to cached blocks still
30go only to the cache device.
31
32To write back dirty cache, as LVM cache did not support dirty cache flush per
33block range, there'no way to do it for file. On the other hand the "cleaner"
34policy is implemented and can be used to write back "all" dirty blocks in a
35cache, which effectively drain all dirty cache gradually to attain and last in
36the "clean" state, which can be useful for shrinking or decommissioning a
37cache. The result and effect is not what we are looking for here.
38
39In conclusion, as it seems no way to enforce file writes to the original
40device, grub may suffer from power failure as it cannot assemble the cache
41device and read the dirty data from it. However since the case is only
42applicable to writeback mode which is sensitive to data lost in nature, I'd
43still like to propose my (relatively simple) patch and treat reading dirty
44cache as improvement.
45
46Upstream-Status: Backport [commit 0454b0445393aafc5600e92ef0c39494e333b135
47from https://git.savannah.gnu.org/git/grub.git]
48
49Signed-off-by: Michael Chang <mchang@suse.com>
50Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
51Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
52---
53 grub-core/disk/lvm.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++
54 1 file changed, 190 insertions(+)
55
56diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
57index 7b265c7..dc6b83b 100644
58--- a/grub-core/disk/lvm.c
59+++ b/grub-core/disk/lvm.c
60@@ -33,6 +33,14 @@
61
62 GRUB_MOD_LICENSE ("GPLv3+");
63
64+struct cache_lv
65+{
66+ struct grub_diskfilter_lv *lv;
67+ char *cache_pool;
68+ char *origin;
69+ struct cache_lv *next;
70+};
71+
72
73 /* Go the string STR and return the number after STR. *P will point
74 at the number. In case STR is not found, *P will be NULL and the
75@@ -95,6 +103,34 @@ grub_lvm_check_flag (char *p, const char *str, const char *flag)
76 }
77 }
78
79+static void
80+grub_lvm_free_cache_lvs (struct cache_lv *cache_lvs)
81+{
82+ struct cache_lv *cache;
83+
84+ while ((cache = cache_lvs))
85+ {
86+ cache_lvs = cache_lvs->next;
87+
88+ if (cache->lv)
89+ {
90+ unsigned int i;
91+
92+ for (i = 0; i < cache->lv->segment_count; ++i)
93+ if (cache->lv->segments)
94+ grub_free (cache->lv->segments[i].nodes);
95+ grub_free (cache->lv->segments);
96+ grub_free (cache->lv->fullname);
97+ grub_free (cache->lv->idname);
98+ grub_free (cache->lv->name);
99+ }
100+ grub_free (cache->lv);
101+ grub_free (cache->origin);
102+ grub_free (cache->cache_pool);
103+ grub_free (cache);
104+ }
105+}
106+
107 static struct grub_diskfilter_vg *
108 grub_lvm_detect (grub_disk_t disk,
109 struct grub_diskfilter_pv_id *id,
110@@ -242,6 +278,8 @@ grub_lvm_detect (grub_disk_t disk,
111
112 if (! vg)
113 {
114+ struct cache_lv *cache_lvs = NULL;
115+
116 /* First time we see this volume group. We've to create the
117 whole volume group structure. */
118 vg = grub_malloc (sizeof (*vg));
119@@ -671,6 +709,106 @@ grub_lvm_detect (grub_disk_t disk,
120 seg->nodes[seg->node_count - 1].name = tmp;
121 }
122 }
123+ else if (grub_memcmp (p, "cache\"",
124+ sizeof ("cache\"") - 1) == 0)
125+ {
126+ struct cache_lv *cache = NULL;
127+
128+ char *p2, *p3;
129+ grub_size_t sz;
130+
131+ cache = grub_zalloc (sizeof (*cache));
132+ if (!cache)
133+ goto cache_lv_fail;
134+ cache->lv = grub_zalloc (sizeof (*cache->lv));
135+ if (!cache->lv)
136+ goto cache_lv_fail;
137+ grub_memcpy (cache->lv, lv, sizeof (*cache->lv));
138+
139+ if (lv->fullname)
140+ {
141+ cache->lv->fullname = grub_strdup (lv->fullname);
142+ if (!cache->lv->fullname)
143+ goto cache_lv_fail;
144+ }
145+ if (lv->idname)
146+ {
147+ cache->lv->idname = grub_strdup (lv->idname);
148+ if (!cache->lv->idname)
149+ goto cache_lv_fail;
150+ }
151+ if (lv->name)
152+ {
153+ cache->lv->name = grub_strdup (lv->name);
154+ if (!cache->lv->name)
155+ goto cache_lv_fail;
156+ }
157+
158+ skip_lv = 1;
159+
160+ p2 = grub_strstr (p, "cache_pool = \"");
161+ if (!p2)
162+ goto cache_lv_fail;
163+
164+ p2 = grub_strchr (p2, '"');
165+ if (!p2)
166+ goto cache_lv_fail;
167+
168+ p3 = ++p2;
169+ p3 = grub_strchr (p3, '"');
170+ if (!p3)
171+ goto cache_lv_fail;
172+
173+ sz = p3 - p2;
174+
175+ cache->cache_pool = grub_malloc (sz + 1);
176+ if (!cache->cache_pool)
177+ goto cache_lv_fail;
178+ grub_memcpy (cache->cache_pool, p2, sz);
179+ cache->cache_pool[sz] = '\0';
180+
181+ p2 = grub_strstr (p, "origin = \"");
182+ if (!p2)
183+ goto cache_lv_fail;
184+
185+ p2 = grub_strchr (p2, '"');
186+ if (!p2)
187+ goto cache_lv_fail;
188+
189+ p3 = ++p2;
190+ p3 = grub_strchr (p3, '"');
191+ if (!p3)
192+ goto cache_lv_fail;
193+
194+ sz = p3 - p2;
195+
196+ cache->origin = grub_malloc (sz + 1);
197+ if (!cache->origin)
198+ goto cache_lv_fail;
199+ grub_memcpy (cache->origin, p2, sz);
200+ cache->origin[sz] = '\0';
201+
202+ cache->next = cache_lvs;
203+ cache_lvs = cache;
204+ break;
205+
206+ cache_lv_fail:
207+ if (cache)
208+ {
209+ grub_free (cache->origin);
210+ grub_free (cache->cache_pool);
211+ if (cache->lv)
212+ {
213+ grub_free (cache->lv->fullname);
214+ grub_free (cache->lv->idname);
215+ grub_free (cache->lv->name);
216+ }
217+ grub_free (cache->lv);
218+ grub_free (cache);
219+ }
220+ grub_lvm_free_cache_lvs (cache_lvs);
221+ goto fail4;
222+ }
223 else
224 {
225 #ifdef GRUB_UTIL
226@@ -747,6 +885,58 @@ grub_lvm_detect (grub_disk_t disk,
227 }
228
229 }
230+
231+ {
232+ struct cache_lv *cache;
233+
234+ for (cache = cache_lvs; cache; cache = cache->next)
235+ {
236+ struct grub_diskfilter_lv *lv;
237+
238+ for (lv = vg->lvs; lv; lv = lv->next)
239+ if (grub_strcmp (lv->name, cache->origin) == 0)
240+ break;
241+ if (lv)
242+ {
243+ cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
244+ if (!cache->lv->segments)
245+ {
246+ grub_lvm_free_cache_lvs (cache_lvs);
247+ goto fail4;
248+ }
249+ grub_memcpy (cache->lv->segments, lv->segments, lv->segment_count * sizeof (*lv->segments));
250+
251+ for (i = 0; i < lv->segment_count; ++i)
252+ {
253+ struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
254+ grub_size_t node_count = lv->segments[i].node_count;
255+
256+ cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
257+ if (!cache->lv->segments[i].nodes)
258+ {
259+ for (j = 0; j < i; ++j)
260+ grub_free (cache->lv->segments[j].nodes);
261+ grub_free (cache->lv->segments);
262+ cache->lv->segments = NULL;
263+ grub_lvm_free_cache_lvs (cache_lvs);
264+ goto fail4;
265+ }
266+ grub_memcpy (cache->lv->segments[i].nodes, nodes, node_count * sizeof (*nodes));
267+ }
268+
269+ if (cache->lv->segments)
270+ {
271+ cache->lv->segment_count = lv->segment_count;
272+ cache->lv->vg = vg;
273+ cache->lv->next = vg->lvs;
274+ vg->lvs = cache->lv;
275+ cache->lv = NULL;
276+ }
277+ }
278+ }
279+ }
280+
281+ grub_lvm_free_cache_lvs (cache_lvs);
282 if (grub_diskfilter_vg_register (vg))
283 goto fail4;
284 }
285--
2862.14.4
287
diff --git a/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch b/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch
deleted file mode 100644
index 29021e8d8f..0000000000
--- a/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch
+++ /dev/null
@@ -1,94 +0,0 @@
1From 06c361a71c4998635493610e5d76d0d223925251 Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Mon, 15 Jun 2020 10:58:42 -0400
4Subject: [PATCH 5/9] safemath: Add some arithmetic primitives that check for
5 overflow
6
7This adds a new header, include/grub/safemath.h, that includes easy to
8use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
9
10 bool OP(a, b, res)
11
12where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
13case where the operation would overflow and res is not modified.
14Otherwise, false is returned and the operation is executed.
15
16These arithmetic primitives require newer compiler versions. So, bump
17these requirements in the INSTALL file too.
18
19Upstream-Status: Backport [commit 68708c4503018d61dbcce7ac11cbb511d6425f4d
20from https://git.savannah.gnu.org/git/grub.git]
21
22Signed-off-by: Peter Jones <pjones@redhat.com>
23Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
24[YL: omit the change to INSTALL from original patch]
25Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
26---
27 include/grub/compiler.h | 8 ++++++++
28 include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
29 2 files changed, 45 insertions(+)
30 create mode 100644 include/grub/safemath.h
31
32diff --git a/include/grub/compiler.h b/include/grub/compiler.h
33index c9e1d7a..8f3be3a 100644
34--- a/include/grub/compiler.h
35+++ b/include/grub/compiler.h
36@@ -48,4 +48,12 @@
37 # define WARN_UNUSED_RESULT
38 #endif
39
40+#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
41+# define CLANG_PREREQ(maj,min) \
42+ ((__clang_major__ > (maj)) || \
43+ (__clang_major__ == (maj) && __clang_minor__ >= (min)))
44+#else
45+# define CLANG_PREREQ(maj,min) 0
46+#endif
47+
48 #endif /* ! GRUB_COMPILER_HEADER */
49diff --git a/include/grub/safemath.h b/include/grub/safemath.h
50new file mode 100644
51index 0000000..c17b89b
52--- /dev/null
53+++ b/include/grub/safemath.h
54@@ -0,0 +1,37 @@
55+/*
56+ * GRUB -- GRand Unified Bootloader
57+ * Copyright (C) 2020 Free Software Foundation, Inc.
58+ *
59+ * GRUB is free software: you can redistribute it and/or modify
60+ * it under the terms of the GNU General Public License as published by
61+ * the Free Software Foundation, either version 3 of the License, or
62+ * (at your option) any later version.
63+ *
64+ * GRUB is distributed in the hope that it will be useful,
65+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
66+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
67+ * GNU General Public License for more details.
68+ *
69+ * You should have received a copy of the GNU General Public License
70+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
71+ *
72+ * Arithmetic operations that protect against overflow.
73+ */
74+
75+#ifndef GRUB_SAFEMATH_H
76+#define GRUB_SAFEMATH_H 1
77+
78+#include <grub/compiler.h>
79+
80+/* These appear in gcc 5.1 and clang 3.8. */
81+#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
82+
83+#define grub_add(a, b, res) __builtin_add_overflow(a, b, res)
84+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
85+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
86+
87+#else
88+#error gcc 5.1 or newer or clang 3.8 or newer is required
89+#endif
90+
91+#endif /* GRUB_SAFEMATH_H */
92--
932.14.4
94
diff --git a/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch b/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch
deleted file mode 100644
index 84a80d5ffd..0000000000
--- a/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1From e219bad8cee67b2bb21712df8f055706f8da25d2 Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Fri, 10 Jul 2020 11:21:14 +0100
4Subject: [PATCH 7/9] script: Remove unused fields from grub_script_function
5 struct
6
7Upstream-Status: Backport [commit 1a8d9c9b4ab6df7669b5aa36a56477f297825b96
8from https://git.savannah.gnu.org/git/grub.git]
9
10Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
11Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
13---
14 include/grub/script_sh.h | 5 -----
15 1 file changed, 5 deletions(-)
16
17diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
18index 360c2be..b382bcf 100644
19--- a/include/grub/script_sh.h
20+++ b/include/grub/script_sh.h
21@@ -359,13 +359,8 @@ struct grub_script_function
22 /* The script function. */
23 struct grub_script *func;
24
25- /* The flags. */
26- unsigned flags;
27-
28 /* The next element. */
29 struct grub_script_function *next;
30-
31- int references;
32 };
33 typedef struct grub_script_function *grub_script_function_t;
34
35--
362.14.4
37
diff --git a/meta/recipes-bsp/grub/grub-efi_2.04.bb b/meta/recipes-bsp/grub/grub-efi_git.bb
index 287845c507..240fde7dbf 100644
--- a/meta/recipes-bsp/grub/grub-efi_2.04.bb
+++ b/meta/recipes-bsp/grub/grub-efi_git.bb
@@ -11,8 +11,6 @@ SRC_URI += " \
11 file://cfg \ 11 file://cfg \
12 " 12 "
13 13
14S = "${WORKDIR}/grub-${PV}"
15
16# Determine the target arch for the grub modules 14# Determine the target arch for the grub modules
17python __anonymous () { 15python __anonymous () {
18 import re 16 import re
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index f870d41f6a..bcff676c26 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -13,25 +13,23 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
13 13
14CVE_PRODUCT = "grub2" 14CVE_PRODUCT = "grub2"
15 15
16SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ 16SRC_URI = "https://alpha.gnu.org/gnu/grub/grub-${REALPV}.tar.xz \
17 file://0001-Disable-mfpmath-sse-as-well-when-SSE-is-disabled.patch \ 17 file://0001-Disable-mfpmath-sse-as-well-when-SSE-is-disabled.patch \
18 file://autogen.sh-exclude-pc.patch \ 18 file://autogen.sh-exclude-pc.patch \
19 file://grub-module-explicitly-keeps-symbole-.module_license.patch \ 19 file://grub-module-explicitly-keeps-symbole-.module_license.patch \
20 file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ 20 file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
21 file://CVE-2020-10713.patch \
22 file://calloc-Make-sure-we-always-have-an-overflow-checking.patch \
23 file://lvm-Add-LVM-cache-logical-volume-handling.patch \
24 file://CVE-2020-14308-calloc-Use-calloc-at-most-places.patch \
25 file://safemath-Add-some-arithmetic-primitives-that-check-f.patch \
26 file://CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch \
27 file://script-Remove-unused-fields-from-grub_script_functio.patch \
28 file://CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
29 file://CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
30 file://6643507ce30f775008e093580f0c9499dfb2c485.patch \
31 file://determinism.patch \ 21 file://determinism.patch \
32" 22"
33SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" 23
34SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" 24SRC_URI[sha256sum] = "2c87f1f21e2ab50043e6cd9163c08f1b6c3a6171556bf23ff9ed65b074145484"
25
26REALPV = "2.06~rc1"
27PV = "2.04+${REALPV}"
28
29S = "${WORKDIR}/grub-${REALPV}"
30
31UPSTREAM_CHECK_URI = "${GNU_MIRROR}/grub"
32UPSTREAM_CHECK_REGEX = "grub-(?P<pver>\d+(\.\d+)+)\.tar\.(gz|xz)"
35 33
36DEPENDS = "flex-native bison-native gettext-native" 34DEPENDS = "flex-native bison-native gettext-native"
37 35
diff --git a/meta/recipes-bsp/grub/grub_2.04.bb b/meta/recipes-bsp/grub/grub_git.bb
index d4e09faa40..d4e09faa40 100644
--- a/meta/recipes-bsp/grub/grub_2.04.bb
+++ b/meta/recipes-bsp/grub/grub_git.bb
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-01-24 10:02:24 +0000