grub: patch CVE-2025-0678 and CVE-2025-1125

Cherry-pick patch mentioning these CVEs. (From OE-Core rev: 9d0422bfb97c01e4326dcad59a1fe8842d4cec90) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-03-11 19:10:00 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-03-13 11:00:36 +0000
commit: 42b745435f94b6dfe364ec0ca44653d2ed88ff62 (patch)
tree: c0b0ac308c9e20d5f832c54d4ee93dfca1507658 /meta/recipes-bsp/grub/files
parent: ce5affae93543a0f031b279914fd61fc556f6ed2 (diff)
download: poky-42b745435f94b6dfe364ec0ca44653d2ed88ff62.tar.gz
1 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
new file mode 100644
index 0000000000..14e67cf35b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
@@ -0,0 +1,87 @@
+From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Tue, 21 Jan 2025 19:02:37 +0000
+Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays
+Use grub_calloc() when allocating memory for arrays to ensure proper
+overflow checks are in place.
+The HFS+ and squash4 security vulnerabilities were reported by
+Jonathan Bar Or <jonathanbaror@gmail.com>.
+Fixes: CVE-2025-0678
+Fixes: CVE-2025-1125
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+CVE: CVE-2025-0678
+CVE: CVE-2025-1125
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/btrfs.c       | 4 ++--
+ grub-core/fs/hfspluscomp.c | 9 +++++++--
+ grub-core/fs/squash4.c     | 8 ++++----
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 0625b1166..9c1e925c9 100644
+--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
+@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
+     }
+ 
+   data->n_devices_allocated = 16;
+-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
+-                                       * data->n_devices_allocated);
+  data->devices_attached = grub_calloc (data->n_devices_allocated,
+                                       sizeof (data->devices_attached[0]));
+   if (!data->devices_attached)
+     {
+       grub_free (data);
+diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
+index 48ae438d8..a80954ee6 100644
+--- a/grub-core/fs/hfspluscomp.c
+++ b/grub-core/fs/hfspluscomp.c
+@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
+          return 0;
+        }
+       node->compress_index_size = grub_le_to_cpu32 (index_size);
+-      node->compress_index = grub_malloc (node->compress_index_size
+-                                         * sizeof (node->compress_index[0]));
+      node->compress_index = grub_calloc (node->compress_index_size,
+                                         sizeof (node->compress_index[0]));
+       if (!node->compress_index)
+        {
+          node->compressed = 0;
+          grub_free (attr_node);
+          return grub_errno;
+        }
+
+      /*
+       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
+       * due to relevant checks done in grub_calloc() above.
+       */
+       if (grub_hfsplus_read_file (node, 0, 0,
+                                  0x104 + sizeof (index_size),
+                                  node->compress_index_size
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index f91ff3bfa..cf2bca822 100644
+--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
+@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,
+          break;
+        }
+       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
+-      ino->block_sizes = grub_malloc (total_blocks
+-                                     * sizeof (ino->block_sizes[0]));
+-      ino->cumulated_block_sizes = grub_malloc (total_blocks
+-                                               * sizeof (ino->cumulated_block_sizes[0]));
+      ino->block_sizes = grub_calloc (total_blocks,
+                                     sizeof (ino->block_sizes[0]));
+      ino->cumulated_block_sizes = grub_calloc (total_blocks,
+                                               sizeof (ino->cumulated_block_sizes[0]));
+       if (!ino->block_sizes || !ino->cumulated_block_sizes)
+        {
+          grub_free (ino->block_sizes);
author	Peter Marko <peter.marko@siemens.com>	2025-03-11 19:10:00 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-03-13 11:00:36 +0000
commit	42b745435f94b6dfe364ec0ca44653d2ed88ff62 (patch)
tree	c0b0ac308c9e20d5f832c54d4ee93dfca1507658 /meta/recipes-bsp/grub/files
parent	ce5affae93543a0f031b279914fd61fc556f6ed2 (diff)
download	poky-42b745435f94b6dfe364ec0ca44653d2ed88ff62.tar.gz

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch new file mode 100644 index 0000000000..14e67cf35b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
@@ -0,0 +1,87 @@
	1	From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001
	2	From: Lidong Chen <lidong.chen@oracle.com>
	3	Date: Tue, 21 Jan 2025 19:02:37 +0000
	4	Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays
	5
	6	Use grub_calloc() when allocating memory for arrays to ensure proper
	7	overflow checks are in place.
	8
	9	The HFS+ and squash4 security vulnerabilities were reported by
	10	Jonathan Bar Or <jonathanbaror@gmail.com>.
	11
	12	Fixes: CVE-2025-0678
	13	Fixes: CVE-2025-1125
	14
	15	Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
	16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	17
	18	CVE: CVE-2025-0678
	19	CVE: CVE-2025-1125
	20	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e]
	21	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	22	---
	23	grub-core/fs/btrfs.c \| 4 ++--
	24	grub-core/fs/hfspluscomp.c \| 9 +++++++--
	25	grub-core/fs/squash4.c \| 8 ++++----
	26	3 files changed, 13 insertions(+), 8 deletions(-)
	27
	28	diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
	29	index 0625b1166..9c1e925c9 100644
	30	--- a/grub-core/fs/btrfs.c
	31	+++ b/grub-core/fs/btrfs.c
	32	@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
	33	}
	34
	35	data->n_devices_allocated = 16;
	36	- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
	37	- * data->n_devices_allocated);
	38	+ data->devices_attached = grub_calloc (data->n_devices_allocated,
	39	+ sizeof (data->devices_attached[0]));
	40	if (!data->devices_attached)
	41	{
	42	grub_free (data);
	43	diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
	44	index 48ae438d8..a80954ee6 100644
	45	--- a/grub-core/fs/hfspluscomp.c
	46	+++ b/grub-core/fs/hfspluscomp.c
	47	@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
	48	return 0;
	49	}
	50	node->compress_index_size = grub_le_to_cpu32 (index_size);
	51	- node->compress_index = grub_malloc (node->compress_index_size
	52	- * sizeof (node->compress_index[0]));
	53	+ node->compress_index = grub_calloc (node->compress_index_size,
	54	+ sizeof (node->compress_index[0]));
	55	if (!node->compress_index)
	56	{
	57	node->compressed = 0;
	58	grub_free (attr_node);
	59	return grub_errno;
	60	}
	61	+
	62	+ /*
	63	+ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
	64	+ * due to relevant checks done in grub_calloc() above.
	65	+ */
	66	if (grub_hfsplus_read_file (node, 0, 0,
	67	0x104 + sizeof (index_size),
	68	node->compress_index_size
	69	diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
	70	index f91ff3bfa..cf2bca822 100644
	71	--- a/grub-core/fs/squash4.c
	72	+++ b/grub-core/fs/squash4.c
	73	@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,
	74	break;
	75	}
	76	total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
	77	- ino->block_sizes = grub_malloc (total_blocks
	78	- * sizeof (ino->block_sizes[0]));
	79	- ino->cumulated_block_sizes = grub_malloc (total_blocks
	80	- * sizeof (ino->cumulated_block_sizes[0]));
	81	+ ino->block_sizes = grub_calloc (total_blocks,
	82	+ sizeof (ino->block_sizes[0]));
	83	+ ino->cumulated_block_sizes = grub_calloc (total_blocks,
	84	+ sizeof (ino->cumulated_block_sizes[0]));
	85	if (!ino->block_sizes \|\| !ino->cumulated_block_sizes)
	86	{
	87	grub_free (ino->block_sizes);