2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
new file mode 100644
index 0000000000..be585c96ad
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
@@ -0,0 +1,73 @@
+From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
+From: Jonathan Bar Or <jonathanbaror@gmail.com>
+Date: Thu, 23 Jan 2025 19:17:05 +0100
+Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
+ than 2^31 characters
+The grub_getline() function currently has a signed integer variable "i"
+that can be overflown when user supplies more than 2^31 characters.
+It results in a memory corruption of the allocated line buffer as well
+as supplying large negative values to grub_realloc().
+Fixes: CVE-2025-0690
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+CVE: CVE-2025-0690
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/commands/read.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
+index 597c90706..8d72e45c9 100644
+--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
+@@ -25,6 +25,7 @@
+ #include <grub/types.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] =
+ static char *
+ grub_getline (int silent)
+ {
+-  int i;
+  grub_size_t i;
+   char *line;
+   char *tmp;
+   int c;
+  grub_size_t alloc_size;
+ 
+   i = 0;
+-  line = grub_malloc (1 + i + sizeof('\0'));
+  line = grub_malloc (1 + sizeof('\0'));
+   if (! line)
+     return NULL;
+ 
+@@ -59,8 +61,17 @@ grub_getline (int silent)
+       line[i] = (char) c;
+       if (!silent)
+        grub_printf ("%c", c);
+-      i++;
+-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+      if (grub_add (i, 1, &i))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      tmp = grub_realloc (line, alloc_size);
+       if (! tmp)
+        {
+          grub_free (line);
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 160dfc5d2b..2c61fb66bc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -31,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2025-0622-03.patch \
           file://CVE-2024-45776.patch \
           file://CVE-2024-45777.patch \
+           file://CVE-2025-0690.patch \
 "
 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch new file mode 100644 index 0000000000..be585c96ad --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
@@ -0,0 +1,73 @@
		1	From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
		2	From: Jonathan Bar Or <jonathanbaror@gmail.com>
		3	Date: Thu, 23 Jan 2025 19:17:05 +0100
		4	Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
		5	than 2^31 characters
		6
		7	The grub_getline() function currently has a signed integer variable "i"
		8	that can be overflown when user supplies more than 2^31 characters.
		9	It results in a memory corruption of the allocated line buffer as well
		10	as supplying large negative values to grub_realloc().
		11
		12	Fixes: CVE-2025-0690
		13
		14	Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
		15	Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
		16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		17
		18	CVE: CVE-2025-0690
		19	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
		20	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		21	---
		22	grub-core/commands/read.c \| 19 +++++++++++++++----
		23	1 file changed, 15 insertions(+), 4 deletions(-)
		24
		25	diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
		26	index 597c90706..8d72e45c9 100644
		27	--- a/grub-core/commands/read.c
		28	+++ b/grub-core/commands/read.c
		29	@@ -25,6 +25,7 @@
		30	#include <grub/types.h>
		31	#include <grub/extcmd.h>
		32	#include <grub/i18n.h>
		33	+#include <grub/safemath.h>
		34
		35	GRUB_MOD_LICENSE ("GPLv3+");
		36
		37	@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] =
		38	static char *
		39	grub_getline (int silent)
		40	{
		41	- int i;
		42	+ grub_size_t i;
		43	char *line;
		44	char *tmp;
		45	int c;
		46	+ grub_size_t alloc_size;
		47
		48	i = 0;
		49	- line = grub_malloc (1 + i + sizeof('\0'));
		50	+ line = grub_malloc (1 + sizeof('\0'));
		51	if (! line)
		52	return NULL;
		53
		54	@@ -59,8 +61,17 @@ grub_getline (int silent)
		55	line[i] = (char) c;
		56	if (!silent)
		57	grub_printf ("%c", c);
		58	- i++;
		59	- tmp = grub_realloc (line, 1 + i + sizeof('\0'));
		60	+ if (grub_add (i, 1, &i))
		61	+ {
		62	+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
		63	+ return NULL;
		64	+ }
		65	+ if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
		66	+ {
		67	+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
		68	+ return NULL;
		69	+ }
		70	+ tmp = grub_realloc (line, alloc_size);
		71	if (! tmp)
		72	{
		73	grub_free (line);


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 160dfc5d2b..2c61fb66bc 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -31,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
31	file://CVE-2025-0622-03.patch \	31	file://CVE-2025-0622-03.patch \
32	file://CVE-2024-45776.patch \	32	file://CVE-2024-45776.patch \
33	file://CVE-2024-45777.patch \	33	file://CVE-2024-45777.patch \
		34	file://CVE-2025-0690.patch \
34	"	35	"
35		36
36	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"	37	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"