diff options
11 files changed, 1621 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch new file mode 100644 index 0000000000..7f7bb1acfe --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch | |||
| @@ -0,0 +1,179 @@ | |||
| 1 | From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Tue, 6 Jul 2021 18:51:35 +1000 | ||
| 4 | Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap | ||
| 5 | out-of-bounds write | ||
| 6 | |||
| 7 | A 16-bit greyscale PNG without alpha is processed in the following loop: | ||
| 8 | |||
| 9 | for (i = 0; i < (data->image_width * data->image_height); | ||
| 10 | i++, d1 += 4, d2 += 2) | ||
| 11 | { | ||
| 12 | d1[R3] = d2[1]; | ||
| 13 | d1[G3] = d2[1]; | ||
| 14 | d1[B3] = d2[1]; | ||
| 15 | } | ||
| 16 | |||
| 17 | The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, | ||
| 18 | but there are only 3 bytes allocated for storage. This means that image | ||
| 19 | data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes | ||
| 20 | out of every 4 following the end of the image. | ||
| 21 | |||
| 22 | This has existed since greyscale support was added in 2013 in commit | ||
| 23 | 3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). | ||
| 24 | |||
| 25 | Saving starfield.png as a 16-bit greyscale image without alpha in the gimp | ||
| 26 | and attempting to load it causes grub-emu to crash - I don't think this code | ||
| 27 | has ever worked. | ||
| 28 | |||
| 29 | Delete all PNG greyscale support. | ||
| 30 | |||
| 31 | Fixes: CVE-2021-3695 | ||
| 32 | |||
| 33 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 34 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 35 | |||
| 36 | Upstream-Status: Backport | ||
| 37 | CVE: CVE-2021-3695 | ||
| 38 | |||
| 39 | Reference to upstream patch: | ||
| 40 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e623866d9286410156e8b9d2c82d6253a1b22d08 | ||
| 41 | |||
| 42 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 43 | --- | ||
| 44 | grub-core/video/readers/png.c | 87 +++-------------------------------- | ||
| 45 | 1 file changed, 7 insertions(+), 80 deletions(-) | ||
| 46 | |||
| 47 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
| 48 | index 35ae553c8..a3161e25b 100644 | ||
| 49 | --- a/grub-core/video/readers/png.c | ||
| 50 | +++ b/grub-core/video/readers/png.c | ||
| 51 | @@ -100,7 +100,7 @@ struct grub_png_data | ||
| 52 | |||
| 53 | unsigned image_width, image_height; | ||
| 54 | int bpp, is_16bit; | ||
| 55 | - int raw_bytes, is_gray, is_alpha, is_palette; | ||
| 56 | + int raw_bytes, is_alpha, is_palette; | ||
| 57 | int row_bytes, color_bits; | ||
| 58 | grub_uint8_t *image_data; | ||
| 59 | |||
| 60 | @@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
| 61 | data->bpp = 3; | ||
| 62 | else | ||
| 63 | { | ||
| 64 | - data->is_gray = 1; | ||
| 65 | - data->bpp = 1; | ||
| 66 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 67 | + "png: color type not supported"); | ||
| 68 | } | ||
| 69 | |||
| 70 | if ((color_bits != 8) && (color_bits != 16) | ||
| 71 | && (color_bits != 4 | ||
| 72 | - || !(data->is_gray || data->is_palette))) | ||
| 73 | + || !data->is_palette)) | ||
| 74 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 75 | "png: bit depth must be 8 or 16"); | ||
| 76 | |||
| 77 | @@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
| 78 | } | ||
| 79 | |||
| 80 | #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||
| 81 | - if (data->is_16bit || data->is_gray || data->is_palette) | ||
| 82 | + if (data->is_16bit || data->is_palette) | ||
| 83 | #endif | ||
| 84 | { | ||
| 85 | data->image_data = grub_calloc (data->image_height, data->row_bytes); | ||
| 86 | @@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data) | ||
| 87 | int shift; | ||
| 88 | int mask = (1 << data->color_bits) - 1; | ||
| 89 | unsigned j; | ||
| 90 | - if (data->is_gray) | ||
| 91 | - { | ||
| 92 | - /* Generic formula is | ||
| 93 | - (0xff * i) / ((1U << data->color_bits) - 1) | ||
| 94 | - but for allowed bit depth of 1, 2 and for it's | ||
| 95 | - equivalent to | ||
| 96 | - (0xff / ((1U << data->color_bits) - 1)) * i | ||
| 97 | - Precompute the multipliers to avoid division. | ||
| 98 | - */ | ||
| 99 | - | ||
| 100 | - const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 }; | ||
| 101 | - for (i = 0; i < (1U << data->color_bits); i++) | ||
| 102 | - { | ||
| 103 | - grub_uint8_t col = multipliers[data->color_bits] * i; | ||
| 104 | - palette[i][0] = col; | ||
| 105 | - palette[i][1] = col; | ||
| 106 | - palette[i][2] = col; | ||
| 107 | - } | ||
| 108 | - } | ||
| 109 | - else | ||
| 110 | - grub_memcpy (palette, data->palette, 3 << data->color_bits); | ||
| 111 | + | ||
| 112 | + grub_memcpy (palette, data->palette, 3 << data->color_bits); | ||
| 113 | d1c = d1; | ||
| 114 | d2c = d2; | ||
| 115 | for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3, | ||
| 116 | @@ -957,60 +938,6 @@ grub_png_convert_image (struct grub_png_data *data) | ||
| 117 | return; | ||
| 118 | } | ||
| 119 | |||
| 120 | - if (data->is_gray) | ||
| 121 | - { | ||
| 122 | - switch (data->bpp) | ||
| 123 | - { | ||
| 124 | - case 4: | ||
| 125 | - /* 16-bit gray with alpha. */ | ||
| 126 | - for (i = 0; i < (data->image_width * data->image_height); | ||
| 127 | - i++, d1 += 4, d2 += 4) | ||
| 128 | - { | ||
| 129 | - d1[R4] = d2[3]; | ||
| 130 | - d1[G4] = d2[3]; | ||
| 131 | - d1[B4] = d2[3]; | ||
| 132 | - d1[A4] = d2[1]; | ||
| 133 | - } | ||
| 134 | - break; | ||
| 135 | - case 2: | ||
| 136 | - if (data->is_16bit) | ||
| 137 | - /* 16-bit gray without alpha. */ | ||
| 138 | - { | ||
| 139 | - for (i = 0; i < (data->image_width * data->image_height); | ||
| 140 | - i++, d1 += 4, d2 += 2) | ||
| 141 | - { | ||
| 142 | - d1[R3] = d2[1]; | ||
| 143 | - d1[G3] = d2[1]; | ||
| 144 | - d1[B3] = d2[1]; | ||
| 145 | - } | ||
| 146 | - } | ||
| 147 | - else | ||
| 148 | - /* 8-bit gray with alpha. */ | ||
| 149 | - { | ||
| 150 | - for (i = 0; i < (data->image_width * data->image_height); | ||
| 151 | - i++, d1 += 4, d2 += 2) | ||
| 152 | - { | ||
| 153 | - d1[R4] = d2[1]; | ||
| 154 | - d1[G4] = d2[1]; | ||
| 155 | - d1[B4] = d2[1]; | ||
| 156 | - d1[A4] = d2[0]; | ||
| 157 | - } | ||
| 158 | - } | ||
| 159 | - break; | ||
| 160 | - /* 8-bit gray without alpha. */ | ||
| 161 | - case 1: | ||
| 162 | - for (i = 0; i < (data->image_width * data->image_height); | ||
| 163 | - i++, d1 += 3, d2++) | ||
| 164 | - { | ||
| 165 | - d1[R3] = d2[0]; | ||
| 166 | - d1[G3] = d2[0]; | ||
| 167 | - d1[B3] = d2[0]; | ||
| 168 | - } | ||
| 169 | - break; | ||
| 170 | - } | ||
| 171 | - return; | ||
| 172 | - } | ||
| 173 | - | ||
| 174 | { | ||
| 175 | /* Only copy the upper 8 bit. */ | ||
| 176 | #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||
| 177 | -- | ||
| 178 | 2.34.1 | ||
| 179 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch new file mode 100644 index 0000000000..f06514e665 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch | |||
| @@ -0,0 +1,50 @@ | |||
| 1 | From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Tue, 6 Jul 2021 23:25:07 +1000 | ||
| 4 | Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table | ||
| 5 | items | ||
| 6 | |||
| 7 | In fuzzing we observed crashes where a code would attempt to be inserted | ||
| 8 | into a huffman table before the start, leading to a set of heap OOB reads | ||
| 9 | and writes as table entries with negative indices were shifted around and | ||
| 10 | the new code written in. | ||
| 11 | |||
| 12 | Catch the case where we would underflow the array and bail. | ||
| 13 | |||
| 14 | Fixes: CVE-2021-3696 | ||
| 15 | |||
| 16 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 17 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 18 | |||
| 19 | Upstream-Status: Backport | ||
| 20 | CVE: CVE-2021-3696 | ||
| 21 | |||
| 22 | Reference to upstream patch: | ||
| 23 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042 | ||
| 24 | |||
| 25 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 26 | --- | ||
| 27 | grub-core/video/readers/png.c | 7 +++++++ | ||
| 28 | 1 file changed, 7 insertions(+) | ||
| 29 | |||
| 30 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
| 31 | index a3161e25b..d7ed5aa6c 100644 | ||
| 32 | --- a/grub-core/video/readers/png.c | ||
| 33 | +++ b/grub-core/video/readers/png.c | ||
| 34 | @@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) | ||
| 35 | for (i = len; i < ht->max_length; i++) | ||
| 36 | n += ht->maxval[i]; | ||
| 37 | |||
| 38 | + if (n > ht->num_values) | ||
| 39 | + { | ||
| 40 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 41 | + "png: out of range inserting huffman table item"); | ||
| 42 | + return; | ||
| 43 | + } | ||
| 44 | + | ||
| 45 | for (i = 0; i < n; i++) | ||
| 46 | ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; | ||
| 47 | |||
| 48 | -- | ||
| 49 | 2.34.1 | ||
| 50 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch new file mode 100644 index 0000000000..e9fc52df86 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch | |||
| @@ -0,0 +1,84 @@ | |||
| 1 | From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Wed, 7 Jul 2021 15:38:19 +1000 | ||
| 4 | Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write | ||
| 5 | |||
| 6 | Certain 1 px wide images caused a wild pointer write in | ||
| 7 | grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), | ||
| 8 | we have the following loop: | ||
| 9 | |||
| 10 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
| 11 | data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
| 12 | |||
| 13 | We did not check if vb * width >= hb * nc1. | ||
| 14 | |||
| 15 | On a 64-bit platform, if that turns out to be negative, it will underflow, | ||
| 16 | be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so | ||
| 17 | we see data->bitmap_ptr jump, e.g.: | ||
| 18 | |||
| 19 | 0x6180_0000_0480 to | ||
| 20 | 0x6181_0000_0498 | ||
| 21 | ^ | ||
| 22 | ~--- carry has occurred and this pointer is now far away from | ||
| 23 | any object. | ||
| 24 | |||
| 25 | On a 32-bit platform, it will decrement the pointer, creating a pointer | ||
| 26 | that won't crash but will overwrite random data. | ||
| 27 | |||
| 28 | Catch the underflow and error out. | ||
| 29 | |||
| 30 | Fixes: CVE-2021-3697 | ||
| 31 | |||
| 32 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 33 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 34 | |||
| 35 | Upstream-Status: Backport | ||
| 36 | CVE: CVE-2021-3697 | ||
| 37 | |||
| 38 | Reference to upstream patch: | ||
| 39 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 | ||
| 40 | |||
| 41 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 42 | --- | ||
| 43 | grub-core/video/readers/jpeg.c | 10 +++++++++- | ||
| 44 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
| 45 | |||
| 46 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
| 47 | index 579bbe8a4..09596fbf5 100644 | ||
| 48 | --- a/grub-core/video/readers/jpeg.c | ||
| 49 | +++ b/grub-core/video/readers/jpeg.c | ||
| 50 | @@ -23,6 +23,7 @@ | ||
| 51 | #include <grub/mm.h> | ||
| 52 | #include <grub/misc.h> | ||
| 53 | #include <grub/bufio.h> | ||
| 54 | +#include <grub/safemath.h> | ||
| 55 | |||
| 56 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
| 57 | |||
| 58 | @@ -699,6 +700,7 @@ static grub_err_t | ||
| 59 | grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| 60 | { | ||
| 61 | unsigned c1, vb, hb, nr1, nc1; | ||
| 62 | + unsigned stride_a, stride_b, stride; | ||
| 63 | int rst = data->dri; | ||
| 64 | grub_err_t err = GRUB_ERR_NONE; | ||
| 65 | |||
| 66 | @@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| 67 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 68 | "jpeg: attempted to decode data before start of stream"); | ||
| 69 | |||
| 70 | + if (grub_mul(vb, data->image_width, &stride_a) || | ||
| 71 | + grub_mul(hb, nc1, &stride_b) || | ||
| 72 | + grub_sub(stride_a, stride_b, &stride)) | ||
| 73 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 74 | + "jpeg: cannot decode image with these dimensions"); | ||
| 75 | + | ||
| 76 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
| 77 | - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
| 78 | + data->r1++, data->bitmap_ptr += stride * 3) | ||
| 79 | for (c1 = 0; c1 < nc1 && (!data->dri || rst); | ||
| 80 | c1++, rst--, data->bitmap_ptr += hb * 3) | ||
| 81 | { | ||
| 82 | -- | ||
| 83 | 2.34.1 | ||
| 84 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch new file mode 100644 index 0000000000..8bf9090f94 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch | |||
| @@ -0,0 +1,63 @@ | |||
| 1 | From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Mon, 20 Dec 2021 19:41:21 +1100 | ||
| 4 | Subject: [PATCH] net/ip: Do IP fragment maths safely | ||
| 5 | |||
| 6 | We can receive packets with invalid IP fragmentation information. This | ||
| 7 | can lead to rsm->total_len underflowing and becoming very large. | ||
| 8 | |||
| 9 | Then, in grub_netbuff_alloc(), we add to this very large number, which can | ||
| 10 | cause it to overflow and wrap back around to a small positive number. | ||
| 11 | The allocation then succeeds, but the resulting buffer is too small and | ||
| 12 | subsequent operations can write past the end of the buffer. | ||
| 13 | |||
| 14 | Catch the underflow here. | ||
| 15 | |||
| 16 | Fixes: CVE-2022-28733 | ||
| 17 | |||
| 18 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 19 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 20 | |||
| 21 | Upstream-Status: Backport | ||
| 22 | CVE: CVE-2022-28733 | ||
| 23 | |||
| 24 | Reference to upstream patch: | ||
| 25 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287 | ||
| 26 | |||
| 27 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 28 | |||
| 29 | --- | ||
| 30 | grub-core/net/ip.c | 10 +++++++++- | ||
| 31 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
| 32 | |||
| 33 | diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c | ||
| 34 | index e3d62e97f..3c3d0be0e 100644 | ||
| 35 | --- a/grub-core/net/ip.c | ||
| 36 | +++ b/grub-core/net/ip.c | ||
| 37 | @@ -25,6 +25,7 @@ | ||
| 38 | #include <grub/net/netbuff.h> | ||
| 39 | #include <grub/mm.h> | ||
| 40 | #include <grub/priority_queue.h> | ||
| 41 | +#include <grub/safemath.h> | ||
| 42 | #include <grub/time.h> | ||
| 43 | |||
| 44 | struct iphdr { | ||
| 45 | @@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, | ||
| 46 | { | ||
| 47 | rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) | ||
| 48 | + (nb->tail - nb->data)); | ||
| 49 | - rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); | ||
| 50 | + | ||
| 51 | + if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), | ||
| 52 | + &rsm->total_len)) | ||
| 53 | + { | ||
| 54 | + grub_dprintf ("net", "IP reassembly size underflow\n"); | ||
| 55 | + return GRUB_ERR_NONE; | ||
| 56 | + } | ||
| 57 | + | ||
| 58 | rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); | ||
| 59 | if (!rsm->asm_netbuff) | ||
| 60 | { | ||
| 61 | -- | ||
| 62 | 2.34.1 | ||
| 63 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch new file mode 100644 index 0000000000..f31167d315 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch | |||
| @@ -0,0 +1,58 @@ | |||
| 1 | From b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Tue, 8 Mar 2022 19:04:40 +1100 | ||
| 4 | Subject: [PATCH] net/http: Error out on headers with LF without CR | ||
| 5 | |||
| 6 | In a similar vein to the previous patch, parse_line() would write | ||
| 7 | a NUL byte past the end of the buffer if there was an HTTP header | ||
| 8 | with a LF rather than a CRLF. | ||
| 9 | |||
| 10 | RFC-2616 says: | ||
| 11 | |||
| 12 | Many HTTP/1.1 header field values consist of words separated by LWS | ||
| 13 | or special characters. These special characters MUST be in a quoted | ||
| 14 | string to be used within a parameter value (as defined in section 3.6). | ||
| 15 | |||
| 16 | We don't support quoted sections or continuation lines, etc. | ||
| 17 | |||
| 18 | If we see an LF that's not part of a CRLF, bail out. | ||
| 19 | |||
| 20 | Fixes: CVE-2022-28734 | ||
| 21 | |||
| 22 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 23 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 24 | |||
| 25 | Upstream-Status: Backport | ||
| 26 | CVE: CVE-2022-28734 | ||
| 27 | |||
| 28 | Reference to upstream patch: | ||
| 29 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 | ||
| 30 | |||
| 31 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 32 | --- | ||
| 33 | grub-core/net/http.c | 8 ++++++++ | ||
| 34 | 1 file changed, 8 insertions(+) | ||
| 35 | |||
| 36 | diff --git a/grub-core/net/http.c b/grub-core/net/http.c | ||
| 37 | index 33a0a28c4..9291a13e2 100644 | ||
| 38 | --- a/grub-core/net/http.c | ||
| 39 | +++ b/grub-core/net/http.c | ||
| 40 | @@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len) | ||
| 41 | char *end = ptr + len; | ||
| 42 | while (end > ptr && *(end - 1) == '\r') | ||
| 43 | end--; | ||
| 44 | + | ||
| 45 | + /* LF without CR. */ | ||
| 46 | + if (end == ptr + len) | ||
| 47 | + { | ||
| 48 | + data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR")); | ||
| 49 | + return GRUB_ERR_NONE; | ||
| 50 | + } | ||
| 51 | *end = 0; | ||
| 52 | + | ||
| 53 | /* Trailing CRLF. */ | ||
| 54 | if (data->in_chunk_len == 1) | ||
| 55 | { | ||
| 56 | -- | ||
| 57 | 2.34.1 | ||
| 58 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch new file mode 100644 index 0000000000..e0ca1eec44 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch | |||
| @@ -0,0 +1,56 @@ | |||
| 1 | From ec6bfd3237394c1c7dbf2fd73417173318d22f4b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Tue, 8 Mar 2022 18:17:03 +1100 | ||
| 4 | Subject: [PATCH] net/http: Fix OOB write for split http headers | ||
| 5 | |||
| 6 | GRUB has special code for handling an http header that is split | ||
| 7 | across two packets. | ||
| 8 | |||
| 9 | The code tracks the end of line by looking for a "\n" byte. The | ||
| 10 | code for split headers has always advanced the pointer just past the | ||
| 11 | end of the line, whereas the code that handles unsplit headers does | ||
| 12 | not advance the pointer. This extra advance causes the length to be | ||
| 13 | one greater, which breaks an assumption in parse_line(), leading to | ||
| 14 | it writing a NUL byte one byte past the end of the buffer where we | ||
| 15 | reconstruct the line from the two packets. | ||
| 16 | |||
| 17 | It's conceivable that an attacker controlled set of packets could | ||
| 18 | cause this to zero out the first byte of the "next" pointer of the | ||
| 19 | grub_mm_region structure following the current_line buffer. | ||
| 20 | |||
| 21 | Do not advance the pointer in the split header case. | ||
| 22 | |||
| 23 | Fixes: CVE-2022-28734 | ||
| 24 | |||
| 25 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 26 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 27 | |||
| 28 | Upstream-Status: Backport | ||
| 29 | CVE: CVE-2022-28734 | ||
| 30 | |||
| 31 | Reference to upstream patch: | ||
| 32 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ec6bfd3237394c1c7dbf2fd73417173318d22f4b | ||
| 33 | |||
| 34 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 35 | --- | ||
| 36 | grub-core/net/http.c | 4 +--- | ||
| 37 | 1 file changed, 1 insertion(+), 3 deletions(-) | ||
| 38 | |||
| 39 | diff --git a/grub-core/net/http.c b/grub-core/net/http.c | ||
| 40 | index f8d7bf0cd..33a0a28c4 100644 | ||
| 41 | --- a/grub-core/net/http.c | ||
| 42 | +++ b/grub-core/net/http.c | ||
| 43 | @@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)), | ||
| 44 | int have_line = 1; | ||
| 45 | char *t; | ||
| 46 | ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data); | ||
| 47 | - if (ptr) | ||
| 48 | - ptr++; | ||
| 49 | - else | ||
| 50 | + if (ptr == NULL) | ||
| 51 | { | ||
| 52 | have_line = 0; | ||
| 53 | ptr = (char *) nb->tail; | ||
| 54 | -- | ||
| 55 | 2.34.1 | ||
| 56 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch b/meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch new file mode 100644 index 0000000000..7a59f10bfb --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch | |||
| @@ -0,0 +1,111 @@ | |||
| 1 | From 6fe755c5c07bb386fda58306bfd19e4a1c974c53 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Julian Andres Klode <julian.klode@canonical.com> | ||
| 3 | Date: Thu, 2 Dec 2021 15:03:53 +0100 | ||
| 4 | Subject: [PATCH] kern/efi/sb: Reject non-kernel files in the shim_lock | ||
| 5 | verifier | ||
| 6 | |||
| 7 | We must not allow other verifiers to pass things like the GRUB modules. | ||
| 8 | Instead of maintaining a blocklist, maintain an allowlist of things | ||
| 9 | that we do not care about. | ||
| 10 | |||
| 11 | This allowlist really should be made reusable, and shared by the | ||
| 12 | lockdown verifier, but this is the minimal patch addressing | ||
| 13 | security concerns where the TPM verifier was able to mark modules | ||
| 14 | as verified (or the OpenPGP verifier for that matter), when it | ||
| 15 | should not do so on shim-powered secure boot systems. | ||
| 16 | |||
| 17 | Fixes: CVE-2022-28735 | ||
| 18 | |||
| 19 | Signed-off-by: Julian Andres Klode <julian.klode@canonical.com> | ||
| 20 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 21 | |||
| 22 | Upstream-Status: Backport | ||
| 23 | CVE:CVE-2022-28735 | ||
| 24 | |||
| 25 | Reference to upstream patch: | ||
| 26 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53 | ||
| 27 | |||
| 28 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 29 | --- | ||
| 30 | grub-core/kern/efi/sb.c | 39 ++++++++++++++++++++++++++++++++++++--- | ||
| 31 | include/grub/verify.h | 1 + | ||
| 32 | 2 files changed, 37 insertions(+), 3 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c | ||
| 35 | index c52ec6226..89c4bb3fd 100644 | ||
| 36 | --- a/grub-core/kern/efi/sb.c | ||
| 37 | +++ b/grub-core/kern/efi/sb.c | ||
| 38 | @@ -119,10 +119,11 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)), | ||
| 39 | void **context __attribute__ ((unused)), | ||
| 40 | enum grub_verify_flags *flags) | ||
| 41 | { | ||
| 42 | - *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; | ||
| 43 | + *flags = GRUB_VERIFY_FLAGS_NONE; | ||
| 44 | |||
| 45 | switch (type & GRUB_FILE_TYPE_MASK) | ||
| 46 | { | ||
| 47 | + /* Files we check. */ | ||
| 48 | case GRUB_FILE_TYPE_LINUX_KERNEL: | ||
| 49 | case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: | ||
| 50 | case GRUB_FILE_TYPE_BSD_KERNEL: | ||
| 51 | @@ -130,11 +131,43 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)), | ||
| 52 | case GRUB_FILE_TYPE_PLAN9_KERNEL: | ||
| 53 | case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: | ||
| 54 | *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK; | ||
| 55 | + return GRUB_ERR_NONE; | ||
| 56 | |||
| 57 | - /* Fall through. */ | ||
| 58 | + /* Files that do not affect secureboot state. */ | ||
| 59 | + case GRUB_FILE_TYPE_NONE: | ||
| 60 | + case GRUB_FILE_TYPE_LOOPBACK: | ||
| 61 | + case GRUB_FILE_TYPE_LINUX_INITRD: | ||
| 62 | + case GRUB_FILE_TYPE_OPENBSD_RAMDISK: | ||
| 63 | + case GRUB_FILE_TYPE_XNU_RAMDISK: | ||
| 64 | + case GRUB_FILE_TYPE_SIGNATURE: | ||
| 65 | + case GRUB_FILE_TYPE_PUBLIC_KEY: | ||
| 66 | + case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST: | ||
| 67 | + case GRUB_FILE_TYPE_PRINT_BLOCKLIST: | ||
| 68 | + case GRUB_FILE_TYPE_TESTLOAD: | ||
| 69 | + case GRUB_FILE_TYPE_GET_SIZE: | ||
| 70 | + case GRUB_FILE_TYPE_FONT: | ||
| 71 | + case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY: | ||
| 72 | + case GRUB_FILE_TYPE_CAT: | ||
| 73 | + case GRUB_FILE_TYPE_HEXCAT: | ||
| 74 | + case GRUB_FILE_TYPE_CMP: | ||
| 75 | + case GRUB_FILE_TYPE_HASHLIST: | ||
| 76 | + case GRUB_FILE_TYPE_TO_HASH: | ||
| 77 | + case GRUB_FILE_TYPE_KEYBOARD_LAYOUT: | ||
| 78 | + case GRUB_FILE_TYPE_PIXMAP: | ||
| 79 | + case GRUB_FILE_TYPE_GRUB_MODULE_LIST: | ||
| 80 | + case GRUB_FILE_TYPE_CONFIG: | ||
| 81 | + case GRUB_FILE_TYPE_THEME: | ||
| 82 | + case GRUB_FILE_TYPE_GETTEXT_CATALOG: | ||
| 83 | + case GRUB_FILE_TYPE_FS_SEARCH: | ||
| 84 | + case GRUB_FILE_TYPE_LOADENV: | ||
| 85 | + case GRUB_FILE_TYPE_SAVEENV: | ||
| 86 | + case GRUB_FILE_TYPE_VERIFY_SIGNATURE: | ||
| 87 | + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; | ||
| 88 | + return GRUB_ERR_NONE; | ||
| 89 | |||
| 90 | + /* Other files. */ | ||
| 91 | default: | ||
| 92 | - return GRUB_ERR_NONE; | ||
| 93 | + return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy")); | ||
| 94 | } | ||
| 95 | } | ||
| 96 | |||
| 97 | diff --git a/include/grub/verify.h b/include/grub/verify.h | ||
| 98 | index cd129c398..672ae1692 100644 | ||
| 99 | --- a/include/grub/verify.h | ||
| 100 | +++ b/include/grub/verify.h | ||
| 101 | @@ -24,6 +24,7 @@ | ||
| 102 | |||
| 103 | enum grub_verify_flags | ||
| 104 | { | ||
| 105 | + GRUB_VERIFY_FLAGS_NONE = 0, | ||
| 106 | GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1, | ||
| 107 | GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2, | ||
| 108 | /* Defer verification to another authority. */ | ||
| 109 | -- | ||
| 110 | 2.34.1 | ||
| 111 | |||
diff --git a/meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch b/meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch new file mode 100644 index 0000000000..2db9bcbbc5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch | |||
| @@ -0,0 +1,693 @@ | |||
| 1 | From 1f48917d8ddb490dcdc70176e0f58136b7f7811a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Elyes Haouas <ehaouas@noos.fr> | ||
| 3 | Date: Fri, 4 Mar 2022 07:42:13 +0100 | ||
| 4 | Subject: [PATCH] video: Remove trailing whitespaces | ||
| 5 | |||
| 6 | Signed-off-by: Elyes Haouas <ehaouas@noos.fr> | ||
| 7 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 8 | |||
| 9 | Upstream-Status: Backport | ||
| 10 | |||
| 11 | Reference to upstream patch: | ||
| 12 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1f48917d8ddb490dcdc70176e0f58136b7f7811a | ||
| 13 | |||
| 14 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 15 | --- | ||
| 16 | grub-core/video/bochs.c | 2 +- | ||
| 17 | grub-core/video/capture.c | 2 +- | ||
| 18 | grub-core/video/cirrus.c | 4 ++-- | ||
| 19 | grub-core/video/coreboot/cbfb.c | 2 +- | ||
| 20 | grub-core/video/efi_gop.c | 22 +++++++++---------- | ||
| 21 | grub-core/video/fb/fbblit.c | 8 +++---- | ||
| 22 | grub-core/video/fb/video_fb.c | 10 ++++----- | ||
| 23 | grub-core/video/i386/pc/vbe.c | 34 ++++++++++++++--------------- | ||
| 24 | grub-core/video/i386/pc/vga.c | 6 ++--- | ||
| 25 | grub-core/video/ieee1275.c | 4 ++-- | ||
| 26 | grub-core/video/radeon_fuloong2e.c | 6 ++--- | ||
| 27 | grub-core/video/radeon_yeeloong3a.c | 6 ++--- | ||
| 28 | grub-core/video/readers/png.c | 2 +- | ||
| 29 | grub-core/video/readers/tga.c | 2 +- | ||
| 30 | grub-core/video/sis315_init.c | 2 +- | ||
| 31 | grub-core/video/sis315pro.c | 8 +++---- | ||
| 32 | grub-core/video/sm712.c | 10 ++++----- | ||
| 33 | grub-core/video/video.c | 8 +++---- | ||
| 34 | 18 files changed, 69 insertions(+), 69 deletions(-) | ||
| 35 | |||
| 36 | diff --git a/grub-core/video/bochs.c b/grub-core/video/bochs.c | ||
| 37 | index 30ea1bd82..edc651697 100644 | ||
| 38 | --- a/grub-core/video/bochs.c | ||
| 39 | +++ b/grub-core/video/bochs.c | ||
| 40 | @@ -212,7 +212,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data) | ||
| 41 | |||
| 42 | if (((class >> 16) & 0xffff) != 0x0300 || pciid != 0x11111234) | ||
| 43 | return 0; | ||
| 44 | - | ||
| 45 | + | ||
| 46 | addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0); | ||
| 47 | framebuffer.base = grub_pci_read (addr) & GRUB_PCI_ADDR_MEM_MASK; | ||
| 48 | if (!framebuffer.base) | ||
| 49 | diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c | ||
| 50 | index 4d3195e01..c653d89f9 100644 | ||
| 51 | --- a/grub-core/video/capture.c | ||
| 52 | +++ b/grub-core/video/capture.c | ||
| 53 | @@ -92,7 +92,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info, | ||
| 54 | framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch); | ||
| 55 | if (!framebuffer.ptr) | ||
| 56 | return grub_errno; | ||
| 57 | - | ||
| 58 | + | ||
| 59 | err = grub_video_fb_create_render_target_from_pointer (&framebuffer.render_target, | ||
| 60 | &framebuffer.mode_info, | ||
| 61 | framebuffer.ptr); | ||
| 62 | diff --git a/grub-core/video/cirrus.c b/grub-core/video/cirrus.c | ||
| 63 | index e2149e8ce..f5542ccdc 100644 | ||
| 64 | --- a/grub-core/video/cirrus.c | ||
| 65 | +++ b/grub-core/video/cirrus.c | ||
| 66 | @@ -354,11 +354,11 @@ grub_video_cirrus_setup (unsigned int width, unsigned int height, | ||
| 67 | grub_uint8_t sr_ext = 0, hidden_dac = 0; | ||
| 68 | |||
| 69 | grub_vga_set_geometry (&config, grub_vga_cr_write); | ||
| 70 | - | ||
| 71 | + | ||
| 72 | grub_vga_gr_write (GRUB_VGA_GR_MODE_256_COLOR | GRUB_VGA_GR_MODE_READ_MODE1, | ||
| 73 | GRUB_VGA_GR_MODE); | ||
| 74 | grub_vga_gr_write (GRUB_VGA_GR_GR6_GRAPHICS_MODE, GRUB_VGA_GR_GR6); | ||
| 75 | - | ||
| 76 | + | ||
| 77 | grub_vga_sr_write (GRUB_VGA_SR_MEMORY_MODE_NORMAL, GRUB_VGA_SR_MEMORY_MODE); | ||
| 78 | |||
| 79 | grub_vga_cr_write ((config.pitch >> CIRRUS_CR_EXTENDED_DISPLAY_PITCH_SHIFT) | ||
| 80 | diff --git a/grub-core/video/coreboot/cbfb.c b/grub-core/video/coreboot/cbfb.c | ||
| 81 | index 9af81fa5b..986003c51 100644 | ||
| 82 | --- a/grub-core/video/coreboot/cbfb.c | ||
| 83 | +++ b/grub-core/video/coreboot/cbfb.c | ||
| 84 | @@ -106,7 +106,7 @@ grub_video_cbfb_setup (unsigned int width, unsigned int height, | ||
| 85 | |||
| 86 | grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS, | ||
| 87 | grub_video_fbstd_colors); | ||
| 88 | - | ||
| 89 | + | ||
| 90 | return err; | ||
| 91 | } | ||
| 92 | |||
| 93 | diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c | ||
| 94 | index b7590dc6c..7a5054631 100644 | ||
| 95 | --- a/grub-core/video/efi_gop.c | ||
| 96 | +++ b/grub-core/video/efi_gop.c | ||
| 97 | @@ -273,7 +273,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo | ||
| 98 | grub_efi_status_t status; | ||
| 99 | struct grub_efi_gop_mode_info *info = NULL; | ||
| 100 | struct grub_video_mode_info mode_info; | ||
| 101 | - | ||
| 102 | + | ||
| 103 | status = efi_call_4 (gop->query_mode, gop, mode, &size, &info); | ||
| 104 | |||
| 105 | if (status) | ||
| 106 | @@ -390,7 +390,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height, | ||
| 107 | found = 1; | ||
| 108 | } | ||
| 109 | } | ||
| 110 | - | ||
| 111 | + | ||
| 112 | if (!found) | ||
| 113 | { | ||
| 114 | unsigned mode; | ||
| 115 | @@ -399,7 +399,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height, | ||
| 116 | { | ||
| 117 | grub_efi_uintn_t size; | ||
| 118 | grub_efi_status_t status; | ||
| 119 | - | ||
| 120 | + | ||
| 121 | status = efi_call_4 (gop->query_mode, gop, mode, &size, &info); | ||
| 122 | if (status) | ||
| 123 | { | ||
| 124 | @@ -472,11 +472,11 @@ grub_video_gop_setup (unsigned int width, unsigned int height, | ||
| 125 | framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base; | ||
| 126 | framebuffer.offscreen | ||
| 127 | = grub_malloc (framebuffer.mode_info.height | ||
| 128 | - * framebuffer.mode_info.width | ||
| 129 | + * framebuffer.mode_info.width | ||
| 130 | * sizeof (struct grub_efi_gop_blt_pixel)); | ||
| 131 | |||
| 132 | buffer = framebuffer.offscreen; | ||
| 133 | - | ||
| 134 | + | ||
| 135 | if (!buffer) | ||
| 136 | { | ||
| 137 | grub_dprintf ("video", "GOP: couldn't allocate shadow\n"); | ||
| 138 | @@ -485,11 +485,11 @@ grub_video_gop_setup (unsigned int width, unsigned int height, | ||
| 139 | &framebuffer.mode_info); | ||
| 140 | buffer = framebuffer.ptr; | ||
| 141 | } | ||
| 142 | - | ||
| 143 | + | ||
| 144 | grub_dprintf ("video", "GOP: initialising FB @ %p %dx%dx%d\n", | ||
| 145 | framebuffer.ptr, framebuffer.mode_info.width, | ||
| 146 | framebuffer.mode_info.height, framebuffer.mode_info.bpp); | ||
| 147 | - | ||
| 148 | + | ||
| 149 | err = grub_video_fb_create_render_target_from_pointer | ||
| 150 | (&framebuffer.render_target, &framebuffer.mode_info, buffer); | ||
| 151 | |||
| 152 | @@ -498,15 +498,15 @@ grub_video_gop_setup (unsigned int width, unsigned int height, | ||
| 153 | grub_dprintf ("video", "GOP: Couldn't create FB target\n"); | ||
| 154 | return err; | ||
| 155 | } | ||
| 156 | - | ||
| 157 | + | ||
| 158 | err = grub_video_fb_set_active_render_target (framebuffer.render_target); | ||
| 159 | - | ||
| 160 | + | ||
| 161 | if (err) | ||
| 162 | { | ||
| 163 | grub_dprintf ("video", "GOP: Couldn't set FB target\n"); | ||
| 164 | return err; | ||
| 165 | } | ||
| 166 | - | ||
| 167 | + | ||
| 168 | err = grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS, | ||
| 169 | grub_video_fbstd_colors); | ||
| 170 | |||
| 171 | @@ -514,7 +514,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height, | ||
| 172 | grub_dprintf ("video", "GOP: Couldn't set palette\n"); | ||
| 173 | else | ||
| 174 | grub_dprintf ("video", "GOP: Success\n"); | ||
| 175 | - | ||
| 176 | + | ||
| 177 | return err; | ||
| 178 | } | ||
| 179 | |||
| 180 | diff --git a/grub-core/video/fb/fbblit.c b/grub-core/video/fb/fbblit.c | ||
| 181 | index d55924837..1010ef393 100644 | ||
| 182 | --- a/grub-core/video/fb/fbblit.c | ||
| 183 | +++ b/grub-core/video/fb/fbblit.c | ||
| 184 | @@ -466,7 +466,7 @@ grub_video_fbblit_replace_24bit_indexa (struct grub_video_fbblit_info *dst, | ||
| 185 | for (i = 0; i < width; i++) | ||
| 186 | { | ||
| 187 | register grub_uint32_t col; | ||
| 188 | - if (*srcptr == 0xf0) | ||
| 189 | + if (*srcptr == 0xf0) | ||
| 190 | col = palette[16]; | ||
| 191 | else | ||
| 192 | col = palette[*srcptr & 0xf]; | ||
| 193 | @@ -478,7 +478,7 @@ grub_video_fbblit_replace_24bit_indexa (struct grub_video_fbblit_info *dst, | ||
| 194 | *dstptr++ = col >> 0; | ||
| 195 | *dstptr++ = col >> 8; | ||
| 196 | *dstptr++ = col >> 16; | ||
| 197 | -#endif | ||
| 198 | +#endif | ||
| 199 | srcptr++; | ||
| 200 | } | ||
| 201 | |||
| 202 | @@ -651,7 +651,7 @@ grub_video_fbblit_blend_24bit_indexa (struct grub_video_fbblit_info *dst, | ||
| 203 | for (i = 0; i < width; i++) | ||
| 204 | { | ||
| 205 | register grub_uint32_t col; | ||
| 206 | - if (*srcptr != 0xf0) | ||
| 207 | + if (*srcptr != 0xf0) | ||
| 208 | { | ||
| 209 | col = palette[*srcptr & 0xf]; | ||
| 210 | #ifdef GRUB_CPU_WORDS_BIGENDIAN | ||
| 211 | @@ -662,7 +662,7 @@ grub_video_fbblit_blend_24bit_indexa (struct grub_video_fbblit_info *dst, | ||
| 212 | *dstptr++ = col >> 0; | ||
| 213 | *dstptr++ = col >> 8; | ||
| 214 | *dstptr++ = col >> 16; | ||
| 215 | -#endif | ||
| 216 | +#endif | ||
| 217 | } | ||
| 218 | else | ||
| 219 | dstptr += 3; | ||
| 220 | diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c | ||
| 221 | index ae6b89f9a..fa4ebde26 100644 | ||
| 222 | --- a/grub-core/video/fb/video_fb.c | ||
| 223 | +++ b/grub-core/video/fb/video_fb.c | ||
| 224 | @@ -754,7 +754,7 @@ grub_video_fb_unmap_color_int (struct grub_video_fbblit_info * source, | ||
| 225 | *alpha = 0; | ||
| 226 | return; | ||
| 227 | } | ||
| 228 | - | ||
| 229 | + | ||
| 230 | /* If we have an out-of-bounds color, return transparent black. */ | ||
| 231 | if (color > 255) | ||
| 232 | { | ||
| 233 | @@ -1141,7 +1141,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy) | ||
| 234 | /* If everything is aligned on 32-bit use 32-bit copy. */ | ||
| 235 | if ((grub_addr_t) grub_video_fb_get_video_ptr (&target, src_x, src_y) | ||
| 236 | % sizeof (grub_uint32_t) == 0 | ||
| 237 | - && (grub_addr_t) grub_video_fb_get_video_ptr (&target, dst_x, dst_y) | ||
| 238 | + && (grub_addr_t) grub_video_fb_get_video_ptr (&target, dst_x, dst_y) | ||
| 239 | % sizeof (grub_uint32_t) == 0 | ||
| 240 | && linelen % sizeof (grub_uint32_t) == 0 | ||
| 241 | && linedelta % sizeof (grub_uint32_t) == 0) | ||
| 242 | @@ -1155,7 +1155,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy) | ||
| 243 | else if ((grub_addr_t) grub_video_fb_get_video_ptr (&target, src_x, src_y) | ||
| 244 | % sizeof (grub_uint16_t) == 0 | ||
| 245 | && (grub_addr_t) grub_video_fb_get_video_ptr (&target, | ||
| 246 | - dst_x, dst_y) | ||
| 247 | + dst_x, dst_y) | ||
| 248 | % sizeof (grub_uint16_t) == 0 | ||
| 249 | && linelen % sizeof (grub_uint16_t) == 0 | ||
| 250 | && linedelta % sizeof (grub_uint16_t) == 0) | ||
| 251 | @@ -1170,7 +1170,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy) | ||
| 252 | { | ||
| 253 | grub_uint8_t *src, *dst; | ||
| 254 | DO_SCROLL | ||
| 255 | - } | ||
| 256 | + } | ||
| 257 | } | ||
| 258 | |||
| 259 | /* 4. Fill empty space with specified color. In this implementation | ||
| 260 | @@ -1615,7 +1615,7 @@ grub_video_fb_setup (unsigned int mode_type, unsigned int mode_mask, | ||
| 261 | framebuffer.render_target = framebuffer.back_target; | ||
| 262 | return GRUB_ERR_NONE; | ||
| 263 | } | ||
| 264 | - | ||
| 265 | + | ||
| 266 | mode_info->mode_type &= ~(GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED | ||
| 267 | | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP); | ||
| 268 | |||
| 269 | diff --git a/grub-core/video/i386/pc/vbe.c b/grub-core/video/i386/pc/vbe.c | ||
| 270 | index b7f911926..0e65b5206 100644 | ||
| 271 | --- a/grub-core/video/i386/pc/vbe.c | ||
| 272 | +++ b/grub-core/video/i386/pc/vbe.c | ||
| 273 | @@ -219,7 +219,7 @@ grub_vbe_disable_mtrr (int mtrr) | ||
| 274 | } | ||
| 275 | |||
| 276 | /* Call VESA BIOS 0x4f09 to set palette data, return status. */ | ||
| 277 | -static grub_vbe_status_t | ||
| 278 | +static grub_vbe_status_t | ||
| 279 | grub_vbe_bios_set_palette_data (grub_uint32_t color_count, | ||
| 280 | grub_uint32_t start_index, | ||
| 281 | struct grub_vbe_palette_data *palette_data) | ||
| 282 | @@ -237,7 +237,7 @@ grub_vbe_bios_set_palette_data (grub_uint32_t color_count, | ||
| 283 | } | ||
| 284 | |||
| 285 | /* Call VESA BIOS 0x4f00 to get VBE Controller Information, return status. */ | ||
| 286 | -grub_vbe_status_t | ||
| 287 | +grub_vbe_status_t | ||
| 288 | grub_vbe_bios_get_controller_info (struct grub_vbe_info_block *ci) | ||
| 289 | { | ||
| 290 | struct grub_bios_int_registers regs; | ||
| 291 | @@ -251,7 +251,7 @@ grub_vbe_bios_get_controller_info (struct grub_vbe_info_block *ci) | ||
| 292 | } | ||
| 293 | |||
| 294 | /* Call VESA BIOS 0x4f01 to get VBE Mode Information, return status. */ | ||
| 295 | -grub_vbe_status_t | ||
| 296 | +grub_vbe_status_t | ||
| 297 | grub_vbe_bios_get_mode_info (grub_uint32_t mode, | ||
| 298 | struct grub_vbe_mode_info_block *mode_info) | ||
| 299 | { | ||
| 300 | @@ -285,7 +285,7 @@ grub_vbe_bios_set_mode (grub_uint32_t mode, | ||
| 301 | } | ||
| 302 | |||
| 303 | /* Call VESA BIOS 0x4f03 to return current VBE Mode, return status. */ | ||
| 304 | -grub_vbe_status_t | ||
| 305 | +grub_vbe_status_t | ||
| 306 | grub_vbe_bios_get_mode (grub_uint32_t *mode) | ||
| 307 | { | ||
| 308 | struct grub_bios_int_registers regs; | ||
| 309 | @@ -298,7 +298,7 @@ grub_vbe_bios_get_mode (grub_uint32_t *mode) | ||
| 310 | return regs.eax & 0xffff; | ||
| 311 | } | ||
| 312 | |||
| 313 | -grub_vbe_status_t | ||
| 314 | +grub_vbe_status_t | ||
| 315 | grub_vbe_bios_getset_dac_palette_width (int set, int *dac_mask_size) | ||
| 316 | { | ||
| 317 | struct grub_bios_int_registers regs; | ||
| 318 | @@ -346,7 +346,7 @@ grub_vbe_bios_get_memory_window (grub_uint32_t window, | ||
| 319 | } | ||
| 320 | |||
| 321 | /* Call VESA BIOS 0x4f06 to set scanline length (in bytes), return status. */ | ||
| 322 | -grub_vbe_status_t | ||
| 323 | +grub_vbe_status_t | ||
| 324 | grub_vbe_bios_set_scanline_length (grub_uint32_t length) | ||
| 325 | { | ||
| 326 | struct grub_bios_int_registers regs; | ||
| 327 | @@ -354,14 +354,14 @@ grub_vbe_bios_set_scanline_length (grub_uint32_t length) | ||
| 328 | regs.ecx = length; | ||
| 329 | regs.eax = 0x4f06; | ||
| 330 | /* BL = 2, Set Scan Line in Bytes. */ | ||
| 331 | - regs.ebx = 0x0002; | ||
| 332 | + regs.ebx = 0x0002; | ||
| 333 | regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT; | ||
| 334 | grub_bios_interrupt (0x10, ®s); | ||
| 335 | return regs.eax & 0xffff; | ||
| 336 | } | ||
| 337 | |||
| 338 | /* Call VESA BIOS 0x4f06 to return scanline length (in bytes), return status. */ | ||
| 339 | -grub_vbe_status_t | ||
| 340 | +grub_vbe_status_t | ||
| 341 | grub_vbe_bios_get_scanline_length (grub_uint32_t *length) | ||
| 342 | { | ||
| 343 | struct grub_bios_int_registers regs; | ||
| 344 | @@ -377,7 +377,7 @@ grub_vbe_bios_get_scanline_length (grub_uint32_t *length) | ||
| 345 | } | ||
| 346 | |||
| 347 | /* Call VESA BIOS 0x4f07 to set display start, return status. */ | ||
| 348 | -static grub_vbe_status_t | ||
| 349 | +static grub_vbe_status_t | ||
| 350 | grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y) | ||
| 351 | { | ||
| 352 | struct grub_bios_int_registers regs; | ||
| 353 | @@ -390,7 +390,7 @@ grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y) | ||
| 354 | regs.edx = y; | ||
| 355 | regs.eax = 0x4f07; | ||
| 356 | /* BL = 80h, Set Display Start during Vertical Retrace. */ | ||
| 357 | - regs.ebx = 0x0080; | ||
| 358 | + regs.ebx = 0x0080; | ||
| 359 | regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT; | ||
| 360 | grub_bios_interrupt (0x10, ®s); | ||
| 361 | |||
| 362 | @@ -401,7 +401,7 @@ grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y) | ||
| 363 | } | ||
| 364 | |||
| 365 | /* Call VESA BIOS 0x4f07 to get display start, return status. */ | ||
| 366 | -grub_vbe_status_t | ||
| 367 | +grub_vbe_status_t | ||
| 368 | grub_vbe_bios_get_display_start (grub_uint32_t *x, | ||
| 369 | grub_uint32_t *y) | ||
| 370 | { | ||
| 371 | @@ -419,7 +419,7 @@ grub_vbe_bios_get_display_start (grub_uint32_t *x, | ||
| 372 | } | ||
| 373 | |||
| 374 | /* Call VESA BIOS 0x4f0a. */ | ||
| 375 | -grub_vbe_status_t | ||
| 376 | +grub_vbe_status_t | ||
| 377 | grub_vbe_bios_get_pm_interface (grub_uint16_t *segment, grub_uint16_t *offset, | ||
| 378 | grub_uint16_t *length) | ||
| 379 | { | ||
| 380 | @@ -896,7 +896,7 @@ vbe2videoinfo (grub_uint32_t mode, | ||
| 381 | case GRUB_VBE_MEMORY_MODEL_YUV: | ||
| 382 | mode_info->mode_type |= GRUB_VIDEO_MODE_TYPE_YUV; | ||
| 383 | break; | ||
| 384 | - | ||
| 385 | + | ||
| 386 | case GRUB_VBE_MEMORY_MODEL_DIRECT_COLOR: | ||
| 387 | mode_info->mode_type |= GRUB_VIDEO_MODE_TYPE_RGB; | ||
| 388 | break; | ||
| 389 | @@ -923,10 +923,10 @@ vbe2videoinfo (grub_uint32_t mode, | ||
| 390 | break; | ||
| 391 | case 8: | ||
| 392 | mode_info->bytes_per_pixel = 1; | ||
| 393 | - break; | ||
| 394 | + break; | ||
| 395 | case 4: | ||
| 396 | mode_info->bytes_per_pixel = 0; | ||
| 397 | - break; | ||
| 398 | + break; | ||
| 399 | } | ||
| 400 | |||
| 401 | if (controller_info.version >= 0x300) | ||
| 402 | @@ -976,7 +976,7 @@ grub_video_vbe_iterate (int (*hook) (const struct grub_video_mode_info *info, vo | ||
| 403 | |||
| 404 | static grub_err_t | ||
| 405 | grub_video_vbe_setup (unsigned int width, unsigned int height, | ||
| 406 | - grub_video_mode_type_t mode_type, | ||
| 407 | + grub_video_mode_type_t mode_type, | ||
| 408 | grub_video_mode_type_t mode_mask) | ||
| 409 | { | ||
| 410 | grub_uint16_t *p; | ||
| 411 | @@ -1193,7 +1193,7 @@ grub_video_vbe_print_adapter_specific_info (void) | ||
| 412 | controller_info.version & 0xFF, | ||
| 413 | controller_info.oem_software_rev >> 8, | ||
| 414 | controller_info.oem_software_rev & 0xFF); | ||
| 415 | - | ||
| 416 | + | ||
| 417 | /* The total_memory field is in 64 KiB units. */ | ||
| 418 | grub_printf_ (N_(" total memory: %d KiB\n"), | ||
| 419 | (controller_info.total_memory << 6)); | ||
| 420 | diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c | ||
| 421 | index b2f776c99..50d0b5e02 100644 | ||
| 422 | --- a/grub-core/video/i386/pc/vga.c | ||
| 423 | +++ b/grub-core/video/i386/pc/vga.c | ||
| 424 | @@ -48,7 +48,7 @@ static struct | ||
| 425 | int back_page; | ||
| 426 | } framebuffer; | ||
| 427 | |||
| 428 | -static unsigned char | ||
| 429 | +static unsigned char | ||
| 430 | grub_vga_set_mode (unsigned char mode) | ||
| 431 | { | ||
| 432 | struct grub_bios_int_registers regs; | ||
| 433 | @@ -182,10 +182,10 @@ grub_video_vga_setup (unsigned int width, unsigned int height, | ||
| 434 | |||
| 435 | is_target = 1; | ||
| 436 | err = grub_video_fb_set_active_render_target (framebuffer.render_target); | ||
| 437 | - | ||
| 438 | + | ||
| 439 | if (err) | ||
| 440 | return err; | ||
| 441 | - | ||
| 442 | + | ||
| 443 | err = grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS, | ||
| 444 | grub_video_fbstd_colors); | ||
| 445 | |||
| 446 | diff --git a/grub-core/video/ieee1275.c b/grub-core/video/ieee1275.c | ||
| 447 | index f437fb0df..ca3d3c3b2 100644 | ||
| 448 | --- a/grub-core/video/ieee1275.c | ||
| 449 | +++ b/grub-core/video/ieee1275.c | ||
| 450 | @@ -233,7 +233,7 @@ grub_video_ieee1275_setup (unsigned int width, unsigned int height, | ||
| 451 | /* TODO. */ | ||
| 452 | return grub_error (GRUB_ERR_IO, "can't set mode %dx%d", width, height); | ||
| 453 | } | ||
| 454 | - | ||
| 455 | + | ||
| 456 | err = grub_video_ieee1275_fill_mode_info (dev, &framebuffer.mode_info); | ||
| 457 | if (err) | ||
| 458 | { | ||
| 459 | @@ -260,7 +260,7 @@ grub_video_ieee1275_setup (unsigned int width, unsigned int height, | ||
| 460 | |||
| 461 | grub_video_ieee1275_set_palette (0, framebuffer.mode_info.number_of_colors, | ||
| 462 | grub_video_fbstd_colors); | ||
| 463 | - | ||
| 464 | + | ||
| 465 | return err; | ||
| 466 | } | ||
| 467 | |||
| 468 | diff --git a/grub-core/video/radeon_fuloong2e.c b/grub-core/video/radeon_fuloong2e.c | ||
| 469 | index b4da34b5e..40917acb7 100644 | ||
| 470 | --- a/grub-core/video/radeon_fuloong2e.c | ||
| 471 | +++ b/grub-core/video/radeon_fuloong2e.c | ||
| 472 | @@ -75,7 +75,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data) | ||
| 473 | if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA | ||
| 474 | || pciid != 0x515a1002) | ||
| 475 | return 0; | ||
| 476 | - | ||
| 477 | + | ||
| 478 | *found = 1; | ||
| 479 | |||
| 480 | addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0); | ||
| 481 | @@ -139,7 +139,7 @@ grub_video_radeon_fuloong2e_setup (unsigned int width, unsigned int height, | ||
| 482 | framebuffer.mapped = 1; | ||
| 483 | |||
| 484 | /* Prevent garbage from appearing on the screen. */ | ||
| 485 | - grub_memset (framebuffer.ptr, 0x55, | ||
| 486 | + grub_memset (framebuffer.ptr, 0x55, | ||
| 487 | framebuffer.mode_info.height * framebuffer.mode_info.pitch); | ||
| 488 | |||
| 489 | #ifndef TEST | ||
| 490 | @@ -152,7 +152,7 @@ grub_video_radeon_fuloong2e_setup (unsigned int width, unsigned int height, | ||
| 491 | return err; | ||
| 492 | |||
| 493 | err = grub_video_fb_set_active_render_target (framebuffer.render_target); | ||
| 494 | - | ||
| 495 | + | ||
| 496 | if (err) | ||
| 497 | return err; | ||
| 498 | |||
| 499 | diff --git a/grub-core/video/radeon_yeeloong3a.c b/grub-core/video/radeon_yeeloong3a.c | ||
| 500 | index 52614feb6..48631c181 100644 | ||
| 501 | --- a/grub-core/video/radeon_yeeloong3a.c | ||
| 502 | +++ b/grub-core/video/radeon_yeeloong3a.c | ||
| 503 | @@ -74,7 +74,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data) | ||
| 504 | if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA | ||
| 505 | || pciid != 0x96151002) | ||
| 506 | return 0; | ||
| 507 | - | ||
| 508 | + | ||
| 509 | *found = 1; | ||
| 510 | |||
| 511 | addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0); | ||
| 512 | @@ -137,7 +137,7 @@ grub_video_radeon_yeeloong3a_setup (unsigned int width, unsigned int height, | ||
| 513 | #endif | ||
| 514 | |||
| 515 | /* Prevent garbage from appearing on the screen. */ | ||
| 516 | - grub_memset (framebuffer.ptr, 0, | ||
| 517 | + grub_memset (framebuffer.ptr, 0, | ||
| 518 | framebuffer.mode_info.height * framebuffer.mode_info.pitch); | ||
| 519 | |||
| 520 | #ifndef TEST | ||
| 521 | @@ -150,7 +150,7 @@ grub_video_radeon_yeeloong3a_setup (unsigned int width, unsigned int height, | ||
| 522 | return err; | ||
| 523 | |||
| 524 | err = grub_video_fb_set_active_render_target (framebuffer.render_target); | ||
| 525 | - | ||
| 526 | + | ||
| 527 | if (err) | ||
| 528 | return err; | ||
| 529 | |||
| 530 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
| 531 | index 0157ff742..54dfedf43 100644 | ||
| 532 | --- a/grub-core/video/readers/png.c | ||
| 533 | +++ b/grub-core/video/readers/png.c | ||
| 534 | @@ -916,7 +916,7 @@ grub_png_convert_image (struct grub_png_data *data) | ||
| 535 | } | ||
| 536 | return; | ||
| 537 | } | ||
| 538 | - | ||
| 539 | + | ||
| 540 | if (data->is_gray) | ||
| 541 | { | ||
| 542 | switch (data->bpp) | ||
| 543 | diff --git a/grub-core/video/readers/tga.c b/grub-core/video/readers/tga.c | ||
| 544 | index 7cb9d1d2a..a9ec3a1b6 100644 | ||
| 545 | --- a/grub-core/video/readers/tga.c | ||
| 546 | +++ b/grub-core/video/readers/tga.c | ||
| 547 | @@ -127,7 +127,7 @@ tga_load_palette (struct tga_data *data) | ||
| 548 | |||
| 549 | if (len > sizeof (data->palette)) | ||
| 550 | len = sizeof (data->palette); | ||
| 551 | - | ||
| 552 | + | ||
| 553 | if (grub_file_read (data->file, &data->palette, len) | ||
| 554 | != (grub_ssize_t) len) | ||
| 555 | return grub_errno; | ||
| 556 | diff --git a/grub-core/video/sis315_init.c b/grub-core/video/sis315_init.c | ||
| 557 | index ae5c1419c..09c3c7bbe 100644 | ||
| 558 | --- a/grub-core/video/sis315_init.c | ||
| 559 | +++ b/grub-core/video/sis315_init.c | ||
| 560 | @@ -1,4 +1,4 @@ | ||
| 561 | -static const struct { grub_uint8_t reg; grub_uint8_t val; } sr_dump [] = | ||
| 562 | +static const struct { grub_uint8_t reg; grub_uint8_t val; } sr_dump [] = | ||
| 563 | { | ||
| 564 | { 0x28, 0x81 }, | ||
| 565 | { 0x2a, 0x00 }, | ||
| 566 | diff --git a/grub-core/video/sis315pro.c b/grub-core/video/sis315pro.c | ||
| 567 | index 22a0c85a6..4d2f9999a 100644 | ||
| 568 | --- a/grub-core/video/sis315pro.c | ||
| 569 | +++ b/grub-core/video/sis315pro.c | ||
| 570 | @@ -103,7 +103,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data) | ||
| 571 | if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA | ||
| 572 | || pciid != GRUB_SIS315PRO_PCIID) | ||
| 573 | return 0; | ||
| 574 | - | ||
| 575 | + | ||
| 576 | *found = 1; | ||
| 577 | |||
| 578 | addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0); | ||
| 579 | @@ -218,7 +218,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height, | ||
| 580 | |||
| 581 | #ifndef TEST | ||
| 582 | /* Prevent garbage from appearing on the screen. */ | ||
| 583 | - grub_memset (framebuffer.ptr, 0, | ||
| 584 | + grub_memset (framebuffer.ptr, 0, | ||
| 585 | framebuffer.mode_info.height * framebuffer.mode_info.pitch); | ||
| 586 | grub_arch_sync_dma_caches (framebuffer.ptr, | ||
| 587 | framebuffer.mode_info.height | ||
| 588 | @@ -231,7 +231,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height, | ||
| 589 | | GRUB_VGA_IO_MISC_EXTERNAL_CLOCK_0 | ||
| 590 | | GRUB_VGA_IO_MISC_28MHZ | ||
| 591 | | GRUB_VGA_IO_MISC_ENABLE_VRAM_ACCESS | ||
| 592 | - | GRUB_VGA_IO_MISC_COLOR, | ||
| 593 | + | GRUB_VGA_IO_MISC_COLOR, | ||
| 594 | GRUB_VGA_IO_MISC_WRITE + GRUB_MACHINE_PCI_IO_BASE); | ||
| 595 | |||
| 596 | grub_vga_sr_write (0x86, 5); | ||
| 597 | @@ -335,7 +335,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height, | ||
| 598 | { | ||
| 599 | if (read_sis_cmd (0x5) != 0xa1) | ||
| 600 | write_sis_cmd (0x86, 0x5); | ||
| 601 | - | ||
| 602 | + | ||
| 603 | write_sis_cmd (read_sis_cmd (0x20) | 0xa1, 0x20); | ||
| 604 | write_sis_cmd (read_sis_cmd (0x1e) | 0xda, 0x1e); | ||
| 605 | |||
| 606 | diff --git a/grub-core/video/sm712.c b/grub-core/video/sm712.c | ||
| 607 | index 10c46eb65..65f59f84b 100644 | ||
| 608 | --- a/grub-core/video/sm712.c | ||
| 609 | +++ b/grub-core/video/sm712.c | ||
| 610 | @@ -167,7 +167,7 @@ enum | ||
| 611 | GRUB_SM712_CR_SHADOW_VGA_VBLANK_START = 0x46, | ||
| 612 | GRUB_SM712_CR_SHADOW_VGA_VBLANK_END = 0x47, | ||
| 613 | GRUB_SM712_CR_SHADOW_VGA_VRETRACE_START = 0x48, | ||
| 614 | - GRUB_SM712_CR_SHADOW_VGA_VRETRACE_END = 0x49, | ||
| 615 | + GRUB_SM712_CR_SHADOW_VGA_VRETRACE_END = 0x49, | ||
| 616 | GRUB_SM712_CR_SHADOW_VGA_OVERFLOW = 0x4a, | ||
| 617 | GRUB_SM712_CR_SHADOW_VGA_CELL_HEIGHT = 0x4b, | ||
| 618 | GRUB_SM712_CR_SHADOW_VGA_HDISPLAY_END = 0x4c, | ||
| 619 | @@ -375,7 +375,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data) | ||
| 620 | if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA | ||
| 621 | || pciid != GRUB_SM712_PCIID) | ||
| 622 | return 0; | ||
| 623 | - | ||
| 624 | + | ||
| 625 | *found = 1; | ||
| 626 | |||
| 627 | addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0); | ||
| 628 | @@ -471,7 +471,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height, | ||
| 629 | |||
| 630 | #if !defined (TEST) && !defined(GENINIT) | ||
| 631 | /* Prevent garbage from appearing on the screen. */ | ||
| 632 | - grub_memset ((void *) framebuffer.cached_ptr, 0, | ||
| 633 | + grub_memset ((void *) framebuffer.cached_ptr, 0, | ||
| 634 | framebuffer.mode_info.height * framebuffer.mode_info.pitch); | ||
| 635 | #endif | ||
| 636 | |||
| 637 | @@ -482,7 +482,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height, | ||
| 638 | grub_sm712_sr_write (0x2, 0x6b); | ||
| 639 | grub_sm712_write_reg (0, GRUB_VGA_IO_PIXEL_MASK); | ||
| 640 | grub_sm712_sr_write (GRUB_VGA_SR_RESET_ASYNC, GRUB_VGA_SR_RESET); | ||
| 641 | - grub_sm712_write_reg (GRUB_VGA_IO_MISC_NEGATIVE_VERT_POLARITY | ||
| 642 | + grub_sm712_write_reg (GRUB_VGA_IO_MISC_NEGATIVE_VERT_POLARITY | ||
| 643 | | GRUB_VGA_IO_MISC_NEGATIVE_HORIZ_POLARITY | ||
| 644 | | GRUB_VGA_IO_MISC_UPPER_64K | ||
| 645 | | GRUB_VGA_IO_MISC_EXTERNAL_CLOCK_0 | ||
| 646 | @@ -694,7 +694,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height, | ||
| 647 | for (i = 0; i < ARRAY_SIZE (dda_lookups); i++) | ||
| 648 | grub_sm712_write_dda_lookup (i, dda_lookups[i].compare, dda_lookups[i].dda, | ||
| 649 | dda_lookups[i].vcentering); | ||
| 650 | - | ||
| 651 | + | ||
| 652 | /* Undocumented */ | ||
| 653 | grub_sm712_cr_write (0, 0x9c); | ||
| 654 | grub_sm712_cr_write (0, 0x9d); | ||
| 655 | diff --git a/grub-core/video/video.c b/grub-core/video/video.c | ||
| 656 | index 983424107..8937da745 100644 | ||
| 657 | --- a/grub-core/video/video.c | ||
| 658 | +++ b/grub-core/video/video.c | ||
| 659 | @@ -491,13 +491,13 @@ parse_modespec (const char *current_mode, int *width, int *height, int *depth) | ||
| 660 | current_mode); | ||
| 661 | |||
| 662 | param++; | ||
| 663 | - | ||
| 664 | + | ||
| 665 | *width = grub_strtoul (value, 0, 0); | ||
| 666 | if (grub_errno != GRUB_ERR_NONE) | ||
| 667 | return grub_error (GRUB_ERR_BAD_ARGUMENT, | ||
| 668 | N_("invalid video mode specification `%s'"), | ||
| 669 | current_mode); | ||
| 670 | - | ||
| 671 | + | ||
| 672 | /* Find height value. */ | ||
| 673 | value = param; | ||
| 674 | param = grub_strchr(param, 'x'); | ||
| 675 | @@ -513,13 +513,13 @@ parse_modespec (const char *current_mode, int *width, int *height, int *depth) | ||
| 676 | { | ||
| 677 | /* We have optional color depth value. */ | ||
| 678 | param++; | ||
| 679 | - | ||
| 680 | + | ||
| 681 | *height = grub_strtoul (value, 0, 0); | ||
| 682 | if (grub_errno != GRUB_ERR_NONE) | ||
| 683 | return grub_error (GRUB_ERR_BAD_ARGUMENT, | ||
| 684 | N_("invalid video mode specification `%s'"), | ||
| 685 | current_mode); | ||
| 686 | - | ||
| 687 | + | ||
| 688 | /* Convert color depth value. */ | ||
| 689 | value = param; | ||
| 690 | *depth = grub_strtoul (value, 0, 0); | ||
| 691 | -- | ||
| 692 | 2.34.1 | ||
| 693 | |||
diff --git a/meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch b/meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch new file mode 100644 index 0000000000..0c7deae858 --- /dev/null +++ b/meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch | |||
| @@ -0,0 +1,264 @@ | |||
| 1 | From d5caac8ab79d068ad9a41030c772d03a4d4fbd7b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Mon, 28 Jun 2021 14:16:14 +1000 | ||
| 4 | Subject: [PATCH] video/readers/jpeg: Abort sooner if a read operation fails | ||
| 5 | |||
| 6 | Fuzzing revealed some inputs that were taking a long time, potentially | ||
| 7 | forever, because they did not bail quickly upon encountering an I/O error. | ||
| 8 | |||
| 9 | Try to catch I/O errors sooner and bail out. | ||
| 10 | |||
| 11 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 12 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 13 | |||
| 14 | Upstream-Status: Backport | ||
| 15 | |||
| 16 | Reference to upstream patch: | ||
| 17 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d5caac8ab79d068ad9a41030c772d03a4d4fbd7b | ||
| 18 | |||
| 19 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 20 | --- | ||
| 21 | grub-core/video/readers/jpeg.c | 86 +++++++++++++++++++++++++++------- | ||
| 22 | 1 file changed, 70 insertions(+), 16 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
| 25 | index c47ffd651..806c56c78 100644 | ||
| 26 | --- a/grub-core/video/readers/jpeg.c | ||
| 27 | +++ b/grub-core/video/readers/jpeg.c | ||
| 28 | @@ -109,9 +109,17 @@ static grub_uint8_t | ||
| 29 | grub_jpeg_get_byte (struct grub_jpeg_data *data) | ||
| 30 | { | ||
| 31 | grub_uint8_t r; | ||
| 32 | + grub_ssize_t bytes_read; | ||
| 33 | |||
| 34 | r = 0; | ||
| 35 | - grub_file_read (data->file, &r, 1); | ||
| 36 | + bytes_read = grub_file_read (data->file, &r, 1); | ||
| 37 | + | ||
| 38 | + if (bytes_read != 1) | ||
| 39 | + { | ||
| 40 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 41 | + "jpeg: unexpected end of data"); | ||
| 42 | + return 0; | ||
| 43 | + } | ||
| 44 | |||
| 45 | return r; | ||
| 46 | } | ||
| 47 | @@ -120,9 +128,17 @@ static grub_uint16_t | ||
| 48 | grub_jpeg_get_word (struct grub_jpeg_data *data) | ||
| 49 | { | ||
| 50 | grub_uint16_t r; | ||
| 51 | + grub_ssize_t bytes_read; | ||
| 52 | |||
| 53 | r = 0; | ||
| 54 | - grub_file_read (data->file, &r, sizeof (grub_uint16_t)); | ||
| 55 | + bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t)); | ||
| 56 | + | ||
| 57 | + if (bytes_read != sizeof (grub_uint16_t)) | ||
| 58 | + { | ||
| 59 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 60 | + "jpeg: unexpected end of data"); | ||
| 61 | + return 0; | ||
| 62 | + } | ||
| 63 | |||
| 64 | return grub_be_to_cpu16 (r); | ||
| 65 | } | ||
| 66 | @@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data) | ||
| 67 | if (data->bit_mask == 0) | ||
| 68 | { | ||
| 69 | data->bit_save = grub_jpeg_get_byte (data); | ||
| 70 | + if (grub_errno != GRUB_ERR_NONE) { | ||
| 71 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 72 | + "jpeg: file read error"); | ||
| 73 | + return 0; | ||
| 74 | + } | ||
| 75 | if (data->bit_save == JPEG_ESC_CHAR) | ||
| 76 | { | ||
| 77 | if (grub_jpeg_get_byte (data) != 0) | ||
| 78 | @@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data) | ||
| 79 | "jpeg: invalid 0xFF in data stream"); | ||
| 80 | return 0; | ||
| 81 | } | ||
| 82 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 83 | + { | ||
| 84 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error"); | ||
| 85 | + return 0; | ||
| 86 | + } | ||
| 87 | } | ||
| 88 | data->bit_mask = 0x80; | ||
| 89 | } | ||
| 90 | @@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num) | ||
| 91 | return 0; | ||
| 92 | |||
| 93 | msb = value = grub_jpeg_get_bit (data); | ||
| 94 | - for (i = 1; i < num; i++) | ||
| 95 | + for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++) | ||
| 96 | value = (value << 1) + (grub_jpeg_get_bit (data) != 0); | ||
| 97 | if (!msb) | ||
| 98 | value += 1 - (1 << num); | ||
| 99 | @@ -208,6 +234,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data) | ||
| 100 | while (data->file->offset + sizeof (count) + 1 <= next_marker) | ||
| 101 | { | ||
| 102 | id = grub_jpeg_get_byte (data); | ||
| 103 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 104 | + return grub_errno; | ||
| 105 | ac = (id >> 4) & 1; | ||
| 106 | id &= 0xF; | ||
| 107 | if (id > 1) | ||
| 108 | @@ -258,6 +286,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) | ||
| 109 | |||
| 110 | next_marker = data->file->offset; | ||
| 111 | next_marker += grub_jpeg_get_word (data); | ||
| 112 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 113 | + return grub_errno; | ||
| 114 | |||
| 115 | if (next_marker > data->file->size) | ||
| 116 | { | ||
| 117 | @@ -269,6 +299,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) | ||
| 118 | <= next_marker) | ||
| 119 | { | ||
| 120 | id = grub_jpeg_get_byte (data); | ||
| 121 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 122 | + return grub_errno; | ||
| 123 | if (id >= 0x10) /* Upper 4-bit is precision. */ | ||
| 124 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 125 | "jpeg: only 8-bit precision is supported"); | ||
| 126 | @@ -300,6 +332,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) | ||
| 127 | next_marker = data->file->offset; | ||
| 128 | next_marker += grub_jpeg_get_word (data); | ||
| 129 | |||
| 130 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 131 | + return grub_errno; | ||
| 132 | + | ||
| 133 | if (grub_jpeg_get_byte (data) != 8) | ||
| 134 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 135 | "jpeg: only 8-bit precision is supported"); | ||
| 136 | @@ -325,6 +360,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) | ||
| 137 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index"); | ||
| 138 | |||
| 139 | ss = grub_jpeg_get_byte (data); /* Sampling factor. */ | ||
| 140 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 141 | + return grub_errno; | ||
| 142 | if (!id) | ||
| 143 | { | ||
| 144 | grub_uint8_t vs, hs; | ||
| 145 | @@ -504,7 +541,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du) | ||
| 146 | } | ||
| 147 | } | ||
| 148 | |||
| 149 | -static void | ||
| 150 | +static grub_err_t | ||
| 151 | grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) | ||
| 152 | { | ||
| 153 | int h1, h2, qt; | ||
| 154 | @@ -519,6 +556,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) | ||
| 155 | data->dc_value[id] += | ||
| 156 | grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1)); | ||
| 157 | |||
| 158 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 159 | + return grub_errno; | ||
| 160 | + | ||
| 161 | du[0] = data->dc_value[id] * (int) data->quan_table[qt][0]; | ||
| 162 | pos = 1; | ||
| 163 | while (pos < ARRAY_SIZE (data->quan_table[qt])) | ||
| 164 | @@ -533,11 +573,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) | ||
| 165 | num >>= 4; | ||
| 166 | pos += num; | ||
| 167 | |||
| 168 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 169 | + return grub_errno; | ||
| 170 | + | ||
| 171 | if (pos >= ARRAY_SIZE (jpeg_zigzag_order)) | ||
| 172 | { | ||
| 173 | - grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 174 | - "jpeg: invalid position in zigzag order!?"); | ||
| 175 | - return; | ||
| 176 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 177 | + "jpeg: invalid position in zigzag order!?"); | ||
| 178 | } | ||
| 179 | |||
| 180 | du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; | ||
| 181 | @@ -545,6 +587,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) | ||
| 182 | } | ||
| 183 | |||
| 184 | grub_jpeg_idct_transform (du); | ||
| 185 | + return GRUB_ERR_NONE; | ||
| 186 | } | ||
| 187 | |||
| 188 | static void | ||
| 189 | @@ -603,7 +646,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) | ||
| 190 | data_offset += grub_jpeg_get_word (data); | ||
| 191 | |||
| 192 | cc = grub_jpeg_get_byte (data); | ||
| 193 | - | ||
| 194 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 195 | + return grub_errno; | ||
| 196 | if (cc != 3 && cc != 1) | ||
| 197 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 198 | "jpeg: component count must be 1 or 3"); | ||
| 199 | @@ -616,7 +660,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) | ||
| 200 | id = grub_jpeg_get_byte (data) - 1; | ||
| 201 | if ((id < 0) || (id >= 3)) | ||
| 202 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index"); | ||
| 203 | - | ||
| 204 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 205 | + return grub_errno; | ||
| 206 | ht = grub_jpeg_get_byte (data); | ||
| 207 | data->comp_index[id][1] = (ht >> 4); | ||
| 208 | data->comp_index[id][2] = (ht & 0xF) + 2; | ||
| 209 | @@ -624,11 +669,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) | ||
| 210 | if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) || | ||
| 211 | (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3)) | ||
| 212 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index"); | ||
| 213 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 214 | + return grub_errno; | ||
| 215 | } | ||
| 216 | |||
| 217 | grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */ | ||
| 218 | grub_jpeg_get_word (data); | ||
| 219 | - | ||
| 220 | + if (grub_errno != GRUB_ERR_NONE) | ||
| 221 | + return grub_errno; | ||
| 222 | if (data->file->offset != data_offset) | ||
| 223 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos"); | ||
| 224 | |||
| 225 | @@ -646,6 +694,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| 226 | { | ||
| 227 | unsigned c1, vb, hb, nr1, nc1; | ||
| 228 | int rst = data->dri; | ||
| 229 | + grub_err_t err = GRUB_ERR_NONE; | ||
| 230 | |||
| 231 | vb = 8 << data->log_vs; | ||
| 232 | hb = 8 << data->log_hs; | ||
| 233 | @@ -666,17 +715,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| 234 | |||
| 235 | for (r2 = 0; r2 < (1U << data->log_vs); r2++) | ||
| 236 | for (c2 = 0; c2 < (1U << data->log_hs); c2++) | ||
| 237 | - grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]); | ||
| 238 | + { | ||
| 239 | + err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]); | ||
| 240 | + if (err != GRUB_ERR_NONE) | ||
| 241 | + return err; | ||
| 242 | + } | ||
| 243 | |||
| 244 | if (data->color_components >= 3) | ||
| 245 | { | ||
| 246 | - grub_jpeg_decode_du (data, 1, data->cbdu); | ||
| 247 | - grub_jpeg_decode_du (data, 2, data->crdu); | ||
| 248 | + err = grub_jpeg_decode_du (data, 1, data->cbdu); | ||
| 249 | + if (err != GRUB_ERR_NONE) | ||
| 250 | + return err; | ||
| 251 | + err = grub_jpeg_decode_du (data, 2, data->crdu); | ||
| 252 | + if (err != GRUB_ERR_NONE) | ||
| 253 | + return err; | ||
| 254 | } | ||
| 255 | |||
| 256 | - if (grub_errno) | ||
| 257 | - return grub_errno; | ||
| 258 | - | ||
| 259 | nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb; | ||
| 260 | nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb; | ||
| 261 | |||
| 262 | -- | ||
| 263 | 2.34.1 | ||
| 264 | |||
diff --git a/meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch b/meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch new file mode 100644 index 0000000000..91ecaad98a --- /dev/null +++ b/meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | From 166a4d61448f74745afe1dac2f2cfb85d04909bf Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Axtens <dja@axtens.net> | ||
| 3 | Date: Mon, 28 Jun 2021 14:25:17 +1000 | ||
| 4 | Subject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of | ||
| 5 | streams | ||
| 6 | |||
| 7 | An invalid file could contain multiple start of stream blocks, which | ||
| 8 | would cause us to reallocate and leak our bitmap. Refuse to handle | ||
| 9 | multiple start of streams. | ||
| 10 | |||
| 11 | Additionally, fix a grub_error() call formatting. | ||
| 12 | |||
| 13 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| 14 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 15 | |||
| 16 | Upstream-Status: Backport | ||
| 17 | |||
| 18 | Reference to upstream patch: | ||
| 19 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=166a4d61448f74745afe1dac2f2cfb85d04909bf | ||
| 20 | |||
| 21 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| 22 | --- | ||
| 23 | grub-core/video/readers/jpeg.c | 7 +++++-- | ||
| 24 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 25 | |||
| 26 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
| 27 | index 2284a6c06..579bbe8a4 100644 | ||
| 28 | --- a/grub-core/video/readers/jpeg.c | ||
| 29 | +++ b/grub-core/video/readers/jpeg.c | ||
| 30 | @@ -683,6 +683,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) | ||
| 31 | if (data->file->offset != data_offset) | ||
| 32 | return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos"); | ||
| 33 | |||
| 34 | + if (*data->bitmap) | ||
| 35 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks"); | ||
| 36 | + | ||
| 37 | if (grub_video_bitmap_create (data->bitmap, data->image_width, | ||
| 38 | data->image_height, | ||
| 39 | GRUB_VIDEO_BLIT_FORMAT_RGB_888)) | ||
| 40 | @@ -705,8 +708,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| 41 | nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs); | ||
| 42 | |||
| 43 | if (data->bitmap_ptr == NULL) | ||
| 44 | - return grub_error(GRUB_ERR_BAD_FILE_TYPE, | ||
| 45 | - "jpeg: attempted to decode data before start of stream"); | ||
| 46 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| 47 | + "jpeg: attempted to decode data before start of stream"); | ||
| 48 | |||
| 49 | for (; data->r1 < nr1 && (!data->dri || rst); | ||
| 50 | data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
| 51 | -- | ||
| 52 | 2.34.1 | ||
| 53 | |||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 45852ab9b1..47ea561002 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
| @@ -22,6 +22,16 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
| 22 | file://0001-RISC-V-Restore-the-typcast-to-long.patch \ | 22 | file://0001-RISC-V-Restore-the-typcast-to-long.patch \ |
| 23 | file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \ | 23 | file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \ |
| 24 | file://0001-configure.ac-Use-_zicsr_zifencei-extentions-on-riscv.patch \ | 24 | file://0001-configure.ac-Use-_zicsr_zifencei-extentions-on-riscv.patch \ |
| 25 | file://video-Remove-trailing-whitespaces.patch \ | ||
| 26 | file://CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch \ | ||
| 27 | file://CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch \ | ||
| 28 | file://video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch \ | ||
| 29 | file://video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch \ | ||
| 30 | file://CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch \ | ||
| 31 | file://CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch \ | ||
| 32 | file://CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch \ | ||
| 33 | file://CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch \ | ||
| 34 | file://CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch \ | ||
| 25 | " | 35 | " |
| 26 | 36 | ||
| 27 | SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" | 37 | SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" |