1 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
new file mode 100644
index 0000000000..9a2ca50d02
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
@@ -0,0 +1,75 @@
+From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
+From: Jonathan Bar Or <jonathanbaror@gmail.com>
+Date: Thu, 23 Jan 2025 19:17:05 +0100
+Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
+ than 2^31 characters
+The grub_getline() function currently has a signed integer variable "i"
+that can be overflown when user supplies more than 2^31 characters.
+It results in a memory corruption of the allocated line buffer as well
+as supplying large negative values to grub_realloc().
+Fixes: CVE-2025-0690
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+CVE: CVE-2025-0690
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/read.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
+index fe3e88b..f3ff826 100644
+--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
+@@ -25,19 +25,21 @@
+ #include <grub/types.h>
+ #include <grub/command.h>
+ #include <grub/i18n.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static char *
+ grub_getline (void)
+ {
+-  int i;
+  grub_size_t i;
+   char *line;
+   char *tmp;
+   char c;
+  grub_size_t alloc_size;
+ 
+   i = 0;
+-  line = grub_malloc (1 + i + sizeof('\0'));
+  line = grub_malloc (1 + sizeof('\0'));
+   if (! line)
+     return NULL;
+ 
+@@ -50,8 +52,17 @@ grub_getline (void)
+       line[i] = c;
+       if (grub_isprint (c))
+        grub_printf ("%c", c);
+-      i++;
+-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+      if (grub_add (i, 1, &i))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      tmp = grub_realloc (line, alloc_size);
+       if (! tmp)
+        {
+          grub_free (line);
+-- 
+2.25.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch new file mode 100644 index 0000000000..9a2ca50d02 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
@@ -0,0 +1,75 @@
	1	From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
	2	From: Jonathan Bar Or <jonathanbaror@gmail.com>
	3	Date: Thu, 23 Jan 2025 19:17:05 +0100
	4	Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
	5	than 2^31 characters
	6
	7	The grub_getline() function currently has a signed integer variable "i"
	8	that can be overflown when user supplies more than 2^31 characters.
	9	It results in a memory corruption of the allocated line buffer as well
	10	as supplying large negative values to grub_realloc().
	11
	12	Fixes: CVE-2025-0690
	13
	14	Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
	15	Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
	16	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	17
	18	CVE: CVE-2025-0690
	19	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
	20	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	21	---
	22	grub-core/commands/read.c \| 19 +++++++++++++++----
	23	1 file changed, 15 insertions(+), 4 deletions(-)
	24
	25	diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
	26	index fe3e88b..f3ff826 100644
	27	--- a/grub-core/commands/read.c
	28	+++ b/grub-core/commands/read.c
	29	@@ -25,19 +25,21 @@
	30	#include <grub/types.h>
	31	#include <grub/command.h>
	32	#include <grub/i18n.h>
	33	+#include <grub/safemath.h>
	34
	35	GRUB_MOD_LICENSE ("GPLv3+");
	36
	37	static char *
	38	grub_getline (void)
	39	{
	40	- int i;
	41	+ grub_size_t i;
	42	char *line;
	43	char *tmp;
	44	char c;
	45	+ grub_size_t alloc_size;
	46
	47	i = 0;
	48	- line = grub_malloc (1 + i + sizeof('\0'));
	49	+ line = grub_malloc (1 + sizeof('\0'));
	50	if (! line)
	51	return NULL;
	52
	53	@@ -50,8 +52,17 @@ grub_getline (void)
	54	line[i] = c;
	55	if (grub_isprint (c))
	56	grub_printf ("%c", c);
	57	- i++;
	58	- tmp = grub_realloc (line, 1 + i + sizeof('\0'));
	59	+ if (grub_add (i, 1, &i))
	60	+ {
	61	+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
	62	+ return NULL;
	63	+ }
	64	+ if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
	65	+ {
	66	+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
	67	+ return NULL;
	68	+ }
	69	+ tmp = grub_realloc (line, alloc_size);
	70	if (! tmp)
	71	{
	72	grub_free (line);
	73	--
	74	2.25.1
	75