backport some patches from upstream

Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>

backport-disk-diskfilter-Check-calloc-result-for-NULL.patch

@@ -0,0 +1,37 @@
+From 12e20a6a695f4967b30a95bb52e4e2e0a10c9094 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sun, 21 Aug 2022 22:22:35 +1000
+Subject: [PATCH] disk/diskfilter: Check calloc() result for NULL
+
+With wildly corrupt inputs, we can end up trying to calloc a very
+large amount of memory, which will fail and give us a NULL pointer.
+We need to check that to avoid a crash. (And, even if we blocked
+such inputs, it is good practice to check the results of allocations
+anyway.)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=12e20a6a695f4967b30a95bb52e4e2e0a10c9094
+Conflict:NA
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/diskfilter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
+index 2edcff6e8..4ac50320e 100644
+--- a/grub-core/disk/diskfilter.c
++++ b/grub-core/disk/diskfilter.c
+@@ -1163,6 +1163,9 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
+   array->lvs->segments->raid_member_size = disk_size;
+   array->lvs->segments->nodes
+     = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
++  if (array->lvs->segments->nodes == NULL)
++    goto fail;
++
+   array->lvs->segments->stripe_size = stripe_size;
+   for (i = 0; i < nmemb; i++)
+     {
+-- 
+2.28.0.windows.1
+

backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch

@@ -0,0 +1,45 @@
+From 2a5e3c1f2aed88c2289fb595da8308e898b87915 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 19 Oct 2022 20:23:22 +1100
+Subject: [PATCH] disk/diskfilter: Don't make a RAID array with more than 1024
+ disks
+
+This is "belt and braces" with commit 12e20a6a695f (disk/diskfilter:
+Check calloc() result for NULL): we end up trying to use too much memory
+in situations like corrupted Linux software RAID setups purporting to
+use a huge number of disks. Simply refuse to permit such configurations.
+
+1024 is a bit arbitrary, yes, and I feel a bit like I'm tempting fate
+here, but I think 1024 disks in an array (that GRUB has to read to boot!)
+should be enough for anyone.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2a5e3c1f2aed88c2289fb595da8308e898b87915
+Conflict:NA
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/diskfilter.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
+index 4ac50320e..1c568927b 100644
+--- a/grub-core/disk/diskfilter.c
++++ b/grub-core/disk/diskfilter.c
+@@ -1046,6 +1046,13 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
+   struct grub_diskfilter_pv *pv;
+   grub_err_t err;
+ 
++  /* We choose not to support more than 1024 disks. */
++  if (nmemb < 1 || nmemb > 1024)
++    {
++      grub_free (uuid);
++      return NULL;
++    }
++
+   switch (level)
+     {
+     case 1:
+-- 
+2.28.0.windows.1
+

backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch

@@ -0,0 +1,48 @@
+From 7338cbe91a24ee9639597a0d8bebc32b8b46c26c Mon Sep 17 00:00:00 2001
+From: "t.feng" <fengtao40@huawei.com>
+Date: Tue, 29 Nov 2022 17:14:13 +0800
+Subject: [PATCH] fs/iso9660: Fix memory leaks in grub_iso9660_susp_iterate()
+
+Fixes: 99373ce47 (* grub-core/fs/iso9660.c: Remove nested functions)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=7338cbe91a24ee9639597a0d8bebc32b8b46c26c
+Conflict:NA
+
+Signed-off-by: t.feng <fengtao40@huawei.com>
+Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/iso9660.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 91817ec1f..df9f7783b 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -279,7 +279,10 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+   /* Load a part of the System Usage Area.  */
+   err = read_node (node, off, sua_size, sua);
+   if (err)
+-    return err;
++    {
++      grub_free (sua);
++      return err;
++    }
+ 
+   for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char *) sua + sua_size - 1 && entry->len > 0;
+        entry = (struct grub_iso9660_susp_entry *)
+@@ -309,7 +312,10 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+ 	  err = grub_disk_read (node->data->disk, ce_block, off,
+ 				sua_size, sua);
+ 	  if (err)
+-	    return err;
++	    {
++	      grub_free (sua);
++	      return err;
++	    }
+ 
+ 	  entry = (struct grub_iso9660_susp_entry *) sua;
+ 	}
+-- 
+2.28.0.windows.1
+

backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch

@@ -0,0 +1,67 @@
+From 98ae234000abdabf9db125c87a2db8b81157af72 Mon Sep 17 00:00:00 2001
+From: "t.feng" <fengtao40@huawei.com>
+Date: Tue, 29 Nov 2022 17:14:14 +0800
+Subject: [PATCH] fs/squash4: Fix memory leaks in grub_squash_iterate_dir()
+
+Fixes: 20dd511c8 (Handle "." and ".." on squashfs)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=98ae234000abdabf9db125c87a2db8b81157af72
+Conflict:NA
+
+Signed-off-by: t.feng <fengtao40@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/squash4.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 02b1f9b6d..a30e6ebe1 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -550,7 +550,10 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ 			  + node->stack[node->stsize - 1].ino_chunk,
+ 			  node->stack[node->stsize - 1].ino_offset);
+ 	if (err)
+-	  return 0;
++	  {
++	    grub_free (node);
++	    return 0;
++	  }
+ 
+ 	if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ 	  return 1;
+@@ -600,7 +603,10 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ 			    grub_le_to_cpu64 (dir->data->sb.diroffset)
+ 			    + chunk, off);
+ 	  if (err)
+-	    return 0;
++	    {
++	      grub_free (buf);
++	      return 0;
++	    }
+ 
+ 	  off += grub_le_to_cpu16 (di.namelen) + 1;
+ 	  buf[grub_le_to_cpu16 (di.namelen) + 1] = 0;
+@@ -612,11 +618,17 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ 	  if (grub_add (dir->stsize, 1, &sz) ||
+ 	      grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
+ 	      grub_add (sz, sizeof (*node), &sz))
+-	    return 0;
++	    {
++	      grub_free (buf);
++	      return 0;
++	    }
+ 
+ 	  node = grub_malloc (sz);
+ 	  if (! node)
+-	    return 0;
++	    {
++	      grub_free (buf);
++	      return 0;
++	    }
+ 
+ 	  grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
+ 
+-- 
+2.28.0.windows.1
+

backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch

@@ -0,0 +1,53 @@
+From 2e32d2357443d596d8d9067116152ec49be02a4a Mon Sep 17 00:00:00 2001
+From: "t.feng" <fengtao40@huawei.com>
+Date: Tue, 29 Nov 2022 17:14:15 +0800
+Subject: [PATCH] fs/xfs: Fix memory leaks in XFS module
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2e32d2357443d596d8d9067116152ec49be02a4a
+Conflict:NA
+
+Signed-off-by: t.feng <fengtao40@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/xfs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index d6de7f1a2..b67407690 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -585,7 +585,10 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+           if (grub_disk_read (node->data->disk,
+                               GRUB_XFS_FSB_TO_BLOCK (node->data, get_fsb (keys, i - 1 + recoffset)) << (node->data->sblock.log2_bsize - GRUB_DISK_SECTOR_BITS),
+                               0, node->data->bsize, leaf))
+-            return 0;
++            {
++              grub_free (leaf);
++              return 0;
++            }
+ 
+ 	  if ((!node->data->hascrc &&
+ 	       grub_strncmp ((char *) leaf->magic, "BMAP", 4)) ||
+@@ -751,6 +754,7 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,
+   if (err)
+     {
+       grub_print_error ();
++      grub_free (fdiro);
+       return 0;
+     }
+ 
+@@ -861,7 +865,10 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ 					  blk << dirblk_log2,
+ 					  dirblk_size, dirblock, 0);
+ 	    if (numread != dirblk_size)
+-	      return 0;
++	      {
++	        grub_free (dirblock);
++	        return 0;
++	      }
+ 
+ 	    entries = (grub_be_to_cpu32 (tail->leaf_count)
+ 		       - grub_be_to_cpu32 (tail->leaf_stale));
+-- 
+2.28.0.windows.1
+

backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch

@@ -0,0 +1,42 @@
+From 82ff9faa5bff5b3669bc4144bfc9b2279d344483 Mon Sep 17 00:00:00 2001
+From: Jagannathan Raman <jag.raman@oracle.com>
+Date: Mon, 17 Oct 2022 14:04:39 +0000
+Subject: [PATCH] kern/buffer: Handle NULL input pointer in grub_buffer_free()
+
+The grub_buffer_free() should handle NULL input pointer, similar to
+grub_free(). If the pointer is not referencing any memory location,
+grub_buffer_free() need not perform any function.
+
+Fixes: CID 396931
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=82ff9faa5bff5b3669bc4144bfc9b2279d344483
+Conflict:NA
+
+Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
+Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/buffer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
+index 9f5f8b867..a2587729c 100644
+--- a/grub-core/kern/buffer.c
++++ b/grub-core/kern/buffer.c
+@@ -49,8 +49,11 @@ grub_buffer_new (grub_size_t sz)
+ void
+ grub_buffer_free (grub_buffer_t buf)
+ {
+-  grub_free (buf->data);
+-  grub_free (buf);
++  if (buf != NULL)
++    {
++	grub_free (buf->data);
++	grub_free (buf);
++    }
+ }
+ 
+ grub_err_t
+-- 
+2.28.0.windows.1
+

backport-kern-file-Fix-error-handling-in-grub_file_open.patch

@@ -0,0 +1,41 @@
+From e375394fb9233fb1da13f7fb38e38d8aa83d1443 Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <steve@einval.com>
+Date: Tue, 6 Dec 2022 01:45:11 +0000
+Subject: kern/file: Fix error handling in grub_file_open()
+
+grub_file_open() calls grub_file_get_device_name(), but doesn't check
+the return. Instead, it checks if grub_errno is set.
+
+However, nothing initialises grub_errno here when grub_file_open()
+starts. This means that trying to open one file that doesn't exist and
+then trying to open another file that does will (incorrectly) also
+fail to open that second file.
+
+Let's fix that.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=e375394fb9233fb1da13f7fb38e38d8aa83d1443
+Conflict:NA
+
+Signed-off-by: Steve McIntyre <steve@einval.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index ed69fc0..70b3c62 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -66,6 +66,9 @@ grub_file_open (const char *name, enum grub_file_type type)
+   const char *file_name;
+   grub_file_filter_id_t filter;
+ 
++  /* Reset grub_errno before we start. */
++  grub_errno = GRUB_ERR_NONE;
++
+   grub_dprintf ("file", "Opening `%s' ...\n", name);
+ 
+   device_name = grub_file_get_device_name (name);
+-- 
+2.19.1
+

backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch

@@ -0,0 +1,157 @@
+From 544fd63f0f7a6b1e270ec88c4ece2c3e76b206f5 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 25 Nov 2022 15:37:35 +0800
+Subject: [PATCH] loader/linux: Ensure the newc pathname is NULL-terminated
+
+Per "man 5 cpio", the namesize in the cpio header includes the trailing
+NUL byte of the pathname and the pathname is followed by NUL bytes, but
+the current implementation ignores the trailing NUL byte when making
+the newc header. Although make_header() tries to pad the pathname string,
+the padding won't happen when strlen(name) + sizeof(struct newc_head)
+is a multiple of 4, and the non-NULL-terminated pathname may lead to
+unexpected results.
+
+Assume that a file is created with 'echo -n aaaa > /boot/test12' and
+loaded by grub2:
+
+    linux /boot/vmlinuz
+    initrd newc:test12:/boot/test12 /boot/initrd
+
+The initrd command eventually invoked grub_initrd_load() and sent
+'t''e''s''t''1''2' to make_header() to generate the header:
+
+00000070  30 37 30 37 30 31 33 30  31 43 41 30 44 45 30 30  |070701301CA0DE00|
+00000080  30 30 38 31 41 34 30 30  30 30 30 33 45 38 30 30  |0081A4000003E800|
+00000090  30 30 30 30 36 34 30 30  30 30 30 30 30 31 36 33  |0000640000000163|
+000000a0  37 36 45 34 35 32 30 30  30 30 30 30 30 34 30 30  |76E4520000000400|
+000000b0  30 30 30 30 30 38 30 30  30 30 30 30 31 33 30 30  |0000080000001300|
+000000c0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
+000000d0  30 30 30 30 30 36 30 30  30 30 30 30 30 30 74 65  |00000600000000te|
+                                                                  ^namesize
+000000e0  73 74 31 32 61 61 61 61  30 37 30 37 30 31 30 30  |st12aaaa07070100|
+                   ^^ end of the pathname
+
+Since strlen("test12") + sizeof(struct newc_head) is 116 = 29 * 4,
+make_header() didn't pad the pathname, and the file content followed
+"test12" immediately. This violates the cpio format and may trigger such
+error during linux boot:
+
+    Initramfs unpacking failed: ZSTD-compressed data is trunc
+
+To avoid the potential problems, this commit counts the trailing NUL byte
+in when calling make_header() and adjusts the initrd size accordingly.
+
+Now the header becomes
+
+00000070  30 37 30 37 30 31 33 30  31 43 41 30 44 45 30 30  |070701301CA0DE00|
+00000080  30 30 38 31 41 34 30 30  30 30 30 33 45 38 30 30  |0081A4000003E800|
+00000090  30 30 30 30 36 34 30 30  30 30 30 30 30 31 36 33  |0000640000000163|
+000000a0  37 36 45 34 35 32 30 30  30 30 30 30 30 34 30 30  |76E4520000000400|
+000000b0  30 30 30 30 30 38 30 30  30 30 30 30 31 33 30 30  |0000080000001300|
+000000c0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
+000000d0  30 30 30 30 30 37 30 30  30 30 30 30 30 30 74 65  |00000700000000te|
+                                                                  ^namesize
+000000e0  73 74 31 32 00 00 00 00  61 61 61 61 30 37 30 37  |st12....aaaa0707|
+                      ^^ end of the pathname
+
+Besides the trailing NUL byte, make_header() pads 3 more NUL bytes, and
+the user can safely read the pathname without a further check.
+
+To conform to the cpio format, the headers for "TRAILER!!!" are also
+adjusted to include the trailing NUL byte, not ignore it.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=544fd63f0f7a6b1e270ec88c4ece2c3e76b206f5
+Conflict:NA
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/linux.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index 830360172..3948302d2 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -127,12 +127,23 @@ insert_dir (const char *name, struct dir **root,
+ 	  n->name = grub_strndup (cb, ce - cb);
+ 	  if (ptr)
+ 	    {
++	      /*
++	       * Create the substring with the trailing NUL byte
++	       * to be included in the cpio header.
++	       */
++	      char *tmp_name = grub_strndup (name, ce - name);
++	      if (!tmp_name) {
++		grub_free (n->name);
++		grub_free (n);
++		return grub_errno;
++	      }
+ 	      grub_dprintf ("linux", "Creating directory %s, %s\n", name, ce);
+-	      ptr = make_header (ptr, name, ce - name,
++	      ptr = make_header (ptr, tmp_name, ce - name + 1,
+ 				 040777, 0);
++	      grub_free (tmp_name);
+ 	    }
+ 	  if (grub_add (*size,
+-		        ALIGN_UP ((ce - (char *) name)
++		        ALIGN_UP ((ce - (char *) name + 1)
+ 				  + sizeof (struct newc_head), 4),
+ 			size))
+ 	    {
+@@ -191,7 +202,7 @@ grub_initrd_init (int argc, char *argv[],
+ 		  grub_initrd_close (initrd_ctx);
+ 		  return grub_errno;
+ 		}
+-	      name_len = grub_strlen (initrd_ctx->components[i].newc_name);
++	      name_len = grub_strlen (initrd_ctx->components[i].newc_name) + 1;
+ 	      if (grub_add (initrd_ctx->size,
+ 			    ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
+ 			    &initrd_ctx->size) ||
+@@ -205,7 +216,7 @@ grub_initrd_init (int argc, char *argv[],
+ 	{
+ 	  if (grub_add (initrd_ctx->size,
+ 			ALIGN_UP (sizeof (struct newc_head)
+-				  + sizeof ("TRAILER!!!") - 1, 4),
++				  + sizeof ("TRAILER!!!"), 4),
+ 			&initrd_ctx->size))
+ 	    goto overflow;
+ 	  free_dir (root);
+@@ -233,7 +244,7 @@ grub_initrd_init (int argc, char *argv[],
+       initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
+       if (grub_add (initrd_ctx->size,
+ 		    ALIGN_UP (sizeof (struct newc_head)
+-			      + sizeof ("TRAILER!!!") - 1, 4),
++			      + sizeof ("TRAILER!!!"), 4),
+ 		    &initrd_ctx->size))
+ 	goto overflow;
+       free_dir (root);
+@@ -297,14 +308,14 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+ 	    }
+ 	  ptr += dir_size;
+ 	  ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
+-			     grub_strlen (initrd_ctx->components[i].newc_name),
++			     grub_strlen (initrd_ctx->components[i].newc_name) + 1,
+ 			     0100777,
+ 			     initrd_ctx->components[i].size);
+ 	  newc = 1;
+ 	}
+       else if (newc)
+ 	{
+-	  ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1,
++	  ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"),
+ 			     0, 0);
+ 	  free_dir (root);
+ 	  root = 0;
+@@ -327,7 +338,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+     {
+       grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
+       ptr += ALIGN_UP_OVERHEAD (cursize, 4);
+-      ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
++      ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"), 0, 0);
+     }
+   free_dir (root);
+   root = 0;
+-- 
+2.28.0.windows.1
+

backport-loader-multiboot_elfxx-Fix-memory-leak.patch

@@ -0,0 +1,94 @@
+From 113142939172bda9759d4d2e5a053911821d2faf Mon Sep 17 00:00:00 2001
+From: "t.feng" <fengtao40@huawei.com>
+Date: Thu, 10 Nov 2022 15:01:15 +0800
+Subject: loader/multiboot_elfxx: Fix memory leak
+
+The commit eb33e61b3 (multiboot: fix memory leak) did not fix all
+issues. Fix all of them right now.
+
+Fixes: eb33e61b3 (multiboot: fix memory leak)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=113142939172bda9759d4d2e5a053911821d2faf
+Conflict:NA
+
+Signed-off-by: t.feng <fengtao40@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/multiboot_elfxx.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
+index 87f6e31..57330a0 100644
+--- a/grub-core/loader/multiboot_elfxx.c
++++ b/grub-core/loader/multiboot_elfxx.c
+@@ -220,10 +220,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ 	return grub_errno;
+       
+       if (grub_file_seek (mld->file, ehdr->e_shoff) == (grub_off_t) -1)
+-	{
+-	  grub_free (shdr);
+-	  return grub_errno;
+-	}
++	goto fail;
+ 
+       if (grub_file_read (mld->file, shdr, (grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize)
+               != (grub_ssize_t) ehdr->e_shnum * ehdr->e_shentsize)
+@@ -231,7 +228,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ 	  if (!grub_errno)
+ 	    grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
+ 			mld->filename);
+-	  return grub_errno;
++	  goto fail;
+ 	}
+       
+       for (shdrptr = shdr, i = 0; i < ehdr->e_shnum;
+@@ -242,7 +239,10 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ 	  grub_addr_t target;
+ 
+ 	  if (mld->mbi_ver >= 2 && (sh->sh_type == SHT_REL || sh->sh_type == SHT_RELA))
+-	    return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "ELF files with relocs are not supported yet");
++	    {
++	      grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "ELF files with relocs are not supported yet");
++	      goto fail;
++	    }
+ 
+ 	  /* This section is a loaded section,
+ 	     so we don't care.  */
+@@ -261,13 +261,14 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ 	  if (err)
+ 	    {
+ 	      grub_dprintf ("multiboot_loader", "Error loading shdr %d\n", i);
+-	      return err;
++	      grub_errno = err;
++	      goto fail;
+ 	    }
+ 	  src = get_virtual_current_address (ch);
+ 	  target = get_physical_target_address (ch);
+ 
+ 	  if (grub_file_seek (mld->file, sh->sh_offset) == (grub_off_t) -1)
+-	    return grub_errno;
++	    goto fail;
+ 
+           if (grub_file_read (mld->file, src, sh->sh_size)
+               != (grub_ssize_t) sh->sh_size)
+@@ -275,12 +276,16 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ 	      if (!grub_errno)
+ 		grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
+ 			    mld->filename);
+-	      return grub_errno;
++	      goto fail;
+ 	    }
+ 	  sh->sh_addr = target;
+ 	}
+       GRUB_MULTIBOOT (add_elfsyms) (ehdr->e_shnum, ehdr->e_shentsize,
+ 				    ehdr->e_shstrndx, shdr);
++      return GRUB_ERR_NONE;
++
++fail:
++      grub_free (shdr);
+     }
+ 
+ #undef phdr
+-- 
+2.19.1
+

backport-normal-cmdline-Fix-two-related-integer-underflows.patch

@@ -0,0 +1,83 @@
+From 77afd25f8065bfbf5cc7848855006cd5260aeb9f Mon Sep 17 00:00:00 2001
+From: Ryan Cohen <rcohenprogramming@gmail.com>
+Date: Sat, 26 Nov 2022 17:22:52 -0500
+Subject: [PATCH] normal/cmdline: Fix two related integer underflows
+
+An unchecked decrement operation in cl_print() would cause a few
+integers to underflow. Where an output terminal's state is stored in
+cl_term, the values cl_term->ystart and cl_term->pos.y both underflow.
+
+This can be replicated with the following steps:
+
+1. Get to the GRUB command line
+2. Hold down the "d" key (or any key that enters a visible character)
+   until it fills the entire row
+3. Press "HOME" and then press "CTRL-k". This will clear every
+   character entered in step 2
+4. Continuously press "CTRL-y" until the terminal scrolls the original
+   prompt ("grub> ") passed the terminal's top row. Now, no prompt
+   should be visible. This step causes cl_term->ystart to underflow
+5. Press "HOME" and then "d" (or any visible character). This can have
+   different visual effects for different systems, but it will always
+   cause cl_term->pos.y to underflow
+
+On BIOS systems, these underflows cause the output terminal to
+completely stop displaying anything. Characters can still be
+entered and commands can be run, but nothing will display on the
+terminal. From here, you can only get the display working by running
+a command to switch the current output terminal to a different type:
+
+terminal_output <OTHER_TERMINAL>
+
+On UEFI systems, these replication steps do not break the output
+terminal. Until you press "ENTER", the cursor stops responding to input,
+but you can press "ENTER" after step 5 and the command line will
+work properly again. This patch is mostly important for BIOS systems
+where the output terminal is rendered unusable after the underflows
+occur.
+
+This patch adds two checks, one for each variable. It ensures that
+cl_term->ystart does not decrement passed 0. It also ensures that
+cl_term->pos.y does not get set passed the terminal's bottom row.
+
+When the previously listed replication steps are followed with this
+patch, the terminal's cursor will be set to the top row and the command
+line is still usable, even on BIOS systems.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=77afd25f8065bfbf5cc7848855006cd5260aeb9f
+Conflict:NA
+
+Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/normal/cmdline.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index 61f098244..9c6d9ade9 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -219,6 +219,8 @@ cl_set_pos (struct cmdline_term *cl_term, grub_size_t lpos)
+   cl_term->pos.x = (cl_term->prompt_len + lpos) % cl_term->width;
+   cl_term->pos.y = cl_term->ystart
+     + (cl_term->prompt_len + lpos) / cl_term->width;
++  if (cl_term->pos.y >= cl_term->height)
++    cl_term->pos.y = cl_term->height - 1;
+   grub_term_gotoxy (cl_term->term, cl_term->pos);
+ }
+ 
+@@ -248,7 +250,10 @@ cl_print (struct cmdline_term *cl_term, grub_uint32_t c,
+ 	{
+ 	  cl_term->pos.x = 0;
+ 	  if (cl_term->pos.y >= (unsigned) (cl_term->height - 1))
+-	    cl_term->ystart--;
++	    {
++	      if (cl_term->ystart > 0)
++		cl_term->ystart--;
++	    }
+ 	  else
+ 	    cl_term->pos.y++;
+ 	  grub_putcode ('\n', cl_term->term);
+-- 
+2.28.0.windows.1
+

backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch

@@ -0,0 +1,36 @@
+From 108a3865f43330b581d35b9cf6ecb1e0a1da5d49 Mon Sep 17 00:00:00 2001
+From: Ryan Cohen <rcohenprogramming@gmail.com>
+Date: Sat, 26 Nov 2022 17:22:51 -0500
+Subject: [PATCH] term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA
+ text buffer
+
+Coordinates passed to screen_write_char() did not have any checks to
+ensure they are not out-of-bounds. This adds an if statement to prevent
+out-of-bounds writes to the VGA text buffer.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=108a3865f43330b581d35b9cf6ecb1e0a1da5d49
+Conflict:NA
+
+Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/term/i386/pc/vga_text.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/term/i386/pc/vga_text.c b/grub-core/term/i386/pc/vga_text.c
+index 669d06fad..b88fa9d2e 100644
+--- a/grub-core/term/i386/pc/vga_text.c
++++ b/grub-core/term/i386/pc/vga_text.c
+@@ -63,7 +63,8 @@ static grub_uint8_t cur_color = 0x7;
+ static void
+ screen_write_char (int x, int y, short c)
+ {
+-  VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
++  if (x < COLS && y < ROWS && x >= 0 && y >= 0)
++    VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
+ }
+ 
+ static short
+-- 
+2.28.0.windows.1
+

grub.patches

@@ -293,3 +293,14 @@ Patch0291: disable-some-unsupported-filesystems.patch
 %ifarch loongarch64
 Patch0292: loongarch-Modify-the-location-where-initrd-is-loaded.patch
 %endif
+Patch0293: backport-disk-diskfilter-Check-calloc-result-for-NULL.patch
+Patch0294: backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch
+Patch0295: backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch
+Patch0296: backport-loader-multiboot_elfxx-Fix-memory-leak.patch
+Patch0297: backport-normal-cmdline-Fix-two-related-integer-underflows.patch
+Patch0298: backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch
+Patch0299: backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
+Patch0300: backport-kern-file-Fix-error-handling-in-grub_file_open.patch
+Patch0301: backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch
+Patch0302: backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch
+Patch0303: backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch

grub2.spec

@@ -14,7 +14,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	20
+Release:	21
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -439,6 +439,22 @@ fi
 %{_datadir}/man/man*
 
 %changelog
+* Mon Feb 6 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.06-21
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:disk/diskfilter: Check calloc() result for NULL
+       kern/buffer: Handle NULL input pointer in grub_buffer_free()
+       disk/diskfilter: Don't make a RAID array with more than 1024 disks
+       loader/multiboot_elfxx: Fix memory leak
+       loader/linux: Ensure the newc pathname is NULL-terminated
+       term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer
+       normal/cmdline: Fix two related integer underflows
+       fs/iso9660: Fix memory leaks in grub_iso9660_susp_iterate()
+       fs/squash4: Fix memory leaks in grub_squash_iterate_dir()
+       fs/xfs: Fix memory leaks in XFS module
+       kern/file: Fix error handling in grub_file_open()
+
 * Thu Feb 2 2023 mengyingkun <mengyingkun@loongson.cn> - 1:2.06-20
 - Type:bugfix
 - CVE:NA