diff --git a/backport-disk-diskfilter-Check-calloc-result-for-NULL.patch b/backport-disk-diskfilter-Check-calloc-result-for-NULL.patch
new file mode 100644
index 0000000..fc392f2
--- /dev/null
+++ b/backport-disk-diskfilter-Check-calloc-result-for-NULL.patch
@@ -0,0 +1,37 @@
+From 12e20a6a695f4967b30a95bb52e4e2e0a10c9094 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Sun, 21 Aug 2022 22:22:35 +1000
+Subject: [PATCH] disk/diskfilter: Check calloc() result for NULL
+
+With wildly corrupt inputs, we can end up trying to calloc a very
+large amount of memory, which will fail and give us a NULL pointer.
+We need to check that to avoid a crash. (And, even if we blocked
+such inputs, it is good practice to check the results of allocations
+anyway.)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=12e20a6a695f4967b30a95bb52e4e2e0a10c9094
+Conflict:NA
+
+Signed-off-by: Daniel Axtens
+Reviewed-by: Daniel Kiper
+---
+ grub-core/disk/diskfilter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
+index 2edcff6e8..4ac50320e 100644
+--- a/grub-core/disk/diskfilter.c
++++ b/grub-core/disk/diskfilter.c
+@@ -1163,6 +1163,9 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
+ array->lvs->segments->raid_member_size = disk_size;
+ array->lvs->segments->nodes
+ = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
++ if (array->lvs->segments->nodes == NULL)
++ goto fail;
++
+ array->lvs->segments->stripe_size = stripe_size;
+ for (i = 0; i < nmemb; i++)
+ {
+--
+2.28.0.windows.1
+
diff --git a/backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch b/backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch
new file mode 100644
index 0000000..4326f32
--- /dev/null
+++ b/backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch
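Review bot: The new `goto fail` sends a NULL `nodes` allocation to a label outside this hunk, so whether that path frees the already-allocated `array->lvs->segments` and the `uuid` whose ownership was handed to `array` cannot be confirmed from here; if it does not, the check turns a NULL dereference on corrupt metadata into a leak of the partially built array. Please confirm the label's cleanup covers both, and once it does add a short comment above the check such as `/* fail releases everything allocated for array so far, uuid included. */` so the next reader does not have to re-derive it. grub_diskfilter_make_raid starts and ends outside the hunk.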
@@ -0,0 +1,45 @@
+From 2a5e3c1f2aed88c2289fb595da8308e898b87915 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Wed, 19 Oct 2022 20:23:22 +1100
+Subject: [PATCH] disk/diskfilter: Don't make a RAID array with more than 1024
+ disks
+
+This is "belt and braces" with commit 12e20a6a695f (disk/diskfilter:
+Check calloc() result for NULL): we end up trying to use too much memory
+in situations like corrupted Linux software RAID setups purporting to
+use a huge number of disks. Simply refuse to permit such configurations.
+
+1024 is a bit arbitrary, yes, and I feel a bit like I'm tempting fate
+here, but I think 1024 disks in an array (that GRUB has to read to boot!)
+should be enough for anyone.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2a5e3c1f2aed88c2289fb595da8308e898b87915
+Conflict:NA
+
+Signed-off-by: Daniel Axtens
+Reviewed-by: Daniel Kiper
+---
+ grub-core/disk/diskfilter.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
+index 4ac50320e..1c568927b 100644
+--- a/grub-core/disk/diskfilter.c
++++ b/grub-core/disk/diskfilter.c
+@@ -1046,6 +1046,13 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
+ struct grub_diskfilter_pv *pv;
+ grub_err_t err;
+
++ /* We choose not to support more than 1024 disks. */
++ if (nmemb < 1 || nmemb > 1024)
++ {
++ grub_free (uuid);
++ return NULL;
++ }
++
+ switch (level)
+ {
+ case 1:
+--
+2.28.0.windows.1
+
diff --git a/backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch b/backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch
new file mode 100644
index 0000000..81bb3fa
--- /dev/null
+++ b/backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch
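Review bot: `1024` is written twice in the new code, once in the comment and once in the condition, with no named constant, so the two will drift the first time the limit is tuned; a file-scope define (name constructed, e.g. `GRUB_DISKFILTER_MAX_DISKS`) and `if (nmemb < 1 || nmemb > GRUB_DISKFILTER_MAX_DISKS)` keep it in one place. The early path frees `uuid`, which implies the callers transfer ownership on entry; that is worth stating next to the free, e.g. `/* uuid is ours on entry; no array will adopt it, so release it. */`, since the callers are outside the hunk and a reader cannot see the contract. The new early `return NULL` leaves `grub_errno` untouched, so callers that distinguish "rejected" from "out of memory" only by `grub_errno` cannot; hedged, as those callers are not visible here.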
@@ -0,0 +1,48 @@
+From 7338cbe91a24ee9639597a0d8bebc32b8b46c26c Mon Sep 17 00:00:00 2001
+From: "t.feng"
+Date: Tue, 29 Nov 2022 17:14:13 +0800
+Subject: [PATCH] fs/iso9660: Fix memory leaks in grub_iso9660_susp_iterate()
+
+Fixes: 99373ce47 (* grub-core/fs/iso9660.c: Remove nested functions)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=7338cbe91a24ee9639597a0d8bebc32b8b46c26c
+Conflict:NA
+
+Signed-off-by: t.feng
+Reviewed-by: Thomas Schmitt
+Reviewed-by: Daniel Kiper
+---
+ grub-core/fs/iso9660.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 91817ec1f..df9f7783b 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -279,7 +279,10 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+ /* Load a part of the System Usage Area. */
+ err = read_node (node, off, sua_size, sua);
+ if (err)
+- return err;
++ {
++ grub_free (sua);
++ return err;
++ }
+
+ for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char *) sua + sua_size - 1 && entry->len > 0;
+ entry = (struct grub_iso9660_susp_entry *)
+@@ -309,7 +312,10 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+ err = grub_disk_read (node->data->disk, ce_block, off,
+ sua_size, sua);
+ if (err)
+- return err;
++ {
++ grub_free (sua);
++ return err;
++ }
+
+ entry = (struct grub_iso9660_susp_entry *) sua;
+ }
+--
+2.28.0.windows.1
+
diff --git a/backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch b/backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch
new file mode 100644
index 0000000..532b850
--- /dev/null
+++ b/backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch
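Review bot: Both hunks paste the same free-and-return block for `sua`, and the loop body between them, which is outside this view, may hold further early exits that still leak; a single cleanup label reached by `goto` from every failure point is the usual GRUB shape and makes a missed path impossible rather than unlikely. Concretely, `if (err) goto fail;` at both sites with `fail: grub_free (sua); return err;` at the end of grub_iso9660_susp_iterate would replace the duplicated blocks, provided the normal exit already releases `sua` the same way (not visible here). The same copy-per-site pattern recurs in the squash4 and xfs backports below, where a shared label would be cleaner too. The function starts and ends outside the hunk.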
@@ -0,0 +1,67 @@
+From 98ae234000abdabf9db125c87a2db8b81157af72 Mon Sep 17 00:00:00 2001
+From: "t.feng"
+Date: Tue, 29 Nov 2022 17:14:14 +0800
+Subject: [PATCH] fs/squash4: Fix memory leaks in grub_squash_iterate_dir()
+
+Fixes: 20dd511c8 (Handle "." and ".." on squashfs)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=98ae234000abdabf9db125c87a2db8b81157af72
+Conflict:NA
+
+Signed-off-by: t.feng
+Reviewed-by: Daniel Kiper
+---
+ grub-core/fs/squash4.c | 20 ++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 02b1f9b6d..a30e6ebe1 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -550,7 +550,10 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ + node->stack[node->stsize - 1].ino_chunk,
+ node->stack[node->stsize - 1].ino_offset);
+ if (err)
+- return 0;
++ {
++ grub_free (node);
++ return 0;
++ }
+
+ if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+@@ -600,7 +603,10 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ grub_le_to_cpu64 (dir->data->sb.diroffset)
+ + chunk, off);
+ if (err)
+- return 0;
++ {
++ grub_free (buf);
++ return 0;
++ }
+
+ off += grub_le_to_cpu16 (di.namelen) + 1;
+ buf[grub_le_to_cpu16 (di.namelen) + 1] = 0;
+@@ -612,11 +618,17 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ if (grub_add (dir->stsize, 1, &sz) ||
+ grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
+ grub_add (sz, sizeof (*node), &sz))
+- return 0;
++ {
++ grub_free (buf);
++ return 0;
++ }
+
+ node = grub_malloc (sz);
+ if (! node)
+- return 0;
++ {
++ grub_free (buf);
++ return 0;
++ }
+
+ grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
+
+--
+2.28.0.windows.1
+
diff --git a/backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch b/backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch
new file mode 100644
index 0000000..d5c229d
--- /dev/null
+++ b/backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch
@@ -0,0 +1,53 @@
+From 2e32d2357443d596d8d9067116152ec49be02a4a Mon Sep 17 00:00:00 2001
+From: "t.feng"
+Date: Tue, 29 Nov 2022 17:14:15 +0800
+Subject: [PATCH] fs/xfs: Fix memory leaks in XFS module
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2e32d2357443d596d8d9067116152ec49be02a4a
+Conflict:NA
+
+Signed-off-by: t.feng
+Reviewed-by: Daniel Kiper
+---
+ grub-core/fs/xfs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index d6de7f1a2..b67407690 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -585,7 +585,10 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ if (grub_disk_read (node->data->disk,
+ GRUB_XFS_FSB_TO_BLOCK (node->data, get_fsb (keys, i - 1 + recoffset)) << (node->data->sblock.log2_bsize - GRUB_DISK_SECTOR_BITS),
+ 0, node->data->bsize, leaf))
+- return 0;
++ {
++ grub_free (leaf);
++ return 0;
++ }
+
+ if ((!node->data->hascrc &&
+ grub_strncmp ((char *) leaf->magic, "BMAP", 4)) ||
+@@ -751,6 +754,7 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,
+ if (err)
+ {
+ grub_print_error ();
++ grub_free (fdiro);
+ return 0;
+ }
+
+@@ -861,7 +865,10 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ blk << dirblk_log2,
+ dirblk_size, dirblock, 0);
+ if (numread != dirblk_size)
+- return 0;
++ {
++ grub_free (dirblock);
++ return 0;
++ }
+
+ entries = (grub_be_to_cpu32 (tail->leaf_count)
+ - grub_be_to_cpu32 (tail->leaf_stale));
+--
+2.28.0.windows.1
+
diff --git a/backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch b/backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch
new file mode 100644
index 0000000..bca97f3
--- /dev/null
+++ b/backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch
@@ -0,0 +1,42 @@
+From 82ff9faa5bff5b3669bc4144bfc9b2279d344483 Mon Sep 17 00:00:00 2001
+From: Jagannathan Raman
+Date: Mon, 17 Oct 2022 14:04:39 +0000
+Subject: [PATCH] kern/buffer: Handle NULL input pointer in grub_buffer_free()
+
+The grub_buffer_free() should handle NULL input pointer, similar to
+grub_free(). If the pointer is not referencing any memory location,
+grub_buffer_free() need not perform any function.
+
+Fixes: CID 396931
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=82ff9faa5bff5b3669bc4144bfc9b2279d344483
+Conflict:NA
+
+Signed-off-by: Jagannathan Raman
+Reviewed-by: Ross Philipson
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/buffer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
+index 9f5f8b867..a2587729c 100644
+--- a/grub-core/kern/buffer.c
++++ b/grub-core/kern/buffer.c
+@@ -49,8 +49,11 @@ grub_buffer_new (grub_size_t sz)
+ void
+ grub_buffer_free (grub_buffer_t buf)
+ {
+- grub_free (buf->data);
+- grub_free (buf);
++ if (buf != NULL)
++ {
++ grub_free (buf->data);
++ grub_free (buf);
++ }
+ }
+
+ grub_err_t
+--
+2.28.0.windows.1
+
diff --git a/backport-kern-file-Fix-error-handling-in-grub_file_open.patch b/backport-kern-file-Fix-error-handling-in-grub_file_open.patch
new file mode 100644
index 0000000..fba00f9
--- /dev/null
+++ b/backport-kern-file-Fix-error-handling-in-grub_file_open.patch
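Review bot: The NULL guard is correct but wraps the entire body in a nested block; an early return `if (buf == NULL) return;` reads as the guard it is and keeps the two frees at function level, matching the `grub_free` semantics the commit message cites. The behaviour is now part of the contract, so the declaration of grub_buffer_free in its header (outside this change) should say so, e.g. `/* Release BUF and its storage; passing NULL is a no-op. */`, otherwise callers cannot tell that relying on it is intended.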
@@ -0,0 +1,41 @@
+From e375394fb9233fb1da13f7fb38e38d8aa83d1443 Mon Sep 17 00:00:00 2001
+From: Steve McIntyre
+Date: Tue, 6 Dec 2022 01:45:11 +0000
+Subject: kern/file: Fix error handling in grub_file_open()
+
+grub_file_open() calls grub_file_get_device_name(), but doesn't check
+the return. Instead, it checks if grub_errno is set.
+
+However, nothing initialises grub_errno here when grub_file_open()
+starts. This means that trying to open one file that doesn't exist and
+then trying to open another file that does will (incorrectly) also
+fail to open that second file.
+
+Let's fix that.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=e375394fb9233fb1da13f7fb38e38d8aa83d1443
+Conflict:NA
+
+Signed-off-by: Steve McIntyre
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index ed69fc0..70b3c62 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -66,6 +66,9 @@ grub_file_open (const char *name, enum grub_file_type type)
+ const char *file_name;
+ grub_file_filter_id_t filter;
+
++ /* Reset grub_errno before we start. */
++ grub_errno = GRUB_ERR_NONE;
++
+ grub_dprintf ("file", "Opening `%s' ...\n", name);
+
+ device_name = grub_file_get_device_name (name);
+--
+2.19.1
+
diff --git a/backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch b/backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
new file mode 100644
index 0000000..6612272
--- /dev/null
+++ b/backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
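Review bot: Clearing `grub_errno` unconditionally at the top of grub_file_open discards any error a caller still had pending, so a caller that opens a file between a failing operation and its check of `grub_errno` will now silently miss that failure; whether such a caller exists cannot be seen from this hunk, but the comment should at least say why the reset is required rather than only that it happens. Something like `/* grub_file_get_device_name () reports failure only through grub_errno; clear stale state so an earlier, unrelated error is not mistaken for one. */` ties the reset to the check below it and tells a future reader what would break if it were removed. grub_file_open continues past the hunk, so later error paths are not reviewed here.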
@@ -0,0 +1,157 @@
+From 544fd63f0f7a6b1e270ec88c4ece2c3e76b206f5 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Fri, 25 Nov 2022 15:37:35 +0800
+Subject: [PATCH] loader/linux: Ensure the newc pathname is NULL-terminated
+
+Per "man 5 cpio", the namesize in the cpio header includes the trailing
+NUL byte of the pathname and the pathname is followed by NUL bytes, but
+the current implementation ignores the trailing NUL byte when making
+the newc header. Although make_header() tries to pad the pathname string,
+the padding won't happen when strlen(name) + sizeof(struct newc_head)
+is a multiple of 4, and the non-NULL-terminated pathname may lead to
+unexpected results.
+
+Assume that a file is created with 'echo -n aaaa > /boot/test12' and
+loaded by grub2:
+
+ linux /boot/vmlinuz
+ initrd newc:test12:/boot/test12 /boot/initrd
+
+The initrd command eventually invoked grub_initrd_load() and sent
+'t''e''s''t''1''2' to make_header() to generate the header:
+
+00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00|
+00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800|
+00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163|
+000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400|
+000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300|
+000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
+000000d0 30 30 30 30 30 36 30 30 30 30 30 30 30 30 74 65 |00000600000000te|
+ ^namesize
+000000e0 73 74 31 32 61 61 61 61 30 37 30 37 30 31 30 30 |st12aaaa07070100|
+ ^^ end of the pathname
+
+Since strlen("test12") + sizeof(struct newc_head) is 116 = 29 * 4,
+make_header() didn't pad the pathname, and the file content followed
+"test12" immediately. This violates the cpio format and may trigger such
+error during linux boot:
+
+ Initramfs unpacking failed: ZSTD-compressed data is trunc
+
+To avoid the potential problems, this commit counts the trailing NUL byte
+in when calling make_header() and adjusts the initrd size accordingly.
+
+Now the header becomes
+
+00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00|
+00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800|
+00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163|
+000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400|
+000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300|
+000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
+000000d0 30 30 30 30 30 37 30 30 30 30 30 30 30 30 74 65 |00000700000000te|
+ ^namesize
+000000e0 73 74 31 32 00 00 00 00 61 61 61 61 30 37 30 37 |st12....aaaa0707|
+ ^^ end of the pathname
+
+Besides the trailing NUL byte, make_header() pads 3 more NUL bytes, and
+the user can safely read the pathname without a further check.
+
+To conform to the cpio format, the headers for "TRAILER!!!" are also
+adjusted to include the trailing NUL byte, not ignore it.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=544fd63f0f7a6b1e270ec88c4ece2c3e76b206f5
+Conflict:NA
+
+Signed-off-by: Gary Lin
+Reviewed-by: Daniel Kiper
+---
+ grub-core/loader/linux.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index 830360172..3948302d2 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -127,12 +127,23 @@ insert_dir (const char *name, struct dir **root,
+ n->name = grub_strndup (cb, ce - cb);
+ if (ptr)
+ {
++ /*
++ * Create the substring with the trailing NUL byte
++ * to be included in the cpio header.
++ */
++ char *tmp_name = grub_strndup (name, ce - name);
++ if (!tmp_name) {
++ grub_free (n->name);
++ grub_free (n);
++ return grub_errno;
++ }
+ grub_dprintf ("linux", "Creating directory %s, %s\n", name, ce);
+- ptr = make_header (ptr, name, ce - name,
++ ptr = make_header (ptr, tmp_name, ce - name + 1,
+ 040777, 0);
++ grub_free (tmp_name);
+ }
+ if (grub_add (*size,
+- ALIGN_UP ((ce - (char *) name)
++ ALIGN_UP ((ce - (char *) name + 1)
+ + sizeof (struct newc_head), 4),
+ size))
+ {
+@@ -191,7 +202,7 @@ grub_initrd_init (int argc, char *argv[],
+ grub_initrd_close (initrd_ctx);
+ return grub_errno;
+ }
+- name_len = grub_strlen (initrd_ctx->components[i].newc_name);
++ name_len = grub_strlen (initrd_ctx->components[i].newc_name) + 1;
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
+ &initrd_ctx->size) ||
+@@ -205,7 +216,7 @@ grub_initrd_init (int argc, char *argv[],
+ {
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head)
+- + sizeof ("TRAILER!!!") - 1, 4),
++ + sizeof ("TRAILER!!!"), 4),
+ &initrd_ctx->size))
+ goto overflow;
+ free_dir (root);
+@@ -233,7 +244,7 @@ grub_initrd_init (int argc, char *argv[],
+ initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head)
+- + sizeof ("TRAILER!!!") - 1, 4),
++ + sizeof ("TRAILER!!!"), 4),
+ &initrd_ctx->size))
+ goto overflow;
+ free_dir (root);
+@@ -297,14 +308,14 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+ }
+ ptr += dir_size;
+ ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
+- grub_strlen (initrd_ctx->components[i].newc_name),
++ grub_strlen (initrd_ctx->components[i].newc_name) + 1,
+ 0100777,
+ initrd_ctx->components[i].size);
+ newc = 1;
+ }
+ else if (newc)
+ {
+- ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1,
++ ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"),
+ 0, 0);
+ free_dir (root);
+ root = 0;
+@@ -327,7 +338,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+ {
+ grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
+ ptr += ALIGN_UP_OVERHEAD (cursize, 4);
+- ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
++ ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"), 0, 0);
+ }
+ free_dir (root);
+ root = 0;
+--
+2.28.0.windows.1
+
diff --git a/backport-loader-multiboot_elfxx-Fix-memory-leak.patch b/backport-loader-multiboot_elfxx-Fix-memory-leak.patch
new file mode 100644
index 0000000..4a7fb04
--- /dev/null
+++ b/backport-loader-multiboot_elfxx-Fix-memory-leak.patch
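Review bot: The new `tmp_name` allocation is checked, but `n->name = grub_strndup (cb, ce - cb);` on the first context line of the insert_dir hunk still is not, so on allocation failure a directory entry with a NULL name can be linked into the list and, presumably, compared against later lookups (the lookup loop is earlier in insert_dir, outside the hunk); the same two-line guard the patch adds for `tmp_name` belongs there too: `if (!n->name) { grub_free (n); return grub_errno; }`. The added `if (!tmp_name) {` puts the brace on the condition line while the surrounding code (`if (ptr)` followed by `{` on its own line, two lines above) uses GNU style, so the new block should match. The remaining hunks in grub_initrd_init and grub_initrd_load apply the `+ 1` consistently to both the size accounting and the headers, which is what keeps the two in step; insert_dir, grub_initrd_init and grub_initrd_load all begin and end outside their hunks.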
@@ -0,0 +1,94 @@
+From 113142939172bda9759d4d2e5a053911821d2faf Mon Sep 17 00:00:00 2001
+From: "t.feng"
+Date: Thu, 10 Nov 2022 15:01:15 +0800
+Subject: loader/multiboot_elfxx: Fix memory leak
+
+The commit eb33e61b3 (multiboot: fix memory leak) did not fix all
+issues. Fix all of them right now.
+
+Fixes: eb33e61b3 (multiboot: fix memory leak)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=113142939172bda9759d4d2e5a053911821d2faf
+Conflict:NA
+
+Signed-off-by: t.feng
+Reviewed-by: Daniel Kiper
+---
+ grub-core/loader/multiboot_elfxx.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
+index 87f6e31..57330a0 100644
+--- a/grub-core/loader/multiboot_elfxx.c
++++ b/grub-core/loader/multiboot_elfxx.c
+@@ -220,10 +220,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ return grub_errno;
+
+ if (grub_file_seek (mld->file, ehdr->e_shoff) == (grub_off_t) -1)
+- {
+- grub_free (shdr);
+- return grub_errno;
+- }
++ goto fail;
+
+ if (grub_file_read (mld->file, shdr, (grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize)
+ != (grub_ssize_t) ehdr->e_shnum * ehdr->e_shentsize)
+@@ -231,7 +228,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ if (!grub_errno)
+ grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
+ mld->filename);
+- return grub_errno;
++ goto fail;
+ }
+
+ for (shdrptr = shdr, i = 0; i < ehdr->e_shnum;
+@@ -242,7 +239,10 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ grub_addr_t target;
+
+ if (mld->mbi_ver >= 2 && (sh->sh_type == SHT_REL || sh->sh_type == SHT_RELA))
+- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "ELF files with relocs are not supported yet");
++ {
++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "ELF files with relocs are not supported yet");
++ goto fail;
++ }
+
+ /* This section is a loaded section,
+ so we don't care. */
+@@ -261,13 +261,14 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ if (err)
+ {
+ grub_dprintf ("multiboot_loader", "Error loading shdr %d\n", i);
+- return err;
++ grub_errno = err;
++ goto fail;
+ }
+ src = get_virtual_current_address (ch);
+ target = get_physical_target_address (ch);
+
+ if (grub_file_seek (mld->file, sh->sh_offset) == (grub_off_t) -1)
+- return grub_errno;
++ goto fail;
+
+ if (grub_file_read (mld->file, src, sh->sh_size)
+ != (grub_ssize_t) sh->sh_size)
+@@ -275,12 +276,16 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ if (!grub_errno)
+ grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
+ mld->filename);
+- return grub_errno;
++ goto fail;
+ }
+ sh->sh_addr = target;
+ }
+ GRUB_MULTIBOOT (add_elfsyms) (ehdr->e_shnum, ehdr->e_shentsize,
+ ehdr->e_shstrndx, shdr);
++ return GRUB_ERR_NONE;
++
++fail:
++ grub_free (shdr);
+ }
+
+ #undef phdr
+--
+2.19.1
+
diff --git a/backport-normal-cmdline-Fix-two-related-integer-underflows.patch b/backport-normal-cmdline-Fix-two-related-integer-underflows.patch
new file mode 100644
index 0000000..f86b2b4
--- /dev/null
+++ b/backport-normal-cmdline-Fix-two-related-integer-underflows.patch
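Review bot: The new `fail:` label ends at `grub_free (shdr);` and then drops out of the enclosing block past `#undef phdr` to whatever the function returns after the hunk (presumably `grub_errno`, not visible here), while the success path now returns `GRUB_ERR_NONE` explicitly; the error value therefore reaches the caller only through that fall-through, which nothing in the new code says. A one-line comment on the label, e.g. `/* Fall through to the function's final return; grub_errno carries the error. */`, makes the dependency explicit, and the `grub_errno = err;` added before the jump in the fourth hunk exists only to feed that return, so the same comment belongs there. The stored `shdr` is handed to `add_elfsyms` on the success path and must not be freed there, which the patch gets right. CONCAT(grub_multiboot_load_elf, XX) begins before the first hunk and ends after the last.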
@@ -0,0 +1,83 @@
+From 77afd25f8065bfbf5cc7848855006cd5260aeb9f Mon Sep 17 00:00:00 2001
+From: Ryan Cohen
+Date: Sat, 26 Nov 2022 17:22:52 -0500
+Subject: [PATCH] normal/cmdline: Fix two related integer underflows
+
+An unchecked decrement operation in cl_print() would cause a few
+integers to underflow. Where an output terminal's state is stored in
+cl_term, the values cl_term->ystart and cl_term->pos.y both underflow.
+
+This can be replicated with the following steps:
+
+1. Get to the GRUB command line
+2. Hold down the "d" key (or any key that enters a visible character)
+ until it fills the entire row
+3. Press "HOME" and then press "CTRL-k". This will clear every
+ character entered in step 2
+4. Continuously press "CTRL-y" until the terminal scrolls the original
+ prompt ("grub> ") passed the terminal's top row. Now, no prompt
+ should be visible. This step causes cl_term->ystart to underflow
+5. Press "HOME" and then "d" (or any visible character). This can have
+ different visual effects for different systems, but it will always
+ cause cl_term->pos.y to underflow
+
+On BIOS systems, these underflows cause the output terminal to
+completely stop displaying anything. Characters can still be
+entered and commands can be run, but nothing will display on the
+terminal. From here, you can only get the display working by running
+a command to switch the current output terminal to a different type:
+
+terminal_output
+
+On UEFI systems, these replication steps do not break the output
+terminal. Until you press "ENTER", the cursor stops responding to input,
+but you can press "ENTER" after step 5 and the command line will
+work properly again. This patch is mostly important for BIOS systems
+where the output terminal is rendered unusable after the underflows
+occur.
+
+This patch adds two checks, one for each variable. It ensures that
+cl_term->ystart does not decrement passed 0. It also ensures that
+cl_term->pos.y does not get set passed the terminal's bottom row.
+
+When the previously listed replication steps are followed with this
+patch, the terminal's cursor will be set to the top row and the command
+line is still usable, even on BIOS systems.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=77afd25f8065bfbf5cc7848855006cd5260aeb9f
+Conflict:NA
+
+Signed-off-by: Ryan Cohen
+Reviewed-by: Daniel Kiper
+---
+ grub-core/normal/cmdline.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index 61f098244..9c6d9ade9 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -219,6 +219,8 @@ cl_set_pos (struct cmdline_term *cl_term, grub_size_t lpos)
+ cl_term->pos.x = (cl_term->prompt_len + lpos) % cl_term->width;
+ cl_term->pos.y = cl_term->ystart
+ + (cl_term->prompt_len + lpos) / cl_term->width;
++ if (cl_term->pos.y >= cl_term->height)
++ cl_term->pos.y = cl_term->height - 1;
+ grub_term_gotoxy (cl_term->term, cl_term->pos);
+ }
+
+@@ -248,7 +250,10 @@ cl_print (struct cmdline_term *cl_term, grub_uint32_t c,
+ {
+ cl_term->pos.x = 0;
+ if (cl_term->pos.y >= (unsigned) (cl_term->height - 1))
+- cl_term->ystart--;
++ {
++ if (cl_term->ystart > 0)
++ cl_term->ystart--;
++ }
+ else
+ cl_term->pos.y++;
+ grub_putcode ('\n', cl_term->term);
+--
+2.28.0.windows.1
+
diff --git a/backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch b/backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch
new file mode 100644
index 0000000..93b53f9
--- /dev/null
+++ b/backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch
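Review bot: The clamp added to cl_set_pos pins `pos.y` to `height - 1` but leaves `ystart` as it was, so when `ystart + (prompt_len + lpos) / width` overshoots the last row the cursor is corrected while the value it was derived from is not, and the scroll decision in cl_print (second hunk) keeps working from that stale `ystart`; whether anything else re-synchronises it is outside the hunk. That asymmetry deserves a comment at the clamp, e.g. `/* ystart can lag the terminal after scrolling; keep the cursor on the last row rather than let pos.y run off the screen. */`, so the next reader does not mistake the clamp for a full fix. The `if (cl_term->ystart > 0)` guard in cl_print is the actual underflow fix and reads fine; both cl_set_pos and cl_print extend beyond their hunks.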
@@ -0,0 +1,36 @@
+From 108a3865f43330b581d35b9cf6ecb1e0a1da5d49 Mon Sep 17 00:00:00 2001
+From: Ryan Cohen
+Date: Sat, 26 Nov 2022 17:22:51 -0500
+Subject: [PATCH] term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA
+ text buffer
+
+Coordinates passed to screen_write_char() did not have any checks to
+ensure they are not out-of-bounds. This adds an if statement to prevent
+out-of-bounds writes to the VGA text buffer.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=108a3865f43330b581d35b9cf6ecb1e0a1da5d49
+Conflict:NA
+
+Signed-off-by: Ryan Cohen
+Reviewed-by: Daniel Kiper
+---
+ grub-core/term/i386/pc/vga_text.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/term/i386/pc/vga_text.c b/grub-core/term/i386/pc/vga_text.c
+index 669d06fad..b88fa9d2e 100644
+--- a/grub-core/term/i386/pc/vga_text.c
++++ b/grub-core/term/i386/pc/vga_text.c
+@@ -63,7 +63,8 @@ static grub_uint8_t cur_color = 0x7;
+ static void
+ screen_write_char (int x, int y, short c)
+ {
+- VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
++ if (x < COLS && y < ROWS && x >= 0 && y >= 0)
++ VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
+ }
+
+ static short
+--
+2.28.0.windows.1
+
diff --git a/grub.patches b/grub.patches
index 0dcd85d..201e68a 100644
--- a/grub.patches
+++ b/grub.patches
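Review bot: The new guard silently drops any out-of-range write, which is the right outcome for a memory-mapped text buffer but leaves the caller's bad coordinate invisible; ordering the tests as two ranges, `if (x >= 0 && x < COLS && y >= 0 && y < ROWS)`, reads more naturally than the mixed order in the hunk. Because `x` and `y` are `int`, the `>= 0` halves are what make the later `y * COLS + x` index safe against a negative value wrapping into memory before the buffer, and that is worth one line, e.g. `/* x and y are signed; reject negatives before they reach the index. */`. screen_write_char is fully inside the hunk.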
@@ -293,3 +293,14 @@ Patch0291: disable-some-unsupported-filesystems.patch
 %ifarch loongarch64
 Patch0292: loongarch-Modify-the-location-where-initrd-is-loaded.patch
 %endif
+Patch0293: backport-disk-diskfilter-Check-calloc-result-for-NULL.patch
+Patch0294: backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch
+Patch0295: backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch
+Patch0296: backport-loader-multiboot_elfxx-Fix-memory-leak.patch
+Patch0297: backport-normal-cmdline-Fix-two-related-integer-underflows.patch
+Patch0298: backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch
+Patch0299: backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
+Patch0300: backport-kern-file-Fix-error-handling-in-grub_file_open.patch
+Patch0301: backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch
+Patch0302: backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch
+Patch0303: backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch
diff --git a/grub2.spec b/grub2.spec
index 57b0738..8502523 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -14,7 +14,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 20
+Release: 21
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -439,6 +439,22 @@ fi
 %{_datadir}/man/man*
 
 %changelog
+* Mon Feb 6 2023 zhangqiumiao - 1:2.06-21
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:disk/diskfilter: Check calloc() result for NULL
+ kern/buffer: Handle NULL input pointer in grub_buffer_free()
+ disk/diskfilter: Don't make a RAID array with more than 1024 disks
+ loader/multiboot_elfxx: Fix memory leak
+ loader/linux: Ensure the newc pathname is NULL-terminated
+ term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer
+ normal/cmdline: Fix two related integer underflows
+ fs/iso9660: Fix memory leaks in grub_iso9660_susp_iterate()
+ fs/squash4: Fix memory leaks in grub_squash_iterate_dir()
+ fs/xfs: Fix memory leaks in XFS module
+ kern/file: Fix error handling in grub_file_open()
+
 * Thu Feb 2 2023 mengyingkun - 1:2.06-20
 - Type:bugfix
 - CVE:NA