packages/grub2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some patches from upstream

Browse Source 
Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
This commit is contained in:
Qiumiao Zhang 2023-02-06 23:06:41 +08:00
parent 81fab14a9d
commit 3e10ca701e
13 changed files with 731 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
backport-disk-diskfilter-Check-calloc-result-for-NULL.patch Normal file
View File

@ -0,0 +1,37 @@
From 12e20a6a695f4967b30a95bb52e4e2e0a10c9094 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sun, 21 Aug 2022 22:22:35 +1000
Subject: [PATCH] disk/diskfilter: Check calloc() result for NULL
With wildly corrupt inputs, we can end up trying to calloc a very
large amount of memory, which will fail and give us a NULL pointer.
We need to check that to avoid a crash. (And, even if we blocked
such inputs, it is good practice to check the results of allocations
anyway.)
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=12e20a6a695f4967b30a95bb52e4e2e0a10c9094
Conflict:NA
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/diskfilter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 2edcff6e8..4ac50320e 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -1163,6 +1163,9 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
array->lvs->segments->raid_member_size = disk_size;
array->lvs->segments->nodes
= grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
+ if (array->lvs->segments->nodes == NULL)
+ goto fail;
+
array->lvs->segments->stripe_size = stripe_size;
for (i = 0; i < nmemb; i++)
{
--
2.28.0.windows.1

45
backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch Normal file
View File

@ -0,0 +1,45 @@
From 2a5e3c1f2aed88c2289fb595da8308e898b87915 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Wed, 19 Oct 2022 20:23:22 +1100
Subject: [PATCH] disk/diskfilter: Don't make a RAID array with more than 1024
disks
This is "belt and braces" with commit 12e20a6a695f (disk/diskfilter:
Check calloc() result for NULL): we end up trying to use too much memory
in situations like corrupted Linux software RAID setups purporting to
use a huge number of disks. Simply refuse to permit such configurations.
1024 is a bit arbitrary, yes, and I feel a bit like I'm tempting fate
here, but I think 1024 disks in an array (that GRUB has to read to boot!)
should be enough for anyone.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2a5e3c1f2aed88c2289fb595da8308e898b87915
Conflict:NA
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/diskfilter.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 4ac50320e..1c568927b 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -1046,6 +1046,13 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
struct grub_diskfilter_pv *pv;
grub_err_t err;
+ /* We choose not to support more than 1024 disks. */
+ if (nmemb < 1 || nmemb > 1024)
+ {
+ grub_free (uuid);
+ return NULL;
+ }
+
switch (level)
{
case 1:
--
2.28.0.windows.1

48
backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch Normal file
View File

@ -0,0 +1,48 @@
From 7338cbe91a24ee9639597a0d8bebc32b8b46c26c Mon Sep 17 00:00:00 2001
From: "t.feng" <fengtao40@huawei.com>
Date: Tue, 29 Nov 2022 17:14:13 +0800
Subject: [PATCH] fs/iso9660: Fix memory leaks in grub_iso9660_susp_iterate()
Fixes: 99373ce47 (* grub-core/fs/iso9660.c: Remove nested functions)
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=7338cbe91a24ee9639597a0d8bebc32b8b46c26c
Conflict:NA
Signed-off-by: t.feng <fengtao40@huawei.com>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 91817ec1f..df9f7783b 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -279,7 +279,10 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
/* Load a part of the System Usage Area. */
err = read_node (node, off, sua_size, sua);
if (err)
- return err;
+ {
+ grub_free (sua);
+ return err;
+ }
for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char *) sua + sua_size - 1 && entry->len > 0;
entry = (struct grub_iso9660_susp_entry *)
@@ -309,7 +312,10 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
err = grub_disk_read (node->data->disk, ce_block, off,
sua_size, sua);
if (err)
- return err;
+ {
+ grub_free (sua);
+ return err;
+ }
entry = (struct grub_iso9660_susp_entry *) sua;
}
--
2.28.0.windows.1

67
backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch Normal file
View File

@ -0,0 +1,67 @@
From 98ae234000abdabf9db125c87a2db8b81157af72 Mon Sep 17 00:00:00 2001
From: "t.feng" <fengtao40@huawei.com>
Date: Tue, 29 Nov 2022 17:14:14 +0800
Subject: [PATCH] fs/squash4: Fix memory leaks in grub_squash_iterate_dir()
Fixes: 20dd511c8 (Handle "." and ".." on squashfs)
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=98ae234000abdabf9db125c87a2db8b81157af72
Conflict:NA
Signed-off-by: t.feng <fengtao40@huawei.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/squash4.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
index 02b1f9b6d..a30e6ebe1 100644
--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
@@ -550,7 +550,10 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ node->stack[node->stsize - 1].ino_chunk,
node->stack[node->stsize - 1].ino_offset);
if (err)
- return 0;
+ {
+ grub_free (node);
+ return 0;
+ }
if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
return 1;
@@ -600,7 +603,10 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
grub_le_to_cpu64 (dir->data->sb.diroffset)
+ chunk, off);
if (err)
- return 0;
+ {
+ grub_free (buf);
+ return 0;
+ }
off += grub_le_to_cpu16 (di.namelen) + 1;
buf[grub_le_to_cpu16 (di.namelen) + 1] = 0;
@@ -612,11 +618,17 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
if (grub_add (dir->stsize, 1, &sz) ||
grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
grub_add (sz, sizeof (*node), &sz))
- return 0;
+ {
+ grub_free (buf);
+ return 0;
+ }
node = grub_malloc (sz);
if (! node)
- return 0;
+ {
+ grub_free (buf);
+ return 0;
+ }
grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
--
2.28.0.windows.1

53
backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch Normal file
View File

@ -0,0 +1,53 @@
From 2e32d2357443d596d8d9067116152ec49be02a4a Mon Sep 17 00:00:00 2001
From: "t.feng" <fengtao40@huawei.com>
Date: Tue, 29 Nov 2022 17:14:15 +0800
Subject: [PATCH] fs/xfs: Fix memory leaks in XFS module
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2e32d2357443d596d8d9067116152ec49be02a4a
Conflict:NA
Signed-off-by: t.feng <fengtao40@huawei.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/xfs.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index d6de7f1a2..b67407690 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -585,7 +585,10 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
if (grub_disk_read (node->data->disk,
GRUB_XFS_FSB_TO_BLOCK (node->data, get_fsb (keys, i - 1 + recoffset)) << (node->data->sblock.log2_bsize - GRUB_DISK_SECTOR_BITS),
0, node->data->bsize, leaf))
- return 0;
+ {
+ grub_free (leaf);
+ return 0;
+ }
if ((!node->data->hascrc &&
grub_strncmp ((char *) leaf->magic, "BMAP", 4)) ||
@@ -751,6 +754,7 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,
if (err)
{
grub_print_error ();
+ grub_free (fdiro);
return 0;
}
@@ -861,7 +865,10 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
blk << dirblk_log2,
dirblk_size, dirblock, 0);
if (numread != dirblk_size)
- return 0;
+ {
+ grub_free (dirblock);
+ return 0;
+ }
entries = (grub_be_to_cpu32 (tail->leaf_count)
- grub_be_to_cpu32 (tail->leaf_stale));
--
2.28.0.windows.1

42
backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch Normal file
View File

@ -0,0 +1,42 @@
From 82ff9faa5bff5b3669bc4144bfc9b2279d344483 Mon Sep 17 00:00:00 2001
From: Jagannathan Raman <jag.raman@oracle.com>
Date: Mon, 17 Oct 2022 14:04:39 +0000
Subject: [PATCH] kern/buffer: Handle NULL input pointer in grub_buffer_free()
The grub_buffer_free() should handle NULL input pointer, similar to
grub_free(). If the pointer is not referencing any memory location,
grub_buffer_free() need not perform any function.
Fixes: CID 396931
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=82ff9faa5bff5b3669bc4144bfc9b2279d344483
Conflict:NA
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/buffer.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
index 9f5f8b867..a2587729c 100644
--- a/grub-core/kern/buffer.c
+++ b/grub-core/kern/buffer.c
@@ -49,8 +49,11 @@ grub_buffer_new (grub_size_t sz)
void
grub_buffer_free (grub_buffer_t buf)
{
- grub_free (buf->data);
- grub_free (buf);
+ if (buf != NULL)
+ {
+ grub_free (buf->data);
+ grub_free (buf);
+ }
}
grub_err_t
--
2.28.0.windows.1

41
backport-kern-file-Fix-error-handling-in-grub_file_open.patch Normal file
View File

@ -0,0 +1,41 @@
From e375394fb9233fb1da13f7fb38e38d8aa83d1443 Mon Sep 17 00:00:00 2001
From: Steve McIntyre <steve@einval.com>
Date: Tue, 6 Dec 2022 01:45:11 +0000
Subject: kern/file: Fix error handling in grub_file_open()
grub_file_open() calls grub_file_get_device_name(), but doesn't check
the return. Instead, it checks if grub_errno is set.
However, nothing initialises grub_errno here when grub_file_open()
starts. This means that trying to open one file that doesn't exist and
then trying to open another file that does will (incorrectly) also
fail to open that second file.
Let's fix that.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=e375394fb9233fb1da13f7fb38e38d8aa83d1443
Conflict:NA
Signed-off-by: Steve McIntyre <steve@einval.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
index ed69fc0..70b3c62 100644
--- a/grub-core/kern/file.c
+++ b/grub-core/kern/file.c
@@ -66,6 +66,9 @@ grub_file_open (const char *name, enum grub_file_type type)
const char *file_name;
grub_file_filter_id_t filter;
+ /* Reset grub_errno before we start. */
+ grub_errno = GRUB_ERR_NONE;
+
grub_dprintf ("file", "Opening `%s' ...\n", name);
device_name = grub_file_get_device_name (name);
--
2.19.1

157
backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch Normal file
View File

@ -0,0 +1,157 @@
From 544fd63f0f7a6b1e270ec88c4ece2c3e76b206f5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 25 Nov 2022 15:37:35 +0800
Subject: [PATCH] loader/linux: Ensure the newc pathname is NULL-terminated
Per "man 5 cpio", the namesize in the cpio header includes the trailing
NUL byte of the pathname and the pathname is followed by NUL bytes, but
the current implementation ignores the trailing NUL byte when making
the newc header. Although make_header() tries to pad the pathname string,
the padding won't happen when strlen(name) + sizeof(struct newc_head)
is a multiple of 4, and the non-NULL-terminated pathname may lead to
unexpected results.
Assume that a file is created with 'echo -n aaaa > /boot/test12' and
loaded by grub2:
linux /boot/vmlinuz
initrd newc:test12:/boot/test12 /boot/initrd
The initrd command eventually invoked grub_initrd_load() and sent
't''e''s''t''1''2' to make_header() to generate the header:
00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00|
00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800|
00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163|
000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400|
000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300|
000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
000000d0 30 30 30 30 30 36 30 30 30 30 30 30 30 30 74 65 |00000600000000te|
^namesize
000000e0 73 74 31 32 61 61 61 61 30 37 30 37 30 31 30 30 |st12aaaa07070100|
^^ end of the pathname
Since strlen("test12") + sizeof(struct newc_head) is 116 = 29 * 4,
make_header() didn't pad the pathname, and the file content followed
"test12" immediately. This violates the cpio format and may trigger such
error during linux boot:
Initramfs unpacking failed: ZSTD-compressed data is trunc
To avoid the potential problems, this commit counts the trailing NUL byte
in when calling make_header() and adjusts the initrd size accordingly.
Now the header becomes
00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00|
00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800|
00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163|
000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400|
000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300|
000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
000000d0 30 30 30 30 30 37 30 30 30 30 30 30 30 30 74 65 |00000700000000te|
^namesize
000000e0 73 74 31 32 00 00 00 00 61 61 61 61 30 37 30 37 |st12....aaaa0707|
^^ end of the pathname
Besides the trailing NUL byte, make_header() pads 3 more NUL bytes, and
the user can safely read the pathname without a further check.
To conform to the cpio format, the headers for "TRAILER!!!" are also
adjusted to include the trailing NUL byte, not ignore it.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=544fd63f0f7a6b1e270ec88c4ece2c3e76b206f5
Conflict:NA
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/loader/linux.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 830360172..3948302d2 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -127,12 +127,23 @@ insert_dir (const char *name, struct dir **root,
n->name = grub_strndup (cb, ce - cb);
if (ptr)
{
+ /*
+ * Create the substring with the trailing NUL byte
+ * to be included in the cpio header.
+ */
+ char *tmp_name = grub_strndup (name, ce - name);
+ if (!tmp_name) {
+ grub_free (n->name);
+ grub_free (n);
+ return grub_errno;
+ }
grub_dprintf ("linux", "Creating directory %s, %s\n", name, ce);
- ptr = make_header (ptr, name, ce - name,
+ ptr = make_header (ptr, tmp_name, ce - name + 1,
040777, 0);
+ grub_free (tmp_name);
}
if (grub_add (*size,
- ALIGN_UP ((ce - (char *) name)
+ ALIGN_UP ((ce - (char *) name + 1)
+ sizeof (struct newc_head), 4),
size))
{
@@ -191,7 +202,7 @@ grub_initrd_init (int argc, char *argv[],
grub_initrd_close (initrd_ctx);
return grub_errno;
}
- name_len = grub_strlen (initrd_ctx->components[i].newc_name);
+ name_len = grub_strlen (initrd_ctx->components[i].newc_name) + 1;
if (grub_add (initrd_ctx->size,
ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
&initrd_ctx->size) ||
@@ -205,7 +216,7 @@ grub_initrd_init (int argc, char *argv[],
{
if (grub_add (initrd_ctx->size,
ALIGN_UP (sizeof (struct newc_head)
- + sizeof ("TRAILER!!!") - 1, 4),
+ + sizeof ("TRAILER!!!"), 4),
&initrd_ctx->size))
goto overflow;
free_dir (root);
@@ -233,7 +244,7 @@ grub_initrd_init (int argc, char *argv[],
initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
if (grub_add (initrd_ctx->size,
ALIGN_UP (sizeof (struct newc_head)
- + sizeof ("TRAILER!!!") - 1, 4),
+ + sizeof ("TRAILER!!!"), 4),
&initrd_ctx->size))
goto overflow;
free_dir (root);
@@ -297,14 +308,14 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
}
ptr += dir_size;
ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
- grub_strlen (initrd_ctx->components[i].newc_name),
+ grub_strlen (initrd_ctx->components[i].newc_name) + 1,
0100777,
initrd_ctx->components[i].size);
newc = 1;
}
else if (newc)
{
- ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1,
+ ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"),
0, 0);
free_dir (root);
root = 0;
@@ -327,7 +338,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
{
grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
ptr += ALIGN_UP_OVERHEAD (cursize, 4);
- ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
+ ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"), 0, 0);
}
free_dir (root);
root = 0;
--
2.28.0.windows.1

94
backport-loader-multiboot_elfxx-Fix-memory-leak.patch Normal file
View File

@ -0,0 +1,94 @@
From 113142939172bda9759d4d2e5a053911821d2faf Mon Sep 17 00:00:00 2001
From: "t.feng" <fengtao40@huawei.com>
Date: Thu, 10 Nov 2022 15:01:15 +0800
Subject: loader/multiboot_elfxx: Fix memory leak
The commit eb33e61b3 (multiboot: fix memory leak) did not fix all
issues. Fix all of them right now.
Fixes: eb33e61b3 (multiboot: fix memory leak)
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=113142939172bda9759d4d2e5a053911821d2faf
Conflict:NA
Signed-off-by: t.feng <fengtao40@huawei.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/loader/multiboot_elfxx.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
index 87f6e31..57330a0 100644
--- a/grub-core/loader/multiboot_elfxx.c
+++ b/grub-core/loader/multiboot_elfxx.c
@@ -220,10 +220,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
return grub_errno;
if (grub_file_seek (mld->file, ehdr->e_shoff) == (grub_off_t) -1)
- {
- grub_free (shdr);
- return grub_errno;
- }
+ goto fail;
if (grub_file_read (mld->file, shdr, (grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize)
!= (grub_ssize_t) ehdr->e_shnum * ehdr->e_shentsize)
@@ -231,7 +228,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
if (!grub_errno)
grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
mld->filename);
- return grub_errno;
+ goto fail;
}
for (shdrptr = shdr, i = 0; i < ehdr->e_shnum;
@@ -242,7 +239,10 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
grub_addr_t target;
if (mld->mbi_ver >= 2 && (sh->sh_type == SHT_REL || sh->sh_type == SHT_RELA))
- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "ELF files with relocs are not supported yet");
+ {
+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "ELF files with relocs are not supported yet");
+ goto fail;
+ }
/* This section is a loaded section,
so we don't care. */
@@ -261,13 +261,14 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
if (err)
{
grub_dprintf ("multiboot_loader", "Error loading shdr %d\n", i);
- return err;
+ grub_errno = err;
+ goto fail;
}
src = get_virtual_current_address (ch);
target = get_physical_target_address (ch);
if (grub_file_seek (mld->file, sh->sh_offset) == (grub_off_t) -1)
- return grub_errno;
+ goto fail;
if (grub_file_read (mld->file, src, sh->sh_size)
!= (grub_ssize_t) sh->sh_size)
@@ -275,12 +276,16 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
if (!grub_errno)
grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
mld->filename);
- return grub_errno;
+ goto fail;
}
sh->sh_addr = target;
}
GRUB_MULTIBOOT (add_elfsyms) (ehdr->e_shnum, ehdr->e_shentsize,
ehdr->e_shstrndx, shdr);
+ return GRUB_ERR_NONE;
+
+fail:
+ grub_free (shdr);
}
#undef phdr
--
2.19.1

83
backport-normal-cmdline-Fix-two-related-integer-underflows.patch Normal file
View File

@ -0,0 +1,83 @@
From 77afd25f8065bfbf5cc7848855006cd5260aeb9f Mon Sep 17 00:00:00 2001
From: Ryan Cohen <rcohenprogramming@gmail.com>
Date: Sat, 26 Nov 2022 17:22:52 -0500
Subject: [PATCH] normal/cmdline: Fix two related integer underflows
An unchecked decrement operation in cl_print() would cause a few
integers to underflow. Where an output terminal's state is stored in
cl_term, the values cl_term->ystart and cl_term->pos.y both underflow.
This can be replicated with the following steps:
1. Get to the GRUB command line
2. Hold down the "d" key (or any key that enters a visible character)
until it fills the entire row
3. Press "HOME" and then press "CTRL-k". This will clear every
character entered in step 2
4. Continuously press "CTRL-y" until the terminal scrolls the original
prompt ("grub> ") passed the terminal's top row. Now, no prompt
should be visible. This step causes cl_term->ystart to underflow
5. Press "HOME" and then "d" (or any visible character). This can have
different visual effects for different systems, but it will always
cause cl_term->pos.y to underflow
On BIOS systems, these underflows cause the output terminal to
completely stop displaying anything. Characters can still be
entered and commands can be run, but nothing will display on the
terminal. From here, you can only get the display working by running
a command to switch the current output terminal to a different type:
terminal_output <OTHER_TERMINAL>
On UEFI systems, these replication steps do not break the output
terminal. Until you press "ENTER", the cursor stops responding to input,
but you can press "ENTER" after step 5 and the command line will
work properly again. This patch is mostly important for BIOS systems
where the output terminal is rendered unusable after the underflows
occur.
This patch adds two checks, one for each variable. It ensures that
cl_term->ystart does not decrement passed 0. It also ensures that
cl_term->pos.y does not get set passed the terminal's bottom row.
When the previously listed replication steps are followed with this
patch, the terminal's cursor will be set to the top row and the command
line is still usable, even on BIOS systems.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=77afd25f8065bfbf5cc7848855006cd5260aeb9f
Conflict:NA
Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/normal/cmdline.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
index 61f098244..9c6d9ade9 100644
--- a/grub-core/normal/cmdline.c
+++ b/grub-core/normal/cmdline.c
@@ -219,6 +219,8 @@ cl_set_pos (struct cmdline_term *cl_term, grub_size_t lpos)
cl_term->pos.x = (cl_term->prompt_len + lpos) % cl_term->width;
cl_term->pos.y = cl_term->ystart
+ (cl_term->prompt_len + lpos) / cl_term->width;
+ if (cl_term->pos.y >= cl_term->height)
+ cl_term->pos.y = cl_term->height - 1;
grub_term_gotoxy (cl_term->term, cl_term->pos);
}
@@ -248,7 +250,10 @@ cl_print (struct cmdline_term *cl_term, grub_uint32_t c,
{
cl_term->pos.x = 0;
if (cl_term->pos.y >= (unsigned) (cl_term->height - 1))
- cl_term->ystart--;
+ {
+ if (cl_term->ystart > 0)
+ cl_term->ystart--;
+ }
else
cl_term->pos.y++;
grub_putcode ('\n', cl_term->term);
--
2.28.0.windows.1

36
backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch Normal file
View File

@ -0,0 +1,36 @@
From 108a3865f43330b581d35b9cf6ecb1e0a1da5d49 Mon Sep 17 00:00:00 2001
From: Ryan Cohen <rcohenprogramming@gmail.com>
Date: Sat, 26 Nov 2022 17:22:51 -0500
Subject: [PATCH] term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA
text buffer
Coordinates passed to screen_write_char() did not have any checks to
ensure they are not out-of-bounds. This adds an if statement to prevent
out-of-bounds writes to the VGA text buffer.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=108a3865f43330b581d35b9cf6ecb1e0a1da5d49
Conflict:NA
Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/term/i386/pc/vga_text.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/grub-core/term/i386/pc/vga_text.c b/grub-core/term/i386/pc/vga_text.c
index 669d06fad..b88fa9d2e 100644
--- a/grub-core/term/i386/pc/vga_text.c
+++ b/grub-core/term/i386/pc/vga_text.c
@@ -63,7 +63,8 @@ static grub_uint8_t cur_color = 0x7;
static void
screen_write_char (int x, int y, short c)
{
- VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
+ if (x < COLS && y < ROWS && x >= 0 && y >= 0)
+ VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
}
static short
--
2.28.0.windows.1

11
grub.patches
View File

@ -293,3 +293,14 @@ Patch0291: disable-some-unsupported-filesystems.patch
%ifarch loongarch64 %ifarch loongarch64
Patch0292: loongarch-Modify-the-location-where-initrd-is-loaded.patch Patch0292: loongarch-Modify-the-location-where-initrd-is-loaded.patch
%endif %endif
Patch0293: backport-disk-diskfilter-Check-calloc-result-for-NULL.patch
Patch0294: backport-kern-buffer-Handle-NULL-input-pointer-in-grub_buffer.patch
Patch0295: backport-disk-diskfilter-Don-t-make-a-RAID-array-with-more-th.patch
Patch0296: backport-loader-multiboot_elfxx-Fix-memory-leak.patch
Patch0297: backport-normal-cmdline-Fix-two-related-integer-underflows.patch
Patch0298: backport-term-i386-pc-vga_text-Prevent-out-of-bounds-writes-t.patch
Patch0299: backport-loader-linux-Ensure-the-newc-pathname-is-NULL-termin.patch
Patch0300: backport-kern-file-Fix-error-handling-in-grub_file_open.patch
Patch0301: backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch
Patch0302: backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch
Patch0303: backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch

18
grub2.spec
View File

@ -14,7 +14,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.06 Version: 2.06
Release: 20 Release: 21
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+ License: GPLv3+
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -439,6 +439,22 @@ fi
%{_datadir}/man/man* %{_datadir}/man/man*
%changelog %changelog
* Mon Feb 6 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.06-21
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:disk/diskfilter: Check calloc() result for NULL
kern/buffer: Handle NULL input pointer in grub_buffer_free()
disk/diskfilter: Don't make a RAID array with more than 1024 disks
loader/multiboot_elfxx: Fix memory leak
loader/linux: Ensure the newc pathname is NULL-terminated
term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer
normal/cmdline: Fix two related integer underflows
fs/iso9660: Fix memory leaks in grub_iso9660_susp_iterate()
fs/squash4: Fix memory leaks in grub_squash_iterate_dir()
fs/xfs: Fix memory leaks in XFS module
kern/file: Fix error handling in grub_file_open()
* Thu Feb 2 2023 mengyingkun <mengyingkun@loongson.cn> - 1:2.06-20 * Thu Feb 2 2023 mengyingkun <mengyingkun@loongson.cn> - 1:2.06-20
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA