!263 backport some patches from upstream and convert some patches to Unix text format

From: @zhangqiumiao 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
openeuler-ci-bot 2023-04-17 03:37:17 +00:00 committed by Gitee
commit 951168b83a
GPG Key ID: 173E9B9CA92EEF8F
21 changed files with 979 additions and 317 deletions

@ -1,38 +1,38 @@
From 971dd6599d838ed21f38f7261c7bdda59f9bbdae Mon Sep 17 00:00:00 2001
From: Alec Brown <alec.r.brown@oracle.com>
Date: Wed, 10 Nov 2021 15:49:29 -0500
Subject: disk/ldm: Fix resource leak
Commit 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from
make_vg()) fixed several spots in make_vg() where comp data was leaking memory
when an error was being handled but missed one. To avoid leaking memory, comp
should be freed when an error is being handled after comp has been successfully
allocated memory in the for loop.
Fixes: 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from make_vg())
Fixes: CID 73804
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=971dd6599d838ed21f38f7261c7bdda59f9bbdae
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/ldm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
index 4577a51..337abf7 100644
--- a/grub-core/disk/ldm.c
+++ b/grub-core/disk/ldm.c
@@ -487,6 +487,7 @@ make_vg (grub_disk_t disk,
ptr = vblk[i].dynamic;
if (ptr + *ptr + 1 >= vblk[i].dynamic + sizeof (vblk[i].dynamic))
{
+ grub_free (comp);
goto fail2;
}
comp->internal_id = grub_malloc ((grub_size_t) ptr[0] + 2);
--
cgit v1.1
From 971dd6599d838ed21f38f7261c7bdda59f9bbdae Mon Sep 17 00:00:00 2001
From: Alec Brown <alec.r.brown@oracle.com>
Date: Wed, 10 Nov 2021 15:49:29 -0500
Subject: disk/ldm: Fix resource leak
Commit 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from
make_vg()) fixed several spots in make_vg() where comp data was leaking memory
when an error was being handled but missed one. To avoid leaking memory, comp
should be freed when an error is being handled after comp has been successfully
allocated memory in the for loop.
Fixes: 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from make_vg())
Fixes: CID 73804
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=971dd6599d838ed21f38f7261c7bdda59f9bbdae
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/ldm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
index 4577a51..337abf7 100644
--- a/grub-core/disk/ldm.c
+++ b/grub-core/disk/ldm.c
@@ -487,6 +487,7 @@ make_vg (grub_disk_t disk,
ptr = vblk[i].dynamic;
if (ptr + *ptr + 1 >= vblk[i].dynamic + sizeof (vblk[i].dynamic))
{
+ grub_free (comp);
goto fail2;
}
comp->internal_id = grub_malloc ((grub_size_t) ptr[0] + 2);
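Review bot: The new grub_free (comp) before goto fail2 repeats the cleanup at the error site, which is the pattern that let this path be missed by 23e39f50ca7a according to the commit message. Consider a dedicated label ahead of fail2 that frees comp, so later error paths in the loop cannot forget it. The context line right after the block assigns comp->internal_id from grub_malloc (); its failure path is outside the hunk and worth checking for the same leak.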
--
cgit v1.1

@ -0,0 +1,33 @@
From f6806966478c601a96e1f3e0e5e85cf5036555c0 Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang.id@gmail.com>
Date: Mon, 5 Dec 2022 19:29:37 +0800
Subject: font: Assign null_font to unknown_glyph
Like glyphs in ascii_font_glyph[], assign null_font to
unknown_glyph->font in order to prevent grub_font_get_*() from
dereferencing NULL pointer.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=f6806966478c601a96e1f3e0e5e85cf5036555c0
Conflict:NA
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/font/font.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 19a47f8..674043d 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -177,6 +177,7 @@ grub_font_loader_init (void)
unknown_glyph->offset_x = 0;
unknown_glyph->offset_y = -3;
unknown_glyph->device_width = 8;
+ unknown_glyph->font = &null_font;
grub_memcpy (unknown_glyph->bitmap,
unknown_glyph_bitmap, sizeof (unknown_glyph_bitmap));
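Review bot: The added unknown_glyph->font = &null_font line carries no comment saying why the field must be non-NULL; a short one pointing at grub_font_get_*() would keep it from being dropped later. For the backport, the blob ids (19a47f8..674043d) show this applies on top of the ascii_glyph_lookup() change (3821937..19a47f8), which starts handing out unknown_glyph as a fallback, so the two patches should be carried together and in that order.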
--
cgit v1.1

@ -0,0 +1,40 @@
From d7ed2ebcd69df123fde8ae1ba9163e2b93c47bbf Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang.id@gmail.com>
Date: Mon, 5 Dec 2022 19:29:36 +0800
Subject: font: Check return value of grub_malloc() in ascii_glyph_lookup()
There is a problem in ascii_glyph_lookup(). It doesn't check the return
value of grub_malloc(). If memory can't be allocated, then NULL pointer
will be written to.
This patch fixes the problem by fallbacking to unknown_glyph when
grub_malloc() returns NULL.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=d7ed2ebcd69df123fde8ae1ba9163e2b93c47bbf
Conflict:NA
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/font/font.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 3821937..19a47f8 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -131,6 +131,11 @@ ascii_glyph_lookup (grub_uint32_t code)
{
ascii_font_glyph[current] =
grub_malloc (sizeof (struct grub_font_glyph) + ASCII_BITMAP_SIZE);
+ if (ascii_font_glyph[current] == NULL)
+ {
+ ascii_font_glyph[current] = unknown_glyph;
+ continue;
+ }
ascii_font_glyph[current]->width = 8;
ascii_font_glyph[current]->height = 16;
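Review bot: In the new NULL branch, ascii_font_glyph[current] = unknown_glyph stores a shared pointer in a slot that otherwise owns its own allocation, so any code that later frees or modifies ascii_font_glyph[] entries would touch unknown_glyph as well. The branch also assumes unknown_glyph is already set up when ascii_glyph_lookup() runs. A comment stating both assumptions, or a NULL check on unknown_glyph, would make the fallback safer to maintain.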
--
cgit v1.1

@ -0,0 +1,36 @@
From faca60df7686a9a3ad9693e8a7b2c6a3a823d133 Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang.id@gmail.com>
Date: Mon, 5 Dec 2022 19:29:38 +0800
Subject: font: Reject fonts with negative max_char_width or max_char_height
If max_char_width or max_char_height are negative wrong values can be propagated
by grub_font_get_max_char_width() or grub_font_get_max_char_height(). Prevent
this from happening.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=faca60df7686a9a3ad9693e8a7b2c6a3a823d133
Conflict:NA
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/font/font.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 674043d..24adcb3 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -644,8 +644,8 @@ grub_font_load (const char *filename)
font->max_char_width, font->max_char_height, font->num_chars);
#endif
- if (font->max_char_width == 0
- || font->max_char_height == 0
+ if (font->max_char_width <= 0
+ || font->max_char_height <= 0
|| font->num_chars == 0
|| font->char_index == 0 || font->ascent == 0 || font->descent == 0)
{
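Review bot: The switch to <= 0 covers only max_char_width and max_char_height; ascent and descent in the same condition still use == 0, so negative values there pass this check. If those fields are signed as well, consider whether they need the same treatment, and note that no upper bound is applied to any of these values here.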
--
cgit v1.1

@ -0,0 +1,65 @@
From 4e0bab34ece7b757a1b96be59ba54a009a5cc354 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 20 Jan 2023 19:39:38 +0000
Subject: fs/iso9660: Add check to prevent infinite loop
There is no check for the end of block when reading
directory extents. It resulted in read_node() always
read from the same offset in the while loop, thus
caused infinite loop. The fix added a check for the
end of the block and ensure the read is within directory
boundary.
Reference:https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4e0bab34ece7b757a1b96be59ba54a009a5cc354
Conflict:NA
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index df9f778..24d84a5 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -801,6 +801,16 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
while (dirent.flags & FLAG_MORE_EXTENTS)
{
offset += dirent.len;
+
+ /* offset should within the dir's len. */
+ if (offset > len)
+ {
+ if (ctx.filename_alloc)
+ grub_free (ctx.filename);
+ grub_free (node);
+ return 0;
+ }
+
if (read_node (dir, offset, sizeof (dirent), (char *) &dirent))
{
if (ctx.filename_alloc)
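Review bot: The bound in the first added block is offset > len, so offset == len passes and read_node () is then asked for sizeof (dirent) bytes starting at the end of the directory. Comparing offset + sizeof (dirent) against len would match the stated intent of keeping the read within the directory boundary. The comment should also read "offset should be within the dir's len".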
@@ -808,6 +818,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
grub_free (node);
return 0;
}
+
+ /*
+ * It is either the end of block or zero-padded sector,
+ * skip to the next block.
+ */
+ if (!dirent.len)
+ {
+ offset = (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ;
+ dirent.flags |= FLAG_MORE_EXTENTS;
+ continue;
+ }
+
if (node->have_dirents >= node->alloc_dirents)
{
struct grub_fshelp_node *new_node;
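Review bot: In the !dirent.len branch, setting dirent.flags |= FLAG_MORE_EXTENTS only to keep the while condition true hides the real intent, and termination then depends entirely on the offset > len check added in the previous hunk, since the continue returns to offset += dirent.len with a zero length. A comment saying so, or an explicit bound check right after rounding offset up to the next GRUB_ISO9660_BLKSZ boundary, would make the loop exit easier to verify.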
--
cgit v1.1

@ -0,0 +1,54 @@
From c44b1428c4c7d2bb01359fd885720af87e10b1b2 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 20 Jan 2023 19:39:40 +0000
Subject: fs/iso9660: Avoid reading past the entry boundary
Added a check for the SP entry data boundary before reading it.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=c44b1428c4c7d2bb01359fd885720af87e10b1b2
Conflict:NA
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 230048a..ecf6bbe 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -415,6 +415,9 @@ set_rockridge (struct grub_iso9660_data *data)
if (!sua_size)
return GRUB_ERR_NONE;
+ if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
+ return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
+
sua = grub_malloc (sua_size);
if (! sua)
return grub_errno;
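Review bot: The new sua_size check uses GRUB_ISO9660_SUSP_HEADER_SZ, which this patch does not define; it is introduced by 8f41d35fcecb (24d84a5..230048a), and this patch starts from blob 230048a. The series therefore has to be applied in blob-id order rather than in the order the patches are listed in this commit, which is worth verifying where the patches are applied.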
@@ -441,8 +444,17 @@ set_rockridge (struct grub_iso9660_data *data)
rootnode.have_symlink = 0;
rootnode.dirents[0] = data->voldesc.rootdir;
- /* The 2nd data byte stored how many bytes are skipped every time
- to get to the SUA (System Usage Area). */
+ /* The size of SP (version 1) is fixed to 7. */
+ if (sua_size < 7 || entry->len < 7)
+ {
+ grub_free (sua);
+ return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
+ }
+
+ /*
+ * The 2nd data byte stored how many bytes are skipped every time
+ * to get to the SUA (System Usage Area).
+ */
data->susp_skip = entry->data[2];
entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
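Review bot: The added check if (sua_size < 7 || entry->len < 7) uses a bare 7 twice where a named constant for the SP entry size would document it. Also, the context line after data->susp_skip advances entry by entry->len without comparing it to sua_size, so an SP entry claiming a length larger than the buffer is still stepped over; adding entry->len > sua_size to the rejection would close that.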
--
cgit v1.1

@ -0,0 +1,53 @@
From 77f657dc9e67a1fd6b1941609a4ed798e99bcae2 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 20 Jan 2023 19:39:41 +0000
Subject: fs/iso9660: Incorrect check for entry boundary
An SL entry consists of the entry info and the component area.
The entry info should take up 5 bytes instead of sizeof(*entry).
The area after the first 5 bytes is the component area. It is
incorrect to use the sizeof(*entry) to check the entry boundary.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=77f657dc9e67a1fd6b1941609a4ed798e99bcae2
Conflict:NA
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index ecf6bbe..64ea3d4 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -669,10 +669,23 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
else if (grub_strncmp ("SL", (char *) entry->sig, 2) == 0)
{
unsigned int pos = 1;
+ unsigned int csize;
- /* The symlink is not stored as a POSIX symlink, translate it. */
- while (pos + sizeof (*entry) < entry->len)
+ /* The symlink is not stored as a POSIX symlink, translate it. */
+ while ((pos + GRUB_ISO9660_SUSP_HEADER_SZ + 1) < entry->len)
{
+ /*
+ * entry->len is GRUB_ISO9660_SUSP_HEADER_SZ + 1 (the FLAGS) +
+ * length of the "Component Area". The length of a component
+ * record is 2 (pos and pos + 1) plus the "Component Content",
+ * of which starts at pos + 2. entry->data[pos] is the
+ * "Component Flags"; entry->data[pos + 1] is the length
+ * of the component.
+ */
+ csize = entry->data[pos + 1] + 2;
+ if (GRUB_ISO9660_SUSP_HEADER_SZ + 1 + csize > entry->len)
+ break;
+
/* The current position is the `Component Flag'. */
switch (entry->data[pos] & 30)
{
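Review bot: The new bound GRUB_ISO9660_SUSP_HEADER_SZ + 1 + csize > entry->len does not include pos, so it is exact only for the first component (pos == 1). By the layout in the added comment, a component at pos ends at GRUB_ISO9660_SUSP_HEADER_SZ + pos + csize, so later components can pass the check while extending past entry->len. Using pos in the comparison would cover every iteration. The bare 30 mask in the switch would also read better as a named constant.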
--
cgit v1.1

@ -0,0 +1,95 @@
From 8f41d35fcecb65746b60aaa99936cbbdf5fb27ba Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Wed, 1 Feb 2023 17:08:44 +0100
Subject: fs/iso9660: Prevent read past the end of system use area
In the code, the for loop advanced the entry pointer to the next entry before
checking if the next entry is within the system use area boundary. Another
issue in the code was that there is no check for the size of system use area.
For a corrupted system, the size of system use area can be less than the size
of minimum SUSP entry size (4 bytes). These can cause buffer overrun. The fixes
added the checks to ensure the read is valid and within the boundary.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=8f41d35fcecb65746b60aaa99936cbbdf5fb27ba
Conflict:NA
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 24d84a5..230048a 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -49,6 +49,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
#define GRUB_ISO9660_VOLDESC_PART 3
#define GRUB_ISO9660_VOLDESC_END 255
+#define GRUB_ISO9660_SUSP_HEADER_SZ 4
+
/* The head of a volume descriptor. */
struct grub_iso9660_voldesc
{
@@ -272,6 +274,9 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
if (sua_size <= 0)
return GRUB_ERR_NONE;
+ if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
+ return grub_error (GRUB_ERR_BAD_FS, "invalid susp entry size");
+
sua = grub_malloc (sua_size);
if (!sua)
return grub_errno;
@@ -284,10 +289,14 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
return err;
}
- for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char *) sua + sua_size - 1 && entry->len > 0;
- entry = (struct grub_iso9660_susp_entry *)
- ((char *) entry + entry->len))
+ entry = (struct grub_iso9660_susp_entry *) sua;
+
+ while (entry->len > 0)
{
+ /* Ensure the entry is within System Use Area. */
+ if ((char *) entry + entry->len > (sua + sua_size))
+ break;
+
/* The last entry. */
if (grub_strncmp ((char *) entry->sig, "ST", 2) == 0)
break;
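Review bot: The rewritten loop accepts any entry->len > 0, so an entry with a length of 1 to 3 bytes, shorter than GRUB_ISO9660_SUSP_HEADER_SZ, still reaches the "ST" comparison and the rest of the loop body. Rejecting entry->len < GRUB_ISO9660_SUSP_HEADER_SZ next to the new upper-bound check would keep malformed entries out.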
@@ -303,6 +312,16 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
off = grub_le_to_cpu32 (ce->off);
ce_block = grub_le_to_cpu32 (ce->blk) << GRUB_ISO9660_LOG2_BLKSZ;
+ if (sua_size <= 0)
+ break;
+
+ if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
+ {
+ grub_free (sua);
+ return grub_error (GRUB_ERR_BAD_FS,
+ "invalid continuation area in CE entry");
+ }
+
grub_free (sua);
sua = grub_malloc (sua_size);
if (!sua)
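Review bot: The CE branch now rejects a continuation sua_size below GRUB_ISO9660_SUSP_HEADER_SZ but puts no upper limit on it before grub_malloc (sua_size), so the allocation size is taken straight from the on-disk ce->len. Consider capping it, and factoring the size validation shared with the top of the function into one helper so the two copies cannot drift.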
@@ -325,6 +344,11 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
grub_free (sua);
return 0;
}
+
+ entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
+
+ if (((sua + sua_size) - (char *) entry) < GRUB_ISO9660_SUSP_HEADER_SZ)
+ break;
}
grub_free (sua);
--
cgit v1.1

@ -0,0 +1,73 @@
From 2a96eab759aff74c2a214da66eefeb1e770c0820 Mon Sep 17 00:00:00 2001
From: Thomas Schmitt <scdbackup@gmx.net>
Date: Wed, 1 Feb 2023 17:28:49 +0100
Subject: fs/iso9660: Prevent skipping CE or ST at start of continuation area
If processing of a SUSP CE entry leads to a continuation area which
begins by entry CE or ST, then these entries were skipped without
interpretation. In case of CE this would lead to premature end of
processing the SUSP entries of the file. In case of ST this could
cause following non-SUSP bytes to be interpreted as SUSP entries.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2a96eab759aff74c2a214da66eefeb1e770c0820
Conflict:NA
Signed-off-by: Thomas Schmitt <scdbackup@gmx.net>
Tested-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 64ea3d4..acccf5f 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -50,6 +50,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
#define GRUB_ISO9660_VOLDESC_END 255
#define GRUB_ISO9660_SUSP_HEADER_SZ 4
+#define GRUB_ISO9660_MAX_CE_HOPS 100000
/* The head of a volume descriptor. */
struct grub_iso9660_voldesc
@@ -270,6 +271,7 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
char *sua;
struct grub_iso9660_susp_entry *entry;
grub_err_t err;
+ int ce_counter = 0;
if (sua_size <= 0)
return GRUB_ERR_NONE;
@@ -307,6 +309,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
struct grub_iso9660_susp_ce *ce;
grub_disk_addr_t ce_block;
+ if (++ce_counter > GRUB_ISO9660_MAX_CE_HOPS)
+ {
+ grub_free (sua);
+ return grub_error (GRUB_ERR_BAD_FS,
+ "suspecting endless CE loop");
+ }
+
ce = (struct grub_iso9660_susp_ce *) entry;
sua_size = grub_le_to_cpu32 (ce->len);
off = grub_le_to_cpu32 (ce->off);
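Review bot: The ce_counter limit is a second behavioural change that the commit message does not mention; it only describes the skipped CE or ST entries. A sentence in the message, or a comment at GRUB_ISO9660_MAX_CE_HOPS explaining how 100000 was chosen, would help anyone who later has to tune or justify the bound.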
@@ -337,6 +346,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
}
entry = (struct grub_iso9660_susp_entry *) sua;
+ /*
+ * The hook function will not process CE or ST.
+ * Advancing to the next entry would skip them.
+ */
+ if (grub_strncmp ((char *) entry->sig, "CE", 2) == 0
+ || grub_strncmp ((char *) entry->sig, "ST", 2) == 0)
+ continue;
}
if (hook (entry, hook_arg))
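Review bot: The added continue returns to the top of the while loop without advancing entry, which is the intent here but easy to break in later edits. The comment says what the hook will not do; it would help to add that the continue is what lets the loop itself interpret the CE or ST entry at the start of the new area.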
--
cgit v1.1

@ -0,0 +1,35 @@
From b58aa4e2095943303126fff706d73f18f7caab35 Mon Sep 17 00:00:00 2001
From: Nicholas Vinson <nvinson234@gmail.com>
Date: Fri, 13 Jan 2023 02:56:35 -0500
Subject: gentpl.py: Remove .interp section from .img files
When building .img files, a .interp section from the .image files will
sometimes be copied into the .img file. This additional section pushes
the .img file beyond the 512-byte limit and causes grub-install to fail
to run for i386-pc platforms.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=b58aa4e2095943303126fff706d73f18f7caab35
Conflict:NA
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
gentpl.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentpl.py b/gentpl.py
index 9f51e4f..88abe5b 100644
--- a/gentpl.py
+++ b/gentpl.py
@@ -766,7 +766,7 @@ def image(defn, platform):
if test x$(TARGET_APPLE_LINKER) = x1; then \
$(MACHO2IMG) $< $@; \
else \
- $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx $< $@; \
+ $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx -R .interp $< $@; \
fi
""")
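Review bot: The -R list on the $(TARGET_OBJCOPY) line grows by one section each time a toolchain emits something new, and per the commit message the symptom only shows up as a grub-install failure on i386-pc. A build-time check that the resulting .img stays within the 512-byte limit named in the commit message would catch the next stray section when the image is built.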
--
cgit v1.1

@ -1,35 +1,35 @@
From 29d44a236a5e939b8ff24e6c31141d5b1e48f693 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:40 +0000
Subject: io/gzio: Fix possible use of uninitialized variable in huft_build()
In huft_build() it is possible to reach the for loop where "r" is being
assigned to "q[j]" without "r.v" ever being initialized.
Fixes: CID 314024
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=29d44a236a5e939b8ff24e6c31141d5b1e48f693
---
grub-core/io/gzio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
index aea86a0..10156e5 100644
--- a/grub-core/io/gzio.c
+++ b/grub-core/io/gzio.c
@@ -447,7 +447,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
int l; /* bits per table (returned in m) */
register unsigned *p; /* pointer into c[], b[], or v[] */
register struct huft *q; /* points to current table */
- struct huft r; /* table entry for structure assignment */
+ struct huft r = {0}; /* table entry for structure assignment */
struct huft *u[BMAX]; /* table stack */
unsigned v[N_MAX]; /* values in order of bit length */
register int w; /* bits before this table == (l * h) */
--
cgit v1.1
From 29d44a236a5e939b8ff24e6c31141d5b1e48f693 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:40 +0000
Subject: io/gzio: Fix possible use of uninitialized variable in huft_build()
In huft_build() it is possible to reach the for loop where "r" is being
assigned to "q[j]" without "r.v" ever being initialized.
Fixes: CID 314024
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=29d44a236a5e939b8ff24e6c31141d5b1e48f693
---
grub-core/io/gzio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
index aea86a0..10156e5 100644
--- a/grub-core/io/gzio.c
+++ b/grub-core/io/gzio.c
@@ -447,7 +447,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
int l; /* bits per table (returned in m) */
register unsigned *p; /* pointer into c[], b[], or v[] */
register struct huft *q; /* points to current table */
- struct huft r; /* table entry for structure assignment */
+ struct huft r = {0}; /* table entry for structure assignment */
struct huft *u[BMAX]; /* table stack */
unsigned v[N_MAX]; /* values in order of bit length */
register int w; /* bits before this table == (l * h) */
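Review bot: Initializing r with {0} removes the uninitialized read, but the path described in the commit message still stores r into q[j] without r.v being set from the input, now as zero. It is worth confirming that an all-zero struct huft is a harmless table entry for the decoder, and saying so in the comment on the declaration.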
--
cgit v1.1

@ -0,0 +1,37 @@
From 1a241e050652472efa62b2b36ad2fa7f82427b83 Mon Sep 17 00:00:00 2001
From: Maxim Fomin <maxim@fomin.one>
Date: Wed, 28 Dec 2022 17:40:06 +0000
Subject: kern/fs: Fix possible integer overflow in i386-pc mode with large
partitions
The i386-pc mode supports MBR partition scheme where maximum partition
size is 2 TiB. In case of large partitions left shift expression with
unsigned long int "length" object may cause integer overflow making
calculated partition size less than true value. This issue is fixed by
increasing the size of "length" integer type.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=1a241e050652472efa62b2b36ad2fa7f82427b83
Conflict:NA
Signed-off-by: Maxim Fomin <maxim@fomin.one>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
index b950829..7ad0aaf 100644
--- a/grub-core/kern/fs.c
+++ b/grub-core/kern/fs.c
@@ -130,7 +130,7 @@ grub_fs_probe (grub_device_t device)
struct grub_fs_block
{
grub_disk_addr_t offset;
- unsigned long length;
+ grub_disk_addr_t length;
};
static grub_err_t
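Review bot: Widening length to grub_disk_addr_t only helps if the left shift named in the commit message is evaluated in that type, and the shift itself is outside this hunk. Please check that its operands are not still unsigned long at the point of shifting, and that readers of the length member of struct grub_fs_block do not assign it back to a narrower type.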
--
cgit v1.1

@ -0,0 +1,37 @@
From 4f7d77d7e0740c1b0d69c7a658b5c4986eda0093 Mon Sep 17 00:00:00 2001
From: Alec Brown <alec.r.brown@oracle.com>
Date: Fri, 3 Feb 2023 17:18:14 -0500
Subject: net/bootp: Fix unchecked return value
In the function send_dhcp_packet(), added an error check for the return
value of grub_netbuff_push().
Fixes: CID 404614
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=4f7d77d7e0740c1b0d69c7a658b5c4986eda0093
Conflict:NA
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/bootp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
index 2e3c86e..6b07a4a 100644
--- a/grub-core/net/bootp.c
+++ b/grub-core/net/bootp.c
@@ -727,7 +727,9 @@ send_dhcp_packet (struct grub_net_network_level_interface *iface)
grub_memcpy (&pack->mac_addr, &iface->hwaddress.mac, pack->hw_len);
- grub_netbuff_push (nb, sizeof (*udph));
+ err = grub_netbuff_push (nb, sizeof (*udph));
+ if (err)
+ goto out;
udph = (struct udphdr *) nb->data;
udph->src = grub_cpu_to_be16_compile_time (68);
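Review bot: The new error path jumps to out, so the fix depends on that label releasing nb and returning err, neither of which is visible in this hunk. That is worth confirming, along with whether any other grub_netbuff_push () call in send_dhcp_packet () has the same unchecked return.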
--
2.19.1

@ -1,91 +1,91 @@
From c39f27cd678d61e8e84c1386695a33575c9ded44 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@ubuntu.com>
Date: Thu, 7 Oct 2021 16:33:16 -0700
Subject: osdep/linux: Fix md array device enumeration
GET_ARRAY_INFO's info.nr_disks does not map to GET_DISK_INFO's
disk.number, which is an internal kernel index. If an array has had drives
added, removed, etc., there may be gaps in GET_DISK_INFO's results. But
since the consumer of devicelist cannot tolerate gaps (it expects to walk
a NULL-terminated list of device name strings), the devicelist index (j)
must be tracked separately from the disk.number index (i).
As part of this, since GRUB wants to only examine active (i.e. present
and non-failed) disks, the count of remaining disks (remaining) must be
tracked separately from the devicelist index (j).
Additionally, drop a line with empty spaces only.
Fixes: 49de079bbe1c (... (grub_util_raid_getmembers): Handle "removed" disks)
Fixes: 2b00217369ac (... Added support for RAID and LVM)
Fixes: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1912043
Fixes: https://savannah.gnu.org/bugs/index.php?59887
Signed-off-by: Kees Cook <kees@ubuntu.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=c39f27cd678d61e8e84c1386695a33575c9ded44
---
grub-core/osdep/linux/getroot.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c
index cd58858..df422c6 100644
--- a/grub-core/osdep/linux/getroot.c
+++ b/grub-core/osdep/linux/getroot.c
@@ -130,10 +130,20 @@ struct mountinfo_entry
char fstype[ESCAPED_PATH_MAX + 1], device[ESCAPED_PATH_MAX + 1];
};
+/*
+ * GET_DISK_INFO nr_disks (total count) does not map to disk.number,
+ * which is an internal kernel index. Instead, do what mdadm does
+ * and keep scanning until we find enough valid disks. The limit is
+ * copied from there, which notes that it is sufficiently high given
+ * that the on-disk metadata for v1.x can only support 1920.
+ */
+#define MD_MAX_DISKS 4096
+
static char **
grub_util_raid_getmembers (const char *name, int bootable)
{
int fd, ret, i, j;
+ int remaining;
char **devicelist;
mdu_version_t version;
mdu_array_info_t info;
@@ -165,22 +175,22 @@ grub_util_raid_getmembers (const char *name, int bootable)
devicelist = xcalloc (info.nr_disks + 1, sizeof (char *));
- for (i = 0, j = 0; j < info.nr_disks; i++)
+ remaining = info.nr_disks;
+ for (i = 0, j = 0; i < MD_MAX_DISKS && remaining > 0; i++)
{
disk.number = i;
ret = ioctl (fd, GET_DISK_INFO, &disk);
if (ret != 0)
grub_util_error (_("ioctl GET_DISK_INFO error: %s"), strerror (errno));
-
+
+ /* Skip: MD_DISK_REMOVED slots don't contribute to "remaining" count. */
if (disk.state & (1 << MD_DISK_REMOVED))
continue;
+ remaining--;
+ /* Only record disks that are actively participating in the array. */
if (disk.state & (1 << MD_DISK_ACTIVE))
- devicelist[j] = grub_find_device (NULL,
- makedev (disk.major, disk.minor));
- else
- devicelist[j] = NULL;
- j++;
+ devicelist[j++] = grub_find_device (NULL, makedev (disk.major, disk.minor));
}
devicelist[j] = NULL;
--
cgit v1.1
From c39f27cd678d61e8e84c1386695a33575c9ded44 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@ubuntu.com>
Date: Thu, 7 Oct 2021 16:33:16 -0700
Subject: osdep/linux: Fix md array device enumeration
GET_ARRAY_INFO's info.nr_disks does not map to GET_DISK_INFO's
disk.number, which is an internal kernel index. If an array has had drives
added, removed, etc., there may be gaps in GET_DISK_INFO's results. But
since the consumer of devicelist cannot tolerate gaps (it expects to walk
a NULL-terminated list of device name strings), the devicelist index (j)
must be tracked separately from the disk.number index (i).
As part of this, since GRUB wants to only examine active (i.e. present
and non-failed) disks, the count of remaining disks (remaining) must be
tracked separately from the devicelist index (j).
Additionally, drop a line with empty spaces only.
Fixes: 49de079bbe1c (... (grub_util_raid_getmembers): Handle "removed" disks)
Fixes: 2b00217369ac (... Added support for RAID and LVM)
Fixes: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1912043
Fixes: https://savannah.gnu.org/bugs/index.php?59887
Signed-off-by: Kees Cook <kees@ubuntu.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=c39f27cd678d61e8e84c1386695a33575c9ded44
---
grub-core/osdep/linux/getroot.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c
index cd58858..df422c6 100644
--- a/grub-core/osdep/linux/getroot.c
+++ b/grub-core/osdep/linux/getroot.c
@@ -130,10 +130,20 @@ struct mountinfo_entry
char fstype[ESCAPED_PATH_MAX + 1], device[ESCAPED_PATH_MAX + 1];
};
+/*
+ * GET_DISK_INFO nr_disks (total count) does not map to disk.number,
+ * which is an internal kernel index. Instead, do what mdadm does
+ * and keep scanning until we find enough valid disks. The limit is
+ * copied from there, which notes that it is sufficiently high given
+ * that the on-disk metadata for v1.x can only support 1920.
+ */
+#define MD_MAX_DISKS 4096
+
static char **
grub_util_raid_getmembers (const char *name, int bootable)
{
int fd, ret, i, j;
+ int remaining;
char **devicelist;
mdu_version_t version;
mdu_array_info_t info;
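Review bot: The new comment above MD_MAX_DISKS says "GET_DISK_INFO nr_disks", but per the commit message nr_disks comes from GET_ARRAY_INFO and disk.number belongs to GET_DISK_INFO. Fixing the ioctl name in the comment would avoid confusing the two.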
@@ -165,22 +175,22 @@ grub_util_raid_getmembers (const char *name, int bootable)
devicelist = xcalloc (info.nr_disks + 1, sizeof (char *));
- for (i = 0, j = 0; j < info.nr_disks; i++)
+ remaining = info.nr_disks;
+ for (i = 0, j = 0; i < MD_MAX_DISKS && remaining > 0; i++)
{
disk.number = i;
ret = ioctl (fd, GET_DISK_INFO, &disk);
if (ret != 0)
grub_util_error (_("ioctl GET_DISK_INFO error: %s"), strerror (errno));
-
+
+ /* Skip: MD_DISK_REMOVED slots don't contribute to "remaining" count. */
if (disk.state & (1 << MD_DISK_REMOVED))
continue;
+ remaining--;
+ /* Only record disks that are actively participating in the array. */
if (disk.state & (1 << MD_DISK_ACTIVE))
- devicelist[j] = grub_find_device (NULL,
- makedev (disk.major, disk.minor));
- else
- devicelist[j] = NULL;
- j++;
+ devicelist[j++] = grub_find_device (NULL, makedev (disk.major, disk.minor));
}
devicelist[j] = NULL;
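Review bot: In the rewritten loop, devicelist[j++] = grub_find_device (...) stores the result unchecked, so a NULL return would end the list early for a consumer that walks it as NULL-terminated. The loop can also stop at MD_MAX_DISKS with remaining still above zero and return a short list silently. A NULL check before advancing j and a warning on that exit would make both cases visible.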
--
cgit v1.1

@ -0,0 +1,75 @@
From f7564844f82b57078d601befadc438b5bc1fa01b Mon Sep 17 00:00:00 2001
From: Mukesh Kumar Chaurasiya <mchauras@linux.vnet.ibm.com>
Date: Thu, 9 Feb 2023 13:09:16 +0530
Subject: osdep/linux/hostdisk: Modify sector by sysfs as disk sector
The disk sector size provided by sysfs file system considers the sector
size of 512 irrespective of disk sector size, thus causing the read by
the GRUB to an incorrect offset from what was originally intended.
Considering the 512 sector size of sysfs data the actual sector needs to
be modified corresponding to disk sector size.
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=f7564844f82b57078d601befadc438b5bc1fa01b
Conflict:NA
Signed-off-by: Mukesh Kumar Chaurasiya <mchauras@linux.vnet.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/osdep/linux/hostdisk.c | 7 ++++---
include/grub/disk.h | 7 +++++++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/grub-core/osdep/linux/hostdisk.c b/grub-core/osdep/linux/hostdisk.c
index 07058f6..7e24ae6 100644
--- a/grub-core/osdep/linux/hostdisk.c
+++ b/grub-core/osdep/linux/hostdisk.c
@@ -198,7 +198,8 @@ have_devfs (void)
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int
-grub_hostdisk_linux_find_partition (char *dev, grub_disk_addr_t sector)
+grub_hostdisk_linux_find_partition (const grub_disk_t disk, char *dev,
+ grub_disk_addr_t sector)
{
size_t len = strlen (dev);
const char *format;
@@ -263,7 +264,7 @@ grub_hostdisk_linux_find_partition (char *dev, grub_disk_addr_t sector)
if (fstat (fd, &st) < 0
|| !grub_util_device_is_mapped_stat (&st)
|| !grub_util_get_dm_node_linear_info (st.st_rdev, 0, 0, &start))
- start = grub_util_find_partition_start_os (real_dev);
+ start = grub_disk_to_native_sector (disk, grub_util_find_partition_start_os (real_dev));
/* We don't care about errors here. */
grub_errno = GRUB_ERR_NONE;
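Review bot: in grub_hostdisk_linux_find_partition(), only the fallback value from grub_util_find_partition_start_os() goes through grub_disk_to_native_sector(); when grub_util_get_dm_node_linear_info() succeeds, start keeps whatever unit that call produced. Please confirm that the device-mapper path does not need the same conversion, and add a comment if the asymmetry is intentional. The new assignment also runs well past 80 columns; putting the inner call on its own line would match the surrounding style.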
@@ -344,7 +345,7 @@ grub_util_fd_open_device (const grub_disk_t disk, grub_disk_addr_t sector, int f
&& strncmp (dev, "/dev/", 5) == 0)
{
if (sector >= part_start)
- is_partition = grub_hostdisk_linux_find_partition (dev, part_start);
+ is_partition = grub_hostdisk_linux_find_partition (disk, dev, part_start);
else
*max = part_start - sector;
}
diff --git a/include/grub/disk.h b/include/grub/disk.h
index 25c141e..071b2f7 100644
--- a/include/grub/disk.h
+++ b/include/grub/disk.h
@@ -208,6 +208,13 @@ grub_disk_from_native_sector (grub_disk_t disk, grub_disk_addr_t sector)
return sector << (disk->log_sector_size - GRUB_DISK_SECTOR_BITS);
}
+/* Convert from GRUB native disk sized sector to disk sized sector. */
+static inline grub_disk_addr_t
+grub_disk_to_native_sector (grub_disk_t disk, grub_disk_addr_t sector)
+{
+ return sector >> (disk->log_sector_size - GRUB_DISK_SECTOR_BITS);
+}
+
/* This is called from the memory manager. */
void grub_disk_cache_invalidate_all (void);
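Review bot: grub_disk_to_native_sector() shifts right, so a sector value that is not a multiple of `1 << (disk->log_sector_size - GRUB_DISK_SECTOR_BITS)` is silently rounded down to the previous device sector. The comment should state that truncation is expected for the sysfs partition start this helper is used on, or the caller should check alignment before converting. The comment text "GRUB native disk sized sector to disk sized sector" is also ambiguous about units; naming them (GRUB's fixed-size sectors in, device-sized sectors out) would prevent the helper from being mixed up with grub_disk_from_native_sector().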
--
cgit v1.1

View File

@ -1,45 +1,45 @@
From 53f08de12bfdd10207a8e6a062c9778f5ab6df87 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:37 +0000
Subject: util/grub-fstest: Fix resource leaks in cmd_cmp()
In the function cmd_cmp() within the while loop, srcnew and destnew are
being allocated but are never freed either before leaving scope or in
the recursive calls being made to cmd_cmp().
Fixes: CID 314032
Fixes: CID 314045
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=53f08de12bfdd10207a8e6a062c9778f5ab6df87
---
util/grub-fstest.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/util/grub-fstest.c b/util/grub-fstest.c
index 8386564..486f1dc 100644
--- a/util/grub-fstest.c
+++ b/util/grub-fstest.c
@@ -300,9 +300,15 @@ cmd_cmp (char *src, char *dest)
strcpy (ptr, entry->d_name);
if (grub_util_is_special_file (destnew))
- continue;
+ {
+ free (srcnew);
+ free (destnew);
+ continue;
+ }
cmd_cmp (srcnew, destnew);
+ free (srcnew);
+ free (destnew);
}
grub_util_fd_closedir (dir);
return;
--
cgit v1.1
From 53f08de12bfdd10207a8e6a062c9778f5ab6df87 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:37 +0000
Subject: util/grub-fstest: Fix resource leaks in cmd_cmp()
In the function cmd_cmp() within the while loop, srcnew and destnew are
being allocated but are never freed either before leaving scope or in
the recursive calls being made to cmd_cmp().
Fixes: CID 314032
Fixes: CID 314045
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=53f08de12bfdd10207a8e6a062c9778f5ab6df87
---
util/grub-fstest.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/util/grub-fstest.c b/util/grub-fstest.c
index 8386564..486f1dc 100644
--- a/util/grub-fstest.c
+++ b/util/grub-fstest.c
@@ -300,9 +300,15 @@ cmd_cmp (char *src, char *dest)
strcpy (ptr, entry->d_name);
if (grub_util_is_special_file (destnew))
- continue;
+ {
+ free (srcnew);
+ free (destnew);
+ continue;
+ }
cmd_cmp (srcnew, destnew);
+ free (srcnew);
+ free (destnew);
}
grub_util_fd_closedir (dir);
return;
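Review bot: cmd_cmp() now carries the same `free (srcnew); free (destnew);` pair on both the skip path and the normal path of the loop body. Calling `cmd_cmp (srcnew, destnew)` only when grub_util_is_special_file (destnew) is false, and freeing once at the bottom of the loop, would remove the duplication and keep a later early exit from reintroducing the leak.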
--
cgit v1.1

View File

@ -1,38 +1,38 @@
From e07fcea291ac8aa430db6e57d6e8e08894127fe2 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:35 +0000
Subject: util/grub-install-common: Fix memory leak in copy_all()
The copy_all() function skips a section of code using continue, but
fails to free the memory in srcf first, leaking it.
Fixes: CID 314026
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=e07fcea291ac8aa430db6e57d6e8e08894127fe2
---
util/grub-install-common.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
index 4e212e6..fe77e39 100644
--- a/util/grub-install-common.c
+++ b/util/grub-install-common.c
@@ -754,7 +754,10 @@ copy_all (const char *srcd,
srcf = grub_util_path_concat (2, srcd, de->d_name);
if (grub_util_is_special_file (srcf)
|| grub_util_is_directory (srcf))
- continue;
+ {
+ free (srcf);
+ continue;
+ }
dstf = grub_util_path_concat (2, dstd, de->d_name);
grub_install_compress_file (srcf, dstf, 1);
free (srcf);
--
cgit v1.1
From e07fcea291ac8aa430db6e57d6e8e08894127fe2 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:35 +0000
Subject: util/grub-install-common: Fix memory leak in copy_all()
The copy_all() function skips a section of code using continue, but
fails to free the memory in srcf first, leaking it.
Fixes: CID 314026
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=e07fcea291ac8aa430db6e57d6e8e08894127fe2
---
util/grub-install-common.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
index 4e212e6..fe77e39 100644
--- a/util/grub-install-common.c
+++ b/util/grub-install-common.c
@@ -754,7 +754,10 @@ copy_all (const char *srcd,
srcf = grub_util_path_concat (2, srcd, de->d_name);
if (grub_util_is_special_file (srcf)
|| grub_util_is_directory (srcf))
- continue;
+ {
+ free (srcf);
+ continue;
+ }
dstf = grub_util_path_concat (2, dstd, de->d_name);
grub_install_compress_file (srcf, dstf, 1);
free (srcf);
--
cgit v1.1

View File

@ -1,35 +1,35 @@
From b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:38 +0000
Subject: util/grub-mkfont: Fix memory leak in write_font_pf2()
In the function write_font_pf2() memory is allocated for font_name to
construct a new name, but it is not released before returning from the
function, leaking the allocated memory.
Fixes: CID 314015
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed
---
util/grub-mkfont.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/util/grub-mkfont.c b/util/grub-mkfont.c
index 0fe45a6..fdfd70d 100644
--- a/util/grub-mkfont.c
+++ b/util/grub-mkfont.c
@@ -928,6 +928,7 @@ write_font_pf2 (struct grub_font_info *font_info, char *output_file)
file, output_file);
}
+ free (font_name);
fclose (file);
}
--
cgit v1.1
From b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:38 +0000
Subject: util/grub-mkfont: Fix memory leak in write_font_pf2()
In the function write_font_pf2() memory is allocated for font_name to
construct a new name, but it is not released before returning from the
function, leaking the allocated memory.
Fixes: CID 314015
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed
---
util/grub-mkfont.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/util/grub-mkfont.c b/util/grub-mkfont.c
index 0fe45a6..fdfd70d 100644
--- a/util/grub-mkfont.c
+++ b/util/grub-mkfont.c
@@ -928,6 +928,7 @@ write_font_pf2 (struct grub_font_info *font_info, char *output_file)
file, output_file);
}
+ free (font_name);
fclose (file);
}
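Review bot: `free (font_name)` is placed at the very end of write_font_pf2(), so it covers only the fall-through path, and the hunk does not show the code between the allocation and this point. Please confirm there is no return in that range that would still skip the free; if there is one, a single cleanup label shared by all exits would be safer than a free at the tail.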
--
cgit v1.1

View File

@ -1,34 +1,34 @@
From eff17a6b2d563fe9a0917e048776ed9ce2da4b80 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:36 +0000
Subject: util/grub-mkrescue: Fix memory leak in write_part()
In the function write_part(), the value of inname is not used beyond
the grub_util_fopen() call, so it should be freed to avoid leakage.
Fixes: CID 314028
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=eff17a6b2d563fe9a0917e048776ed9ce2da4b80
---
util/grub-mkrescue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
index fb4dcc6..59c48b1 100644
--- a/util/grub-mkrescue.c
+++ b/util/grub-mkrescue.c
@@ -229,6 +229,7 @@ write_part (FILE *f, const char *srcdir)
char *inname = grub_util_path_concat (2, srcdir, "partmap.lst");
char buf[260];
in = grub_util_fopen (inname, "rb");
+ free (inname);
if (!in)
return;
while (fgets (buf, 256, in))
--
cgit v1.1
From eff17a6b2d563fe9a0917e048776ed9ce2da4b80 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Tue, 26 Oct 2021 15:02:36 +0000
Subject: util/grub-mkrescue: Fix memory leak in write_part()
In the function write_part(), the value of inname is not used beyond
the grub_util_fopen() call, so it should be freed to avoid leakage.
Fixes: CID 314028
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflict: NA
Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=eff17a6b2d563fe9a0917e048776ed9ce2da4b80
---
util/grub-mkrescue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
index fb4dcc6..59c48b1 100644
--- a/util/grub-mkrescue.c
+++ b/util/grub-mkrescue.c
@@ -229,6 +229,7 @@ write_part (FILE *f, const char *srcdir)
char *inname = grub_util_path_concat (2, srcdir, "partmap.lst");
char buf[260];
in = grub_util_fopen (inname, "rb");
+ free (inname);
if (!in)
return;
while (fgets (buf, 256, in))
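Review bot: in write_part(), inname stays in scope as a dangling pointer for the rest of the function after `free (inname)`. Freeing before the `if (!in)` check is the right place, since it covers the early return as well, but setting inname to NULL afterwards (or wrapping the concat, open and free in a small helper) would stop a later edit from reusing it, for example in an error message about the file that failed to open.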
--
cgit v1.1

View File

@ -314,3 +314,15 @@ Patch0307: 0202-rpm-sort-add-prereqs-for-declaration-of-strchrnul.patch
Patch0308: loongarch-Force-initrd-load-address-64KiB-alignment.patch
Patch0309: loongarch-Implement-cache-synchronization-operation.patch
%endif
Patch0310: backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch
Patch0311: backport-font-Assign-null_font-to-unknown_glyph.patch
Patch0312: backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch
Patch0313: backport-kern-fs-Fix-possible-integer-overflow-in-i386-pc-mode-with-large.patch
Patch0314: backport-gentpl_py-Remove-interp-section-from-img-files.patch
Patch0315: backport-fs-iso9660-Add-check-to-prevent-infinite-loop.patch
Patch0316: backport-fs-iso9660-Prevent-read-past-the-end-of-system-use-area.patch
Patch0317: backport-fs-iso9660-Prevent-skipping-CE-or-ST-at-start-of-continuation-area.patch
Patch0318: backport-fs-iso9660-Incorrect-check-for-entry-boundary.patch
Patch0319: backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch
Patch0320: backport-net-bootp-Fix-unchecked-return-value.patch
Patch0321: backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch
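Review bot: Patch0310 through Patch0321 are added after the `%endif`, so they apply on every architecture, while Patch0308 and Patch0309 just above them sit inside the conditional that the `%endif` closes. Please confirm the new patches apply cleanly both with and without the conditional ones, since the contiguous numbering suggests a fixed order that does not hold on all builds. A short comment above Patch0310 marking the start of the unconditional backports would make that boundary explicit.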

View File

@ -14,7 +14,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 27
Release: 28
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -439,6 +439,23 @@ fi
%{_datadir}/man/man*
%changelog
* Mon Apr 10 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.06-28
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:osdep/linux/hostdisk: Modify sector by sysfs as disk sector
net/bootp: Fix unchecked return value
fs/iso9660: Avoid reading past the entry boundary
fs/iso9660: Incorrect check for entry boundary
fs/iso9660: Prevent skipping CE or ST at start of continuation area
fs/iso9660: Prevent read past the end of system use area
fs/iso9660: Add check to prevent infinite loop
gentpl.py: Remove .interp section from .img files
kern/fs: Fix possible integer overflow in i386-pc mode with large partitions
font: Reject fonts with negative max_char_width or max_char_height
font: Assign null_font to unknown_glyph
font: Check return value of grub_malloc() in ascii_glyph_lookup()
* Wed Mar 22 2023 mengyingkun <mengyingkun@loongson.cn> - 1:2.06-27
- Type:bugfix
- CVE:NA