!263 backport some patches from upstream and covert some patches to Unix text format

From: @zhangqiumiao 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-font-Assign-null_font-to-unknown_glyph.patch

@@ -0,0 +1,33 @@
+From f6806966478c601a96e1f3e0e5e85cf5036555c0 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 5 Dec 2022 19:29:37 +0800
+Subject: font: Assign null_font to unknown_glyph
+
+Like glyphs in ascii_font_glyph[], assign null_font to
+unknown_glyph->font in order to prevent grub_font_get_*() from
+dereferencing NULL pointer.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=f6806966478c601a96e1f3e0e5e85cf5036555c0
+Conflict:NA
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 19a47f8..674043d 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -177,6 +177,7 @@ grub_font_loader_init (void)
+   unknown_glyph->offset_x = 0;
+   unknown_glyph->offset_y = -3;
+   unknown_glyph->device_width = 8;
++  unknown_glyph->font = &null_font;
+   grub_memcpy (unknown_glyph->bitmap,
+ 	       unknown_glyph_bitmap, sizeof (unknown_glyph_bitmap));
+ 
+-- 
+cgit v1.1
+

backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch

@@ -0,0 +1,40 @@
+From d7ed2ebcd69df123fde8ae1ba9163e2b93c47bbf Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 5 Dec 2022 19:29:36 +0800
+Subject: font: Check return value of grub_malloc() in ascii_glyph_lookup()
+
+There is a problem in ascii_glyph_lookup(). It doesn't check the return
+value of grub_malloc(). If memory can't be allocated, then NULL pointer
+will be written to.
+
+This patch fixes the problem by fallbacking to unknown_glyph when
+grub_malloc() returns NULL.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=d7ed2ebcd69df123fde8ae1ba9163e2b93c47bbf
+Conflict:NA
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 3821937..19a47f8 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -131,6 +131,11 @@ ascii_glyph_lookup (grub_uint32_t code)
+ 	{
+ 	  ascii_font_glyph[current] =
+ 	    grub_malloc (sizeof (struct grub_font_glyph) + ASCII_BITMAP_SIZE);
++	  if (ascii_font_glyph[current] == NULL)
++	    {
++	      ascii_font_glyph[current] = unknown_glyph;
++	      continue;
++	    }
+ 
+ 	  ascii_font_glyph[current]->width = 8;
+ 	  ascii_font_glyph[current]->height = 16;
+-- 
+cgit v1.1
+

backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch

@@ -0,0 +1,36 @@
+From faca60df7686a9a3ad9693e8a7b2c6a3a823d133 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 5 Dec 2022 19:29:38 +0800
+Subject: font: Reject fonts with negative max_char_width or max_char_height
+
+If max_char_width or max_char_height are negative wrong values can be propagated
+by grub_font_get_max_char_width() or grub_font_get_max_char_height(). Prevent
+this from happening.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=faca60df7686a9a3ad9693e8a7b2c6a3a823d133
+Conflict:NA
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 674043d..24adcb3 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -644,8 +644,8 @@ grub_font_load (const char *filename)
+ 	       font->max_char_width, font->max_char_height, font->num_chars);
+ #endif
+ 
+-  if (font->max_char_width == 0
+-      || font->max_char_height == 0
++  if (font->max_char_width <= 0
++      || font->max_char_height <= 0
+       || font->num_chars == 0
+       || font->char_index == 0 || font->ascent == 0 || font->descent == 0)
+     {
+-- 
+cgit v1.1
+

backport-fs-iso9660-Add-check-to-prevent-infinite-loop.patch

@@ -0,0 +1,65 @@
+From 4e0bab34ece7b757a1b96be59ba54a009a5cc354 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 20 Jan 2023 19:39:38 +0000
+Subject: fs/iso9660: Add check to prevent infinite loop
+
+There is no check for the end of block when reading
+directory extents. It resulted in read_node() always
+read from the same offset in the while loop, thus
+caused infinite loop. The fix added a check for the
+end of the block and ensure the read is within directory
+boundary.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4e0bab34ece7b757a1b96be59ba54a009a5cc354
+Conflict:NA
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/iso9660.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index df9f778..24d84a5 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -801,6 +801,16 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ 	while (dirent.flags & FLAG_MORE_EXTENTS)
+ 	  {
+ 	    offset += dirent.len;
++
++	    /* offset should within the dir's len. */
++	    if (offset > len)
++	      {
++		if (ctx.filename_alloc)
++		  grub_free (ctx.filename);
++		grub_free (node);
++		return 0;
++	      }
++
+ 	    if (read_node (dir, offset, sizeof (dirent), (char *) &dirent))
+ 	      {
+ 		if (ctx.filename_alloc)
+@@ -808,6 +818,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ 		grub_free (node);
+ 		return 0;
+ 	      }
++
++	    /*
++	     * It is either the end of block or zero-padded sector,
++	     * skip to the next block.
++	     */
++	    if (!dirent.len)
++	      {
++		offset = (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ;
++		dirent.flags |= FLAG_MORE_EXTENTS;
++		continue;
++	      }
++
+ 	    if (node->have_dirents >= node->alloc_dirents)
+ 	      {
+ 		struct grub_fshelp_node *new_node;
+-- 
+cgit v1.1
+

backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch

@@ -0,0 +1,54 @@
+From c44b1428c4c7d2bb01359fd885720af87e10b1b2 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 20 Jan 2023 19:39:40 +0000
+Subject: fs/iso9660: Avoid reading past the entry boundary
+
+Added a check for the SP entry data boundary before reading it.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=c44b1428c4c7d2bb01359fd885720af87e10b1b2
+Conflict:NA
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/iso9660.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 230048a..ecf6bbe 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -415,6 +415,9 @@ set_rockridge (struct grub_iso9660_data *data)
+   if (!sua_size)
+     return GRUB_ERR_NONE;
+ 
++  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
++    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
++
+   sua = grub_malloc (sua_size);
+   if (! sua)
+     return grub_errno;
+@@ -441,8 +444,17 @@ set_rockridge (struct grub_iso9660_data *data)
+       rootnode.have_symlink = 0;
+       rootnode.dirents[0] = data->voldesc.rootdir;
+ 
+-      /* The 2nd data byte stored how many bytes are skipped every time
+-	 to get to the SUA (System Usage Area).  */
++      /* The size of SP (version 1) is fixed to 7. */
++      if (sua_size < 7 || entry->len < 7)
++	{
++	  grub_free (sua);
++	  return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
++	}
++
++      /*
++       * The 2nd data byte stored how many bytes are skipped every time
++       * to get to the SUA (System Usage Area).
++       */
+       data->susp_skip = entry->data[2];
+       entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
+ 
+-- 
+cgit v1.1
+

backport-fs-iso9660-Incorrect-check-for-entry-boundary.patch

@@ -0,0 +1,53 @@
+From 77f657dc9e67a1fd6b1941609a4ed798e99bcae2 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 20 Jan 2023 19:39:41 +0000
+Subject: fs/iso9660: Incorrect check for entry boundary
+
+An SL entry consists of the entry info and the component area.
+The entry info should take up 5 bytes instead of sizeof(*entry).
+The area after the first 5 bytes is the component area. It is
+incorrect to use the sizeof(*entry) to check the entry boundary.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=77f657dc9e67a1fd6b1941609a4ed798e99bcae2
+Conflict:NA
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/iso9660.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index ecf6bbe..64ea3d4 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -669,10 +669,23 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
+   else if (grub_strncmp ("SL", (char *) entry->sig, 2) == 0)
+     {
+       unsigned int pos = 1;
++      unsigned int csize;
+ 
+-      /* The symlink is not stored as a POSIX symlink, translate it.  */
+-      while (pos + sizeof (*entry) < entry->len)
++      /* The symlink is not stored as a POSIX symlink, translate it. */
++      while ((pos + GRUB_ISO9660_SUSP_HEADER_SZ + 1) < entry->len)
+ 	{
++	  /*
++	   * entry->len is GRUB_ISO9660_SUSP_HEADER_SZ + 1 (the FLAGS) +
++	   * length of the "Component Area". The length of a component
++	   * record is 2 (pos and pos + 1) plus the "Component Content",
++	   * of which starts at pos + 2. entry->data[pos] is the
++	   * "Component Flags"; entry->data[pos + 1] is the length
++	   * of the component.
++	   */
++          csize = entry->data[pos + 1] + 2;
++          if (GRUB_ISO9660_SUSP_HEADER_SZ + 1 + csize > entry->len)
++            break;
++
+ 	  /* The current position is the `Component Flag'.  */
+ 	  switch (entry->data[pos] & 30)
+ 	    {
+-- 
+cgit v1.1
+

backport-fs-iso9660-Prevent-read-past-the-end-of-system-use-area.patch

@@ -0,0 +1,95 @@
+From 8f41d35fcecb65746b60aaa99936cbbdf5fb27ba Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Wed, 1 Feb 2023 17:08:44 +0100
+Subject: fs/iso9660: Prevent read past the end of system use area
+
+In the code, the for loop advanced the entry pointer to the next entry before
+checking if the next entry is within the system use area boundary. Another
+issue in the code was that there is no check for the size of system use area.
+For a corrupted system, the size of system use area can be less than the size
+of minimum SUSP entry size (4 bytes). These can cause buffer overrun. The fixes
+added the checks to ensure the read is valid and within the boundary.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=8f41d35fcecb65746b60aaa99936cbbdf5fb27ba
+Conflict:NA
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/iso9660.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 24d84a5..230048a 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -49,6 +49,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define GRUB_ISO9660_VOLDESC_PART	3
+ #define GRUB_ISO9660_VOLDESC_END	255
+ 
++#define GRUB_ISO9660_SUSP_HEADER_SZ	4
++
+ /* The head of a volume descriptor.  */
+ struct grub_iso9660_voldesc
+ {
+@@ -272,6 +274,9 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+   if (sua_size <= 0)
+     return GRUB_ERR_NONE;
+ 
++  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
++    return grub_error (GRUB_ERR_BAD_FS, "invalid susp entry size");
++
+   sua = grub_malloc (sua_size);
+   if (!sua)
+     return grub_errno;
+@@ -284,10 +289,14 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+       return err;
+     }
+ 
+-  for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char *) sua + sua_size - 1 && entry->len > 0;
+-       entry = (struct grub_iso9660_susp_entry *)
+-	 ((char *) entry + entry->len))
++  entry = (struct grub_iso9660_susp_entry *) sua;
++
++  while (entry->len > 0)
+     {
++      /* Ensure the entry is within System Use Area. */
++      if ((char *) entry + entry->len > (sua + sua_size))
++        break;
++
+       /* The last entry.  */
+       if (grub_strncmp ((char *) entry->sig, "ST", 2) == 0)
+ 	break;
+@@ -303,6 +312,16 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+ 	  off = grub_le_to_cpu32 (ce->off);
+ 	  ce_block = grub_le_to_cpu32 (ce->blk) << GRUB_ISO9660_LOG2_BLKSZ;
+ 
++	  if (sua_size <= 0)
++	    break;
++
++	  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
++	    {
++	      grub_free (sua);
++	      return grub_error (GRUB_ERR_BAD_FS,
++			         "invalid continuation area in CE entry");
++	    }
++
+ 	  grub_free (sua);
+ 	  sua = grub_malloc (sua_size);
+ 	  if (!sua)
+@@ -325,6 +344,11 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+ 	  grub_free (sua);
+ 	  return 0;
+ 	}
++
++      entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
++
++      if (((sua + sua_size) - (char *) entry) < GRUB_ISO9660_SUSP_HEADER_SZ)
++        break;
+     }
+ 
+   grub_free (sua);
+-- 
+cgit v1.1
+

backport-fs-iso9660-Prevent-skipping-CE-or-ST-at-start-of-continuation-area.patch

@@ -0,0 +1,73 @@
+From 2a96eab759aff74c2a214da66eefeb1e770c0820 Mon Sep 17 00:00:00 2001
+From: Thomas Schmitt <scdbackup@gmx.net>
+Date: Wed, 1 Feb 2023 17:28:49 +0100
+Subject: fs/iso9660: Prevent skipping CE or ST at start of continuation area
+
+If processing of a SUSP CE entry leads to a continuation area which
+begins by entry CE or ST, then these entries were skipped without
+interpretation. In case of CE this would lead to premature end of
+processing the SUSP entries of the file. In case of ST this could
+cause following non-SUSP bytes to be interpreted as SUSP entries.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2a96eab759aff74c2a214da66eefeb1e770c0820
+Conflict:NA
+
+Signed-off-by: Thomas Schmitt <scdbackup@gmx.net>
+Tested-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Thomas Schmitt <scdbackup@gmx.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/iso9660.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 64ea3d4..acccf5f 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -50,6 +50,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define GRUB_ISO9660_VOLDESC_END	255
+ 
+ #define GRUB_ISO9660_SUSP_HEADER_SZ	4
++#define GRUB_ISO9660_MAX_CE_HOPS	100000
+ 
+ /* The head of a volume descriptor.  */
+ struct grub_iso9660_voldesc
+@@ -270,6 +271,7 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+   char *sua;
+   struct grub_iso9660_susp_entry *entry;
+   grub_err_t err;
++  int ce_counter = 0;
+ 
+   if (sua_size <= 0)
+     return GRUB_ERR_NONE;
+@@ -307,6 +309,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+ 	  struct grub_iso9660_susp_ce *ce;
+ 	  grub_disk_addr_t ce_block;
+ 
++	  if (++ce_counter > GRUB_ISO9660_MAX_CE_HOPS)
++	    {
++	      grub_free (sua);
++	      return grub_error (GRUB_ERR_BAD_FS,
++	                         "suspecting endless CE loop");
++	    }
++
+ 	  ce = (struct grub_iso9660_susp_ce *) entry;
+ 	  sua_size = grub_le_to_cpu32 (ce->len);
+ 	  off = grub_le_to_cpu32 (ce->off);
+@@ -337,6 +346,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off,
+ 	    }
+ 
+ 	  entry = (struct grub_iso9660_susp_entry *) sua;
++	  /*
++	   * The hook function will not process CE or ST.
++	   * Advancing to the next entry would skip them.
++	   */
++	  if (grub_strncmp ((char *) entry->sig, "CE", 2) == 0
++	      || grub_strncmp ((char *) entry->sig, "ST", 2) == 0)
++	    continue;
+ 	}
+ 
+       if (hook (entry, hook_arg))
+-- 
+cgit v1.1
+

backport-gentpl_py-Remove-interp-section-from-img-files.patch

@@ -0,0 +1,35 @@
+From b58aa4e2095943303126fff706d73f18f7caab35 Mon Sep 17 00:00:00 2001
+From: Nicholas Vinson <nvinson234@gmail.com>
+Date: Fri, 13 Jan 2023 02:56:35 -0500
+Subject: gentpl.py: Remove .interp section from .img files
+
+When building .img files, a .interp section from the .image files will
+sometimes be copied into the .img file. This additional section pushes
+the .img file beyond the 512-byte limit and causes grub-install to fail
+to run for i386-pc platforms.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=b58aa4e2095943303126fff706d73f18f7caab35
+Conflict:NA
+
+Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ gentpl.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gentpl.py b/gentpl.py
+index 9f51e4f..88abe5b 100644
+--- a/gentpl.py
++++ b/gentpl.py
+@@ -766,7 +766,7 @@ def image(defn, platform):
+ if test x$(TARGET_APPLE_LINKER) = x1; then \
+   $(MACHO2IMG) $< $@; \
+ else \
+-  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx $< $@; \
++  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx -R .interp $< $@; \
+ fi
+ """)
+ 
+-- 
+cgit v1.1
+

backport-kern-fs-Fix-possible-integer-overflow-in-i386-pc-mode-with-large.patch

@@ -0,0 +1,37 @@
+From 1a241e050652472efa62b2b36ad2fa7f82427b83 Mon Sep 17 00:00:00 2001
+From: Maxim Fomin <maxim@fomin.one>
+Date: Wed, 28 Dec 2022 17:40:06 +0000
+Subject: kern/fs: Fix possible integer overflow in i386-pc mode with large
+ partitions
+
+The i386-pc mode supports MBR partition scheme where maximum partition
+size is 2 TiB. In case of large partitions left shift expression with
+unsigned long int "length" object may cause integer overflow making
+calculated partition size less than true value. This issue is fixed by
+increasing the size of "length" integer type.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=1a241e050652472efa62b2b36ad2fa7f82427b83
+Conflict:NA
+
+Signed-off-by: Maxim Fomin <maxim@fomin.one>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
+index b950829..7ad0aaf 100644
+--- a/grub-core/kern/fs.c
++++ b/grub-core/kern/fs.c
+@@ -130,7 +130,7 @@ grub_fs_probe (grub_device_t device)
+ struct grub_fs_block
+ {
+   grub_disk_addr_t offset;
+-  unsigned long length;
++  grub_disk_addr_t length;
+ };
+ 
+ static grub_err_t
+-- 
+cgit v1.1
+

backport-net-bootp-Fix-unchecked-return-value.patch

@@ -0,0 +1,37 @@
+From 4f7d77d7e0740c1b0d69c7a658b5c4986eda0093 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Fri, 3 Feb 2023 17:18:14 -0500
+Subject: net/bootp: Fix unchecked return value
+
+In the function send_dhcp_packet(), added an error check for the return
+value of grub_netbuff_push().
+
+Fixes: CID 404614
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=4f7d77d7e0740c1b0d69c7a658b5c4986eda0093
+Conflict:NA
+
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/bootp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
+index 2e3c86e..6b07a4a 100644
+--- a/grub-core/net/bootp.c
++++ b/grub-core/net/bootp.c
+@@ -727,7 +727,9 @@ send_dhcp_packet (struct grub_net_network_level_interface *iface)
+ 
+   grub_memcpy (&pack->mac_addr, &iface->hwaddress.mac, pack->hw_len);
+ 
+-  grub_netbuff_push (nb, sizeof (*udph));
++  err = grub_netbuff_push (nb, sizeof (*udph));
++  if (err)
++    goto out;
+ 
+   udph = (struct udphdr *) nb->data;
+   udph->src = grub_cpu_to_be16_compile_time (68);
+-- 
+2.19.1
+

backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch

@@ -0,0 +1,75 @@
+From f7564844f82b57078d601befadc438b5bc1fa01b Mon Sep 17 00:00:00 2001
+From: Mukesh Kumar Chaurasiya <mchauras@linux.vnet.ibm.com>
+Date: Thu, 9 Feb 2023 13:09:16 +0530
+Subject: osdep/linux/hostdisk: Modify sector by sysfs as disk sector
+
+The disk sector size provided by sysfs file system considers the sector
+size of 512 irrespective of disk sector size, thus causing the read by
+the GRUB to an incorrect offset from what was originally intended.
+
+Considering the 512 sector size of sysfs data the actual sector needs to
+be modified corresponding to disk sector size.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=f7564844f82b57078d601befadc438b5bc1fa01b
+Conflict:NA
+
+Signed-off-by: Mukesh Kumar Chaurasiya <mchauras@linux.vnet.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/osdep/linux/hostdisk.c | 7 ++++---
+ include/grub/disk.h              | 7 +++++++
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/osdep/linux/hostdisk.c b/grub-core/osdep/linux/hostdisk.c
+index 07058f6..7e24ae6 100644
+--- a/grub-core/osdep/linux/hostdisk.c
++++ b/grub-core/osdep/linux/hostdisk.c
+@@ -198,7 +198,8 @@ have_devfs (void)
+ #pragma GCC diagnostic ignored "-Wformat-nonliteral"
+ 
+ static int
+-grub_hostdisk_linux_find_partition (char *dev, grub_disk_addr_t sector)
++grub_hostdisk_linux_find_partition (const grub_disk_t disk, char *dev,
++                                    grub_disk_addr_t sector)
+ {
+   size_t len = strlen (dev);
+   const char *format;
+@@ -263,7 +264,7 @@ grub_hostdisk_linux_find_partition (char *dev, grub_disk_addr_t sector)
+       if (fstat (fd, &st) < 0
+ 	  || !grub_util_device_is_mapped_stat (&st)
+ 	  || !grub_util_get_dm_node_linear_info (st.st_rdev, 0, 0, &start))
+-	start = grub_util_find_partition_start_os (real_dev);
++	start = grub_disk_to_native_sector (disk, grub_util_find_partition_start_os (real_dev));
+       /* We don't care about errors here.  */
+       grub_errno = GRUB_ERR_NONE;
+ 
+@@ -344,7 +345,7 @@ grub_util_fd_open_device (const grub_disk_t disk, grub_disk_addr_t sector, int f
+ 	&& strncmp (dev, "/dev/", 5) == 0)
+       {
+ 	if (sector >= part_start)
+-	  is_partition = grub_hostdisk_linux_find_partition (dev, part_start);
++	  is_partition = grub_hostdisk_linux_find_partition (disk, dev, part_start);
+ 	else
+ 	  *max = part_start - sector;
+       }
+diff --git a/include/grub/disk.h b/include/grub/disk.h
+index 25c141e..071b2f7 100644
+--- a/include/grub/disk.h
++++ b/include/grub/disk.h
+@@ -208,6 +208,13 @@ grub_disk_from_native_sector (grub_disk_t disk, grub_disk_addr_t sector)
+   return sector << (disk->log_sector_size - GRUB_DISK_SECTOR_BITS);
+ }
+ 
++/* Convert from GRUB native disk sized sector to disk sized sector. */
++static inline grub_disk_addr_t
++grub_disk_to_native_sector (grub_disk_t disk, grub_disk_addr_t sector)
++{
++  return sector >> (disk->log_sector_size - GRUB_DISK_SECTOR_BITS);
++}
++
+ /* This is called from the memory manager.  */
+ void grub_disk_cache_invalidate_all (void);
+ 
+-- 
+cgit v1.1
+

grub.patches

@@ -314,3 +314,15 @@ Patch0307: 0202-rpm-sort-add-prereqs-for-declaration-of-strchrnul.patch
 Patch0308: loongarch-Force-initrd-load-address-64KiB-alignment.patch
 Patch0309: loongarch-Implement-cache-synchronization-operation.patch
 %endif
+Patch0310: backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch
+Patch0311: backport-font-Assign-null_font-to-unknown_glyph.patch
+Patch0312: backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch
+Patch0313: backport-kern-fs-Fix-possible-integer-overflow-in-i386-pc-mode-with-large.patch
+Patch0314: backport-gentpl_py-Remove-interp-section-from-img-files.patch
+Patch0315: backport-fs-iso9660-Add-check-to-prevent-infinite-loop.patch
+Patch0316: backport-fs-iso9660-Prevent-read-past-the-end-of-system-use-area.patch
+Patch0317: backport-fs-iso9660-Prevent-skipping-CE-or-ST-at-start-of-continuation-area.patch
+Patch0318: backport-fs-iso9660-Incorrect-check-for-entry-boundary.patch
+Patch0319: backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch
+Patch0320: backport-net-bootp-Fix-unchecked-return-value.patch
+Patch0321: backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch

grub2.spec

@@ -14,7 +14,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	27
+Release:	28
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -439,6 +439,23 @@ fi
 %{_datadir}/man/man*
 
 %changelog
+* Mon Apr 10 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.06-28
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:osdep/linux/hostdisk: Modify sector by sysfs as disk sector
+       net/bootp: Fix unchecked return value
+       fs/iso9660: Avoid reading past the entry boundary
+       fs/iso9660: Incorrect check for entry boundary
+       fs/iso9660: Prevent skipping CE or ST at start of continuation area
+       fs/iso9660: Prevent read past the end of system use area
+       fs/iso9660: Add check to prevent infinite loop
+       gentpl.py: Remove .interp section from .img files
+       kern/fs: Fix possible integer overflow in i386-pc mode with large partitions
+       font: Reject fonts with negative max_char_width or max_char_height
+       font: Assign null_font to unknown_glyph
+       font: Check return value of grub_malloc() in ascii_glyph_lookup()
+
 * Wed Mar 22 2023 mengyingkun <mengyingkun@loongson.cn> - 1:2.06-27
 - Type:bugfix
 - CVE:NA