backport some patches from upstream

Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>

backport-fs-udf-Fix-out-of-bounds-access.patch

@@ -0,0 +1,119 @@
+From a24ea9241cb42e8ba670ac8d8ce54275df73a271 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Wed, 7 Jun 2023 01:31:06 +0000
+Subject: fs/udf: Fix out of bounds access
+
+Implemented a boundary check before advancing the allocation
+descriptors pointer.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=a24ea9241cb42e8ba670ac8d8ce54275df73a271
+Conflict:NA
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/udf.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index 7679ea3..b836e61 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -114,6 +114,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define GRUB_UDF_PARTMAP_TYPE_1		1
+ #define GRUB_UDF_PARTMAP_TYPE_2		2
+ 
++#define GRUB_UDF_INVALID_STRUCT_PTR(_ptr, _struct)	\
++  ((char *) (_ptr) >= end_ptr || \
++   ((grub_ssize_t) (end_ptr - (char *) (_ptr)) < (grub_ssize_t) sizeof (_struct)))
++
+ struct grub_udf_lb_addr
+ {
+   grub_uint32_t block_num;
+@@ -458,6 +462,7 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+   char *ptr;
+   grub_ssize_t len;
+   grub_disk_addr_t filebytes;
++  char *end_ptr;
+ 
+   switch (U16 (node->block.fe.tag.tag_ident))
+     {
+@@ -476,9 +481,17 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+       return 0;
+     }
+ 
++  end_ptr = (char *) node + get_fshelp_size (node->data);
++
+   if ((U16 (node->block.fe.icbtag.flags) & GRUB_UDF_ICBTAG_FLAG_AD_MASK)
+       == GRUB_UDF_ICBTAG_FLAG_AD_SHORT)
+     {
++      if (GRUB_UDF_INVALID_STRUCT_PTR (ptr, struct grub_udf_short_ad))
++	{
++	  grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
++	  return 0;
++	}
++
+       struct grub_udf_short_ad *ad = (struct grub_udf_short_ad *) ptr;
+ 
+       filebytes = fileblock * U32 (node->data->lvd.bsize);
+@@ -542,10 +555,22 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ 	  filebytes -= adlen;
+ 	  ad++;
+ 	  len -= sizeof (struct grub_udf_short_ad);
++
++	  if (GRUB_UDF_INVALID_STRUCT_PTR (ad, struct grub_udf_short_ad))
++	    {
++	      grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
++	      return 0;
++	    }
+ 	}
+     }
+   else
+     {
++      if (GRUB_UDF_INVALID_STRUCT_PTR (ptr, struct grub_udf_long_ad))
++	{
++	  grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
++	  return 0;
++	}
++
+       struct grub_udf_long_ad *ad = (struct grub_udf_long_ad *) ptr;
+ 
+       filebytes = fileblock * U32 (node->data->lvd.bsize);
+@@ -611,6 +636,12 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ 	  filebytes -= adlen;
+ 	  ad++;
+ 	  len -= sizeof (struct grub_udf_long_ad);
++
++	  if (GRUB_UDF_INVALID_STRUCT_PTR (ad, struct grub_udf_long_ad))
++	    {
++	      grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
++	      return 0;
++	    }
+ 	}
+     }
+ 
+@@ -630,6 +661,7 @@ grub_udf_read_file (grub_fshelp_node_t node,
+     case GRUB_UDF_ICBTAG_FLAG_AD_IN_ICB:
+       {
+ 	char *ptr;
++	char *end_ptr = (char *) node + get_fshelp_size (node->data);
+ 
+ 	ptr = ((U16 (node->block.fe.tag.tag_ident) == GRUB_UDF_TAG_IDENT_FE) ?
+ 	       ((char *) &node->block.fe.ext_attr[0]
+@@ -637,6 +669,12 @@ grub_udf_read_file (grub_fshelp_node_t node,
+ 	       ((char *) &node->block.efe.ext_attr[0]
+                 + U32 (node->block.efe.ext_attr_length)));
+ 
++	if ((ptr + pos + len) > end_ptr)
++	  {
++	    grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system");
++	    return 0;
++	  }
++
+ 	grub_memcpy (buf, ptr + pos, len);
+ 
+ 	return len;
+-- 
+cgit v1.1
+

backport-lib-relocator-Fix-OOB-write-when-initializing-lo-freebytes.patch

@@ -0,0 +1,38 @@
+From 9dbfbcd660470c3b951d15af0f6ce5a423185ad2 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Fri, 23 Jun 2023 00:02:24 +0200
+Subject: lib/relocator: Fix OOB write when initializing lo->freebytes[]
+
+Fixes: CID 96636
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=9dbfbcd660470c3b951d15af0f6ce5a423185ad2
+Conflict:NA
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
+---
+ grub-core/lib/relocator.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
+index 568fc0b..e0478ae 100644
+--- a/grub-core/lib/relocator.c
++++ b/grub-core/lib/relocator.c
+@@ -881,9 +881,11 @@ malloc_in_range (struct grub_relocator *rel,
+ 			offend = GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT;
+ 		      lo->freebytes[offstart / 8]
+ 			&= ((1 << (8 - (start % 8))) - 1);
+-		      grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
+-				   offend / 8 - (offstart + 7) / 8);
+-		      lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
++		      if (offend / 8 > (offstart + 7) / 8)
++			grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
++				     offend / 8 - (offstart + 7) / 8);
++		      if (offend < GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT)
++			lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
+ 		    }
+ 		    break;
+ #endif
+-- 
+cgit v1.1
+

backport-util-grub-mount-Fix-memory-leak-in-fuse_getattr.patch

@@ -0,0 +1,29 @@
+From 3077b39baef99afe534b582b9024bba877786e40 Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Tue, 25 Jul 2023 11:18:59 +0800
+Subject: util/grub-mount: Fix memory leak in fuse_getattr()
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=3077b39baef99afe534b582b9024bba877786e40
+Conflict:NA
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/grub-mount.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/util/grub-mount.c b/util/grub-mount.c
+index 1c35b6a..c69889d 100644
+--- a/util/grub-mount.c
++++ b/util/grub-mount.c
+@@ -198,6 +198,7 @@ fuse_getattr (const char *path, struct stat *st,
+   (fs->fs_dir) (dev, path2, fuse_getattr_find_file, &ctx);
+ 
+   grub_free (path2);
++  free (pathname);
+   if (!ctx.file_exists)
+     {
+       grub_errno = GRUB_ERR_NONE;
+-- 
+cgit v1.1
+

grub.patches

@@ -341,3 +341,6 @@ Patch0331: backport-util-grub-install-common-Fix-the-key-of.patch
 Patch0332: backport-kern-efi-mm-Fix-use-after-free-in-finish-boot-services.patch
 Patch0333: backport-kern-Check-for-NULL-when-closing-devices-and-disks.patch
 Patch0334: backport-RISC-V-Handle-R_RISCV_CALL_PLT-reloc.patch
+Patch0335: backport-fs-udf-Fix-out-of-bounds-access.patch
+Patch0336: backport-lib-relocator-Fix-OOB-write-when-initializing-lo-freebytes.patch
+Patch0337: backport-util-grub-mount-Fix-memory-leak-in-fuse_getattr.patch

grub2.spec

@@ -14,7 +14,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	36
+Release:	37
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -440,6 +440,14 @@ fi
 %{_datadir}/man/man*
 
 %changelog
+* Wed Sep 13 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.06-37
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fs/udf: Fix out of bounds access
+       lib/relocator: Fix OOB write when initializing lo->freebytes[]
+       util/grub-mount: Fix memory leak in fuse_getattr()
+
 * Fri Sep 1 2023 ouuleilei <wangliu@iscas.ac.cn> - 1:2.06-36
 add a patch to fix build error
 

sbat.csv.in

@@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,1,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
+grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
 grub.openeuler,1,The openEuler Project,grub2,@@VERSION_RELEASE@@,https://gitee.com/src-openeuler/grub2