From 5257b67cc7b0367df2e336c3da142bb7df940f66 Mon Sep 17 00:00:00 2001
From: sa-buc
Date: Tue, 29 Jul 2025 16:01:41 +0800
Subject: [PATCH] fix cve

---
 1015-misc-Implement-grub_strlcpy.patch | 67 +++++++++++++++
 ...write-in-grub_net_search_config_file.patch | 82 +++++++++++++++++++
 grub.patches | 2 +
 grub2.spec | 5 +-
 4 files changed, 155 insertions(+), 1 deletion(-)
 create mode 100644 1015-misc-Implement-grub_strlcpy.patch
 create mode 100644 1016-CVE-2025-0624-net-Fix-OOB-write-in-grub_net_search_config_file.patch

diff --git a/1015-misc-Implement-grub_strlcpy.patch b/1015-misc-Implement-grub_strlcpy.patch
new file mode 100644
index 0000000..2343fae
--- /dev/null
+++ b/1015-misc-Implement-grub_strlcpy.patch
@@ -0,0 +1,67 @@
+From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001
+From: B Horn
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: misc: Implement grub_strlcpy()
+
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+
+Signed-off-by: B Horn
+Reviewed-by: Daniel Kiper
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 1578f36..14d8f37 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src)
+ return d - 1;
+ }
+
++static inline grub_size_t
++grub_strlcpy (char *dest, const char *src, grub_size_t size)
++{
++ char *d = dest;
++ grub_size_t res = 0;
++ /*
++ * We do not subtract one from size here to avoid dealing with underflowing
++ * the value, which is why to_copy is always checked to be greater than one
++ * throughout this function.
++ */
++ grub_size_t to_copy = size;
++
++ /* Copy size - 1 bytes to dest. */
++ if (to_copy > 1)
++ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
++ ;
++
++ /*
++ * NUL terminate if size != 0. The previous step may have copied a NUL byte
++ * if it reached the end of the string, but we know dest[size - 1] must always
++ * be a NUL byte.
++ */
++ if (size != 0)
++ dest[size - 1] = '\0';
++
++ /* If there is still space in dest, but are here, we reached the end of src. */
++ if (to_copy > 1)
++ return res;
++
++ /*
++ * If we haven't reached the end of the string, iterate through to determine
++ * the strings total length.
++ */
++ while (*src++ != '\0' && ++res)
++ ;
++
++ return res;
++}
++
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
+--
+cgit v1.1
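Review bot: The new grub_strlcpy() added to include/grub/misc.h carries no comment stating its contract, so a caller has to trace both loops to learn that the return value is the full length of src and that truncation is therefore detected with `ret >= size`; a header line such as `/* Copy at most size - 1 bytes of src to dest and NUL-terminate dest when size != 0; returns grub_strlen (src), so a result >= size means dest was truncated. */` would make call sites reviewable at a glance. The existing `/* Copy size - 1 bytes to dest. */` overstates what the loop does: it stops as soon as it copies src's NUL, which is exactly why the later `if (to_copy > 1)` can tell the "src exhausted" exit from the "dest full" exit. Since this file is carried verbatim from upstream commit ea703528, any wording change belongs in a follow-up local patch rather than an edit of this one, so that it still applies cleanly.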
diff --git a/1016-CVE-2025-0624-net-Fix-OOB-write-in-grub_net_search_config_file.patch b/1016-CVE-2025-0624-net-Fix-OOB-write-in-grub_net_search_config_file.patch
new file mode 100644
index 0000000..3144daf
--- /dev/null
+++ b/1016-CVE-2025-0624-net-Fix-OOB-write-in-grub_net_search_config_file.patch
@@ -0,0 +1,82 @@
+From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001
+From: B Horn
+Date: Fri, 15 Nov 2024 13:12:09 +0000
+Subject: net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Reported-by: B Horn
+Signed-off-by: B Horn
+Reviewed-by: Daniel Kiper
+---
+ grub-core/net/net.c | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index ace0991..1bcbf05 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -2023,14 +2023,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+
+ grub_err_t
+-grub_net_search_config_file (char *config)
++grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+- grub_size_t config_len;
++ grub_size_t config_len, suffix_len;
+ char *suffix;
+
+ config_len = grub_strlen (config);
+ config[config_len] = '-';
+ suffix = config + config_len + 1;
++ suffix_len = config_buf_len - (config_len + 1);
+
+ struct grub_net_network_level_interface *inf;
+ FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -2056,7 +2057,7 @@ grub_net_search_config_file (char *config)
+
+ if (client_uuid)
+ {
+- grub_strcpy (suffix, client_uuid);
++ grub_strlcpy (suffix, client_uuid, suffix_len);
+ if (grub_config_search_through (config, suffix, 1, 0) == 0)
+ return GRUB_ERR_NONE;
+ }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 7056517..5c90d02 100644
+--- a/grub-core/normal/main.c
++++ 
b/grub-core/normal/main.c
+@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
+ return err;
+
+ grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+- err = grub_net_search_config_file (config);
++ err = grub_net_search_config_file (config, config_len);
+ }
+
+ if (err != GRUB_ERR_NONE)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 273afbd..d280acd 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -655,7 +655,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+
+ grub_err_t
+-grub_net_search_config_file (char *config);
++grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+
+ extern char *grub_net_default_server;
+
+--
+2.43.5
diff --git a/grub.patches b/grub.patches
index 0bbaf27..2806751 100644
--- a/grub.patches
+++ b/grub.patches
@@ -212,3 +212,5 @@ Patch1008: 1008-loongarch-add-back-compatibility-for-linux-kernel.patch
 Patch1009: 1009-configure-Add-GRUB_CPU_LOONGARCH64-support.patch
 Patch1012: 1012-Clear-buffer-to-zero-for-screen-information.patch
 Patch1014: 1014-loongarch-Disable-vector-instructions.patch
+Patch1015: 1015-misc-Implement-grub_strlcpy.patch
+Patch1016: 1016-CVE-2025-0624-net-Fix-OOB-write-in-grub_net_search_config_file.patch
diff --git a/grub2.spec b/grub2.spec
index 3e561cb..a6ff615 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 13
+%define anolis_release 14
 %global _lto_cflags %{nil}
 %undefine _hardened_build
 
@@ -506,6 +506,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
+* Tue Jul 29 2025 zjl002254423 -2.12-14
+- Fix CVE-2025-0624
+
 * Thu Jun 5 2025 Xue Liu - 2.12-13
 - Disable vector instructions for loongarch
 
-- 
Gitee
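Review bot: `suffix_len = config_buf_len - (config_len + 1);` in grub_net_search_config_file() underflows whenever config_len + 1 exceeds config_buf_len, and when the two are equal the preceding `config[config_len] = '-';` overwrites the terminator with nothing written after it, leaving config unterminated for the grub_config_search_through() calls that follow. The visible caller in grub-core/normal/main.c is safe because config was produced by `grub_snprintf (config, config_len, ...)`, but the function is exported through include/grub/net.h, so it should enforce its own precondition before the '-' store, e.g. `if (config_len + 1 >= config_buf_len) return grub_error (GRUB_ERR_BAD_ARGUMENT, "config buffer too small");`. The return value of grub_strlcpy() is discarded, so a client_uuid longer than suffix_len is silently truncated and the truncated name is then searched for; that is fine for closing the OOB write but deserves a one-line comment at the call so nobody later "fixes" it into an error path. Only the client_uuid copy is bounded in these hunks; the body of grub_net_search_config_file() continues outside them, and any other writes into suffix there (not visible here) should be checked against suffix_len as well.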