diff --git a/backport-disk-ldm-Fix-resource-leak.patch b/backport-disk-ldm-Fix-resource-leak.patch
index e5b7c16e0db2e2b8d40731f728584a01e8ad84cb..1739577642349d5de2d4d30955d1decdaa404aa9 100644
--- a/backport-disk-ldm-Fix-resource-leak.patch
+++ b/backport-disk-ldm-Fix-resource-leak.patch
@@ -1,38 +1,38 @@ -From 971dd6599d838ed21f38f7261c7bdda59f9bbdae Mon Sep 17 00:00:00 2001 -From: Alec Brown -Date: Wed, 10 Nov 2021 15:49:29 -0500 -Subject: disk/ldm: Fix resource leak - -Commit 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from -make_vg()) fixed several spots in make_vg() where comp data was leaking memory -when an error was being handled but missed one. To avoid leaking memory, comp -should be freed when an error is being handled after comp has been successfully -allocated memory in the for loop. - -Fixes: 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from make_vg()) -Fixes: CID 73804 - -Conflict: NA -Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=971dd6599d838ed21f38f7261c7bdda59f9bbdae - -Signed-off-by: Alec Brown -Reviewed-by: Daniel Kiper ---- - grub-core/disk/ldm.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c -index 4577a51..337abf7 100644 ---- a/grub-core/disk/ldm.c -+++ b/grub-core/disk/ldm.c -@@ -487,6 +487,7 @@ make_vg (grub_disk_t disk, - ptr = vblk[i].dynamic; - if (ptr + *ptr + 1 >= vblk[i].dynamic + sizeof (vblk[i].dynamic)) - { -+ grub_free (comp); - goto fail2; - } - comp->internal_id = grub_malloc ((grub_size_t) ptr[0] + 2); --- -cgit v1.1 - +From 971dd6599d838ed21f38f7261c7bdda59f9bbdae Mon Sep 17 00:00:00 2001 +From: Alec Brown +Date: Wed, 10 Nov 2021 15:49:29 -0500 +Subject: disk/ldm: Fix resource leak + +Commit 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from +make_vg()) fixed several spots in make_vg() where comp data was leaking memory +when an error was being handled but missed one. To avoid leaking memory, comp +should be freed when an error is being handled after comp has been successfully +allocated memory in the for loop. 
+ +Fixes: 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from make_vg()) +Fixes: CID 73804 + +Conflict: NA +Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=971dd6599d838ed21f38f7261c7bdda59f9bbdae + +Signed-off-by: Alec Brown +Reviewed-by: Daniel Kiper +--- + grub-core/disk/ldm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c +index 4577a51..337abf7 100644 +--- a/grub-core/disk/ldm.c ++++ b/grub-core/disk/ldm.c +@@ -487,6 +487,7 @@ make_vg (grub_disk_t disk, + ptr = vblk[i].dynamic; + if (ptr + *ptr + 1 >= vblk[i].dynamic + sizeof (vblk[i].dynamic)) + { ++ grub_free (comp); + goto fail2; + } + comp->internal_id = grub_malloc ((grub_size_t) ptr[0] + 2); +-- +cgit v1.1 + diff --git a/backport-font-Assign-null_font-to-unknown_glyph.patch b/backport-font-Assign-null_font-to-unknown_glyph.patch new file mode 100644 index 0000000000000000000000000000000000000000..610ed22fa1f5b992310d5c209be79582cd388081 --- /dev/null +++ b/backport-font-Assign-null_font-to-unknown_glyph.patch 
@@ -0,0 +1,33 @@ +From f6806966478c601a96e1f3e0e5e85cf5036555c0 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 5 Dec 2022 19:29:37 +0800 +Subject: font: Assign null_font to unknown_glyph + +Like glyphs in ascii_font_glyph[], assign null_font to +unknown_glyph->font in order to prevent grub_font_get_*() from +dereferencing NULL pointer. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=f6806966478c601a96e1f3e0e5e85cf5036555c0 +Conflict:NA + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +--- + grub-core/font/font.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 19a47f8..674043d 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -177,6 +177,7 @@ grub_font_loader_init (void) + unknown_glyph->offset_x = 0; + unknown_glyph->offset_y = -3; + unknown_glyph->device_width = 8; ++ unknown_glyph->font = &null_font; + grub_memcpy (unknown_glyph->bitmap, + unknown_glyph_bitmap, sizeof (unknown_glyph_bitmap)); + +-- +cgit v1.1 + diff --git a/backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch b/backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch new file mode 100644 index 0000000000000000000000000000000000000000..e733daa5d0c2f61e8e7f0065f1340956b6a99a83 --- /dev/null +++ b/backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch 
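Review bot: The `index 19a47f8..674043d` header in this hunk says the patch applies on top of backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch (`index 3821937..19a47f8`), and backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch (`index 674043d..24adcb3`) in turn applies on top of this one, so the required order is Check → Assign → Reject, which is not the order the three filenames sort into. The same holds for the iso9660 series, whose index chain is Add-check-to-prevent-infinite-loop → Prevent-read-past-the-end-of-system-use-area → Avoid-reading-past-the-entry-boundary → Incorrect-check-for-entry-boundary → Prevent-skipping-CE-or-ST; the two middle patches use `GRUB_ISO9660_SUSP_HEADER_SZ`, which only Prevent-read-past-the-end defines. The spec or series file that applies these is not part of this diff, so confirm it numbers them by the index chain rather than by filename, otherwise the later patches fail to apply or apply only with fuzz. It is also worth recording that this patch is the companion of the Check-return-value one: falling back to `unknown_glyph` there is what makes `unknown_glyph->font` reachable from grub_font_get_*().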
@@ -0,0 +1,40 @@ +From d7ed2ebcd69df123fde8ae1ba9163e2b93c47bbf Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 5 Dec 2022 19:29:36 +0800 +Subject: font: Check return value of grub_malloc() in ascii_glyph_lookup() + +There is a problem in ascii_glyph_lookup(). It doesn't check the return +value of grub_malloc(). If memory can't be allocated, then NULL pointer +will be written to. + +This patch fixes the problem by fallbacking to unknown_glyph when +grub_malloc() returns NULL. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=d7ed2ebcd69df123fde8ae1ba9163e2b93c47bbf +Conflict:NA + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +--- + grub-core/font/font.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 3821937..19a47f8 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -131,6 +131,11 @@ ascii_glyph_lookup (grub_uint32_t code) + { + ascii_font_glyph[current] = + grub_malloc (sizeof (struct grub_font_glyph) + ASCII_BITMAP_SIZE); ++ if (ascii_font_glyph[current] == NULL) ++ { ++ ascii_font_glyph[current] = unknown_glyph; ++ continue; ++ } + + ascii_font_glyph[current]->width = 8; + ascii_font_glyph[current]->height = 16; +-- +cgit v1.1 + diff --git a/backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch b/backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch new file mode 100644 index 0000000000000000000000000000000000000000..b3bd71fb4be37c288c3bfd088f4931011f66fae1 --- /dev/null +++ b/backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch 
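Review bot: When grub_malloc() fails the slot is pointed at `unknown_glyph` and the loop continues, but grub_errno set by the failed allocation is left as it is; if callers of ascii_glyph_lookup() (outside the hunk) test grub_errno after a lookup, a glyph that was served successfully from the shared fallback will look like an error. Consider clearing it at the fallback, `grub_errno = GRUB_ERR_NONE;`, or documenting that the function may return with grub_errno set — the callers are not visible from here. A short comment on the fallback would also help the next reader: `/* Out of memory: serve the shared unknown_glyph for this slot instead of writing through NULL. */`. ascii_glyph_lookup() starts and ends outside the hunk.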
@@ -0,0 +1,36 @@ +From faca60df7686a9a3ad9693e8a7b2c6a3a823d133 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 5 Dec 2022 19:29:38 +0800 +Subject: font: Reject fonts with negative max_char_width or max_char_height + +If max_char_width or max_char_height are negative wrong values can be propagated +by grub_font_get_max_char_width() or grub_font_get_max_char_height(). Prevent +this from happening. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=faca60df7686a9a3ad9693e8a7b2c6a3a823d133 +Conflict:NA + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +--- + grub-core/font/font.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 674043d..24adcb3 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -644,8 +644,8 @@ grub_font_load (const char *filename) + font->max_char_width, font->max_char_height, font->num_chars); + #endif + +- if (font->max_char_width == 0 +- || font->max_char_height == 0 ++ if (font->max_char_width <= 0 ++ || font->max_char_height <= 0 + || font->num_chars == 0 + || font->char_index == 0 || font->ascent == 0 || font->descent == 0) + { +-- +cgit v1.1 + diff --git a/backport-fs-iso9660-Add-check-to-prevent-infinite-loop.patch b/backport-fs-iso9660-Add-check-to-prevent-infinite-loop.patch new file mode 100644 index 0000000000000000000000000000000000000000..e7715501b42654f70d92ccd9e0eb1a9493636470 --- /dev/null +++ b/backport-fs-iso9660-Add-check-to-prevent-infinite-loop.patch 
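Review bot: `font->ascent` and `font->descent` on the same condition are still rejected only when exactly 0, while `max_char_width`/`max_char_height` now reject negatives too; if those fields share the signed type (the struct is outside the hunk), a negative ascent or descent reaches grub_font_get_ascent()/grub_font_get_descent() in the same way the commit message describes for width and height. If that is the case, `|| font->ascent <= 0 || font->descent <= 0` closes the gap; if descent is legitimately signed here, a one-line comment on the check saying so would save the next reader the question. grub_font_load() starts and ends outside the hunk.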
@@ -0,0 +1,65 @@ +From 4e0bab34ece7b757a1b96be59ba54a009a5cc354 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 20 Jan 2023 19:39:38 +0000 +Subject: fs/iso9660: Add check to prevent infinite loop + +There is no check for the end of block when reading +directory extents. It resulted in read_node() always +read from the same offset in the while loop, thus +caused infinite loop. The fix added a check for the +end of the block and ensure the read is within directory +boundary. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4e0bab34ece7b757a1b96be59ba54a009a5cc354 +Conflict:NA + +Signed-off-by: Lidong Chen +Reviewed-by: Thomas Schmitt +Reviewed-by: Daniel Kiper +--- + grub-core/fs/iso9660.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index df9f778..24d84a5 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -801,6 +801,16 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, + while (dirent.flags & FLAG_MORE_EXTENTS) + { + offset += dirent.len; ++ ++ /* offset should within the dir's len. */ ++ if (offset > len) ++ { ++ if (ctx.filename_alloc) ++ grub_free (ctx.filename); ++ grub_free (node); ++ return 0; ++ } ++ + if (read_node (dir, offset, sizeof (dirent), (char *) &dirent)) + { + if (ctx.filename_alloc) +@@ -808,6 +818,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, + grub_free (node); + return 0; + } ++ ++ /* ++ * It is either the end of block or zero-padded sector, ++ * skip to the next block. ++ */ ++ if (!dirent.len) ++ { ++ offset = (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ; ++ dirent.flags |= FLAG_MORE_EXTENTS; ++ continue; ++ } ++ + if (node->have_dirents >= node->alloc_dirents) + { + struct grub_fshelp_node *new_node; +-- +cgit v1.1 + 
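Review bot: The cleanup sequence `if (ctx.filename_alloc) grub_free (ctx.filename); grub_free (node); return 0;` now appears twice within the hunk (the new `offset > len` exit and the existing read_node() failure exit), which is the pattern that drifts when one copy later gains a resource to release; a single `fail:` label at the end of grub_iso9660_iterate_dir (which starts and ends outside the hunk) would keep the exits in one place. The comment on the new check is missing a word: `/* offset must stay within the directory's length. */`. The block-skip branch terminates only through `offset += dirent.len` at the loop head followed by the `offset > len` test, which is worth stating in its comment, e.g. `/* Continue at the next block; the offset > len test above ends the walk if this was the last one. */`.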
diff --git a/backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch b/backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch
new file mode 100644
index 0000000000000000000000000000000000000000..682d7acf09ea0f318c5949e6fccf631ed52da6df
--- /dev/null
+++ b/backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch
@@ -0,0 +1,54 @@ +From c44b1428c4c7d2bb01359fd885720af87e10b1b2 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 20 Jan 2023 19:39:40 +0000 +Subject: fs/iso9660: Avoid reading past the entry boundary + +Added a check for the SP entry data boundary before reading it. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=c44b1428c4c7d2bb01359fd885720af87e10b1b2 +Conflict:NA + +Signed-off-by: Lidong Chen +Reviewed-by: Thomas Schmitt +Reviewed-by: Daniel Kiper +--- + grub-core/fs/iso9660.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index 230048a..ecf6bbe 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -415,6 +415,9 @@ set_rockridge (struct grub_iso9660_data *data) + if (!sua_size) + return GRUB_ERR_NONE; + ++ if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ) ++ return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size"); ++ + sua = grub_malloc (sua_size); + if (! sua) + return grub_errno; +@@ -441,8 +444,17 @@ set_rockridge (struct grub_iso9660_data *data) + rootnode.have_symlink = 0; + rootnode.dirents[0] = data->voldesc.rootdir; + +- /* The 2nd data byte stored how many bytes are skipped every time +- to get to the SUA (System Usage Area). */ ++ /* The size of SP (version 1) is fixed to 7. */ ++ if (sua_size < 7 || entry->len < 7) ++ { ++ grub_free (sua); ++ return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry"); ++ } ++ ++ /* ++ * The 2nd data byte stored how many bytes are skipped every time ++ * to get to the SUA (System Usage Area). ++ */ + data->susp_skip = entry->data[2]; + entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len); + +-- +cgit v1.1 + diff --git a/backport-fs-iso9660-Incorrect-check-for-entry-boundary.patch b/backport-fs-iso9660-Incorrect-check-for-entry-boundary.patch new file mode 100644 index 0000000000000000000000000000000000000000..ec0d5da42258839d1f8d31fb9238ea5aff8048cc 
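Review bot: The SP size check `if (sua_size < 7 || entry->len < 7)` hard-codes 7 while the series otherwise names `GRUB_ISO9660_SUSP_HEADER_SZ`; since an SP record is the 4-byte SUSP header plus the two check bytes and the skip byte that `entry->data[2]` reads, writing the bound as `GRUB_ISO9660_SUSP_HEADER_SZ + 3` (or a named constant for the SP entry size) ties it to the header size it depends on and makes the comment `/* The size of SP (version 1) is fixed to 7. */` verifiable against the code. The `sua_size < 7` half is reached only after the earlier `sua_size < GRUB_ISO9660_SUSP_HEADER_SZ` guard and the read into `sua`, so a one-line comment saying the second check covers the SP body rather than the header would spare the reader the question of why there are two. set_rockridge() starts and ends outside the hunk.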
--- /dev/null
+++ b/backport-fs-iso9660-Incorrect-check-for-entry-boundary.patch
@@ -0,0 +1,53 @@ +From 77f657dc9e67a1fd6b1941609a4ed798e99bcae2 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 20 Jan 2023 19:39:41 +0000 +Subject: fs/iso9660: Incorrect check for entry boundary + +An SL entry consists of the entry info and the component area. +The entry info should take up 5 bytes instead of sizeof(*entry). +The area after the first 5 bytes is the component area. It is +incorrect to use the sizeof(*entry) to check the entry boundary. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=77f657dc9e67a1fd6b1941609a4ed798e99bcae2 +Conflict:NA + +Signed-off-by: Lidong Chen +Reviewed-by: Thomas Schmitt +Reviewed-by: Daniel Kiper +--- + grub-core/fs/iso9660.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index ecf6bbe..64ea3d4 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -669,10 +669,23 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, + else if (grub_strncmp ("SL", (char *) entry->sig, 2) == 0) + { + unsigned int pos = 1; ++ unsigned int csize; + +- /* The symlink is not stored as a POSIX symlink, translate it. */ +- while (pos + sizeof (*entry) < entry->len) ++ /* The symlink is not stored as a POSIX symlink, translate it. */ ++ while ((pos + GRUB_ISO9660_SUSP_HEADER_SZ + 1) < entry->len) + { ++ /* ++ * entry->len is GRUB_ISO9660_SUSP_HEADER_SZ + 1 (the FLAGS) + ++ * length of the "Component Area". The length of a component ++ * record is 2 (pos and pos + 1) plus the "Component Content", ++ * of which starts at pos + 2. entry->data[pos] is the ++ * "Component Flags"; entry->data[pos + 1] is the length ++ * of the component. ++ */ ++ csize = entry->data[pos + 1] + 2; ++ if (GRUB_ISO9660_SUSP_HEADER_SZ + 1 + csize > entry->len) ++ break; ++ + /* The current position is the `Component Flag'. */ + switch (entry->data[pos] & 30) + { +-- +cgit v1.1 + 
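Review bot: The new bound `if (GRUB_ISO9660_SUSP_HEADER_SZ + 1 + csize > entry->len)` measures the component record from the start of the component area rather than from `pos`; by the hunk's own comment the record consumed next starts at `entry->data[pos]` and ends at `entry->data[pos + csize]`, i.e. at offset `GRUB_ISO9660_SUSP_HEADER_SZ + pos + csize` from the entry start, so for any component after the first (pos > 1, assuming `pos` is advanced per component further down, outside the hunk) the check under-counts by `pos - 1` and a component whose length exceeds the remaining bytes still passes. The check that matches the comment is `if (GRUB_ISO9660_SUSP_HEADER_SZ + pos + csize > entry->len)`. The literal `1` in the current expression is simply the initial value of `pos`, which is why the first iteration is correct either way. susp_iterate_dir() starts and ends outside the hunk.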
diff --git a/backport-fs-iso9660-Prevent-read-past-the-end-of-system-use-area.patch b/backport-fs-iso9660-Prevent-read-past-the-end-of-system-use-area.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8cd79b061dfec53be3fb9b63b3ba011127203363
--- /dev/null
+++ b/backport-fs-iso9660-Prevent-read-past-the-end-of-system-use-area.patch
@@ -0,0 +1,95 @@ +From 8f41d35fcecb65746b60aaa99936cbbdf5fb27ba Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Wed, 1 Feb 2023 17:08:44 +0100 +Subject: fs/iso9660: Prevent read past the end of system use area + +In the code, the for loop advanced the entry pointer to the next entry before +checking if the next entry is within the system use area boundary. Another +issue in the code was that there is no check for the size of system use area. +For a corrupted system, the size of system use area can be less than the size +of minimum SUSP entry size (4 bytes). These can cause buffer overrun. The fixes +added the checks to ensure the read is valid and within the boundary. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=8f41d35fcecb65746b60aaa99936cbbdf5fb27ba +Conflict:NA + +Signed-off-by: Lidong Chen +Reviewed-by: Thomas Schmitt +Reviewed-by: Daniel Kiper +--- + grub-core/fs/iso9660.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index 24d84a5..230048a 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -49,6 +49,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); + #define GRUB_ISO9660_VOLDESC_PART 3 + #define GRUB_ISO9660_VOLDESC_END 255 + ++#define GRUB_ISO9660_SUSP_HEADER_SZ 4 ++ + /* The head of a volume descriptor. 
*/ + struct grub_iso9660_voldesc + { +@@ -272,6 +274,9 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off, + if (sua_size <= 0) + return GRUB_ERR_NONE; + ++ if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ) ++ return grub_error (GRUB_ERR_BAD_FS, "invalid susp entry size"); ++ + sua = grub_malloc (sua_size); + if (!sua) + return grub_errno; +@@ -284,10 +289,14 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off, + return err; + } + +- for (entry = (struct grub_iso9660_susp_entry *) sua; (char *) entry < (char *) sua + sua_size - 1 && entry->len > 0; +- entry = (struct grub_iso9660_susp_entry *) +- ((char *) entry + entry->len)) ++ entry = (struct grub_iso9660_susp_entry *) sua; ++ ++ while (entry->len > 0) + { ++ /* Ensure the entry is within System Use Area. */ ++ if ((char *) entry + entry->len > (sua + sua_size)) ++ break; ++ + /* The last entry. */ + if (grub_strncmp ((char *) entry->sig, "ST", 2) == 0) + break; +@@ -303,6 +312,16 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off, + off = grub_le_to_cpu32 (ce->off); + ce_block = grub_le_to_cpu32 (ce->blk) << GRUB_ISO9660_LOG2_BLKSZ; + ++ if (sua_size <= 0) ++ break; ++ ++ if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ) ++ { ++ grub_free (sua); ++ return grub_error (GRUB_ERR_BAD_FS, ++ "invalid continuation area in CE entry"); ++ } ++ + grub_free (sua); + sua = grub_malloc (sua_size); + if (!sua) +@@ -325,6 +344,11 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off, + grub_free (sua); + return 0; + } ++ ++ entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len); ++ ++ if (((sua + sua_size) - (char *) entry) < GRUB_ISO9660_SUSP_HEADER_SZ) ++ break; + } + + grub_free (sua); +-- +cgit v1.1 + 
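Review bot: In the CE branch a continuation area of size 0 ends the iteration silently (`if (sua_size <= 0) break;`) while one of 1–3 bytes is reported as GRUB_ERR_BAD_FS, mirroring the two checks at function entry, but nothing says why an empty area is acceptable and a short one is not; a comment on the `break` would keep a later reader from "fixing" it, e.g. `/* A CE pointing at an empty area just ends the chain; a non-empty area too small for a SUSP header is corruption. */`. The head check `(char *) entry + entry->len > (sua + sua_size)` and the tail check `((sua + sua_size) - (char *) entry) < GRUB_ISO9660_SUSP_HEADER_SZ` together are what make the `entry->len` read in the `while` condition safe, and that is worth one comment above the loop rather than leaving the reader to reconstruct it. grub_iso9660_susp_iterate() starts and ends outside the hunk.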
diff --git a/backport-fs-iso9660-Prevent-skipping-CE-or-ST-at-start-of-continuation-area.patch b/backport-fs-iso9660-Prevent-skipping-CE-or-ST-at-start-of-continuation-area.patch
new file mode 100644
index 0000000000000000000000000000000000000000..25f31c3ee5e5e63ef9065dcb2a0692d377980dc0
--- /dev/null
+++ b/backport-fs-iso9660-Prevent-skipping-CE-or-ST-at-start-of-continuation-area.patch
@@ -0,0 +1,73 @@ +From 2a96eab759aff74c2a214da66eefeb1e770c0820 Mon Sep 17 00:00:00 2001 +From: Thomas Schmitt +Date: Wed, 1 Feb 2023 17:28:49 +0100 +Subject: fs/iso9660: Prevent skipping CE or ST at start of continuation area + +If processing of a SUSP CE entry leads to a continuation area which +begins by entry CE or ST, then these entries were skipped without +interpretation. In case of CE this would lead to premature end of +processing the SUSP entries of the file. In case of ST this could +cause following non-SUSP bytes to be interpreted as SUSP entries. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=2a96eab759aff74c2a214da66eefeb1e770c0820 +Conflict:NA + +Signed-off-by: Thomas Schmitt +Tested-by: Lidong Chen +Reviewed-by: Thomas Schmitt +Reviewed-by: Daniel Kiper +--- + grub-core/fs/iso9660.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index 64ea3d4..acccf5f 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -50,6 +50,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); + #define GRUB_ISO9660_VOLDESC_END 255 + + #define GRUB_ISO9660_SUSP_HEADER_SZ 4 ++#define GRUB_ISO9660_MAX_CE_HOPS 100000 + + /* The head of a volume descriptor. 
*/ + struct grub_iso9660_voldesc +@@ -270,6 +271,7 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off, + char *sua; + struct grub_iso9660_susp_entry *entry; + grub_err_t err; ++ int ce_counter = 0; + + if (sua_size <= 0) + return GRUB_ERR_NONE; +@@ -307,6 +309,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off, + struct grub_iso9660_susp_ce *ce; + grub_disk_addr_t ce_block; + ++ if (++ce_counter > GRUB_ISO9660_MAX_CE_HOPS) ++ { ++ grub_free (sua); ++ return grub_error (GRUB_ERR_BAD_FS, ++ "suspecting endless CE loop"); ++ } ++ + ce = (struct grub_iso9660_susp_ce *) entry; + sua_size = grub_le_to_cpu32 (ce->len); + off = grub_le_to_cpu32 (ce->off); +@@ -337,6 +346,13 @@ grub_iso9660_susp_iterate (grub_fshelp_node_t node, grub_off_t off, + } + + entry = (struct grub_iso9660_susp_entry *) sua; ++ /* ++ * The hook function will not process CE or ST. ++ * Advancing to the next entry would skip them. ++ */ ++ if (grub_strncmp ((char *) entry->sig, "CE", 2) == 0 ++ || grub_strncmp ((char *) entry->sig, "ST", 2) == 0) ++ continue; + } + + if (hook (entry, hook_arg)) +-- +cgit v1.1 + diff --git a/backport-gentpl_py-Remove-interp-section-from-img-files.patch b/backport-gentpl_py-Remove-interp-section-from-img-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..833bbbee5272a39d6a61bac83223f59ba9725d04 --- /dev/null +++ b/backport-gentpl_py-Remove-interp-section-from-img-files.patch 
@@ -0,0 +1,35 @@ +From b58aa4e2095943303126fff706d73f18f7caab35 Mon Sep 17 00:00:00 2001 +From: Nicholas Vinson +Date: Fri, 13 Jan 2023 02:56:35 -0500 +Subject: gentpl.py: Remove .interp section from .img files + +When building .img files, a .interp section from the .image files will +sometimes be copied into the .img file. This additional section pushes +the .img file beyond the 512-byte limit and causes grub-install to fail +to run for i386-pc platforms. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=b58aa4e2095943303126fff706d73f18f7caab35 +Conflict:NA + +Signed-off-by: Nicholas Vinson +Reviewed-by: Daniel Kiper +--- + gentpl.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gentpl.py b/gentpl.py +index 32cf745..d72c42a 100644 +--- a/gentpl.py ++++ b/gentpl.py +@@ -779,7 +779,7 @@ def image(defn, platform): + if test x$(TARGET_APPLE_LINKER) = x1; then \ + $(MACHO2IMG) $< $@; \ + else \ +- $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .ARM.exidx -R .note.gnu.property $< $@; \ ++ $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .ARM.exidx -R .note.gnu.property -R .interp $< $@; \ + fi + """) + +-- +2.19.1 + diff --git a/backport-io-gzio-Fix-possible-use-of-uninitialized-variable-in-huft_build.patch b/backport-io-gzio-Fix-possible-use-of-uninitialized-variable-in-huft_build.patch index c3a8e5680d3f8a24dedcbbba8cd456a119e844a9..4060a18b9c46bc5e38d77ee5a5551c7ab17e10f3 100644 --- a/backport-io-gzio-Fix-possible-use-of-uninitialized-variable-in-huft_build.patch +++ b/backport-io-gzio-Fix-possible-use-of-uninitialized-variable-in-huft_build.patch 
@@ -1,35 +1,35 @@ -From 29d44a236a5e939b8ff24e6c31141d5b1e48f693 Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Tue, 26 Oct 2021 15:02:40 +0000 -Subject: io/gzio: Fix possible use of uninitialized variable in huft_build() - -In huft_build() it is possible to reach the for loop where "r" is being -assigned to "q[j]" without "r.v" ever being initialized. - -Fixes: CID 314024 - -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper - -Conflict: NA -Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=29d44a236a5e939b8ff24e6c31141d5b1e48f693 - ---- - grub-core/io/gzio.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c -index aea86a0..10156e5 100644 ---- a/grub-core/io/gzio.c -+++ b/grub-core/io/gzio.c -@@ -447,7 +447,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */ - int l; /* bits per table (returned in m) */ - register unsigned *p; /* pointer into c[], b[], or v[] */ - register struct huft *q; /* points to current table */ -- struct huft r; /* table entry for structure assignment */ -+ struct huft r = {0}; /* table entry for structure assignment */ - struct huft *u[BMAX]; /* table stack */ - unsigned v[N_MAX]; /* values in order of bit length */ - register int w; /* bits before this table == (l * h) */ --- -cgit v1.1 +From 29d44a236a5e939b8ff24e6c31141d5b1e48f693 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 26 Oct 2021 15:02:40 +0000 +Subject: io/gzio: Fix possible use of uninitialized variable in huft_build() + +In huft_build() it is possible to reach the for loop where "r" is being +assigned to "q[j]" without "r.v" ever being initialized. 
+ +Fixes: CID 314024 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper + +Conflict: NA +Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=29d44a236a5e939b8ff24e6c31141d5b1e48f693 + +--- + grub-core/io/gzio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c +index aea86a0..10156e5 100644 +--- a/grub-core/io/gzio.c ++++ b/grub-core/io/gzio.c +@@ -447,7 +447,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */ + int l; /* bits per table (returned in m) */ + register unsigned *p; /* pointer into c[], b[], or v[] */ + register struct huft *q; /* points to current table */ +- struct huft r; /* table entry for structure assignment */ ++ struct huft r = {0}; /* table entry for structure assignment */ + struct huft *u[BMAX]; /* table stack */ + unsigned v[N_MAX]; /* values in order of bit length */ + register int w; /* bits before this table == (l * h) */ +-- +cgit v1.1 diff --git a/backport-kern-fs-Fix-possible-integer-overflow-in-i386-pc-mode-with-large.patch b/backport-kern-fs-Fix-possible-integer-overflow-in-i386-pc-mode-with-large.patch new file mode 100644 index 0000000000000000000000000000000000000000..4f2e79367e591e403eb56cfe81cfbc1c3d581975 --- /dev/null +++ b/backport-kern-fs-Fix-possible-integer-overflow-in-i386-pc-mode-with-large.patch 
@@ -0,0 +1,37 @@ +From 1a241e050652472efa62b2b36ad2fa7f82427b83 Mon Sep 17 00:00:00 2001 +From: Maxim Fomin +Date: Wed, 28 Dec 2022 17:40:06 +0000 +Subject: kern/fs: Fix possible integer overflow in i386-pc mode with large + partitions + +The i386-pc mode supports MBR partition scheme where maximum partition +size is 2 TiB. In case of large partitions left shift expression with +unsigned long int "length" object may cause integer overflow making +calculated partition size less than true value. This issue is fixed by +increasing the size of "length" integer type. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=1a241e050652472efa62b2b36ad2fa7f82427b83 +Conflict:NA + +Signed-off-by: Maxim Fomin +Reviewed-by: Daniel Kiper +--- + grub-core/kern/fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c +index b950829..7ad0aaf 100644 +--- a/grub-core/kern/fs.c ++++ b/grub-core/kern/fs.c +@@ -130,7 +130,7 @@ grub_fs_probe (grub_device_t device) + struct grub_fs_block + { + grub_disk_addr_t offset; +- unsigned long length; ++ grub_disk_addr_t length; + }; + + static grub_err_t +-- +cgit v1.1 + diff --git a/backport-net-bootp-Fix-unchecked-return-value.patch b/backport-net-bootp-Fix-unchecked-return-value.patch new file mode 100644 index 0000000000000000000000000000000000000000..96c111d29ddaf553e3c0f872abaf03c1f6ac9e23 --- /dev/null +++ b/backport-net-bootp-Fix-unchecked-return-value.patch 
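Review bot: Widening `length` to grub_disk_addr_t only removes the overflow the commit message describes if the left-shift expression that produces it (outside the hunk, elsewhere in grub-core/kern/fs.c) is itself evaluated in the wider type; if the shifted operand is still an `unsigned long` or narrower value the overflow happens before the assignment and merely lands in a bigger field. Worth confirming that site, and that any format specifier printing `length` was adjusted to the new type. A comment on the field, `/* grub_disk_addr_t: partition sizes up to 2 TiB overflow a 32-bit unsigned long when shifted to bytes. */`, would record why the type differs from the obvious one.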
@@ -0,0 +1,37 @@ +From 4f7d77d7e0740c1b0d69c7a658b5c4986eda0093 Mon Sep 17 00:00:00 2001 +From: Alec Brown +Date: Fri, 3 Feb 2023 17:18:14 -0500 +Subject: net/bootp: Fix unchecked return value + +In the function send_dhcp_packet(), added an error check for the return +value of grub_netbuff_push(). + +Fixes: CID 404614 + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=4f7d77d7e0740c1b0d69c7a658b5c4986eda0093 +Conflict:NA + +Signed-off-by: Alec Brown +Reviewed-by: Daniel Kiper +--- + grub-core/net/bootp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c +index 2e3c86e..6b07a4a 100644 +--- a/grub-core/net/bootp.c ++++ b/grub-core/net/bootp.c +@@ -727,7 +727,9 @@ send_dhcp_packet (struct grub_net_network_level_interface *iface) + + grub_memcpy (&pack->mac_addr, &iface->hwaddress.mac, pack->hw_len); + +- grub_netbuff_push (nb, sizeof (*udph)); ++ err = grub_netbuff_push (nb, sizeof (*udph)); ++ if (err) ++ goto out; + + udph = (struct udphdr *) nb->data; + udph->src = grub_cpu_to_be16_compile_time (68); +-- +2.19.1 + diff --git a/backport-osdep-linux-Fix-md-array-device-enumeration.patch b/backport-osdep-linux-Fix-md-array-device-enumeration.patch index 3542a54d9666dbca4642948c1c3f8ef3f25200a7..c833cb5826535fb3ca9edbb530ff621d21b50251 100644 --- a/backport-osdep-linux-Fix-md-array-device-enumeration.patch +++ b/backport-osdep-linux-Fix-md-array-device-enumeration.patch 
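Review bot: The new `goto out` relies on `err` being declared and on an `out:` label that releases `nb`, both outside the hunk; if `out` only returns, the netbuff allocated earlier in send_dhcp_packet() leaks on this new path, so confirm the label frees it (`grub_netbuff_free (nb)`) — it is not visible from here. The Coverity id covers this one call only; if the function has other grub_netbuff_push()/grub_netbuff_put() calls whose return is ignored, checking them the same way while here is cheap.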
@@ -1,91 +1,91 @@ -From c39f27cd678d61e8e84c1386695a33575c9ded44 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Thu, 7 Oct 2021 16:33:16 -0700 -Subject: osdep/linux: Fix md array device enumeration - -GET_ARRAY_INFO's info.nr_disks does not map to GET_DISK_INFO's -disk.number, which is an internal kernel index. If an array has had drives -added, removed, etc., there may be gaps in GET_DISK_INFO's results. But -since the consumer of devicelist cannot tolerate gaps (it expects to walk -a NULL-terminated list of device name strings), the devicelist index (j) -must be tracked separately from the disk.number index (i). - -As part of this, since GRUB wants to only examine active (i.e. present -and non-failed) disks, the count of remaining disks (remaining) must be -tracked separately from the devicelist index (j). - -Additionally, drop a line with empty spaces only. - -Fixes: 49de079bbe1c (... (grub_util_raid_getmembers): Handle "removed" disks) -Fixes: 2b00217369ac (... Added support for RAID and LVM) -Fixes: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1912043 -Fixes: https://savannah.gnu.org/bugs/index.php?59887 - -Signed-off-by: Kees Cook -Reviewed-by: Petr Vorel -Reviewed-by: Daniel Kiper - -Conflict: NA -Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=c39f27cd678d61e8e84c1386695a33575c9ded44 - ---- - grub-core/osdep/linux/getroot.c | 24 +++++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) - -diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c -index cd58858..df422c6 100644 ---- a/grub-core/osdep/linux/getroot.c -+++ b/grub-core/osdep/linux/getroot.c -@@ -130,10 +130,20 @@ struct mountinfo_entry - char fstype[ESCAPED_PATH_MAX + 1], device[ESCAPED_PATH_MAX + 1]; - }; - -+/* -+ * GET_DISK_INFO nr_disks (total count) does not map to disk.number, -+ * which is an internal kernel index. Instead, do what mdadm does -+ * and keep scanning until we find enough valid disks. 
The limit is -+ * copied from there, which notes that it is sufficiently high given -+ * that the on-disk metadata for v1.x can only support 1920. -+ */ -+#define MD_MAX_DISKS 4096 -+ - static char ** - grub_util_raid_getmembers (const char *name, int bootable) - { - int fd, ret, i, j; -+ int remaining; - char **devicelist; - mdu_version_t version; - mdu_array_info_t info; -@@ -165,22 +175,22 @@ grub_util_raid_getmembers (const char *name, int bootable) - - devicelist = xcalloc (info.nr_disks + 1, sizeof (char *)); - -- for (i = 0, j = 0; j < info.nr_disks; i++) -+ remaining = info.nr_disks; -+ for (i = 0, j = 0; i < MD_MAX_DISKS && remaining > 0; i++) - { - disk.number = i; - ret = ioctl (fd, GET_DISK_INFO, &disk); - if (ret != 0) - grub_util_error (_("ioctl GET_DISK_INFO error: %s"), strerror (errno)); -- -+ -+ /* Skip: MD_DISK_REMOVED slots don't contribute to "remaining" count. */ - if (disk.state & (1 << MD_DISK_REMOVED)) - continue; -+ remaining--; - -+ /* Only record disks that are actively participating in the array. */ - if (disk.state & (1 << MD_DISK_ACTIVE)) -- devicelist[j] = grub_find_device (NULL, -- makedev (disk.major, disk.minor)); -- else -- devicelist[j] = NULL; -- j++; -+ devicelist[j++] = grub_find_device (NULL, makedev (disk.major, disk.minor)); - } - - devicelist[j] = NULL; --- -cgit v1.1 +From c39f27cd678d61e8e84c1386695a33575c9ded44 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 7 Oct 2021 16:33:16 -0700 +Subject: osdep/linux: Fix md array device enumeration + +GET_ARRAY_INFO's info.nr_disks does not map to GET_DISK_INFO's +disk.number, which is an internal kernel index. If an array has had drives +added, removed, etc., there may be gaps in GET_DISK_INFO's results. But +since the consumer of devicelist cannot tolerate gaps (it expects to walk +a NULL-terminated list of device name strings), the devicelist index (j) +must be tracked separately from the disk.number index (i). 
+ +As part of this, since GRUB wants to only examine active (i.e. present +and non-failed) disks, the count of remaining disks (remaining) must be +tracked separately from the devicelist index (j). + +Additionally, drop a line with empty spaces only. + +Fixes: 49de079bbe1c (... (grub_util_raid_getmembers): Handle "removed" disks) +Fixes: 2b00217369ac (... Added support for RAID and LVM) +Fixes: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1912043 +Fixes: https://savannah.gnu.org/bugs/index.php?59887 + +Signed-off-by: Kees Cook +Reviewed-by: Petr Vorel +Reviewed-by: Daniel Kiper + +Conflict: NA +Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=c39f27cd678d61e8e84c1386695a33575c9ded44 + +--- + grub-core/osdep/linux/getroot.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c +index cd58858..df422c6 100644 +--- a/grub-core/osdep/linux/getroot.c ++++ b/grub-core/osdep/linux/getroot.c +@@ -130,10 +130,20 @@ struct mountinfo_entry + char fstype[ESCAPED_PATH_MAX + 1], device[ESCAPED_PATH_MAX + 1]; + }; + ++/* ++ * GET_DISK_INFO nr_disks (total count) does not map to disk.number, ++ * which is an internal kernel index. Instead, do what mdadm does ++ * and keep scanning until we find enough valid disks. The limit is ++ * copied from there, which notes that it is sufficiently high given ++ * that the on-disk metadata for v1.x can only support 1920. 
++ */ ++#define MD_MAX_DISKS 4096 ++ + static char ** + grub_util_raid_getmembers (const char *name, int bootable) + { + int fd, ret, i, j; ++ int remaining; + char **devicelist; + mdu_version_t version; + mdu_array_info_t info; +@@ -165,22 +175,22 @@ grub_util_raid_getmembers (const char *name, int bootable) + + devicelist = xcalloc (info.nr_disks + 1, sizeof (char *)); + +- for (i = 0, j = 0; j < info.nr_disks; i++) ++ remaining = info.nr_disks; ++ for (i = 0, j = 0; i < MD_MAX_DISKS && remaining > 0; i++) + { + disk.number = i; + ret = ioctl (fd, GET_DISK_INFO, &disk); + if (ret != 0) + grub_util_error (_("ioctl GET_DISK_INFO error: %s"), strerror (errno)); +- ++ ++ /* Skip: MD_DISK_REMOVED slots don't contribute to "remaining" count. */ + if (disk.state & (1 << MD_DISK_REMOVED)) + continue; ++ remaining--; + ++ /* Only record disks that are actively participating in the array. */ + if (disk.state & (1 << MD_DISK_ACTIVE)) +- devicelist[j] = grub_find_device (NULL, +- makedev (disk.major, disk.minor)); +- else +- devicelist[j] = NULL; +- j++; ++ devicelist[j++] = grub_find_device (NULL, makedev (disk.major, disk.minor)); + } + + devicelist[j] = NULL; +-- +cgit v1.1 diff --git a/backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch b/backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch new file mode 100644 index 0000000000000000000000000000000000000000..a849bf2841d61310983ec005353745f6bc2da6f4 --- /dev/null +++ b/backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch 
@@ -0,0 +1,75 @@ +From f7564844f82b57078d601befadc438b5bc1fa01b Mon Sep 17 00:00:00 2001 +From: Mukesh Kumar Chaurasiya +Date: Thu, 9 Feb 2023 13:09:16 +0530 +Subject: osdep/linux/hostdisk: Modify sector by sysfs as disk sector + +The disk sector size provided by sysfs file system considers the sector +size of 512 irrespective of disk sector size, thus causing the read by +the GRUB to an incorrect offset from what was originally intended. + +Considering the 512 sector size of sysfs data the actual sector needs to +be modified corresponding to disk sector size. + +Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=f7564844f82b57078d601befadc438b5bc1fa01b +Conflict:NA + +Signed-off-by: Mukesh Kumar Chaurasiya +Reviewed-by: Daniel Kiper +--- + grub-core/osdep/linux/hostdisk.c | 7 ++++--- + include/grub/disk.h | 7 +++++++ + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/grub-core/osdep/linux/hostdisk.c b/grub-core/osdep/linux/hostdisk.c +index 7bc99ac..a9ea0bb 100644 +--- a/grub-core/osdep/linux/hostdisk.c ++++ b/grub-core/osdep/linux/hostdisk.c +@@ -240,7 +240,8 @@ have_devfs (void) + #pragma GCC diagnostic ignored "-Wformat-nonliteral" + + static int +-grub_hostdisk_linux_find_partition (char *dev, grub_disk_addr_t sector) ++grub_hostdisk_linux_find_partition (const grub_disk_t disk, char *dev, ++ grub_disk_addr_t sector) + { + size_t len = strlen (dev); + const char *format; +@@ -305,7 +306,7 @@ grub_hostdisk_linux_find_partition (char *dev, grub_disk_addr_t sector) + if (fstat (fd, &st) < 0 + || !grub_util_device_is_mapped_stat (&st) + || !grub_util_get_dm_node_linear_info (st.st_rdev, 0, 0, &start)) +- start = grub_util_find_partition_start_os (real_dev); ++ start = grub_disk_to_native_sector (disk, grub_util_find_partition_start_os (real_dev)); + /* We don't care about errors here. 
*/ + grub_errno = GRUB_ERR_NONE; + +@@ -386,7 +387,7 @@ grub_util_fd_open_device (const grub_disk_t disk, grub_disk_addr_t sector, int f + && strncmp (dev, "/dev/", 5) == 0) + { + if (sector >= part_start) +- is_partition = grub_hostdisk_linux_find_partition (dev, part_start); ++ is_partition = grub_hostdisk_linux_find_partition (disk, dev, part_start); + else + *max = part_start - sector; + } +diff --git a/include/grub/disk.h b/include/grub/disk.h +index 316659f..4832fc7 100644 +--- a/include/grub/disk.h ++++ b/include/grub/disk.h +@@ -174,6 +174,13 @@ typedef struct grub_disk_memberlist *grub_disk_memberlist_t; + /* Return value of grub_disk_get_size() in case disk size is unknown. */ + #define GRUB_DISK_SIZE_UNKNOWN 0xffffffffffffffffULL + ++/* Convert from GRUB native disk sized sector to disk sized sector. */ ++static inline grub_disk_addr_t ++grub_disk_to_native_sector (grub_disk_t disk, grub_disk_addr_t sector) ++{ ++ return sector >> (disk->log_sector_size - GRUB_DISK_SECTOR_BITS); ++} ++ + /* This is called from the memory manager. */ + void grub_disk_cache_invalidate_all (void); + +-- +2.19.1 + diff --git a/backport-util-grub-fstest-Fix-resource-leaks-in-cmd_cmp.patch b/backport-util-grub-fstest-Fix-resource-leaks-in-cmd_cmp.patch index 4f15c7c179eb75707a1b8089d1b09c5a9557daf9..1019dda640a519b5318ee827cfed89b2b5ba1c82 100644 --- a/backport-util-grub-fstest-Fix-resource-leaks-in-cmd_cmp.patch +++ b/backport-util-grub-fstest-Fix-resource-leaks-in-cmd_cmp.patch 
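Review bot: grub_disk_to_native_sector() in include/grub/disk.h shifts by `disk->log_sector_size - GRUB_DISK_SECTOR_BITS`, which is a negative, undefined shift count for any disk whose log_sector_size is below GRUB_DISK_SECTOR_BITS; if grub_disk_open() already rejects such sector sizes, that precondition belongs on the helper, e.g. `/* Requires disk->log_sector_size >= GRUB_DISK_SECTOR_BITS (enforced when the disk is opened). */`. The header comment also reads backwards for what the body does, since the right shift converts 512-byte sector numbers into the disk's own sector units; `/* Convert a GRUB_DISK_SECTOR_SIZE-unit sector number into the disk's native sector units. */` states it directly. The shift discards the low bits, so a sysfs start that is not a multiple of the disk sector size is silently rounded down; whether that can occur for a real partition table cannot be decided from this hunk.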
@@ -1,45 +1,45 @@ -From 53f08de12bfdd10207a8e6a062c9778f5ab6df87 Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Tue, 26 Oct 2021 15:02:37 +0000 -Subject: util/grub-fstest: Fix resource leaks in cmd_cmp() - -In the function cmd_cmp() within the while loop, srcnew and destnew are -being allocated but are never freed either before leaving scope or in -the recursive calls being made to cmd_cmp(). - -Fixes: CID 314032 -Fixes: CID 314045 - -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper - -Conflict: NA -Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=53f08de12bfdd10207a8e6a062c9778f5ab6df87 - ---- - util/grub-fstest.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/util/grub-fstest.c b/util/grub-fstest.c -index 8386564..486f1dc 100644 ---- a/util/grub-fstest.c -+++ b/util/grub-fstest.c -@@ -300,9 +300,15 @@ cmd_cmp (char *src, char *dest) - strcpy (ptr, entry->d_name); - - if (grub_util_is_special_file (destnew)) -- continue; -+ { -+ free (srcnew); -+ free (destnew); -+ continue; -+ } - - cmd_cmp (srcnew, destnew); -+ free (srcnew); -+ free (destnew); - } - grub_util_fd_closedir (dir); - return; --- -cgit v1.1 +From 53f08de12bfdd10207a8e6a062c9778f5ab6df87 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 26 Oct 2021 15:02:37 +0000 +Subject: util/grub-fstest: Fix resource leaks in cmd_cmp() + +In the function cmd_cmp() within the while loop, srcnew and destnew are +being allocated but are never freed either before leaving scope or in +the recursive calls being made to cmd_cmp(). 
+ +Fixes: CID 314032 +Fixes: CID 314045 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper + +Conflict: NA +Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=53f08de12bfdd10207a8e6a062c9778f5ab6df87 + +--- + util/grub-fstest.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/util/grub-fstest.c b/util/grub-fstest.c +index 8386564..486f1dc 100644 +--- a/util/grub-fstest.c ++++ b/util/grub-fstest.c +@@ -300,9 +300,15 @@ cmd_cmp (char *src, char *dest) + strcpy (ptr, entry->d_name); + + if (grub_util_is_special_file (destnew)) +- continue; ++ { ++ free (srcnew); ++ free (destnew); ++ continue; ++ } + + cmd_cmp (srcnew, destnew); ++ free (srcnew); ++ free (destnew); + } + grub_util_fd_closedir (dir); + return; +-- +cgit v1.1 diff --git a/backport-util-grub-install-common-Fix-memory-leak-in-copy_all.patch b/backport-util-grub-install-common-Fix-memory-leak-in-copy_all.patch index ed3ccedf3ce8e2ed22c4e76281557ba70275bf2d..b73aa5d161fe374fa2cccf6b70c17c76fe3c8c08 100644 --- a/backport-util-grub-install-common-Fix-memory-leak-in-copy_all.patch +++ b/backport-util-grub-install-common-Fix-memory-leak-in-copy_all.patch 
@@ -1,38 +1,38 @@ -From e07fcea291ac8aa430db6e57d6e8e08894127fe2 Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Tue, 26 Oct 2021 15:02:35 +0000 -Subject: util/grub-install-common: Fix memory leak in copy_all() - -The copy_all() function skips a section of code using continue, but -fails to free the memory in srcf first, leaking it. - -Fixes: CID 314026 - -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper - -Conflict: NA -Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=e07fcea291ac8aa430db6e57d6e8e08894127fe2 - ---- - util/grub-install-common.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/util/grub-install-common.c b/util/grub-install-common.c -index 4e212e6..fe77e39 100644 ---- a/util/grub-install-common.c -+++ b/util/grub-install-common.c -@@ -754,7 +754,10 @@ copy_all (const char *srcd, - srcf = grub_util_path_concat (2, srcd, de->d_name); - if (grub_util_is_special_file (srcf) - || grub_util_is_directory (srcf)) -- continue; -+ { -+ free (srcf); -+ continue; -+ } - dstf = grub_util_path_concat (2, dstd, de->d_name); - grub_install_compress_file (srcf, dstf, 1); - free (srcf); --- -cgit v1.1 +From e07fcea291ac8aa430db6e57d6e8e08894127fe2 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 26 Oct 2021 15:02:35 +0000 +Subject: util/grub-install-common: Fix memory leak in copy_all() + +The copy_all() function skips a section of code using continue, but +fails to free the memory in srcf first, leaking it. 
+ +Fixes: CID 314026 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper + +Conflict: NA +Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=e07fcea291ac8aa430db6e57d6e8e08894127fe2 + +--- + util/grub-install-common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/util/grub-install-common.c b/util/grub-install-common.c +index 4e212e6..fe77e39 100644 +--- a/util/grub-install-common.c ++++ b/util/grub-install-common.c +@@ -754,7 +754,10 @@ copy_all (const char *srcd, + srcf = grub_util_path_concat (2, srcd, de->d_name); + if (grub_util_is_special_file (srcf) + || grub_util_is_directory (srcf)) +- continue; ++ { ++ free (srcf); ++ continue; ++ } + dstf = grub_util_path_concat (2, dstd, de->d_name); + grub_install_compress_file (srcf, dstf, 1); + free (srcf); +-- +cgit v1.1 diff --git a/backport-util-grub-mkfont-Fix-memory-leak-in-write_font_pf2.patch b/backport-util-grub-mkfont-Fix-memory-leak-in-write_font_pf2.patch index 0481a86053e5365c5036b97ec4f8cee7fa4979f9..8af7f939b9abdbde18459f738ba6bb355810b412 100644 --- a/backport-util-grub-mkfont-Fix-memory-leak-in-write_font_pf2.patch +++ b/backport-util-grub-mkfont-Fix-memory-leak-in-write_font_pf2.patch 
@@ -1,35 +1,35 @@ -From b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Tue, 26 Oct 2021 15:02:38 +0000 -Subject: util/grub-mkfont: Fix memory leak in write_font_pf2() - -In the function write_font_pf2() memory is allocated for font_name to -construct a new name, but it is not released before returning from the -function, leaking the allocated memory. - -Fixes: CID 314015 - -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper - -Conflict: NA -Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed - ---- - util/grub-mkfont.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/util/grub-mkfont.c b/util/grub-mkfont.c -index 0fe45a6..fdfd70d 100644 ---- a/util/grub-mkfont.c -+++ b/util/grub-mkfont.c -@@ -928,6 +928,7 @@ write_font_pf2 (struct grub_font_info *font_info, char *output_file) - file, output_file); - } - -+ free (font_name); - fclose (file); - } - --- -cgit v1.1 +From b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 26 Oct 2021 15:02:38 +0000 +Subject: util/grub-mkfont: Fix memory leak in write_font_pf2() + +In the function write_font_pf2() memory is allocated for font_name to +construct a new name, but it is not released before returning from the +function, leaking the allocated memory. + +Fixes: CID 314015 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper + +Conflict: NA +Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=b1fae9c1ba1f3ba4c9b4d39ad6eaedf9d77af7ed + +--- + util/grub-mkfont.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/util/grub-mkfont.c b/util/grub-mkfont.c +index 0fe45a6..fdfd70d 100644 +--- a/util/grub-mkfont.c ++++ b/util/grub-mkfont.c +@@ -928,6 +928,7 @@ write_font_pf2 (struct grub_font_info *font_info, char *output_file) + file, output_file); + } + ++ free (font_name); + fclose (file); + } + +-- +cgit v1.1 
diff --git a/backport-util-grub-mkrescue-Fix-memory-leak-in-write_part.patch b/backport-util-grub-mkrescue-Fix-memory-leak-in-write_part.patch index 3110e48b62ec7f40550c418129c3ee68e2bcbdb8..84094e8fdda9e066e191d8dea391aa52949dcad4 100644 --- a/backport-util-grub-mkrescue-Fix-memory-leak-in-write_part.patch +++ b/backport-util-grub-mkrescue-Fix-memory-leak-in-write_part.patch 
@@ -1,34 +1,34 @@ -From eff17a6b2d563fe9a0917e048776ed9ce2da4b80 Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Tue, 26 Oct 2021 15:02:36 +0000 -Subject: util/grub-mkrescue: Fix memory leak in write_part() - -In the function write_part(), the value of inname is not used beyond -the grub_util_fopen() call, so it should be freed to avoid leakage. - -Fixes: CID 314028 - -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper - -Conflict: NA -Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=eff17a6b2d563fe9a0917e048776ed9ce2da4b80 - ---- - util/grub-mkrescue.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c -index fb4dcc6..59c48b1 100644 ---- a/util/grub-mkrescue.c -+++ b/util/grub-mkrescue.c -@@ -229,6 +229,7 @@ write_part (FILE *f, const char *srcdir) - char *inname = grub_util_path_concat (2, srcdir, "partmap.lst"); - char buf[260]; - in = grub_util_fopen (inname, "rb"); -+ free (inname); - if (!in) - return; - while (fgets (buf, 256, in)) --- -cgit v1.1 +From eff17a6b2d563fe9a0917e048776ed9ce2da4b80 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 26 Oct 2021 15:02:36 +0000 +Subject: util/grub-mkrescue: Fix memory leak in write_part() + +In the function write_part(), the value of inname is not used beyond +the grub_util_fopen() call, so it should be freed to avoid leakage. 
+ +Fixes: CID 314028 + +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper + +Conflict: NA +Reference: https://git.savannah.gnu.org/cgit/grub.git/commit?id=eff17a6b2d563fe9a0917e048776ed9ce2da4b80 + +--- + util/grub-mkrescue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c +index fb4dcc6..59c48b1 100644 +--- a/util/grub-mkrescue.c ++++ b/util/grub-mkrescue.c +@@ -229,6 +229,7 @@ write_part (FILE *f, const char *srcdir) + char *inname = grub_util_path_concat (2, srcdir, "partmap.lst"); + char buf[260]; + in = grub_util_fopen (inname, "rb"); ++ free (inname); + if (!in) + return; + while (fgets (buf, 256, in)) +-- +cgit v1.1 diff --git a/grub.patches b/grub.patches index aaceedd2459fd61cd756b3a7af33acfe9e9edb35..72406381f36725e7d5e509948fb5b85a96a42ab1 100644 --- a/grub.patches +++ b/grub.patches 
@@ -435,3 +435,15 @@ Patch0434: backport-kern-file-Fix-error-handling-in-grub_file_open.patch Patch0435: backport-fs-xfs-Fix-memory-leaks-in-XFS-module.patch Patch0436: backport-fs-squash4-Fix-memory-leaks-in-grub_squash_iterate_d.patch Patch0437: backport-fs-iso9660-Fix-memory-leaks-in-grub_iso9660_susp_ite.patch +Patch0438: backport-font-Check-return-value-of-grub_malloc-in-ascii_glyph_lookup.patch +Patch0439: backport-font-Assign-null_font-to-unknown_glyph.patch +Patch0440: backport-font-Reject-fonts-with-negative-max_char_width-or-max_char_height.patch +Patch0441: backport-kern-fs-Fix-possible-integer-overflow-in-i386-pc-mode-with-large.patch +Patch0442: backport-gentpl_py-Remove-interp-section-from-img-files.patch +Patch0443: backport-fs-iso9660-Add-check-to-prevent-infinite-loop.patch +Patch0444: backport-fs-iso9660-Prevent-read-past-the-end-of-system-use-area.patch +Patch0445: backport-fs-iso9660-Prevent-skipping-CE-or-ST-at-start-of-continuation-area.patch +Patch0446: backport-fs-iso9660-Incorrect-check-for-entry-boundary.patch +Patch0447: backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch +Patch0448: backport-net-bootp-Fix-unchecked-return-value.patch +Patch0449: backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch \ No newline at end of file diff --git a/grub2.spec b/grub2.spec index 705f604ac2eac9ebf85b8cfb94e9586b346096a5..5e7fcea7ba2235b6d88260cd703b621fa1f3f120 100644 --- a/grub2.spec +++ b/grub2.spec @@ -8,7 +8,7 @@ Name: grub2 Epoch: 1 Version: 2.04 -Release: 31 +Release: 32 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ 
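Review bot: The new last entry `Patch0449: backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch` is written without a trailing newline (the hunk ends in `\ No newline at end of file`), so the next patch appended to this list will show a spurious change to this line; terminating the file with a newline avoids that. Patch0438 through Patch0447 are listed here while only the 0441, 0448 and 0449 patch files appear in this part of the diff; presumably the remaining files are added elsewhere in the change, but that is not visible from here.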
@@ -442,6 +442,23 @@ rm -r /boot/grub2.tmp/ || : %{_datadir}/man/man* %changelog +* Sun Apr 16 2023 zhangqiumiao - 1:2.04-32 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:osdep/linux/hostdisk: Modify sector by sysfs as disk sector + net/bootp: Fix unchecked return value + fs/iso9660: Avoid reading past the entry boundary + fs/iso9660: Incorrect check for entry boundary + fs/iso9660: Prevent skipping CE or ST at start of continuation area + fs/iso9660: Prevent read past the end of system use area + fs/iso9660: Add check to prevent infinite loop + gentpl.py: Remove .interp section from .img files + kern/fs: Fix possible integer overflow in i386-pc mode with large partitions + font: Reject fonts with negative max_char_width or max_char_height + font: Assign null_font to unknown_glyph + font: Check return value of grub_malloc() in ascii_glyph_lookup() + * Wed Mar 22 2023 zhangqiumiao - 1:2.04-31 - Type:bugfix - CVE:NA