diff --git a/backport-kern-Check-for-NULL-when-closing-devices-and-disks.patch b/backport-kern-Check-for-NULL-when-closing-devices-and-disks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7e06a1fab0165270225301eede8d083c65247a35
--- /dev/null
+++ b/backport-kern-Check-for-NULL-when-closing-devices-and-disks.patch
@@ -0,0 +1,50 @@
+From d09387287b7bbd7770bc9d172cc0e06181183e02 Mon Sep 17 00:00:00 2001
+From: Oliver Steffen
+Date: Fri, 26 May 2023 13:35:50 +0200
+Subject: kern: Check for NULL when closing devices and disks
+
+Add checks for NULL pointers to grub_device_close() and
+grub_disk_close() to make these functions more robust.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=d09387287b7bbd7770bc9d172cc0e06181183e02
+Conflict:NA
+
+Signed-off-by: Oliver Steffen
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/device.c | 3 +++
+ grub-core/kern/disk.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/grub-core/kern/device.c b/grub-core/kern/device.c
+index f58b58c..2a6d81f 100644
+--- a/grub-core/kern/device.c
++++ b/grub-core/kern/device.c
+@@ -72,6 +72,9 @@ grub_device_open (const char *name)
+ grub_err_t
+ grub_device_close (grub_device_t device)
+ {
++ if (device == NULL)
++ return GRUB_ERR_NONE;
++
+ if (device->disk)
+ grub_disk_close (device->disk);
+
+diff --git a/grub-core/kern/disk.c b/grub-core/kern/disk.c
+index 05a28ab..3ca8528 100644
+--- a/grub-core/kern/disk.c
++++ b/grub-core/kern/disk.c
+@@ -294,6 +294,10 @@ void
+ grub_disk_close (grub_disk_t disk)
+ {
+ grub_partition_t part;
++
++ if (disk == NULL)
++ return;
++
+ grub_dprintf ("disk", "Closing `%s'...\n", disk->name);
+
+ if (disk->dev && disk->dev->disk_close)
+--
+2.19.1
+
diff --git a/backport-kern-efi-mm-Fix-use-after-free-in-finish-boot-services.patch b/backport-kern-efi-mm-Fix-use-after-free-in-finish-boot-services.patch
new file mode 100644
index 0000000000000000000000000000000000000000..532a0a689f7755165b9e99f70955928868da3973
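Review bot: The new guards in grub_device_close() and grub_disk_close() only cover a NULL argument, and neither function documents that NULL is now an accepted no-op. Both take the handle by value, so they cannot clear the caller's copy; a caller that closes twice on an error path is still exposed unless it resets its own pointer after the first close. A one-line comment above each guard would make the contract explicit, for example `/* NULL is accepted and ignored; callers must still clear their own handle after closing. */`. Both function bodies continue outside the hunks shown.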
--- /dev/null
+++ b/backport-kern-efi-mm-Fix-use-after-free-in-finish-boot-services.patch
@@ -0,0 +1,47 @@
+From 6f05a277961dc801ba6de4f0f3bc22184ae80b0f Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Mon, 22 May 2023 16:52:49 -0400
+Subject: kern/efi/mm: Fix use-after-free in finish boot services
+
+In grub-core/kern/efi/mm.c, grub_efi_finish_boot_services() has an instance
+where the memory for the variable finish_mmap_buf is freed, but on the next
+iteration of a while loop, grub_efi_get_memory_map() uses finish_mmap_buf. To
+prevent this, we can set finish_mmap_buf to NULL after the free.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=6f05a277961dc801ba6de4f0f3bc22184ae80b0f
+Conflict:NA
+
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/efi/mm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index 2be0e69..6a6fba8 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -263,6 +263,7 @@ grub_efi_finish_boot_services (grub_efi_uintn_t *outbuf_size, void *outbuf,
+ &finish_desc_size, &finish_desc_version) <= 0)
+ {
+ grub_free (finish_mmap_buf);
++ finish_mmap_buf = NULL;
+ return grub_error (GRUB_ERR_IO, "couldn't retrieve memory map");
+ }
+
+@@ -274,10 +275,12 @@ grub_efi_finish_boot_services (grub_efi_uintn_t *outbuf_size, void *outbuf,
+ if (status != GRUB_EFI_INVALID_PARAMETER)
+ {
+ grub_free (finish_mmap_buf);
++ finish_mmap_buf = NULL;
+ return grub_error (GRUB_ERR_IO, "couldn't terminate EFI services");
+ }
+
+ grub_free (finish_mmap_buf);
++ finish_mmap_buf = NULL;
+ grub_printf ("Trying to terminate EFI services again\n");
+ }
+ grub_efi_is_finished = 1;
+--
+cgit v1.1
+
diff --git a/backport-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch b/backport-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c64ec85febbe4e19e5254abc57d1d30e03e416b7
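Review bot: After the third `finish_mmap_buf = NULL;` (the retry path before "Trying to terminate EFI services again") the loop re-enters with a NULL buffer, and nothing in the hunks shows what size is passed to grub_efi_get_memory_map() alongside it. The commit message says the next iteration hands finish_mmap_buf to that call, so it is worth confirming that a NULL buffer is never paired with a stale non-zero length, or that the callee treats NULL as a pure size query. A comment at the retry site would record the assumption, for example `/* Loop restarts with a NULL buffer; the next grub_efi_get_memory_map () call must only query the size. */`. The first two assignments precede a `return`, so they matter only if finish_mmap_buf outlives the call; its declaration is outside the hunks.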
--- /dev/null
+++ b/backport-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch
@@ -0,0 +1,102 @@
+From 1be86fae1587cb8c53c2327971c8fc94fcb3234e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Wed, 3 May 2023 12:21:31 +0200
+Subject: net/dns: Fix lookup error when no IPv6 is returned
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When trying to resolve DNS names into IP addresses, the DNS code fails
+from time to time with the following error:
+-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
+error: ../../grub-core/net/dns.c:688:no DNS record found.
+-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
+
+This happens when both IPv4 and IPv6 queries are performed against the
+DNS server (e.g. 8.8.8.8) but there is no IP returned for IPv6 query, as
+shown below:
+-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
+grub> net_del_dns 192.168.122.1
+grub> net_add_dns 8.8.8.8
+grub> net_nslookup ipv4.test-ipv6.com
+error: ../../grub-core/net/dns.c:688:no DNS record found.
+grub> net_nslookup ipv4.test-ipv6.com
+216.218.228.115
+-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
+
+The root cause is the code exiting prematurely when the data->addresses
+buffer has been allocated in recv_hook(), even if there was no address
+returned last time recv_hook() executed.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=1be86fae1587cb8c53c2327971c8fc94fcb3234e
+Conflict:NA
+
+Signed-off-by: Renaud Métrich
+Reviewed-by: Daniel Kiper
+---
+ grub-core/net/dns.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index 9760980..fcc09aa 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -261,7 +261,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ /* Code apparently assumed that only one packet is received as response.
+ We may get multiple responses due to network condition, so check here
+ and quit early. */
+- if (*data->addresses)
++ if (*data->naddresses)
+ goto out;
+
+ head = (struct dns_header *) nb->data;
+@@ -305,11 +305,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ grub_uint32_t ttl = 0;
+ grub_uint16_t length;
+ if (ptr >= nb->tail)
+- {
+- if (!*data->naddresses)
+- grub_free (*data->addresses);
+- goto out;
+- }
++ goto out;
+ ignored = !check_name (ptr, nb->data, nb->tail, data->name);
+ while (ptr < nb->tail && !((*ptr & 0xc0) || *ptr == 0))
+ ptr += *ptr + 1;
+@@ -317,11 +313,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ ptr++;
+ ptr++;
+ if (ptr + 10 >= nb->tail)
+- {
+- if (!*data->naddresses)
+- grub_free (*data->addresses);
+- goto out;
+- }
++ goto out;
+ if (*ptr++ != 0)
+ ignored = 1;
+ class = *ptr++;
+@@ -337,11 +329,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ length = *ptr++ << 8;
+ length |= *ptr++;
+ if (ptr + length > nb->tail)
+- {
+- if (!*data->naddresses)
+- grub_free (*data->addresses);
+- goto out;
+- }
++ goto out;
+ if (!ignored)
+ {
+ if (ttl_all > ttl)
+@@ -428,6 +416,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ out:
+ grub_netbuff_free (nb);
+ grub_free (redirect_save);
++ if (!*data->naddresses)
++ grub_free (*data->addresses);
+ return GRUB_ERR_NONE;
+ }
+
+--
+cgit v1.1
diff --git a/backport-net-dns-Fix-removal-of-DNS-server.patch b/backport-net-dns-Fix-removal-of-DNS-server.patch
new file mode 100644
index 0000000000000000000000000000000000000000..182a3ccafd2ee60677d17f964e74d1ba98707369
--- /dev/null
+++ b/backport-net-dns-Fix-removal-of-DNS-server.patch
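Review bot: The `grub_free (*data->addresses)` added under `out:` leaves `*data->addresses` pointing at freed memory, and because the early-exit test now checks `*data->naddresses`, a later packet is no longer stopped at the top of recv_hook(). If such a packet takes one of the early `goto out` exits (length, id or flags checks, visible in the recv_hook() simplification patch on this page) before the buffer is allocated again, the same pointer would be freed a second time; the allocation itself is outside the hunks, so this is inferred from the visible order of checks. The input here is an unauthenticated DNS response, so the cleanup should be idempotent: put braces around the body and clear the pointer, `grub_free (*data->addresses); *data->addresses = NULL;`. The lookup caller's own handling of `addresses` after a zero-address result is not shown and should be checked against the same state.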
@@ -0,0 +1,49 @@
+From f301a9356b6338e983eae38debe69bbd3a417b1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Fri, 28 Apr 2023 13:05:37 +0200
+Subject: net/dns: Fix removal of DNS server
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When deleting the DNS server, we get the following error message:
+-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
+grub> net_del_dns 192.168.122.1
+error: ../../grub-core/net/dns.c:646:no DNS reply received.
+-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
+
+This happens because the implementation is broken, it does a "add"
+internally instead of a "delete".
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=f301a9356b6338e983eae38debe69bbd3a417b1a
+Conflict:NA
+
+Signed-off-by: Renaud Métrich
+Reviewed-by: Daniel Kiper
+---
+ grub-core/net/dns.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index afa3894..e51682d 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -765,11 +765,14 @@ grub_cmd_del_dns (struct grub_command *cmd __attribute__ ((unused)),
+
+ if (argc != 1)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+- err = grub_net_resolve_address (args[1], &server);
++
++ err = grub_net_resolve_address (args[0], &server);
+ if (err)
+ return err;
+
+- return grub_net_add_dns_server (&server);
++ grub_net_remove_dns_server (&server);
++
++ return GRUB_ERR_NONE;
+ }
+
+ static grub_command_t cmd, cmd_add, cmd_del, cmd_list;
+--
+cgit v1.1
diff --git a/backport-net-dns-Simplify-error-handling-of-recv_hook-function.patch b/backport-net-dns-Simplify-error-handling-of-recv_hook-function.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ad693a13e94d114a3a4314a95efff2714445b085
--- /dev/null
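Review bot: grub_cmd_del_dns() now returns GRUB_ERR_NONE unconditionally after `grub_net_remove_dns_server (&server);`, so deleting an address that was never configured looks the same as a successful removal. The hunk does not show whether the helper can report a miss. If it cannot, a short comment would state that this is deliberate, for example `/* Removing a server that is not in the list is not an error. */`. The start of the function is outside the hunk.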
+++ b/backport-net-dns-Simplify-error-handling-of-recv_hook-function.patch 
@@ -0,0 +1,141 @@
+From 6c0edcdc27568bb7ae9e5bd89ebc7b8c137f6bc0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Wed, 3 May 2023 12:21:29 +0200
+Subject: net/dns: Simplify error handling of recv_hook() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/grub-core/net/dns.c?id=6c0edcdc27568bb7ae9e5bd89ebc7b8c137f6bc0
+Conflict:NA
+
+Signed-off-by: Renaud Métrich
+Reviewed-by: Daniel Kiper
+---
+ grub-core/net/dns.c | 50 +++++++++++++++------------------------------
+ 1 file changed, 16 insertions(+), 34 deletions(-)
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index e9edf5d..0aba533 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -262,42 +262,26 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ We may get multiple responses due to network condition, so check here
+ and quit early. */
+ if (*data->addresses)
+- {
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
+- }
++ goto out;
+
+ head = (struct dns_header *) nb->data;
+ ptr = (grub_uint8_t *) (head + 1);
+ if (ptr >= nb->tail)
+- {
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
+- }
+-
++ goto out;
++
+ if (head->id != data->id)
+- {
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
+- }
++ goto out;
+ if (!(head->flags & FLAGS_RESPONSE) || (head->flags & FLAGS_OPCODE))
+- {
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
+- }
++ goto out;
+ if (head->ra_z_r_code & ERRCODE_MASK)
+ {
+ data->dns_err = 1;
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
++ goto out;
+ }
+ for (i = 0; i < grub_be_to_cpu16 (head->qdcount); i++)
+ {
+ if (ptr >= nb->tail)
+- {
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
+- }
++ goto out;
+ while (ptr < nb->tail && !((*ptr & 0xc0) || *ptr == 0))
+ ptr += *ptr + 1;
+ if (ptr < nb->tail && (*ptr & 0xc0))
+@@ -310,8 +294,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ if (!*data->addresses)
+ {
+ grub_errno = GRUB_ERR_NONE;
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
++ goto out;
+ }
+ reparse_ptr = ptr;
+ reparse:
+@@ -325,7 +308,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ {
+ if (!*data->naddresses)
+ grub_free (*data->addresses);
+- return GRUB_ERR_NONE;
++ goto out;
+ }
+ ignored = !check_name (ptr, nb->data, nb->tail, data->name);
+ while (ptr < nb->tail && !((*ptr & 0xc0) || *ptr == 0))
+@@ -337,8 +320,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ {
+ if (!*data->naddresses)
+ grub_free (*data->addresses);
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
++ goto out;
+ }
+ if (*ptr++ != 0)
+ ignored = 1;
+@@ -358,8 +340,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ {
+ if (!*data->naddresses)
+ grub_free (*data->addresses);
+- grub_netbuff_free (nb);
+- return GRUB_ERR_NONE;
++ goto out;
+ }
+ if (!ignored)
+ {
+@@ -400,15 +381,14 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ if (!data->name)
+ {
+ data->dns_err = 1;
+- grub_errno = 0;
+- return GRUB_ERR_NONE;
++ grub_errno = GRUB_ERR_NONE;
++ goto out;
+ }
+ grub_dprintf ("dns", "CNAME %s\n", data->name);
+ if (grub_strcmp (redirect_save, data->name) == 0)
+ {
+ data->dns_err = 1;
+- grub_free (redirect_save);
+- return GRUB_ERR_NONE;
++ goto out;
+ }
+ goto reparse;
+ }
+@@ -440,6 +420,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ *data->naddresses
+ * sizeof (dns_cache[h].addresses[0]));
+ }
++
++ out:
+ grub_netbuff_free (nb);
+ grub_free (redirect_save);
+ return GRUB_ERR_NONE;
+--
+2.19.1
+
diff --git a/backport-util-grub-install-common-Fix-the-key-of.patch b/backport-util-grub-install-common-Fix-the-key-of.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b250a97005baf5825f97dcdeb59e739b15f75ecc
--- /dev/null
+++ b/backport-util-grub-install-common-Fix-the-key-of.patch
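Review bot: Every early `goto out` in recv_hook() now reaches `grub_free (redirect_save)`, including the length, id and flags exits taken before any CNAME has been handled, so the shared cleanup is safe only if redirect_save is initialised to NULL at its declaration. That declaration is outside the hunks and should be confirmed as part of this backport, since the packet being parsed is untrusted network input. A comment at the label would record the invariant, for example `/* redirect_save stays NULL unless a CNAME was followed; grub_free () accepts NULL. */`.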
@@ -0,0 +1,43 @@
+From a6eba8f1276e58d94b4134b2488768349c8f37dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=81kos=20Nagy?=
+Date: Fri, 5 May 2023 14:04:28 +0200
+Subject: util/grub-install-common: Fix the key of the --core-compress option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit f23bc6510 (Transform -C option to grub-mkstandalone to
+--core-compress available in all grub-install flavours.) declared
+a new long option for specifying the compression method to use for
+the core image.
+
+However, the option key has not been replaced in the parser function,
+it still expects the old one formerly used by grub-mkstandalone.
+Because of this the option is not recognized by any of the utils for
+which it is listed as supported.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=a6eba8f1276e58d94b4134b2488768349c8f37dc
+Conflict:NA
+
+Signed-off-by: Ákos Nagy
+Reviewed-by: Daniel Kiper
+---
+ util/grub-install-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-install-common.c b/util/grub-install-common.c
+index 57ac445..52a29d1 100644
+--- a/util/grub-install-common.c
++++ b/util/grub-install-common.c
+@@ -472,7 +472,7 @@ grub_install_parse (int key, char *arg)
+ const char *end;
+ switch (key)
+ {
+- case 'C':
++ case GRUB_INSTALL_OPTIONS_INSTALL_CORE_COMPRESS:
+ if (grub_strcmp (arg, "xz") == 0)
+ {
+ #ifdef HAVE_LIBLZMA
+--
+cgit v1.1
+
diff --git a/grub.patches b/grub.patches
index 619f7d774304766b0b6c5f8bf197ddf39b5dd673..5bcecfae35a7ffd56ffccc1dc8cd39dd5af644d8 100644
--- a/grub.patches
+++ b/grub.patches
@@ -334,3 +334,9 @@ Patch0326: remove-the-items-of-unsupported-filesystems-in-fs.ls.patch %ifarch loongarch64 Patch0327: loongarch-Fix-the-initrd-parameter-passing.patch %endif +Patch0328: backport-net-dns-Fix-removal-of-DNS-server.patch +Patch0329: backport-net-dns-Simplify-error-handling-of-recv_hook-function.patch +Patch0330: backport-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch +Patch0331: backport-util-grub-install-common-Fix-the-key-of.patch +Patch0332: backport-kern-efi-mm-Fix-use-after-free-in-finish-boot-services.patch +Patch0333: backport-kern-Check-for-NULL-when-closing-devices-and-disks.patch diff --git a/grub2.spec b/grub2.spec index 647a9ff72c86a382dda51f7e5fbcf40a13719c0a..a893abb0f8f8f2ac72cd55bbc4a7a2abeb25667b 100644 --- a/grub2.spec +++ b/grub2.spec @@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 34 +Release: 35 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -440,6 +440,17 @@ fi %{_datadir}/man/man* %changelog +* Thu Aug 17 2023 zhangqiumiao - 1:2.06-35 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:kern: Check for NULL when closing devices and disks + kern/efi/mm: Fix use-after-free in finish boot services + util/grub-install-common: Fix the key of the --core-compress option + net/dns: Fix lookup error when no IPv6 is returned + net/dns: Simplify error handling of recv_hook() function + net/dns: Fix removal of DNS server + * Mon Aug 7 2023 mengyingkun - 1:2.06-34 - Type:bugfix - CVE:NA