boot/grub2: bump to version 2.12
For the release announcement on the mailing list, see [1]. For the general release news, see [2]. This commit removes all package patches, as they are all included in this version. The .checkpackageignore file is updated accordingly (the entry for patch 0001 is removed). This commit also removes the GRUB2_AVOID_AUTORECONF hooks, since patch 0001 is removed. This commit also removes the GRUB2_IGNORE_CVES entries associated with the removed patches. The version bump should now explicitly exclude those CVEs. For patches 8 and 9, the upstream commit IDs were incorrectly recorded: - patch 8 mentioned d5caac8ab79d068ad9a41030c772d03a4d4fbd7b while the actual commit is 5bff31cdb6b93d738f850834e6291df1d0b136fa - patch 9 mentioned 166a4d61448f74745afe1dac2f2cfb85d04909bf while the actual commit is 347880a13c239b4c2811c94c9a7cf78b607332e3 Finally, this commit introduces a new patch, adding a file that is missing from the release tarball. [1] https://lists.gnu.org/archive/html/grub-devel/2023-12/msg00052.html [2] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=blob;f=NEWS;hb=refs/tags/grub-2.12 Signed-off-by: Julien Olivain <ju.o@free.fr> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
parent
fc8eff0c76
commit
5baf1ffe7e
@ -104,7 +104,6 @@ boot/at91bootstrap/0002-gcc-4.6.x-ldscript-fix.patch Upstream
|
||||
boot/at91bootstrap/0003-u-boot-relocation-fix.patch Upstream
|
||||
boot/at91dataflashboot/0001-do-not-install.patch Upstream
|
||||
boot/at91dataflashboot/0002-eabi-fixes.patch Upstream
|
||||
boot/grub2/0001-Makefile-Make-grub_fstest.pp-depend-on-config-util.h.patch Upstream
|
||||
boot/optee-os/3.13.0/0001-core-zlib-fix-build-warning-when-_LFS64_LARGEFILE-is.patch Upstream
|
||||
boot/syslinux/0001-bios-Fix-alignment-change-with-gcc-5.patch Upstream
|
||||
boot/syslinux/0002-Disable-PIE-to-avoid-FTBFS-on-amd64.patch Upstream
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 4d4dae6a52b1749642261a15f5dcc1e3d4150b36 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Olivain <ju.o@free.fr>
|
||||
Date: Fri, 22 Dec 2023 19:02:53 +0100
|
||||
Subject: [PATCH] Add missing grub-core/extra_deps.lst file in release tarball
|
||||
|
||||
A file is missing in the grub-2.12 release tarballs (both .gz and .xz).
|
||||
See [1]. The issue was reported in [2] and fixed upstream in [3].
|
||||
|
||||
This patch adds the missing file, on top of the release tarball. This
|
||||
patch won't apply on upstream git, since the file is present in the
|
||||
source repository. Since the issue is fixed upstream in [3], it is
|
||||
expected upcoming releases tarballs will include the file.
|
||||
|
||||
The file content was fetched from the upstream git repo:
|
||||
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=blob_plain;f=grub-core/extra_deps.lst;hb=refs/tags/grub-2.12
|
||||
|
||||
[1] https://ftp.gnu.org/gnu/grub/grub-2.12.tar.xz
|
||||
[2] https://lists.gnu.org/archive/html/grub-devel/2023-12/msg00054.html
|
||||
[3] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b835601c7639ed1890f2d3db91900a8506011a8e
|
||||
|
||||
Signed-off-by: Julien Olivain <ju.o@free.fr>
|
||||
Upstream: Fixed by: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b835601c7639ed1890f2d3db91900a8506011a8e
|
||||
---
|
||||
grub-core/extra_deps.lst | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
create mode 100644 grub-core/extra_deps.lst
|
||||
|
||||
diff --git a/grub-core/extra_deps.lst b/grub-core/extra_deps.lst
|
||||
new file mode 100644
|
||||
index 0000000..f44ad6a
|
||||
--- /dev/null
|
||||
+++ b/grub-core/extra_deps.lst
|
||||
@@ -0,0 +1 @@
|
||||
+depends bli part_gpt
|
||||
--
|
||||
2.43.0
|
||||
|
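Review bot: The provenance paragraph of the new patch ("The file content was fetched from the upstream git repo") identifies the source only through the tag ref `hb=refs/tags/grub-2.12`, so the description does not pin the upstream object that the added `grub-core/extra_deps.lst` was copied from. Because this file is layered on top of a release tarball that is presumably checked against the package hash file, while the added content is not covered by that check, I would record the commit the tag resolved to next to the URL, for example `The file content was taken from upstream commit <UPSTREAM_COMMIT_ID> (tag grub-2.12):`. The `index 0000000..f44ad6a` line already carries the abbreviated blob id of the added content, so a reviewer can compare it with the blob at that tag to confirm the one-line file matches upstream. The description could also say that the patch is to be dropped at the next version bump, since it states that upcoming tarballs are expected to contain the file.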
@ -1,45 +0,0 @@
|
||||
From bb08b723fa7bc56439c7bc166cff361628e73453 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <bb08b723fa7bc56439c7bc166cff361628e73453.1659683176.git.stefan@agner.ch>
|
||||
From: Stefan Agner <stefan@agner.ch>
|
||||
Date: Fri, 5 Aug 2022 08:59:52 +0200
|
||||
Subject: [PATCH] Makefile: Make grub_fstest.pp depend on config-util.h
|
||||
|
||||
Warning: This commit does not apply to the GRUB git repository. This
|
||||
patch applies against the release tarballs.
|
||||
|
||||
Upstream status: https://lists.gnu.org/archive/html/grub-devel/2022-08/msg00045.html
|
||||
Signed-off-by: Stefan Agner <stefan@agner.ch>
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
Makefile.in | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index bf9c1ba..f08cfc0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -51,7 +51,7 @@ libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
|
||||
CLEANFILES += libgrub_a_init.c
|
||||
|
||||
# For grub-fstest
|
||||
-grub_fstest.pp: $(grub_fstest_SOURCES)
|
||||
+grub_fstest.pp: config-util.h $(grub_fstest_SOURCES)
|
||||
$(CPP) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(grub_fstest_CPPFLAGS) $(CPPFLAGS) \
|
||||
-D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
|
||||
CLEANFILES += grub_fstest.pp
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 13f2eef..2c1d20b 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -13312,7 +13312,7 @@ libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
|
||||
sh $(top_srcdir)/geninit.sh `cat $<` > $@ || (rm -f $@; exit 1)
|
||||
|
||||
# For grub-fstest
|
||||
-grub_fstest.pp: $(grub_fstest_SOURCES)
|
||||
+grub_fstest.pp: config-util.h $(grub_fstest_SOURCES)
|
||||
$(CPP) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(grub_fstest_CPPFLAGS) $(CPPFLAGS) \
|
||||
-D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
|
||||
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,43 +0,0 @@
|
||||
From 4c1ad500e73d46c83dec369da85db39ae2fe62dd Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Fri, 3 Dec 2021 16:13:28 +0800
|
||||
Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
|
||||
|
||||
The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
|
||||
configuration by grub-mkconfig) has inadvertently discarded umask for
|
||||
creating grub.cfg in the process of running grub-mkconfig. The resulting
|
||||
wrong permission (0644) would allow unprivileged users to read GRUB
|
||||
configuration file content. This presents a low confidentiality risk
|
||||
as grub.cfg may contain non-secured plain-text passwords.
|
||||
|
||||
This patch restores the missing umask and sets the creation file mode
|
||||
to 0600 preventing unprivileged access.
|
||||
|
||||
Fixes: CVE-2021-3981
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
util/grub-mkconfig.in | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
||||
index f8cbb8d7a..84f356ea4 100644
|
||||
--- a/util/grub-mkconfig.in
|
||||
+++ b/util/grub-mkconfig.in
|
||||
@@ -300,7 +300,10 @@ and /etc/grub.d/* files or please file a bug report with
|
||||
exit 1
|
||||
else
|
||||
# none of the children aborted with error, install the new grub.cfg
|
||||
+ oldumask=$(umask)
|
||||
+ umask 077
|
||||
cat ${grub_cfg}.new > ${grub_cfg}
|
||||
+ umask $oldumask
|
||||
rm -f ${grub_cfg}.new
|
||||
fi
|
||||
fi
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,126 +0,0 @@
|
||||
From dfdc742bdb22be468035f96cce0be5fee23b6df5 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Tue, 5 Apr 2022 10:02:04 +0100
|
||||
Subject: [PATCH] loader/efi/chainloader: Simplify the loader state
|
||||
|
||||
The chainloader command retains the source buffer and device path passed
|
||||
to LoadImage(), requiring the unload hook passed to grub_loader_set() to
|
||||
free them. It isn't required to retain this state though - they aren't
|
||||
required by StartImage() or anything else in the boot hook, so clean them
|
||||
up before grub_cmd_chainloader() finishes.
|
||||
|
||||
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 1469983ebb9674753ad333d37087fb8cb20e1dce
|
||||
[Thomas: needed to cherry-pick
|
||||
04c86e0bb7b58fc2f913f798cdb18934933e532d which fixes CVE-2022-28736]
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 38 +++++++++++++++++-------------
|
||||
1 file changed, 21 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index 2bd80f4db..d1602c89b 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -44,25 +44,20 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
static grub_dl_t my_mod;
|
||||
|
||||
-static grub_efi_physical_address_t address;
|
||||
-static grub_efi_uintn_t pages;
|
||||
-static grub_efi_device_path_t *file_path;
|
||||
static grub_efi_handle_t image_handle;
|
||||
-static grub_efi_char16_t *cmdline;
|
||||
|
||||
static grub_err_t
|
||||
grub_chainloader_unload (void)
|
||||
{
|
||||
+ grub_efi_loaded_image_t *loaded_image;
|
||||
grub_efi_boot_services_t *b;
|
||||
|
||||
+ loaded_image = grub_efi_get_loaded_image (image_handle);
|
||||
+ if (loaded_image != NULL)
|
||||
+ grub_free (loaded_image->load_options);
|
||||
+
|
||||
b = grub_efi_system_table->boot_services;
|
||||
efi_call_1 (b->unload_image, image_handle);
|
||||
- efi_call_2 (b->free_pages, address, pages);
|
||||
-
|
||||
- grub_free (file_path);
|
||||
- grub_free (cmdline);
|
||||
- cmdline = 0;
|
||||
- file_path = 0;
|
||||
|
||||
grub_dl_unref (my_mod);
|
||||
return GRUB_ERR_NONE;
|
||||
@@ -140,7 +135,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
|
||||
char *dir_start;
|
||||
char *dir_end;
|
||||
grub_size_t size;
|
||||
- grub_efi_device_path_t *d;
|
||||
+ grub_efi_device_path_t *d, *file_path;
|
||||
|
||||
dir_start = grub_strchr (filename, ')');
|
||||
if (! dir_start)
|
||||
@@ -222,11 +217,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
grub_efi_status_t status;
|
||||
grub_efi_boot_services_t *b;
|
||||
grub_device_t dev = 0;
|
||||
- grub_efi_device_path_t *dp = 0;
|
||||
+ grub_efi_device_path_t *dp = NULL, *file_path = NULL;
|
||||
grub_efi_loaded_image_t *loaded_image;
|
||||
char *filename;
|
||||
void *boot_image = 0;
|
||||
grub_efi_handle_t dev_handle = 0;
|
||||
+ grub_efi_physical_address_t address = 0;
|
||||
+ grub_efi_uintn_t pages = 0;
|
||||
+ grub_efi_char16_t *cmdline = NULL;
|
||||
|
||||
if (argc == 0)
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||||
@@ -234,11 +232,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
|
||||
grub_dl_ref (my_mod);
|
||||
|
||||
- /* Initialize some global variables. */
|
||||
- address = 0;
|
||||
- image_handle = 0;
|
||||
- file_path = 0;
|
||||
-
|
||||
b = grub_efi_system_table->boot_services;
|
||||
|
||||
file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
|
||||
@@ -408,6 +401,10 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
grub_file_close (file);
|
||||
grub_device_close (dev);
|
||||
|
||||
+ /* We're finished with the source image buffer and file path now. */
|
||||
+ efi_call_2 (b->free_pages, address, pages);
|
||||
+ grub_free (file_path);
|
||||
+
|
||||
grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
|
||||
return 0;
|
||||
|
||||
@@ -419,11 +416,18 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
if (file)
|
||||
grub_file_close (file);
|
||||
|
||||
+ grub_free (cmdline);
|
||||
grub_free (file_path);
|
||||
|
||||
if (address)
|
||||
efi_call_2 (b->free_pages, address, pages);
|
||||
|
||||
+ if (image_handle != NULL)
|
||||
+ {
|
||||
+ efi_call_1 (b->unload_image, image_handle);
|
||||
+ image_handle = NULL;
|
||||
+ }
|
||||
+
|
||||
grub_dl_unref (my_mod);
|
||||
|
||||
return grub_errno;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,165 +0,0 @@
|
||||
From 8b6336696d93b51703c2015eff3e2d8a02145e43 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Tue, 5 Apr 2022 10:58:28 +0100
|
||||
Subject: [PATCH] commands/boot: Add API to pass context to loader
|
||||
|
||||
Loaders rely on global variables for saving context which is consumed
|
||||
in the boot hook and freed in the unload hook. In the case where a loader
|
||||
command is executed twice, calling grub_loader_set() a second time executes
|
||||
the unload hook, but in some cases this runs when the loader's global
|
||||
context has already been updated, resulting in the updated context being
|
||||
freed and potential use-after-free bugs when the boot hook is subsequently
|
||||
called.
|
||||
|
||||
This adds a new API, grub_loader_set_ex(), which allows a loader to specify
|
||||
context that is passed to its boot and unload hooks. This is an alternative
|
||||
to requiring that loaders call grub_loader_unset() before mutating their
|
||||
global context.
|
||||
|
||||
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 14ceb3b3ff6db664649138442b6562c114dcf56e
|
||||
[Thomas: needed to backport 04c86e0bb7b58fc2f913f798cdb18934933e532d,
|
||||
which fixes CVE-2022-28736]
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++++++++++-----
|
||||
include/grub/loader.h | 5 +++
|
||||
2 files changed, 63 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
|
||||
index bbca81e94..61514788e 100644
|
||||
--- a/grub-core/commands/boot.c
|
||||
+++ b/grub-core/commands/boot.c
|
||||
@@ -27,10 +27,20 @@
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
-static grub_err_t (*grub_loader_boot_func) (void);
|
||||
-static grub_err_t (*grub_loader_unload_func) (void);
|
||||
+static grub_err_t (*grub_loader_boot_func) (void *context);
|
||||
+static grub_err_t (*grub_loader_unload_func) (void *context);
|
||||
+static void *grub_loader_context;
|
||||
static int grub_loader_flags;
|
||||
|
||||
+struct grub_simple_loader_hooks
|
||||
+{
|
||||
+ grub_err_t (*boot) (void);
|
||||
+ grub_err_t (*unload) (void);
|
||||
+};
|
||||
+
|
||||
+/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
|
||||
+static struct grub_simple_loader_hooks simple_loader_hooks;
|
||||
+
|
||||
struct grub_preboot
|
||||
{
|
||||
grub_err_t (*preboot_func) (int);
|
||||
@@ -44,6 +54,29 @@ static int grub_loader_loaded;
|
||||
static struct grub_preboot *preboots_head = 0,
|
||||
*preboots_tail = 0;
|
||||
|
||||
+static grub_err_t
|
||||
+grub_simple_boot_hook (void *context)
|
||||
+{
|
||||
+ struct grub_simple_loader_hooks *hooks;
|
||||
+
|
||||
+ hooks = (struct grub_simple_loader_hooks *) context;
|
||||
+ return hooks->boot ();
|
||||
+}
|
||||
+
|
||||
+static grub_err_t
|
||||
+grub_simple_unload_hook (void *context)
|
||||
+{
|
||||
+ struct grub_simple_loader_hooks *hooks;
|
||||
+ grub_err_t ret;
|
||||
+
|
||||
+ hooks = (struct grub_simple_loader_hooks *) context;
|
||||
+
|
||||
+ ret = hooks->unload ();
|
||||
+ grub_memset (hooks, 0, sizeof (*hooks));
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int
|
||||
grub_loader_is_loaded (void)
|
||||
{
|
||||
@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
|
||||
}
|
||||
|
||||
void
|
||||
-grub_loader_set (grub_err_t (*boot) (void),
|
||||
- grub_err_t (*unload) (void),
|
||||
- int flags)
|
||||
+grub_loader_set_ex (grub_err_t (*boot) (void *context),
|
||||
+ grub_err_t (*unload) (void *context),
|
||||
+ void *context,
|
||||
+ int flags)
|
||||
{
|
||||
if (grub_loader_loaded && grub_loader_unload_func)
|
||||
- grub_loader_unload_func ();
|
||||
+ grub_loader_unload_func (grub_loader_context);
|
||||
|
||||
grub_loader_boot_func = boot;
|
||||
grub_loader_unload_func = unload;
|
||||
+ grub_loader_context = context;
|
||||
grub_loader_flags = flags;
|
||||
|
||||
grub_loader_loaded = 1;
|
||||
}
|
||||
|
||||
+void
|
||||
+grub_loader_set (grub_err_t (*boot) (void),
|
||||
+ grub_err_t (*unload) (void),
|
||||
+ int flags)
|
||||
+{
|
||||
+ grub_loader_set_ex (grub_simple_boot_hook,
|
||||
+ grub_simple_unload_hook,
|
||||
+ &simple_loader_hooks,
|
||||
+ flags);
|
||||
+
|
||||
+ simple_loader_hooks.boot = boot;
|
||||
+ simple_loader_hooks.unload = unload;
|
||||
+}
|
||||
+
|
||||
void
|
||||
grub_loader_unset(void)
|
||||
{
|
||||
if (grub_loader_loaded && grub_loader_unload_func)
|
||||
- grub_loader_unload_func ();
|
||||
+ grub_loader_unload_func (grub_loader_context);
|
||||
|
||||
grub_loader_boot_func = 0;
|
||||
grub_loader_unload_func = 0;
|
||||
+ grub_loader_context = 0;
|
||||
|
||||
grub_loader_loaded = 0;
|
||||
}
|
||||
@@ -158,7 +208,7 @@ grub_loader_boot (void)
|
||||
return err;
|
||||
}
|
||||
}
|
||||
- err = (grub_loader_boot_func) ();
|
||||
+ err = (grub_loader_boot_func) (grub_loader_context);
|
||||
|
||||
for (cur = preboots_tail; cur; cur = cur->prev)
|
||||
if (! err)
|
||||
diff --git a/include/grub/loader.h b/include/grub/loader.h
|
||||
index b20864282..97f231054 100644
|
||||
--- a/include/grub/loader.h
|
||||
+++ b/include/grub/loader.h
|
||||
@@ -40,6 +40,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
|
||||
grub_err_t (*unload) (void),
|
||||
int flags);
|
||||
|
||||
+void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context),
|
||||
+ grub_err_t (*unload) (void *context),
|
||||
+ void *context,
|
||||
+ int flags);
|
||||
+
|
||||
/* Unset current loader, if any. */
|
||||
void EXPORT_FUNC (grub_loader_unset) (void);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,80 +0,0 @@
|
||||
From 583fca49f413e00fe26f8ae7abe0837bbc574f79 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Tue, 5 Apr 2022 11:48:58 +0100
|
||||
Subject: [PATCH] loader/efi/chainloader: Use grub_loader_set_ex()
|
||||
|
||||
This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
|
||||
a use-after-free bug that occurs when grub_cmd_chainloader() is executed
|
||||
more than once before a boot attempt is performed.
|
||||
|
||||
Fixes: CVE-2022-28736
|
||||
|
||||
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 04c86e0bb7b58fc2f913f798cdb18934933e532d
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 16 +++++++---------
|
||||
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index d1602c89b..7557eb269 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -44,11 +44,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
static grub_dl_t my_mod;
|
||||
|
||||
-static grub_efi_handle_t image_handle;
|
||||
-
|
||||
static grub_err_t
|
||||
-grub_chainloader_unload (void)
|
||||
+grub_chainloader_unload (void *context)
|
||||
{
|
||||
+ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
|
||||
grub_efi_loaded_image_t *loaded_image;
|
||||
grub_efi_boot_services_t *b;
|
||||
|
||||
@@ -64,8 +63,9 @@ grub_chainloader_unload (void)
|
||||
}
|
||||
|
||||
static grub_err_t
|
||||
-grub_chainloader_boot (void)
|
||||
+grub_chainloader_boot (void *context)
|
||||
{
|
||||
+ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
|
||||
grub_efi_boot_services_t *b;
|
||||
grub_efi_status_t status;
|
||||
grub_efi_uintn_t exit_data_size;
|
||||
@@ -225,6 +225,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
grub_efi_physical_address_t address = 0;
|
||||
grub_efi_uintn_t pages = 0;
|
||||
grub_efi_char16_t *cmdline = NULL;
|
||||
+ grub_efi_handle_t image_handle = NULL;
|
||||
|
||||
if (argc == 0)
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||||
@@ -405,7 +406,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
efi_call_2 (b->free_pages, address, pages);
|
||||
grub_free (file_path);
|
||||
|
||||
- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
|
||||
+ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
|
||||
return 0;
|
||||
|
||||
fail:
|
||||
@@ -423,10 +424,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
efi_call_2 (b->free_pages, address, pages);
|
||||
|
||||
if (image_handle != NULL)
|
||||
- {
|
||||
- efi_call_1 (b->unload_image, image_handle);
|
||||
- image_handle = NULL;
|
||||
- }
|
||||
+ efi_call_1 (b->unload_image, image_handle);
|
||||
|
||||
grub_dl_unref (my_mod);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,105 +0,0 @@
|
||||
From 1e1b1271b7a7c6ac20a4c5f8e0dc29614b4975d1 Mon Sep 17 00:00:00 2001
|
||||
From: Julian Andres Klode <julian.klode@canonical.com>
|
||||
Date: Thu, 2 Dec 2021 15:03:53 +0100
|
||||
Subject: [PATCH] kern/efi/sb: Reject non-kernel files in the shim_lock
|
||||
verifier
|
||||
|
||||
We must not allow other verifiers to pass things like the GRUB modules.
|
||||
Instead of maintaining a blocklist, maintain an allowlist of things
|
||||
that we do not care about.
|
||||
|
||||
This allowlist really should be made reusable, and shared by the
|
||||
lockdown verifier, but this is the minimal patch addressing
|
||||
security concerns where the TPM verifier was able to mark modules
|
||||
as verified (or the OpenPGP verifier for that matter), when it
|
||||
should not do so on shim-powered secure boot systems.
|
||||
|
||||
Fixes: CVE-2022-28735
|
||||
|
||||
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 6fe755c5c07bb386fda58306bfd19e4a1c974c53
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/kern/efi/sb.c | 39 ++++++++++++++++++++++++++++++++++++---
|
||||
include/grub/verify.h | 1 +
|
||||
2 files changed, 37 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
|
||||
index c52ec6226..89c4bb3fd 100644
|
||||
--- a/grub-core/kern/efi/sb.c
|
||||
+++ b/grub-core/kern/efi/sb.c
|
||||
@@ -119,10 +119,11 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
|
||||
void **context __attribute__ ((unused)),
|
||||
enum grub_verify_flags *flags)
|
||||
{
|
||||
- *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||
+ *flags = GRUB_VERIFY_FLAGS_NONE;
|
||||
|
||||
switch (type & GRUB_FILE_TYPE_MASK)
|
||||
{
|
||||
+ /* Files we check. */
|
||||
case GRUB_FILE_TYPE_LINUX_KERNEL:
|
||||
case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
|
||||
case GRUB_FILE_TYPE_BSD_KERNEL:
|
||||
@@ -130,11 +131,43 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
|
||||
case GRUB_FILE_TYPE_PLAN9_KERNEL:
|
||||
case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
|
||||
*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
|
||||
+ return GRUB_ERR_NONE;
|
||||
|
||||
- /* Fall through. */
|
||||
+ /* Files that do not affect secureboot state. */
|
||||
+ case GRUB_FILE_TYPE_NONE:
|
||||
+ case GRUB_FILE_TYPE_LOOPBACK:
|
||||
+ case GRUB_FILE_TYPE_LINUX_INITRD:
|
||||
+ case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
|
||||
+ case GRUB_FILE_TYPE_XNU_RAMDISK:
|
||||
+ case GRUB_FILE_TYPE_SIGNATURE:
|
||||
+ case GRUB_FILE_TYPE_PUBLIC_KEY:
|
||||
+ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
|
||||
+ case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
|
||||
+ case GRUB_FILE_TYPE_TESTLOAD:
|
||||
+ case GRUB_FILE_TYPE_GET_SIZE:
|
||||
+ case GRUB_FILE_TYPE_FONT:
|
||||
+ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
|
||||
+ case GRUB_FILE_TYPE_CAT:
|
||||
+ case GRUB_FILE_TYPE_HEXCAT:
|
||||
+ case GRUB_FILE_TYPE_CMP:
|
||||
+ case GRUB_FILE_TYPE_HASHLIST:
|
||||
+ case GRUB_FILE_TYPE_TO_HASH:
|
||||
+ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
|
||||
+ case GRUB_FILE_TYPE_PIXMAP:
|
||||
+ case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
|
||||
+ case GRUB_FILE_TYPE_CONFIG:
|
||||
+ case GRUB_FILE_TYPE_THEME:
|
||||
+ case GRUB_FILE_TYPE_GETTEXT_CATALOG:
|
||||
+ case GRUB_FILE_TYPE_FS_SEARCH:
|
||||
+ case GRUB_FILE_TYPE_LOADENV:
|
||||
+ case GRUB_FILE_TYPE_SAVEENV:
|
||||
+ case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
|
||||
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||
+ return GRUB_ERR_NONE;
|
||||
|
||||
+ /* Other files. */
|
||||
default:
|
||||
- return GRUB_ERR_NONE;
|
||||
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/include/grub/verify.h b/include/grub/verify.h
|
||||
index cd129c398..672ae1692 100644
|
||||
--- a/include/grub/verify.h
|
||||
+++ b/include/grub/verify.h
|
||||
@@ -24,6 +24,7 @@
|
||||
|
||||
enum grub_verify_flags
|
||||
{
|
||||
+ GRUB_VERIFY_FLAGS_NONE = 0,
|
||||
GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
|
||||
GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
|
||||
/* Defer verification to another authority. */
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,689 +0,0 @@
|
||||
From 1faa412c502c7c4ca1230fc152be30b88847fdd2 Mon Sep 17 00:00:00 2001
|
||||
From: Elyes Haouas <ehaouas@noos.fr>
|
||||
Date: Fri, 4 Mar 2022 07:42:13 +0100
|
||||
Subject: [PATCH] video: Remove trailing whitespaces
|
||||
|
||||
Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 1f48917d8ddb490dcdc70176e0f58136b7f7811a
|
||||
[Thomas: needed to backport patches fixing CVEs in the video code]
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/video/bochs.c | 2 +-
|
||||
grub-core/video/capture.c | 2 +-
|
||||
grub-core/video/cirrus.c | 4 ++--
|
||||
grub-core/video/coreboot/cbfb.c | 2 +-
|
||||
grub-core/video/efi_gop.c | 22 +++++++++----------
|
||||
grub-core/video/fb/fbblit.c | 8 +++----
|
||||
grub-core/video/fb/video_fb.c | 10 ++++-----
|
||||
grub-core/video/i386/pc/vbe.c | 34 ++++++++++++++---------------
|
||||
grub-core/video/i386/pc/vga.c | 6 ++---
|
||||
grub-core/video/ieee1275.c | 4 ++--
|
||||
grub-core/video/radeon_fuloong2e.c | 6 ++---
|
||||
grub-core/video/radeon_yeeloong3a.c | 6 ++---
|
||||
grub-core/video/readers/png.c | 2 +-
|
||||
grub-core/video/readers/tga.c | 2 +-
|
||||
grub-core/video/sis315_init.c | 2 +-
|
||||
grub-core/video/sis315pro.c | 8 +++----
|
||||
grub-core/video/sm712.c | 10 ++++-----
|
||||
grub-core/video/video.c | 8 +++----
|
||||
18 files changed, 69 insertions(+), 69 deletions(-)
|
||||
|
||||
diff --git a/grub-core/video/bochs.c b/grub-core/video/bochs.c
|
||||
index 30ea1bd82..edc651697 100644
|
||||
--- a/grub-core/video/bochs.c
|
||||
+++ b/grub-core/video/bochs.c
|
||||
@@ -212,7 +212,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
|
||||
|
||||
if (((class >> 16) & 0xffff) != 0x0300 || pciid != 0x11111234)
|
||||
return 0;
|
||||
-
|
||||
+
|
||||
addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
|
||||
framebuffer.base = grub_pci_read (addr) & GRUB_PCI_ADDR_MEM_MASK;
|
||||
if (!framebuffer.base)
|
||||
diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c
|
||||
index 4d3195e01..c653d89f9 100644
|
||||
--- a/grub-core/video/capture.c
|
||||
+++ b/grub-core/video/capture.c
|
||||
@@ -92,7 +92,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info,
|
||||
framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch);
|
||||
if (!framebuffer.ptr)
|
||||
return grub_errno;
|
||||
-
|
||||
+
|
||||
err = grub_video_fb_create_render_target_from_pointer (&framebuffer.render_target,
|
||||
&framebuffer.mode_info,
|
||||
framebuffer.ptr);
|
||||
diff --git a/grub-core/video/cirrus.c b/grub-core/video/cirrus.c
|
||||
index e2149e8ce..f5542ccdc 100644
|
||||
--- a/grub-core/video/cirrus.c
|
||||
+++ b/grub-core/video/cirrus.c
|
||||
@@ -354,11 +354,11 @@ grub_video_cirrus_setup (unsigned int width, unsigned int height,
|
||||
grub_uint8_t sr_ext = 0, hidden_dac = 0;
|
||||
|
||||
grub_vga_set_geometry (&config, grub_vga_cr_write);
|
||||
-
|
||||
+
|
||||
grub_vga_gr_write (GRUB_VGA_GR_MODE_256_COLOR | GRUB_VGA_GR_MODE_READ_MODE1,
|
||||
GRUB_VGA_GR_MODE);
|
||||
grub_vga_gr_write (GRUB_VGA_GR_GR6_GRAPHICS_MODE, GRUB_VGA_GR_GR6);
|
||||
-
|
||||
+
|
||||
grub_vga_sr_write (GRUB_VGA_SR_MEMORY_MODE_NORMAL, GRUB_VGA_SR_MEMORY_MODE);
|
||||
|
||||
grub_vga_cr_write ((config.pitch >> CIRRUS_CR_EXTENDED_DISPLAY_PITCH_SHIFT)
|
||||
diff --git a/grub-core/video/coreboot/cbfb.c b/grub-core/video/coreboot/cbfb.c
|
||||
index 9af81fa5b..986003c51 100644
|
||||
--- a/grub-core/video/coreboot/cbfb.c
|
||||
+++ b/grub-core/video/coreboot/cbfb.c
|
||||
@@ -106,7 +106,7 @@ grub_video_cbfb_setup (unsigned int width, unsigned int height,
|
||||
|
||||
grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS,
|
||||
grub_video_fbstd_colors);
|
||||
-
|
||||
+
|
||||
return err;
|
||||
}
|
||||
|
||||
diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
|
||||
index b7590dc6c..7a5054631 100644
|
||||
--- a/grub-core/video/efi_gop.c
|
||||
+++ b/grub-core/video/efi_gop.c
|
||||
@@ -273,7 +273,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
|
||||
grub_efi_status_t status;
|
||||
struct grub_efi_gop_mode_info *info = NULL;
|
||||
struct grub_video_mode_info mode_info;
|
||||
-
|
||||
+
|
||||
status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
|
||||
|
||||
if (status)
|
||||
@@ -390,7 +390,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
found = 1;
|
||||
}
|
||||
}
|
||||
-
|
||||
+
|
||||
if (!found)
|
||||
{
|
||||
unsigned mode;
|
||||
@@ -399,7 +399,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
{
|
||||
grub_efi_uintn_t size;
|
||||
grub_efi_status_t status;
|
||||
-
|
||||
+
|
||||
status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
|
||||
if (status)
|
||||
{
|
||||
@@ -472,11 +472,11 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
|
||||
framebuffer.offscreen
|
||||
= grub_malloc (framebuffer.mode_info.height
|
||||
- * framebuffer.mode_info.width
|
||||
+ * framebuffer.mode_info.width
|
||||
* sizeof (struct grub_efi_gop_blt_pixel));
|
||||
|
||||
buffer = framebuffer.offscreen;
|
||||
-
|
||||
+
|
||||
if (!buffer)
|
||||
{
|
||||
grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
|
||||
@@ -485,11 +485,11 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
&framebuffer.mode_info);
|
||||
buffer = framebuffer.ptr;
|
||||
}
|
||||
-
|
||||
+
|
||||
grub_dprintf ("video", "GOP: initialising FB @ %p %dx%dx%d\n",
|
||||
framebuffer.ptr, framebuffer.mode_info.width,
|
||||
framebuffer.mode_info.height, framebuffer.mode_info.bpp);
|
||||
-
|
||||
+
|
||||
err = grub_video_fb_create_render_target_from_pointer
|
||||
(&framebuffer.render_target, &framebuffer.mode_info, buffer);
|
||||
|
||||
@@ -498,15 +498,15 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
grub_dprintf ("video", "GOP: Couldn't create FB target\n");
|
||||
return err;
|
||||
}
|
||||
-
|
||||
+
|
||||
err = grub_video_fb_set_active_render_target (framebuffer.render_target);
|
||||
-
|
||||
+
|
||||
if (err)
|
||||
{
|
||||
grub_dprintf ("video", "GOP: Couldn't set FB target\n");
|
||||
return err;
|
||||
}
|
||||
-
|
||||
+
|
||||
err = grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS,
|
||||
grub_video_fbstd_colors);
|
||||
|
||||
@@ -514,7 +514,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
|
||||
grub_dprintf ("video", "GOP: Couldn't set palette\n");
|
||||
else
|
||||
grub_dprintf ("video", "GOP: Success\n");
|
||||
-
|
||||
+
|
||||
return err;
|
||||
}
|
||||
|
||||
diff --git a/grub-core/video/fb/fbblit.c b/grub-core/video/fb/fbblit.c
|
||||
index d55924837..1010ef393 100644
|
||||
--- a/grub-core/video/fb/fbblit.c
|
||||
+++ b/grub-core/video/fb/fbblit.c
|
||||
@@ -466,7 +466,7 @@ grub_video_fbblit_replace_24bit_indexa (struct grub_video_fbblit_info *dst,
|
||||
for (i = 0; i < width; i++)
|
||||
{
|
||||
register grub_uint32_t col;
|
||||
- if (*srcptr == 0xf0)
|
||||
+ if (*srcptr == 0xf0)
|
||||
col = palette[16];
|
||||
else
|
||||
col = palette[*srcptr & 0xf];
|
||||
@@ -478,7 +478,7 @@ grub_video_fbblit_replace_24bit_indexa (struct grub_video_fbblit_info *dst,
|
||||
*dstptr++ = col >> 0;
|
||||
*dstptr++ = col >> 8;
|
||||
*dstptr++ = col >> 16;
|
||||
-#endif
|
||||
+#endif
|
||||
srcptr++;
|
||||
}
|
||||
|
||||
@@ -651,7 +651,7 @@ grub_video_fbblit_blend_24bit_indexa (struct grub_video_fbblit_info *dst,
|
||||
for (i = 0; i < width; i++)
|
||||
{
|
||||
register grub_uint32_t col;
|
||||
- if (*srcptr != 0xf0)
|
||||
+ if (*srcptr != 0xf0)
|
||||
{
|
||||
col = palette[*srcptr & 0xf];
|
||||
#ifdef GRUB_CPU_WORDS_BIGENDIAN
|
||||
@@ -662,7 +662,7 @@ grub_video_fbblit_blend_24bit_indexa (struct grub_video_fbblit_info *dst,
|
||||
*dstptr++ = col >> 0;
|
||||
*dstptr++ = col >> 8;
|
||||
*dstptr++ = col >> 16;
|
||||
-#endif
|
||||
+#endif
|
||||
}
|
||||
else
|
||||
dstptr += 3;
|
||||
diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
|
||||
index ae6b89f9a..fa4ebde26 100644
|
||||
--- a/grub-core/video/fb/video_fb.c
|
||||
+++ b/grub-core/video/fb/video_fb.c
|
||||
@@ -754,7 +754,7 @@ grub_video_fb_unmap_color_int (struct grub_video_fbblit_info * source,
|
||||
*alpha = 0;
|
||||
return;
|
||||
}
|
||||
-
|
||||
+
|
||||
/* If we have an out-of-bounds color, return transparent black. */
|
||||
if (color > 255)
|
||||
{
|
||||
@@ -1141,7 +1141,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy)
|
||||
/* If everything is aligned on 32-bit use 32-bit copy. */
|
||||
if ((grub_addr_t) grub_video_fb_get_video_ptr (&target, src_x, src_y)
|
||||
% sizeof (grub_uint32_t) == 0
|
||||
- && (grub_addr_t) grub_video_fb_get_video_ptr (&target, dst_x, dst_y)
|
||||
+ && (grub_addr_t) grub_video_fb_get_video_ptr (&target, dst_x, dst_y)
|
||||
% sizeof (grub_uint32_t) == 0
|
||||
&& linelen % sizeof (grub_uint32_t) == 0
|
||||
&& linedelta % sizeof (grub_uint32_t) == 0)
|
||||
@@ -1155,7 +1155,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy)
|
||||
else if ((grub_addr_t) grub_video_fb_get_video_ptr (&target, src_x, src_y)
|
||||
% sizeof (grub_uint16_t) == 0
|
||||
&& (grub_addr_t) grub_video_fb_get_video_ptr (&target,
|
||||
- dst_x, dst_y)
|
||||
+ dst_x, dst_y)
|
||||
% sizeof (grub_uint16_t) == 0
|
||||
&& linelen % sizeof (grub_uint16_t) == 0
|
||||
&& linedelta % sizeof (grub_uint16_t) == 0)
|
||||
@@ -1170,7 +1170,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy)
|
||||
{
|
||||
grub_uint8_t *src, *dst;
|
||||
DO_SCROLL
|
||||
- }
|
||||
+ }
|
||||
}
|
||||
|
||||
/* 4. Fill empty space with specified color. In this implementation
|
||||
@@ -1615,7 +1615,7 @@ grub_video_fb_setup (unsigned int mode_type, unsigned int mode_mask,
|
||||
framebuffer.render_target = framebuffer.back_target;
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
-
|
||||
+
|
||||
mode_info->mode_type &= ~(GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
|
||||
| GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
|
||||
|
||||
diff --git a/grub-core/video/i386/pc/vbe.c b/grub-core/video/i386/pc/vbe.c
|
||||
index b7f911926..0e65b5206 100644
|
||||
--- a/grub-core/video/i386/pc/vbe.c
|
||||
+++ b/grub-core/video/i386/pc/vbe.c
|
||||
@@ -219,7 +219,7 @@ grub_vbe_disable_mtrr (int mtrr)
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f09 to set palette data, return status. */
|
||||
-static grub_vbe_status_t
|
||||
+static grub_vbe_status_t
|
||||
grub_vbe_bios_set_palette_data (grub_uint32_t color_count,
|
||||
grub_uint32_t start_index,
|
||||
struct grub_vbe_palette_data *palette_data)
|
||||
@@ -237,7 +237,7 @@ grub_vbe_bios_set_palette_data (grub_uint32_t color_count,
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f00 to get VBE Controller Information, return status. */
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_get_controller_info (struct grub_vbe_info_block *ci)
|
||||
{
|
||||
struct grub_bios_int_registers regs;
|
||||
@@ -251,7 +251,7 @@ grub_vbe_bios_get_controller_info (struct grub_vbe_info_block *ci)
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f01 to get VBE Mode Information, return status. */
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_get_mode_info (grub_uint32_t mode,
|
||||
struct grub_vbe_mode_info_block *mode_info)
|
||||
{
|
||||
@@ -285,7 +285,7 @@ grub_vbe_bios_set_mode (grub_uint32_t mode,
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f03 to return current VBE Mode, return status. */
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_get_mode (grub_uint32_t *mode)
|
||||
{
|
||||
struct grub_bios_int_registers regs;
|
||||
@@ -298,7 +298,7 @@ grub_vbe_bios_get_mode (grub_uint32_t *mode)
|
||||
return regs.eax & 0xffff;
|
||||
}
|
||||
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_getset_dac_palette_width (int set, int *dac_mask_size)
|
||||
{
|
||||
struct grub_bios_int_registers regs;
|
||||
@@ -346,7 +346,7 @@ grub_vbe_bios_get_memory_window (grub_uint32_t window,
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f06 to set scanline length (in bytes), return status. */
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_set_scanline_length (grub_uint32_t length)
|
||||
{
|
||||
struct grub_bios_int_registers regs;
|
||||
@@ -354,14 +354,14 @@ grub_vbe_bios_set_scanline_length (grub_uint32_t length)
|
||||
regs.ecx = length;
|
||||
regs.eax = 0x4f06;
|
||||
/* BL = 2, Set Scan Line in Bytes. */
|
||||
- regs.ebx = 0x0002;
|
||||
+ regs.ebx = 0x0002;
|
||||
regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
|
||||
grub_bios_interrupt (0x10, ®s);
|
||||
return regs.eax & 0xffff;
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f06 to return scanline length (in bytes), return status. */
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_get_scanline_length (grub_uint32_t *length)
|
||||
{
|
||||
struct grub_bios_int_registers regs;
|
||||
@@ -377,7 +377,7 @@ grub_vbe_bios_get_scanline_length (grub_uint32_t *length)
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f07 to set display start, return status. */
|
||||
-static grub_vbe_status_t
|
||||
+static grub_vbe_status_t
|
||||
grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y)
|
||||
{
|
||||
struct grub_bios_int_registers regs;
|
||||
@@ -390,7 +390,7 @@ grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y)
|
||||
regs.edx = y;
|
||||
regs.eax = 0x4f07;
|
||||
/* BL = 80h, Set Display Start during Vertical Retrace. */
|
||||
- regs.ebx = 0x0080;
|
||||
+ regs.ebx = 0x0080;
|
||||
regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
|
||||
grub_bios_interrupt (0x10, ®s);
|
||||
|
||||
@@ -401,7 +401,7 @@ grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y)
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f07 to get display start, return status. */
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_get_display_start (grub_uint32_t *x,
|
||||
grub_uint32_t *y)
|
||||
{
|
||||
@@ -419,7 +419,7 @@ grub_vbe_bios_get_display_start (grub_uint32_t *x,
|
||||
}
|
||||
|
||||
/* Call VESA BIOS 0x4f0a. */
|
||||
-grub_vbe_status_t
|
||||
+grub_vbe_status_t
|
||||
grub_vbe_bios_get_pm_interface (grub_uint16_t *segment, grub_uint16_t *offset,
|
||||
grub_uint16_t *length)
|
||||
{
|
||||
@@ -896,7 +896,7 @@ vbe2videoinfo (grub_uint32_t mode,
|
||||
case GRUB_VBE_MEMORY_MODEL_YUV:
|
||||
mode_info->mode_type |= GRUB_VIDEO_MODE_TYPE_YUV;
|
||||
break;
|
||||
-
|
||||
+
|
||||
case GRUB_VBE_MEMORY_MODEL_DIRECT_COLOR:
|
||||
mode_info->mode_type |= GRUB_VIDEO_MODE_TYPE_RGB;
|
||||
break;
|
||||
@@ -923,10 +923,10 @@ vbe2videoinfo (grub_uint32_t mode,
|
||||
break;
|
||||
case 8:
|
||||
mode_info->bytes_per_pixel = 1;
|
||||
- break;
|
||||
+ break;
|
||||
case 4:
|
||||
mode_info->bytes_per_pixel = 0;
|
||||
- break;
|
||||
+ break;
|
||||
}
|
||||
|
||||
if (controller_info.version >= 0x300)
|
||||
@@ -976,7 +976,7 @@ grub_video_vbe_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
|
||||
|
||||
static grub_err_t
|
||||
grub_video_vbe_setup (unsigned int width, unsigned int height,
|
||||
- grub_video_mode_type_t mode_type,
|
||||
+ grub_video_mode_type_t mode_type,
|
||||
grub_video_mode_type_t mode_mask)
|
||||
{
|
||||
grub_uint16_t *p;
|
||||
@@ -1193,7 +1193,7 @@ grub_video_vbe_print_adapter_specific_info (void)
|
||||
controller_info.version & 0xFF,
|
||||
controller_info.oem_software_rev >> 8,
|
||||
controller_info.oem_software_rev & 0xFF);
|
||||
-
|
||||
+
|
||||
/* The total_memory field is in 64 KiB units. */
|
||||
grub_printf_ (N_(" total memory: %d KiB\n"),
|
||||
(controller_info.total_memory << 6));
|
||||
diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c
|
||||
index b2f776c99..50d0b5e02 100644
|
||||
--- a/grub-core/video/i386/pc/vga.c
|
||||
+++ b/grub-core/video/i386/pc/vga.c
|
||||
@@ -48,7 +48,7 @@ static struct
|
||||
int back_page;
|
||||
} framebuffer;
|
||||
|
||||
-static unsigned char
|
||||
+static unsigned char
|
||||
grub_vga_set_mode (unsigned char mode)
|
||||
{
|
||||
struct grub_bios_int_registers regs;
|
||||
@@ -182,10 +182,10 @@ grub_video_vga_setup (unsigned int width, unsigned int height,
|
||||
|
||||
is_target = 1;
|
||||
err = grub_video_fb_set_active_render_target (framebuffer.render_target);
|
||||
-
|
||||
+
|
||||
if (err)
|
||||
return err;
|
||||
-
|
||||
+
|
||||
err = grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS,
|
||||
grub_video_fbstd_colors);
|
||||
|
||||
diff --git a/grub-core/video/ieee1275.c b/grub-core/video/ieee1275.c
|
||||
index 17a3dbbb5..f8cf94d96 100644
|
||||
--- a/grub-core/video/ieee1275.c
|
||||
+++ b/grub-core/video/ieee1275.c
|
||||
@@ -234,7 +234,7 @@ grub_video_ieee1275_setup (unsigned int width, unsigned int height,
|
||||
/* TODO. */
|
||||
return grub_error (GRUB_ERR_IO, "can't set mode %dx%d", width, height);
|
||||
}
|
||||
-
|
||||
+
|
||||
err = grub_video_ieee1275_fill_mode_info (dev, &framebuffer.mode_info);
|
||||
if (err)
|
||||
{
|
||||
@@ -261,7 +261,7 @@ grub_video_ieee1275_setup (unsigned int width, unsigned int height,
|
||||
|
||||
grub_video_ieee1275_set_palette (0, framebuffer.mode_info.number_of_colors,
|
||||
grub_video_fbstd_colors);
|
||||
-
|
||||
+
|
||||
return err;
|
||||
}
|
||||
|
||||
diff --git a/grub-core/video/radeon_fuloong2e.c b/grub-core/video/radeon_fuloong2e.c
|
||||
index b4da34b5e..40917acb7 100644
|
||||
--- a/grub-core/video/radeon_fuloong2e.c
|
||||
+++ b/grub-core/video/radeon_fuloong2e.c
|
||||
@@ -75,7 +75,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
|
||||
if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
|
||||
|| pciid != 0x515a1002)
|
||||
return 0;
|
||||
-
|
||||
+
|
||||
*found = 1;
|
||||
|
||||
addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
|
||||
@@ -139,7 +139,7 @@ grub_video_radeon_fuloong2e_setup (unsigned int width, unsigned int height,
|
||||
framebuffer.mapped = 1;
|
||||
|
||||
/* Prevent garbage from appearing on the screen. */
|
||||
- grub_memset (framebuffer.ptr, 0x55,
|
||||
+ grub_memset (framebuffer.ptr, 0x55,
|
||||
framebuffer.mode_info.height * framebuffer.mode_info.pitch);
|
||||
|
||||
#ifndef TEST
|
||||
@@ -152,7 +152,7 @@ grub_video_radeon_fuloong2e_setup (unsigned int width, unsigned int height,
|
||||
return err;
|
||||
|
||||
err = grub_video_fb_set_active_render_target (framebuffer.render_target);
|
||||
-
|
||||
+
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
diff --git a/grub-core/video/radeon_yeeloong3a.c b/grub-core/video/radeon_yeeloong3a.c
|
||||
index 52614feb6..48631c181 100644
|
||||
--- a/grub-core/video/radeon_yeeloong3a.c
|
||||
+++ b/grub-core/video/radeon_yeeloong3a.c
|
||||
@@ -74,7 +74,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
|
||||
if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
|
||||
|| pciid != 0x96151002)
|
||||
return 0;
|
||||
-
|
||||
+
|
||||
*found = 1;
|
||||
|
||||
addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
|
||||
@@ -137,7 +137,7 @@ grub_video_radeon_yeeloong3a_setup (unsigned int width, unsigned int height,
|
||||
#endif
|
||||
|
||||
/* Prevent garbage from appearing on the screen. */
|
||||
- grub_memset (framebuffer.ptr, 0,
|
||||
+ grub_memset (framebuffer.ptr, 0,
|
||||
framebuffer.mode_info.height * framebuffer.mode_info.pitch);
|
||||
|
||||
#ifndef TEST
|
||||
@@ -150,7 +150,7 @@ grub_video_radeon_yeeloong3a_setup (unsigned int width, unsigned int height,
|
||||
return err;
|
||||
|
||||
err = grub_video_fb_set_active_render_target (framebuffer.render_target);
|
||||
-
|
||||
+
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
|
||||
index 0157ff742..54dfedf43 100644
|
||||
--- a/grub-core/video/readers/png.c
|
||||
+++ b/grub-core/video/readers/png.c
|
||||
@@ -916,7 +916,7 @@ grub_png_convert_image (struct grub_png_data *data)
|
||||
}
|
||||
return;
|
||||
}
|
||||
-
|
||||
+
|
||||
if (data->is_gray)
|
||||
{
|
||||
switch (data->bpp)
|
||||
diff --git a/grub-core/video/readers/tga.c b/grub-core/video/readers/tga.c
|
||||
index 7cb9d1d2a..a9ec3a1b6 100644
|
||||
--- a/grub-core/video/readers/tga.c
|
||||
+++ b/grub-core/video/readers/tga.c
|
||||
@@ -127,7 +127,7 @@ tga_load_palette (struct tga_data *data)
|
||||
|
||||
if (len > sizeof (data->palette))
|
||||
len = sizeof (data->palette);
|
||||
-
|
||||
+
|
||||
if (grub_file_read (data->file, &data->palette, len)
|
||||
!= (grub_ssize_t) len)
|
||||
return grub_errno;
|
||||
diff --git a/grub-core/video/sis315_init.c b/grub-core/video/sis315_init.c
|
||||
index ae5c1419c..09c3c7bbe 100644
|
||||
--- a/grub-core/video/sis315_init.c
|
||||
+++ b/grub-core/video/sis315_init.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-static const struct { grub_uint8_t reg; grub_uint8_t val; } sr_dump [] =
|
||||
+static const struct { grub_uint8_t reg; grub_uint8_t val; } sr_dump [] =
|
||||
{
|
||||
{ 0x28, 0x81 },
|
||||
{ 0x2a, 0x00 },
|
||||
diff --git a/grub-core/video/sis315pro.c b/grub-core/video/sis315pro.c
|
||||
index 22a0c85a6..4d2f9999a 100644
|
||||
--- a/grub-core/video/sis315pro.c
|
||||
+++ b/grub-core/video/sis315pro.c
|
||||
@@ -103,7 +103,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
|
||||
if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
|
||||
|| pciid != GRUB_SIS315PRO_PCIID)
|
||||
return 0;
|
||||
-
|
||||
+
|
||||
*found = 1;
|
||||
|
||||
addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
|
||||
@@ -218,7 +218,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height,
|
||||
|
||||
#ifndef TEST
|
||||
/* Prevent garbage from appearing on the screen. */
|
||||
- grub_memset (framebuffer.ptr, 0,
|
||||
+ grub_memset (framebuffer.ptr, 0,
|
||||
framebuffer.mode_info.height * framebuffer.mode_info.pitch);
|
||||
grub_arch_sync_dma_caches (framebuffer.ptr,
|
||||
framebuffer.mode_info.height
|
||||
@@ -231,7 +231,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height,
|
||||
| GRUB_VGA_IO_MISC_EXTERNAL_CLOCK_0
|
||||
| GRUB_VGA_IO_MISC_28MHZ
|
||||
| GRUB_VGA_IO_MISC_ENABLE_VRAM_ACCESS
|
||||
- | GRUB_VGA_IO_MISC_COLOR,
|
||||
+ | GRUB_VGA_IO_MISC_COLOR,
|
||||
GRUB_VGA_IO_MISC_WRITE + GRUB_MACHINE_PCI_IO_BASE);
|
||||
|
||||
grub_vga_sr_write (0x86, 5);
|
||||
@@ -335,7 +335,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height,
|
||||
{
|
||||
if (read_sis_cmd (0x5) != 0xa1)
|
||||
write_sis_cmd (0x86, 0x5);
|
||||
-
|
||||
+
|
||||
write_sis_cmd (read_sis_cmd (0x20) | 0xa1, 0x20);
|
||||
write_sis_cmd (read_sis_cmd (0x1e) | 0xda, 0x1e);
|
||||
|
||||
diff --git a/grub-core/video/sm712.c b/grub-core/video/sm712.c
|
||||
index 10c46eb65..65f59f84b 100644
|
||||
--- a/grub-core/video/sm712.c
|
||||
+++ b/grub-core/video/sm712.c
|
||||
@@ -167,7 +167,7 @@ enum
|
||||
GRUB_SM712_CR_SHADOW_VGA_VBLANK_START = 0x46,
|
||||
GRUB_SM712_CR_SHADOW_VGA_VBLANK_END = 0x47,
|
||||
GRUB_SM712_CR_SHADOW_VGA_VRETRACE_START = 0x48,
|
||||
- GRUB_SM712_CR_SHADOW_VGA_VRETRACE_END = 0x49,
|
||||
+ GRUB_SM712_CR_SHADOW_VGA_VRETRACE_END = 0x49,
|
||||
GRUB_SM712_CR_SHADOW_VGA_OVERFLOW = 0x4a,
|
||||
GRUB_SM712_CR_SHADOW_VGA_CELL_HEIGHT = 0x4b,
|
||||
GRUB_SM712_CR_SHADOW_VGA_HDISPLAY_END = 0x4c,
|
||||
@@ -375,7 +375,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
|
||||
if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
|
||||
|| pciid != GRUB_SM712_PCIID)
|
||||
return 0;
|
||||
-
|
||||
+
|
||||
*found = 1;
|
||||
|
||||
addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
|
||||
@@ -471,7 +471,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height,
|
||||
|
||||
#if !defined (TEST) && !defined(GENINIT)
|
||||
/* Prevent garbage from appearing on the screen. */
|
||||
- grub_memset ((void *) framebuffer.cached_ptr, 0,
|
||||
+ grub_memset ((void *) framebuffer.cached_ptr, 0,
|
||||
framebuffer.mode_info.height * framebuffer.mode_info.pitch);
|
||||
#endif
|
||||
|
||||
@@ -482,7 +482,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height,
|
||||
grub_sm712_sr_write (0x2, 0x6b);
|
||||
grub_sm712_write_reg (0, GRUB_VGA_IO_PIXEL_MASK);
|
||||
grub_sm712_sr_write (GRUB_VGA_SR_RESET_ASYNC, GRUB_VGA_SR_RESET);
|
||||
- grub_sm712_write_reg (GRUB_VGA_IO_MISC_NEGATIVE_VERT_POLARITY
|
||||
+ grub_sm712_write_reg (GRUB_VGA_IO_MISC_NEGATIVE_VERT_POLARITY
|
||||
| GRUB_VGA_IO_MISC_NEGATIVE_HORIZ_POLARITY
|
||||
| GRUB_VGA_IO_MISC_UPPER_64K
|
||||
| GRUB_VGA_IO_MISC_EXTERNAL_CLOCK_0
|
||||
@@ -694,7 +694,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height,
|
||||
for (i = 0; i < ARRAY_SIZE (dda_lookups); i++)
|
||||
grub_sm712_write_dda_lookup (i, dda_lookups[i].compare, dda_lookups[i].dda,
|
||||
dda_lookups[i].vcentering);
|
||||
-
|
||||
+
|
||||
/* Undocumented */
|
||||
grub_sm712_cr_write (0, 0x9c);
|
||||
grub_sm712_cr_write (0, 0x9d);
|
||||
diff --git a/grub-core/video/video.c b/grub-core/video/video.c
|
||||
index 983424107..8937da745 100644
|
||||
--- a/grub-core/video/video.c
|
||||
+++ b/grub-core/video/video.c
|
||||
@@ -491,13 +491,13 @@ parse_modespec (const char *current_mode, int *width, int *height, int *depth)
|
||||
current_mode);
|
||||
|
||||
param++;
|
||||
-
|
||||
+
|
||||
*width = grub_strtoul (value, 0, 0);
|
||||
if (grub_errno != GRUB_ERR_NONE)
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
N_("invalid video mode specification `%s'"),
|
||||
current_mode);
|
||||
-
|
||||
+
|
||||
/* Find height value. */
|
||||
value = param;
|
||||
param = grub_strchr(param, 'x');
|
||||
@@ -513,13 +513,13 @@ parse_modespec (const char *current_mode, int *width, int *height, int *depth)
|
||||
{
|
||||
/* We have optional color depth value. */
|
||||
param++;
|
||||
-
|
||||
+
|
||||
*height = grub_strtoul (value, 0, 0);
|
||||
if (grub_errno != GRUB_ERR_NONE)
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
N_("invalid video mode specification `%s'"),
|
||||
current_mode);
|
||||
-
|
||||
+
|
||||
/* Convert color depth value. */
|
||||
value = param;
|
||||
*depth = grub_strtoul (value, 0, 0);
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,204 +0,0 @@
|
||||
From 91d16e415b79f5080fa2bcc21bff6471f6be9f08 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue, 6 Jul 2021 14:02:55 +1000
|
||||
Subject: [PATCH] video/readers/png: Abort sooner if a read operation fails
|
||||
|
||||
Fuzzing revealed some inputs that were taking a long time, potentially
|
||||
forever, because they did not bail quickly upon encountering an I/O error.
|
||||
|
||||
Try to catch I/O errors sooner and bail out.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: d5caac8ab79d068ad9a41030c772d03a4d4fbd7b
|
||||
[Thomas: needed to cherry-pick
|
||||
e623866d9286410156e8b9d2c82d6253a1b22d08, which fixes CVE-2021-3695]
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/video/readers/png.c | 55 ++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 47 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
|
||||
index 54dfedf43..d715c4629 100644
|
||||
--- a/grub-core/video/readers/png.c
|
||||
+++ b/grub-core/video/readers/png.c
|
||||
@@ -142,6 +142,7 @@ static grub_uint8_t
|
||||
grub_png_get_byte (struct grub_png_data *data)
|
||||
{
|
||||
grub_uint8_t r;
|
||||
+ grub_ssize_t bytes_read = 0;
|
||||
|
||||
if ((data->inside_idat) && (data->idat_remain == 0))
|
||||
{
|
||||
@@ -175,7 +176,14 @@ grub_png_get_byte (struct grub_png_data *data)
|
||||
}
|
||||
|
||||
r = 0;
|
||||
- grub_file_read (data->file, &r, 1);
|
||||
+ bytes_read = grub_file_read (data->file, &r, 1);
|
||||
+
|
||||
+ if (bytes_read != 1)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "png: unexpected end of data");
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
if (data->inside_idat)
|
||||
data->idat_remain--;
|
||||
@@ -231,15 +239,16 @@ grub_png_decode_image_palette (struct grub_png_data *data,
|
||||
if (len == 0)
|
||||
return GRUB_ERR_NONE;
|
||||
|
||||
- for (i = 0; 3 * i < len && i < 256; i++)
|
||||
+ grub_errno = GRUB_ERR_NONE;
|
||||
+ for (i = 0; 3 * i < len && i < 256 && grub_errno == GRUB_ERR_NONE; i++)
|
||||
for (j = 0; j < 3; j++)
|
||||
data->palette[i][j] = grub_png_get_byte (data);
|
||||
- for (i *= 3; i < len; i++)
|
||||
+ for (i *= 3; i < len && grub_errno == GRUB_ERR_NONE; i++)
|
||||
grub_png_get_byte (data);
|
||||
|
||||
grub_png_get_dword (data);
|
||||
|
||||
- return GRUB_ERR_NONE;
|
||||
+ return grub_errno;
|
||||
}
|
||||
|
||||
static grub_err_t
|
||||
@@ -256,9 +265,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
|
||||
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: invalid image size");
|
||||
|
||||
color_bits = grub_png_get_byte (data);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
data->is_16bit = (color_bits == 16);
|
||||
|
||||
color_type = grub_png_get_byte (data);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
/* According to PNG spec, no other types are valid. */
|
||||
if ((color_type & ~(PNG_COLOR_MASK_ALPHA | PNG_COLOR_MASK_COLOR))
|
||||
@@ -340,14 +353,20 @@ grub_png_decode_image_header (struct grub_png_data *data)
|
||||
if (grub_png_get_byte (data) != PNG_COMPRESSION_BASE)
|
||||
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
"png: compression method not supported");
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
if (grub_png_get_byte (data) != PNG_FILTER_TYPE_BASE)
|
||||
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
"png: filter method not supported");
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
if (grub_png_get_byte (data) != PNG_INTERLACE_NONE)
|
||||
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
"png: interlace method not supported");
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
/* Skip crc checksum. */
|
||||
grub_png_get_dword (data);
|
||||
@@ -449,7 +468,7 @@ grub_png_get_huff_code (struct grub_png_data *data, struct huff_table *ht)
|
||||
int code, i;
|
||||
|
||||
code = 0;
|
||||
- for (i = 0; i < ht->max_length; i++)
|
||||
+ for (i = 0; i < ht->max_length && grub_errno == GRUB_ERR_NONE; i++)
|
||||
{
|
||||
code = (code << 1) + grub_png_get_bits (data, 1);
|
||||
if (code < ht->maxval[i])
|
||||
@@ -504,8 +523,14 @@ grub_png_init_dynamic_block (struct grub_png_data *data)
|
||||
grub_uint8_t lens[DEFLATE_HCLEN_MAX];
|
||||
|
||||
nl = DEFLATE_HLIT_BASE + grub_png_get_bits (data, 5);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
nd = DEFLATE_HDIST_BASE + grub_png_get_bits (data, 5);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
nb = DEFLATE_HCLEN_BASE + grub_png_get_bits (data, 4);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
if ((nl > DEFLATE_HLIT_MAX) || (nd > DEFLATE_HDIST_MAX) ||
|
||||
(nb > DEFLATE_HCLEN_MAX))
|
||||
@@ -533,7 +558,7 @@ grub_png_init_dynamic_block (struct grub_png_data *data)
|
||||
data->dist_offset);
|
||||
|
||||
prev = 0;
|
||||
- for (i = 0; i < nl + nd; i++)
|
||||
+ for (i = 0; i < nl + nd && grub_errno == GRUB_ERR_NONE; i++)
|
||||
{
|
||||
int n, code;
|
||||
struct huff_table *ht;
|
||||
@@ -721,17 +746,21 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
|
||||
len = cplens[n];
|
||||
if (cplext[n])
|
||||
len += grub_png_get_bits (data, cplext[n]);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
n = grub_png_get_huff_code (data, &data->dist_table);
|
||||
dist = cpdist[n];
|
||||
if (cpdext[n])
|
||||
dist += grub_png_get_bits (data, cpdext[n]);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
pos = data->wp - dist;
|
||||
if (pos < 0)
|
||||
pos += WSIZE;
|
||||
|
||||
- while (len > 0)
|
||||
+ while (len > 0 && grub_errno == GRUB_ERR_NONE)
|
||||
{
|
||||
data->slide[data->wp] = data->slide[pos];
|
||||
grub_png_output_byte (data, data->slide[data->wp]);
|
||||
@@ -759,7 +788,11 @@ grub_png_decode_image_data (struct grub_png_data *data)
|
||||
int final;
|
||||
|
||||
cmf = grub_png_get_byte (data);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
flg = grub_png_get_byte (data);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
if ((cmf & 0xF) != Z_DEFLATED)
|
||||
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
@@ -774,7 +807,11 @@ grub_png_decode_image_data (struct grub_png_data *data)
|
||||
int block_type;
|
||||
|
||||
final = grub_png_get_bits (data, 1);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
block_type = grub_png_get_bits (data, 2);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
|
||||
switch (block_type)
|
||||
{
|
||||
@@ -790,7 +827,7 @@ grub_png_decode_image_data (struct grub_png_data *data)
|
||||
grub_png_get_byte (data);
|
||||
grub_png_get_byte (data);
|
||||
|
||||
- for (i = 0; i < len; i++)
|
||||
+ for (i = 0; i < len && grub_errno == GRUB_ERR_NONE; i++)
|
||||
grub_png_output_byte (data, grub_png_get_byte (data));
|
||||
|
||||
break;
|
||||
@@ -1045,6 +1082,8 @@ grub_png_decode_png (struct grub_png_data *data)
|
||||
|
||||
len = grub_png_get_dword (data);
|
||||
type = grub_png_get_dword (data);
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ break;
|
||||
data->next_offset = data->file->offset + len + 4;
|
||||
|
||||
switch (type)
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,34 +0,0 @@
|
||||
From e170edd18fcfdd9e6f91ba750fd022cef8d43cd4 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue, 6 Jul 2021 14:13:40 +1000
|
||||
Subject: [PATCH] video/readers/png: Refuse to handle multiple image headers
|
||||
|
||||
This causes the bitmap to be leaked. Do not permit multiple image headers.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 166a4d61448f74745afe1dac2f2cfb85d04909bf
|
||||
[Thomas: needed to cherry-pick
|
||||
e623866d9286410156e8b9d2c82d6253a1b22d08, which fixes CVE-2021-3695]
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/video/readers/png.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
|
||||
index d715c4629..35ae553c8 100644
|
||||
--- a/grub-core/video/readers/png.c
|
||||
+++ b/grub-core/video/readers/png.c
|
||||
@@ -258,6 +258,9 @@ grub_png_decode_image_header (struct grub_png_data *data)
|
||||
int color_bits;
|
||||
enum grub_video_blit_format blt;
|
||||
|
||||
+ if (data->image_width || data->image_height)
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: two image headers found");
|
||||
+
|
||||
data->image_width = grub_png_get_dword (data);
|
||||
data->image_height = grub_png_get_dword (data);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,173 +0,0 @@
|
||||
From 5b42d132a029c1d245d94c813a45836522b46226 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue, 6 Jul 2021 18:51:35 +1000
|
||||
Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap
|
||||
out-of-bounds write
|
||||
|
||||
A 16-bit greyscale PNG without alpha is processed in the following loop:
|
||||
|
||||
for (i = 0; i < (data->image_width * data->image_height);
|
||||
i++, d1 += 4, d2 += 2)
|
||||
{
|
||||
d1[R3] = d2[1];
|
||||
d1[G3] = d2[1];
|
||||
d1[B3] = d2[1];
|
||||
}
|
||||
|
||||
The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
|
||||
but there are only 3 bytes allocated for storage. This means that image
|
||||
data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
|
||||
out of every 4 following the end of the image.
|
||||
|
||||
This has existed since greyscale support was added in 2013 in commit
|
||||
3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
|
||||
|
||||
Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
|
||||
and attempting to load it causes grub-emu to crash - I don't think this code
|
||||
has ever worked.
|
||||
|
||||
Delete all PNG greyscale support.
|
||||
|
||||
Fixes: CVE-2021-3695
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: e623866d9286410156e8b9d2c82d6253a1b22d08
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/video/readers/png.c | 87 +++--------------------------------
|
||||
1 file changed, 7 insertions(+), 80 deletions(-)
|
||||
|
||||
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
|
||||
index 35ae553c8..a3161e25b 100644
|
||||
--- a/grub-core/video/readers/png.c
|
||||
+++ b/grub-core/video/readers/png.c
|
||||
@@ -100,7 +100,7 @@ struct grub_png_data
|
||||
|
||||
unsigned image_width, image_height;
|
||||
int bpp, is_16bit;
|
||||
- int raw_bytes, is_gray, is_alpha, is_palette;
|
||||
+ int raw_bytes, is_alpha, is_palette;
|
||||
int row_bytes, color_bits;
|
||||
grub_uint8_t *image_data;
|
||||
|
||||
@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
|
||||
data->bpp = 3;
|
||||
else
|
||||
{
|
||||
- data->is_gray = 1;
|
||||
- data->bpp = 1;
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "png: color type not supported");
|
||||
}
|
||||
|
||||
if ((color_bits != 8) && (color_bits != 16)
|
||||
&& (color_bits != 4
|
||||
- || !(data->is_gray || data->is_palette)))
|
||||
+ || !data->is_palette))
|
||||
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
"png: bit depth must be 8 or 16");
|
||||
|
||||
@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
|
||||
}
|
||||
|
||||
#ifndef GRUB_CPU_WORDS_BIGENDIAN
|
||||
- if (data->is_16bit || data->is_gray || data->is_palette)
|
||||
+ if (data->is_16bit || data->is_palette)
|
||||
#endif
|
||||
{
|
||||
data->image_data = grub_calloc (data->image_height, data->row_bytes);
|
||||
@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
|
||||
int shift;
|
||||
int mask = (1 << data->color_bits) - 1;
|
||||
unsigned j;
|
||||
- if (data->is_gray)
|
||||
- {
|
||||
- /* Generic formula is
|
||||
- (0xff * i) / ((1U << data->color_bits) - 1)
|
||||
- but for allowed bit depth of 1, 2 and for it's
|
||||
- equivalent to
|
||||
- (0xff / ((1U << data->color_bits) - 1)) * i
|
||||
- Precompute the multipliers to avoid division.
|
||||
- */
|
||||
-
|
||||
- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
|
||||
- for (i = 0; i < (1U << data->color_bits); i++)
|
||||
- {
|
||||
- grub_uint8_t col = multipliers[data->color_bits] * i;
|
||||
- palette[i][0] = col;
|
||||
- palette[i][1] = col;
|
||||
- palette[i][2] = col;
|
||||
- }
|
||||
- }
|
||||
- else
|
||||
- grub_memcpy (palette, data->palette, 3 << data->color_bits);
|
||||
+
|
||||
+ grub_memcpy (palette, data->palette, 3 << data->color_bits);
|
||||
d1c = d1;
|
||||
d2c = d2;
|
||||
for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
|
||||
@@ -957,60 +938,6 @@ grub_png_convert_image (struct grub_png_data *data)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (data->is_gray)
|
||||
- {
|
||||
- switch (data->bpp)
|
||||
- {
|
||||
- case 4:
|
||||
- /* 16-bit gray with alpha. */
|
||||
- for (i = 0; i < (data->image_width * data->image_height);
|
||||
- i++, d1 += 4, d2 += 4)
|
||||
- {
|
||||
- d1[R4] = d2[3];
|
||||
- d1[G4] = d2[3];
|
||||
- d1[B4] = d2[3];
|
||||
- d1[A4] = d2[1];
|
||||
- }
|
||||
- break;
|
||||
- case 2:
|
||||
- if (data->is_16bit)
|
||||
- /* 16-bit gray without alpha. */
|
||||
- {
|
||||
- for (i = 0; i < (data->image_width * data->image_height);
|
||||
- i++, d1 += 4, d2 += 2)
|
||||
- {
|
||||
- d1[R3] = d2[1];
|
||||
- d1[G3] = d2[1];
|
||||
- d1[B3] = d2[1];
|
||||
- }
|
||||
- }
|
||||
- else
|
||||
- /* 8-bit gray with alpha. */
|
||||
- {
|
||||
- for (i = 0; i < (data->image_width * data->image_height);
|
||||
- i++, d1 += 4, d2 += 2)
|
||||
- {
|
||||
- d1[R4] = d2[1];
|
||||
- d1[G4] = d2[1];
|
||||
- d1[B4] = d2[1];
|
||||
- d1[A4] = d2[0];
|
||||
- }
|
||||
- }
|
||||
- break;
|
||||
- /* 8-bit gray without alpha. */
|
||||
- case 1:
|
||||
- for (i = 0; i < (data->image_width * data->image_height);
|
||||
- i++, d1 += 3, d2++)
|
||||
- {
|
||||
- d1[R3] = d2[0];
|
||||
- d1[G3] = d2[0];
|
||||
- d1[B3] = d2[0];
|
||||
- }
|
||||
- break;
|
||||
- }
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
{
|
||||
/* Only copy the upper 8 bit. */
|
||||
#ifndef GRUB_CPU_WORDS_BIGENDIAN
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,44 +0,0 @@
|
||||
From 43a7d9cb829467993ba683a26c980fcfdaa924c8 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue, 6 Jul 2021 23:25:07 +1000
|
||||
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
|
||||
items
|
||||
|
||||
In fuzzing we observed crashes where a code would attempt to be inserted
|
||||
into a huffman table before the start, leading to a set of heap OOB reads
|
||||
and writes as table entries with negative indices were shifted around and
|
||||
the new code written in.
|
||||
|
||||
Catch the case where we would underflow the array and bail.
|
||||
|
||||
Fixes: CVE-2021-3696
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 210245129c932dc9e1c2748d9d35524fb95b5042
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/video/readers/png.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
|
||||
index a3161e25b..d7ed5aa6c 100644
|
||||
--- a/grub-core/video/readers/png.c
|
||||
+++ b/grub-core/video/readers/png.c
|
||||
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
|
||||
for (i = len; i < ht->max_length; i++)
|
||||
n += ht->maxval[i];
|
||||
|
||||
+ if (n > ht->num_values)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "png: out of range inserting huffman table item");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < n; i++)
|
||||
ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,78 +0,0 @@
|
||||
From 6be7ccfcc33da513de66f71de63fdc129fa019c2 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Wed, 7 Jul 2021 15:38:19 +1000
|
||||
Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
|
||||
|
||||
Certain 1 px wide images caused a wild pointer write in
|
||||
grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
|
||||
we have the following loop:
|
||||
|
||||
for (; data->r1 < nr1 && (!data->dri || rst);
|
||||
data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|
||||
|
||||
We did not check if vb * width >= hb * nc1.
|
||||
|
||||
On a 64-bit platform, if that turns out to be negative, it will underflow,
|
||||
be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
|
||||
we see data->bitmap_ptr jump, e.g.:
|
||||
|
||||
0x6180_0000_0480 to
|
||||
0x6181_0000_0498
|
||||
^
|
||||
~--- carry has occurred and this pointer is now far away from
|
||||
any object.
|
||||
|
||||
On a 32-bit platform, it will decrement the pointer, creating a pointer
|
||||
that won't crash but will overwrite random data.
|
||||
|
||||
Catch the underflow and error out.
|
||||
|
||||
Fixes: CVE-2021-3697
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/video/readers/jpeg.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
||||
index e31602f76..1d256af01 100644
|
||||
--- a/grub-core/video/readers/jpeg.c
|
||||
+++ b/grub-core/video/readers/jpeg.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <grub/mm.h>
|
||||
#include <grub/misc.h>
|
||||
#include <grub/bufio.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -639,6 +640,7 @@ static grub_err_t
|
||||
grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
||||
{
|
||||
unsigned c1, vb, hb, nr1, nc1;
|
||||
+ unsigned stride_a, stride_b, stride;
|
||||
int rst = data->dri;
|
||||
|
||||
vb = 8 << data->log_vs;
|
||||
@@ -650,8 +652,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
||||
return grub_error(GRUB_ERR_BAD_FILE_TYPE,
|
||||
"jpeg: attempted to decode data before start of stream");
|
||||
|
||||
+ if (grub_mul(vb, data->image_width, &stride_a) ||
|
||||
+ grub_mul(hb, nc1, &stride_b) ||
|
||||
+ grub_sub(stride_a, stride_b, &stride))
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "jpeg: cannot decode image with these dimensions");
|
||||
+
|
||||
for (; data->r1 < nr1 && (!data->dri || rst);
|
||||
- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|
||||
+ data->r1++, data->bitmap_ptr += stride * 3)
|
||||
for (c1 = 0; c1 < nc1 && (!data->dri || rst);
|
||||
c1++, rst--, data->bitmap_ptr += hb * 3)
|
||||
{
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,56 +0,0 @@
|
||||
From cadde7e36b8797060ac8cdf7cca7d8e1e09697e6 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Mon, 20 Dec 2021 19:41:21 +1100
|
||||
Subject: [PATCH] net/ip: Do IP fragment maths safely
|
||||
|
||||
We can receive packets with invalid IP fragmentation information. This
|
||||
can lead to rsm->total_len underflowing and becoming very large.
|
||||
|
||||
Then, in grub_netbuff_alloc(), we add to this very large number, which can
|
||||
cause it to overflow and wrap back around to a small positive number.
|
||||
The allocation then succeeds, but the resulting buffer is too small and
|
||||
subsequent operations can write past the end of the buffer.
|
||||
|
||||
Catch the underflow here.
|
||||
|
||||
Fixes: CVE-2022-28733
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 3e4817538de828319ba6d59ced2fbb9b5ca13287
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/net/ip.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
|
||||
index ea5edf8f1..74e4e8b06 100644
|
||||
--- a/grub-core/net/ip.c
|
||||
+++ b/grub-core/net/ip.c
|
||||
@@ -25,6 +25,7 @@
|
||||
#include <grub/net/netbuff.h>
|
||||
#include <grub/mm.h>
|
||||
#include <grub/priority_queue.h>
|
||||
+#include <grub/safemath.h>
|
||||
#include <grub/time.h>
|
||||
|
||||
struct iphdr {
|
||||
@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
|
||||
{
|
||||
rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
|
||||
+ (nb->tail - nb->data));
|
||||
- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
|
||||
+
|
||||
+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
|
||||
+ &rsm->total_len))
|
||||
+ {
|
||||
+ grub_dprintf ("net", "IP reassembly size underflow\n");
|
||||
+ return GRUB_ERR_NONE;
|
||||
+ }
|
||||
+
|
||||
rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
|
||||
if (!rsm->asm_netbuff)
|
||||
{
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,50 +0,0 @@
|
||||
From 6bb49bda656e1121fd303cf3e69709172e267718 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue, 8 Mar 2022 18:17:03 +1100
|
||||
Subject: [PATCH] net/http: Fix OOB write for split http headers
|
||||
|
||||
GRUB has special code for handling an http header that is split
|
||||
across two packets.
|
||||
|
||||
The code tracks the end of line by looking for a "\n" byte. The
|
||||
code for split headers has always advanced the pointer just past the
|
||||
end of the line, whereas the code that handles unsplit headers does
|
||||
not advance the pointer. This extra advance causes the length to be
|
||||
one greater, which breaks an assumption in parse_line(), leading to
|
||||
it writing a NUL byte one byte past the end of the buffer where we
|
||||
reconstruct the line from the two packets.
|
||||
|
||||
It's conceivable that an attacker controlled set of packets could
|
||||
cause this to zero out the first byte of the "next" pointer of the
|
||||
grub_mm_region structure following the current_line buffer.
|
||||
|
||||
Do not advance the pointer in the split header case.
|
||||
|
||||
Fixes: CVE-2022-28734
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: ec6bfd3237394c1c7dbf2fd73417173318d22f4b
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/net/http.c | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
|
||||
index b616cf40b..a19b0a205 100644
|
||||
--- a/grub-core/net/http.c
|
||||
+++ b/grub-core/net/http.c
|
||||
@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
|
||||
int have_line = 1;
|
||||
char *t;
|
||||
ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
|
||||
- if (ptr)
|
||||
- ptr++;
|
||||
- else
|
||||
+ if (ptr == NULL)
|
||||
{
|
||||
have_line = 0;
|
||||
ptr = (char *) nb->tail;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 2974684d2f7f85a5c57af8155cc3b70c04ec1d6b Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue, 8 Mar 2022 19:04:40 +1100
|
||||
Subject: [PATCH] net/http: Error out on headers with LF without CR
|
||||
|
||||
In a similar vein to the previous patch, parse_line() would write
|
||||
a NUL byte past the end of the buffer if there was an HTTP header
|
||||
with a LF rather than a CRLF.
|
||||
|
||||
RFC-2616 says:
|
||||
|
||||
Many HTTP/1.1 header field values consist of words separated by LWS
|
||||
or special characters. These special characters MUST be in a quoted
|
||||
string to be used within a parameter value (as defined in section 3.6).
|
||||
|
||||
We don't support quoted sections or continuation lines, etc.
|
||||
|
||||
If we see an LF that's not part of a CRLF, bail out.
|
||||
|
||||
Fixes: CVE-2022-28734
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/net/http.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
|
||||
index a19b0a205..1fa62b5cb 100644
|
||||
--- a/grub-core/net/http.c
|
||||
+++ b/grub-core/net/http.c
|
||||
@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
|
||||
char *end = ptr + len;
|
||||
while (end > ptr && *(end - 1) == '\r')
|
||||
end--;
|
||||
+
|
||||
+ /* LF without CR. */
|
||||
+ if (end == ptr + len)
|
||||
+ {
|
||||
+ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
|
||||
+ return GRUB_ERR_NONE;
|
||||
+ }
|
||||
*end = 0;
|
||||
+
|
||||
/* Trailing CRLF. */
|
||||
if (data->in_chunk_len == 1)
|
||||
{
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,116 +0,0 @@
|
||||
From 1aefeca0f6304a20c1a3711cb9e89c5fdb901b6b Mon Sep 17 00:00:00 2001
|
||||
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||
Date: Fri, 5 Aug 2022 00:51:20 +0800
|
||||
Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
|
||||
|
||||
The length of memory allocation and file read may overflow. This patch
|
||||
fixes the problem by using safemath macros.
|
||||
|
||||
There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
|
||||
if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
|
||||
It is safe replacement for such code. It has safemath-like prototype.
|
||||
|
||||
This patch also introduces grub_cast(value, pointer), it casts value to
|
||||
typeof(*pointer) then store the value to *pointer. It returns true when
|
||||
overflow occurs or false if there is no overflow. The semantics of arguments
|
||||
and return value are designed to be consistent with other safemath macros.
|
||||
|
||||
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 9c76ec09ae08155df27cd237eaea150b4f02f532
|
||||
[Thomas: needed to backport 768e1ef2fc159f6e14e7246e4be09363708ac39e,
|
||||
which fixes CVE-2022-2601]
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/font/font.c | 17 +++++++++++++----
|
||||
include/grub/bitmap.h | 18 ++++++++++++++++++
|
||||
include/grub/safemath.h | 2 ++
|
||||
3 files changed, 33 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
||||
index d09bb38d8..876b5b695 100644
|
||||
--- a/grub-core/font/font.c
|
||||
+++ b/grub-core/font/font.c
|
||||
@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
|
||||
grub_int16_t xoff;
|
||||
grub_int16_t yoff;
|
||||
grub_int16_t dwidth;
|
||||
- int len;
|
||||
+ grub_ssize_t len;
|
||||
+ grub_size_t sz;
|
||||
|
||||
if (index_entry->glyph)
|
||||
/* Return cached glyph. */
|
||||
@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- len = (width * height + 7) / 8;
|
||||
- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
|
||||
- if (!glyph)
|
||||
+ /* Calculate real struct size of current glyph. */
|
||||
+ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
|
||||
+ grub_add (sizeof (struct grub_font_glyph), len, &sz))
|
||||
+ {
|
||||
+ remove_font (font);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* Allocate and initialize the glyph struct. */
|
||||
+ glyph = grub_malloc (sz);
|
||||
+ if (glyph == NULL)
|
||||
{
|
||||
remove_font (font);
|
||||
return 0;
|
||||
diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
|
||||
index 5728f8ca3..0d9603f61 100644
|
||||
--- a/include/grub/bitmap.h
|
||||
+++ b/include/grub/bitmap.h
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <grub/symbol.h>
|
||||
#include <grub/types.h>
|
||||
#include <grub/video.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
struct grub_video_bitmap
|
||||
{
|
||||
@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
|
||||
return bitmap->mode_info.height;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Calculate and store the size of data buffer of 1bit bitmap in result.
|
||||
+ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
|
||||
+ * Return true when overflow occurs or false if there is no overflow.
|
||||
+ * This function is intentionally implemented as a macro instead of
|
||||
+ * an inline function. Although a bit awkward, it preserves data types for
|
||||
+ * safemath macros and reduces macro side effects as much as possible.
|
||||
+ *
|
||||
+ * XXX: Will report false overflow if width * height > UINT64_MAX.
|
||||
+ */
|
||||
+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
|
||||
+({ \
|
||||
+ grub_uint64_t _bitmap_pixels; \
|
||||
+ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
|
||||
+ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
|
||||
+})
|
||||
+
|
||||
void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
|
||||
struct grub_video_mode_info *mode_info);
|
||||
|
||||
diff --git a/include/grub/safemath.h b/include/grub/safemath.h
|
||||
index c17b89bba..bb0f826de 100644
|
||||
--- a/include/grub/safemath.h
|
||||
+++ b/include/grub/safemath.h
|
||||
@@ -30,6 +30,8 @@
|
||||
#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
|
||||
#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
|
||||
|
||||
+#define grub_cast(a, res) grub_add ((a), 0, (res))
|
||||
+
|
||||
#else
|
||||
#error gcc 5.1 or newer or clang 3.8 or newer is required
|
||||
#endif
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,83 +0,0 @@
|
||||
From fefba72d17364d6212cfd3be2232f4ce0ba23b82 Mon Sep 17 00:00:00 2001
|
||||
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||
Date: Fri, 5 Aug 2022 01:58:27 +0800
|
||||
Subject: [PATCH] font: Fix several integer overflows in
|
||||
grub_font_construct_glyph()
|
||||
|
||||
This patch fixes several integer overflows in grub_font_construct_glyph().
|
||||
Glyphs of invalid size, zero or leading to an overflow, are rejected.
|
||||
The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
|
||||
returns NULL is fixed too.
|
||||
|
||||
Fixes: CVE-2022-2601
|
||||
|
||||
Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 768e1ef2fc159f6e14e7246e4be09363708ac39e
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/font/font.c | 29 +++++++++++++++++------------
|
||||
1 file changed, 17 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
||||
index 876b5b695..0ff552578 100644
|
||||
--- a/grub-core/font/font.c
|
||||
+++ b/grub-core/font/font.c
|
||||
@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
|
||||
struct grub_video_signed_rect bounds;
|
||||
static struct grub_font_glyph *glyph = 0;
|
||||
static grub_size_t max_glyph_size = 0;
|
||||
+ grub_size_t cur_glyph_size;
|
||||
|
||||
ensure_comb_space (glyph_id);
|
||||
|
||||
@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
|
||||
if (!glyph_id->ncomb && !glyph_id->attributes)
|
||||
return main_glyph;
|
||||
|
||||
- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
|
||||
+ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
|
||||
+ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
|
||||
+ return main_glyph;
|
||||
+
|
||||
+ if (max_glyph_size < cur_glyph_size)
|
||||
{
|
||||
grub_free (glyph);
|
||||
- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
|
||||
- if (max_glyph_size < 8)
|
||||
- max_glyph_size = 8;
|
||||
- glyph = grub_malloc (max_glyph_size);
|
||||
+ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
|
||||
+ max_glyph_size = 0;
|
||||
+ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
|
||||
}
|
||||
if (!glyph)
|
||||
{
|
||||
+ max_glyph_size = 0;
|
||||
grub_errno = GRUB_ERR_NONE;
|
||||
return main_glyph;
|
||||
}
|
||||
|
||||
- grub_memset (glyph, 0, sizeof (*glyph)
|
||||
- + (bounds.width * bounds.height
|
||||
- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
|
||||
+ grub_memset (glyph, 0, cur_glyph_size);
|
||||
|
||||
glyph->font = main_glyph->font;
|
||||
- glyph->width = bounds.width;
|
||||
- glyph->height = bounds.height;
|
||||
- glyph->offset_x = bounds.x;
|
||||
- glyph->offset_y = bounds.y;
|
||||
+ if (bounds.width == 0 || bounds.height == 0 ||
|
||||
+ grub_cast (bounds.width, &glyph->width) ||
|
||||
+ grub_cast (bounds.height, &glyph->height) ||
|
||||
+ grub_cast (bounds.x, &glyph->offset_x) ||
|
||||
+ grub_cast (bounds.y, &glyph->offset_y))
|
||||
+ return main_glyph;
|
||||
|
||||
if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
|
||||
grub_font_blit_glyph_mirror (glyph, main_glyph,
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,93 +0,0 @@
|
||||
From 79bd19e078c5053d800b1b4d3a901083da947e70 Mon Sep 17 00:00:00 2001
|
||||
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||
Date: Mon, 24 Oct 2022 08:05:35 +0800
|
||||
Subject: [PATCH] font: Fix an integer underflow in blit_comb()
|
||||
|
||||
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
|
||||
evaluate to a very big invalid value even if both ctx.bounds.height and
|
||||
combining_glyphs[i]->height are small integers. For example, if
|
||||
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
|
||||
expression evaluates to 2147483647 (expected -1). This is because
|
||||
coordinates are allowed to be negative but ctx.bounds.height is an
|
||||
unsigned int. So, the subtraction operates on unsigned ints and
|
||||
underflows to a very big value. The division makes things even worse.
|
||||
The quotient is still an invalid value even if converted back to int.
|
||||
|
||||
This patch fixes the problem by casting ctx.bounds.height to int. As
|
||||
a result the subtraction will operate on int and grub_uint16_t which
|
||||
will be promoted to an int. So, the underflow will no longer happen. Other
|
||||
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
|
||||
to ensure coordinates are always calculated on signed integers.
|
||||
|
||||
Fixes: CVE-2022-3775
|
||||
|
||||
Reported-by: Daniel Axtens <dja@axtens.net>
|
||||
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 992c06191babc1e109caf40d6a07ec6fdef427af
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
grub-core/font/font.c | 16 ++++++++--------
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
||||
index 0ff552578..7b1cbde07 100644
|
||||
--- a/grub-core/font/font.c
|
||||
+++ b/grub-core/font/font.c
|
||||
@@ -1206,12 +1206,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||
ctx.bounds.height = main_glyph->height;
|
||||
|
||||
above_rightx = main_glyph->offset_x + main_glyph->width;
|
||||
- above_righty = ctx.bounds.y + ctx.bounds.height;
|
||||
+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
|
||||
|
||||
above_leftx = main_glyph->offset_x;
|
||||
- above_lefty = ctx.bounds.y + ctx.bounds.height;
|
||||
+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
|
||||
|
||||
- below_rightx = ctx.bounds.x + ctx.bounds.width;
|
||||
+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
|
||||
below_righty = ctx.bounds.y;
|
||||
|
||||
comb = grub_unicode_get_comb (glyph_id);
|
||||
@@ -1224,7 +1224,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||
|
||||
if (!combining_glyphs[i])
|
||||
continue;
|
||||
- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
||||
+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
||||
/* CGJ is to avoid diacritics reordering. */
|
||||
if (comb[i].code
|
||||
== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
|
||||
@@ -1234,8 +1234,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||
case GRUB_UNICODE_COMB_OVERLAY:
|
||||
do_blit (combining_glyphs[i],
|
||||
targetx,
|
||||
- (ctx.bounds.height - combining_glyphs[i]->height) / 2
|
||||
- - (ctx.bounds.height + ctx.bounds.y), &ctx);
|
||||
+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
|
||||
+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
|
||||
if (min_devwidth < combining_glyphs[i]->width)
|
||||
min_devwidth = combining_glyphs[i]->width;
|
||||
break;
|
||||
@@ -1308,7 +1308,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||
/* Fallthrough. */
|
||||
case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
|
||||
do_blit (combining_glyphs[i], targetx,
|
||||
- -(ctx.bounds.height + ctx.bounds.y + space
|
||||
+ -((int) ctx.bounds.height + ctx.bounds.y + space
|
||||
+ combining_glyphs[i]->height), &ctx);
|
||||
if (min_devwidth < combining_glyphs[i]->width)
|
||||
min_devwidth = combining_glyphs[i]->width;
|
||||
@@ -1316,7 +1316,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
||||
|
||||
case GRUB_UNICODE_COMB_HEBREW_DAGESH:
|
||||
do_blit (combining_glyphs[i], targetx,
|
||||
- -(ctx.bounds.height / 2 + ctx.bounds.y
|
||||
+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
|
||||
+ combining_glyphs[i]->height / 2), &ctx);
|
||||
if (min_devwidth < combining_glyphs[i]->width)
|
||||
min_devwidth = combining_glyphs[i]->width;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,61 +0,0 @@
|
||||
From 7fd5feff97c4b1f446f8fcf6d37aca0c64e7c763 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Fri, 11 Jun 2021 21:36:16 +0200
|
||||
Subject: [PATCH] fs/ext2: Ignore checksum seed incompat feature
|
||||
|
||||
This incompat feature is used to denote that the filesystem stored its
|
||||
metadata checksum seed in the superblock. This is used to allow tune2fs
|
||||
changing the UUID on a mounted metdata_csum filesystem without having
|
||||
to rewrite all the disk metadata. However, the GRUB doesn't use the
|
||||
metadata checksum at all. So, it can just ignore this feature if it
|
||||
is enabled. This is consistent with the GRUB filesystem code in general
|
||||
which just does a best effort to access the filesystem's data.
|
||||
|
||||
The checksum seed incompat feature has to be removed from the ignore
|
||||
list if the support for metadata checksum verification is added to the
|
||||
GRUB ext2 driver later.
|
||||
|
||||
Suggested-by: Eric Sandeen <esandeen@redhat.com>
|
||||
Suggested-by: Lukas Czerner <lczerner@redhat.com>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 7fd5feff97c4b1f446f8fcf6d37aca0c64e7c763
|
||||
Signed-off-by: Jens Maus <mail@jens-maus.de>
|
||||
---
|
||||
grub-core/fs/ext2.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
|
||||
index e7dd78e66..4953a1591 100644
|
||||
--- a/grub-core/fs/ext2.c
|
||||
+++ b/grub-core/fs/ext2.c
|
||||
@@ -103,6 +103,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||
#define EXT4_FEATURE_INCOMPAT_64BIT 0x0080
|
||||
#define EXT4_FEATURE_INCOMPAT_MMP 0x0100
|
||||
#define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200
|
||||
+#define EXT4_FEATURE_INCOMPAT_CSUM_SEED 0x2000
|
||||
#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000
|
||||
|
||||
/* The set of back-incompatible features this driver DOES support. Add (OR)
|
||||
@@ -123,10 +124,15 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||
* mmp: Not really back-incompatible - was added as such to
|
||||
* avoid multiple read-write mounts. Safe to ignore for this
|
||||
* RO driver.
|
||||
+ * checksum seed: Not really back-incompatible - was added to allow tools
|
||||
+ * such as tune2fs to change the UUID on a mounted metadata
|
||||
+ * checksummed filesystem. Safe to ignore for now since the
|
||||
+ * driver doesn't support checksum verification. However, it
|
||||
+ * has to be removed from this list if the support is added later.
|
||||
*/
|
||||
#define EXT2_DRIVER_IGNORED_INCOMPAT ( EXT3_FEATURE_INCOMPAT_RECOVER \
|
||||
- | EXT4_FEATURE_INCOMPAT_MMP)
|
||||
-
|
||||
+ | EXT4_FEATURE_INCOMPAT_MMP \
|
||||
+ | EXT4_FEATURE_INCOMPAT_CSUM_SEED)
|
||||
|
||||
#define EXT3_JOURNAL_MAGIC_NUMBER 0xc03b3998U
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 2e9fa73a040462b81bfbfe56c0bc7ad2d30b446b Mon Sep 17 00:00:00 2001
|
||||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Tue, 30 Aug 2022 22:41:59 -0400
|
||||
Subject: [PATCH] fs/ext2: Ignore the large_dir incompat feature
|
||||
|
||||
Recently, ext4 added the large_dir feature, which adds support for
|
||||
a 3 level htree directory support.
|
||||
|
||||
The GRUB supports existing file systems with htree directories by
|
||||
ignoring their existence, and since the index nodes for the hash tree
|
||||
look like deleted directory entries (by design), the GRUB can simply do
|
||||
a brute force O(n) linear search of directories. The same is true for
|
||||
3 level deep htrees indicated by large_dir feature flag.
|
||||
|
||||
Hence, it is safe for the GRUB to ignore the large_dir incompat feature.
|
||||
|
||||
Fixes: https://savannah.gnu.org/bugs/?61606
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Upstream: 2e9fa73a040462b81bfbfe56c0bc7ad2d30b446b
|
||||
Signed-off-by: Jens Maus <mail@jens-maus.de>
|
||||
---
|
||||
grub-core/fs/ext2.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
|
||||
index 0989e26e1..e1cc5e62a 100644
|
||||
--- a/grub-core/fs/ext2.c
|
||||
+++ b/grub-core/fs/ext2.c
|
||||
@@ -104,6 +104,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||
#define EXT4_FEATURE_INCOMPAT_MMP 0x0100
|
||||
#define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200
|
||||
#define EXT4_FEATURE_INCOMPAT_CSUM_SEED 0x2000
|
||||
+#define EXT4_FEATURE_INCOMPAT_LARGEDIR 0x4000 /* >2GB or 3 level htree */
|
||||
#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000
|
||||
|
||||
/* The set of back-incompatible features this driver DOES support. Add (OR)
|
||||
@@ -129,10 +130,17 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||
* checksummed filesystem. Safe to ignore for now since the
|
||||
* driver doesn't support checksum verification. However, it
|
||||
* has to be removed from this list if the support is added later.
|
||||
+ * large_dir: Not back-incompatible given that the GRUB ext2 driver does
|
||||
+ * not implement EXT2_FEATURE_COMPAT_DIR_INDEX. If the GRUB
|
||||
+ * eventually supports the htree feature (aka dir_index)
|
||||
+ * it should support 3 level htrees and then move
|
||||
+ * EXT4_FEATURE_INCOMPAT_LARGEDIR to
|
||||
+ * EXT2_DRIVER_SUPPORTED_INCOMPAT.
|
||||
*/
|
||||
#define EXT2_DRIVER_IGNORED_INCOMPAT ( EXT3_FEATURE_INCOMPAT_RECOVER \
|
||||
| EXT4_FEATURE_INCOMPAT_MMP \
|
||||
- | EXT4_FEATURE_INCOMPAT_CSUM_SEED)
|
||||
+ | EXT4_FEATURE_INCOMPAT_CSUM_SEED \
|
||||
+ | EXT4_FEATURE_INCOMPAT_LARGEDIR)
|
||||
|
||||
#define EXT3_JOURNAL_MAGIC_NUMBER 0xc03b3998U
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,5 +1,5 @@
|
||||
# Locally calculated after checking signature
|
||||
# https://ftp.gnu.org/gnu/grub/grub-2.06.tar.xz.sig
|
||||
sha256 b79ea44af91b93d17cd3fe80bdae6ed43770678a9a5ae192ccea803ebb657ee1 grub-2.06.tar.xz
|
||||
# https://ftp.gnu.org/gnu/grub/grub-2.12.tar.xz.sig
|
||||
sha256 f3c97391f7c4eaa677a78e090c7e97e6dc47b16f655f04683ebd37bef7fe0faa grub-2.12.tar.xz
|
||||
# Locally computed:
|
||||
sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
################################################################################
|
||||
|
||||
GRUB2_VERSION = 2.06
|
||||
GRUB2_VERSION = 2.12
|
||||
GRUB2_SITE = http://ftp.gnu.org/gnu/grub
|
||||
GRUB2_SOURCE = grub-$(GRUB2_VERSION).tar.xz
|
||||
GRUB2_LICENSE = GPL-3.0+
|
||||
@ -13,13 +13,6 @@ GRUB2_DEPENDENCIES = host-bison host-flex host-grub2
|
||||
HOST_GRUB2_DEPENDENCIES = host-bison host-flex
|
||||
GRUB2_INSTALL_IMAGES = YES
|
||||
|
||||
# 0001-Makefile-Make-grub_fstest.pp-depend-on-config-util.h.patch
|
||||
define GRUB2_AVOID_AUTORECONF
|
||||
$(Q)touch $(@D)/Makefile.in
|
||||
endef
|
||||
GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
|
||||
HOST_GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
|
||||
|
||||
# CVE-2019-14865 is about a flaw in the grub2-set-bootflag tool, which
|
||||
# doesn't exist upstream, but is added by the Redhat/Fedora
|
||||
# packaging. Not applicable to Buildroot.
|
||||
@ -30,29 +23,8 @@ GRUB2_IGNORE_CVES += CVE-2019-14865
|
||||
# grub_linuxefi_secure_validate() is not implemented in the grub2
|
||||
# version available in Buildroot.
|
||||
GRUB2_IGNORE_CVES += CVE-2020-15705
|
||||
# 0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2021-3981
|
||||
# vulnerability is specific to the SUSE distribution
|
||||
GRUB2_IGNORE_CVES += CVE-2021-46705
|
||||
# 0005-loader-efi-chainloader-Use-grub_loader_set_ex.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2022-28736
|
||||
# 0006-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2022-28735
|
||||
# 0010-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2021-3695
|
||||
# 0011-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2021-3696
|
||||
# 0012-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2021-3697
|
||||
# 0013-net-ip-Do-IP-fragment-maths-safely.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2022-28733
|
||||
# 0014-net-http-Fix-OOB-write-for-split-http-headers.patch
|
||||
# 0015-net-http-Error-out-on-headers-with-LF-without-CR.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2022-28734
|
||||
# 0017-font-Fix-several-integer-overflows-in-grub_font_cons.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2022-2601
|
||||
# 0018-font-Fix-an-integer-underflow-in-blit_comb.patch
|
||||
GRUB2_IGNORE_CVES += CVE-2022-3775
|
||||
|
||||
ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
|
||||
GRUB2_INSTALL_TARGET = YES
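Review bot: The retained `GRUB2_IGNORE_CVES += CVE-2020-15705` entry in the last hunk still rests on the comment that `grub_linuxefi_secure_validate()` "is not implemented in the grub2 version available in Buildroot", which was presumably written for an earlier release and is not re-justified by the bump from 2.06 to 2.12. An ignore entry with a stale rationale keeps the CVE out of the package's CVE reporting, so the claim should be re-checked against the 2.12 sources. The comment should then name the version it was verified for, for example `# Checked against 2.12: grub_linuxefi_secure_validate() is not implemented.` (wording to be confirmed once checked). Separately, `GRUB2_SITE` in the first hunk of this file still points at `http://ftp.gnu.org/gnu/grub`, while the hash file cites the `https://` location for the signature. The sha256 check covers integrity, but `GRUB2_SITE = https://ftp.gnu.org/gnu/grub` would avoid the cleartext fetch.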
|
||||
|