kumquat-buildroot/boot/grub2
Thomas Petazzoni a490687571 boot/grub2: ignore the last 3 remaining CVEs
An analysis of the last 3 remaining CVEs that are reported to affect
the grub2 package has allowed us to ensure that we can safely ignore
them:

 * CVE-2020-14372 is already fixed by a patch we have in our patch
   stack for grub2

 * CVE-2019-14865 and CVE-2020-15705 are both distro-specific and do
   not affect grub2 upstream, nor grub2 with the stack of patches we
   have in Buildroot

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:36:48 +02:00
0001-build-Fix-GRUB-i386-pc-build-with-Ubuntu-gcc.patch
0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch
0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch
0005-calloc-Use-calloc-at-most-places.patch
0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch
0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch
0008-font-Do-not-load-more-than-one-NAME-section.patch
0009-gfxmenu-Fix-double-free-in-load_image.patch
0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch
0011-lzma-Make-sure-we-don-t-dereference-past-array.patch
0012-term-Fix-overflow-on-user-inputs.patch
0013-udf-Fix-memory-leak.patch
0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch
0015-tftp-Do-not-use-priority-queue.patch
0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch
0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch
0018-script-Remove-unused-fields-from-grub_script_functio.patch
0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch
0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch
0021-hfsplus-Fix-two-more-overflows.patch
0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch
0023-emu-Make-grub_free-NULL-safe.patch
0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch
0026-efi-Fix-use-after-free-in-halt-reboot-path.patch
0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch
0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch
0029-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
0030-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
0031-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
0032-efi-Add-secure-boot-detection.patch
0033-verifiers-Move-verifiers-API-to-kernel-image.patch
0034-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
0035-kern-Add-lockdown-support.patch
0036-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
0037-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
0038-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
0039-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
0040-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
0041-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
0042-commands-setpci-Restrict-setpci-command-when-locked-.patch
0043-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
0044-gdb-Restrict-GDB-access-when-locked-down.patch
0045-loader-xnu-Don-t-allow-loading-extension-and-package.patch
0046-docs-Document-the-cutmem-command.patch
0047-dl-Only-allow-unloading-modules-that-are-not-depende.patch
0048-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
0049-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
0050-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
0051-net-tftp-Fix-dangling-memory-pointer.patch
0052-kern-parser-Fix-resource-leak-if-argc-0.patch
0053-kern-efi-Fix-memory-leak-on-failure.patch
0054-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
0055-gnulib-regexec-Resolve-unused-variable.patch
0056-gnulib-regcomp-Fix-uninitialized-token-structure.patch
0057-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
0058-gnulib-regexec-Fix-possible-null-dereference.patch
0059-gnulib-regcomp-Fix-uninitialized-re_token.patch
0060-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
0061-zstd-Initialize-seq_t-structure-fully.patch
0062-kern-partition-Check-for-NULL-before-dereferencing-i.patch
0063-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
0064-disk-ldm-If-failed-then-free-vg-variable-too.patch
0065-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
0066-disk-cryptodisk-Fix-potential-integer-overflow.patch
0067-hfsplus-Check-that-the-volume-name-length-is-valid.patch
0068-zfs-Fix-possible-negative-shift-operation.patch
0069-zfs-Fix-resource-leaks-while-constructing-path.patch
0070-zfs-Fix-possible-integer-overflows.patch
0071-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
0072-affs-Fix-memory-leaks.patch
0073-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
0074-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
0075-syslinux-Fix-memory-leak-while-parsing.patch
0076-normal-completion-Fix-leaking-of-memory-when-process.patch
0077-commands-hashsum-Fix-a-memory-leak.patch
0079-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
0080-video-fb-fbfill-Fix-potential-integer-overflow.patch
0081-video-fb-video_fb-Fix-multiple-integer-overflows.patch
0082-video-fb-video_fb-Fix-possible-integer-overflow.patch
0083-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
0084-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
0085-loader-bsd-Check-for-NULL-arg-up-front.patch
0086-loader-xnu-Fix-memory-leak.patch
0087-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
0088-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
0089-util-grub-install-Fix-NULL-pointer-dereferences.patch
0090-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
0091-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
0092-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
0093-commands-ls-Require-device_name-is-not-NULL-before-p.patch
0094-script-execute-Avoid-crash-when-using-outside-a-func.patch
0095-lib-arg-Block-repeated-short-options-that-require-an.patch
0096-script-execute-Don-t-crash-on-a-for-loop-with-no-ite.patch
0097-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
0098-kern-misc-Always-set-end-in-grub_strtoull.patch
0099-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
0100-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
0101-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
0102-term-gfxterm-Don-t-set-up-a-font-with-glyphs-that-ar.patch
0103-fs-fshelp-Catch-impermissibly-large-block-sizes-in-r.patch
0104-fs-hfsplus-Don-t-fetch-a-key-beyond-the-end-of-the-n.patch
0105-fs-hfsplus-Don-t-use-uninitialized-data-on-corrupt-f.patch
0106-fs-hfs-Disable-under-lockdown.patch
0107-fs-sfs-Fix-over-read-of-root-object-name.patch
0108-fs-jfs-Do-not-move-to-leaf-level-if-name-length-is-n.patch
0109-fs-jfs-Limit-the-extents-that-getblk-can-consider.patch
0110-fs-jfs-Catch-infinite-recursion.patch
0111-fs-nilfs2-Reject-too-large-keys.patch
0112-fs-nilfs2-Don-t-search-children-if-provided-number-i.patch
0113-fs-nilfs2-Properly-bail-on-errors-in-grub_nilfs2_btr.patch
0114-io-gzio-Bail-if-gzio-tl-td-is-NULL.patch
0115-io-gzio-Add-init_dynamic_block-clean-up-if-unpacking.patch
0116-io-gzio-Catch-missing-values-in-huft_build-and-bail.patch
0117-io-gzio-Zero-gzio-tl-td-in-init_dynamic_block-if-huf.patch
0118-disk-lvm-Don-t-go-beyond-the-end-of-the-data-we-read.patch
0119-disk-lvm-Don-t-blast-past-the-end-of-the-circular-me.patch
0120-disk-lvm-Bail-on-missing-PV-list.patch
0121-disk-lvm-Do-not-crash-if-an-expected-string-is-not-f.patch
0122-disk-lvm-Do-not-overread-metadata.patch
0123-disk-lvm-Sanitize-rlocn-offset-to-prevent-wild-read.patch
0124-disk-lvm-Do-not-allow-a-LV-to-be-it-s-own-segment-s-.patch
0125-fs-btrfs-Validate-the-number-of-stripes-parities-in-.patch
0126-fs-btrfs-Squash-some-uninitialized-reads.patch
0127-kern-parser-Fix-a-memory-leak.patch
0128-kern-parser-Introduce-process_char-helper.patch
0129-kern-parser-Introduce-terminate_arg-helper.patch
0130-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
0131-kern-buffer-Add-variable-sized-heap-buffer.patch
0132-kern-parser-Fix-a-stack-buffer-overflow.patch
0133-kern-efi-Add-initial-stack-protector-implementation.patch
0134-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
0135-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
0136-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
0137-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
0138-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
0139-util-mkimage-Improve-data_size-value-calculation.patch
0140-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
0141-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
0142-grub-install-common-Add-sbat-option.patch
0143-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
0144-kern-misc-Split-parse_printf_args-into-format-parsin.patch
0145-kern-misc-Add-STRING-type-for-internal-printf-format.patch
0146-kern-misc-Add-function-to-check-printf-format-agains.patch
0147-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch
0148-templates-Disable-the-os-prober-by-default.patch
0149-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
Config.in
grub2.hash
grub2.mk boot/grub2: ignore the last 3 remaining CVEs 2021-04-06 09:36:48 +02:00
grub.cfg
readme.txt

Notes on using Grub2 for BIOS-based platforms
=============================================

1. Create a disk image
   dd if=/dev/zero of=disk.img bs=1M count=32
2. Partition it (either legacy or GPT style partitions work)
   cfdisk disk.img
    - Create one partition, type Linux, for the root
      filesystem. The only constraint is to make sure there
      is enough free space *before* the first partition to
      store Grub2. Leaving 1 MB of free space is safe.
3. Set up loop device and loop partitions (the steps below assume
   losetup attached the image as /dev/loop0)
   sudo losetup -f disk.img
   sudo partx -a /dev/loop0
4. Prepare the root partition
   sudo mkfs.ext3 -L root /dev/loop0p1
   sudo mount /dev/loop0p1 /mnt
   sudo tar -C /mnt -xf output/images/rootfs.tar
   sudo umount /mnt
5. Install Grub2
   sudo ./output/host/sbin/grub-bios-setup \
        -b ./output/host/lib/grub/i386-pc/boot.img \
        -c ./output/images/grub.img -d . /dev/loop0
6. Clean up loop device
   sudo partx -d /dev/loop0
   sudo losetup -d /dev/loop0
7. Your disk.img is ready!

Using genimage
--------------

If you use genimage to generate your complete image,
installing Grub can be tricky. Here is how to achieve Grub's
installation with genimage:

partition boot {
    in-partition-table = "no"
    image = "path_to_boot.img"
    offset = 0
    size = 512
}
partition grub {
    in-partition-table = "no"
    image = "path_to_grub.img"
    offset = 512
}

The result is not byte-for-byte identical to what
grub-bios-setup does but it works anyway.
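
The free-space constraint from step 2 and the offsets in the genimage
fragment above can be checked on a finished image. The shell functions
below are an added example, not part of the Buildroot readme: they read a
legacy MBR partition table and test whether grub.img, placed at byte
offset 512, ends before the first partition begins. All function names
are made up for this example, 512-byte sectors are assumed, and GPT
images are reported as not handled.

```shell
# Added example, not from the Buildroot readme; helper names are made up.
# byte FILE OFFSET: print the unsigned byte at OFFSET.
byte() { od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' '; }
# le32 FILE OFFSET: print the little-endian 32-bit value at OFFSET.
le32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# first_partition_lba IMG: print the lowest start LBA among used MBR entries.
# Returns 1 without a valid MBR, 2 on a GPT protective entry, 3 if empty.
first_partition_lba() {
    img=$1 min=
    [ -r "$img" ] && [ $(( $(wc -c < "$img") )) -ge 512 ] || return 1
    [ "$(byte "$img" 510)" -eq 85 ] && [ "$(byte "$img" 511)" -eq 170 ] || return 1
    for i in 0 1 2 3; do
        entry=$((446 + 16 * i))
        ptype=$(byte "$img" $((entry + 4)))
        [ "$ptype" -eq 0 ] && continue
        [ "$ptype" -eq 238 ] && return 2    # 0xEE: GPT, not handled here
        lba=$(le32 "$img" $((entry + 8))) || return 1
        if [ -z "$min" ] || [ "$lba" -lt "$min" ]; then min=$lba; fi
    done
    [ -n "$min" ] || return 3
    echo "$min"
}

# embed_gap_ok IMG CORE: succeed if CORE, placed at byte offset 512 as in the
# genimage fragment, ends before the first partition (512-byte sectors).
embed_gap_ok() {
    lba=$(first_partition_lba "$1") || return $?
    [ $((512 + $(wc -c < "$2"))) -le $((lba * 512)) ]
}

# put_bytes FILE OFFSET BYTE...: write decimal byte values at OFFSET.
put_bytes() {
    f=$1 off=$2; shift 2
    for b in "$@"; do printf "\\$(printf '%03o' "$b")"; done |
        dd of="$f" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# make_mbr_image FILE TYPE START_LBA: constructed one-partition sample image.
make_mbr_image() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    put_bytes "$1" 450 "$2" 0 0 0 $(($3 & 255)) $(($3 >> 8 & 255)) \
        $(($3 >> 16 & 255)) $(($3 >> 24 & 255))
    put_bytes "$1" 510 85 170
}
```

After sourcing the functions, embed_gap_ok disk.img output/images/grub.img returns 0 when the gap is large enough; make_mbr_image only builds constructed sample images for trying the check.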

To test your BIOS image in Qemu
-------------------------------

qemu-system-{i386,x86_64} -hda disk.img

Notes on using Grub2 for x86/x86_64 EFI-based platforms
=======================================================

1. Create a disk image
   dd if=/dev/zero of=disk.img bs=1M count=32
2. Partition it with GPT partitions
   cgdisk disk.img
    - Create a first partition, type EF00, for the
      bootloader and kernel image
    - Create a second partition, type 8300, for the root
      filesystem.
3. Set up loop device and loop partitions (the steps below assume
   losetup attached the image as /dev/loop0)
   sudo losetup -f disk.img
   sudo partx -a /dev/loop0
4. Prepare the boot partition
   sudo mkfs.vfat -n boot /dev/loop0p1
   sudo mount /dev/loop0p1 /mnt
   sudo cp -a output/images/efi-part/* /mnt/
   sudo cp output/images/bzImage /mnt/
   sudo umount /mnt
5. Prepare the root partition
   sudo mkfs.ext3 -L root /dev/loop0p2
   sudo mount /dev/loop0p2 /mnt
   sudo tar -C /mnt -xf output/images/rootfs.tar
   sudo umount /mnt
6. Clean up loop device
   sudo partx -d /dev/loop0
   sudo losetup -d /dev/loop0
7. Your disk.img is ready!

To test your i386/x86-64 EFI image in Qemu
------------------------------------------

1. Download the EFI BIOS for Qemu
   Version IA32 or X64 depending on the chosen Grub2
   platform (i386-efi vs. x86_64-efi)
   https://www.kraxel.org/repos/jenkins/edk2/
   (or use one provided by your distribution as OVMF)
2. Extract, and rename OVMF.fd to bios.bin and
   CirrusLogic5446.rom to vgabios-cirrus.bin.
3. qemu-system-{i386,x86_64} -L ovmf-dir/ -hda disk.img
4. Make sure to pass pci=nocrs to the kernel command line,
   to work around a bug in the EFI BIOS regarding the
   EFI framebuffer.

Notes on using Grub2 for ARM u-boot-based platforms
===================================================

The following steps show how to use the Grub2 arm-uboot platform
support in the simplest way possible and with a single
buildroot-generated filesystem.

 1. Load qemu_arm_vexpress_defconfig

 2. Enable u-boot with the vexpress_ca9x4 board name and with
    u-boot.elf image format.

 3. Enable grub2 for the arm-uboot platform.

 4. Enable "Install kernel image to /boot in target" in the kernel
    menu to populate a /boot directory with zImage in it.

 5. The upstream u-boot vexpress_ca9x4 doesn't have CONFIG_API enabled
    by default, which is required.

    Before building, patch the u-boot file
    include/configs/vexpress_common.h (for example, run
    make u-boot-extract to edit the source before building) so that
    it defines:

    #define CONFIG_API
    #define CONFIG_SYS_MMC_MAX_DEVICE   1

 6. Create a custom grub2 config file with the following contents and
    set its path in BR2_TARGET_GRUB2_CFG:

    set default="0"
    set timeout="5"

    menuentry "Buildroot" {
        set root='(hd0)'
        linux /boot/zImage root=/dev/mmcblk0 console=ttyAMA0
        devicetree /boot/vexpress-v2p-ca9.dtb
    }

 7. Create a custom builtin config file with the following contents
    and set its path in BR2_TARGET_GRUB2_BUILTIN_CONFIG:

    set root=(hd0)
    set prefix=/boot/grub

 8. Create a custom post-build script which copies files from
    ${BINARIES_DIR}/boot-part to ${TARGET_DIR}/boot (set its path in
    BR2_ROOTFS_POST_BUILD_SCRIPT):

    #!/bin/sh
    # Copy the generated boot files into the target's /boot directory
    cp -r "${BINARIES_DIR}"/boot-part/* "${TARGET_DIR}"/boot/

 9. make

10. Run qemu with:

    qemu-system-arm -M vexpress-a9 -kernel output/images/u-boot -m 1024 \
    -nographic -sd output/images/rootfs.ext2

11. In u-boot, stop at the prompt and run grub2 with:

    => ext2load mmc 0:0 ${loadaddr} /boot/grub/grub.img
    => bootm

12. This should bring up the grub2 menu, upon which selecting the
    "Buildroot" entry should boot Linux.


Notes on using Grub2 for Aarch64 EFI-based platforms
====================================================

The following steps show how to use the Grub2 arm64-efi platform,
using qemu and EFI firmware built for qemu.

 1. Load aarch64_efi_defconfig

 2. make

 3. Download the EFI firmware for qemu aarch64
    https://www.kraxel.org/repos/jenkins/edk2/
    (or use one provided by your distribution as OVMF-aarch64 or AAVMF)

 4. Run qemu with:

    qemu-system-aarch64 -M virt -cpu cortex-a57 -m 512 -nographic \
    -bios <path/to/EDK2>/QEMU_EFI.fd -hda output/images/disk.img \
    -netdev user,id=eth0 -device virtio-net-device,netdev=eth0

 5. This should bring up the grub2 menu, upon which selecting the
    "Buildroot" entry should boot Linux.