
[PATCH 35/46][dunfell] grub: test for malformed jpeg files

Marta Rybczynska
 

This patch adds a fix for handling malformed JPEG files in grub's
video/readers/jpeg. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...eg-Test-for-an-invalid-next-marker-r.patch | 38 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch

diff --git a/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
new file mode 100644
index 0000000000..3fca2aecb5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
@@ -0,0 +1,38 @@
+From 88361a7fd4e481a76e1159a63c9014fa997ef29c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Fri, 4 Dec 2020 15:39:00 +0000
+Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
+ from a jpeg file
+
+While it may never happen, and potentially could be caught at the end of
+the function, it is worth checking up front for a bad reference to the
+next marker just in case of a maliciously crafted file being provided.
+
+Fixes: CID 73694
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5f5eb7ca8e971227e95745abe541df3e1509360e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/video/readers/jpeg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..0b6ce3c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
+
++ if (next_marker > data->file->size)
++ {
++ /* Should never be set beyond the size of the file. */
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
++ }
++
+ while (data->file->offset + sizeof (data->quan_table[id]) + 1
+ <= next_marker)
+ {
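Review bot: The bound on `next_marker` is added only in grub_jpeg_decode_quan_table, so any other segment parser in jpeg.c that builds `next_marker` from a length word read out of the file needs the same comparison against `data->file->size`; none is visible in this hunk, so that is worth confirming against the full file. The in-code comment would also help more if it said where the value comes from, for example `/* The segment length is read from the file, so a crafted image can point next_marker past EOF. */`. The function body continues past the end of the hunk, so the existing end-of-function check mentioned in the commit message cannot be compared here.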
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 04c9b4c092..75782b7eb2 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -81,6 +81,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \
+ file://0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 34/46][dunfell] grub: fix a possible integer overflow

Marta Rybczynska
 

This patch adds a fix for a possible integer overflow in grub's
video/fb/video_fb. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...deo_fb-Fix-possible-integer-overflow.patch | 39 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch

diff --git a/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
new file mode 100644
index 0000000000..c82b2c7df0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
@@ -0,0 +1,39 @@
+From aac5574ff340a665ccc78d4c3d61596ac67acbbe Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Fri, 4 Dec 2020 14:51:30 +0000
+Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
+
+It is minimal possibility that the values being used here will overflow.
+So, change the code to use the safemath function grub_mul() to ensure
+that doesn't happen.
+
+Fixes: CID 73761
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08413f2f4edec0e2d9bf15f836f6ee5ca2e379cb]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/video/fb/video_fb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1c9a138..ae6b89f 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
+ volatile void *page1_ptr)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info->pitch * mode_info->height;
++ grub_size_t page_size = 0;
++
++ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
+
+ framebuffer.offscreen_buffer = grub_malloc (page_size);
+ if (! framebuffer.offscreen_buffer)
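Review bot: The overflow path in doublebuf_pageflipping_init does `return GRUB_ERR_BUG;` directly, so the error code is handed back without going through grub_error() and no message is recorded. The jpeg patch in this same series reports its failure with grub_error(), and doing the same here keeps the failure visible to whoever inspects the error state: `return grub_error (GRUB_ERR_BUG, "overflow computing framebuffer page size");`. Whether callers of this function consult grub_errno is not visible in the hunk, so treat this as a consistency point to confirm. The function continues beyond the last line shown.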
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 8b5b9e3b3e..04c9b4c092 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -80,6 +80,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
+ file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 33/46][dunfell] grub: fix multiple integer overflows

Marta Rybczynska
 

This patch adds a fix for multiple integer overflows in grub's
video/fb/video_fb. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...eo_fb-Fix-multiple-integer-overflows.patch | 104 ++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 105 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch

diff --git a/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
new file mode 100644
index 0000000000..544e7f31ae
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,104 @@
+From 69b91f7466a5ad5fb85039a5b4118efb77ad6347 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08e098b1dbf01e96376f594b337491bc4cfa48dd]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8..1c9a138 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+ #include <grub/fbutil.h>
+ #include <grub/bitmap.h>
+ #include <grub/dl.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+ {
+ if (framebuffer.current_dirty.first_line
+ <= framebuffer.current_dirty.last_line)
+- grub_memcpy ((char *) framebuffer.pages[0]
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (framebuffer.current_dirty.last_line
+- - framebuffer.current_dirty.first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (framebuffer.current_dirty.last_line,
++ framebuffer.current_dirty.first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
+ framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+ volatile void *framebuf)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info.pitch * mode_info.height;
++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+
+ framebuffer.offscreen_buffer = grub_zalloc (page_size);
+ if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+ last_line = framebuffer.previous_dirty.last_line;
+
+ if (first_line <= last_line)
+- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (last_line - first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (last_line, first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
++
+ framebuffer.previous_dirty = framebuffer.current_dirty;
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
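Review bot: In grub_video_fb_doublebuf_blit_init the fix is a cast, `(grub_size_t) mode_info.pitch * mode_info.height`, not the checked grub_mul() used in the other two functions of this patch. Where grub_size_t is no wider than the operands (presumably 32-bit builds), the product can still wrap and grub_zalloc() would then get a too-small page_size. The checked form would match the rest of the patch: `if (grub_mul (mode_info.pitch, mode_info.height, &page_size)) return GRUB_ERR_BUG;`. Separately, both rewritten grub_memcpy() calls still compute their offsets with a plain `first_line * framebuffer.back_target->mode_info.pitch`, so only the copy length is overflow-checked, not the start addresses. All three functions start or end outside the lines shown.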
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 710ab5e361..8b5b9e3b3e 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -79,6 +79,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0030-commands-hashsum-Fix-a-memory-leak.patch \
file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
+ file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 32/46][dunfell] grub: fix an integer overflow

Marta Rybczynska
 

This patch adds a fix for a potential integer overflow in grub's
video/fb/fbfill. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...bfill-Fix-potential-integer-overflow.patch | 78 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 79 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch

diff --git a/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..8165ea3f71
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,78 @@
+From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Wed, 4 Nov 2020 15:10:51 +0000
+Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
+
+The multiplication of 2 unsigned 32-bit integers may overflow before
+promotion to unsigned 64-bit. We should ensure that the multiplication
+is done with overflow detection. Additionally, use grub_sub() for
+subtraction.
+
+Fixes: CID 73640, CID 73697, CID 73702, CID 73823
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Signed-off-by: Marco A Benatto <mbenatto@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/video/fb/fbfill.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
+index 11816d0..a37acd1 100644
+--- a/grub-core/video/fb/fbfill.c
++++ b/grub-core/video/fb/fbfill.c
+@@ -31,6 +31,7 @@
+ #include <grub/fbfill.h>
+ #include <grub/fbutil.h>
+ #include <grub/types.h>
++#include <grub/safemath.h>
+ #include <grub/video.h>
+
+ /* Generic filler that works for every supported mode. */
+@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
+ #endif
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
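Review bot: The new `return;` in grub_video_fbfill_direct32 silently skips the fill when grub_mul() or grub_sub() reports overflow, with no comment and no diagnostic, and the same applies to the direct24, direct16 and direct8 variants. The sibling patches in this series annotate their overflow exits, so a short comment here would keep the intent clear, for example `/* bytes_per_pixel * width overflowed or exceeds the pitch: nothing valid to fill. */`. Since the identical three-line check now appears four times, a small static helper that computes rowskip and returns non-zero on failure would keep the copies from drifting. Each function body continues outside its hunk.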
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 24a269d90d..710ab5e361 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -78,6 +78,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
file://0030-commands-hashsum-Fix-a-memory-leak.patch \
file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
+ file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 31/46][dunfell] grub: remove unneeded return value

Marta Rybczynska
 

This patch removes an unneeded return value in grub's (static)
grub_video_gop_fill_mode_info(). It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...move-unnecessary-return-value-of-gru.patch | 94 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 95 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch

diff --git a/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
new file mode 100644
index 0000000000..7e4e951245
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
@@ -0,0 +1,94 @@
+From 2a1e5659763790201a342f8a897c8c9d8d91b1cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Tue, 8 Dec 2020 21:14:31 +0000
+Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
+ grub_video_gop_fill_mode_info()
+
+The return value of grub_video_gop_fill_mode_info() is never able to be
+anything other than GRUB_ERR_NONE. So, rather than continue to return
+a value and checking it each time, it is more correct to redefine the
+function to not return anything and remove checks of its return value
+altogether.
+
+Fixes: CID 96701
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fc5951d3b1616055ef81a019a5affc09d13344d0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/video/efi_gop.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index 7f9d1c2..db2ee98 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -227,7 +227,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
+ return GRUB_ERR_NONE;
+ }
+
+-static grub_err_t
++static void
+ grub_video_gop_fill_mode_info (unsigned mode,
+ struct grub_efi_gop_mode_info *in,
+ struct grub_video_mode_info *out)
+@@ -252,8 +252,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
+ out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
+ out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
+ | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
+-
+- return GRUB_ERR_NONE;
+ }
+
+ static int
+@@ -266,7 +264,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ grub_efi_uintn_t size;
+ grub_efi_status_t status;
+ struct grub_efi_gop_mode_info *info = NULL;
+- grub_err_t err;
+ struct grub_video_mode_info mode_info;
+
+ status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+@@ -277,12 +274,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ continue;
+ }
+
+- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
+- if (err)
+- {
+- grub_errno = GRUB_ERR_NONE;
+- continue;
+- }
++ grub_video_gop_fill_mode_info (mode, info, &mode_info);
+ if (hook (&mode_info, hook_arg))
+ return 1;
+ }
+@@ -466,13 +458,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+
+ info = gop->mode->info;
+
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
+- if (err)
+- {
+- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
+- return err;
+- }
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+
+ framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
+ framebuffer.offscreen
+@@ -486,8 +473,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ {
+ grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
+ grub_errno = 0;
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+ buffer = framebuffer.ptr;
+ }
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index d18e329b96..24a269d90d 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -77,6 +77,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0028-syslinux-Fix-memory-leak-while-parsing.patch \
file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
file://0030-commands-hashsum-Fix-a-memory-leak.patch \
+ file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 30/46][dunfell] grub: fix a memory leak

Marta Rybczynska
 

Add a fix of a memory leak in grub's commands/hashsum. It is a part
of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...0-commands-hashsum-Fix-a-memory-leak.patch | 56 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch

diff --git a/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
new file mode 100644
index 0000000000..e34a19e12c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
@@ -0,0 +1,56 @@
+From b136fa14d26d1833ffcb852f86e65da5960cfb99 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@...>
+Date: Tue, 1 Dec 2020 23:41:24 +0000
+Subject: [PATCH] commands/hashsum: Fix a memory leak
+
+check_list() uses grub_file_getline(), which allocates a buffer.
+If the hash list file contains invalid lines, the function leaks
+this buffer when it returns an error.
+
+Fixes: CID 176635
+
+Signed-off-by: Chris Coulson <chris.coulson@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b6f528e52e18b7a69f90b8dc3671d7b1147d9f3]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/commands/hashsum.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
+index 456ba90..b8a22b0 100644
+--- a/grub-core/commands/hashsum.c
++++ b/grub-core/commands/hashsum.c
+@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+ high = hextoval (*p++);
+ low = hextoval (*p++);
+ if (high < 0 || low < 0)
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ expected[i] = (high << 4) | low;
+ }
+ if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ p += 2;
+ if (prefix)
+ {
+@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+
+ filename = grub_xasprintf ("%s/%s", prefix, p);
+ if (!filename)
+- return grub_errno;
++ {
++ grub_free (buf);
++ return grub_errno;
++ }
+ file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
+ | (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
+ : GRUB_FILE_TYPE_NONE));
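Review bot: The three new error exits in check_list free `buf` and then return directly, which releases the line buffer but nothing else the function may hold at that point. The hash list being read with grub_file_getline() is an open file, and whether it is closed on these paths is not visible in the hunk, so that is worth checking. Routing the three exits through one cleanup label that frees `buf` and releases the list file would keep the error paths from diverging again. check_list starts before and continues after the lines shown.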
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 1460e559b9..d18e329b96 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -76,6 +76,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch \
file://0028-syslinux-Fix-memory-leak-while-parsing.patch \
file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
+ file://0030-commands-hashsum-Fix-a-memory-leak.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 29/46][dunfell] grub: add a fix for a memory leak

Marta Rybczynska
 

This patch adds a fix for a memory leak in grub's normal/completion.
It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...n-Fix-leaking-of-memory-when-process.patch | 52 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch

diff --git a/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
new file mode 100644
index 0000000000..8a26e5bc5b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
@@ -0,0 +1,52 @@
+From 2367049d2021e00d82d19cee923e06a4b04ebc30 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Fri, 4 Dec 2020 18:56:48 +0000
+Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
+ completion
+
+It is possible for the code to reach the end of the function without
+freeing the memory allocated to argv and argc still to be 0.
+
+We should always call grub_free(argv). The grub_free() will handle
+a NULL argument correctly if it reaches that code without the memory
+being allocated.
+
+Fixes: CID 96672
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9213575b7a95b514bce80be5964a28d407d7d56d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/normal/completion.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
+index 5961028..46e473c 100644
+--- a/grub-core/normal/completion.c
++++ b/grub-core/normal/completion.c
+@@ -400,8 +400,8 @@ char *
+ grub_normal_do_completion (char *buf, int *restore,
+ void (*hook) (const char *, grub_completion_type_t, int))
+ {
+- int argc;
+- char **argv;
++ int argc = 0;
++ char **argv = NULL;
+
+ /* Initialize variables. */
+ match = 0;
+@@ -516,10 +516,8 @@ grub_normal_do_completion (char *buf, int *restore,
+
+ fail:
+ if (argc != 0)
+- {
+- grub_free (argv[0]);
+- grub_free (argv);
+- }
++ grub_free (argv[0]);
++ grub_free (argv);
+ grub_free (match);
+ grub_errno = GRUB_ERR_NONE;
+
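Review bot: After the braces are dropped at the `fail:` label, `if (argc != 0)` guards only `grub_free (argv[0]);` while `grub_free (argv);` on the next line is unconditional, which is easy to misread as both being guarded. A one-line comment makes the intent explicit: `/* argv may be NULL here; grub_free() accepts NULL. */` above the unconditional free. The change relies on the new `argv = NULL` and `argc = 0` initialisers at the top of grub_normal_do_completion. The code between them and the label is outside the hunk.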
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index c965f0fd15..1460e559b9 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -75,6 +75,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch \
file://0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch \
file://0028-syslinux-Fix-memory-leak-while-parsing.patch \
+ file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 28/46][dunfell] grub: add a fix for a memory leak

Marta Rybczynska
 

This patch fixes a memory leak in grub's syslinux parsing. It is a part of
a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...slinux-Fix-memory-leak-while-parsing.patch | 43 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch

diff --git a/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
new file mode 100644
index 0000000000..d8c21d88f7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
@@ -0,0 +1,43 @@
+From ea12feb69b6af93c7e2fa03df7ac3bd1f4edd599 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Thu, 26 Nov 2020 15:31:53 +0000
+Subject: [PATCH] syslinux: Fix memory leak while parsing
+
+In syslinux_parse_real() the 2 points where return is being called
+didn't release the memory stored in buf which is no longer required.
+
+Fixes: CID 176634
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=95bc016dba94cab3d398dd74160665915cd08ad6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/lib/syslinux_parse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
+index 4afa992..3acc6b4 100644
+--- a/grub-core/lib/syslinux_parse.c
++++ b/grub-core/lib/syslinux_parse.c
+@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ && grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
+ {
+ if (helptext (ptr5, file, menu))
+- return 1;
++ {
++ grub_free (buf);
++ return 1;
++ }
+ continue;
+ }
+
+@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ }
+ fail:
+ grub_file_close (file);
++ grub_free (buf);
+ return err;
+ }
+
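Review bot: The early exit added after `helptext (ptr5, file, menu)` frees `buf` and returns 1 without calling `grub_file_close (file)`, whereas the `fail:` label in the same patch releases both, so this path appears to leave the file open. Adding `grub_file_close (file);` before the `return 1;` would fix it, as would setting the error and using `goto fail`, which keeps cleanup in one place. Because `fail:` now frees `buf` as well, confirm that no path reaches the label after `buf` has already been freed in the loop. The loop body is not visible in the hunk.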
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index ef409bdd6a..c965f0fd15 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -74,6 +74,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0025-affs-Fix-memory-leaks.patch \
file://0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch \
file://0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch \
+ file://0028-syslinux-Fix-memory-leak-while-parsing.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 27/46][dunfell] grub: add a fix for a possible NULL dereference

Marta Rybczynska
 

This patch adds a fix for a possible NULL dereference in grub's
libgcrypt/mpi. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...pt-mpi-Fix-possible-NULL-dereference.patch | 33 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 34 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch

diff --git a/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
new file mode 100644
index 0000000000..08299d021e
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
@@ -0,0 +1,33 @@
+From d26c8771293637b0465f2cb67d97cb58bacc62da Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Thu, 26 Nov 2020 10:41:54 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
+
+The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
+is no explicit check for that, so we add one.
+
+Fixes: CID 73757
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ae0f3fabeba7b393113d5dc185b6aff9b728136d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index 7ecad27..6fe3891 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ unsigned int len;
+ int secure = (buffer && gcry_is_secure (buffer));
+
++ if (!buffer)
++ return gcry_error (GPG_ERR_INV_ARG);
++
+ if (format == GCRYMPI_FMT_SSH)
+ len = 0;
+ else
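Review bot: The `buffer &&` test in the `secure` initializer just above the added check no longer protects anything past the declaration, because a NULL `buffer` now returns `GPG_ERR_INV_ARG` two lines later, and nothing tells the reader which of the two is the real guard. A short comment on the new check would settle that: `/* buffer must be non-NULL from here on; the test in the initializer above only keeps the declaration safe. */`. The new error return is also a change to the function's contract and belongs in its header comment, which is outside the hunk together with the start of `gcry_mpi_scan`.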
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index be35ac04ef..ef409bdd6a 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -73,6 +73,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
file://0025-affs-Fix-memory-leaks.patch \
file://0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch \
+ file://0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 26/46][dunfell] grub: add a fix for a possible unintended sign extension

Marta Rybczynska
 

This patch fixes a possible unintended sign extension in grub's
libgcrypt/mpi. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...x-possible-unintended-sign-extension.patch | 36 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch

diff --git a/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
new file mode 100644
index 0000000000..f500f1a296
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
@@ -0,0 +1,36 @@
+From 9b16d7bcad1c7fea7f26eb2fb3af1a5ca70ba34e Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Tue, 3 Nov 2020 16:43:37 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
+
+The array of unsigned char gets promoted to a signed 32-bit int before
+it is finally promoted to a size_t. There is the possibility that this
+may result in the signed-bit being set for the intermediate signed
+32-bit int. We should ensure that the promotion is to the correct type
+before we bitwise-OR the values.
+
+Fixes: CID 96697
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e8814c811132a70f9b55418f7567378a34ad3883]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index a3435ed..7ecad27 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ if (len && len < 4)
+ return gcry_error (GPG_ERR_TOO_SHORT);
+
+- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+ s += 4;
+ if (len)
+ len -= 4;
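Review bot: The four `(size_t)` casts on the changed line need a one-line explanation in the code, since the reason is only in the commit message: `/* Cast before shifting: s[0] << 24 is evaluated as int and can set the sign bit. */`. `n` is a length taken from the input buffer, and in the visible lines `len` is only adjusted when it is non-zero. Whether `n` is compared with the remaining `len` before it is used lies outside the hunk and is worth confirming, because values with the top bit set now arrive as large positive counts instead of sign-extended ones.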
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 13e2b1600d..be35ac04ef 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -72,6 +72,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0023-zfs-Fix-possible-integer-overflows.patch \
file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
file://0025-affs-Fix-memory-leaks.patch \
+ file://0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 25/46][dunfell] grub: add a fix for a memory leak

Marta Rybczynska
 

This patch fixes a memory leak in grub's affs. It is a part of
a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
.../files/0025-affs-Fix-memory-leaks.patch | 82 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 83 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch

diff --git a/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
new file mode 100644
index 0000000000..435130516c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
@@ -0,0 +1,82 @@
+From 929c2ce8214c53cb95abff57a89556cd18444097 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+
+Fixes: CID 73759
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=178ac5107389f8e5b32489d743d6824a5ebf342a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/fs/affs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 220b371..230e26a 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ {
+ unsigned int i;
+ struct grub_affs_file file;
+- struct grub_fshelp_node *node = 0;
++ struct grub_fshelp_node *node, *orig_node;
+ struct grub_affs_data *data = dir->data;
+ grub_uint32_t *hashtable;
+
+ /* Create the directory entries for `.' and `..'. */
+- node = grub_zalloc (sizeof (*node));
++ node = orig_node = grub_zalloc (sizeof (*node));
+ if (!node)
+ return 1;
+
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ return 1;
+ if (dir->parent)
+ {
+- node = grub_zalloc (sizeof (*node));
+- if (!node)
+- return 1;
+ *node = *dir->parent;
+ if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+
+ if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+ next, &file))
+- return 1;
++ {
++ /* Node has been replaced in function. */
++ grub_free (orig_node);
++ return 1;
++ }
+
+ next = grub_be_to_cpu32 (file.next);
+ }
+ }
+
+- grub_free (hashtable);
+- return 0;
+-
+ fail:
+- grub_free (node);
++ grub_free (orig_node);
+ grub_free (hashtable);
+ return 0;
+ }
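Review bot: After this change the same `node` allocation is handed to `hook` for `.`, reused for `..`, and finally released through `orig_node` at `fail:`, which is only safe if `hook` neither frees nor keeps `node` when it returns zero. The hook implementations are not in the hunks, so that ownership rule should be confirmed and stated at the allocation, for example `/* hook owns node only when it returns non-zero; otherwise it is freed at fail. */`. The early `return 1` after `grub_affs_create_node` fails frees `orig_node` but not `hashtable`, which `fail:` does free; unless the callee releases it on failure (not visible here), that path needs `grub_free (hashtable);` as well.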
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index a660c069db..13e2b1600d 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -71,6 +71,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
file://0023-zfs-Fix-possible-integer-overflows.patch \
file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
+ file://0025-affs-Fix-memory-leaks.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 24/46][dunfell] grub: fix an error check

Marta Rybczynska
 

This patch fixes an error check in grub's zfsinfo. It is a part of
a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...-a-check-for-error-allocating-memory.patch | 35 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch

diff --git a/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
new file mode 100644
index 0000000000..555dc19168
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
@@ -0,0 +1,35 @@
+From b085da8efda9b81f94aa197ee045226563554fdf Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Thu, 26 Nov 2020 10:56:45 +0000
+Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
+
+While arguably the check for grub_errno is correct, we should really be
+checking the return value from the function since it is always possible
+that grub_errno was set elsewhere, making this code behave incorrectly.
+
+Fixes: CID 73668
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7aab03418ec6a9b991aa44416cb2585aff4e7972]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/fs/zfs/zfsinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
+index c8a28ac..bf29180 100644
+--- a/grub-core/fs/zfs/zfsinfo.c
++++ b/grub-core/fs/zfs/zfsinfo.c
+@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+
+ devname = grub_file_get_device_name (args[0]);
+- if (grub_errno)
+- return grub_errno;
++ if (devname == NULL)
++ return GRUB_ERR_OUT_OF_MEMORY;
+
+ dev = grub_device_open (devname);
+ grub_free (devname);
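Review bot: The new branch returns the bare code `GRUB_ERR_OUT_OF_MEMORY` without going through `grub_error ()`, unlike the `grub_error (GRUB_ERR_BAD_ARGUMENT, ...)` return directly above it, so `grub_errno` and the error message may be left unset for the caller. It also treats every NULL from `grub_file_get_device_name` as an allocation failure; if that function can return NULL for another reason, such as an argument that names no device, the user would see a misleading out-of-memory error (its body is not shown here). A form consistent with the neighbouring code would be `return grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));`, used only when `grub_errno` confirms the allocation actually failed.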
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 9158fc7f50..a660c069db 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -70,6 +70,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0021-zfs-Fix-possible-negative-shift-operation.patch \
file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
file://0023-zfs-Fix-possible-integer-overflows.patch \
+ file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 23/46][dunfell] grub: add a fix for possible integer overflows

Marta Rybczynska
 

This patch adds a fix for possible integer overflows in grub's zfs.
It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...3-zfs-Fix-possible-integer-overflows.patch | 56 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch

diff --git a/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
new file mode 100644
index 0000000000..8df758b41f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
@@ -0,0 +1,56 @@
+From ec35d862f3567671048aa0d0d8ad1ded1fd25336 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Tue, 8 Dec 2020 22:17:04 +0000
+Subject: [PATCH] zfs: Fix possible integer overflows
+
+In all cases the problem is that the value being acted upon by
+a left-shift is a 32-bit number which is then being used in the
+context of a 64-bit number.
+
+To avoid overflow we ensure that the number being shifted is 64-bit
+before the shift is done.
+
+Fixes: CID 73684, CID 73695, CID 73764
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=302c12ff5714bc455949117c1c9548ccb324d55b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/fs/zfs/zfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 9087a72..b078ccc 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
+ ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
+ + ((i << ub_shift)
+ / sizeof (grub_properly_aligned_t)));
+- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
++ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
+ if (err)
+ {
+ grub_errno = GRUB_ERR_NONE;
+@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ high = grub_divmod64 ((offset >> desc->ashift) + c,
+ desc->n_children, &devn);
+- csize = bsize << desc->ashift;
++ csize = (grub_size_t) bsize << desc->ashift;
+ if (csize > len)
+ csize = len;
+
+@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ while (len > 0)
+ {
+- grub_size_t csize;
+- csize = ((s / (desc->n_children - desc->nparity))
++ grub_size_t csize = s;
++ csize = ((csize / (desc->n_children - desc->nparity))
+ << desc->ashift);
+ if (csize > len)
+ csize = len;
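Review bot: The casts widen the operand being shifted, but the shift counts `ub_shift` and `desc->ashift` are not range-checked anywhere in the visible lines, and a count at or above the width of `grub_size_t` is still undefined. Both presumably originate in on-disk metadata, so it is worth confirming that they are bounded where they are parsed, which is outside these hunks. On style, the third change declares `grub_size_t csize = s;` and then divides `csize` by itself in the next statement, where a cast in the expression would match the other two hunks: `csize = ((grub_size_t) s / (desc->n_children - desc->nparity)) << desc->ashift;`.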
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 1630235edd..9158fc7f50 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -69,6 +69,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \
file://0021-zfs-Fix-possible-negative-shift-operation.patch \
file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
+ file://0023-zfs-Fix-possible-integer-overflows.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 22/46][dunfell] grub: add a fix for a memory leak

Marta Rybczynska
 

This patch adds a fix for a memory leak in grub's path construction
in zfs. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...source-leaks-while-constructing-path.patch | 121 ++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 122 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch

diff --git a/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
new file mode 100644
index 0000000000..5ded5520e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,121 @@
+From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@...>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+
+Fixes: CID 73741
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@...>
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0c42cba..9087a72 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+ {
+- grub_free (path_buf);
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ break;
+ }
+ err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+ data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ << SPA_MINBLOCKSHIFT);
+
+ if (blksz == 0)
+- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
++ {
++ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
++ break;
++ }
+
+ sym_value = grub_malloc (sym_sz);
+ if (!sym_value)
+- return grub_errno;
++ {
++ err = grub_errno;
++ break;
++ }
++
+ for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+ {
+ void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (err)
+ {
+ grub_free (sym_value);
+- return err;
++ break;
+ }
+
+ movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_memcpy (sym_value + block * blksz, t, movesize);
+ grub_free (t);
+ }
++ if (err)
++ break;
+ free_symval = 1;
+ }
+ path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_free (oldpathbuf);
+ if (free_symval)
+ grub_free (sym_value);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+ if (err)
+- return err;
++ break;
+ }
+ else
+ {
+- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ break;
+ }
+
+ hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (!path_buf)
+ {
+ grub_free (oldpathbuf);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ path [sym_sz] = 0;
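Review bot: The added `if (err) break;` after the block-copy `for` loop needs a comment, because the `break` inside that loop only leaves the `for` and this second one is what actually leaves the enclosing `while`: `/* The break above only left the for loop; leave the while loop as well. */`. The first changed branch also drops `grub_free (path_buf)` and now relies on the cleanup after the loop to release it. That cleanup is outside the hunks, so it is worth confirming that it frees `path_buf` on every error exit that now uses `break`.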
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 360e86685b..1630235edd 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -68,6 +68,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \
file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \
file://0021-zfs-Fix-possible-negative-shift-operation.patch \
+ file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 21/46][dunfell] grub: add a fix for a possible negative shift

Marta Rybczynska
 

This patch adds a fix for a possible negative shift in grub's zfs.
It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...ix-possible-negative-shift-operation.patch | 42 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch

diff --git a/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
new file mode 100644
index 0000000000..12418858f9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
@@ -0,0 +1,42 @@
+From c757779e5d09719666c3b155afd2421978a107bd Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Tue, 24 Nov 2020 16:41:49 +0000
+Subject: [PATCH] zfs: Fix possible negative shift operation
+
+While it is possible for the return value from zfs_log2() to be zero
+(0), it is quite unlikely, given that the previous assignment to blksz
+is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
+assignment to epbs.
+
+But, while unlikely during a normal operation, it may be that a carefully
+crafted ZFS filesystem could result in a zero (0) value to the
+dn_datalbkszsec field, which means that the shift left does nothing
+and assigns zero (0) to blksz, resulting in a negative epbs value.
+
+Fixes: CID 73608
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a02091834d3e167320d8a262ff04b8e83c5e616d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/fs/zfs/zfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 36d0373..0c42cba 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
+ blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
+ mdn->endian) << SPA_MINBLOCKSHIFT;
+ epbs = zfs_log2 (blksz) - DNODE_SHIFT;
++
++ /* While this should never happen, we should check that epbs is not negative. */
++ if (epbs < 0)
++ epbs = 0;
++
+ blkid = objnum >> epbs;
+ idx = objnum & ((1 << epbs) - 1);
+
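Review bot: Clamping a negative `epbs` to zero lets `dnode_get` continue and derive `blkid` and `idx` from a block size that the commit message itself attributes to a crafted filesystem, where rejecting the dnode would stop the lookup. Returning an error instead, e.g. `if (epbs < 0) return grub_error (GRUB_ERR_BAD_FS, "invalid dnode block size");`, makes the corruption visible to the caller. The start of `dnode_get` is outside the hunk, so check that nothing acquired earlier needs releasing before that return.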
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 3c5274fd96..360e86685b 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -67,6 +67,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch \
file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \
file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \
+ file://0021-zfs-Fix-possible-negative-shift-operation.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 20/46][dunfell] grub: add a fix for a length check

Marta Rybczynska
 

This patch adds a fix for a volume name length check in grub's
hfsplus. It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...that-the-volume-name-length-is-valid.patch | 43 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch

diff --git a/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
new file mode 100644
index 0000000000..eb459c547f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
@@ -0,0 +1,43 @@
+From 7c1813eeec78892fa651046cc224ae4e80d0c94d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Fri, 23 Oct 2020 17:09:31 +0000
+Subject: [PATCH] hfsplus: Check that the volume name length is valid
+
+HFS+ documentation suggests that the maximum filename and volume name is
+255 Unicode characters in length.
+
+So, when converting from big-endian to little-endian, we should ensure
+that the name of the volume has a length that is between 0 and 255,
+inclusive.
+
+Fixes: CID 73641
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2298f6e0d951251bb9ca97d891d1bc8b74515f8c]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/fs/hfsplus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index dae43be..03c3c4c 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1007,6 +1007,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+
+ label_len = grub_be_to_cpu16 (catkey->namelen);
++
++ /* Ensure that the length is >= 0. */
++ if (label_len < 0)
++ label_len = 0;
++
++ /* Ensure label length is at most 255 Unicode characters. */
++ if (label_len > 255)
++ label_len = 255;
++
+ label_name = grub_calloc (label_len, sizeof (*label_name));
+ if (!label_name)
+ {
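Review bot: The two added clamps silently zero or shorten a name length declared by the on-disk catalog key, so a malformed volume is accepted with a truncated label instead of being rejected. A single range test such as `if (label_len < 0 || label_len > 255)` leading to the function's existing error exit would report the bad key rather than hide it; that exit path is outside the hunk. If `label_len` is declared unsigned, or as a wider signed type holding the 16-bit result of `grub_be_to_cpu16`, the `label_len < 0` branch can never be taken, which is worth checking against its declaration.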
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 130f32551b..3c5274fd96 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -66,6 +66,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0017-disk-ldm-If-failed-then-free-vg-variable-too.patch \
file://0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch \
file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \
+ file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 19/46][dunfell] grub: fix an integer overflow

Marta Rybczynska
 

This patch fixes a potential overflow in grub's disk/cryptodisk. It is
a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...odisk-Fix-potential-integer-overflow.patch | 50 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch

diff --git a/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..dd7fda357d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
@@ -0,0 +1,50 @@
+From 2550aaa0c23fdf8b6c54e00c6b838f2e3aa81fe2 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Thu, 21 Jan 2021 11:38:31 +0000
+Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
+
+The encrypt and decrypt functions expect a grub_size_t. So, we need to
+ensure that the constant bit shift is using grub_size_t rather than
+unsigned int when it is performing the shift.
+
+Fixes: CID 307788
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a201ad17caa430aa710654fdf2e6ab4c8166f031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/disk/cryptodisk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5037768..6883f48 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_CBC:
+ if (do_encrypt)
+ err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
+@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_PCBC:
+ if (do_encrypt)
+ err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
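Review bot: The expression `((grub_size_t) 1 << dev->log_sector_size)` is now written out four times across the CBC and PCBC branches, which makes it easy to miss the cast when another mode is added. Computing it once keeps the width in one place: `const grub_size_t sector_size = (grub_size_t) 1 << dev->log_sector_size;`, declared with the function's other locals (the start of `grub_cryptodisk_endecrypt` is outside the hunk). The visible lines do not show `dev->log_sector_size` being bounded, and the cast does not help if it can reach the width of `grub_size_t`.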
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 2fccdc2d62..130f32551b 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -65,6 +65,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch \
file://0017-disk-ldm-If-failed-then-free-vg-variable-too.patch \
file://0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch \
+ file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 18/46][dunfell] grub: fix a memory leak

Marta Rybczynska
 

Add a fix for a memory leak in grub's disk/ldm. It is a part of
a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...ory-leak-on-uninserted-lv-references.patch | 50 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch

diff --git a/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
new file mode 100644
index 0000000000..26932f674c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
@@ -0,0 +1,50 @@
+From 3e1d2f1959acbe5152cdd5818d495f6455d1a158 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@...>
+Date: Tue, 8 Dec 2020 10:00:51 +0000
+Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
+
+The problem here is that the memory allocated to the variable lv is not
+yet inserted into the list that is being processed at the label fail2.
+
+As we can already see at line 342, which correctly frees lv before going
+to fail2, we should also be doing that at these earlier jumps to fail2.
+
+Fixes: CID 73824
+
+Signed-off-by: Darren Kenny <darren.kenny@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=156c281a1625dc73fd350530630c6f2d5673d4f6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/disk/ldm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 54713f4..e82e989 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
+ lv->visible = 1;
+ lv->segments = grub_zalloc (sizeof (*lv->segments));
+ if (!lv->segments)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ lv->segments->start_extent = 0;
+ lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ lv->segments->node_count = 0;
+@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+ sizeof (*lv->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ ptr = vblk[i].dynamic;
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
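Review bot: In the second changed block, the failure path for `lv->segments->nodes` frees `lv` but not `lv->segments`, which the `grub_zalloc` call in the first hunk allocated a few lines earlier, so that allocation appears to leak on this path. The commit message says `lv` is not yet on the list cleaned up at `fail2`, so nothing visible here releases it; I would add `grub_free (lv->segments);` before `grub_free (lv);` in that block. `make_vg` starts and ends outside both hunks, so any other members of `lv` allocated earlier (not visible here) should be checked the same way. Because this is a backport, the change is best raised upstream too, so the recipe patch does not diverge.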
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index a8ee0dd68a..2fccdc2d62 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -64,6 +64,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch \
file://0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch \
file://0017-disk-ldm-If-failed-then-free-vg-variable-too.patch \
+ file://0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 17/46][dunfell] grub: fix a memory leak

Marta Rybczynska
 

This patch adds a fix for a memory leak in grub's disk/ldm.
It is a part of a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...-If-failed-then-free-vg-variable-too.patch | 28 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 29 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch

diff --git a/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
new file mode 100644
index 0000000000..ecdb230f76
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
@@ -0,0 +1,28 @@
+From 253485e8df3c9dedac848567e638157530184295 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@...>
+Date: Mon, 7 Dec 2020 10:07:47 -0300
+Subject: [PATCH] disk/ldm: If failed then free vg variable too
+
+Fixes: CID 73809
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e0b83df5da538d2a38f770e60817b3a4b9d5b4d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/disk/ldm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 428415f..54713f4 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
+ {
+ grub_free (vg->uuid);
+ grub_free (vg->name);
++ grub_free (vg);
+ return NULL;
+ }
+ grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 479e2f71f2..a8ee0dd68a 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -63,6 +63,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0014-zstd-Initialize-seq_t-structure-fully.patch \
file://0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch \
file://0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch \
+ file://0017-disk-ldm-If-failed-then-free-vg-variable-too.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0


[PATCH 16/46][dunfell] grub: fix a memory leak

Marta Rybczynska
 

Add a fix for a memory leak in grub's disk/ldm. It is a part of
a security series [1].

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
---
...re-comp-data-is-freed-before-exiting.patch | 128 ++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 129 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch

diff --git a/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
new file mode 100644
index 0000000000..c1687c75d0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
@@ -0,0 +1,128 @@
+From 0c5d0fd796e6cafba179321de396681a493c4158 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@...>
+Date: Mon, 7 Dec 2020 11:53:03 -0300
+Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
+ make_vg()
+
+Several error handling paths in make_vg() do not free comp data before
+jumping to fail2 label and returning from the function. This will leak
+memory. So, let's fix all issues of that kind.
+
+Fixes: CID 73804
+
+Signed-off-by: Marco A Benatto <mbenatto@...>
+Reviewed-by: Daniel Kiper <daniel.kiper@...>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=23e39f50ca7a107f6b66396ed4d177a914dee035]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@...>
+---
+ grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 58f8a53..428415f 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
+ comp->segments = grub_calloc (comp->segment_alloc,
+ sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+ else
+ {
+@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
+ comp->segment_count = 1;
+ comp->segments = grub_malloc (sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ comp->segments->start_extent = 0;
+ comp->segments->extent_count = lv->size;
+ comp->segments->layout = 0;
+@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
+ comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
+ }
+ else
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ ptr += *ptr + 1;
+ ptr++;
+ if (!(vblk[i].flags & 0x10))
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
+ || ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+ sizeof (*comp->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+
+ if (lv->segments->node_alloc == lv->segments->node_count)
+@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
+
+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+
+ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ lv->segments->nodes = t;
+ }
+ lv->segments->nodes[lv->segments->node_count].pv = 0;
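Review bot: In the hunk at `@@ -601,7 +621,12 @@`, the new cleanup block hangs off `if (!lv->segments->nodes)`, but the `grub_calloc` directly above stores its result in `comp->segments->nodes`, so the guard does not test the pointer that was just allocated. The condition is an unchanged context line, yet the added frees only run when it fires, and a failed allocation of `comp->segments->nodes` would fall through with a NULL pointer; it should read `if (!comp->segments->nodes)`. `make_vg` begins and ends outside these hunks, so how the NULL is used afterwards cannot be confirmed from here. As with the other backports in this series, the correction belongs upstream as well.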
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 94b89aa643..479e2f71f2 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -62,6 +62,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch \
file://0014-zstd-Initialize-seq_t-structure-fully.patch \
file://0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch \
+ file://0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.33.0
