Accepting request 823469 from home:michael-chang:branches:Base:System
- Fix for CVE-2020-10713 (bsc#1168994) * 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch - Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812) * 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch * 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch * 0004-calloc-Use-calloc-at-most-places.patch * 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch * 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch * 0007-font-Do-not-load-more-than-one-NAME-section.patch - Fix CVE-2020-15706 (bsc#1174463) * 0008-script-Remove-unused-fields-from-grub_script_functio.patch * 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch - Fix CVE-2020-15707 (bsc#1174570) * 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch - Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data - Use grub_calloc for overflow check and return NULL when it would occur * 0001-add-support-for-UEFI-network-protocols.patch * 0003-bootp-New-net_bootp6-command.patch * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch * grub2-btrfs-09-get-default-subvolume.patch * grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch * grub2-grubenv-in-btrfs-header.patch OBS-URL: https://build.opensuse.org/request/show/823469 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=358
This commit is contained in:
parent
1f1692c67a
commit
1f5e046570
@ -23,10 +23,16 @@ V3:
|
||||
* Finish HTTP transaction in one go
|
||||
* Fix bsc#1076132
|
||||
|
||||
V4
|
||||
V4:
|
||||
* Add fs_ prefix with upstream commit
|
||||
ad4bfeec5 Change fs functions to add fs_ prefix
|
||||
|
||||
V5:
|
||||
* Use overflow checking primitives where the arithmetic expression for
|
||||
buffer allocations may include unvalidated data
|
||||
* Use grub_calloc for overflow check and return NULL when it would
|
||||
occur.
|
||||
|
||||
---
|
||||
grub-core/Makefile.core.def | 18 +
|
||||
grub-core/io/bufio.c | 2 +-
|
||||
@ -57,10 +63,10 @@ V4
|
||||
create mode 100644 include/grub/efi/http.h
|
||||
create mode 100644 include/grub/net/efi.h
|
||||
|
||||
Index: grub-2.04~rc1/grub-core/Makefile.core.def
|
||||
Index: grub-2.04/grub-core/Makefile.core.def
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/Makefile.core.def
|
||||
+++ grub-2.04~rc1/grub-core/Makefile.core.def
|
||||
--- grub-2.04.orig/grub-core/Makefile.core.def
|
||||
+++ grub-2.04/grub-core/Makefile.core.def
|
||||
@@ -1854,7 +1854,6 @@ module = {
|
||||
module = {
|
||||
name = linuxefi;
|
||||
@ -82,10 +88,10 @@ Index: grub-2.04~rc1/grub-core/Makefile.core.def
|
||||
};
|
||||
|
||||
module = {
|
||||
Index: grub-2.04~rc1/grub-core/io/bufio.c
|
||||
Index: grub-2.04/grub-core/io/bufio.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/io/bufio.c
|
||||
+++ grub-2.04~rc1/grub-core/io/bufio.c
|
||||
--- grub-2.04.orig/grub-core/io/bufio.c
|
||||
+++ grub-2.04/grub-core/io/bufio.c
|
||||
@@ -139,7 +139,7 @@ grub_bufio_read (grub_file_t file, char
|
||||
return res;
|
||||
|
||||
@ -95,10 +101,10 @@ Index: grub-2.04~rc1/grub-core/io/bufio.c
|
||||
/* Now read between file->offset + res and bufio->buffer_at. */
|
||||
if (file->offset + res < next_buf)
|
||||
{
|
||||
Index: grub-2.04~rc1/grub-core/kern/efi/efi.c
|
||||
Index: grub-2.04/grub-core/kern/efi/efi.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/kern/efi/efi.c
|
||||
+++ grub-2.04~rc1/grub-core/kern/efi/efi.c
|
||||
--- grub-2.04.orig/grub-core/kern/efi/efi.c
|
||||
+++ grub-2.04/grub-core/kern/efi/efi.c
|
||||
@@ -722,7 +722,7 @@ grub_efi_print_device_path (grub_efi_dev
|
||||
{
|
||||
grub_efi_ipv4_device_path_t *ipv4
|
||||
@ -226,10 +232,10 @@ Index: grub-2.04~rc1/grub-core/kern/efi/efi.c
|
||||
default:
|
||||
grub_printf ("/UnknownMessaging(%x)", (unsigned) subtype);
|
||||
break;
|
||||
Index: grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c
|
||||
Index: grub-2.04/grub-core/net/drivers/efi/efinet.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/net/drivers/efi/efinet.c
|
||||
+++ grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c
|
||||
--- grub-2.04.orig/grub-core/net/drivers/efi/efinet.c
|
||||
+++ grub-2.04/grub-core/net/drivers/efi/efinet.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <grub/efi/efi.h>
|
||||
#include <grub/i18n.h>
|
||||
@ -298,11 +304,11 @@ Index: grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c
|
||||
+ grub_efi_net_config = NULL;
|
||||
}
|
||||
|
||||
Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
|
||||
Index: grub-2.04/grub-core/net/efi/dhcp.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/grub-core/net/efi/dhcp.c
|
||||
@@ -0,0 +1,397 @@
|
||||
+++ grub-2.04/grub-core/net/efi/dhcp.c
|
||||
@@ -0,0 +1,399 @@
|
||||
+#include <grub/mm.h>
|
||||
+#include <grub/command.h>
|
||||
+#include <grub/efi/api.h>
|
||||
@ -385,7 +391,7 @@ Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
|
||||
+ if (status != GRUB_EFI_BUFFER_TOO_SMALL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ option_list = grub_malloc (option_count * sizeof(*option_list));
|
||||
+ option_list = grub_calloc (option_count, sizeof(*option_list));
|
||||
+ if (!option_list)
|
||||
+ return NULL;
|
||||
+
|
||||
@ -665,7 +671,9 @@ Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
|
||||
+
|
||||
+ if (status == GRUB_EFI_BUFFER_TOO_SMALL && count)
|
||||
+ {
|
||||
+ options = grub_malloc (count * sizeof(*options));
|
||||
+ options = grub_calloc (count, sizeof(*options));
|
||||
+ if (!options)
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+ status = efi_call_4 (dev->dhcp6->parse, dev->dhcp6, mode.ia->reply_packet, &count, options);
|
||||
+ }
|
||||
+
|
||||
@ -700,17 +708,18 @@ Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
|
||||
+
|
||||
+grub_command_func_t grub_efi_net_bootp = grub_cmd_efi_bootp;
|
||||
+grub_command_func_t grub_efi_net_bootp6 = grub_cmd_efi_bootp6;
|
||||
Index: grub-2.04~rc1/grub-core/net/efi/http.c
|
||||
Index: grub-2.04/grub-core/net/efi/http.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/grub-core/net/efi/http.c
|
||||
@@ -0,0 +1,419 @@
|
||||
+++ grub-2.04/grub-core/net/efi/http.c
|
||||
@@ -0,0 +1,424 @@
|
||||
+
|
||||
+#include <grub/efi/api.h>
|
||||
+#include <grub/efi/efi.h>
|
||||
+#include <grub/misc.h>
|
||||
+#include <grub/net/efi.h>
|
||||
+#include <grub/charset.h>
|
||||
+#include <grub/safemath.h>
|
||||
+
|
||||
+static void
|
||||
+http_configure (struct grub_efi_net_device *dev, int prefer_ip6)
|
||||
@ -835,6 +844,7 @@ Index: grub-2.04~rc1/grub-core/net/efi/http.c
|
||||
+ grub_efi_char16_t *ucs2_url;
|
||||
+ grub_size_t url_len, ucs2_url_len;
|
||||
+ const char *protocol = (use_https == 1) ? "https" : "http";
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ if (grub_efi_string_to_ip6_address (server, &address, &rest) && *rest == 0)
|
||||
+ url = grub_xasprintf ("%s://[%s]%s", protocol, server, name);
|
||||
@ -847,8 +857,11 @@ Index: grub-2.04~rc1/grub-core/net/efi/http.c
|
||||
+ }
|
||||
+
|
||||
+ url_len = grub_strlen (url);
|
||||
+ ucs2_url_len = url_len * GRUB_MAX_UTF16_PER_UTF8;
|
||||
+ ucs2_url = grub_malloc ((ucs2_url_len + 1) * sizeof (ucs2_url[0]));
|
||||
+ if (grub_mul (url_len, GRUB_MAX_UTF16_PER_UTF8, &ucs2_url_len) ||
|
||||
+ grub_add (ucs2_url_len, 1, &sz))
|
||||
+ return GRUB_ERR_OUT_OF_RANGE;
|
||||
+
|
||||
+ ucs2_url = grub_calloc (sz, sizeof (ucs2_url[0]));
|
||||
+
|
||||
+ if (!ucs2_url)
|
||||
+ {
|
||||
@ -1124,26 +1137,30 @@ Index: grub-2.04~rc1/grub-core/net/efi/http.c
|
||||
+ .read = grub_efihttp_read,
|
||||
+ .close = grub_efihttp_close
|
||||
+ };
|
||||
Index: grub-2.04~rc1/grub-core/net/efi/ip4_config.c
|
||||
Index: grub-2.04/grub-core/net/efi/ip4_config.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/grub-core/net/efi/ip4_config.c
|
||||
@@ -0,0 +1,398 @@
|
||||
+++ grub-2.04/grub-core/net/efi/ip4_config.c
|
||||
@@ -0,0 +1,409 @@
|
||||
+
|
||||
+#include <grub/efi/api.h>
|
||||
+#include <grub/efi/efi.h>
|
||||
+#include <grub/misc.h>
|
||||
+#include <grub/net/efi.h>
|
||||
+#include <grub/charset.h>
|
||||
+#include <grub/safemath.h>
|
||||
+
|
||||
+char *
|
||||
+grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_address_t hw_address)
|
||||
+{
|
||||
+ char *hw_addr, *p;
|
||||
+ int sz, s;
|
||||
+ int s;
|
||||
+ int i;
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ sz = (int)hw_address_size * (sizeof ("XX:") - 1) + 1;
|
||||
+ if (grub_mul (hw_address_size, sizeof ("XX:") - 1, &sz) ||
|
||||
+ grub_add (sz, 1, &sz))
|
||||
+ return NULL;
|
||||
+
|
||||
+ hw_addr = grub_malloc (sz);
|
||||
+ if (!hw_addr)
|
||||
@ -1359,12 +1376,19 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip4_config.c
|
||||
+ grub_efi_ip4_config2_interface_info_t *interface_info;
|
||||
+ char **ret;
|
||||
+ int i, id;
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ interface_info = efi_ip4_config_interface_info (dev->ip4_config);
|
||||
+ if (!interface_info)
|
||||
+ return NULL;
|
||||
+
|
||||
+ ret = grub_malloc (sizeof (*ret) * (interface_info->route_table_size + 1));
|
||||
+ if (grub_add (interface_info->route_table_size, 1, &sz))
|
||||
+ {
|
||||
+ grub_free (interface_info);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ret = grub_calloc (sz, sizeof (*ret));
|
||||
+
|
||||
+ if (!ret)
|
||||
+ {
|
||||
@ -1527,16 +1551,17 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip4_config.c
|
||||
+ .set_gateway = grub_efi_ip4_interface_set_gateway,
|
||||
+ .set_dns = grub_efi_ip4_interface_set_dns
|
||||
+ };
|
||||
Index: grub-2.04~rc1/grub-core/net/efi/ip6_config.c
|
||||
Index: grub-2.04/grub-core/net/efi/ip6_config.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/grub-core/net/efi/ip6_config.c
|
||||
@@ -0,0 +1,422 @@
|
||||
+++ grub-2.04/grub-core/net/efi/ip6_config.c
|
||||
@@ -0,0 +1,430 @@
|
||||
+#include <grub/efi/api.h>
|
||||
+#include <grub/efi/efi.h>
|
||||
+#include <grub/misc.h>
|
||||
+#include <grub/net/efi.h>
|
||||
+#include <grub/charset.h>
|
||||
+#include <grub/safemath.h>
|
||||
+
|
||||
+char *
|
||||
+grub_efi_ip6_address_to_string (grub_efi_pxe_ipv6_address_t *address)
|
||||
@ -1763,12 +1788,19 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip6_config.c
|
||||
+ grub_efi_ip6_config_interface_info_t *interface_info;
|
||||
+ char **ret;
|
||||
+ int i, id;
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ interface_info = efi_ip6_config_interface_info (dev->ip6_config);
|
||||
+ if (!interface_info)
|
||||
+ return NULL;
|
||||
+
|
||||
+ ret = grub_malloc (sizeof (*ret) * (interface_info->route_count + 1));
|
||||
+ if (grub_add (interface_info->route_count, 1, &sz))
|
||||
+ {
|
||||
+ grub_free (interface_info);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ret = grub_calloc (sz, sizeof (*ret));
|
||||
+
|
||||
+ if (!ret)
|
||||
+ {
|
||||
@ -1954,11 +1986,11 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip6_config.c
|
||||
+ .set_gateway = grub_efi_ip6_interface_set_gateway,
|
||||
+ .set_dns = grub_efi_ip6_interface_set_dns
|
||||
+ };
|
||||
Index: grub-2.04~rc1/grub-core/net/efi/net.c
|
||||
Index: grub-2.04/grub-core/net/efi/net.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/grub-core/net/efi/net.c
|
||||
@@ -0,0 +1,1428 @@
|
||||
+++ grub-2.04/grub-core/net/efi/net.c
|
||||
@@ -0,0 +1,1437 @@
|
||||
+#include <grub/net.h>
|
||||
+#include <grub/env.h>
|
||||
+#include <grub/mm.h>
|
||||
@ -1973,6 +2005,7 @@ Index: grub-2.04~rc1/grub-core/net/efi/net.c
|
||||
+#include <grub/efi/dhcp.h>
|
||||
+#include <grub/net/efi.h>
|
||||
+#include <grub/charset.h>
|
||||
+#include <grub/safemath.h>
|
||||
+
|
||||
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||
+
|
||||
@ -2198,7 +2231,15 @@ Index: grub-2.04~rc1/grub-core/net/efi/net.c
|
||||
+
|
||||
+ if (code == GRUB_NET_DHCP6_OPTION_BOOTFILE_URL)
|
||||
+ {
|
||||
+ char *url = grub_malloc (len + 1);
|
||||
+ char *url;
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ if (grub_add (len, 1, &sz))
|
||||
+ return;
|
||||
+
|
||||
+ url = grub_malloc (sz);
|
||||
+ if (!url)
|
||||
+ return;
|
||||
+
|
||||
+ grub_memcpy (url, dhcp_opt->data, len);
|
||||
+ url[len] = 0;
|
||||
@ -3387,10 +3428,10 @@ Index: grub-2.04~rc1/grub-core/net/efi/net.c
|
||||
+ grub_net_open = NULL;
|
||||
+ grub_fs_unregister (&grub_efi_netfs);
|
||||
+}
|
||||
Index: grub-2.04~rc1/grub-core/net/efi/pxe.c
|
||||
Index: grub-2.04/grub-core/net/efi/pxe.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/grub-core/net/efi/pxe.c
|
||||
+++ grub-2.04/grub-core/net/efi/pxe.c
|
||||
@@ -0,0 +1,424 @@
|
||||
+
|
||||
+#include <grub/efi/api.h>
|
||||
@ -3816,10 +3857,10 @@ Index: grub-2.04~rc1/grub-core/net/efi/pxe.c
|
||||
+ .close = pxe_close
|
||||
+ };
|
||||
+
|
||||
Index: grub-2.04~rc1/grub-core/net/net.c
|
||||
Index: grub-2.04/grub-core/net/net.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/net/net.c
|
||||
+++ grub-2.04~rc1/grub-core/net/net.c
|
||||
--- grub-2.04.orig/grub-core/net/net.c
|
||||
+++ grub-2.04/grub-core/net/net.c
|
||||
@@ -32,6 +32,9 @@
|
||||
#include <grub/loader.h>
|
||||
#include <grub/bufio.h>
|
||||
@ -3926,10 +3967,10 @@ Index: grub-2.04~rc1/grub-core/net/net.c
|
||||
+ init_mode = INIT_MODE_NONE;
|
||||
+#endif
|
||||
}
|
||||
Index: grub-2.04~rc1/include/grub/efi/api.h
|
||||
Index: grub-2.04/include/grub/efi/api.h
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/include/grub/efi/api.h
|
||||
+++ grub-2.04~rc1/include/grub/efi/api.h
|
||||
--- grub-2.04.orig/include/grub/efi/api.h
|
||||
+++ grub-2.04/include/grub/efi/api.h
|
||||
@@ -588,6 +588,23 @@ typedef grub_uint16_t grub_efi_ipv6_addr
|
||||
typedef grub_uint8_t grub_efi_ip_address_t[8] __attribute__ ((aligned(4)));
|
||||
typedef grub_efi_uint64_t grub_efi_physical_address_t;
|
||||
@ -4177,10 +4218,10 @@ Index: grub-2.04~rc1/include/grub/efi/api.h
|
||||
#if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
|
||||
|| defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) \
|
||||
|| defined(__riscv)
|
||||
Index: grub-2.04~rc1/include/grub/efi/dhcp.h
|
||||
Index: grub-2.04/include/grub/efi/dhcp.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/include/grub/efi/dhcp.h
|
||||
+++ grub-2.04/include/grub/efi/dhcp.h
|
||||
@@ -0,0 +1,343 @@
|
||||
+#ifndef GRUB_EFI_DHCP_HEADER
|
||||
+#define GRUB_EFI_DHCP_HEADER 1
|
||||
@ -4525,10 +4566,10 @@ Index: grub-2.04~rc1/include/grub/efi/dhcp.h
|
||||
+};
|
||||
+
|
||||
+#endif /* ! GRUB_EFI_DHCP_HEADER */
|
||||
Index: grub-2.04~rc1/include/grub/efi/http.h
|
||||
Index: grub-2.04/include/grub/efi/http.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/include/grub/efi/http.h
|
||||
+++ grub-2.04/include/grub/efi/http.h
|
||||
@@ -0,0 +1,215 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
@ -4745,10 +4786,10 @@ Index: grub-2.04~rc1/include/grub/efi/http.h
|
||||
+typedef struct grub_efi_http grub_efi_http_t;
|
||||
+
|
||||
+#endif /* !GRUB_EFI_HTTP_HEADER */
|
||||
Index: grub-2.04~rc1/include/grub/net/efi.h
|
||||
Index: grub-2.04/include/grub/net/efi.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ grub-2.04~rc1/include/grub/net/efi.h
|
||||
+++ grub-2.04/include/grub/net/efi.h
|
||||
@@ -0,0 +1,144 @@
|
||||
+#ifndef GRUB_NET_EFI_HEADER
|
||||
+#define GRUB_NET_EFI_HEADER 1
|
||||
|
67
0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
Normal file
67
0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
Normal file
@ -0,0 +1,67 @@
|
||||
From a948ac01744f3490fa5af4b38039f7dade68bb3e Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 15 Apr 2020 15:45:02 -0400
|
||||
Subject: [PATCH EMBARGOED CVE-2020-10713] yylex: Make lexer fatal errors
|
||||
actually be fatal
|
||||
|
||||
When presented with a command that can't be tokenized to anything
|
||||
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
|
||||
expecting that will stop further processing, as such:
|
||||
|
||||
#define YY_DO_BEFORE_ACTION \
|
||||
yyg->yytext_ptr = yy_bp; \
|
||||
yyleng = (int) (yy_cp - yy_bp); \
|
||||
yyg->yy_hold_char = *yy_cp; \
|
||||
*yy_cp = '\0'; \
|
||||
if ( yyleng >= YYLMAX ) \
|
||||
YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
|
||||
yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
|
||||
yyg->yy_c_buf_p = yy_cp;
|
||||
|
||||
The code flex generates expects that YY_FATAL_ERROR() will either return
|
||||
for it or do some form of longjmp(), or handle the error in some way at
|
||||
least, and so the strncpy() call isn't in an "else" clause, and thus if
|
||||
YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
|
||||
questionable limit, and predictable results ensue.
|
||||
|
||||
Unfortunately, our implementation of YY_FATAL_ERROR() is:
|
||||
|
||||
#define YY_FATAL_ERROR(msg) \
|
||||
do { \
|
||||
grub_printf (_("fatal error: %s\n"), _(msg)); \
|
||||
} while (0)
|
||||
|
||||
The same pattern exists in yyless(), and similar problems exist in users
|
||||
of YY_INPUT(), several places in the main parsing loop,
|
||||
yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
|
||||
yy_scan_buffer(), etc.
|
||||
|
||||
All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
|
||||
the things they do if it returns after calling it are wildly unsafe.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/script/yylex.l | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
|
||||
index 7b44c37b7..b7203c823 100644
|
||||
--- a/grub-core/script/yylex.l
|
||||
+++ b/grub-core/script/yylex.l
|
||||
@@ -37,11 +37,11 @@
|
||||
|
||||
/*
|
||||
* As we don't have access to yyscanner, we cannot do much except to
|
||||
- * print the fatal error.
|
||||
+ * print the fatal error and exit.
|
||||
*/
|
||||
#define YY_FATAL_ERROR(msg) \
|
||||
do { \
|
||||
- grub_printf (_("fatal error: %s\n"), _(msg)); \
|
||||
+ grub_fatal (_("fatal error: %s\n"), _(msg));\
|
||||
} while (0)
|
||||
|
||||
#define COPY(str, hint) \
|
||||
--
|
||||
2.11.0
|
123
0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
Normal file
123
0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
Normal file
@ -0,0 +1,123 @@
|
||||
From de1c315841aa6f37357c72e196810484013291d6 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 15 Jun 2020 10:58:42 -0400
|
||||
Subject: [PATCH 2/7] safemath: Add some arithmetic primitives that check for
|
||||
overflow
|
||||
|
||||
This adds a new header, include/grub/safemath.h, that includes easy to
|
||||
use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
|
||||
|
||||
bool OP(a, b, res)
|
||||
|
||||
where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
|
||||
case where the operation would overflow and res is not modified.
|
||||
Otherwise, false is returned and the operation is executed.
|
||||
|
||||
These arithmetic primitives require newer compiler versions. So, bump
|
||||
these requirements in the INSTALL file too.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
INSTALL | 22 ++--------------------
|
||||
include/grub/compiler.h | 8 ++++++++
|
||||
include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 47 insertions(+), 20 deletions(-)
|
||||
create mode 100644 include/grub/safemath.h
|
||||
|
||||
diff --git a/INSTALL b/INSTALL
|
||||
index dedf236a8..79a0af7d9 100644
|
||||
--- a/INSTALL
|
||||
+++ b/INSTALL
|
||||
@@ -11,27 +11,9 @@ GRUB depends on some software packages installed into your system. If
|
||||
you don't have any of them, please obtain and install them before
|
||||
configuring the GRUB.
|
||||
|
||||
-* GCC 4.1.3 or later
|
||||
- Note: older versions may work but support is limited
|
||||
-
|
||||
- Experimental support for clang 3.3 or later (results in much bigger binaries)
|
||||
+* GCC 5.1.0 or later
|
||||
+ Experimental support for clang 3.8.0 or later (results in much bigger binaries)
|
||||
for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
|
||||
- Note: clang 3.2 or later works for i386 and x86_64 targets but results in
|
||||
- much bigger binaries.
|
||||
- earlier versions not tested
|
||||
- Note: clang 3.2 or later works for arm
|
||||
- earlier versions not tested
|
||||
- Note: clang on arm64 is not supported due to
|
||||
- https://llvm.org/bugs/show_bug.cgi?id=26030
|
||||
- Note: clang 3.3 or later works for mips(el)
|
||||
- earlier versions fail to generate .reginfo and hence gprel relocations
|
||||
- fail.
|
||||
- Note: clang 3.2 or later works for powerpc
|
||||
- earlier versions not tested
|
||||
- Note: clang 3.5 or later works for sparc64
|
||||
- earlier versions return "error: unable to interface with target machine"
|
||||
- Note: clang has no support for ia64 and hence you can't compile GRUB
|
||||
- for ia64 with clang
|
||||
* GNU Make
|
||||
* GNU Bison 2.3 or later
|
||||
* GNU gettext 0.17 or later
|
||||
diff --git a/include/grub/compiler.h b/include/grub/compiler.h
|
||||
index c9e1d7a73..8f3be3ae7 100644
|
||||
--- a/include/grub/compiler.h
|
||||
+++ b/include/grub/compiler.h
|
||||
@@ -48,4 +48,12 @@
|
||||
# define WARN_UNUSED_RESULT
|
||||
#endif
|
||||
|
||||
+#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
|
||||
+# define CLANG_PREREQ(maj,min) \
|
||||
+ ((__clang_major__ > (maj)) || \
|
||||
+ (__clang_major__ == (maj) && __clang_minor__ >= (min)))
|
||||
+#else
|
||||
+# define CLANG_PREREQ(maj,min) 0
|
||||
+#endif
|
||||
+
|
||||
#endif /* ! GRUB_COMPILER_HEADER */
|
||||
diff --git a/include/grub/safemath.h b/include/grub/safemath.h
|
||||
new file mode 100644
|
||||
index 000000000..c17b89bba
|
||||
--- /dev/null
|
||||
+++ b/include/grub/safemath.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2020 Free Software Foundation, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GRUB is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ *
|
||||
+ * Arithmetic operations that protect against overflow.
|
||||
+ */
|
||||
+
|
||||
+#ifndef GRUB_SAFEMATH_H
|
||||
+#define GRUB_SAFEMATH_H 1
|
||||
+
|
||||
+#include <grub/compiler.h>
|
||||
+
|
||||
+/* These appear in gcc 5.1 and clang 3.8. */
|
||||
+#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
|
||||
+
|
||||
+#define grub_add(a, b, res) __builtin_add_overflow(a, b, res)
|
||||
+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
|
||||
+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
|
||||
+
|
||||
+#else
|
||||
+#error gcc 5.1 or newer or clang 3.8 or newer is required
|
||||
+#endif
|
||||
+
|
||||
+#endif /* GRUB_SAFEMATH_H */
|
||||
--
|
||||
2.27.0
|
@ -8,16 +8,21 @@ DHCPv6 protocol (RFC3315).
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
Signed-off-by: Ken Lin <ken.lin@hpe.com>
|
||||
|
||||
V1:
|
||||
* Use grub_calloc for overflow check and return NULL when it would
|
||||
occur.
|
||||
|
||||
---
|
||||
grub-core/net/bootp.c | 908 +++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
grub-core/net/ip.c | 39 +++
|
||||
include/grub/net.h | 72 ++++
|
||||
3 files changed, 1018 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: grub-2.04~rc1/grub-core/net/bootp.c
|
||||
Index: grub-2.04/grub-core/net/bootp.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/net/bootp.c
|
||||
+++ grub-2.04~rc1/grub-core/net/bootp.c
|
||||
--- grub-2.04.orig/grub-core/net/bootp.c
|
||||
+++ grub-2.04/grub-core/net/bootp.c
|
||||
@@ -24,6 +24,98 @@
|
||||
#include <grub/net/netbuff.h>
|
||||
#include <grub/net/udp.h>
|
||||
@ -265,7 +270,7 @@ Index: grub-2.04~rc1/grub-core/net/bootp.c
|
||||
+ break;
|
||||
+ }
|
||||
+ dhcp6->num_dns_server = ln = len >> 4;
|
||||
+ dhcp6->dns_server_addrs = la = grub_zalloc (ln * sizeof (*la));
|
||||
+ dhcp6->dns_server_addrs = la = grub_calloc (ln, sizeof (*la));
|
||||
+
|
||||
+ for (po = opt->data; ln > 0; po += 0x10, la++, ln--)
|
||||
+ {
|
||||
@ -966,10 +971,10 @@ Index: grub-2.04~rc1/grub-core/net/bootp.c
|
||||
grub_unregister_command (cmd_dhcp);
|
||||
+ grub_unregister_command (cmd_bootp6);
|
||||
}
|
||||
Index: grub-2.04~rc1/grub-core/net/ip.c
|
||||
Index: grub-2.04/grub-core/net/ip.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/net/ip.c
|
||||
+++ grub-2.04~rc1/grub-core/net/ip.c
|
||||
--- grub-2.04.orig/grub-core/net/ip.c
|
||||
+++ grub-2.04/grub-core/net/ip.c
|
||||
@@ -239,6 +239,45 @@ handle_dgram (struct grub_net_buff *nb,
|
||||
{
|
||||
struct udphdr *udph;
|
||||
@ -1016,10 +1021,10 @@ Index: grub-2.04~rc1/grub-core/net/ip.c
|
||||
if (proto == GRUB_NET_IP_UDP && grub_be_to_cpu16 (udph->dst) == 68)
|
||||
{
|
||||
const struct grub_net_bootp_packet *bootp;
|
||||
Index: grub-2.04~rc1/include/grub/net.h
|
||||
Index: grub-2.04/include/grub/net.h
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/include/grub/net.h
|
||||
+++ grub-2.04~rc1/include/grub/net.h
|
||||
--- grub-2.04.orig/include/grub/net.h
|
||||
+++ grub-2.04/include/grub/net.h
|
||||
@@ -448,6 +448,66 @@ struct grub_net_bootp_packet
|
||||
grub_uint8_t vendor[0];
|
||||
} GRUB_PACKED;
|
||||
|
239
0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
Normal file
239
0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
Normal file
@ -0,0 +1,239 @@
|
||||
From 79e51ab7a9a56f60a14f89ef047fd669977b99d1 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 15 Jun 2020 12:15:29 -0400
|
||||
Subject: [PATCH 3/7] calloc: Make sure we always have an overflow-checking
|
||||
calloc() available
|
||||
|
||||
This tries to make sure that everywhere in this source tree, we always have
|
||||
an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
|
||||
available, and that they all safely check for overflow and return NULL when
|
||||
it would occur.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/kern/emu/misc.c | 12 +++++++++
|
||||
grub-core/kern/emu/mm.c | 10 ++++++++
|
||||
grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++
|
||||
grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++--
|
||||
grub-core/lib/posix_wrap/stdlib.h | 8 +++++-
|
||||
include/grub/emu/misc.h | 1 +
|
||||
include/grub/mm.h | 6 +++++
|
||||
7 files changed, 85 insertions(+), 3 deletions(-)
|
||||
|
||||
Index: grub-2.04/grub-core/kern/emu/misc.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/kern/emu/misc.c
|
||||
+++ grub-2.04/grub-core/kern/emu/misc.c
|
||||
@@ -87,6 +87,18 @@ grub_util_error (const char *fmt, ...)
|
||||
}
|
||||
|
||||
void *
|
||||
+xcalloc (grub_size_t nmemb, grub_size_t size)
|
||||
+{
|
||||
+ void *p;
|
||||
+
|
||||
+ p = calloc (nmemb, size);
|
||||
+ if (!p)
|
||||
+ grub_util_error ("%s", _("out of memory"));
|
||||
+
|
||||
+ return p;
|
||||
+}
|
||||
+
|
||||
+void *
|
||||
xmalloc (grub_size_t size)
|
||||
{
|
||||
void *p;
|
||||
Index: grub-2.04/grub-core/kern/emu/mm.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/kern/emu/mm.c
|
||||
+++ grub-2.04/grub-core/kern/emu/mm.c
|
||||
@@ -26,6 +26,16 @@
|
||||
#include <grub/i18n.h>
|
||||
|
||||
void *
|
||||
+grub_calloc (grub_size_t nmemb, grub_size_t size)
|
||||
+{
|
||||
+ void *ret;
|
||||
+ ret = calloc (nmemb, size);
|
||||
+ if (!ret)
|
||||
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+void *
|
||||
grub_malloc (grub_size_t size)
|
||||
{
|
||||
void *ret;
|
||||
Index: grub-2.04/grub-core/kern/mm.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/kern/mm.c
|
||||
+++ grub-2.04/grub-core/kern/mm.c
|
||||
@@ -67,8 +67,10 @@
|
||||
#include <grub/dl.h>
|
||||
#include <grub/i18n.h>
|
||||
#include <grub/mm_private.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
#ifdef MM_DEBUG
|
||||
+# undef grub_calloc
|
||||
# undef grub_malloc
|
||||
# undef grub_zalloc
|
||||
# undef grub_realloc
|
||||
@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_s
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
|
||||
+ * integer overflow.
|
||||
+ */
|
||||
+void *
|
||||
+grub_calloc (grub_size_t nmemb, grub_size_t size)
|
||||
+{
|
||||
+ void *ret;
|
||||
+ grub_size_t sz = 0;
|
||||
+
|
||||
+ if (grub_mul (nmemb, size, &sz))
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ret = grub_memalign (0, sz);
|
||||
+ if (!ret)
|
||||
+ return NULL;
|
||||
+
|
||||
+ grub_memset (ret, 0, sz);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* Allocate SIZE bytes and return the pointer. */
|
||||
void *
|
||||
grub_malloc (grub_size_t size)
|
||||
@@ -562,6 +588,20 @@ grub_mm_dump (unsigned lineno)
|
||||
}
|
||||
|
||||
void *
|
||||
+grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
|
||||
+{
|
||||
+ void *ptr;
|
||||
+
|
||||
+ if (grub_mm_debug)
|
||||
+ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
|
||||
+ file, line, size);
|
||||
+ ptr = grub_calloc (nmemb, size);
|
||||
+ if (grub_mm_debug)
|
||||
+ grub_printf ("%p\n", ptr);
|
||||
+ return ptr;
|
||||
+}
|
||||
+
|
||||
+void *
|
||||
grub_debug_malloc (const char *file, int line, grub_size_t size)
|
||||
{
|
||||
void *ptr;
|
||||
Index: grub-2.04/grub-core/lib/libgcrypt_wrap/mem.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/lib/libgcrypt_wrap/mem.c
|
||||
+++ grub-2.04/grub-core/lib/libgcrypt_wrap/mem.c
|
||||
@@ -4,6 +4,7 @@
|
||||
#include <grub/crypto.h>
|
||||
#include <grub/dl.h>
|
||||
#include <grub/env.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -36,7 +37,10 @@ void *
|
||||
gcry_xcalloc (size_t n, size_t m)
|
||||
{
|
||||
void *ret;
|
||||
- ret = grub_zalloc (n * m);
|
||||
+ size_t sz;
|
||||
+ if (grub_mul (n, m, &sz))
|
||||
+ grub_fatal ("gcry_xcalloc would overflow");
|
||||
+ ret = grub_zalloc (sz);
|
||||
if (!ret)
|
||||
grub_fatal ("gcry_xcalloc failed");
|
||||
return ret;
|
||||
@@ -56,7 +60,10 @@ void *
|
||||
gcry_xcalloc_secure (size_t n, size_t m)
|
||||
{
|
||||
void *ret;
|
||||
- ret = grub_zalloc (n * m);
|
||||
+ size_t sz;
|
||||
+ if (grub_mul (n, m, &sz))
|
||||
+ grub_fatal ("gcry_xcalloc would overflow");
|
||||
+ ret = grub_zalloc (sz);
|
||||
if (!ret)
|
||||
grub_fatal ("gcry_xcalloc failed");
|
||||
return ret;
|
||||
Index: grub-2.04/grub-core/lib/posix_wrap/stdlib.h
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/lib/posix_wrap/stdlib.h
|
||||
+++ grub-2.04/grub-core/lib/posix_wrap/stdlib.h
|
||||
@@ -21,6 +21,7 @@
|
||||
|
||||
#include <grub/mm.h>
|
||||
#include <grub/misc.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
static inline void
|
||||
free (void *ptr)
|
||||
@@ -37,7 +38,12 @@ malloc (grub_size_t size)
|
||||
static inline void *
|
||||
calloc (grub_size_t size, grub_size_t nelem)
|
||||
{
|
||||
- return grub_zalloc (size * nelem);
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ if (grub_mul (size, nelem, &sz))
|
||||
+ return NULL;
|
||||
+
|
||||
+ return grub_zalloc (sz);
|
||||
}
|
||||
|
||||
static inline void *
|
||||
Index: grub-2.04/include/grub/emu/misc.h
|
||||
===================================================================
|
||||
--- grub-2.04.orig/include/grub/emu/misc.h
|
||||
+++ grub-2.04/include/grub/emu/misc.h
|
||||
@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *
|
||||
#define GRUB_HOST_PRIuLONG_LONG "llu"
|
||||
#define GRUB_HOST_PRIxLONG_LONG "llx"
|
||||
|
||||
+void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
|
||||
void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
|
||||
void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
|
||||
char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
|
||||
Index: grub-2.04/include/grub/mm.h
|
||||
===================================================================
|
||||
--- grub-2.04.orig/include/grub/mm.h
|
||||
+++ grub-2.04/include/grub/mm.h
|
||||
@@ -29,6 +29,7 @@
|
||||
#endif
|
||||
|
||||
void grub_mm_init_region (void *addr, grub_size_t size);
|
||||
+void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
|
||||
void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
|
||||
void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
|
||||
void EXPORT_FUNC(grub_free) (void *ptr);
|
||||
@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
|
||||
void grub_mm_dump_free (void);
|
||||
void grub_mm_dump (unsigned lineno);
|
||||
|
||||
+#define grub_calloc(nmemb, size) \
|
||||
+ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
|
||||
+
|
||||
#define grub_malloc(size) \
|
||||
grub_debug_malloc (GRUB_FILE, __LINE__, size)
|
||||
|
||||
@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
|
||||
#define grub_free(ptr) \
|
||||
grub_debug_free (GRUB_FILE, __LINE__, ptr)
|
||||
|
||||
+void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
|
||||
+ grub_size_t nmemb, grub_size_t size);
|
||||
void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
|
||||
grub_size_t size);
|
||||
void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
|
1825
0004-calloc-Use-calloc-at-most-places.patch
Normal file
1825
0004-calloc-Use-calloc-at-most-places.patch
Normal file
File diff suppressed because it is too large
Load Diff
1319
0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
Normal file
1319
0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
Normal file
File diff suppressed because it is too large
Load Diff
67
0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
Normal file
67
0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
Normal file
@ -0,0 +1,67 @@
|
||||
From 30508bd4692d2e022eff2e7f9c4be9f8abf57977 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sat, 4 Jul 2020 12:25:09 -0400
|
||||
Subject: [PATCH 6/7] iso9660: Don't leak memory on realloc() failures
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
|
||||
index 7ba5b300b..5ec4433b8 100644
|
||||
--- a/grub-core/fs/iso9660.c
|
||||
+++ b/grub-core/fs/iso9660.c
|
||||
@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
|
||||
{
|
||||
int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
|
||||
grub_size_t sz;
|
||||
+ char *new;
|
||||
|
||||
if (grub_add (size, len2, &sz) ||
|
||||
grub_add (sz, 1, &sz))
|
||||
return;
|
||||
|
||||
- ctx->symlink = grub_realloc (ctx->symlink, sz);
|
||||
- if (! ctx->symlink)
|
||||
- return;
|
||||
+ new = grub_realloc (ctx->symlink, sz);
|
||||
+ if (!new)
|
||||
+ {
|
||||
+ grub_free (ctx->symlink);
|
||||
+ ctx->symlink = NULL;
|
||||
+ return;
|
||||
+ }
|
||||
+ ctx->symlink = new;
|
||||
|
||||
grub_memcpy (ctx->symlink + size, part, len2);
|
||||
ctx->symlink[size + len2] = 0;
|
||||
@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
|
||||
is the length. Both are part of the `Component
|
||||
Record'. */
|
||||
if (ctx->symlink && !ctx->was_continue)
|
||||
- add_part (ctx, "/", 1);
|
||||
+ {
|
||||
+ add_part (ctx, "/", 1);
|
||||
+ if (grub_errno)
|
||||
+ return grub_errno;
|
||||
+ }
|
||||
+
|
||||
add_part (ctx, (char *) &entry->data[pos + 2],
|
||||
entry->data[pos + 1]);
|
||||
ctx->was_continue = (entry->data[pos] & 1);
|
||||
@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
|
||||
add_part (ctx, "/", 1);
|
||||
break;
|
||||
}
|
||||
+
|
||||
+ /* Check if grub_realloc() failed in add_part(). */
|
||||
+ if (grub_errno)
|
||||
+ return grub_errno;
|
||||
+
|
||||
/* In pos + 1 the length of the `Component Record' is
|
||||
stored. */
|
||||
pos += entry->data[pos + 1] + 2;
|
||||
--
|
||||
2.27.0
|
35
0007-font-Do-not-load-more-than-one-NAME-section.patch
Normal file
35
0007-font-Do-not-load-more-than-one-NAME-section.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From e2b5230126b340e1d88a079cd6a5c22dd4c00682 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
Date: Tue, 7 Jul 2020 15:36:26 +0200
|
||||
Subject: [PATCH 7/7] font: Do not load more than one NAME section
|
||||
|
||||
The GRUB font file can have one NAME section only. Though if somebody
|
||||
crafts a broken font file with many NAME sections and loads it then the
|
||||
GRUB leaks memory. So, prevent against that by loading first NAME
|
||||
section and failing in controlled way on following one.
|
||||
|
||||
Reported-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/font/font.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
||||
index 5edb477ac..d09bb38d8 100644
|
||||
--- a/grub-core/font/font.c
|
||||
+++ b/grub-core/font/font.c
|
||||
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
|
||||
if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
|
||||
sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
|
||||
{
|
||||
+ if (font->name != NULL)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
font->name = read_section_as_string (§ion);
|
||||
if (!font->name)
|
||||
goto fail;
|
||||
--
|
||||
2.27.0
|
@ -0,0 +1,33 @@
|
||||
From 1804acfd35cff2aab9ec9dc586f74f5e3aa83ef2 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Fri, 10 Jul 2020 11:21:14 +0100
|
||||
Subject: [PATCH 18/27] script: Remove unused fields from grub_script_function
|
||||
struct
|
||||
|
||||
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
include/grub/script_sh.h | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
|
||||
index 360c2be1f..b382bcf09 100644
|
||||
--- a/include/grub/script_sh.h
|
||||
+++ b/include/grub/script_sh.h
|
||||
@@ -359,13 +359,8 @@ struct grub_script_function
|
||||
/* The script function. */
|
||||
struct grub_script *func;
|
||||
|
||||
- /* The flags. */
|
||||
- unsigned flags;
|
||||
-
|
||||
/* The next element. */
|
||||
struct grub_script_function *next;
|
||||
-
|
||||
- int references;
|
||||
};
|
||||
typedef struct grub_script_function *grub_script_function_t;
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
107
0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
Normal file
107
0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
Normal file
@ -0,0 +1,107 @@
|
||||
From 809f3a26897f5f648325c5741e72dc1b3db828ee Mon Sep 17 00:00:00 2001
|
||||
From: Chris Coulson <chris.coulson@canonical.com>
|
||||
Date: Fri, 10 Jul 2020 14:41:45 +0100
|
||||
Subject: [PATCH 19/27] script: Avoid a use-after-free when redefining a
|
||||
function during execution
|
||||
|
||||
Defining a new function with the same name as a previously defined
|
||||
function causes the grub_script and associated resources for the
|
||||
previous function to be freed. If the previous function is currently
|
||||
executing when a function with the same name is defined, this results
|
||||
in use-after-frees when processing subsequent commands in the original
|
||||
function.
|
||||
|
||||
Instead, reject a new function definition if it has the same name as
|
||||
a previously defined function, and that function is currently being
|
||||
executed. Although a behavioural change, this should be backwards
|
||||
compatible with existing configurations because they can't be
|
||||
dependent on the current behaviour without being broken.
|
||||
|
||||
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/script/execute.c | 2 ++
|
||||
grub-core/script/function.c | 16 +++++++++++++---
|
||||
grub-core/script/parser.y | 3 ++-
|
||||
include/grub/script_sh.h | 2 ++
|
||||
4 files changed, 19 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
|
||||
index 8a9161cc8..ce83edd4b 100644
|
||||
--- a/grub-core/script/execute.c
|
||||
+++ b/grub-core/script/execute.c
|
||||
@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
|
||||
old_scope = scope;
|
||||
scope = &new_scope;
|
||||
|
||||
+ func->executing++;
|
||||
ret = grub_script_execute (func->func);
|
||||
+ func->executing--;
|
||||
|
||||
function_return = 0;
|
||||
active_loops = loops;
|
||||
diff --git a/grub-core/script/function.c b/grub-core/script/function.c
|
||||
index d36655e51..3aad04bf9 100644
|
||||
--- a/grub-core/script/function.c
|
||||
+++ b/grub-core/script/function.c
|
||||
@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
|
||||
func = (grub_script_function_t) grub_malloc (sizeof (*func));
|
||||
if (! func)
|
||||
return 0;
|
||||
+ func->executing = 0;
|
||||
|
||||
func->name = grub_strdup (functionname_arg->str);
|
||||
if (! func->name)
|
||||
@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
|
||||
grub_script_function_t q;
|
||||
|
||||
q = *p;
|
||||
- grub_script_free (q->func);
|
||||
- q->func = cmd;
|
||||
grub_free (func);
|
||||
- func = q;
|
||||
+ if (q->executing > 0)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("attempt to redefine a function being executed"));
|
||||
+ func = NULL;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ grub_script_free (q->func);
|
||||
+ q->func = cmd;
|
||||
+ func = q;
|
||||
+ }
|
||||
}
|
||||
else
|
||||
{
|
||||
diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
|
||||
index 4f0ab8319..f80b86b6f 100644
|
||||
--- a/grub-core/script/parser.y
|
||||
+++ b/grub-core/script/parser.y
|
||||
@@ -289,7 +289,8 @@ function: "function" "name"
|
||||
grub_script_mem_free (state->func_mem);
|
||||
else {
|
||||
script->children = state->scripts;
|
||||
- grub_script_function_create ($2, script);
|
||||
+ if (!grub_script_function_create ($2, script))
|
||||
+ grub_script_free (script);
|
||||
}
|
||||
|
||||
state->scripts = $<scripts>3;
|
||||
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
|
||||
index b382bcf09..6c48e0751 100644
|
||||
--- a/include/grub/script_sh.h
|
||||
+++ b/include/grub/script_sh.h
|
||||
@@ -361,6 +361,8 @@ struct grub_script_function
|
||||
|
||||
/* The next element. */
|
||||
struct grub_script_function *next;
|
||||
+
|
||||
+ unsigned executing;
|
||||
};
|
||||
typedef struct grub_script_function *grub_script_function_t;
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
164
0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
Normal file
164
0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
Normal file
@ -0,0 +1,164 @@
|
||||
commit a59b854381d1148d32f74fbb9cf0f384972a5b4b
|
||||
Author: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sat Jul 25 12:15:37 2020 +0100
|
||||
|
||||
linux: Fix integer overflows in initrd size handling
|
||||
|
||||
These could be triggered by a crafted filesystem with very large files.
|
||||
|
||||
Fixes: CVE-2020-15707
|
||||
|
||||
Signed-off-by: Colin Watson <cjwatson@debian.org>
|
||||
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
|
||||
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
|
||||
index 25624ebc1..e9f819ee9 100644
|
||||
--- a/grub-core/loader/linux.c
|
||||
+++ b/grub-core/loader/linux.c
|
||||
@@ -4,6 +4,7 @@
|
||||
#include <grub/misc.h>
|
||||
#include <grub/file.h>
|
||||
#include <grub/mm.h>
|
||||
+#include <grub/safemath.h>
|
||||
|
||||
struct newc_head
|
||||
{
|
||||
@@ -98,13 +99,13 @@ free_dir (struct dir *root)
|
||||
grub_free (root);
|
||||
}
|
||||
|
||||
-static grub_size_t
|
||||
+static grub_err_t
|
||||
insert_dir (const char *name, struct dir **root,
|
||||
- grub_uint8_t *ptr)
|
||||
+ grub_uint8_t *ptr, grub_size_t *size)
|
||||
{
|
||||
struct dir *cur, **head = root;
|
||||
const char *cb, *ce = name;
|
||||
- grub_size_t size = 0;
|
||||
+ *size = 0;
|
||||
while (1)
|
||||
{
|
||||
for (cb = ce; *cb == '/'; cb++);
|
||||
@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
|
||||
ptr = make_header (ptr, name, ce - name,
|
||||
040777, 0);
|
||||
}
|
||||
- size += ALIGN_UP ((ce - (char *) name)
|
||||
- + sizeof (struct newc_head), 4);
|
||||
+ if (grub_add (*size,
|
||||
+ ALIGN_UP ((ce - (char *) name)
|
||||
+ + sizeof (struct newc_head), 4),
|
||||
+ size))
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+ grub_free (n->name);
|
||||
+ grub_free (n);
|
||||
+ return grub_errno;
|
||||
+ }
|
||||
*head = n;
|
||||
cur = n;
|
||||
}
|
||||
root = &cur->next;
|
||||
}
|
||||
- return size;
|
||||
+ return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
grub_err_t
|
||||
@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
|
||||
eptr = grub_strchr (ptr, ':');
|
||||
if (eptr)
|
||||
{
|
||||
+ grub_size_t dir_size, name_len;
|
||||
+
|
||||
initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
|
||||
- if (!initrd_ctx->components[i].newc_name)
|
||||
+ if (!initrd_ctx->components[i].newc_name ||
|
||||
+ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
|
||||
+ &dir_size))
|
||||
{
|
||||
grub_initrd_close (initrd_ctx);
|
||||
return grub_errno;
|
||||
}
|
||||
- initrd_ctx->size
|
||||
- += ALIGN_UP (sizeof (struct newc_head)
|
||||
- + grub_strlen (initrd_ctx->components[i].newc_name),
|
||||
- 4);
|
||||
- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
|
||||
- &root, 0);
|
||||
+ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
|
||||
+ if (grub_add (initrd_ctx->size,
|
||||
+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
|
||||
+ &initrd_ctx->size) ||
|
||||
+ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
|
||||
+ goto overflow;
|
||||
newc = 1;
|
||||
fname = eptr + 1;
|
||||
}
|
||||
}
|
||||
else if (newc)
|
||||
{
|
||||
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
|
||||
- + sizeof ("TRAILER!!!") - 1, 4);
|
||||
+ if (grub_add (initrd_ctx->size,
|
||||
+ ALIGN_UP (sizeof (struct newc_head)
|
||||
+ + sizeof ("TRAILER!!!") - 1, 4),
|
||||
+ &initrd_ctx->size))
|
||||
+ goto overflow;
|
||||
free_dir (root);
|
||||
root = 0;
|
||||
newc = 0;
|
||||
@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
|
||||
initrd_ctx->nfiles++;
|
||||
initrd_ctx->components[i].size
|
||||
= grub_file_size (initrd_ctx->components[i].file);
|
||||
- initrd_ctx->size += initrd_ctx->components[i].size;
|
||||
+ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
|
||||
+ &initrd_ctx->size))
|
||||
+ goto overflow;
|
||||
}
|
||||
|
||||
if (newc)
|
||||
{
|
||||
initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
|
||||
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
|
||||
- + sizeof ("TRAILER!!!") - 1, 4);
|
||||
+ if (grub_add (initrd_ctx->size,
|
||||
+ ALIGN_UP (sizeof (struct newc_head)
|
||||
+ + sizeof ("TRAILER!!!") - 1, 4),
|
||||
+ &initrd_ctx->size))
|
||||
+ goto overflow;
|
||||
free_dir (root);
|
||||
root = 0;
|
||||
}
|
||||
|
||||
return GRUB_ERR_NONE;
|
||||
+
|
||||
+overflow:
|
||||
+ free_dir (root);
|
||||
+ grub_initrd_close (initrd_ctx);
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
}
|
||||
|
||||
grub_size_t
|
||||
@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
|
||||
|
||||
if (initrd_ctx->components[i].newc_name)
|
||||
{
|
||||
- ptr += insert_dir (initrd_ctx->components[i].newc_name,
|
||||
- &root, ptr);
|
||||
+ grub_size_t dir_size;
|
||||
+
|
||||
+ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
|
||||
+ &dir_size))
|
||||
+ {
|
||||
+ free_dir (root);
|
||||
+ grub_initrd_close (initrd_ctx);
|
||||
+ return grub_errno;
|
||||
+ }
|
||||
+ ptr += dir_size;
|
||||
ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
|
||||
grub_strlen (initrd_ctx->components[i].newc_name),
|
||||
0100777,
|
||||
|
@ -16,15 +16,20 @@ It is possible to boot into a separate GRUB instance by exporting the
|
||||
variable and loading the config file from the subvolume.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
V1:
|
||||
* Use overflow checking primitives where the arithmetic expression for
|
||||
buffer allocations may include unvalidated data
|
||||
|
||||
---
|
||||
|
||||
grub-core/fs/btrfs.c | 529 +++++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 518 insertions(+), 11 deletions(-)
|
||||
|
||||
Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
Index: grub-2.04/grub-core/fs/btrfs.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/fs/btrfs.c
|
||||
+++ grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
--- grub-2.04.orig/grub-core/fs/btrfs.c
|
||||
+++ grub-2.04/grub-core/fs/btrfs.c
|
||||
@@ -40,6 +40,9 @@
|
||||
#include <grub/btrfs.h>
|
||||
#include <grub/crypto.h>
|
||||
@ -164,7 +169,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
return data;
|
||||
}
|
||||
|
||||
@@ -1654,6 +1739,91 @@ get_root (struct grub_btrfs_data *data,
|
||||
@@ -1654,6 +1739,98 @@ get_root (struct grub_btrfs_data *data,
|
||||
}
|
||||
|
||||
static grub_err_t
|
||||
@ -207,8 +212,12 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
+ key_out.object_id != key_out.offset) {
|
||||
+ struct grub_btrfs_inode_ref *inode_ref;
|
||||
+ char *new;
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ inode_ref = grub_malloc(elemsize + 1);
|
||||
+ if (grub_add (elemsize, 1, &sz))
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+
|
||||
+ inode_ref = grub_malloc(sz);
|
||||
+ if (!inode_ref)
|
||||
+ return grub_error(GRUB_ERR_OUT_OF_MEMORY,
|
||||
+ "couldn't allocate memory for inode_ref (%"PRIuGRUB_SIZE")\n", elemsize);
|
||||
@ -217,7 +226,10 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
+ if (err)
|
||||
+ return grub_error(err, "read_logical caught %d\n", err);
|
||||
+
|
||||
+ alloc += grub_le_to_cpu16 (inode_ref->n) + 2;
|
||||
+ if (grub_add (grub_le_to_cpu16 (inode_ref->n), 2, &sz) ||
|
||||
+ grub_add (alloc, sz, &alloc))
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+
|
||||
+ new = grub_malloc(alloc);
|
||||
+ if (!new)
|
||||
+ return grub_error(GRUB_ERR_OUT_OF_MEMORY,
|
||||
@ -256,7 +268,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
find_path (struct grub_btrfs_data *data,
|
||||
const char *path, struct grub_btrfs_key *key,
|
||||
grub_uint64_t *tree, grub_uint8_t *type)
|
||||
@@ -1671,14 +1841,26 @@ find_path (struct grub_btrfs_data *data,
|
||||
@@ -1671,14 +1848,26 @@ find_path (struct grub_btrfs_data *data,
|
||||
char *origpath = NULL;
|
||||
unsigned symlinks_max = 32;
|
||||
|
||||
@ -287,7 +299,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
while (1)
|
||||
{
|
||||
while (path[0] == '/')
|
||||
@@ -1851,9 +2033,21 @@ find_path (struct grub_btrfs_data *data,
|
||||
@@ -1851,9 +2040,21 @@ find_path (struct grub_btrfs_data *data,
|
||||
path = path_alloc = tmp;
|
||||
if (path[0] == '/')
|
||||
{
|
||||
@ -312,7 +324,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
}
|
||||
continue;
|
||||
}
|
||||
@@ -2094,6 +2288,20 @@ grub_btrfs_read (grub_file_t file, char
|
||||
@@ -2094,6 +2295,20 @@ grub_btrfs_read (grub_file_t file, char
|
||||
data->tree, file->offset, buf, len);
|
||||
}
|
||||
|
||||
@ -333,7 +345,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
static grub_err_t
|
||||
grub_btrfs_uuid (grub_device_t device, char **uuid)
|
||||
{
|
||||
@@ -2105,15 +2313,7 @@ grub_btrfs_uuid (grub_device_t device, c
|
||||
@@ -2105,15 +2320,7 @@ grub_btrfs_uuid (grub_device_t device, c
|
||||
if (!data)
|
||||
return grub_errno;
|
||||
|
||||
@ -350,7 +362,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
|
||||
grub_btrfs_unmount (data);
|
||||
|
||||
@@ -2170,6 +2370,242 @@ grub_btrfs_embed (grub_device_t device _
|
||||
@@ -2170,6 +2377,248 @@ grub_btrfs_embed (grub_device_t device _
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -531,9 +543,15 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
+
|
||||
+ if (elemsize > allocated)
|
||||
+ {
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ grub_free(buf);
|
||||
+ allocated = 2 * elemsize;
|
||||
+ buf = grub_malloc(allocated + 1);
|
||||
+
|
||||
+ if (grub_mul (elemsize, 2, &allocated) ||
|
||||
+ grub_add (allocated, 1, &sz))
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+
|
||||
+ buf = grub_malloc(sz);
|
||||
+ if (!buf)
|
||||
+ {
|
||||
+ r = -grub_errno;
|
||||
@ -593,7 +611,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
static struct grub_fs grub_btrfs_fs = {
|
||||
.name = "btrfs",
|
||||
.fs_dir = grub_btrfs_dir,
|
||||
@@ -2185,12 +2621,88 @@ static struct grub_fs grub_btrfs_fs = {
|
||||
@@ -2185,12 +2634,88 @@ static struct grub_fs grub_btrfs_fs = {
|
||||
#endif
|
||||
};
|
||||
|
||||
@ -682,10 +700,10 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
}
|
||||
+
|
||||
+// vim: si et sw=2:
|
||||
Index: grub-2.04~rc1/include/grub/btrfs.h
|
||||
Index: grub-2.04/include/grub/btrfs.h
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/include/grub/btrfs.h
|
||||
+++ grub-2.04~rc1/include/grub/btrfs.h
|
||||
--- grub-2.04.orig/include/grub/btrfs.h
|
||||
+++ grub-2.04/include/grub/btrfs.h
|
||||
@@ -29,6 +29,7 @@ enum
|
||||
GRUB_BTRFS_ITEM_TYPE_ROOT_ITEM = 0x84,
|
||||
GRUB_BTRFS_ITEM_TYPE_ROOT_BACKREF = 0x90,
|
||||
|
@ -1,8 +1,13 @@
|
||||
Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
|
||||
V1:
|
||||
* Use overflow checking primitives where the arithmetic expression for
|
||||
buffer allocations may include unvalidated data
|
||||
|
||||
Index: grub-2.04/grub-core/fs/btrfs.c
|
||||
===================================================================
|
||||
--- grub-2.04~rc1.orig/grub-core/fs/btrfs.c
|
||||
+++ grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
@@ -2867,6 +2867,242 @@ out:
|
||||
--- grub-2.04.orig/grub-core/fs/btrfs.c
|
||||
+++ grub-2.04/grub-core/fs/btrfs.c
|
||||
@@ -2880,6 +2880,254 @@ out:
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -26,6 +31,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
+ grub_disk_addr_t elemaddr;
|
||||
+ grub_err_t err;
|
||||
+ char *parent_path;
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ *parent_id = 0;
|
||||
+ *path_out = 0;
|
||||
@ -44,7 +50,10 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
+ return grub_error(GRUB_ERR_FILE_NOT_FOUND, N_("can't find root backrefs"));
|
||||
+ }
|
||||
+
|
||||
+ buf = grub_malloc(elemsize + 1);
|
||||
+ if (grub_add (elemsize, 1, &sz))
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+
|
||||
+ buf = grub_malloc(sz);
|
||||
+ if (!buf)
|
||||
+ {
|
||||
+ free_iterator(&desc);
|
||||
@ -98,6 +107,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
+ struct grub_btrfs_dir_item *direl = NULL;
|
||||
+ const char *ctoken = "default";
|
||||
+ grub_size_t ctokenlen = sizeof ("default") - 1;
|
||||
+ grub_size_t sz;
|
||||
+
|
||||
+ *id = 0;
|
||||
+ key.object_id = data->sblock.root_dir_objectid;
|
||||
@ -112,7 +122,14 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
+ return grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("file not found"));
|
||||
+
|
||||
+ struct grub_btrfs_dir_item *cdirel;
|
||||
+ direl = grub_malloc (elemsize + 1);
|
||||
+
|
||||
+ if (grub_add (elemsize, 1, &sz))
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
||||
+
|
||||
+ direl = grub_malloc (sz);
|
||||
+ if (!direl)
|
||||
+ return grub_errno;
|
||||
+
|
||||
+ err = grub_btrfs_read_logical (data, elemaddr, direl, elemsize, 0);
|
||||
+ if (err)
|
||||
+ {
|
||||
@ -245,7 +262,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
static struct grub_fs grub_btrfs_fs = {
|
||||
.name = "btrfs",
|
||||
.fs_dir = grub_btrfs_dir,
|
||||
@@ -2885,6 +3121,7 @@ static struct grub_fs grub_btrfs_fs = {
|
||||
@@ -2898,6 +3146,7 @@ static struct grub_fs grub_btrfs_fs = {
|
||||
static grub_command_t cmd_info;
|
||||
static grub_command_t cmd_mount_subvol;
|
||||
static grub_extcmd_t cmd_list_subvols;
|
||||
@ -253,7 +270,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
|
||||
|
||||
static char *
|
||||
subvolid_set_env (struct grub_env_var *var __attribute__ ((unused)),
|
||||
@@ -2955,6 +3192,11 @@ GRUB_MOD_INIT (btrfs)
|
||||
@@ -2968,6 +3217,11 @@ GRUB_MOD_INIT (btrfs)
|
||||
"[-p|-n] [-o var] DEVICE",
|
||||
"Print list of BtrFS subvolumes on "
|
||||
"DEVICE.", options);
|
||||
|
@ -14,6 +14,10 @@ gfxmenu to make it convenient for viewing the truncated text by pressing
|
||||
the ctrl+l and ctrl+r to scroll the highlighted text left and right. The
|
||||
scrolled result will remain in place to help memorizing it after
|
||||
changing highlight to other entry.
|
||||
|
||||
V1:
|
||||
* Use grub_calloc for overflow check and return NULL when it would
|
||||
occur.
|
||||
---
|
||||
grub-core/gfxmenu/gfxmenu.c | 3 +++
|
||||
grub-core/gfxmenu/gui_label.c | 2 ++
|
||||
@ -24,20 +28,27 @@ changing highlight to other entry.
|
||||
include/grub/menu_viewer.h | 1 +
|
||||
7 files changed, 112 insertions(+)
|
||||
|
||||
diff --git a/grub-core/gfxmenu/gfxmenu.c b/grub-core/gfxmenu/gfxmenu.c
|
||||
index 8a17dda2c..e834895fb 100644
|
||||
--- a/grub-core/gfxmenu/gfxmenu.c
|
||||
+++ b/grub-core/gfxmenu/gfxmenu.c
|
||||
@@ -108,6 +108,8 @@ grub_gfxmenu_try (int entry, grub_menu_t menu, int nested)
|
||||
Index: grub-2.04/grub-core/gfxmenu/gfxmenu.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/gfxmenu/gfxmenu.c
|
||||
+++ grub-2.04/grub-core/gfxmenu/gfxmenu.c
|
||||
@@ -108,6 +108,15 @@ grub_gfxmenu_try (int entry, grub_menu_t
|
||||
view->menu = menu;
|
||||
view->nested = nested;
|
||||
view->first_timeout = -1;
|
||||
+ if (menu->size)
|
||||
+ view->menu_title_offset = grub_zalloc (sizeof (*view->menu_title_offset) * menu->size);
|
||||
+ {
|
||||
+ view->menu_title_offset = grub_calloc (menu->size, sizeof (*view->menu_title_offset));
|
||||
+ if (!view->menu_title_offset)
|
||||
+ {
|
||||
+ grub_free (instance);
|
||||
+ return grub_errno;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
grub_video_set_viewport (0, 0, mode_info.width, mode_info.height);
|
||||
if (view->double_repaint)
|
||||
@@ -123,6 +125,7 @@ grub_gfxmenu_try (int entry, grub_menu_t menu, int nested)
|
||||
@@ -123,6 +132,7 @@ grub_gfxmenu_try (int entry, grub_menu_t
|
||||
instance->fini = grub_gfxmenu_viewer_fini;
|
||||
instance->print_timeout = grub_gfxmenu_print_timeout;
|
||||
instance->clear_timeout = grub_gfxmenu_clear_timeout;
|
||||
@ -45,11 +56,11 @@ index 8a17dda2c..e834895fb 100644
|
||||
|
||||
grub_menu_register_viewer (instance);
|
||||
|
||||
diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
|
||||
index a4c817891..8b1358dd4 100644
|
||||
--- a/grub-core/gfxmenu/gui_label.c
|
||||
+++ b/grub-core/gfxmenu/gui_label.c
|
||||
@@ -192,6 +192,8 @@ label_set_property (void *vself, const char *name, const char *value)
|
||||
Index: grub-2.04/grub-core/gfxmenu/gui_label.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/gfxmenu/gui_label.c
|
||||
+++ grub-2.04/grub-core/gfxmenu/gui_label.c
|
||||
@@ -192,6 +192,8 @@ label_set_property (void *vself, const c
|
||||
"or `c' for a command-line.");
|
||||
else if (grub_strcmp (value, "@KEYMAP_SHORT@") == 0)
|
||||
value = _("enter: boot, `e': options, `c': cmd-line");
|
||||
@ -58,10 +69,10 @@ index a4c817891..8b1358dd4 100644
|
||||
/* FIXME: Add more templates here if needed. */
|
||||
self->template = grub_strdup (value);
|
||||
self->text = grub_xasprintf (value, self->value);
|
||||
diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
|
||||
index 01477cdf2..90487aef4 100644
|
||||
--- a/grub-core/gfxmenu/gui_list.c
|
||||
+++ b/grub-core/gfxmenu/gui_list.c
|
||||
Index: grub-2.04/grub-core/gfxmenu/gui_list.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/gfxmenu/gui_list.c
|
||||
+++ grub-2.04/grub-core/gfxmenu/gui_list.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <grub/gfxmenu_view.h>
|
||||
#include <grub/gfxwidgets.h>
|
||||
@ -104,7 +115,7 @@ index 01477cdf2..90487aef4 100644
|
||||
/* Draw the list of items. */
|
||||
static void
|
||||
draw_menu (list_impl_t self, int num_shown_items)
|
||||
@@ -433,6 +461,16 @@ draw_menu (list_impl_t self, int num_shown_items)
|
||||
@@ -433,6 +461,16 @@ draw_menu (list_impl_t self, int num_sho
|
||||
const char *item_title =
|
||||
grub_menu_get_entry (self->view->menu, menu_index)->title;
|
||||
|
||||
@ -121,10 +132,10 @@ index 01477cdf2..90487aef4 100644
|
||||
sviewport.y = item_top + top_pad;
|
||||
sviewport.width = viewport_width;
|
||||
grub_gui_set_viewport (&sviewport, &svpsave);
|
||||
diff --git a/grub-core/gfxmenu/view.c b/grub-core/gfxmenu/view.c
|
||||
index ad5e82b81..7aed7faa1 100644
|
||||
--- a/grub-core/gfxmenu/view.c
|
||||
+++ b/grub-core/gfxmenu/view.c
|
||||
Index: grub-2.04/grub-core/gfxmenu/view.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/gfxmenu/view.c
|
||||
+++ grub-2.04/grub-core/gfxmenu/view.c
|
||||
@@ -37,6 +37,7 @@
|
||||
#include <grub/gui_string_util.h>
|
||||
#include <grub/icon_manager.h>
|
||||
@ -133,7 +144,7 @@ index ad5e82b81..7aed7faa1 100644
|
||||
|
||||
static void
|
||||
init_terminal (grub_gfxmenu_view_t view);
|
||||
@@ -142,6 +143,7 @@ grub_gfxmenu_view_destroy (grub_gfxmenu_view_t view)
|
||||
@@ -142,6 +143,7 @@ grub_gfxmenu_view_destroy (grub_gfxmenu_
|
||||
grub_free (view->title_text);
|
||||
grub_free (view->progress_message_text);
|
||||
grub_free (view->theme_path);
|
||||
@ -141,7 +152,7 @@ index ad5e82b81..7aed7faa1 100644
|
||||
if (view->canvas)
|
||||
view->canvas->component.ops->destroy (view->canvas);
|
||||
grub_free (view);
|
||||
@@ -410,6 +412,52 @@ grub_gfxmenu_set_chosen_entry (int entry, void *data)
|
||||
@@ -410,6 +412,52 @@ grub_gfxmenu_set_chosen_entry (int entry
|
||||
grub_gfxmenu_redraw_menu (view);
|
||||
}
|
||||
|
||||
@ -194,15 +205,14 @@ index ad5e82b81..7aed7faa1 100644
|
||||
static void
|
||||
grub_gfxmenu_draw_terminal_box (void)
|
||||
{
|
||||
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
|
||||
index e7a83c2d6..0af20d052 100644
|
||||
--- a/grub-core/normal/menu.c
|
||||
+++ b/grub-core/normal/menu.c
|
||||
@@ -376,6 +376,15 @@ menu_set_chosen_entry (int entry)
|
||||
cur->set_chosen_entry (entry, cur->data);
|
||||
Index: grub-2.04/grub-core/normal/menu.c
|
||||
===================================================================
|
||||
--- grub-2.04.orig/grub-core/normal/menu.c
|
||||
+++ grub-2.04/grub-core/normal/menu.c
|
||||
@@ -401,6 +401,15 @@ menu_set_chosen_entry (int entry)
|
||||
}
|
||||
|
||||
+static void
|
||||
static void
|
||||
+menu_scroll_chosen_entry (int diren)
|
||||
+{
|
||||
+ struct grub_menu_viewer *cur;
|
||||
@ -211,10 +221,11 @@ index e7a83c2d6..0af20d052 100644
|
||||
+ cur->scroll_chosen_entry (cur->data, diren);
|
||||
+}
|
||||
+
|
||||
static void
|
||||
+static void
|
||||
menu_print_timeout (int timeout)
|
||||
{
|
||||
@@ -755,6 +764,13 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
|
||||
struct grub_menu_viewer *cur;
|
||||
@@ -828,6 +837,13 @@ run_menu (grub_menu_t menu, int nested,
|
||||
menu_set_chosen_entry (current_entry);
|
||||
break;
|
||||
|
||||
@ -228,10 +239,10 @@ index e7a83c2d6..0af20d052 100644
|
||||
case '\n':
|
||||
case '\r':
|
||||
case GRUB_TERM_KEY_RIGHT:
|
||||
diff --git a/include/grub/gfxmenu_view.h b/include/grub/gfxmenu_view.h
|
||||
index 4203c8fb9..56c0d17ae 100644
|
||||
--- a/include/grub/gfxmenu_view.h
|
||||
+++ b/include/grub/gfxmenu_view.h
|
||||
Index: grub-2.04/include/grub/gfxmenu_view.h
|
||||
===================================================================
|
||||
--- grub-2.04.orig/include/grub/gfxmenu_view.h
|
||||
+++ grub-2.04/include/grub/gfxmenu_view.h
|
||||
@@ -61,6 +61,8 @@ void
|
||||
grub_gfxmenu_print_timeout (int timeout, void *data);
|
||||
void
|
||||
@ -250,10 +261,10 @@ index 4203c8fb9..56c0d17ae 100644
|
||||
};
|
||||
|
||||
#endif /* ! GRUB_GFXMENU_VIEW_HEADER */
|
||||
diff --git a/include/grub/menu_viewer.h b/include/grub/menu_viewer.h
|
||||
index c6513c4e8..5f2a39dc9 100644
|
||||
--- a/include/grub/menu_viewer.h
|
||||
+++ b/include/grub/menu_viewer.h
|
||||
Index: grub-2.04/include/grub/menu_viewer.h
|
||||
===================================================================
|
||||
--- grub-2.04.orig/include/grub/menu_viewer.h
|
||||
+++ grub-2.04/include/grub/menu_viewer.h
|
||||
@@ -33,6 +33,7 @@ struct grub_menu_viewer
|
||||
void (*set_chosen_entry) (int entry, void *data);
|
||||
void (*print_timeout) (int timeout, void *data);
|
||||
@ -262,6 +273,3 @@ index c6513c4e8..5f2a39dc9 100644
|
||||
void (*fini) (void *fini);
|
||||
};
|
||||
|
||||
--
|
||||
2.16.4
|
||||
|
||||
|
@ -4,11 +4,16 @@ As a workaround use the Btrfs header to store known data of the GRUB environment
|
||||
block.
|
||||
|
||||
v2: export env_block and make sure to use the device of grubenv
|
||||
|
||||
v3:
|
||||
* Use xcalloc for overflow check and return NULL when it would
|
||||
occur.
|
||||
|
||||
---
|
||||
Index: grub-2.02/grub-core/kern/fs.c
|
||||
Index: grub-2.04/grub-core/kern/fs.c
|
||||
===================================================================
|
||||
--- grub-2.02.orig/grub-core/kern/fs.c
|
||||
+++ grub-2.02/grub-core/kern/fs.c
|
||||
--- grub-2.04.orig/grub-core/kern/fs.c
|
||||
+++ grub-2.04/grub-core/kern/fs.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include <grub/mm.h>
|
||||
#include <grub/term.h>
|
||||
@ -31,10 +36,10 @@ Index: grub-2.02/grub-core/kern/fs.c
|
||||
ret += size;
|
||||
len -= size;
|
||||
sector -= ((size + offset) >> GRUB_DISK_SECTOR_BITS);
|
||||
Index: grub-2.02/util/grub-editenv.c
|
||||
Index: grub-2.04/util/grub-editenv.c
|
||||
===================================================================
|
||||
--- grub-2.02.orig/util/grub-editenv.c
|
||||
+++ grub-2.02/util/grub-editenv.c
|
||||
--- grub-2.04.orig/util/grub-editenv.c
|
||||
+++ grub-2.04/util/grub-editenv.c
|
||||
@@ -23,8 +23,11 @@
|
||||
#include <grub/util/misc.h>
|
||||
#include <grub/lib/envblk.h>
|
||||
@ -207,7 +212,7 @@ Index: grub-2.02/util/grub-editenv.c
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -202,6 +346,38 @@ write_envblk (const char *name, grub_env
|
||||
@@ -203,6 +347,38 @@ write_envblk (const char *name, grub_env
|
||||
}
|
||||
|
||||
static void
|
||||
@ -246,7 +251,7 @@ Index: grub-2.02/util/grub-editenv.c
|
||||
set_variables (const char *name, int argc, char *argv[])
|
||||
{
|
||||
grub_envblk_t envblk;
|
||||
@@ -217,8 +393,27 @@ set_variables (const char *name, int arg
|
||||
@@ -218,8 +394,27 @@ set_variables (const char *name, int arg
|
||||
|
||||
*(p++) = 0;
|
||||
|
||||
@ -276,7 +281,7 @@ Index: grub-2.02/util/grub-editenv.c
|
||||
|
||||
argc--;
|
||||
argv++;
|
||||
@@ -226,26 +421,158 @@ set_variables (const char *name, int arg
|
||||
@@ -227,26 +422,158 @@ set_variables (const char *name, int arg
|
||||
|
||||
write_envblk (name, envblk);
|
||||
grub_envblk_close (envblk);
|
||||
@ -371,7 +376,7 @@ Index: grub-2.02/util/grub-editenv.c
|
||||
+ ndev++;
|
||||
+ }
|
||||
+
|
||||
+ grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1));
|
||||
+ grub_drives = xcalloc ((ndev + 1), sizeof (grub_drives[0]));
|
||||
+
|
||||
+ for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++,
|
||||
+ curdrive++)
|
||||
@ -435,7 +440,7 @@ Index: grub-2.02/util/grub-editenv.c
|
||||
int
|
||||
main (int argc, char *argv[])
|
||||
{
|
||||
@@ -277,6 +604,9 @@ main (int argc, char *argv[])
|
||||
@@ -278,6 +605,9 @@ main (int argc, char *argv[])
|
||||
command = argv[curindex++];
|
||||
}
|
||||
|
||||
@ -445,10 +450,10 @@ Index: grub-2.02/util/grub-editenv.c
|
||||
if (strcmp (command, "create") == 0)
|
||||
grub_util_create_envblk_file (filename);
|
||||
else if (strcmp (command, "list") == 0)
|
||||
Index: grub-2.02/util/grub.d/00_header.in
|
||||
Index: grub-2.04/util/grub.d/00_header.in
|
||||
===================================================================
|
||||
--- grub-2.02.orig/util/grub.d/00_header.in
|
||||
+++ grub-2.02/util/grub.d/00_header.in
|
||||
--- grub-2.04.orig/util/grub.d/00_header.in
|
||||
+++ grub-2.04/util/grub.d/00_header.in
|
||||
@@ -46,6 +46,13 @@ cat << EOF
|
||||
if [ -s \$prefix/grubenv ]; then
|
||||
load_env
|
||||
|
@ -1,3 +1,31 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 27 10:04:49 UTC 2020 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Fix for CVE-2020-10713 (bsc#1168994)
|
||||
* 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
|
||||
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
|
||||
(bsc#1173812)
|
||||
* 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
|
||||
* 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
|
||||
* 0004-calloc-Use-calloc-at-most-places.patch
|
||||
* 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
|
||||
* 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
|
||||
* 0007-font-Do-not-load-more-than-one-NAME-section.patch
|
||||
- Fix CVE-2020-15706 (bsc#1174463)
|
||||
* 0008-script-Remove-unused-fields-from-grub_script_functio.patch
|
||||
* 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
|
||||
- Fix CVE-2020-15707 (bsc#1174570)
|
||||
* 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
|
||||
- Use overflow checking primitives where the arithmetic expression for buffer
|
||||
allocations may include unvalidated data
|
||||
- Use grub_calloc for overflow check and return NULL when it would occur
|
||||
* 0001-add-support-for-UEFI-network-protocols.patch
|
||||
* 0003-bootp-New-net_bootp6-command.patch
|
||||
* grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
|
||||
* grub2-btrfs-09-get-default-subvolume.patch
|
||||
* grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
|
||||
* grub2-grubenv-in-btrfs-header.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 16 13:15:27 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com>
|
||||
|
||||
|
28
grub2.spec
28
grub2.spec
@ -302,6 +302,24 @@ Patch700: 0001-normal-Move-common-datetime-functions-out-of-the-nor.patch
|
||||
Patch701: 0002-kern-Add-X-option-to-printf-functions.patch
|
||||
Patch702: 0003-normal-main-Search-for-specific-config-files-for-net.patch
|
||||
Patch703: 0004-datetime-Enable-the-datetime-module-for-the-emu-plat.patch
|
||||
# bsc#1168994 VUL-0: EMBARGOED: CVE-2020-10713: grub2: parsing overflows can
|
||||
# bypass secure boot restrictions
|
||||
Patch704: 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
|
||||
# bsc#1173812 VUL-0: EMBARGOED: CVE-2020-14308, CVE-2020-14309, CVE-2020-14310,
|
||||
# CVE-2020-14311: grub2: avoid integer overflows
|
||||
Patch705: 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
|
||||
Patch706: 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
|
||||
Patch707: 0004-calloc-Use-calloc-at-most-places.patch
|
||||
Patch708: 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
|
||||
Patch709: 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
|
||||
Patch710: 0007-font-Do-not-load-more-than-one-NAME-section.patch
|
||||
# bsc#1174463 VUL-0: EMBARGOED: CVE-2020-15706: grub2: script: Avoid a
|
||||
# use-after-free when redefining a function during execution
|
||||
Patch711: 0008-script-Remove-unused-fields-from-grub_script_functio.patch
|
||||
Patch712: 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
|
||||
# bsc#1174570 VUL-0: EMBARGOED: CVE-2020-15707: grub2: linux: Fix integer
|
||||
# overflows in initrd size handling
|
||||
Patch713: 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
|
||||
|
||||
Requires: gettext-runtime
|
||||
%if 0%{?suse_version} >= 1140
|
||||
@ -607,6 +625,16 @@ swap partition while in resuming
|
||||
%patch701 -p1
|
||||
%patch702 -p1
|
||||
%patch703 -p1
|
||||
%patch704 -p1
|
||||
%patch705 -p1
|
||||
%patch706 -p1
|
||||
%patch707 -p1
|
||||
%patch708 -p1
|
||||
%patch709 -p1
|
||||
%patch710 -p1
|
||||
%patch711 -p1
|
||||
%patch712 -p1
|
||||
%patch713 -p1
|
||||
|
||||
%build
|
||||
# collect evidence to debug spurious build failure on SLE15
|
||||
|
Loading…
Reference in New Issue
Block a user