Accepting request 823469 from home:michael-chang:branches:Base:System

- Fix for CVE-2020-10713 (bsc#1168994)
  * 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
  (bsc#1173812)
  * 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
  * 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
  * 0004-calloc-Use-calloc-at-most-places.patch
  * 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
  * 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
  * 0007-font-Do-not-load-more-than-one-NAME-section.patch
- Fix CVE-2020-15706 (bsc#1174463)
  * 0008-script-Remove-unused-fields-from-grub_script_functio.patch
  * 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
- Fix CVE-2020-15707 (bsc#1174570)
  * 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
- Use overflow checking primitives where the arithmetic expression for buffer
  allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur 
  * 0001-add-support-for-UEFI-network-protocols.patch
  * 0003-bootp-New-net_bootp6-command.patch
  * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
  * grub2-btrfs-09-get-default-subvolume.patch
  * grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
  * grub2-grubenv-in-btrfs-header.patch

OBS-URL: https://build.opensuse.org/request/show/823469
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=358
This commit is contained in:
Michael Chang 2020-07-30 01:36:35 +00:00 committed by Git OBS Bridge
parent 1f1692c67a
commit 1f5e046570
18 changed files with 4272 additions and 143 deletions

View File

@ -23,10 +23,16 @@ V3:
* Finish HTTP transaction in one go
* Fix bsc#1076132
V4
V4:
* Add fs_ prefix with upstream commit
ad4bfeec5 Change fs functions to add fs_ prefix
V5:
* Use overflow checking primitives where the arithmetic expression for
buffer allocations may include unvalidated data
* Use grub_calloc for overflow check and return NULL when it would
occur.
---
grub-core/Makefile.core.def | 18 +
grub-core/io/bufio.c | 2 +-
@ -57,10 +63,10 @@ V4
create mode 100644 include/grub/efi/http.h
create mode 100644 include/grub/net/efi.h
Index: grub-2.04~rc1/grub-core/Makefile.core.def
Index: grub-2.04/grub-core/Makefile.core.def
===================================================================
--- grub-2.04~rc1.orig/grub-core/Makefile.core.def
+++ grub-2.04~rc1/grub-core/Makefile.core.def
--- grub-2.04.orig/grub-core/Makefile.core.def
+++ grub-2.04/grub-core/Makefile.core.def
@@ -1854,7 +1854,6 @@ module = {
module = {
name = linuxefi;
@ -82,10 +88,10 @@ Index: grub-2.04~rc1/grub-core/Makefile.core.def
};
module = {
Index: grub-2.04~rc1/grub-core/io/bufio.c
Index: grub-2.04/grub-core/io/bufio.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/io/bufio.c
+++ grub-2.04~rc1/grub-core/io/bufio.c
--- grub-2.04.orig/grub-core/io/bufio.c
+++ grub-2.04/grub-core/io/bufio.c
@@ -139,7 +139,7 @@ grub_bufio_read (grub_file_t file, char
return res;
@ -95,10 +101,10 @@ Index: grub-2.04~rc1/grub-core/io/bufio.c
/* Now read between file->offset + res and bufio->buffer_at. */
if (file->offset + res < next_buf)
{
Index: grub-2.04~rc1/grub-core/kern/efi/efi.c
Index: grub-2.04/grub-core/kern/efi/efi.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/kern/efi/efi.c
+++ grub-2.04~rc1/grub-core/kern/efi/efi.c
--- grub-2.04.orig/grub-core/kern/efi/efi.c
+++ grub-2.04/grub-core/kern/efi/efi.c
@@ -722,7 +722,7 @@ grub_efi_print_device_path (grub_efi_dev
{
grub_efi_ipv4_device_path_t *ipv4
@ -226,10 +232,10 @@ Index: grub-2.04~rc1/grub-core/kern/efi/efi.c
default:
grub_printf ("/UnknownMessaging(%x)", (unsigned) subtype);
break;
Index: grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c
Index: grub-2.04/grub-core/net/drivers/efi/efinet.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/net/drivers/efi/efinet.c
+++ grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c
--- grub-2.04.orig/grub-core/net/drivers/efi/efinet.c
+++ grub-2.04/grub-core/net/drivers/efi/efinet.c
@@ -24,6 +24,7 @@
#include <grub/efi/efi.h>
#include <grub/i18n.h>
@ -298,11 +304,11 @@ Index: grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c
+ grub_efi_net_config = NULL;
}
Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
Index: grub-2.04/grub-core/net/efi/dhcp.c
===================================================================
--- /dev/null
+++ grub-2.04~rc1/grub-core/net/efi/dhcp.c
@@ -0,0 +1,397 @@
+++ grub-2.04/grub-core/net/efi/dhcp.c
@@ -0,0 +1,399 @@
+#include <grub/mm.h>
+#include <grub/command.h>
+#include <grub/efi/api.h>
@ -385,7 +391,7 @@ Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
+ if (status != GRUB_EFI_BUFFER_TOO_SMALL)
+ return NULL;
+
+ option_list = grub_malloc (option_count * sizeof(*option_list));
+ option_list = grub_calloc (option_count, sizeof(*option_list));
+ if (!option_list)
+ return NULL;
+
@ -665,7 +671,9 @@ Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
+
+ if (status == GRUB_EFI_BUFFER_TOO_SMALL && count)
+ {
+ options = grub_malloc (count * sizeof(*options));
+ options = grub_calloc (count, sizeof(*options));
+ if (!options)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ status = efi_call_4 (dev->dhcp6->parse, dev->dhcp6, mode.ia->reply_packet, &count, options);
+ }
+
@ -700,17 +708,18 @@ Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c
+
+grub_command_func_t grub_efi_net_bootp = grub_cmd_efi_bootp;
+grub_command_func_t grub_efi_net_bootp6 = grub_cmd_efi_bootp6;
Index: grub-2.04~rc1/grub-core/net/efi/http.c
Index: grub-2.04/grub-core/net/efi/http.c
===================================================================
--- /dev/null
+++ grub-2.04~rc1/grub-core/net/efi/http.c
@@ -0,0 +1,419 @@
+++ grub-2.04/grub-core/net/efi/http.c
@@ -0,0 +1,424 @@
+
+#include <grub/efi/api.h>
+#include <grub/efi/efi.h>
+#include <grub/misc.h>
+#include <grub/net/efi.h>
+#include <grub/charset.h>
+#include <grub/safemath.h>
+
+static void
+http_configure (struct grub_efi_net_device *dev, int prefer_ip6)
@ -835,6 +844,7 @@ Index: grub-2.04~rc1/grub-core/net/efi/http.c
+ grub_efi_char16_t *ucs2_url;
+ grub_size_t url_len, ucs2_url_len;
+ const char *protocol = (use_https == 1) ? "https" : "http";
+ grub_size_t sz;
+
+ if (grub_efi_string_to_ip6_address (server, &address, &rest) && *rest == 0)
+ url = grub_xasprintf ("%s://[%s]%s", protocol, server, name);
@ -847,8 +857,11 @@ Index: grub-2.04~rc1/grub-core/net/efi/http.c
+ }
+
+ url_len = grub_strlen (url);
+ ucs2_url_len = url_len * GRUB_MAX_UTF16_PER_UTF8;
+ ucs2_url = grub_malloc ((ucs2_url_len + 1) * sizeof (ucs2_url[0]));
+ if (grub_mul (url_len, GRUB_MAX_UTF16_PER_UTF8, &ucs2_url_len) ||
+ grub_add (ucs2_url_len, 1, &sz))
+ return GRUB_ERR_OUT_OF_RANGE;
+
+ ucs2_url = grub_calloc (sz, sizeof (ucs2_url[0]));
+
+ if (!ucs2_url)
+ {
@ -1124,26 +1137,30 @@ Index: grub-2.04~rc1/grub-core/net/efi/http.c
+ .read = grub_efihttp_read,
+ .close = grub_efihttp_close
+ };
Index: grub-2.04~rc1/grub-core/net/efi/ip4_config.c
Index: grub-2.04/grub-core/net/efi/ip4_config.c
===================================================================
--- /dev/null
+++ grub-2.04~rc1/grub-core/net/efi/ip4_config.c
@@ -0,0 +1,398 @@
+++ grub-2.04/grub-core/net/efi/ip4_config.c
@@ -0,0 +1,409 @@
+
+#include <grub/efi/api.h>
+#include <grub/efi/efi.h>
+#include <grub/misc.h>
+#include <grub/net/efi.h>
+#include <grub/charset.h>
+#include <grub/safemath.h>
+
+char *
+grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_address_t hw_address)
+{
+ char *hw_addr, *p;
+ int sz, s;
+ int s;
+ int i;
+ grub_size_t sz;
+
+ sz = (int)hw_address_size * (sizeof ("XX:") - 1) + 1;
+ if (grub_mul (hw_address_size, sizeof ("XX:") - 1, &sz) ||
+ grub_add (sz, 1, &sz))
+ return NULL;
+
+ hw_addr = grub_malloc (sz);
+ if (!hw_addr)
@ -1359,12 +1376,19 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip4_config.c
+ grub_efi_ip4_config2_interface_info_t *interface_info;
+ char **ret;
+ int i, id;
+ grub_size_t sz;
+
+ interface_info = efi_ip4_config_interface_info (dev->ip4_config);
+ if (!interface_info)
+ return NULL;
+
+ ret = grub_malloc (sizeof (*ret) * (interface_info->route_table_size + 1));
+ if (grub_add (interface_info->route_table_size, 1, &sz))
+ {
+ grub_free (interface_info);
+ return NULL;
+ }
+
+ ret = grub_calloc (sz, sizeof (*ret));
+
+ if (!ret)
+ {
@ -1527,16 +1551,17 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip4_config.c
+ .set_gateway = grub_efi_ip4_interface_set_gateway,
+ .set_dns = grub_efi_ip4_interface_set_dns
+ };
Index: grub-2.04~rc1/grub-core/net/efi/ip6_config.c
Index: grub-2.04/grub-core/net/efi/ip6_config.c
===================================================================
--- /dev/null
+++ grub-2.04~rc1/grub-core/net/efi/ip6_config.c
@@ -0,0 +1,422 @@
+++ grub-2.04/grub-core/net/efi/ip6_config.c
@@ -0,0 +1,430 @@
+#include <grub/efi/api.h>
+#include <grub/efi/efi.h>
+#include <grub/misc.h>
+#include <grub/net/efi.h>
+#include <grub/charset.h>
+#include <grub/safemath.h>
+
+char *
+grub_efi_ip6_address_to_string (grub_efi_pxe_ipv6_address_t *address)
@ -1763,12 +1788,19 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip6_config.c
+ grub_efi_ip6_config_interface_info_t *interface_info;
+ char **ret;
+ int i, id;
+ grub_size_t sz;
+
+ interface_info = efi_ip6_config_interface_info (dev->ip6_config);
+ if (!interface_info)
+ return NULL;
+
+ ret = grub_malloc (sizeof (*ret) * (interface_info->route_count + 1));
+ if (grub_add (interface_info->route_count, 1, &sz))
+ {
+ grub_free (interface_info);
+ return NULL;
+ }
+
+ ret = grub_calloc (sz, sizeof (*ret));
+
+ if (!ret)
+ {
@ -1954,11 +1986,11 @@ Index: grub-2.04~rc1/grub-core/net/efi/ip6_config.c
+ .set_gateway = grub_efi_ip6_interface_set_gateway,
+ .set_dns = grub_efi_ip6_interface_set_dns
+ };
Index: grub-2.04~rc1/grub-core/net/efi/net.c
Index: grub-2.04/grub-core/net/efi/net.c
===================================================================
--- /dev/null
+++ grub-2.04~rc1/grub-core/net/efi/net.c
@@ -0,0 +1,1428 @@
+++ grub-2.04/grub-core/net/efi/net.c
@@ -0,0 +1,1437 @@
+#include <grub/net.h>
+#include <grub/env.h>
+#include <grub/mm.h>
@ -1973,6 +2005,7 @@ Index: grub-2.04~rc1/grub-core/net/efi/net.c
+#include <grub/efi/dhcp.h>
+#include <grub/net/efi.h>
+#include <grub/charset.h>
+#include <grub/safemath.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
@ -2198,7 +2231,15 @@ Index: grub-2.04~rc1/grub-core/net/efi/net.c
+
+ if (code == GRUB_NET_DHCP6_OPTION_BOOTFILE_URL)
+ {
+ char *url = grub_malloc (len + 1);
+ char *url;
+ grub_size_t sz;
+
+ if (grub_add (len, 1, &sz))
+ return;
+
+ url = grub_malloc (sz);
+ if (!url)
+ return;
+
+ grub_memcpy (url, dhcp_opt->data, len);
+ url[len] = 0;
@ -3387,10 +3428,10 @@ Index: grub-2.04~rc1/grub-core/net/efi/net.c
+ grub_net_open = NULL;
+ grub_fs_unregister (&grub_efi_netfs);
+}
Index: grub-2.04~rc1/grub-core/net/efi/pxe.c
Index: grub-2.04/grub-core/net/efi/pxe.c
===================================================================
--- /dev/null
+++ grub-2.04~rc1/grub-core/net/efi/pxe.c
+++ grub-2.04/grub-core/net/efi/pxe.c
@@ -0,0 +1,424 @@
+
+#include <grub/efi/api.h>
@ -3816,10 +3857,10 @@ Index: grub-2.04~rc1/grub-core/net/efi/pxe.c
+ .close = pxe_close
+ };
+
Index: grub-2.04~rc1/grub-core/net/net.c
Index: grub-2.04/grub-core/net/net.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/net/net.c
+++ grub-2.04~rc1/grub-core/net/net.c
--- grub-2.04.orig/grub-core/net/net.c
+++ grub-2.04/grub-core/net/net.c
@@ -32,6 +32,9 @@
#include <grub/loader.h>
#include <grub/bufio.h>
@ -3926,10 +3967,10 @@ Index: grub-2.04~rc1/grub-core/net/net.c
+ init_mode = INIT_MODE_NONE;
+#endif
}
Index: grub-2.04~rc1/include/grub/efi/api.h
Index: grub-2.04/include/grub/efi/api.h
===================================================================
--- grub-2.04~rc1.orig/include/grub/efi/api.h
+++ grub-2.04~rc1/include/grub/efi/api.h
--- grub-2.04.orig/include/grub/efi/api.h
+++ grub-2.04/include/grub/efi/api.h
@@ -588,6 +588,23 @@ typedef grub_uint16_t grub_efi_ipv6_addr
typedef grub_uint8_t grub_efi_ip_address_t[8] __attribute__ ((aligned(4)));
typedef grub_efi_uint64_t grub_efi_physical_address_t;
@ -4177,10 +4218,10 @@ Index: grub-2.04~rc1/include/grub/efi/api.h
#if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
|| defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) \
|| defined(__riscv)
Index: grub-2.04~rc1/include/grub/efi/dhcp.h
Index: grub-2.04/include/grub/efi/dhcp.h
===================================================================
--- /dev/null
+++ grub-2.04~rc1/include/grub/efi/dhcp.h
+++ grub-2.04/include/grub/efi/dhcp.h
@@ -0,0 +1,343 @@
+#ifndef GRUB_EFI_DHCP_HEADER
+#define GRUB_EFI_DHCP_HEADER 1
@ -4525,10 +4566,10 @@ Index: grub-2.04~rc1/include/grub/efi/dhcp.h
+};
+
+#endif /* ! GRUB_EFI_DHCP_HEADER */
Index: grub-2.04~rc1/include/grub/efi/http.h
Index: grub-2.04/include/grub/efi/http.h
===================================================================
--- /dev/null
+++ grub-2.04~rc1/include/grub/efi/http.h
+++ grub-2.04/include/grub/efi/http.h
@@ -0,0 +1,215 @@
+/*
+ * GRUB -- GRand Unified Bootloader
@ -4745,10 +4786,10 @@ Index: grub-2.04~rc1/include/grub/efi/http.h
+typedef struct grub_efi_http grub_efi_http_t;
+
+#endif /* !GRUB_EFI_HTTP_HEADER */
Index: grub-2.04~rc1/include/grub/net/efi.h
Index: grub-2.04/include/grub/net/efi.h
===================================================================
--- /dev/null
+++ grub-2.04~rc1/include/grub/net/efi.h
+++ grub-2.04/include/grub/net/efi.h
@@ -0,0 +1,144 @@
+#ifndef GRUB_NET_EFI_HEADER
+#define GRUB_NET_EFI_HEADER 1

View File

@ -0,0 +1,67 @@
From a948ac01744f3490fa5af4b38039f7dade68bb3e Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 15 Apr 2020 15:45:02 -0400
Subject: [PATCH EMBARGOED CVE-2020-10713] yylex: Make lexer fatal errors
actually be fatal
When presented with a command that can't be tokenized to anything
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
expecting that will stop further processing, as such:
#define YY_DO_BEFORE_ACTION \
yyg->yytext_ptr = yy_bp; \
yyleng = (int) (yy_cp - yy_bp); \
yyg->yy_hold_char = *yy_cp; \
*yy_cp = '\0'; \
if ( yyleng >= YYLMAX ) \
YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
yyg->yy_c_buf_p = yy_cp;
The code flex generates expects that YY_FATAL_ERROR() will either return
for it or do some form of longjmp(), or handle the error in some way at
least, and so the strncpy() call isn't in an "else" clause, and thus if
YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
questionable limit, and predictable results ensue.
Unfortunately, our implementation of YY_FATAL_ERROR() is:
#define YY_FATAL_ERROR(msg) \
do { \
grub_printf (_("fatal error: %s\n"), _(msg)); \
} while (0)
The same pattern exists in yyless(), and similar problems exist in users
of YY_INPUT(), several places in the main parsing loop,
yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
yy_scan_buffer(), etc.
All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
the things they do if it returns after calling it are wildly unsafe.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/script/yylex.l | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
index 7b44c37b7..b7203c823 100644
--- a/grub-core/script/yylex.l
+++ b/grub-core/script/yylex.l
@@ -37,11 +37,11 @@
/*
* As we don't have access to yyscanner, we cannot do much except to
- * print the fatal error.
+ * print the fatal error and exit.
*/
#define YY_FATAL_ERROR(msg) \
do { \
- grub_printf (_("fatal error: %s\n"), _(msg)); \
+ grub_fatal (_("fatal error: %s\n"), _(msg));\
} while (0)
#define COPY(str, hint) \
--
2.11.0

View File

@ -0,0 +1,123 @@
From de1c315841aa6f37357c72e196810484013291d6 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 10:58:42 -0400
Subject: [PATCH 2/7] safemath: Add some arithmetic primitives that check for
overflow
This adds a new header, include/grub/safemath.h, that includes easy to
use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
bool OP(a, b, res)
where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
case where the operation would overflow and res is not modified.
Otherwise, false is returned and the operation is executed.
These arithmetic primitives require newer compiler versions. So, bump
these requirements in the INSTALL file too.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
INSTALL | 22 ++--------------------
include/grub/compiler.h | 8 ++++++++
include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 47 insertions(+), 20 deletions(-)
create mode 100644 include/grub/safemath.h
diff --git a/INSTALL b/INSTALL
index dedf236a8..79a0af7d9 100644
--- a/INSTALL
+++ b/INSTALL
@@ -11,27 +11,9 @@ GRUB depends on some software packages installed into your system. If
you don't have any of them, please obtain and install them before
configuring the GRUB.
-* GCC 4.1.3 or later
- Note: older versions may work but support is limited
-
- Experimental support for clang 3.3 or later (results in much bigger binaries)
+* GCC 5.1.0 or later
+ Experimental support for clang 3.8.0 or later (results in much bigger binaries)
for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
- Note: clang 3.2 or later works for i386 and x86_64 targets but results in
- much bigger binaries.
- earlier versions not tested
- Note: clang 3.2 or later works for arm
- earlier versions not tested
- Note: clang on arm64 is not supported due to
- https://llvm.org/bugs/show_bug.cgi?id=26030
- Note: clang 3.3 or later works for mips(el)
- earlier versions fail to generate .reginfo and hence gprel relocations
- fail.
- Note: clang 3.2 or later works for powerpc
- earlier versions not tested
- Note: clang 3.5 or later works for sparc64
- earlier versions return "error: unable to interface with target machine"
- Note: clang has no support for ia64 and hence you can't compile GRUB
- for ia64 with clang
* GNU Make
* GNU Bison 2.3 or later
* GNU gettext 0.17 or later
diff --git a/include/grub/compiler.h b/include/grub/compiler.h
index c9e1d7a73..8f3be3ae7 100644
--- a/include/grub/compiler.h
+++ b/include/grub/compiler.h
@@ -48,4 +48,12 @@
# define WARN_UNUSED_RESULT
#endif
+#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
+# define CLANG_PREREQ(maj,min) \
+ ((__clang_major__ > (maj)) || \
+ (__clang_major__ == (maj) && __clang_minor__ >= (min)))
+#else
+# define CLANG_PREREQ(maj,min) 0
+#endif
+
#endif /* ! GRUB_COMPILER_HEADER */
diff --git a/include/grub/safemath.h b/include/grub/safemath.h
new file mode 100644
index 000000000..c17b89bba
--- /dev/null
+++ b/include/grub/safemath.h
@@ -0,0 +1,37 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2020 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Arithmetic operations that protect against overflow.
+ */
+
+#ifndef GRUB_SAFEMATH_H
+#define GRUB_SAFEMATH_H 1
+
+#include <grub/compiler.h>
+
+/* These appear in gcc 5.1 and clang 3.8. */
+#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
+
+#define grub_add(a, b, res) __builtin_add_overflow(a, b, res)
+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
+#else
+#error gcc 5.1 or newer or clang 3.8 or newer is required
+#endif
+
+#endif /* GRUB_SAFEMATH_H */
--
2.27.0

View File

@ -8,16 +8,21 @@ DHCPv6 protocol (RFC3315).
Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Ken Lin <ken.lin@hpe.com>
V1:
* Use grub_calloc for overflow check and return NULL when it would
occur.
---
grub-core/net/bootp.c | 908 +++++++++++++++++++++++++++++++++++++++++++++++++-
grub-core/net/ip.c | 39 +++
include/grub/net.h | 72 ++++
3 files changed, 1018 insertions(+), 1 deletion(-)
Index: grub-2.04~rc1/grub-core/net/bootp.c
Index: grub-2.04/grub-core/net/bootp.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/net/bootp.c
+++ grub-2.04~rc1/grub-core/net/bootp.c
--- grub-2.04.orig/grub-core/net/bootp.c
+++ grub-2.04/grub-core/net/bootp.c
@@ -24,6 +24,98 @@
#include <grub/net/netbuff.h>
#include <grub/net/udp.h>
@ -265,7 +270,7 @@ Index: grub-2.04~rc1/grub-core/net/bootp.c
+ break;
+ }
+ dhcp6->num_dns_server = ln = len >> 4;
+ dhcp6->dns_server_addrs = la = grub_zalloc (ln * sizeof (*la));
+ dhcp6->dns_server_addrs = la = grub_calloc (ln, sizeof (*la));
+
+ for (po = opt->data; ln > 0; po += 0x10, la++, ln--)
+ {
@ -966,10 +971,10 @@ Index: grub-2.04~rc1/grub-core/net/bootp.c
grub_unregister_command (cmd_dhcp);
+ grub_unregister_command (cmd_bootp6);
}
Index: grub-2.04~rc1/grub-core/net/ip.c
Index: grub-2.04/grub-core/net/ip.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/net/ip.c
+++ grub-2.04~rc1/grub-core/net/ip.c
--- grub-2.04.orig/grub-core/net/ip.c
+++ grub-2.04/grub-core/net/ip.c
@@ -239,6 +239,45 @@ handle_dgram (struct grub_net_buff *nb,
{
struct udphdr *udph;
@ -1016,10 +1021,10 @@ Index: grub-2.04~rc1/grub-core/net/ip.c
if (proto == GRUB_NET_IP_UDP && grub_be_to_cpu16 (udph->dst) == 68)
{
const struct grub_net_bootp_packet *bootp;
Index: grub-2.04~rc1/include/grub/net.h
Index: grub-2.04/include/grub/net.h
===================================================================
--- grub-2.04~rc1.orig/include/grub/net.h
+++ grub-2.04~rc1/include/grub/net.h
--- grub-2.04.orig/include/grub/net.h
+++ grub-2.04/include/grub/net.h
@@ -448,6 +448,66 @@ struct grub_net_bootp_packet
grub_uint8_t vendor[0];
} GRUB_PACKED;

View File

@ -0,0 +1,239 @@
From 79e51ab7a9a56f60a14f89ef047fd669977b99d1 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 12:15:29 -0400
Subject: [PATCH 3/7] calloc: Make sure we always have an overflow-checking
calloc() available
This tries to make sure that everywhere in this source tree, we always have
an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
available, and that they all safely check for overflow and return NULL when
it would occur.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/emu/misc.c | 12 +++++++++
grub-core/kern/emu/mm.c | 10 ++++++++
grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++
grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++--
grub-core/lib/posix_wrap/stdlib.h | 8 +++++-
include/grub/emu/misc.h | 1 +
include/grub/mm.h | 6 +++++
7 files changed, 85 insertions(+), 3 deletions(-)
Index: grub-2.04/grub-core/kern/emu/misc.c
===================================================================
--- grub-2.04.orig/grub-core/kern/emu/misc.c
+++ grub-2.04/grub-core/kern/emu/misc.c
@@ -87,6 +87,18 @@ grub_util_error (const char *fmt, ...)
}
void *
+xcalloc (grub_size_t nmemb, grub_size_t size)
+{
+ void *p;
+
+ p = calloc (nmemb, size);
+ if (!p)
+ grub_util_error ("%s", _("out of memory"));
+
+ return p;
+}
+
+void *
xmalloc (grub_size_t size)
{
void *p;
Index: grub-2.04/grub-core/kern/emu/mm.c
===================================================================
--- grub-2.04.orig/grub-core/kern/emu/mm.c
+++ grub-2.04/grub-core/kern/emu/mm.c
@@ -26,6 +26,16 @@
#include <grub/i18n.h>
void *
+grub_calloc (grub_size_t nmemb, grub_size_t size)
+{
+ void *ret;
+ ret = calloc (nmemb, size);
+ if (!ret)
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
+ return ret;
+}
+
+void *
grub_malloc (grub_size_t size)
{
void *ret;
Index: grub-2.04/grub-core/kern/mm.c
===================================================================
--- grub-2.04.orig/grub-core/kern/mm.c
+++ grub-2.04/grub-core/kern/mm.c
@@ -67,8 +67,10 @@
#include <grub/dl.h>
#include <grub/i18n.h>
#include <grub/mm_private.h>
+#include <grub/safemath.h>
#ifdef MM_DEBUG
+# undef grub_calloc
# undef grub_malloc
# undef grub_zalloc
# undef grub_realloc
@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_s
return 0;
}
+/*
+ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
+ * integer overflow.
+ */
+void *
+grub_calloc (grub_size_t nmemb, grub_size_t size)
+{
+ void *ret;
+ grub_size_t sz = 0;
+
+ if (grub_mul (nmemb, size, &sz))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ return NULL;
+ }
+
+ ret = grub_memalign (0, sz);
+ if (!ret)
+ return NULL;
+
+ grub_memset (ret, 0, sz);
+ return ret;
+}
+
/* Allocate SIZE bytes and return the pointer. */
void *
grub_malloc (grub_size_t size)
@@ -562,6 +588,20 @@ grub_mm_dump (unsigned lineno)
}
void *
+grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
+{
+ void *ptr;
+
+ if (grub_mm_debug)
+ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
+ file, line, size);
+ ptr = grub_calloc (nmemb, size);
+ if (grub_mm_debug)
+ grub_printf ("%p\n", ptr);
+ return ptr;
+}
+
+void *
grub_debug_malloc (const char *file, int line, grub_size_t size)
{
void *ptr;
Index: grub-2.04/grub-core/lib/libgcrypt_wrap/mem.c
===================================================================
--- grub-2.04.orig/grub-core/lib/libgcrypt_wrap/mem.c
+++ grub-2.04/grub-core/lib/libgcrypt_wrap/mem.c
@@ -4,6 +4,7 @@
#include <grub/crypto.h>
#include <grub/dl.h>
#include <grub/env.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -36,7 +37,10 @@ void *
gcry_xcalloc (size_t n, size_t m)
{
void *ret;
- ret = grub_zalloc (n * m);
+ size_t sz;
+ if (grub_mul (n, m, &sz))
+ grub_fatal ("gcry_xcalloc would overflow");
+ ret = grub_zalloc (sz);
if (!ret)
grub_fatal ("gcry_xcalloc failed");
return ret;
@@ -56,7 +60,10 @@ void *
gcry_xcalloc_secure (size_t n, size_t m)
{
void *ret;
- ret = grub_zalloc (n * m);
+ size_t sz;
+ if (grub_mul (n, m, &sz))
+ grub_fatal ("gcry_xcalloc would overflow");
+ ret = grub_zalloc (sz);
if (!ret)
grub_fatal ("gcry_xcalloc failed");
return ret;
Index: grub-2.04/grub-core/lib/posix_wrap/stdlib.h
===================================================================
--- grub-2.04.orig/grub-core/lib/posix_wrap/stdlib.h
+++ grub-2.04/grub-core/lib/posix_wrap/stdlib.h
@@ -21,6 +21,7 @@
#include <grub/mm.h>
#include <grub/misc.h>
+#include <grub/safemath.h>
static inline void
free (void *ptr)
@@ -37,7 +38,12 @@ malloc (grub_size_t size)
static inline void *
calloc (grub_size_t size, grub_size_t nelem)
{
- return grub_zalloc (size * nelem);
+ grub_size_t sz;
+
+ if (grub_mul (size, nelem, &sz))
+ return NULL;
+
+ return grub_zalloc (sz);
}
static inline void *
Index: grub-2.04/include/grub/emu/misc.h
===================================================================
--- grub-2.04.orig/include/grub/emu/misc.h
+++ grub-2.04/include/grub/emu/misc.h
@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *
#define GRUB_HOST_PRIuLONG_LONG "llu"
#define GRUB_HOST_PRIxLONG_LONG "llx"
+void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
Index: grub-2.04/include/grub/mm.h
===================================================================
--- grub-2.04.orig/include/grub/mm.h
+++ grub-2.04/include/grub/mm.h
@@ -29,6 +29,7 @@
#endif
void grub_mm_init_region (void *addr, grub_size_t size);
+void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
void EXPORT_FUNC(grub_free) (void *ptr);
@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
void grub_mm_dump_free (void);
void grub_mm_dump (unsigned lineno);
+#define grub_calloc(nmemb, size) \
+ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
+
#define grub_malloc(size) \
grub_debug_malloc (GRUB_FILE, __LINE__, size)
@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
#define grub_free(ptr) \
grub_debug_free (GRUB_FILE, __LINE__, ptr)
+void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
+ grub_size_t nmemb, grub_size_t size);
void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
grub_size_t size);
void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,67 @@
From 30508bd4692d2e022eff2e7f9c4be9f8abf57977 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 4 Jul 2020 12:25:09 -0400
Subject: [PATCH 6/7] iso9660: Don't leak memory on realloc() failures
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 7ba5b300b..5ec4433b8 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
{
int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
grub_size_t sz;
+ char *new;
if (grub_add (size, len2, &sz) ||
grub_add (sz, 1, &sz))
return;
- ctx->symlink = grub_realloc (ctx->symlink, sz);
- if (! ctx->symlink)
- return;
+ new = grub_realloc (ctx->symlink, sz);
+ if (!new)
+ {
+ grub_free (ctx->symlink);
+ ctx->symlink = NULL;
+ return;
+ }
+ ctx->symlink = new;
grub_memcpy (ctx->symlink + size, part, len2);
ctx->symlink[size + len2] = 0;
@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
is the length. Both are part of the `Component
Record'. */
if (ctx->symlink && !ctx->was_continue)
- add_part (ctx, "/", 1);
+ {
+ add_part (ctx, "/", 1);
+ if (grub_errno)
+ return grub_errno;
+ }
+
add_part (ctx, (char *) &entry->data[pos + 2],
entry->data[pos + 1]);
ctx->was_continue = (entry->data[pos] & 1);
@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
add_part (ctx, "/", 1);
break;
}
+
+ /* Check if grub_realloc() failed in add_part(). */
+ if (grub_errno)
+ return grub_errno;
+
/* In pos + 1 the length of the `Component Record' is
stored. */
pos += entry->data[pos + 1] + 2;
--
2.27.0

View File

@ -0,0 +1,35 @@
From e2b5230126b340e1d88a079cd6a5c22dd4c00682 Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Tue, 7 Jul 2020 15:36:26 +0200
Subject: [PATCH 7/7] font: Do not load more than one NAME section
The GRUB font file can have one NAME section only. Though if somebody
crafts a broken font file with many NAME sections and loads it then the
GRUB leaks memory. So, prevent against that by loading first NAME
section and failing in controlled way on following one.
Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/font/font.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 5edb477ac..d09bb38d8 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
{
+ if (font->name != NULL)
+ {
+ grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
+ goto fail;
+ }
+
font->name = read_section_as_string (&section);
if (!font->name)
goto fail;
--
2.27.0

View File

@ -0,0 +1,33 @@
From 1804acfd35cff2aab9ec9dc586f74f5e3aa83ef2 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 10 Jul 2020 11:21:14 +0100
Subject: [PATCH 18/27] script: Remove unused fields from grub_script_function
struct
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
include/grub/script_sh.h | 5 -----
1 file changed, 5 deletions(-)
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
index 360c2be1f..b382bcf09 100644
--- a/include/grub/script_sh.h
+++ b/include/grub/script_sh.h
@@ -359,13 +359,8 @@ struct grub_script_function
/* The script function. */
struct grub_script *func;
- /* The flags. */
- unsigned flags;
-
/* The next element. */
struct grub_script_function *next;
-
- int references;
};
typedef struct grub_script_function *grub_script_function_t;
--
2.27.0

View File

@ -0,0 +1,107 @@
From 809f3a26897f5f648325c5741e72dc1b3db828ee Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 10 Jul 2020 14:41:45 +0100
Subject: [PATCH 19/27] script: Avoid a use-after-free when redefining a
function during execution
Defining a new function with the same name as a previously defined
function causes the grub_script and associated resources for the
previous function to be freed. If the previous function is currently
executing when a function with the same name is defined, this results
in use-after-frees when processing subsequent commands in the original
function.
Instead, reject a new function definition if it has the same name as
a previously defined function, and that function is currently being
executed. Although a behavioural change, this should be backwards
compatible with existing configurations because they can't be
dependent on the current behaviour without being broken.
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/script/execute.c | 2 ++
grub-core/script/function.c | 16 +++++++++++++---
grub-core/script/parser.y | 3 ++-
include/grub/script_sh.h | 2 ++
4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index 8a9161cc8..ce83edd4b 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
old_scope = scope;
scope = &new_scope;
+ func->executing++;
ret = grub_script_execute (func->func);
+ func->executing--;
function_return = 0;
active_loops = loops;
diff --git a/grub-core/script/function.c b/grub-core/script/function.c
index d36655e51..3aad04bf9 100644
--- a/grub-core/script/function.c
+++ b/grub-core/script/function.c
@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
func = (grub_script_function_t) grub_malloc (sizeof (*func));
if (! func)
return 0;
+ func->executing = 0;
func->name = grub_strdup (functionname_arg->str);
if (! func->name)
@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
grub_script_function_t q;
q = *p;
- grub_script_free (q->func);
- q->func = cmd;
grub_free (func);
- func = q;
+ if (q->executing > 0)
+ {
+ grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("attempt to redefine a function being executed"));
+ func = NULL;
+ }
+ else
+ {
+ grub_script_free (q->func);
+ q->func = cmd;
+ func = q;
+ }
}
else
{
diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
index 4f0ab8319..f80b86b6f 100644
--- a/grub-core/script/parser.y
+++ b/grub-core/script/parser.y
@@ -289,7 +289,8 @@ function: "function" "name"
grub_script_mem_free (state->func_mem);
else {
script->children = state->scripts;
- grub_script_function_create ($2, script);
+ if (!grub_script_function_create ($2, script))
+ grub_script_free (script);
}
state->scripts = $<scripts>3;
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
index b382bcf09..6c48e0751 100644
--- a/include/grub/script_sh.h
+++ b/include/grub/script_sh.h
@@ -361,6 +361,8 @@ struct grub_script_function
/* The next element. */
struct grub_script_function *next;
+
+ unsigned executing;
};
typedef struct grub_script_function *grub_script_function_t;
--
2.27.0

View File

@ -0,0 +1,164 @@
commit a59b854381d1148d32f74fbb9cf0f384972a5b4b
Author: Colin Watson <cjwatson@debian.org>
Date: Sat Jul 25 12:15:37 2020 +0100
linux: Fix integer overflows in initrd size handling
These could be triggered by a crafted filesystem with very large files.
Fixes: CVE-2020-15707
Signed-off-by: Colin Watson <cjwatson@debian.org>
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 25624ebc1..e9f819ee9 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -4,6 +4,7 @@
#include <grub/misc.h>
#include <grub/file.h>
#include <grub/mm.h>
+#include <grub/safemath.h>
struct newc_head
{
@@ -98,13 +99,13 @@ free_dir (struct dir *root)
grub_free (root);
}
-static grub_size_t
+static grub_err_t
insert_dir (const char *name, struct dir **root,
- grub_uint8_t *ptr)
+ grub_uint8_t *ptr, grub_size_t *size)
{
struct dir *cur, **head = root;
const char *cb, *ce = name;
- grub_size_t size = 0;
+ *size = 0;
while (1)
{
for (cb = ce; *cb == '/'; cb++);
@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
ptr = make_header (ptr, name, ce - name,
040777, 0);
}
- size += ALIGN_UP ((ce - (char *) name)
- + sizeof (struct newc_head), 4);
+ if (grub_add (*size,
+ ALIGN_UP ((ce - (char *) name)
+ + sizeof (struct newc_head), 4),
+ size))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ grub_free (n->name);
+ grub_free (n);
+ return grub_errno;
+ }
*head = n;
cur = n;
}
root = &cur->next;
}
- return size;
+ return GRUB_ERR_NONE;
}
grub_err_t
@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
eptr = grub_strchr (ptr, ':');
if (eptr)
{
+ grub_size_t dir_size, name_len;
+
initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
- if (!initrd_ctx->components[i].newc_name)
+ if (!initrd_ctx->components[i].newc_name ||
+ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
+ &dir_size))
{
grub_initrd_close (initrd_ctx);
return grub_errno;
}
- initrd_ctx->size
- += ALIGN_UP (sizeof (struct newc_head)
- + grub_strlen (initrd_ctx->components[i].newc_name),
- 4);
- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
- &root, 0);
+ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
+ &initrd_ctx->size) ||
+ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
+ goto overflow;
newc = 1;
fname = eptr + 1;
}
}
else if (newc)
{
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
- + sizeof ("TRAILER!!!") - 1, 4);
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head)
+ + sizeof ("TRAILER!!!") - 1, 4),
+ &initrd_ctx->size))
+ goto overflow;
free_dir (root);
root = 0;
newc = 0;
@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
initrd_ctx->nfiles++;
initrd_ctx->components[i].size
= grub_file_size (initrd_ctx->components[i].file);
- initrd_ctx->size += initrd_ctx->components[i].size;
+ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
+ &initrd_ctx->size))
+ goto overflow;
}
if (newc)
{
initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
- + sizeof ("TRAILER!!!") - 1, 4);
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head)
+ + sizeof ("TRAILER!!!") - 1, 4),
+ &initrd_ctx->size))
+ goto overflow;
free_dir (root);
root = 0;
}
return GRUB_ERR_NONE;
+
+overflow:
+ free_dir (root);
+ grub_initrd_close (initrd_ctx);
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
}
grub_size_t
@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
if (initrd_ctx->components[i].newc_name)
{
- ptr += insert_dir (initrd_ctx->components[i].newc_name,
- &root, ptr);
+ grub_size_t dir_size;
+
+ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
+ &dir_size))
+ {
+ free_dir (root);
+ grub_initrd_close (initrd_ctx);
+ return grub_errno;
+ }
+ ptr += dir_size;
ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
grub_strlen (initrd_ctx->components[i].newc_name),
0100777,

View File

@ -16,15 +16,20 @@ It is possible to boot into a separate GRUB instance by exporting the
variable and loading the config file from the subvolume.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
V1:
* Use overflow checking primitives where the arithmetic expression for
buffer allocations may include unvalidated data
---
grub-core/fs/btrfs.c | 529 +++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 518 insertions(+), 11 deletions(-)
Index: grub-2.04~rc1/grub-core/fs/btrfs.c
Index: grub-2.04/grub-core/fs/btrfs.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/fs/btrfs.c
+++ grub-2.04~rc1/grub-core/fs/btrfs.c
--- grub-2.04.orig/grub-core/fs/btrfs.c
+++ grub-2.04/grub-core/fs/btrfs.c
@@ -40,6 +40,9 @@
#include <grub/btrfs.h>
#include <grub/crypto.h>
@ -164,7 +169,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
return data;
}
@@ -1654,6 +1739,91 @@ get_root (struct grub_btrfs_data *data,
@@ -1654,6 +1739,98 @@ get_root (struct grub_btrfs_data *data,
}
static grub_err_t
@ -207,8 +212,12 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
+ key_out.object_id != key_out.offset) {
+ struct grub_btrfs_inode_ref *inode_ref;
+ char *new;
+ grub_size_t sz;
+
+ inode_ref = grub_malloc(elemsize + 1);
+ if (grub_add (elemsize, 1, &sz))
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+
+ inode_ref = grub_malloc(sz);
+ if (!inode_ref)
+ return grub_error(GRUB_ERR_OUT_OF_MEMORY,
+ "couldn't allocate memory for inode_ref (%"PRIuGRUB_SIZE")\n", elemsize);
@ -217,7 +226,10 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
+ if (err)
+ return grub_error(err, "read_logical caught %d\n", err);
+
+ alloc += grub_le_to_cpu16 (inode_ref->n) + 2;
+ if (grub_add (grub_le_to_cpu16 (inode_ref->n), 2, &sz) ||
+ grub_add (alloc, sz, &alloc))
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+
+ new = grub_malloc(alloc);
+ if (!new)
+ return grub_error(GRUB_ERR_OUT_OF_MEMORY,
@ -256,7 +268,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
find_path (struct grub_btrfs_data *data,
const char *path, struct grub_btrfs_key *key,
grub_uint64_t *tree, grub_uint8_t *type)
@@ -1671,14 +1841,26 @@ find_path (struct grub_btrfs_data *data,
@@ -1671,14 +1848,26 @@ find_path (struct grub_btrfs_data *data,
char *origpath = NULL;
unsigned symlinks_max = 32;
@ -287,7 +299,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
while (1)
{
while (path[0] == '/')
@@ -1851,9 +2033,21 @@ find_path (struct grub_btrfs_data *data,
@@ -1851,9 +2040,21 @@ find_path (struct grub_btrfs_data *data,
path = path_alloc = tmp;
if (path[0] == '/')
{
@ -312,7 +324,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
}
continue;
}
@@ -2094,6 +2288,20 @@ grub_btrfs_read (grub_file_t file, char
@@ -2094,6 +2295,20 @@ grub_btrfs_read (grub_file_t file, char
data->tree, file->offset, buf, len);
}
@ -333,7 +345,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
static grub_err_t
grub_btrfs_uuid (grub_device_t device, char **uuid)
{
@@ -2105,15 +2313,7 @@ grub_btrfs_uuid (grub_device_t device, c
@@ -2105,15 +2320,7 @@ grub_btrfs_uuid (grub_device_t device, c
if (!data)
return grub_errno;
@ -350,7 +362,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
grub_btrfs_unmount (data);
@@ -2170,6 +2370,242 @@ grub_btrfs_embed (grub_device_t device _
@@ -2170,6 +2377,248 @@ grub_btrfs_embed (grub_device_t device _
}
#endif
@ -531,9 +543,15 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
+
+ if (elemsize > allocated)
+ {
+ grub_size_t sz;
+
+ grub_free(buf);
+ allocated = 2 * elemsize;
+ buf = grub_malloc(allocated + 1);
+
+ if (grub_mul (elemsize, 2, &allocated) ||
+ grub_add (allocated, 1, &sz))
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+
+ buf = grub_malloc(sz);
+ if (!buf)
+ {
+ r = -grub_errno;
@ -593,7 +611,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
static struct grub_fs grub_btrfs_fs = {
.name = "btrfs",
.fs_dir = grub_btrfs_dir,
@@ -2185,12 +2621,88 @@ static struct grub_fs grub_btrfs_fs = {
@@ -2185,12 +2634,88 @@ static struct grub_fs grub_btrfs_fs = {
#endif
};
@ -682,10 +700,10 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
}
+
+// vim: si et sw=2:
Index: grub-2.04~rc1/include/grub/btrfs.h
Index: grub-2.04/include/grub/btrfs.h
===================================================================
--- grub-2.04~rc1.orig/include/grub/btrfs.h
+++ grub-2.04~rc1/include/grub/btrfs.h
--- grub-2.04.orig/include/grub/btrfs.h
+++ grub-2.04/include/grub/btrfs.h
@@ -29,6 +29,7 @@ enum
GRUB_BTRFS_ITEM_TYPE_ROOT_ITEM = 0x84,
GRUB_BTRFS_ITEM_TYPE_ROOT_BACKREF = 0x90,

View File

@ -1,8 +1,13 @@
Index: grub-2.04~rc1/grub-core/fs/btrfs.c
V1:
* Use overflow checking primitives where the arithmetic expression for
buffer allocations may include unvalidated data
Index: grub-2.04/grub-core/fs/btrfs.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/fs/btrfs.c
+++ grub-2.04~rc1/grub-core/fs/btrfs.c
@@ -2867,6 +2867,242 @@ out:
--- grub-2.04.orig/grub-core/fs/btrfs.c
+++ grub-2.04/grub-core/fs/btrfs.c
@@ -2880,6 +2880,254 @@ out:
return 0;
}
@ -26,6 +31,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
+ grub_disk_addr_t elemaddr;
+ grub_err_t err;
+ char *parent_path;
+ grub_size_t sz;
+
+ *parent_id = 0;
+ *path_out = 0;
@ -44,7 +50,10 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
+ return grub_error(GRUB_ERR_FILE_NOT_FOUND, N_("can't find root backrefs"));
+ }
+
+ buf = grub_malloc(elemsize + 1);
+ if (grub_add (elemsize, 1, &sz))
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+
+ buf = grub_malloc(sz);
+ if (!buf)
+ {
+ free_iterator(&desc);
@ -98,6 +107,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
+ struct grub_btrfs_dir_item *direl = NULL;
+ const char *ctoken = "default";
+ grub_size_t ctokenlen = sizeof ("default") - 1;
+ grub_size_t sz;
+
+ *id = 0;
+ key.object_id = data->sblock.root_dir_objectid;
@ -112,7 +122,14 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
+ return grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("file not found"));
+
+ struct grub_btrfs_dir_item *cdirel;
+ direl = grub_malloc (elemsize + 1);
+
+ if (grub_add (elemsize, 1, &sz))
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+
+ direl = grub_malloc (sz);
+ if (!direl)
+ return grub_errno;
+
+ err = grub_btrfs_read_logical (data, elemaddr, direl, elemsize, 0);
+ if (err)
+ {
@ -245,7 +262,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
static struct grub_fs grub_btrfs_fs = {
.name = "btrfs",
.fs_dir = grub_btrfs_dir,
@@ -2885,6 +3121,7 @@ static struct grub_fs grub_btrfs_fs = {
@@ -2898,6 +3146,7 @@ static struct grub_fs grub_btrfs_fs = {
static grub_command_t cmd_info;
static grub_command_t cmd_mount_subvol;
static grub_extcmd_t cmd_list_subvols;
@ -253,7 +270,7 @@ Index: grub-2.04~rc1/grub-core/fs/btrfs.c
static char *
subvolid_set_env (struct grub_env_var *var __attribute__ ((unused)),
@@ -2955,6 +3192,11 @@ GRUB_MOD_INIT (btrfs)
@@ -2968,6 +3217,11 @@ GRUB_MOD_INIT (btrfs)
"[-p|-n] [-o var] DEVICE",
"Print list of BtrFS subvolumes on "
"DEVICE.", options);

View File

@ -14,6 +14,10 @@ gfxmenu to make it convenient for viewing the truncated text by pressing
the ctrl+l and ctrl+r to scroll the highlighted text left and right. The
scrolled result will remain in place to help memorizing it after
changing highlight to other entry.
V1:
* Use grub_calloc for overflow check and return NULL when it would
occur.
---
grub-core/gfxmenu/gfxmenu.c | 3 +++
grub-core/gfxmenu/gui_label.c | 2 ++
@ -24,20 +28,27 @@ changing highlight to other entry.
include/grub/menu_viewer.h | 1 +
7 files changed, 112 insertions(+)
diff --git a/grub-core/gfxmenu/gfxmenu.c b/grub-core/gfxmenu/gfxmenu.c
index 8a17dda2c..e834895fb 100644
--- a/grub-core/gfxmenu/gfxmenu.c
+++ b/grub-core/gfxmenu/gfxmenu.c
@@ -108,6 +108,8 @@ grub_gfxmenu_try (int entry, grub_menu_t menu, int nested)
Index: grub-2.04/grub-core/gfxmenu/gfxmenu.c
===================================================================
--- grub-2.04.orig/grub-core/gfxmenu/gfxmenu.c
+++ grub-2.04/grub-core/gfxmenu/gfxmenu.c
@@ -108,6 +108,15 @@ grub_gfxmenu_try (int entry, grub_menu_t
view->menu = menu;
view->nested = nested;
view->first_timeout = -1;
+ if (menu->size)
+ view->menu_title_offset = grub_zalloc (sizeof (*view->menu_title_offset) * menu->size);
+ {
+ view->menu_title_offset = grub_calloc (menu->size, sizeof (*view->menu_title_offset));
+ if (!view->menu_title_offset)
+ {
+ grub_free (instance);
+ return grub_errno;
+ }
+ }
grub_video_set_viewport (0, 0, mode_info.width, mode_info.height);
if (view->double_repaint)
@@ -123,6 +125,7 @@ grub_gfxmenu_try (int entry, grub_menu_t menu, int nested)
@@ -123,6 +132,7 @@ grub_gfxmenu_try (int entry, grub_menu_t
instance->fini = grub_gfxmenu_viewer_fini;
instance->print_timeout = grub_gfxmenu_print_timeout;
instance->clear_timeout = grub_gfxmenu_clear_timeout;
@ -45,11 +56,11 @@ index 8a17dda2c..e834895fb 100644
grub_menu_register_viewer (instance);
diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
index a4c817891..8b1358dd4 100644
--- a/grub-core/gfxmenu/gui_label.c
+++ b/grub-core/gfxmenu/gui_label.c
@@ -192,6 +192,8 @@ label_set_property (void *vself, const char *name, const char *value)
Index: grub-2.04/grub-core/gfxmenu/gui_label.c
===================================================================
--- grub-2.04.orig/grub-core/gfxmenu/gui_label.c
+++ grub-2.04/grub-core/gfxmenu/gui_label.c
@@ -192,6 +192,8 @@ label_set_property (void *vself, const c
"or `c' for a command-line.");
else if (grub_strcmp (value, "@KEYMAP_SHORT@") == 0)
value = _("enter: boot, `e': options, `c': cmd-line");
@ -58,10 +69,10 @@ index a4c817891..8b1358dd4 100644
/* FIXME: Add more templates here if needed. */
self->template = grub_strdup (value);
self->text = grub_xasprintf (value, self->value);
diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
index 01477cdf2..90487aef4 100644
--- a/grub-core/gfxmenu/gui_list.c
+++ b/grub-core/gfxmenu/gui_list.c
Index: grub-2.04/grub-core/gfxmenu/gui_list.c
===================================================================
--- grub-2.04.orig/grub-core/gfxmenu/gui_list.c
+++ grub-2.04/grub-core/gfxmenu/gui_list.c
@@ -24,6 +24,7 @@
#include <grub/gfxmenu_view.h>
#include <grub/gfxwidgets.h>
@ -104,7 +115,7 @@ index 01477cdf2..90487aef4 100644
/* Draw the list of items. */
static void
draw_menu (list_impl_t self, int num_shown_items)
@@ -433,6 +461,16 @@ draw_menu (list_impl_t self, int num_shown_items)
@@ -433,6 +461,16 @@ draw_menu (list_impl_t self, int num_sho
const char *item_title =
grub_menu_get_entry (self->view->menu, menu_index)->title;
@ -121,10 +132,10 @@ index 01477cdf2..90487aef4 100644
sviewport.y = item_top + top_pad;
sviewport.width = viewport_width;
grub_gui_set_viewport (&sviewport, &svpsave);
diff --git a/grub-core/gfxmenu/view.c b/grub-core/gfxmenu/view.c
index ad5e82b81..7aed7faa1 100644
--- a/grub-core/gfxmenu/view.c
+++ b/grub-core/gfxmenu/view.c
Index: grub-2.04/grub-core/gfxmenu/view.c
===================================================================
--- grub-2.04.orig/grub-core/gfxmenu/view.c
+++ grub-2.04/grub-core/gfxmenu/view.c
@@ -37,6 +37,7 @@
#include <grub/gui_string_util.h>
#include <grub/icon_manager.h>
@ -133,7 +144,7 @@ index ad5e82b81..7aed7faa1 100644
static void
init_terminal (grub_gfxmenu_view_t view);
@@ -142,6 +143,7 @@ grub_gfxmenu_view_destroy (grub_gfxmenu_view_t view)
@@ -142,6 +143,7 @@ grub_gfxmenu_view_destroy (grub_gfxmenu_
grub_free (view->title_text);
grub_free (view->progress_message_text);
grub_free (view->theme_path);
@ -141,7 +152,7 @@ index ad5e82b81..7aed7faa1 100644
if (view->canvas)
view->canvas->component.ops->destroy (view->canvas);
grub_free (view);
@@ -410,6 +412,52 @@ grub_gfxmenu_set_chosen_entry (int entry, void *data)
@@ -410,6 +412,52 @@ grub_gfxmenu_set_chosen_entry (int entry
grub_gfxmenu_redraw_menu (view);
}
@ -194,15 +205,14 @@ index ad5e82b81..7aed7faa1 100644
static void
grub_gfxmenu_draw_terminal_box (void)
{
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index e7a83c2d6..0af20d052 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -376,6 +376,15 @@ menu_set_chosen_entry (int entry)
cur->set_chosen_entry (entry, cur->data);
Index: grub-2.04/grub-core/normal/menu.c
===================================================================
--- grub-2.04.orig/grub-core/normal/menu.c
+++ grub-2.04/grub-core/normal/menu.c
@@ -401,6 +401,15 @@ menu_set_chosen_entry (int entry)
}
+static void
static void
+menu_scroll_chosen_entry (int diren)
+{
+ struct grub_menu_viewer *cur;
@ -211,10 +221,11 @@ index e7a83c2d6..0af20d052 100644
+ cur->scroll_chosen_entry (cur->data, diren);
+}
+
static void
+static void
menu_print_timeout (int timeout)
{
@@ -755,6 +764,13 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
struct grub_menu_viewer *cur;
@@ -828,6 +837,13 @@ run_menu (grub_menu_t menu, int nested,
menu_set_chosen_entry (current_entry);
break;
@ -228,10 +239,10 @@ index e7a83c2d6..0af20d052 100644
case '\n':
case '\r':
case GRUB_TERM_KEY_RIGHT:
diff --git a/include/grub/gfxmenu_view.h b/include/grub/gfxmenu_view.h
index 4203c8fb9..56c0d17ae 100644
--- a/include/grub/gfxmenu_view.h
+++ b/include/grub/gfxmenu_view.h
Index: grub-2.04/include/grub/gfxmenu_view.h
===================================================================
--- grub-2.04.orig/include/grub/gfxmenu_view.h
+++ grub-2.04/include/grub/gfxmenu_view.h
@@ -61,6 +61,8 @@ void
grub_gfxmenu_print_timeout (int timeout, void *data);
void
@ -250,10 +261,10 @@ index 4203c8fb9..56c0d17ae 100644
};
#endif /* ! GRUB_GFXMENU_VIEW_HEADER */
diff --git a/include/grub/menu_viewer.h b/include/grub/menu_viewer.h
index c6513c4e8..5f2a39dc9 100644
--- a/include/grub/menu_viewer.h
+++ b/include/grub/menu_viewer.h
Index: grub-2.04/include/grub/menu_viewer.h
===================================================================
--- grub-2.04.orig/include/grub/menu_viewer.h
+++ grub-2.04/include/grub/menu_viewer.h
@@ -33,6 +33,7 @@ struct grub_menu_viewer
void (*set_chosen_entry) (int entry, void *data);
void (*print_timeout) (int timeout, void *data);
@ -262,6 +273,3 @@ index c6513c4e8..5f2a39dc9 100644
void (*fini) (void *fini);
};
--
2.16.4

View File

@ -4,11 +4,16 @@ As a workaround use the Btrfs header to store known data of the GRUB environment
block.
v2: export env_block and make sure to use the device of grubenv
v3:
* Use xcalloc for overflow check and return NULL when it would
occur.
---
Index: grub-2.02/grub-core/kern/fs.c
Index: grub-2.04/grub-core/kern/fs.c
===================================================================
--- grub-2.02.orig/grub-core/kern/fs.c
+++ grub-2.02/grub-core/kern/fs.c
--- grub-2.04.orig/grub-core/kern/fs.c
+++ grub-2.04/grub-core/kern/fs.c
@@ -27,6 +27,7 @@
#include <grub/mm.h>
#include <grub/term.h>
@ -31,10 +36,10 @@ Index: grub-2.02/grub-core/kern/fs.c
ret += size;
len -= size;
sector -= ((size + offset) >> GRUB_DISK_SECTOR_BITS);
Index: grub-2.02/util/grub-editenv.c
Index: grub-2.04/util/grub-editenv.c
===================================================================
--- grub-2.02.orig/util/grub-editenv.c
+++ grub-2.02/util/grub-editenv.c
--- grub-2.04.orig/util/grub-editenv.c
+++ grub-2.04/util/grub-editenv.c
@@ -23,8 +23,11 @@
#include <grub/util/misc.h>
#include <grub/lib/envblk.h>
@ -207,7 +212,7 @@ Index: grub-2.02/util/grub-editenv.c
}
static void
@@ -202,6 +346,38 @@ write_envblk (const char *name, grub_env
@@ -203,6 +347,38 @@ write_envblk (const char *name, grub_env
}
static void
@ -246,7 +251,7 @@ Index: grub-2.02/util/grub-editenv.c
set_variables (const char *name, int argc, char *argv[])
{
grub_envblk_t envblk;
@@ -217,8 +393,27 @@ set_variables (const char *name, int arg
@@ -218,8 +394,27 @@ set_variables (const char *name, int arg
*(p++) = 0;
@ -276,7 +281,7 @@ Index: grub-2.02/util/grub-editenv.c
argc--;
argv++;
@@ -226,26 +421,158 @@ set_variables (const char *name, int arg
@@ -227,26 +422,158 @@ set_variables (const char *name, int arg
write_envblk (name, envblk);
grub_envblk_close (envblk);
@ -371,7 +376,7 @@ Index: grub-2.02/util/grub-editenv.c
+ ndev++;
+ }
+
+ grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1));
+ grub_drives = xcalloc ((ndev + 1), sizeof (grub_drives[0]));
+
+ for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++,
+ curdrive++)
@ -435,7 +440,7 @@ Index: grub-2.02/util/grub-editenv.c
int
main (int argc, char *argv[])
{
@@ -277,6 +604,9 @@ main (int argc, char *argv[])
@@ -278,6 +605,9 @@ main (int argc, char *argv[])
command = argv[curindex++];
}
@ -445,10 +450,10 @@ Index: grub-2.02/util/grub-editenv.c
if (strcmp (command, "create") == 0)
grub_util_create_envblk_file (filename);
else if (strcmp (command, "list") == 0)
Index: grub-2.02/util/grub.d/00_header.in
Index: grub-2.04/util/grub.d/00_header.in
===================================================================
--- grub-2.02.orig/util/grub.d/00_header.in
+++ grub-2.02/util/grub.d/00_header.in
--- grub-2.04.orig/util/grub.d/00_header.in
+++ grub-2.04/util/grub.d/00_header.in
@@ -46,6 +46,13 @@ cat << EOF
if [ -s \$prefix/grubenv ]; then
load_env

View File

@ -1,3 +1,31 @@
-------------------------------------------------------------------
Mon Jul 27 10:04:49 UTC 2020 - Michael Chang <mchang@suse.com>
- Fix for CVE-2020-10713 (bsc#1168994)
* 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
* 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
* 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
* 0004-calloc-Use-calloc-at-most-places.patch
* 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
* 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
* 0007-font-Do-not-load-more-than-one-NAME-section.patch
- Fix CVE-2020-15706 (bsc#1174463)
* 0008-script-Remove-unused-fields-from-grub_script_functio.patch
* 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
- Fix CVE-2020-15707 (bsc#1174570)
* 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
* 0001-add-support-for-UEFI-network-protocols.patch
* 0003-bootp-New-net_bootp6-command.patch
* grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
* grub2-btrfs-09-get-default-subvolume.patch
* grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
* grub2-grubenv-in-btrfs-header.patch
-------------------------------------------------------------------
Thu Jul 16 13:15:27 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com>

View File

@ -302,6 +302,24 @@ Patch700: 0001-normal-Move-common-datetime-functions-out-of-the-nor.patch
Patch701: 0002-kern-Add-X-option-to-printf-functions.patch
Patch702: 0003-normal-main-Search-for-specific-config-files-for-net.patch
Patch703: 0004-datetime-Enable-the-datetime-module-for-the-emu-plat.patch
# bsc#1168994 VUL-0: EMBARGOED: CVE-2020-10713: grub2: parsing overflows can
# bypass secure boot restrictions
Patch704: 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
# bsc#1173812 VUL-0: EMBARGOED: CVE-2020-14308, CVE-2020-14309, CVE-2020-14310,
# CVE-2020-14311: grub2: avoid integer overflows
Patch705: 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
Patch706: 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
Patch707: 0004-calloc-Use-calloc-at-most-places.patch
Patch708: 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
Patch709: 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
Patch710: 0007-font-Do-not-load-more-than-one-NAME-section.patch
# bsc#1174463 VUL-0: EMBARGOED: CVE-2020-15706: grub2: script: Avoid a
# use-after-free when redefining a function during execution
Patch711: 0008-script-Remove-unused-fields-from-grub_script_functio.patch
Patch712: 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
# bsc#1174570 VUL-0: EMBARGOED: CVE-2020-15707: grub2: linux: Fix integer
# overflows in initrd size handling
Patch713: 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140
@ -607,6 +625,16 @@ swap partition while in resuming
%patch701 -p1
%patch702 -p1
%patch703 -p1
%patch704 -p1
%patch705 -p1
%patch706 -p1
%patch707 -p1
%patch708 -p1
%patch709 -p1
%patch710 -p1
%patch711 -p1
%patch712 -p1
%patch713 -p1
%build
# collect evidence to debug spurious build failure on SLE15