forked from pool/grub2
e016790fe1
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
126 lines
3.9 KiB
Diff
126 lines
3.9 KiB
Diff
From c111176648717645284865e15d7c6713cf29e982 Mon Sep 17 00:00:00 2001
|
|
From: Chris Coulson <chris.coulson@canonical.com>
|
|
Date: Tue, 5 Apr 2022 10:02:04 +0100
|
|
Subject: [PATCH 02/32] loader/efi/chainloader: Simplify the loader state
|
|
|
|
The chainloader command retains the source buffer and device path passed
|
|
to LoadImage(), requiring the unload hook passed to grub_loader_set() to
|
|
free them. It isn't required to retain this state though - they aren't
|
|
required by StartImage() or anything else in the boot hook, so clean them
|
|
up before grub_cmd_chainloader() finishes.
|
|
|
|
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/loader/efi/chainloader.c | 37 ++++++++++++++++--------------
|
|
1 file changed, 20 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
|
index 625f1d26da..1ec09a166c 100644
|
|
--- a/grub-core/loader/efi/chainloader.c
|
|
+++ b/grub-core/loader/efi/chainloader.c
|
|
@@ -53,12 +53,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
static grub_dl_t my_mod;
|
|
|
|
-static grub_efi_physical_address_t address;
|
|
-static grub_efi_uintn_t pages;
|
|
static grub_ssize_t fsize;
|
|
-static grub_efi_device_path_t *file_path;
|
|
static grub_efi_handle_t image_handle;
|
|
-static grub_efi_char16_t *cmdline;
|
|
static grub_ssize_t cmdline_len;
|
|
static grub_efi_handle_t dev_handle;
|
|
|
|
@@ -70,16 +66,16 @@ static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_e
|
|
static grub_err_t
|
|
grub_chainloader_unload (void)
|
|
{
|
|
+ grub_efi_loaded_image_t *loaded_image;
|
|
grub_efi_boot_services_t *b;
|
|
|
|
+ loaded_image = grub_efi_get_loaded_image (image_handle);
|
|
+ if (loaded_image != NULL)
|
|
+ grub_free (loaded_image->load_options);
|
|
+
|
|
b = grub_efi_system_table->boot_services;
|
|
efi_call_1 (b->unload_image, image_handle);
|
|
- efi_call_2 (b->free_pages, address, pages);
|
|
|
|
- grub_free (file_path);
|
|
- grub_free (cmdline);
|
|
- cmdline = 0;
|
|
- file_path = 0;
|
|
dev_handle = 0;
|
|
|
|
grub_dl_unref (my_mod);
|
|
@@ -158,7 +154,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
|
|
char *dir_start;
|
|
char *dir_end;
|
|
grub_size_t size;
|
|
- grub_efi_device_path_t *d;
|
|
+ grub_efi_device_path_t *d, *file_path;
|
|
|
|
dir_start = grub_strchr (filename, ')');
|
|
if (! dir_start)
|
|
@@ -641,10 +637,13 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
grub_efi_status_t status;
|
|
grub_efi_boot_services_t *b;
|
|
grub_device_t dev = 0;
|
|
- grub_efi_device_path_t *dp = 0;
|
|
+ grub_efi_device_path_t *dp = NULL, *file_path = NULL;
|
|
grub_efi_loaded_image_t *loaded_image;
|
|
char *filename;
|
|
void *boot_image = 0;
|
|
+ grub_efi_physical_address_t address = 0;
|
|
+ grub_efi_uintn_t pages = 0;
|
|
+ grub_efi_char16_t *cmdline = NULL;
|
|
|
|
if (argc == 0)
|
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
|
@@ -652,10 +651,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
|
|
grub_dl_ref (my_mod);
|
|
|
|
- /* Initialize some global variables. */
|
|
- address = 0;
|
|
- image_handle = 0;
|
|
- file_path = 0;
|
|
dev_handle = 0;
|
|
|
|
b = grub_efi_system_table->boot_services;
|
|
@@ -857,6 +852,10 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
grub_file_close (file);
|
|
grub_device_close (dev);
|
|
|
|
+ /* We're finished with the source image buffer and file path now. */
|
|
+ efi_call_2 (b->free_pages, address, pages);
|
|
+ grub_free (file_path);
|
|
+
|
|
grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
|
|
return 0;
|
|
|
|
@@ -868,13 +867,17 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
if (file)
|
|
grub_file_close (file);
|
|
|
|
+ grub_free (cmdline);
|
|
grub_free (file_path);
|
|
|
|
if (address)
|
|
efi_call_2 (b->free_pages, address, pages);
|
|
|
|
- if (cmdline)
|
|
- grub_free (cmdline);
|
|
+ if (image_handle != NULL)
|
|
+ {
|
|
+ efi_call_1 (b->unload_image, image_handle);
|
|
+ image_handle = NULL;
|
|
+ }
|
|
|
|
grub_dl_unref (my_mod);
|
|
|
|
--
|
|
2.34.1
|
|
|