diff -pruN 2.06-2/debian/build-efi-images 2.06-8/debian/build-efi-images
--- 2.06-2/debian/build-efi-images	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/build-efi-images	2023-02-09 01:09:00.000000000 +0000
@@ -43,6 +43,16 @@ cleanup () {
 }
 trap cleanup EXIT HUP INT QUIT TERM
 
+# Return the number of 1KiB blocks needed to store a file in the
+# memdisk, with an extra block for the directory entry
+rounded_size () {
+    BLOCK_SIZE=1024
+    size=$(stat -c %s $1)
+    rounded=$(( ( ($size + $BLOCK_SIZE - 1) / $BLOCK_SIZE) + 1))
+    echo "Adding $rounded blocks to memdisk for $1" >&2
+    echo $rounded
+}
+
 rm -rf "$outdir"
 mkdir -p "$outdir"
 
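Review bot: `rounded_size` expands `$1` unquoted in `stat -c %s $1`, and if `stat` fails `size` is empty, so the arithmetic still evaluates and the function reports 1 block instead of stopping. Quote the argument and check the result, for example `size=$(stat -c %s "$1") || return 1`, and have the caller test the return status, because a failure inside `$(( ... $(rounded_size ...) ))` is otherwise not noticed. `BLOCK_SIZE`, `size` and `rounded` are also assigned as script-wide variables. Whether the script runs under `set -e` is not visible in this hunk.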
@@ -76,11 +86,33 @@ else
 fi
 EOF
 
-mkfs.msdos -C "$workdir/memdisk.fat" 64
+# Calculate the size of the embedded filesystem needed
+FATFS_SIZE=64 # 64KiB for the embedded grub.cfg and the metadata
+
+# Only copy in unicode.pf2 for now, we don't want the binary images
+# too large
+FONTS=$grub_core/../unicode.pf2
+for FONT in $FONTS; do
+    FATFS_SIZE=$(($FATFS_SIZE + $(rounded_size $FONT)))
+done
+
+mkfs.msdos -C "$workdir/memdisk.fat" $FATFS_SIZE
 mcopy -i "$workdir/memdisk.fat" "$workdir/grub.cfg" ::grub.cfg
+mmd -i "$workdir/memdisk.fat" ::fonts
+for FONT in $FONTS; do
+    mcopy -i "$workdir/memdisk.fat" "$FONT" ::fonts/$(basename $FONT)
+done
+# Let's show what's here so we have it in build logs
+mdir -/ -i "$workdir/memdisk.fat"
 
-mkfs.msdos -C "$workdir/memdisk-netboot.fat" 64
+mkfs.msdos -C "$workdir/memdisk-netboot.fat" $FATFS_SIZE
 mcopy -i "$workdir/memdisk-netboot.fat" "$workdir/grub-netboot.cfg" ::grub.cfg
+mmd -i "$workdir/memdisk-netboot.fat" ::fonts
+for FONT in $FONTS; do
+    mcopy -i "$workdir/memdisk-netboot.fat" "$FONT" ::fonts/$(basename $FONT)
+done
+# Let's show what's here so we have it in build logs
+mdir -/ -i "$workdir/memdisk.fat"
 
 CD_MODULES="
 	all_video
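Review bot: The second `mdir -/ -i "$workdir/memdisk.fat"`, at the end of the netboot section, lists the first image again, so the contents of `memdisk-netboot.fat` never reach the build log. It should read `mdir -/ -i "$workdir/memdisk-netboot.fat"`. These memdisks are embedded in the EFI images built further down, so the log listing is the record of what went in and should cover both. `$FONT` is also unquoted in `rounded_size $FONT` and `$(basename $FONT)`; the two populate-and-list sequences differ only in file names and could share one helper.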
@@ -132,7 +164,9 @@ CD_MODULES="
 	search_fs_uuid
 	search_fs_file
 	search_label
+	serial
 	sleep
+        smbios
 	squash4
 	test
 	true
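Review bot: The new `smbios` entry is indented with eight spaces, while `serial` and the other entries visible here use a single tab. The list is word-split when it is passed to grub-mkimage, so the build is unaffected, but the line should use a leading tab to match its neighbours. `CD_MODULES` begins and ends outside this hunk.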
@@ -192,38 +226,52 @@ NET_MODULES="$CD_MODULES
 
 # CD boot image
 echo "Including modules $CD_MODULES in $outdir/gcd$efi_name.efi"
-"$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
-	-d "$grub_core" \
-	-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
-	-p /boot/grub \
-	--sbat "$sbat_csv" \
-	$CD_MODULES
+"$grub_mkimage" \
+    -O "$platform" \
+    -o "$outdir/gcd$efi_name.efi" \
+    -c "$workdir/grub-bootstrap.cfg" \
+    -d "$grub_core" \
+    -m "$workdir/memdisk.fat" \
+    -p /boot/grub \
+    --sbat "$sbat_csv" \
+    $CD_MODULES
 
 # Normal disk boot image
 echo "Including modules $GRUB_MODULES in $outdir/grub$efi_name.efi"
-"$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
-	-d "$grub_core" -p "/EFI/$efi_vendor" \
-	--sbat "$sbat_csv" \
-	$GRUB_MODULES
+"$grub_mkimage" \
+    -O "$platform" \
+    -o "$outdir/grub$efi_name.efi" \
+    -c "$workdir/grub-bootstrap.cfg" \
+    -d "$grub_core" \
+    -m "$workdir/memdisk.fat" \
+    -p "/EFI/$efi_vendor" \
+    --sbat "$sbat_csv" \
+    $GRUB_MODULES
 
 # Normal network boot image
 echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name.efi"
-"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
-	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-	-m "$workdir/memdisk-netboot.fat" \
-	-p /grub \
-	--sbat "$sbat_csv" \
-	$NET_MODULES
+"$grub_mkimage" \
+    -O "$platform" \
+    -o "$outdir/grubnet$efi_name.efi" \
+    -c "$workdir/grub-bootstrap.cfg" \
+    -d "$grub_core" \
+    -m "$workdir/memdisk-netboot.fat" \
+    -p /grub \
+    --sbat "$sbat_csv" \
+    $NET_MODULES
 
 # Special network boot image for d-i to use. Just the same as the
 # normal network boot image, but with a different value baked in for
 # the prefix setting
 echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
-"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
-	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-	-m "$workdir/memdisk-netboot.fat" \
-	-p "/${efi_vendor}-installer/$deb_arch/grub" \
-	--sbat "$sbat_csv" \
-	$NET_MODULES
+"$grub_mkimage" \
+    -O "$platform" \
+    -o "$outdir/grubnet$efi_name-installer.efi" \
+    -c "$workdir/grub-bootstrap.cfg" \
+    -d "$grub_core" \
+    -m "$workdir/memdisk-netboot.fat" \
+    -p "/${efi_vendor}-installer/$deb_arch/grub" \
+    --sbat "$sbat_csv" \
+    $NET_MODULES
 
 exit 0
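Review bot: The rewritten "Normal disk boot image" call also gains `-c "$workdir/grub-bootstrap.cfg"` and `-m "$workdir/memdisk.fat"`, which the old `grub$efi_name.efi` invocation did not pass, so a behaviour change is folded into what otherwise reads as reformatting. The installed-system image now runs the embedded bootstrap config at startup, presumably before the on-disk configuration under `/EFI/$efi_vendor`. The contents of `grub-bootstrap.cfg` and the memdisk `grub.cfg` are outside this hunk, so it is worth confirming they behave correctly with that prefix. I would state the intent above the call, e.g. `# Also embeds the bootstrap config and memdisk (fonts), like the CD and network images`. The four invocations now differ only in output name, memdisk, prefix and module list, and could go through one helper.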
diff -pruN 2.06-2/debian/changelog 2.06-8/debian/changelog
--- 2.06-2/debian/changelog	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/changelog	2023-02-09 01:09:00.000000000 +0000
@@ -1,3 +1,185 @@
+grub2 (2.06-8) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * Fix an issue in an f2fs security fix which caused mount
+    failures. Closes: #1021846. Thanks to программист некто for helping
+    to debug the problem!
+  * Switch build-deps from gcc-10 to gcc-12. Closes: #1022184
+  * Include upstream patch to enable EFI zboot support on arm64.
+    Closes: #1026092
+  * grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981
+    Closes: #1001414
+  * postinst: be more verbose when using grub-install to install onto
+    devices.
+  * /etc/default/grub: Fix comment about text-mode console.
+    Fixes #845683
+  * grub-install: Don't install the shim fallback program when called
+    with --removable. Closes: #1016737
+  * grub-install: Don't use our grub CD EFI image for --removable.
+    Closes: #1026915. Thanks to Pascal Hambourg for the patch.
+  * Ignore some new ext2 flags to stay compatible with latest mke2fs
+    defaults. Closes: #1030846
+
+  [ Colin Watson ]
+  * Remove myself from Uploaders.
+
+ -- Steve McIntyre <93sam@debian.org>  Thu, 09 Feb 2023 01:09:00 +0000
+
+grub2 (2.06-7) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * Fix bug in core file code so errors are handled better. This makes
+    the fallback font-handling patch work properly.
+    Closes: #1025469, #1025477.
+
+ -- Steve McIntyre <93sam@debian.org>  Tue, 06 Dec 2022 03:14:53 +0000
+
+grub2 (2.06-6) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * Include fonts in the memdisk build for EFI images.
+    Closes: #1024395, #1025352, #1024447
+  * Bump Debian SBAT level to 4
+    - Due to a mistake in the buster upload (2.06-3~deb10u2) that left
+      the CVE-2022-2601 bugs in place, we need to bump SBAT for all of
+      the Debian GRUB binaries. :-(
+  * Switch away from git-dpm
+
+ -- Steve McIntyre <93sam@debian.org>  Sun, 04 Dec 2022 20:42:23 +0000
+
+grub2 (2.06-5) unstable; urgency=high
+
+  [ Steve McIntyre ]
+  * Explicitly unset SOURCE_DATE_EPOCH before running fs tests
+  * Pull in upstream patches to harden font and image handling -
+    CVE-2022-2601, CVE-2022-3775.
+  * Bump SBAT level to 3 for grub-efi packages
+
+ -- Steve McIntyre <93sam@debian.org>  Sun, 13 Nov 2022 00:33:35 +0000
+
+grub2 (2.06-4) unstable; urgency=high
+
+  [ Steve McIntyre ]
+  * Updated the 2.06-3 changelog to mention closure of CVE-2022-28736
+  * Add a commented-out GRUB_DISABLE_OS_PROBER section to
+    /etc/default/grub to make it easier for users to turn os-prober
+    back on if they want it. Closes: #1013797, #1009336
+  * Add smbios to the signed grub efi images. Closes: #1008106
+  * Add serial to the signed grub efi images. Closes: #1013962
+  * grub2-common: Remove dependency on install-info, it's apparently
+    not needed. Closes: #1013698
+  * Don't strip Xen binaries so they work again. Closes: #1017944.
+    Thanks to Valentin Kleibel for the patch.
+
+ -- Steve McIntyre <93sam@debian.org>  Wed, 14 Sep 2022 22:35:49 +0100
+
+grub2 (2.06-3) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * Update a few leftover uses of "which" to use "command -v" instead.
+  * Remove some old Lintian overrides.
+  * Trim trailing whitespace.
+  * debian/copyright: use spaces rather than tabs to start continuation lines.
+  * Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
+    grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
+  * Bump debhelper from old 10 to 13.
+  * Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
+    Repository-Browse.
+  * Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
+    John Paul Adrian Glaubitz; closes: #952815).
+
+  [ Debconf translations ]
+  * [id] Indonesian (Andika Triwidada; closes: #1007706).
+
+  [ Julian Andres Klode ]
+  * Add Julian Andres Klode to uploaders
+  * Disable building with LTO, as used in Ubuntu and possibly other
+    downstreams (maybe Debian one day), as that breaks the build.
+  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
+    write in heap.
+    - 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
+      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+    - CVE-2021-3695
+  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
+    huffman table handling.
+    - 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
+      video/readers/png: Avoid heap OOB R/W inserting huff table items
+    - CVE-2021-3696
+  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
+    the heap.
+    - 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
+      video/readers/jpeg: Block int underflow -> wild pointer write
+    - CVE-2021-3697
+  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
+    - 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
+      maths safely
+    - CVE-2022-28733
+  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
+    - 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
+      OOB write for split http headers
+    - CVE-2022-28734
+  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
+    - 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
+      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
+    - CVE-2022-28735
+    - Closes: #1001057
+  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
+    - 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
+      loader/efi/chainloader: simplify the loader state
+    - 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
+      Add API to pass context to loader
+    - 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
+      loader/efi/chainloader: Use grub_loader_set_ex
+    - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
+      loader/i386/efi/linux: Use grub_loader_set_ex
+    - CVE-2022-28736
+  * Various fixes as a result of fuzzing and static analysis:
+    - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
+      kern/file: Do not leak device_name on error in grub_file_open()
+    - 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
+      video/readers/png: Abort sooner if a read operation fails
+    - 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
+      video/readers/png: Refuse to handle multiple image headers
+    - 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
+      video/readers/png: Sanity check some huffman codes
+    - 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
+      video/readers/jpeg: Abort sooner if a read operation fails
+    - 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
+      video/readers/jpeg: Do not reallocate a given huff table
+    - 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
+      video/readers/jpeg: Refuse to handle multiple start of streams
+    - 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
+      normal/charset: Fix array out-of-bounds formatting unicode for display
+    - 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
+      net/netbuff: Block overly large netbuff allocs
+    - 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
+      net/dns: Fix double-free addresses on corrupt DNS response
+    - 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
+      net/dns: Don't read past the end of the string we're checking against
+    - 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
+      net/tftp: Prevent a UAF and double-free from a failed seek
+    - 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
+    - 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
+      net/http: Do not tear down socket if it's already been torn down
+    - 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
+      net/http: Error out on headers with LF without CR
+    - 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
+      fs/f2fs: Do not read past the end of nat journal entries
+    - 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
+      fs/f2fs: Do not read past the end of nat bitmap
+    - 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
+      fs/f2fs: Do not copy file names that are too long
+    - 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
+      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
+    - 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
+      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
+    - 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
+      fs/btrfs: Fix more fuzz issues related to chunks
+  * Bump SBAT generation:
+    - update debian/sbat.debian.csv.in
+
+ -- Julian Andres Klode <jak@debian.org>  Fri, 10 Jun 2022 11:15:11 +0200
+
 grub2 (2.06-2) unstable; urgency=medium
 
   * Update to minilzo-2.10, fixing build failures on armel, mips64el,
@@ -891,7 +1073,7 @@ grub2 (2.02~beta3-3) unstable; urgency=m
   * debian/control: Breaks shim (<< 0.9+1474479173.6c180c6-0ubuntu1~) due to
     the renamed binaries in the new shim.
   * debian/postinst.in: call on to update-secureboot-policy on configure to
-    make sure users can disable shim validation if necessary. 
+    make sure users can disable shim validation if necessary.
   * debian/build-efi-images: add loopback and squash4 modules to the signed
     EFI images.
 
@@ -2111,7 +2293,7 @@ grub2 (1.99-18) unstable; urgency=low
     - Make FAT UUID uppercase to match Linux (LP: #948716).
 
   [ Debconf translations ]
-  * Norwegian Bokmål (Hans Fredrik Nordhaug). 
+  * Norwegian Bokmål (Hans Fredrik Nordhaug).
   * Gujarati (Kartik Mistry).  Closes: #663542
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 19 Mar 2012 18:24:33 +0000
@@ -2153,7 +2335,7 @@ grub2 (1.99-15) unstable; urgency=low
   [ Debconf translations ]
   * Dutch (Jeroen Schot).  Closes: #651275
   * Bulgarian (Damyan Ivanov).  Closes: #653356
-  * Icelandic (Sveinn í Felli). 
+  * Icelandic (Sveinn í Felli).
   * Ukrainian (Yatsenko Alexandr).  Closes: #654294
   * Italian (Luca Monducci).  Closes: #654304
   * Thai (Theppitak Karoonboonyanan).  Closes: #656551
@@ -2164,7 +2346,7 @@ grub2 (1.99-15) unstable; urgency=low
   * Polish (Michał Kułach).  Closes: #657265
   * Asturian (Mikel González).
   * Dzongkha (Dawa Pemo)
-  * Tamil (Dr.T.Vasudevan). 
+  * Tamil (Dr.T.Vasudevan).
   * Belarusian (Viktar Siarhiejczyk).  Closes: #662615
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 05 Mar 2012 16:58:01 +0000
@@ -3564,7 +3746,7 @@ grub2 (1.98~20091229-1) unstable; urgenc
 grub2 (1.98~20091222-1) unstable; urgency=low
 
   * New Baazar snapshot.
-    - Make 30_os-prober again dash compatible. (Closes: #562034) 
+    - Make 30_os-prober again dash compatible. (Closes: #562034)
 
  -- Felix Zielcke <fzielcke@z-51.de>  Tue, 22 Dec 2009 12:50:57 +0100
 
@@ -3589,7 +3771,7 @@ grub2 (1.98~20091210-1) unstable; urgenc
 grub2 (1.97+20091210-1) unstable; urgency=low
 
   * New Bazaar snapshot.
-    - patches/02_fix_mountpoints_in_mkrelpath.diff: Remove (merged). 
+    - patches/02_fix_mountpoints_in_mkrelpath.diff: Remove (merged).
     - Fixes FTBFS on powerpc (again) and sparc.
     - patches/903_grub_legacy_0_based_partitions.diff: Resync (merged into
       debian branch).
@@ -3677,7 +3859,7 @@ grub2 (1.97+20091115-1) unstable; urgenc
   * patches/906_grub_extras.diff: Remove. Superseded by GRUB_CONTRIB variable
     in recent upstream trunk.
   * rules: Export GRUB_CONTRIB to enable grub-extras add-ons.
-  * Pass --force to grub-install in the postinst. (Closes: #553415) 
+  * Pass --force to grub-install in the postinst. (Closes: #553415)
   * Don't strip debug symbols from grub-emu. It's meant for debugging
     and with them it's much more useful.
   * Ship grub-mkfloppy in grub-pc.
@@ -3920,7 +4102,7 @@ grub2 (1.96+20090808-1) unstable; urgenc
     also disable UUIDs on LVM over RAID.
   * Add a debconf prompt to remove all grub2 files from /boot/grub on
     purge. (Closes: #527068, #470400)
-  * Move the Suggests: os-prober from grub-pc to grub-common. 
+  * Move the Suggests: os-prober from grub-pc to grub-common.
   * patches/901_dpkg_version_comparison.diff: Updated.
   * Update the Replaces on grub-common for the other packages to (<<
     1.96+20080831-1). (Closes: #540492)
@@ -4108,7 +4290,7 @@ grub2 (1.96+20090609-1) experimental; ur
   * Add kopensolaris-i386 to arch list.
 
   [ Felix Zielcke ]
-  * Add a NEWS entry about the grub-efi split. 
+  * Add a NEWS entry about the grub-efi split.
   * Drop the build dependency on gcc-multilib for all *i386.
   * Change upgrade-from-grub-legacy to use `dpkg-reconfigure grub-pc' to
     install grub2 into MBR.
@@ -5262,7 +5444,7 @@ grub2 (1.94-4) unstable; urgency=low
     native building.
   * Remove convert_kernel26 usage since it's not necessary anymore and due
     initramfs-tools changes it's bug too.
-  
+
   [ Robert Millan ]
   * Fork update-grub from grub legacy, and tweak a few commands in output to
     make it work for grub2.
@@ -5296,7 +5478,7 @@ grub2 (1.94-1) unstable; urgency=low
   * New upstream release.
     - Fix powerpc building. Closes: #370259
     - 01_fix_grub-install.patch: merged upstream.
-    - Moved modules to /usr/lib/grub since they are architecture 
+    - Moved modules to /usr/lib/grub since they are architecture
       dependent.
   * Leave CDBS set debhelper compatibility level.
   * Allow amd64 build to happen. Closes: #364956
@@ -5332,8 +5514,8 @@ grub2 (1.92-1) unstable; urgency=low
     - Add support for Apple HFS+ filesystems.
   * 01_fix_grub-install.patch: Added. Fix grub-install to use
     /bin/grub-mkimage instead of /sbin/grub-mkimage. Closes: #338824
-  * Do not use CDBS tarball mode anymore. Closes: #344272  
-  
+  * Do not use CDBS tarball mode anymore. Closes: #344272
+
  -- Otavio Salvador <otavio@debian.org>  Thu,  5 Jan 2006 15:20:40 -0200
 
 grub2 (1.91-0) unstable; urgency=low
diff -pruN 2.06-2/debian/control 2.06-8/debian/control
--- 2.06-2/debian/control	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/control	2023-02-09 01:09:00.000000000 +0000
@@ -2,8 +2,8 @@ Source: grub2
 Section: admin
 Priority: optional
 Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
-Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Colin Watson <cjwatson@debian.org>, Steve McIntyre <93sam@debian.org>
-Build-Depends: debhelper-compat (= 10),
+Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Steve McIntyre <93sam@debian.org>, Julian Andres Klode <jak@debian.org>
+Build-Depends: debhelper-compat (= 13),
  patchutils,
  python3,
  flex,
@@ -11,8 +11,8 @@ Build-Depends: debhelper-compat (= 10),
  po-debconf,
  help2man,
  texinfo,
- gcc-10,
- gcc-10-multilib [i386 kopensolaris-i386 any-amd64 any-ppc64 any-sparc],
+ gcc-12,
+ gcc-12-multilib [i386 kopensolaris-i386 any-amd64 any-ppc64 any-sparc],
  xfonts-unifont,
  libfreetype6-dev,
  gettext,
@@ -92,7 +92,7 @@ Package: grub2-common
 # only built when there is a real platform (e.g. grub-install), and the rest
 # of the package is not very useful in a utilities-only build.
 Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64 any-mipsel any-ia64 any-arm any-arm64
-Depends: grub-common (= ${binary:Version}), dpkg (>= 1.15.4) | install-info, ${shlibs:Depends}, ${misc:Depends}
+Depends: grub-common (= ${binary:Version}), dpkg (>= 1.15.4), ${shlibs:Depends}, ${misc:Depends}
 Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
 Conflicts: grub-legacy
 Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
@@ -302,6 +302,7 @@ Description: GRand Unified Bootloader, v
 
 Package: grub-efi-ia32-signed-template
 Architecture: i386
+Depends: ${misc:Depends}
 Description: GRand Unified Bootloader, version 2 (EFI-IA32 signing template)
  This package contains template files for grub-efi-ia32-signed.
  This is only needed for Secure Boot signing.
@@ -363,6 +364,7 @@ Description: GRand Unified Bootloader, v
 
 Package: grub-efi-amd64-signed-template
 Architecture: amd64
+Depends: ${misc:Depends}
 Description: GRand Unified Bootloader, version 2 (EFI-AMD64 signing template)
  This package contains template files for grub-efi-amd64-signed.
  This is only needed for Secure Boot signing.
@@ -519,6 +521,7 @@ Description: GRand Unified Bootloader, v
 
 Package: grub-efi-arm64-signed-template
 Architecture: arm64
+Depends: ${misc:Depends}
 Description: GRand Unified Bootloader, version 2 (ARM64 UEFI signing template)
  This package contains template files for grub-efi-arm64-signed.
  This is only needed for Secure Boot signing.
diff -pruN 2.06-2/debian/copyright 2.06-8/debian/copyright
--- 2.06-2/debian/copyright	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/copyright	2023-02-09 01:09:00.000000000 +0000
@@ -9,9 +9,9 @@ License: GPL-3+
 
 Files: debian/*
 Copyright: 2003, 2004, 2005, 2006, 2007, 2008, 2009, Robert Millan
-	   2005, 2006, 2007, Otavio Salvador
-	   2008, 2009, Felix Zielcke
-	   2009, Jordi Mallach
+           2005, 2006, 2007, Otavio Salvador
+           2008, 2009, Felix Zielcke
+           2009, Jordi Mallach
 License: GPL-3+
 
 Files: debian/grub-extras/*
@@ -162,21 +162,21 @@ License: CC-BY-SA-3.0
     to Distribute and Publicly Perform Adaptations.
  .
     For the avoidance of doubt:
-	Non-waivable Compulsory License Schemes. In those jurisdictions in
-	which the right to collect royalties through any statutory or
-	compulsory licensing scheme cannot be waived, the Licensor reserves
-	the exclusive right to collect such royalties for any exercise by
-	You of the rights granted under this License;
-	Waivable Compulsory License Schemes. In those jurisdictions in which
-	the right to collect royalties through any statutory or compulsory
-	licensing scheme can be waived, the Licensor waives the exclusive
-	right to collect such royalties for any exercise by You of the
-	rights granted under this License; and,
-	Voluntary License Schemes. The Licensor waives the right to collect
-	royalties, whether individually or, in the event that the Licensor
-	is a member of a collecting society that administers voluntary
-	licensing schemes, via that society, from any exercise by You of the
-	rights granted under this License.
+        Non-waivable Compulsory License Schemes. In those jurisdictions in
+        which the right to collect royalties through any statutory or
+        compulsory licensing scheme cannot be waived, the Licensor reserves
+        the exclusive right to collect such royalties for any exercise by
+        You of the rights granted under this License;
+        Waivable Compulsory License Schemes. In those jurisdictions in which
+        the right to collect royalties through any statutory or compulsory
+        licensing scheme can be waived, the Licensor waives the exclusive
+        right to collect such royalties for any exercise by You of the
+        rights granted under this License; and,
+        Voluntary License Schemes. The Licensor waives the right to collect
+        royalties, whether individually or, in the event that the Licensor
+        is a member of a collecting society that administers voluntary
+        licensing schemes, via that society, from any exercise by You of the
+        rights granted under this License.
  .
  The above rights may be exercised in all media and formats whether now
  known or hereafter devised. The above rights include the right to make such
diff -pruN 2.06-2/debian/default/grub 2.06-8/debian/default/grub
--- 2.06-2/debian/default/grub	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/default/grub	2023-02-09 01:09:00.000000000 +0000
@@ -9,12 +9,16 @@ GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /
 GRUB_CMDLINE_LINUX_DEFAULT="@DEFAULT_CMDLINE@"
 GRUB_CMDLINE_LINUX=""
 
+# Uncomment this to run os-prober to search for and add other OS
+# installations to the grub boot menu
+#GRUB_DISABLE_OS_PROBER=false
+
 # Uncomment to enable BadRAM filtering, modify to suit your needs
 # This works with Linux (no patch required) and with any kernel that obtains
 # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
 #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
 
-# Uncomment to disable graphical terminal (grub-pc only)
+# Uncomment to disable graphical terminal
 #GRUB_TERMINAL=console
 
 # The resolution used on graphical terminal
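Review bot: The new comment above `#GRUB_DISABLE_OS_PROBER=false` says what uncommenting does but not why os-prober is off by default. Upstream GRUB 2.06 disabled it because silently running os-prober and creating boot entries from what it finds on other partitions is treated as a potential attack vector. A third comment line such as `# (off by default: entries are generated from the contents of other partitions)` would let an administrator make that choice knowingly.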
diff -pruN 2.06-2/debian/.git-dpm 2.06-8/debian/.git-dpm
--- 2.06-2/debian/.git-dpm	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/.git-dpm	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-# see git-dpm(1) from git-dpm package
-dbcbb3e5b9fac665b92d630eb24de7bd8c43652e
-dbcbb3e5b9fac665b92d630eb24de7bd8c43652e
-21f954425ffe2a934b6b26c0c948d340c91a16bb
-21f954425ffe2a934b6b26c0c948d340c91a16bb
-grub2_2.06.orig.tar.xz
-c9f93f1e195ec7a5a21d36a13b469788c0b29f0f
-6581924
-signature:910db38472f2d654a4816a0c3b7b83415502850f:833:grub2_2.06.orig.tar.xz.asc
diff -pruN 2.06-2/debian/.gitignore 2.06-8/debian/.gitignore
--- 2.06-2/debian/.gitignore	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,110 +0,0 @@
-*.bash-completion
-*.config
-*.debhelper*
-*.postinst
-*.postrm
-*.preinst
-*.templates
-files
-grub-common
-grub-common.maintscript
-grub-coreboot
-grub-coreboot*.dirs
-grub-coreboot*.install
-grub-coreboot*.links
-grub-coreboot*.maintscript
-grub-coreboot-bin
-grub-coreboot-dbg
-grub-efi
-grub-efi-amd64
-grub-efi-amd64*.dirs
-grub-efi-amd64*.install
-grub-efi-amd64*.links
-grub-efi-amd64*.maintscript
-grub-efi-amd64-bin
-grub-efi-amd64-dbg
-grub-efi-amd64-signed-template
-grub-efi-arm
-grub-efi-arm*.dirs
-grub-efi-arm*.install
-grub-efi-arm*.links
-grub-efi-arm*.maintscript
-grub-efi-arm-bin
-grub-efi-arm-dbg
-grub-efi-arm64
-grub-efi-arm64*.dirs
-grub-efi-arm64*.install
-grub-efi-arm64*.links
-grub-efi-arm64*.maintscript
-grub-efi-arm64-bin
-grub-efi-arm64-dbg
-grub-efi-arm64-signed-template
-grub-efi-ia32
-grub-efi-ia32*.dirs
-grub-efi-ia32*.install
-grub-efi-ia32*.links
-grub-efi-ia32*.maintscript
-grub-efi-ia32-bin
-grub-efi-ia32-dbg
-grub-efi-ia32-signed-template
-grub-efi-ia64
-grub-efi-ia64*.dirs
-grub-efi-ia64*.install
-grub-efi-ia64*.links
-grub-efi-ia64*.maintscript
-grub-efi-ia64-bin
-grub-efi-ia64-dbg
-grub-emu
-grub-emu*.dirs
-grub-emu*.install
-grub-emu*.links
-grub-emu*.maintscript
-grub-emu-dbg
-grub-extras-enabled
-grub-extras/*/conf/*.mk
-grub-firmware-qemu
-grub-ieee1275
-grub-ieee1275*.dirs
-grub-ieee1275*.install
-grub-ieee1275*.links
-grub-ieee1275*.maintscript
-grub-ieee1275-bin
-grub-ieee1275-dbg
-grub-linuxbios
-grub-mount-udeb
-grub-pc
-grub-pc*.dirs
-grub-pc*.install
-grub-pc*.links
-grub-pc*.maintscript
-grub-pc-bin
-grub-pc-dbg
-grub-rescue-pc
-grub-theme-starfield
-grub-uboot
-grub-uboot*.dirs
-grub-uboot*.install
-grub-uboot*.links
-grub-uboot*.maintscript
-grub-uboot-bin
-grub-uboot-dbg
-grub-xen
-grub-xen*.dirs
-grub-xen*.install
-grub-xen*.links
-grub-xen*.maintscript
-grub-xen-bin
-grub-xen-dbg
-grub-xen-host
-grub-yeeloong
-grub-yeeloong*.dirs
-grub-yeeloong*.install
-grub-yeeloong*.links
-grub-yeeloong*.maintscript
-grub-yeeloong-bin
-grub-yeeloong-dbg
-grub2
-grub2-common
-prep-bootdev
-stamps
-tmp-*
diff -pruN 2.06-2/debian/grub-common.init 2.06-8/debian/grub-common.init
--- 2.06-2/debian/grub-common.init	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/grub-common.init	2023-02-09 01:09:00.000000000 +0000
@@ -11,7 +11,7 @@
 #                    informs it that the system booted successfully.
 ### END INIT INFO
 
-which grub-editenv >/dev/null 2>&1 || exit 0
+command -v grub-editenv >/dev/null || exit 0
 
 # Define LSB log_* functions.
 # Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
diff -pruN 2.06-2/debian/grub-extras/915resolution/.gitignore 2.06-8/debian/grub-extras/915resolution/.gitignore
--- 2.06-2/debian/grub-extras/915resolution/.gitignore	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/grub-extras/915resolution/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-.deps-core
-.dirstamp
-/Makefile.core.am
diff -pruN 2.06-2/debian/grub-extras/disabled/gpxe/.gitignore 2.06-8/debian/grub-extras/disabled/gpxe/.gitignore
--- 2.06-2/debian/grub-extras/disabled/gpxe/.gitignore	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/grub-extras/disabled/gpxe/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-.deps-core
-.dirstamp
-/Makefile.core.am
diff -pruN 2.06-2/debian/grub-extras/disabled/zfs/.gitignore 2.06-8/debian/grub-extras/disabled/zfs/.gitignore
--- 2.06-2/debian/grub-extras/disabled/zfs/.gitignore	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/grub-extras/disabled/zfs/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,5 +0,0 @@
-.deps-core
-.deps-util
-.dirstamp
-/Makefile.core.am
-/Makefile.util.am
diff -pruN 2.06-2/debian/grub-extras/lua/.gitignore 2.06-8/debian/grub-extras/lua/.gitignore
--- 2.06-2/debian/grub-extras/lua/.gitignore	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/grub-extras/lua/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-.deps-core
-.dirstamp
-/Makefile.core.am
diff -pruN 2.06-2/debian/grub-extras/ntldr-img/.gitignore 2.06-8/debian/grub-extras/ntldr-img/.gitignore
--- 2.06-2/debian/grub-extras/ntldr-img/.gitignore	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/grub-extras/ntldr-img/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-.deps-core
-.dirstamp
-/Makefile.core.am
diff -pruN 2.06-2/debian/kernel/zz-update-grub 2.06-8/debian/kernel/zz-update-grub
--- 2.06-2/debian/kernel/zz-update-grub	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/kernel/zz-update-grub	2023-02-09 01:09:00.000000000 +0000
@@ -1,7 +1,7 @@
 #! /bin/sh
 set -e
 
-which update-grub >/dev/null 2>&1 || exit 0
+command -v update-grub >/dev/null || exit 0
 
 if type systemd-detect-virt >/dev/null 2>&1 &&
    systemd-detect-virt --quiet --container; then
diff -pruN 2.06-2/debian/NEWS 2.06-8/debian/NEWS
--- 2.06-2/debian/NEWS	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/NEWS	2023-02-09 01:09:00.000000000 +0000
@@ -1,10 +1,10 @@
-grub2 (2.06-1) UNRELEASED; urgency=medium
+grub2 (2.06-1) unstable; urgency=medium
 
   * Boot menu entries for other operating systems are no longer generated by
     default.  To re-enable this, set GRUB_DISABLE_OS_PROBER=false in
     /etc/default/grub.
 
- -- Colin Watson <cjwatson@debian.org>  Wed, 18 Aug 2021 13:03:23 +0100
+ -- Colin Watson <cjwatson@debian.org>  Sun, 28 Nov 2021 13:30:32 +0000
 
 grub2 (1.96+20090609-1) experimental; urgency=low
 
diff -pruN 2.06-2/debian/patches/0063-loader-efi-chainloader-Simplify-the-loader-state.patch 2.06-8/debian/patches/0063-loader-efi-chainloader-Simplify-the-loader-state.patch
--- 2.06-2/debian/patches/0063-loader-efi-chainloader-Simplify-the-loader-state.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0063-loader-efi-chainloader-Simplify-the-loader-state.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,119 @@
+From 9c8e1c85ec9971f2c6bb9a8a7530e94f7dbec14a Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 5 Apr 2022 10:02:04 +0100
+Subject: loader/efi/chainloader: Simplify the loader state
+
+The chainloader command retains the source buffer and device path passed
+to LoadImage(), requiring the unload hook passed to grub_loader_set() to
+free them. It isn't required to retain this state though - they aren't
+required by StartImage() or anything else in the boot hook, so clean them
+up before grub_cmd_chainloader() finishes.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/efi/chainloader.c | 38 +++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index 2bd80f4db..d1602c89b 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,25 +44,20 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static grub_dl_t my_mod;
+ 
+-static grub_efi_physical_address_t address;
+-static grub_efi_uintn_t pages;
+-static grub_efi_device_path_t *file_path;
+ static grub_efi_handle_t image_handle;
+-static grub_efi_char16_t *cmdline;
+ 
+ static grub_err_t
+ grub_chainloader_unload (void)
+ {
++  grub_efi_loaded_image_t *loaded_image;
+   grub_efi_boot_services_t *b;
+ 
++  loaded_image = grub_efi_get_loaded_image (image_handle);
++  if (loaded_image != NULL)
++    grub_free (loaded_image->load_options);
++
+   b = grub_efi_system_table->boot_services;
+   efi_call_1 (b->unload_image, image_handle);
+-  efi_call_2 (b->free_pages, address, pages);
+-
+-  grub_free (file_path);
+-  grub_free (cmdline);
+-  cmdline = 0;
+-  file_path = 0;
+ 
+   grub_dl_unref (my_mod);
+   return GRUB_ERR_NONE;
+@@ -140,7 +135,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+   char *dir_start;
+   char *dir_end;
+   grub_size_t size;
+-  grub_efi_device_path_t *d;
++  grub_efi_device_path_t *d, *file_path;
+ 
+   dir_start = grub_strchr (filename, ')');
+   if (! dir_start)
+@@ -222,11 +217,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+   grub_efi_status_t status;
+   grub_efi_boot_services_t *b;
+   grub_device_t dev = 0;
+-  grub_efi_device_path_t *dp = 0;
++  grub_efi_device_path_t *dp = NULL, *file_path = NULL;
+   grub_efi_loaded_image_t *loaded_image;
+   char *filename;
+   void *boot_image = 0;
+   grub_efi_handle_t dev_handle = 0;
++  grub_efi_physical_address_t address = 0;
++  grub_efi_uintn_t pages = 0;
++  grub_efi_char16_t *cmdline = NULL;
+ 
+   if (argc == 0)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -234,11 +232,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ 
+   grub_dl_ref (my_mod);
+ 
+-  /* Initialize some global variables.  */
+-  address = 0;
+-  image_handle = 0;
+-  file_path = 0;
+-
+   b = grub_efi_system_table->boot_services;
+ 
+   file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
+@@ -408,6 +401,10 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+   grub_file_close (file);
+   grub_device_close (dev);
+ 
++  /* We're finished with the source image buffer and file path now. */
++  efi_call_2 (b->free_pages, address, pages);
++  grub_free (file_path);
++
+   grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
+   return 0;
+ 
+@@ -419,11 +416,18 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+   if (file)
+     grub_file_close (file);
+ 
++  grub_free (cmdline);
+   grub_free (file_path);
+ 
+   if (address)
+     efi_call_2 (b->free_pages, address, pages);
+ 
++  if (image_handle != NULL)
++    {
++      efi_call_1 (b->unload_image, image_handle);
++      image_handle = NULL;
++    }
++
+   grub_dl_unref (my_mod);
+ 
+   return grub_errno;
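Review bot: `image_handle` remains a file-scope static after this patch, yet the `grub_cmd_chainloader` hunk removes the `image_handle = 0;` reset at entry. A second `chainloader` invocation that jumps to `fail:` early would therefore appear to call `unload_image` on the handle that the previously registered loader still refers to, and then clear it. Patch 0065 in this series makes the handle a local passed as loader context, which closes that window, so the two patches should stay together and not be cherry-picked apart. The body of `grub_cmd_chainloader` between the hunks is not shown, so the early-failure path is inferred.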
diff -pruN 2.06-2/debian/patches/0064-commands-boot-Add-API-to-pass-context-to-loader.patch 2.06-8/debian/patches/0064-commands-boot-Add-API-to-pass-context-to-loader.patch
--- 2.06-2/debian/patches/0064-commands-boot-Add-API-to-pass-context-to-loader.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0064-commands-boot-Add-API-to-pass-context-to-loader.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,158 @@
+From bb35dbb9bf213bc9dde9a5a653e93b4c4d2bbf22 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 29 Apr 2022 21:16:02 +0100
+Subject: commands/boot: Add API to pass context to loader
+
+Loaders rely on global variables for saving context which is consumed
+in the boot hook and freed in the unload hook. In the case where a loader
+command is executed twice, calling grub_loader_set a second time executes
+the unload hook, but in some cases this runs when the loader's global
+context has already been updated, resulting in the updated context being
+freed and potential use-after-free bugs when the boot hook is subsequently
+called.
+
+This adds a new API (grub_loader_set_ex) which allows a loader to specify
+context that is passed to its boot and unload hooks. This is an alternative
+to requiring that loaders call grub_loader_unset before mutating their
+global context.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+(cherry picked from commit 4322a64dde7e8fedb58e50b79408667129d45dd3)
+---
+ grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++++++++++-----
+ include/grub/loader.h     |  5 +++
+ 2 files changed, 63 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
+index bbca81e94..53691a62d 100644
+--- a/grub-core/commands/boot.c
++++ b/grub-core/commands/boot.c
+@@ -27,10 +27,20 @@
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+-static grub_err_t (*grub_loader_boot_func) (void);
+-static grub_err_t (*grub_loader_unload_func) (void);
++static grub_err_t (*grub_loader_boot_func) (void *);
++static grub_err_t (*grub_loader_unload_func) (void *);
++static void *grub_loader_context;
+ static int grub_loader_flags;
+ 
++struct grub_simple_loader_hooks
++{
++  grub_err_t (*boot) (void);
++  grub_err_t (*unload) (void);
++};
++
++/* Don't heap allocate this to avoid making grub_loader_set fallible. */
++static struct grub_simple_loader_hooks simple_loader_hooks;
++
+ struct grub_preboot
+ {
+   grub_err_t (*preboot_func) (int);
+@@ -44,6 +54,29 @@ static int grub_loader_loaded;
+ static struct grub_preboot *preboots_head = 0,
+   *preboots_tail = 0;
+ 
++static grub_err_t
++grub_simple_boot_hook (void *context)
++{
++  struct grub_simple_loader_hooks *hooks;
++
++  hooks = (struct grub_simple_loader_hooks *) context;
++  return hooks->boot ();
++}
++
++static grub_err_t
++grub_simple_unload_hook (void *context)
++{
++  struct grub_simple_loader_hooks *hooks;
++  grub_err_t ret;
++
++  hooks = (struct grub_simple_loader_hooks *) context;
++
++  ret = hooks->unload ();
++  grub_memset (hooks, 0, sizeof (*hooks));
++
++  return ret;
++}
++
+ int
+ grub_loader_is_loaded (void)
+ {
+@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
+ }
+ 
+ void
+-grub_loader_set (grub_err_t (*boot) (void),
+-		 grub_err_t (*unload) (void),
+-		 int flags)
++grub_loader_set_ex (grub_err_t (*boot) (void *),
++		    grub_err_t (*unload) (void *),
++		    void *context,
++		    int flags)
+ {
+   if (grub_loader_loaded && grub_loader_unload_func)
+-    grub_loader_unload_func ();
++    grub_loader_unload_func (grub_loader_context);
+ 
+   grub_loader_boot_func = boot;
+   grub_loader_unload_func = unload;
++  grub_loader_context = context;
+   grub_loader_flags = flags;
+ 
+   grub_loader_loaded = 1;
+ }
+ 
++void
++grub_loader_set (grub_err_t (*boot) (void),
++		 grub_err_t (*unload) (void),
++		 int flags)
++{
++  grub_loader_set_ex (grub_simple_boot_hook,
++		      grub_simple_unload_hook,
++		      &simple_loader_hooks,
++		      flags);
++
++  simple_loader_hooks.boot = boot;
++  simple_loader_hooks.unload = unload;
++}
++
+ void
+ grub_loader_unset(void)
+ {
+   if (grub_loader_loaded && grub_loader_unload_func)
+-    grub_loader_unload_func ();
++    grub_loader_unload_func (grub_loader_context);
+ 
+   grub_loader_boot_func = 0;
+   grub_loader_unload_func = 0;
++  grub_loader_context = 0;
+ 
+   grub_loader_loaded = 0;
+ }
+@@ -158,7 +208,7 @@ grub_loader_boot (void)
+ 	  return err;
+ 	}
+     }
+-  err = (grub_loader_boot_func) ();
++  err = (grub_loader_boot_func) (grub_loader_context);
+ 
+   for (cur = preboots_tail; cur; cur = cur->prev)
+     if (! err)
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index b20864282..1846fa6c5 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -40,6 +40,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+ 				    grub_err_t (*unload) (void),
+ 				    int flags);
+ 
++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *),
++				       grub_err_t (*unload) (void *),
++				       void *context,
++				       int flags);
++
+ /* Unset current loader, if any.  */
+ void EXPORT_FUNC (grub_loader_unset) (void);
+ 
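Review bot: `grub_simple_unload_hook` calls `hooks->unload ()` without a NULL check, whereas the old `grub_loader_set` path skipped unloading when the registered `unload` pointer was NULL (`grub_loader_loaded && grub_loader_unload_func`). For legacy callers `grub_loader_unload_func` is now always `grub_simple_unload_hook`, so that guard no longer covers a loader that registers no unload hook; whether any caller does so is not visible here. I would write `ret = hooks->unload ? hooks->unload () : GRUB_ERR_NONE;`. A comment in `grub_loader_set` would also help, saying that `simple_loader_hooks` must be filled in only after `grub_loader_set_ex` returns, because the previous loader's unload hook zeroes it.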
diff -pruN 2.06-2/debian/patches/0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch 2.06-8/debian/patches/0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch
--- 2.06-2/debian/patches/0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,75 @@
+From 19b4f19cfea30655032c978e228d78e056f55f1a Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 5 Apr 2022 11:48:58 +0100
+Subject: loader/efi/chainloader: Use grub_loader_set_ex()
+
+This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
+a use-after-free bug that occurs when grub_cmd_chainloader() is executed
+more than once before a boot attempt is performed.
+
+Fixes: CVE-2022-28736
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/loader/efi/chainloader.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index d1602c89b..7557eb269 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,11 +44,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static grub_dl_t my_mod;
+ 
+-static grub_efi_handle_t image_handle;
+-
+ static grub_err_t
+-grub_chainloader_unload (void)
++grub_chainloader_unload (void *context)
+ {
++  grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+   grub_efi_loaded_image_t *loaded_image;
+   grub_efi_boot_services_t *b;
+ 
+@@ -64,8 +63,9 @@ grub_chainloader_unload (void)
+ }
+ 
+ static grub_err_t
+-grub_chainloader_boot (void)
++grub_chainloader_boot (void *context)
+ {
++  grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+   grub_efi_boot_services_t *b;
+   grub_efi_status_t status;
+   grub_efi_uintn_t exit_data_size;
+@@ -225,6 +225,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+   grub_efi_physical_address_t address = 0;
+   grub_efi_uintn_t pages = 0;
+   grub_efi_char16_t *cmdline = NULL;
++  grub_efi_handle_t image_handle = NULL;
+ 
+   if (argc == 0)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -405,7 +406,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+   efi_call_2 (b->free_pages, address, pages);
+   grub_free (file_path);
+ 
+-  grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
++  grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
+   return 0;
+ 
+  fail:
+@@ -423,10 +424,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+     efi_call_2 (b->free_pages, address, pages);
+ 
+   if (image_handle != NULL)
+-    {
+-      efi_call_1 (b->unload_image, image_handle);
+-      image_handle = NULL;
+-    }
++    efi_call_1 (b->unload_image, image_handle);
+ 
+   grub_dl_unref (my_mod);
+ 
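Review bot: The `grub_loader_set_ex` call is the point where ownership of `image_handle` passes from `grub_cmd_chainloader` to the loader core, and nothing in the code says so. A one-line comment above it, e.g. `/* image_handle is owned by the loader from here; grub_chainloader_unload() releases it. */`, would explain why the success path returns before `fail:` and why `fail:` may unload the local handle whenever it is non-NULL. The function body between these hunks is not shown.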
diff -pruN 2.06-2/debian/patches/0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch 2.06-8/debian/patches/0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
--- 2.06-2/debian/patches/0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,99 @@
+From 24e6d59ac676791507ff5267bf3bef6cbaff6aef Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Thu, 2 Dec 2021 15:03:53 +0100
+Subject: kern/efi/sb: Reject non-kernel files in the shim_lock verifier
+
+We must not allow other verifiers to pass things like the GRUB modules.
+Instead of maintaining a blocklist, maintain an allowlist of things
+that we do not care about.
+
+This allowlist really should be made reusable, and shared by the
+lockdown verifier, but this is the minimal patch addressing
+security concerns where the TPM verifier was able to mark modules
+as verified (or the OpenPGP verifier for that matter), when it
+should not do so on shim-powered secure boot systems.
+
+Fixes: CVE-2022-28735
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/sb.c | 39 ++++++++++++++++++++++++++++++++++++---
+ include/grub/verify.h   |  1 +
+ 2 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+index c52ec6226..89c4bb3fd 100644
+--- a/grub-core/kern/efi/sb.c
++++ b/grub-core/kern/efi/sb.c
+@@ -119,10 +119,11 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+ 			 void **context __attribute__ ((unused)),
+ 			 enum grub_verify_flags *flags)
+ {
+-  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++  *flags = GRUB_VERIFY_FLAGS_NONE;
+ 
+   switch (type & GRUB_FILE_TYPE_MASK)
+     {
++    /* Files we check. */
+     case GRUB_FILE_TYPE_LINUX_KERNEL:
+     case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
+     case GRUB_FILE_TYPE_BSD_KERNEL:
+@@ -130,11 +131,43 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+     case GRUB_FILE_TYPE_PLAN9_KERNEL:
+     case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+       *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
++      return GRUB_ERR_NONE;
+ 
+-      /* Fall through. */
++    /* Files that do not affect secureboot state. */
++    case GRUB_FILE_TYPE_NONE:
++    case GRUB_FILE_TYPE_LOOPBACK:
++    case GRUB_FILE_TYPE_LINUX_INITRD:
++    case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
++    case GRUB_FILE_TYPE_XNU_RAMDISK:
++    case GRUB_FILE_TYPE_SIGNATURE:
++    case GRUB_FILE_TYPE_PUBLIC_KEY:
++    case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
++    case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
++    case GRUB_FILE_TYPE_TESTLOAD:
++    case GRUB_FILE_TYPE_GET_SIZE:
++    case GRUB_FILE_TYPE_FONT:
++    case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
++    case GRUB_FILE_TYPE_CAT:
++    case GRUB_FILE_TYPE_HEXCAT:
++    case GRUB_FILE_TYPE_CMP:
++    case GRUB_FILE_TYPE_HASHLIST:
++    case GRUB_FILE_TYPE_TO_HASH:
++    case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
++    case GRUB_FILE_TYPE_PIXMAP:
++    case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
++    case GRUB_FILE_TYPE_CONFIG:
++    case GRUB_FILE_TYPE_THEME:
++    case GRUB_FILE_TYPE_GETTEXT_CATALOG:
++    case GRUB_FILE_TYPE_FS_SEARCH:
++    case GRUB_FILE_TYPE_LOADENV:
++    case GRUB_FILE_TYPE_SAVEENV:
++    case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
++      *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++      return GRUB_ERR_NONE;
+ 
++    /* Other files. */
+     default:
+-      return GRUB_ERR_NONE;
++      return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
+     }
+ }
+ 
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index 6fde244fc..67448165f 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -24,6 +24,7 @@
+ 
+ enum grub_verify_flags
+   {
++    GRUB_VERIFY_FLAGS_NONE		= 0,
+     GRUB_VERIFY_FLAGS_SKIP_VERIFICATION	= 1,
+     GRUB_VERIFY_FLAGS_SINGLE_CHUNK	= 2,
+     /* Defer verification to another authority. */
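Review bot: The `default:` arm of `shim_lock_verifier_init` is now the security-relevant one, and its comment `/* Other files. */` does not say that refusing is deliberate. Every `GRUB_FILE_TYPE_*` value not listed, including any added to the enum later, is rejected, so I would spell that out: `/* Fail closed: anything not listed above, including file types added later, is refused. */`. The commit message says this allowlist should eventually be shared with the lockdown verifier; a short TODO next to the skip list pointing at that would help keep the two lists from drifting apart.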
diff -pruN 2.06-2/debian/patches/0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch 2.06-8/debian/patches/0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
--- 2.06-2/debian/patches/0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,37 @@
+From c15fa5fb039cd5062dfa02a03efd924422c4a8ed Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 25 Jun 2021 02:19:05 +1000
+Subject: kern/file: Do not leak device_name on error in grub_file_open()
+
+If we have an error in grub_file_open() before we free device_name, we
+will leak it.
+
+Free device_name in the error path and null out the pointer in the good
+path once we free it there.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 58454458c..ffdcaba05 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -79,6 +79,7 @@ grub_file_open (const char *name, enum grub_file_type type)
+ 
+   device = grub_device_open (device_name);
+   grub_free (device_name);
++  device_name = NULL;
+   if (! device)
+     goto fail;
+ 
+@@ -131,6 +132,7 @@ grub_file_open (const char *name, enum grub_file_type type)
+   return file;
+ 
+  fail:
++  grub_free (device_name);
+   if (device)
+     grub_device_close (device);
+ 
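Review bot: The added `grub_free (device_name);` under `fail:` is safe only if `device_name` holds NULL or a live allocation on every path that jumps there, and its declaration and first assignment lie outside both hunks. If any `goto fail` can run before `device_name` is assigned, it needs to be initialised to NULL at its declaration. The `device_name = NULL;` after the first free covers the later failure paths as intended.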
diff -pruN 2.06-2/debian/patches/0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch 2.06-8/debian/patches/0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
--- 2.06-2/debian/patches/0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,197 @@
+From 907f100c841f39e37e4801f726f6b47c2aa9191f Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 14:02:55 +1000
+Subject: video/readers/png: Abort sooner if a read operation fails
+
+Fuzzing revealed some inputs that were taking a long time, potentially
+forever, because they did not bail quickly upon encountering an I/O error.
+
+Try to catch I/O errors sooner and bail out.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 55 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff742..e2a6b1cf3 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -142,6 +142,7 @@ static grub_uint8_t
+ grub_png_get_byte (struct grub_png_data *data)
+ {
+   grub_uint8_t r;
++  grub_ssize_t bytes_read = 0;
+ 
+   if ((data->inside_idat) && (data->idat_remain == 0))
+     {
+@@ -175,7 +176,14 @@ grub_png_get_byte (struct grub_png_data *data)
+     }
+ 
+   r = 0;
+-  grub_file_read (data->file, &r, 1);
++  bytes_read = grub_file_read (data->file, &r, 1);
++
++  if (bytes_read != 1)
++    {
++      grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		  "png: unexpected end of data");
++      return 0;
++    }
+ 
+   if (data->inside_idat)
+     data->idat_remain--;
+@@ -231,15 +239,16 @@ grub_png_decode_image_palette (struct grub_png_data *data,
+   if (len == 0)
+     return GRUB_ERR_NONE;
+ 
+-  for (i = 0; 3 * i < len && i < 256; i++)
++  grub_errno = GRUB_ERR_NONE;
++  for (i = 0; 3 * i < len && i < 256 && grub_errno == GRUB_ERR_NONE; i++)
+     for (j = 0; j < 3; j++)
+       data->palette[i][j] = grub_png_get_byte (data);
+-  for (i *= 3; i < len; i++)
++  for (i *= 3; i < len && grub_errno == GRUB_ERR_NONE; i++)
+     grub_png_get_byte (data);
+ 
+   grub_png_get_dword (data);
+ 
+-  return GRUB_ERR_NONE;
++  return grub_errno;
+ }
+ 
+ static grub_err_t
+@@ -256,9 +265,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: invalid image size");
+ 
+   color_bits = grub_png_get_byte (data);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+   data->is_16bit = (color_bits == 16);
+ 
+   color_type = grub_png_get_byte (data);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+ 
+   /* According to PNG spec, no other types are valid.  */
+   if ((color_type & ~(PNG_COLOR_MASK_ALPHA | PNG_COLOR_MASK_COLOR))
+@@ -340,14 +353,20 @@ grub_png_decode_image_header (struct grub_png_data *data)
+   if (grub_png_get_byte (data) != PNG_COMPRESSION_BASE)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "png: compression method not supported");
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+ 
+   if (grub_png_get_byte (data) != PNG_FILTER_TYPE_BASE)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "png: filter method not supported");
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+ 
+   if (grub_png_get_byte (data) != PNG_INTERLACE_NONE)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "png: interlace method not supported");
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+ 
+   /* Skip crc checksum.  */
+   grub_png_get_dword (data);
+@@ -449,7 +468,7 @@ grub_png_get_huff_code (struct grub_png_data *data, struct huff_table *ht)
+   int code, i;
+ 
+   code = 0;
+-  for (i = 0; i < ht->max_length; i++)
++  for (i = 0; i < ht->max_length && grub_errno == GRUB_ERR_NONE; i++)
+     {
+       code = (code << 1) + grub_png_get_bits (data, 1);
+       if (code < ht->maxval[i])
+@@ -504,8 +523,14 @@ grub_png_init_dynamic_block (struct grub_png_data *data)
+   grub_uint8_t lens[DEFLATE_HCLEN_MAX];
+ 
+   nl = DEFLATE_HLIT_BASE + grub_png_get_bits (data, 5);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+   nd = DEFLATE_HDIST_BASE + grub_png_get_bits (data, 5);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+   nb = DEFLATE_HCLEN_BASE + grub_png_get_bits (data, 4);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+ 
+   if ((nl > DEFLATE_HLIT_MAX) || (nd > DEFLATE_HDIST_MAX) ||
+       (nb > DEFLATE_HCLEN_MAX))
+@@ -533,7 +558,7 @@ grub_png_init_dynamic_block (struct grub_png_data *data)
+ 			    data->dist_offset);
+ 
+   prev = 0;
+-  for (i = 0; i < nl + nd; i++)
++  for (i = 0; i < nl + nd && grub_errno == GRUB_ERR_NONE; i++)
+     {
+       int n, code;
+       struct huff_table *ht;
+@@ -721,17 +746,21 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
+ 	  len = cplens[n];
+ 	  if (cplext[n])
+ 	    len += grub_png_get_bits (data, cplext[n]);
++	  if (grub_errno != GRUB_ERR_NONE)
++	    return grub_errno;
+ 
+ 	  n = grub_png_get_huff_code (data, &data->dist_table);
+ 	  dist = cpdist[n];
+ 	  if (cpdext[n])
+ 	    dist += grub_png_get_bits (data, cpdext[n]);
++	  if (grub_errno != GRUB_ERR_NONE)
++	    return grub_errno;
+ 
+ 	  pos = data->wp - dist;
+ 	  if (pos < 0)
+ 	    pos += WSIZE;
+ 
+-	  while (len > 0)
++	  while (len > 0 && grub_errno == GRUB_ERR_NONE)
+ 	    {
+ 	      data->slide[data->wp] = data->slide[pos];
+ 	      grub_png_output_byte (data, data->slide[data->wp]);
+@@ -759,7 +788,11 @@ grub_png_decode_image_data (struct grub_png_data *data)
+   int final;
+ 
+   cmf = grub_png_get_byte (data);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+   flg = grub_png_get_byte (data);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+ 
+   if ((cmf & 0xF) != Z_DEFLATED)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+@@ -774,7 +807,11 @@ grub_png_decode_image_data (struct grub_png_data *data)
+       int block_type;
+ 
+       final = grub_png_get_bits (data, 1);
++      if (grub_errno != GRUB_ERR_NONE)
++	return grub_errno;
+       block_type = grub_png_get_bits (data, 2);
++      if (grub_errno != GRUB_ERR_NONE)
++	return grub_errno;
+ 
+       switch (block_type)
+ 	{
+@@ -790,7 +827,7 @@ grub_png_decode_image_data (struct grub_png_data *data)
+ 	    grub_png_get_byte (data);
+ 	    grub_png_get_byte (data);
+ 
+-	    for (i = 0; i < len; i++)
++	    for (i = 0; i < len && grub_errno == GRUB_ERR_NONE; i++)
+ 	      grub_png_output_byte (data, grub_png_get_byte (data));
+ 
+ 	    break;
+@@ -1045,6 +1082,8 @@ grub_png_decode_png (struct grub_png_data *data)
+ 
+       len = grub_png_get_dword (data);
+       type = grub_png_get_dword (data);
++      if (grub_errno != GRUB_ERR_NONE)
++	break;
+       data->next_offset = data->file->offset + len + 4;
+ 
+       switch (type)
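Review bot: `grub_png_decode_image_palette` sets `grub_errno = GRUB_ERR_NONE;` before its loops, which discards any error already pending on entry, while every other check added by this patch only tests `grub_errno`. If the reset is there so the loop conditions start clean, a comment saying so would help; otherwise returning early when `grub_errno` is already set keeps the earlier error visible. Separately, `grub_png_get_byte` now returns 0 on a failed read, which is also a valid data byte, so its contract should be documented at the function, e.g. `/* On a short read sets grub_errno and returns 0; callers must test grub_errno. */`.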
diff -pruN 2.06-2/debian/patches/0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch 2.06-8/debian/patches/0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch
--- 2.06-2/debian/patches/0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,27 @@
+From 5e496e28b3c76666c98b737153f9b0c2bedf489d Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 14:13:40 +1000
+Subject: video/readers/png: Refuse to handle multiple image headers
+
+This causes the bitmap to be leaked. Do not permit multiple image headers.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index e2a6b1cf3..8955b8ecf 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -258,6 +258,9 @@ grub_png_decode_image_header (struct grub_png_data *data)
+   int color_bits;
+   enum grub_video_blit_format blt;
+ 
++  if (data->image_width || data->image_height)
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: two image headers found");
++
+   data->image_width = grub_png_get_dword (data);
+   data->image_height = grub_png_get_dword (data);
+ 
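Review bot: The duplicate-header test `data->image_width || data->image_height` uses the dimensions as a "header already seen" flag. That holds only if `struct grub_png_data` is zero-initialised and a first header with both dimensions zero is rejected elsewhere; neither is visible in this hunk. A comment stating that assumption, or a dedicated flag set once the header has been parsed, would make the check independent of those details. The body of `grub_png_decode_image_header` continues outside the hunk.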
diff -pruN 2.06-2/debian/patches/0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch 2.06-8/debian/patches/0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
--- 2.06-2/debian/patches/0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,168 @@
+From 558c69b5d36d14d55bff21e6570205fe73a02ca2 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 18:51:35 +1000
+Subject: video/readers/png: Drop greyscale support to fix heap out-of-bounds
+ write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+      for (i = 0; i < (data->image_width * data->image_height);
+	   i++, d1 += 4, d2 += 2)
+	{
+	  d1[R3] = d2[1];
+	  d1[G3] = d2[1];
+	  d1[B3] = d2[1];
+	}
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 87 +++--------------------------------
+ 1 file changed, 7 insertions(+), 80 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 8955b8ecf..a3161e25b 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+ 
+   unsigned image_width, image_height;
+   int bpp, is_16bit;
+-  int raw_bytes, is_gray, is_alpha, is_palette;
++  int raw_bytes, is_alpha, is_palette;
+   int row_bytes, color_bits;
+   grub_uint8_t *image_data;
+ 
+@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     data->bpp = 3;
+   else
+     {
+-      data->is_gray = 1;
+-      data->bpp = 1;
++      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++			 "png: color type not supported");
+     }
+ 
+   if ((color_bits != 8) && (color_bits != 16)
+       && (color_bits != 4
+-	  || !(data->is_gray || data->is_palette)))
++	  || !data->is_palette))
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                        "png: bit depth must be 8 or 16");
+ 
+@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     }
+ 
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+-  if (data->is_16bit || data->is_gray || data->is_palette)
++  if (data->is_16bit || data->is_palette)
+ #endif
+     {
+       data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
+       int shift;
+       int mask = (1 << data->color_bits) - 1;
+       unsigned j;
+-      if (data->is_gray)
+-	{
+-	  /* Generic formula is
+-	     (0xff * i) / ((1U << data->color_bits) - 1)
+-	     but for allowed bit depth of 1, 2 and for it's
+-	     equivalent to
+-	     (0xff / ((1U << data->color_bits) - 1)) * i
+-	     Precompute the multipliers to avoid division.
+-	  */
+-
+-	  const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+-	  for (i = 0; i < (1U << data->color_bits); i++)
+-	    {
+-	      grub_uint8_t col = multipliers[data->color_bits] * i;
+-	      palette[i][0] = col;
+-	      palette[i][1] = col;
+-	      palette[i][2] = col;
+-	    }
+-	}
+-      else
+-	grub_memcpy (palette, data->palette, 3 << data->color_bits);
++
++      grub_memcpy (palette, data->palette, 3 << data->color_bits);
+       d1c = d1;
+       d2c = d2;
+       for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -956,60 +937,6 @@ grub_png_convert_image (struct grub_png_data *data)
+ 	}
+       return;
+     }
+-  
+-  if (data->is_gray)
+-    {
+-      switch (data->bpp)
+-	{
+-	case 4:
+-	  /* 16-bit gray with alpha.  */
+-	  for (i = 0; i < (data->image_width * data->image_height);
+-	       i++, d1 += 4, d2 += 4)
+-	    {
+-	      d1[R4] = d2[3];
+-	      d1[G4] = d2[3];
+-	      d1[B4] = d2[3];
+-	      d1[A4] = d2[1];
+-	    }
+-	  break;
+-	case 2:
+-	  if (data->is_16bit)
+-	    /* 16-bit gray without alpha.  */
+-	    {
+-	      for (i = 0; i < (data->image_width * data->image_height);
+-		   i++, d1 += 4, d2 += 2)
+-		{
+-		  d1[R3] = d2[1];
+-		  d1[G3] = d2[1];
+-		  d1[B3] = d2[1];
+-		}
+-	    }
+-	  else
+-	    /* 8-bit gray with alpha.  */
+-	    {
+-	      for (i = 0; i < (data->image_width * data->image_height);
+-		   i++, d1 += 4, d2 += 2)
+-		{
+-		  d1[R4] = d2[1];
+-		  d1[G4] = d2[1];
+-		  d1[B4] = d2[1];
+-		  d1[A4] = d2[0];
+-		}
+-	    }
+-	  break;
+-	  /* 8-bit gray without alpha.  */
+-	case 1:
+-	  for (i = 0; i < (data->image_width * data->image_height);
+-	       i++, d1 += 3, d2++)
+-	    {
+-	      d1[R3] = d2[0];
+-	      d1[G3] = d2[0];
+-	      d1[B3] = d2[0];
+-	    }
+-	  break;
+-	}
+-      return;
+-    }
+ 
+     {
+   /* Only copy the upper 8 bit.  */
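Review bot: After this change the bit-depth check still reports `"png: bit depth must be 8 or 16"`, although its condition also accepts a depth of 4 for palette images (`color_bits != 4 || !data->is_palette`). The message could say so, e.g. `"png: bit depth must be 8 or 16, or 4 for palette images"`. The new `"png: color type not supported"` rejection is a user-visible behaviour change for greyscale PNGs and deserves a line in the package's user-facing notes. The braces left around the single `return` in that `else` arm can also be dropped.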
diff -pruN 2.06-2/debian/patches/0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch 2.06-8/debian/patches/0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
--- 2.06-2/debian/patches/0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,38 @@
+From 21e3b255f91d9b7711f8346f1e4acf8cc19bf4fb Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 23:25:07 +1000
+Subject: video/readers/png: Avoid heap OOB R/W inserting huff table items
+
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+
+Catch the case where we would underflow the array and bail.
+
+Fixes: CVE-2021-3696
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index a3161e25b..d7ed5aa6c 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+   for (i = len; i < ht->max_length; i++)
+     n += ht->maxval[i];
+ 
++  if (n > ht->num_values)
++    {
++      grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		  "png: out of range inserting huffman table item");
++      return;
++    }
++
+   for (i = 0; i < n; i++)
+     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+ 
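Review bot: The new `n > ht->num_values` guard in grub_png_insert_huff_item covers only the low end of the shift; the first loop iteration still writes `ht->values[ht->num_values]`, and nothing in this hunk shows num_values being compared with the table's capacity. If that bound is not enforced earlier in the function (which starts outside the hunk), an upper-bound check belongs next to this one. The function returns through a bare `return;`, so callers can see the failure only through grub_errno. A comment above the guard such as `/* Shifting n entries must not index below values[0]. */` would record why it exists.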
diff -pruN 2.06-2/debian/patches/0072-video-readers-png-Sanity-check-some-huffman-codes.patch 2.06-8/debian/patches/0072-video-readers-png-Sanity-check-some-huffman-codes.patch
--- 2.06-2/debian/patches/0072-video-readers-png-Sanity-check-some-huffman-codes.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0072-video-readers-png-Sanity-check-some-huffman-codes.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,39 @@
+From e1c0a986e39ab93954436bcf6e6a9a7ea465e4e7 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 19:19:11 +1000
+Subject: video/readers/png: Sanity check some huffman codes
+
+ASAN picked up two OOB global reads: we weren't checking if some code
+values fit within the cplens or cpdext arrays. Check and throw an error
+if not.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index d7ed5aa6c..7f2ba7849 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -753,6 +753,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
+ 	  int len, dist, pos;
+ 
+ 	  n -= 257;
++	  if (((unsigned int) n) >= ARRAY_SIZE (cplens))
++	    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++			       "png: invalid huff code");
+ 	  len = cplens[n];
+ 	  if (cplext[n])
+ 	    len += grub_png_get_bits (data, cplext[n]);
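Review bot: Each added guard bounds `n` against one array, but the lines after it index two: `cplens[n]` and `cplext[n]` in this hunk, `cpdist[n]` and `cpdext[n]` in the next hunk of grub_png_read_dynamic_block. That is safe only while each pair has the same length, which these lines do not show. Pinning it at build time, e.g. `COMPILE_TIME_ASSERT (ARRAY_SIZE (cplens) == ARRAY_SIZE (cplext));` and the same for cpdist/cpdext, would keep a later table edit from reopening the out-of-bounds read.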
+@@ -760,6 +763,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
+ 	    return grub_errno;
+ 
+ 	  n = grub_png_get_huff_code (data, &data->dist_table);
++	  if (((unsigned int) n) >= ARRAY_SIZE (cpdist))
++	    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++			       "png: invalid huff code");
+ 	  dist = cpdist[n];
+ 	  if (cpdext[n])
+ 	    dist += grub_png_get_bits (data, cpdext[n]);
diff -pruN 2.06-2/debian/patches/0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch 2.06-8/debian/patches/0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
--- 2.06-2/debian/patches/0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,254 @@
+From 40be99c5f8162887d1922fb9428b39de4cdad3af Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:16:14 +1000
+Subject: video/readers/jpeg: Abort sooner if a read operation fails
+
+Fuzzing revealed some inputs that were taking a long time, potentially
+forever, because they did not bail quickly upon encountering an I/O error.
+
+Try to catch I/O errors sooner and bail out.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 86 +++++++++++++++++++++++++++-------
+ 1 file changed, 70 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index e31602f76..10225abd5 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -109,9 +109,17 @@ static grub_uint8_t
+ grub_jpeg_get_byte (struct grub_jpeg_data *data)
+ {
+   grub_uint8_t r;
++  grub_ssize_t bytes_read;
+ 
+   r = 0;
+-  grub_file_read (data->file, &r, 1);
++  bytes_read = grub_file_read (data->file, &r, 1);
++
++  if (bytes_read != 1)
++    {
++      grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		  "jpeg: unexpected end of data");
++      return 0;
++    }
+ 
+   return r;
+ }
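Review bot: On a short read grub_jpeg_get_byte now returns 0, which is also a valid data byte, so the failure can only be told apart through grub_errno; grub_jpeg_get_word in the next hunk has the same contract. Both helpers deserve a comment saying so, e.g. `/* Returns 0 and sets grub_errno on a short read; callers must check grub_errno. */`. Callers later in this patch that branch on the returned value before testing grub_errno depend on exactly that detail.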
+@@ -120,9 +128,17 @@ static grub_uint16_t
+ grub_jpeg_get_word (struct grub_jpeg_data *data)
+ {
+   grub_uint16_t r;
++  grub_ssize_t bytes_read;
+ 
+   r = 0;
+-  grub_file_read (data->file, &r, sizeof (grub_uint16_t));
++  bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
++
++  if (bytes_read != sizeof (grub_uint16_t))
++    {
++      grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		  "jpeg: unexpected end of data");
++      return 0;
++    }
+ 
+   return grub_be_to_cpu16 (r);
+ }
+@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
+   if (data->bit_mask == 0)
+     {
+       data->bit_save = grub_jpeg_get_byte (data);
++      if (grub_errno != GRUB_ERR_NONE) {
++	grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		    "jpeg: file read error");
++	return 0;
++      }
+       if (data->bit_save == JPEG_ESC_CHAR)
+ 	{
+ 	  if (grub_jpeg_get_byte (data) != 0)
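Review bot: The added check in grub_jpeg_get_bit calls grub_error() again after grub_jpeg_get_byte has already recorded "jpeg: unexpected end of data", which presumably replaces that specific message with the generic "jpeg: file read error". The second check, in the following hunk, does the same. `if (grub_errno != GRUB_ERR_NONE) return 0;` would keep the original error. The first block also puts its opening brace on the `if` line, unlike the GNU-style braces used in the rest of this patch.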
+@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
+ 			  "jpeg: invalid 0xFF in data stream");
+ 	      return 0;
+ 	    }
++	  if (grub_errno != GRUB_ERR_NONE)
++	    {
++	      grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
++	      return 0;
++	    }
+ 	}
+       data->bit_mask = 0x80;
+     }
+@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
+     return 0;
+ 
+   msb = value = grub_jpeg_get_bit (data);
+-  for (i = 1; i < num; i++)
++  for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
+     value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
+   if (!msb)
+     value += 1 - (1 << num);
+@@ -202,6 +228,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
+   while (data->file->offset + sizeof (count) + 1 <= next_marker)
+     {
+       id = grub_jpeg_get_byte (data);
++      if (grub_errno != GRUB_ERR_NONE)
++	return grub_errno;
+       ac = (id >> 4) & 1;
+       id &= 0xF;
+       if (id > 1)
+@@ -252,6 +280,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ 
+   next_marker = data->file->offset;
+   next_marker += grub_jpeg_get_word (data);
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+ 
+   if (next_marker > data->file->size)
+     {
+@@ -263,6 +293,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ 	 <= next_marker)
+     {
+       id = grub_jpeg_get_byte (data);
++      if (grub_errno != GRUB_ERR_NONE)
++        return grub_errno;
+       if (id >= 0x10)		/* Upper 4-bit is precision.  */
+ 	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 			   "jpeg: only 8-bit precision is supported");
+@@ -294,6 +326,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+   next_marker = data->file->offset;
+   next_marker += grub_jpeg_get_word (data);
+ 
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
++
+   if (grub_jpeg_get_byte (data) != 8)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: only 8-bit precision is supported");
+@@ -319,6 +354,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
+ 
+       ss = grub_jpeg_get_byte (data);	/* Sampling factor.  */
++      if (grub_errno != GRUB_ERR_NONE)
++	return grub_errno;
+       if (!id)
+ 	{
+ 	  grub_uint8_t vs, hs;
+@@ -498,7 +535,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
+     }
+ }
+ 
+-static void
++static grub_err_t
+ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ {
+   int h1, h2, qt;
+@@ -513,6 +550,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+   data->dc_value[id] +=
+     grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));
+ 
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
++
+   du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
+   pos = 1;
+   while (pos < ARRAY_SIZE (data->quan_table[qt]))
+@@ -527,11 +567,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+       num >>= 4;
+       pos += num;
+ 
++      if (grub_errno != GRUB_ERR_NONE)
++        return grub_errno;
++
+       if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
+ 	{
+-	  grub_error (GRUB_ERR_BAD_FILE_TYPE,
+-		      "jpeg: invalid position in zigzag order!?");
+-	  return;
++	  return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++			     "jpeg: invalid position in zigzag order!?");
+ 	}
+ 
+       du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
+@@ -539,6 +581,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+     }
+ 
+   grub_jpeg_idct_transform (du);
++  return GRUB_ERR_NONE;
+ }
+ 
+ static void
+@@ -597,7 +640,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+   data_offset += grub_jpeg_get_word (data);
+ 
+   cc = grub_jpeg_get_byte (data);
+-
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+   if (cc != 3 && cc != 1)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: component count must be 1 or 3");
+@@ -610,7 +654,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+       id = grub_jpeg_get_byte (data) - 1;
+       if ((id < 0) || (id >= 3))
+ 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
+-
++      if (grub_errno != GRUB_ERR_NONE)
++	return grub_errno;
+       ht = grub_jpeg_get_byte (data);
+       data->comp_index[id][1] = (ht >> 4);
+       data->comp_index[id][2] = (ht & 0xF) + 2;
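Review bot: In the component loop of grub_jpeg_decode_sos the added grub_errno test sits after the range check on `id`, so a failed read there (get_byte returns 0, making `id` -1) is reported as "jpeg: invalid index" and the new test cannot fire for that read. Moving `if (grub_errno != GRUB_ERR_NONE) return grub_errno;` directly under `id = grub_jpeg_get_byte (data) - 1;` would report the read failure itself. The `ht` byte read after it is only checked at the end of the iteration, in the next hunk, after its value has been stored in comp_index.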
+@@ -618,11 +663,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+       if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
+ 	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
+ 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
++      if (grub_errno != GRUB_ERR_NONE)
++	return grub_errno;
+     }
+ 
+   grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */
+   grub_jpeg_get_word (data);
+-
++  if (grub_errno != GRUB_ERR_NONE)
++    return grub_errno;
+   if (data->file->offset != data_offset)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
+ 
+@@ -640,6 +688,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+   unsigned c1, vb, hb, nr1, nc1;
+   int rst = data->dri;
++  grub_err_t err = GRUB_ERR_NONE;
+ 
+   vb = 8 << data->log_vs;
+   hb = 8 << data->log_hs;
+@@ -660,17 +709,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ 
+ 	for (r2 = 0; r2 < (1U << data->log_vs); r2++)
+ 	  for (c2 = 0; c2 < (1U << data->log_hs); c2++)
+-	    grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
++            {
++              err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
++              if (err != GRUB_ERR_NONE)
++                return err;
++            }
+ 
+ 	if (data->color_components >= 3)
+ 	  {
+-	    grub_jpeg_decode_du (data, 1, data->cbdu);
+-	    grub_jpeg_decode_du (data, 2, data->crdu);
++	    err = grub_jpeg_decode_du (data, 1, data->cbdu);
++	    if (err != GRUB_ERR_NONE)
++	      return err;
++	    err = grub_jpeg_decode_du (data, 2, data->crdu);
++	    if (err != GRUB_ERR_NONE)
++	      return err;
+ 	  }
+ 
+-	if (grub_errno)
+-	  return grub_errno;
+-
+ 	nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
+ 	nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;
+ 
diff -pruN 2.06-2/debian/patches/0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch 2.06-8/debian/patches/0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
--- 2.06-2/debian/patches/0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,28 @@
+From 610c5986058312cfc0375fc04f88fcc116bdd043 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:16:58 +1000
+Subject: video/readers/jpeg: Do not reallocate a given huff table
+
+Fix a memory leak where an invalid file could cause us to reallocate
+memory for a huffman table we had already allocated memory for.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 10225abd5..caa211f06 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -245,6 +245,9 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
+ 	n += count[i];
+ 
+       id += ac * 2;
++      if (data->huff_value[id] != NULL)
++	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++			   "jpeg: attempt to reallocate huffman table");
+       data->huff_value[id] = grub_malloc (n);
+       if (grub_errno)
+ 	return grub_errno;
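Review bot: The new NULL test in grub_jpeg_decode_huff_table works as a leak guard only if every `data->huff_value[]` slot starts out NULL and is reset when freed, which this hunk does not show; that is worth confirming where the struct is allocated and released. A comment above the test, e.g. `/* A second DHT segment for the same table would leak the first allocation. */`, would explain why a repeated table id is treated as a bad file. The function body continues outside the hunk.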
diff -pruN 2.06-2/debian/patches/0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch 2.06-8/debian/patches/0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
--- 2.06-2/debian/patches/0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,42 @@
+From 9286f0009b922571c247012e699c3ed5f6e918bc Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:25:17 +1000
+Subject: video/readers/jpeg: Refuse to handle multiple start of streams
+
+An invalid file could contain multiple start of stream blocks, which
+would cause us to reallocate and leak our bitmap. Refuse to handle
+multiple start of streams.
+
+Additionally, fix a grub_error() call formatting.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index caa211f06..1df1171d7 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -677,6 +677,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+   if (data->file->offset != data_offset)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
+ 
++  if (*data->bitmap)
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
++
+   if (grub_video_bitmap_create (data->bitmap, data->image_width,
+ 				data->image_height,
+ 				GRUB_VIDEO_BLIT_FORMAT_RGB_888))
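Review bot: The added `return grub_error (...)` line in grub_jpeg_decode_sos runs well past 80 columns, while the second hunk of this same commit re-wraps a grub_error call purely for formatting. It should be wrapped the same way, as `return grub_error (GRUB_ERR_BAD_FILE_TYPE,` followed by `"jpeg: too many start of scan blocks");` on the next line. The test `*data->bitmap` also assumes the caller cleared `*bitmap` before decoding started, which is not visible here and would be worth a one-line comment.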
+@@ -699,8 +702,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+   nc1 = (data->image_width + hb - 1)  >> (3 + data->log_hs);
+ 
+   if (data->bitmap_ptr == NULL)
+-    return grub_error(GRUB_ERR_BAD_FILE_TYPE,
+-		      "jpeg: attempted to decode data before start of stream");
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		       "jpeg: attempted to decode data before start of stream");
+ 
+   for (; data->r1 < nr1 && (!data->dri || rst);
+        data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
diff -pruN 2.06-2/debian/patches/0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch 2.06-8/debian/patches/0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
--- 2.06-2/debian/patches/0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,73 @@
+From a10c2350a766f9b315735931a49499a7e2c77bf3 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 7 Jul 2021 15:38:19 +1000
+Subject: video/readers/jpeg: Block int underflow -> wild pointer write
+
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+
+for (; data->r1 < nr1 && (!data->dri || rst);
+     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+
+We did not check if vb * width >= hb * nc1.
+
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+
+0x6180_0000_0480 to
+0x6181_0000_0498
+     ^
+     ~--- carry has occurred and this pointer is now far away from
+          any object.
+
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+
+Catch the underflow and error out.
+
+Fixes: CVE-2021-3697
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 1df1171d7..97a533b24 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -693,6 +694,7 @@ static grub_err_t
+ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+   unsigned c1, vb, hb, nr1, nc1;
++  unsigned stride_a, stride_b, stride;
+   int rst = data->dri;
+   grub_err_t err = GRUB_ERR_NONE;
+ 
+@@ -705,8 +707,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: attempted to decode data before start of stream");
+ 
++  if (grub_mul(vb, data->image_width, &stride_a) ||
++      grub_mul(hb, nc1, &stride_b) ||
++      grub_sub(stride_a, stride_b, &stride))
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		       "jpeg: cannot decode image with these dimensions");
++
+   for (; data->r1 < nr1 && (!data->dri || rst);
+-       data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
++       data->r1++, data->bitmap_ptr += stride * 3)
+     for (c1 = 0;  c1 < nc1 && (!data->dri || rst);
+ 	c1++, rst--, data->bitmap_ptr += hb * 3)
+       {
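Review bot: The subtraction is now checked, but the loop increment `data->bitmap_ptr += stride * 3` still multiplies outside the guarded arithmetic and can in principle wrap in `unsigned` before it is added to the pointer. Adding `|| grub_mul (stride, 3, &stride)` to the new condition and using `data->bitmap_ptr += stride` in the loop header would cover it. The new calls are also written `grub_mul(` and `grub_sub(` without the space before the parenthesis used elsewhere in these patches. grub_jpeg_decode_data continues past the end of the hunk.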
diff -pruN 2.06-2/debian/patches/0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch 2.06-8/debian/patches/0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
--- 2.06-2/debian/patches/0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,33 @@
+From 557370849b914110a9efbd7256dc3942a8af8b99 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 13 Jul 2021 13:24:38 +1000
+Subject: normal/charset: Fix array out-of-bounds formatting unicode for
+ display
+
+In some cases attempting to display arbitrary binary strings leads
+to ASAN splats reading the widthspec array out of bounds.
+
+Check the index. If it would be out of bounds, return a width of 1.
+I don't know if that's strictly correct, but we're not really expecting
+great display of arbitrary binary data, and it's certainly not worse than
+an OOB read.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/normal/charset.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index 4dfcc3107..7a5a7c153 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -395,6 +395,8 @@ grub_unicode_estimate_width (const struct grub_unicode_glyph *c)
+ {
+   if (grub_unicode_get_comb_type (c->base))
+     return 0;
++  if (((unsigned long) (c->base >> 3)) >= ARRAY_SIZE (widthspec))
++    return 1;
+   if (widthspec[c->base >> 3] & (1 << (c->base & 7)))
+     return 2;
+   else
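Review bot: The fallback width of 1 for code points past the end of widthspec is explained only in the commit message, and the code should carry it too. A comment above the new test would do, e.g. `/* No width data beyond widthspec; assume one cell rather than read out of bounds. */`. The index `c->base >> 3` is now computed on two adjacent lines, so a local for it would keep the bounds test and the lookup from drifting apart.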
diff -pruN 2.06-2/debian/patches/0078-net-netbuff-Block-overly-large-netbuff-allocs.patch 2.06-8/debian/patches/0078-net-netbuff-Block-overly-large-netbuff-allocs.patch
--- 2.06-2/debian/patches/0078-net-netbuff-Block-overly-large-netbuff-allocs.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0078-net-netbuff-Block-overly-large-netbuff-allocs.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,45 @@
+From 4ea64c827f8bc57180772fd5671ddd010cb7b2ed Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 23:47:46 +1100
+Subject: net/netbuff: Block overly large netbuff allocs
+
+A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment
+reassembly.
+
+This helps avoid some bugs (and provides a spot to instrument to catch
+them at their source).
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/netbuff.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c
+index dbeeefe47..d5e9e9a0d 100644
+--- a/grub-core/net/netbuff.c
++++ b/grub-core/net/netbuff.c
+@@ -79,10 +79,23 @@ grub_netbuff_alloc (grub_size_t len)
+ 
+   COMPILE_TIME_ASSERT (NETBUFF_ALIGN % sizeof (grub_properly_aligned_t) == 0);
+ 
++  /*
++   * The largest size of a TCP packet is 64 KiB, and everything else
++   * should be a lot smaller - most MTUs are 1500 or less. Cap data
++   * size at 64 KiB + a buffer.
++   */
++  if (len > 0xffffUL + 0x1000UL)
++    {
++      grub_error (GRUB_ERR_BUG,
++                  "attempted to allocate a packet that is too big");
++      return NULL;
++    }
++
+   if (len < NETBUFFMINLEN)
+     len = NETBUFFMINLEN;
+ 
+   len = ALIGN_UP (len, NETBUFF_ALIGN);
++
+ #ifdef GRUB_MACHINE_EMU
+   data = grub_malloc (len + sizeof (*nb));
+ #else
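Review bot: The cap in grub_netbuff_alloc is spelled as the bare expression `0xffffUL + 0x1000UL`; a named constant beside the definition of NETBUFFMINLEN (for example `#define NETBUFF_MAX_LEN (0xffffUL + 0x1000UL)`, name to be chosen) would let callers and tests refer to the same limit. The failure is raised as GRUB_ERR_BUG, yet the IP reassembly code in the next patch passes this function a length derived from packet fields, so an oversized request may come from hostile input rather than a programming error. If the BUG code is meant as instrumentation, the comment should say so. The comment's "TCP packet" presumably refers to the 64 KiB IP datagram limit.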
diff -pruN 2.06-2/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch 2.06-8/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch
--- 2.06-2/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,43 @@
+From 2a4f87df650fd2ef639b48b43fc834b97b6b2bfa Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Dec 2021 19:41:21 +1100
+Subject: net/ip: Do IP fragment maths safely
+
+This avoids an underflow and subsequent unpleasantness.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index 01410798b..937be8767 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
++#include <grub/safemath.h>
+ #include <grub/time.h>
+ 
+ struct iphdr {
+@@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+     {
+       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ 			+ (nb->tail - nb->data));
+-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++		    &rsm->total_len))
++	{
++	  grub_dprintf ("net", "IP reassembly size underflow\n");
++	  return GRUB_ERR_NONE;
++	}
++
+       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+       if (!rsm->asm_netbuff)
+ 	{
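Review bot: grub_sub() is given `&rsm->total_len` as both its input and its output, so on the underflow path the reassembly record may be left holding whatever the helper stored there when the early `return GRUB_ERR_NONE;` is taken. Computing into a local of the same type and assigning `rsm->total_len` only on success would leave the record untouched for a rejected fragment. The hunk also does not show who owns `nb` at that return or whether the rest of the reassembly state is discarded; both should be confirmed against the surrounding function, which starts and ends outside the hunk.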
diff -pruN 2.06-2/debian/patches/0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch 2.06-8/debian/patches/0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
--- 2.06-2/debian/patches/0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,55 @@
+From 21158c5dfb5e0c5015277346128903397d498da4 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 16 Sep 2021 01:29:54 +1000
+Subject: net/dns: Fix double-free addresses on corrupt DNS response
+
+grub_net_dns_lookup() takes as inputs a pointer to an array of addresses
+("addresses") for the given name, and pointer to a number of addresses
+("naddresses"). grub_net_dns_lookup() is responsible for allocating
+"addresses", and the caller is responsible for freeing it if
+"naddresses" > 0.
+
+The DNS recv_hook will sometimes set and free the addresses array,
+for example if the packet is too short:
+
+      if (ptr + 10 >= nb->tail)
+	{
+	  if (!*data->naddresses)
+	    grub_free (*data->addresses);
+	  grub_netbuff_free (nb);
+	  return GRUB_ERR_NONE;
+	}
+
+Later on the nslookup command code unconditionally frees the "addresses"
+array. Normally this is fine: the array is either populated with valid
+data or is NULL. But in these sorts of error cases it is neither NULL
+nor valid and we get a double-free.
+
+Only free "addresses" if "naddresses" > 0.
+
+It looks like the other use of grub_net_dns_lookup() is not affected.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/dns.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index 906ec7d67..135faac03 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -667,9 +667,11 @@ grub_cmd_nslookup (struct grub_command *cmd __attribute__ ((unused)),
+       grub_net_addr_to_str (&addresses[i], buf);
+       grub_printf ("%s\n", buf);
+     }
+-  grub_free (addresses);
+   if (naddresses)
+-    return GRUB_ERR_NONE;
++    {
++      grub_free (addresses);
++      return GRUB_ERR_NONE;
++    }
+   return grub_error (GRUB_ERR_NET_NO_DOMAIN, N_("no DNS record found"));
+ }
+ 
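Review bot: The double free is avoided here in grub_cmd_nslookup, but the recv_hook path quoted in the commit message still leaves `*data->addresses` pointing at freed memory. Every caller of grub_net_dns_lookup() therefore has to know not to touch the pointer when `naddresses` is 0. Setting `*data->addresses = NULL;` right after that `grub_free` in the hook would make the stale pointer harmless; that code is outside this hunk, so it is a follow-up. A comment at the new branch, `/* addresses is valid, and ours to free, only when naddresses > 0. */`, would document the contract this fix relies on.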
diff -pruN 2.06-2/debian/patches/0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch 2.06-8/debian/patches/0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
--- 2.06-2/debian/patches/0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,69 @@
+From 968febf3a4de5df0f91cc13bc6b6053fc22575e1 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Dec 2021 21:55:43 +1100
+Subject: net/dns: Don't read past the end of the string we're checking against
+
+I don't really understand what's going on here but fuzzing found
+a bug where we read past the end of check_with. That's a C string,
+so use grub_strlen() to make sure we don't overread it.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/dns.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index 135faac03..17961a9f1 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -146,11 +146,18 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
+ 		 int *length, char *set)
+ {
+   const char *readable_ptr = check_with;
++  int readable_len;
+   const grub_uint8_t *ptr;
+   char *optr = set;
+   int bytes_processed = 0;
+   if (length)
+     *length = 0;
++
++  if (readable_ptr != NULL)
++    readable_len = grub_strlen (readable_ptr);
++  else
++    readable_len = 0;
++
+   for (ptr = name_at; ptr < tail && bytes_processed < tail - head + 2; )
+     {
+       /* End marker.  */
+@@ -172,13 +179,16 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
+ 	  ptr = head + (((ptr[0] & 0x3f) << 8) | ptr[1]);
+ 	  continue;
+ 	}
+-      if (readable_ptr && grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0)
++      if (readable_ptr != NULL && (*ptr > readable_len || grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0))
+ 	return 0;
+       if (grub_memchr (ptr + 1, 0, *ptr) 
+ 	  || grub_memchr (ptr + 1, '.', *ptr))
+ 	return 0;
+       if (readable_ptr)
+-	readable_ptr += *ptr;
++	{
++	  readable_ptr += *ptr;
++	  readable_len -= *ptr;
++	}
+       if (readable_ptr && *readable_ptr != '.' && *readable_ptr != 0)
+ 	return 0;
+       bytes_processed += *ptr + 1;
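Review bot: The rewritten condition in check_name_real is a single line far beyond 80 columns and mixes the new length test with the existing grub_memcmp; breaking it after `readable_ptr != NULL &&` and again after the `||` would match the wrapping used elsewhere in the file. Since the commit message itself says the logic is not well understood, the invariant should be written down where readable_len is declared in the previous hunk, e.g. `/* Bytes of check_with remaining at readable_ptr. */`. readable_len is an `int` filled from grub_strlen(), which is fine for DNS names but is an implicit narrowing worth an explicit cast.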
+@@ -192,7 +202,10 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head,
+       if (optr)
+ 	*optr++ = '.';
+       if (readable_ptr && *readable_ptr)
+-	readable_ptr++;
++	{
++	  readable_ptr++;
++	  readable_len--;
++	}
+       ptr += *ptr + 1;
+     }
+   return 0;
diff -pruN 2.06-2/debian/patches/0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch 2.06-8/debian/patches/0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
--- 2.06-2/debian/patches/0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,111 @@
+From e7573be61b3cf005cdf0a068652153437daca4b3 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Sep 2021 01:12:24 +1000
+Subject: net/tftp: Prevent a UAF and double-free from a failed seek
+
+A malicious tftp server can cause UAFs and a double free.
+
+An attempt to read from a network file is handled by grub_net_fs_read(). If
+the read is at an offset other than the current offset, grub_net_seek_real()
+is invoked.
+
+In grub_net_seek_real(), if a backwards seek cannot be satisfied from the
+currently received packets, and the underlying transport does not provide
+a seek method, then grub_net_seek_real() will close and reopen the network
+protocol layer.
+
+For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t
+file->data. The file->data pointer is not nulled out after the free.
+
+If the ->open() call fails, the file->data will not be reallocated and will
+continue point to a freed memory block. This could happen from a server
+refusing to send the requisite ack to the new tftp request, for example.
+
+The seek and the read will then fail, but the grub_file continues to exist:
+the failed seek does not necessarily cause the entire file to be thrown
+away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc.,
+a read failure is interpreted as a decompressor passing on the file, not as
+an invalidation of the entire grub_file_t structure).
+
+This means subsequent attempts to read or seek the file will use the old
+file->data after free. Eventually, the file will be close()d again and
+file->data will be freed again.
+
+Mark a net_fs file that doesn't reopen as broken. Do not permit read() or
+close() on a broken file (seek is not exposed directly to the file API -
+it is only called as part of read, so this blocks seeks as well).
+
+As an additional defence, null out the ->data pointer if tftp_open() fails.
+That would have lead to a simple null pointer dereference rather than
+a mess of UAFs.
+
+This may affect other protocols, I haven't checked.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c  | 11 +++++++++--
+ grub-core/net/tftp.c |  1 +
+ include/grub/net.h   |  1 +
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 15a2f29a9..af7440776 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1548,7 +1548,8 @@ grub_net_fs_close (grub_file_t file)
+       grub_netbuff_free (file->device->net->packs.first->nb);
+       grub_net_remove_packet (file->device->net->packs.first);
+     }
+-  file->device->net->protocol->close (file);
++  if (!file->device->net->broken)
++    file->device->net->protocol->close (file);
+   grub_free (file->device->net->name);
+   return GRUB_ERR_NONE;
+ }
+@@ -1770,7 +1771,10 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
+     file->device->net->stall = 0;
+     err = file->device->net->protocol->open (file, file->device->net->name);
+     if (err)
+-      return err;
++      {
++	file->device->net->broken = 1;
++	return err;
++      }
+     grub_net_fs_read_real (file, NULL, offset);
+     return grub_errno;
+   }
+@@ -1779,6 +1783,9 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset)
+ static grub_ssize_t
+ grub_net_fs_read (grub_file_t file, char *buf, grub_size_t len)
+ {
++  if (file->device->net->broken)
++    return -1;
++
+   if (file->offset != file->device->net->offset)
+     {
+       grub_err_t err;
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index f3e787938..d1afa2535 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -404,6 +404,7 @@ tftp_open (struct grub_file *file, const char *filename)
+     {
+       grub_net_udp_close (data->sock);
+       grub_free (data);
++      file->data = NULL;
+       return grub_errno;
+     }
+ 
+diff --git a/include/grub/net.h b/include/grub/net.h
+index cbcae79b1..8d71ca6cc 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -277,6 +277,7 @@ typedef struct grub_net
+   grub_fs_t fs;
+   int eof;
+   int stall;
++  int broken;
+ } *grub_net_t;
+ 
+ extern grub_net_t (*EXPORT_VAR (grub_net_open)) (const char *name);
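Review bot: The new early exit in grub_net_fs_read(), `if (file->device->net->broken) return -1;`, reports failure without recording an error. A caller that has already cleared the error left by the failed seek would then see -1 with grub_errno unset; this is not confirmed here, because the hunks show only part of each function. Raising an error first, for example `grub_error (GRUB_ERR_IO, "network file is no longer usable");` followed by `return -1;`, keeps the failure diagnosable. The new `int broken;` member of struct grub_net would also benefit from a comment such as `/* Set when the reopen in grub_net_seek_real() failed; protocol data must not be used. */`. Only the one tftp_open() failure path shown here clears file->data, so any other failure paths in that function, which lie outside the hunk, should be checked for the same reset.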
diff -pruN 2.06-2/debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch 2.06-8/debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch
--- 2.06-2/debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,34 @@
+From fb66f40ba67b88408a43cb38492053985bfe4968 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 18 Jan 2022 14:29:20 +1100
+Subject: net/tftp: Avoid a trivial UAF
+
+Under tftp errors, we print a tftp error message from the tftp header.
+However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
+we were freeing the nb and then dereferencing it. Don't do that, use it
+and then free it later.
+
+This isn't really _bad_ per se, especially as we're single-threaded, but
+it trips up fuzzers.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/tftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index d1afa2535..4222d93b6 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -251,9 +251,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+       return GRUB_ERR_NONE;
+     case TFTP_ERROR:
+       data->have_oack = 1;
+-      grub_netbuff_free (nb);
+       grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
+       grub_error_save (&data->save_err);
++      grub_netbuff_free (nb);
+       return GRUB_ERR_NONE;
+     default:
+       grub_netbuff_free (nb);
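Review bot: In the TFTP_ERROR case, `grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);` formats a string that lives inside the received packet, and nothing in this hunk shows that it is NUL-terminated before the end of nb. If no earlier check in tftp_receive() guarantees that (the function starts and ends outside the hunk), the "%s" conversion is not bounded by the packet length. A guard before the call, such as `if (grub_memchr (tftph->u.err.errmsg, 0, (char *) nb->tail - (char *) tftph->u.err.errmsg) == NULL)` with a fixed fallback message, would bound it.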
diff -pruN 2.06-2/debian/patches/0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch 2.06-8/debian/patches/0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
--- 2.06-2/debian/patches/0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,40 @@
+From 6df718714dea5043243e367750b5c6abebcf79fe Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Mar 2022 23:14:15 +1100
+Subject: net/http: Do not tear down socket if it's already been torn down
+
+It's possible for data->sock to get torn down in tcp error handling.
+If we unconditionally tear it down again we will end up doing writes
+to an offset of the NULL pointer when we go to tear it down again.
+
+Detect if it has been torn down and don't do it again.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/http.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 3fe155f1b..ef6eaff0d 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -422,7 +422,7 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
+       return err;
+     }
+ 
+-  for (i = 0; !data->headers_recv && i < 100; i++)
++  for (i = 0; data->sock && !data->headers_recv && i < 100; i++)
+     {
+       grub_net_tcp_retransmit ();
+       grub_net_poll_cards (300, &data->headers_recv);
+@@ -430,7 +430,8 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
+ 
+   if (!data->headers_recv)
+     {
+-      grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
++      if (data->sock)
++        grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
+       if (data->err)
+ 	{
+ 	  char *str = data->errmsg;
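Review bot: After the guarded `grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);` in the `!data->headers_recv` branch, data->sock still holds the closed socket, although the fix itself relies on a torn-down socket being recognisable by a NULL pointer. Setting `data->sock = NULL;` right after the close, inside braces under `if (data->sock)`, would keep that invariant for any later cleanup that tests the pointer. Whether such a path exists is not visible, because http_establish() continues beyond the hunk. The two added lines are also indented with spaces where the neighbouring lines use tabs.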
diff -pruN 2.06-2/debian/patches/0085-net-http-Fix-OOB-write-for-split-http-headers.patch 2.06-8/debian/patches/0085-net-http-Fix-OOB-write-for-split-http-headers.patch
--- 2.06-2/debian/patches/0085-net-http-Fix-OOB-write-for-split-http-headers.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0085-net-http-Fix-OOB-write-for-split-http-headers.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,45 @@
+From f407a45bd3483f6bbf58c5e9386a44caa14287e3 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 18:17:03 +1100
+Subject: net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/http.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index ef6eaff0d..9f45ad4e8 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+ 	  int have_line = 1;
+ 	  char *t;
+ 	  ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+-	  if (ptr)
+-	    ptr++;
+-	  else
++	  if (ptr == NULL)
+ 	    {
+ 	      have_line = 0;
+ 	      ptr = (char *) nb->tail;
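Review bot: With `ptr++` removed, ptr is left pointing at the '\n' itself when a line terminator is found, so whatever consumes ptr after this block now sees that byte first. That code is outside the hunk; it is worth confirming that the next scan does not treat the leftover '\n' as an empty header line, particularly together with the "LF without CR" rejection added by the next patch in this series. A short comment at the `if (ptr == NULL)` test would record the intent, e.g. `/* Keep ptr on the '\n': the length handed to parse_line() must not include it. */`.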
diff -pruN 2.06-2/debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch 2.06-8/debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch
--- 2.06-2/debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,47 @@
+From 870b94755b6a341d21632293677b346ff033e5f0 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 19:04:40 +1100
+Subject: net/http: Error out on headers with LF without CR
+
+In a similar vein to the previous patch, parse_line() would write
+a NUL byte past the end of the buffer if there was an HTTP header
+with a LF rather than a CRLF.
+
+RFC-2616 says:
+
+  Many HTTP/1.1 header field values consist of words separated by LWS
+  or special characters. These special characters MUST be in a quoted
+  string to be used within a parameter value (as defined in section 3.6).
+
+We don't support quoted sections or continuation lines, etc.
+
+If we see an LF that's not part of a CRLF, bail out.
+
+Fixes: CVE-2022-28734
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/http.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 9f45ad4e8..6988d38fb 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+   char *end = ptr + len;
+   while (end > ptr && *(end - 1) == '\r')
+     end--;
++
++  /* LF without CR. */
++  if (end == ptr + len)
++    {
++      data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++      return GRUB_ERR_NONE;
++    }
+   *end = 0;
++
+   /* Trailing CRLF.  */
+   if (data->in_chunk_len == 1)
+     {
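Review bot: The new `end == ptr + len` branch stores a message in data->errmsg and returns GRUB_ERR_NONE without setting data->err, while the http_establish() context shown in patch 0084 reads data->errmsg only under `if (data->err)`. Unless another consumer outside these hunks picks the message up, the rejection may surface only as a generic failure and the grub_strdup() result may never be released. Setting `data->err = GRUB_ERR_IO;` alongside the message is one option; the grub_strdup() return value is also unchecked. parse_line() continues past the end of the hunk.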
diff -pruN 2.06-2/debian/patches/0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch 2.06-8/debian/patches/0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch
--- 2.06-2/debian/patches/0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,71 @@
+From 2d014248d540c7e087934a94b6e7a2aa7fc2c704 Mon Sep 17 00:00:00 2001
+From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Date: Wed, 6 Apr 2022 18:03:37 +0530
+Subject: fs/f2fs: Do not read past the end of nat journal entries
+
+A corrupt f2fs file system could specify a nat journal entry count
+that is beyond the maximum NAT_JOURNAL_ENTRIES.
+
+Check if the specified nat journal entry count before accessing the
+array, and throw an error if it is too large.
+
+Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/f2fs.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
+index 8a9992ca9..63702214b 100644
+--- a/grub-core/fs/f2fs.c
++++ b/grub-core/fs/f2fs.c
+@@ -632,23 +632,27 @@ get_nat_journal (struct grub_f2fs_data *data)
+   return err;
+ }
+ 
+-static grub_uint32_t
+-get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid)
++static grub_err_t
++get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid,
++                              grub_uint32_t *blkaddr)
+ {
+   grub_uint16_t n = grub_le_to_cpu16 (data->nat_j.n_nats);
+-  grub_uint32_t blkaddr = 0;
+   grub_uint16_t i;
+ 
++  if (n > NAT_JOURNAL_ENTRIES)
++    return grub_error (GRUB_ERR_BAD_FS,
++                       "invalid number of nat journal entries");
++
+   for (i = 0; i < n; i++)
+     {
+       if (grub_le_to_cpu32 (data->nat_j.entries[i].nid) == nid)
+         {
+-          blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);
++          *blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr);
+           break;
+         }
+     }
+ 
+-  return blkaddr;
++  return GRUB_ERR_NONE;
+ }
+ 
+ static grub_uint32_t
+@@ -656,10 +660,13 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid)
+ {
+   struct grub_f2fs_nat_block *nat_block;
+   grub_uint32_t seg_off, block_off, entry_off, block_addr;
+-  grub_uint32_t blkaddr;
++  grub_uint32_t blkaddr = 0;
+   grub_err_t err;
+ 
+-  blkaddr = get_blkaddr_from_nat_journal (data, nid);
++  err = get_blkaddr_from_nat_journal (data, nid, &blkaddr);
++  if (err != GRUB_ERR_NONE)
++    return 0;
++
+   if (blkaddr)
+     return blkaddr;
+ 
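Review bot: get_blkaddr_from_nat_journal() writes `*blkaddr` only when a journal entry matches, so its result is meaningful only because get_node_blkaddr() now initialises `blkaddr = 0` before the call. Assigning `*blkaddr = 0;` at the top of the helper, before the `n > NAT_JOURNAL_ENTRIES` check, makes the "not found" result part of the helper's own contract instead of a requirement on every caller. A one-line comment above the function stating that 0 means "no journal entry for this nid" would document that. get_node_blkaddr() continues beyond the hunk.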
diff -pruN 2.06-2/debian/patches/0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch 2.06-8/debian/patches/0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch
--- 2.06-2/debian/patches/0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,131 @@
+From 9561d7ef621e5e68f12bcd916252ef1c11e60366 Mon Sep 17 00:00:00 2001
+From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Date: Wed, 6 Apr 2022 18:49:09 +0530
+Subject: fs/f2fs: Do not read past the end of nat bitmap
+
+A corrupt f2fs filesystem could have a block offset or a bitmap
+offset that would cause us to read beyond the bounds of the nat
+bitmap.
+
+Introduce the nat_bitmap_size member in grub_f2fs_data which holds
+the size of nat bitmap.
+
+Set the size when loading the nat bitmap in nat_bitmap_ptr(), and
+catch when an invalid offset would create a pointer past the end of
+the allocated space.
+
+Check against the bitmap size in grub_f2fs_test_bit() test bit to avoid
+reading past the end of the nat bitmap.
+
+Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/f2fs.c | 33 +++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
+index 63702214b..8898b235e 100644
+--- a/grub-core/fs/f2fs.c
++++ b/grub-core/fs/f2fs.c
+@@ -122,6 +122,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define F2FS_INLINE_DOTS          0x10  /* File having implicit dot dentries. */
+ 
+ #define MAX_VOLUME_NAME           512
++#define MAX_NAT_BITMAP_SIZE       3900
+ 
+ enum FILE_TYPE
+ {
+@@ -183,7 +184,7 @@ struct grub_f2fs_checkpoint
+   grub_uint32_t                   checksum_offset;
+   grub_uint64_t                   elapsed_time;
+   grub_uint8_t                    alloc_type[MAX_ACTIVE_LOGS];
+-  grub_uint8_t                    sit_nat_version_bitmap[3900];
++  grub_uint8_t                    sit_nat_version_bitmap[MAX_NAT_BITMAP_SIZE];
+   grub_uint32_t                   checksum;
+ } GRUB_PACKED;
+ 
+@@ -302,6 +303,7 @@ struct grub_f2fs_data
+ 
+   struct grub_f2fs_nat_journal    nat_j;
+   char                            *nat_bitmap;
++  grub_uint32_t                   nat_bitmap_size;
+ 
+   grub_disk_t                     disk;
+   struct grub_f2fs_node           *inode;
+@@ -377,15 +379,20 @@ sum_blk_addr (struct grub_f2fs_data *data, int base, int type)
+ }
+ 
+ static void *
+-nat_bitmap_ptr (struct grub_f2fs_data *data)
++nat_bitmap_ptr (struct grub_f2fs_data *data, grub_uint32_t *nat_bitmap_size)
+ {
+   struct grub_f2fs_checkpoint *ckpt = &data->ckpt;
+   grub_uint32_t offset;
++  *nat_bitmap_size = MAX_NAT_BITMAP_SIZE;
+ 
+   if (grub_le_to_cpu32 (data->sblock.cp_payload) > 0)
+     return ckpt->sit_nat_version_bitmap;
+ 
+   offset = grub_le_to_cpu32 (ckpt->sit_ver_bitmap_bytesize);
++  if (offset >= MAX_NAT_BITMAP_SIZE)
++     return NULL;
++
++  *nat_bitmap_size = *nat_bitmap_size - offset;
+ 
+   return ckpt->sit_nat_version_bitmap + offset;
+ }
+@@ -438,11 +445,15 @@ grub_f2fs_crc_valid (grub_uint32_t blk_crc, void *buf, const grub_uint32_t len)
+ }
+ 
+ static int
+-grub_f2fs_test_bit (grub_uint32_t nr, const char *p)
++grub_f2fs_test_bit (grub_uint32_t nr, const char *p, grub_uint32_t len)
+ {
+   int mask;
++  grub_uint32_t shifted_nr = (nr >> 3);
++
++  if (shifted_nr >= len)
++    return -1;
+ 
+-  p += (nr >> 3);
++  p += shifted_nr;
+   mask = 1 << (7 - (nr & 0x07));
+ 
+   return mask & *p;
+@@ -662,6 +673,7 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid)
+   grub_uint32_t seg_off, block_off, entry_off, block_addr;
+   grub_uint32_t blkaddr = 0;
+   grub_err_t err;
++  int result_bit;
+ 
+   err = get_blkaddr_from_nat_journal (data, nid, &blkaddr);
+   if (err != GRUB_ERR_NONE)
+@@ -682,8 +694,15 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid)
+         ((seg_off * data->blocks_per_seg) << 1) +
+         (block_off & (data->blocks_per_seg - 1));
+ 
+-  if (grub_f2fs_test_bit (block_off, data->nat_bitmap))
++  result_bit = grub_f2fs_test_bit (block_off, data->nat_bitmap,
++                                   data->nat_bitmap_size);
++  if (result_bit > 0)
+     block_addr += data->blocks_per_seg;
++  else if (result_bit == -1)
++    {
++      grub_free (nat_block);
++      return 0;
++    }
+ 
+   err = grub_f2fs_block_read (data, block_addr, nat_block);
+   if (err)
+@@ -833,7 +852,9 @@ grub_f2fs_mount (grub_disk_t disk)
+   if (err)
+     goto fail;
+ 
+-  data->nat_bitmap = nat_bitmap_ptr (data);
++  data->nat_bitmap = nat_bitmap_ptr (data, &data->nat_bitmap_size);
++  if (data->nat_bitmap == NULL)
++    goto fail;
+ 
+   err = get_nat_journal (data);
+   if (err)
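Review bot: Both new failure paths drop the reason: `if (data->nat_bitmap == NULL) goto fail;` in grub_f2fs_mount() and the `result_bit == -1` branch in get_node_blkaddr() bail out without calling grub_error(), unlike the nat journal check in the previous patch, which reports GRUB_ERR_BAD_FS. What the `fail` label and the callers of get_node_blkaddr() do with an unset grub_errno is outside these hunks. An explicit report such as `grub_error (GRUB_ERR_BAD_FS, "invalid nat bitmap offset");` at each site would make the corruption visible instead of depending on them. The `return NULL;` added in nat_bitmap_ptr() is indented five spaces where the surrounding code uses four.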
diff -pruN 2.06-2/debian/patches/0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch 2.06-8/debian/patches/0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch
--- 2.06-2/debian/patches/0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,37 @@
+From 998bd74c11c0e00f69fe2f37a8200381faf51061 Mon Sep 17 00:00:00 2001
+From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Date: Wed, 6 Apr 2022 18:17:43 +0530
+Subject: fs/f2fs: Do not copy file names that are too long
+
+A corrupt f2fs file system might specify a name length which is greater
+than the maximum name length supported by the GRUB f2fs driver.
+
+We will allocate enough memory to store the overly long name, but there
+are only F2FS_NAME_LEN bytes in the source, so we would read past the end
+of the source.
+
+While checking directory entries, do not copy a file name with an invalid
+length.
+
+Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/f2fs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
+index 8898b235e..df6beb544 100644
+--- a/grub-core/fs/f2fs.c
++++ b/grub-core/fs/f2fs.c
+@@ -1003,6 +1003,10 @@ grub_f2fs_check_dentries (struct grub_f2fs_dir_iter_ctx *ctx)
+ 
+       ftype = ctx->dentry[i].file_type;
+       name_len = grub_le_to_cpu16 (ctx->dentry[i].name_len);
++
++      if (name_len >= F2FS_NAME_LEN)
++        return 0;
++
+       filename = grub_malloc (name_len + 1);
+       if (!filename)
+         return 0;
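Review bot: The guard `if (name_len >= F2FS_NAME_LEN) return 0;` also rejects a name of exactly F2FS_NAME_LEN bytes, although the commit message describes the problem as a length greater than the maximum and says the source holds F2FS_NAME_LEN bytes. If F2FS_NAME_LEN is the largest valid name length (its definition is not in this hunk), `name_len > F2FS_NAME_LEN` matches the description and still leaves room for the terminator in the `name_len + 1` allocation. The early exit also returns the same value as the allocation failure just below and records no error, so a corrupt entry and out-of-memory look alike to the caller; a grub_dprintf() or grub_error() here would help. The function extends beyond the hunk on both sides.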
diff -pruN 2.06-2/debian/patches/0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch 2.06-8/debian/patches/0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
--- 2.06-2/debian/patches/0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,75 @@
+From 23c785c3e965731ac440f9c150fdfeec6dd433e7 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 29 Mar 2022 10:49:56 +0000
+Subject: fs/btrfs: Fix several fuzz issues with invalid dir item sizing
+
+According to the btrfs code in Linux, the structure of a directory item
+leaf should be of the form:
+
+  |struct btrfs_dir_item|name|data|
+
+in GRUB the name len and data len are in the grub_btrfs_dir_item
+structure's n and m fields respectively.
+
+The combined size of the structure, name and data should be less than
+the allocated memory, a difference to the Linux kernel's struct
+btrfs_dir_item is that the grub_btrfs_dir_item has an extra field for
+where the name is stored, so we adjust for that too.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/btrfs.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 63203034d..eb9857d74 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -1961,6 +1961,7 @@ grub_btrfs_dir (grub_device_t device, const char *path,
+   int r = 0;
+   grub_uint64_t tree;
+   grub_uint8_t type;
++  grub_size_t est_size = 0;
+ 
+   if (!data)
+     return grub_errno;
+@@ -2019,6 +2020,18 @@ grub_btrfs_dir (grub_device_t device, const char *path,
+ 	  break;
+ 	}
+ 
++      if (direl == NULL ||
++	  grub_add (grub_le_to_cpu16 (direl->n),
++		    grub_le_to_cpu16 (direl->m), &est_size) ||
++	  grub_add (est_size, sizeof (*direl), &est_size) ||
++	  grub_sub (est_size, sizeof (direl->name), &est_size) ||
++	  est_size > allocated)
++       {
++         grub_errno = GRUB_ERR_OUT_OF_RANGE;
++         r = -grub_errno;
++         goto out;
++       }
++
+       for (cdirel = direl;
+ 	   (grub_uint8_t *) cdirel - (grub_uint8_t *) direl
+ 	   < (grub_ssize_t) elemsize;
+@@ -2029,6 +2042,19 @@ grub_btrfs_dir (grub_device_t device, const char *path,
+ 	  char c;
+ 	  struct grub_btrfs_inode inode;
+ 	  struct grub_dirhook_info info;
++
++	  if (cdirel == NULL ||
++	      grub_add (grub_le_to_cpu16 (cdirel->n),
++			grub_le_to_cpu16 (cdirel->m), &est_size) ||
++	      grub_add (est_size, sizeof (*cdirel), &est_size) ||
++	      grub_sub (est_size, sizeof (cdirel->name), &est_size) ||
++	      est_size > allocated)
++	   {
++	     grub_errno = GRUB_ERR_OUT_OF_RANGE;
++	     r = -grub_errno;
++	     goto out;
++	   }
++
+ 	  err = grub_btrfs_read_inode (data, &inode, cdirel->key.object_id,
+ 				       tree);
+ 	  grub_memset (&info, 0, sizeof (info));
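Review bot: Inside the loop, the new check on cdirel compares only that entry's own size (`est_size > allocated`) and does not add the entry's offset from direl, so an entry that starts near the end of the buffer can pass the check while its name and data extend past it. Adding the offset before the comparison, e.g. `grub_add (est_size, (grub_uint8_t *) cdirel - (grub_uint8_t *) direl, &est_size)`, would bound each entry against the space actually remaining. How `allocated` relates to `elemsize` is set outside the hunk and should be confirmed. The two five-condition checks are identical apart from the pointer, so a small static helper would keep them from drifting apart.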
diff -pruN 2.06-2/debian/patches/0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch 2.06-8/debian/patches/0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
--- 2.06-2/debian/patches/0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,133 @@
+From 22976cf1b9864455173e1bfc617bc63f13fbecf7 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 29 Mar 2022 15:52:46 +0000
+Subject: fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
+
+The fuzzer is generating btrfs file systems that have chunks with
+invalid combinations of stripes and substripes for the given RAID
+configurations.
+
+After examining the Linux kernel fs/btrfs/tree-checker.c code, it
+appears that sub-stripes should only be applied to RAID10, and in that
+case there should only ever be 2 of them.
+
+Similarly, RAID single should only have 1 stripe, and RAID1/1C3/1C4
+should have 2. 3 or 4 stripes respectively, which is what redundancy
+corresponds.
+
+Some of the chunks ended up with a size of 0, which grub_malloc() still
+returned memory for and in turn generated ASAN errors later when
+accessed.
+
+While it would be possible to specifically limit the number of stripes,
+a more correct test was on the combination of the chunk item, and the
+number of stripes by the size of the chunk stripe structure in
+comparison to the size of the chunk itself.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/btrfs.c | 55 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index eb9857d74..b3d71cd9e 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -912,6 +912,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 	return grub_error (GRUB_ERR_BAD_FS,
+ 			   "couldn't find the chunk descriptor");
+ 
++      if (!chsize)
++	{
++	  grub_dprintf ("btrfs", "zero-size chunk\n");
++	  return grub_error (GRUB_ERR_BAD_FS,
++			     "got an invalid zero-size chunk");
++	}
+       chunk = grub_malloc (chsize);
+       if (!chunk)
+ 	return grub_errno;
+@@ -970,6 +976,16 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 	      stripe_length = grub_divmod64 (grub_le_to_cpu64 (chunk->size),
+ 					     nstripes,
+ 					     NULL);
++
++	      /* For single, there should be exactly 1 stripe. */
++	      if (grub_le_to_cpu16 (chunk->nstripes) != 1)
++		{
++		  grub_dprintf ("btrfs", "invalid RAID_SINGLE: nstripes != 1 (%u)\n",
++				grub_le_to_cpu16 (chunk->nstripes));
++		  return grub_error (GRUB_ERR_BAD_FS,
++				     "invalid RAID_SINGLE: nstripes != 1 (%u)",
++				      grub_le_to_cpu16 (chunk->nstripes));
++		}
+ 	      if (stripe_length == 0)
+ 		stripe_length = 512;
+ 	      stripen = grub_divmod64 (off, stripe_length, &stripe_offset);
+@@ -989,6 +1005,19 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 	      stripen = 0;
+ 	      stripe_offset = off;
+ 	      csize = grub_le_to_cpu64 (chunk->size) - off;
++
++             /*
++	      * Redundancy, and substripes only apply to RAID10, and there
++	      * should be exactly 2 sub-stripes.
++	      */
++	     if (grub_le_to_cpu16 (chunk->nstripes) != redundancy)
++               {
++                 grub_dprintf ("btrfs", "invalid RAID1: nstripes != %u (%u)\n",
++                               redundancy, grub_le_to_cpu16 (chunk->nstripes));
++                 return grub_error (GRUB_ERR_BAD_FS,
++                                    "invalid RAID1: nstripes != %u (%u)",
++                                    redundancy, grub_le_to_cpu16 (chunk->nstripes));
++               }
+ 	      break;
+ 	    }
+ 	  case GRUB_BTRFS_CHUNK_TYPE_RAID0:
+@@ -1025,6 +1054,20 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 	      stripe_offset = low + chunk_stripe_length
+ 		* high;
+ 	      csize = chunk_stripe_length - low;
++
++	      /*
++	       * Substripes only apply to RAID10, and there
++	       * should be exactly 2 sub-stripes.
++	       */
++	      if (grub_le_to_cpu16 (chunk->nsubstripes) != 2)
++		{
++		  grub_dprintf ("btrfs", "invalid RAID10: nsubstripes != 2 (%u)",
++				grub_le_to_cpu16 (chunk->nsubstripes));
++		  return grub_error (GRUB_ERR_BAD_FS,
++				     "invalid RAID10: nsubstripes != 2 (%u)",
++				     grub_le_to_cpu16 (chunk->nsubstripes));
++		}
++
+ 	      break;
+ 	    }
+ 	  case GRUB_BTRFS_CHUNK_TYPE_RAID5:
+@@ -1124,6 +1167,8 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 
+ 	for (j = 0; j < 2; j++)
+ 	  {
++	    grub_size_t est_chunk_alloc = 0;
++
+ 	    grub_dprintf ("btrfs", "chunk 0x%" PRIxGRUB_UINT64_T
+ 			  "+0x%" PRIxGRUB_UINT64_T
+ 			  " (%d stripes (%d substripes) of %"
+@@ -1136,6 +1181,16 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 	    grub_dprintf ("btrfs", "reading laddr 0x%" PRIxGRUB_UINT64_T "\n",
+ 			  addr);
+ 
++	    if (grub_mul (sizeof (struct grub_btrfs_chunk_stripe),
++			  grub_le_to_cpu16 (chunk->nstripes), &est_chunk_alloc) ||
++		grub_add (est_chunk_alloc,
++			  sizeof (struct grub_btrfs_chunk_item), &est_chunk_alloc) ||
++		est_chunk_alloc > chunk->size)
++	      {
++		err = GRUB_ERR_BAD_FS;
++		break;
++	      }
++
+ 	    if (is_raid56)
+ 	      {
+ 		err = btrfs_read_from_chunk (data, chunk, stripen,
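Review bot: The new bound `est_chunk_alloc > chunk->size` reads the on-disk field without byte-order conversion, while every other use in these hunks goes through `grub_le_to_cpu64 (chunk->size)`; on a big-endian host the comparison would be made against a byte-swapped value. Using `est_chunk_alloc > grub_le_to_cpu64 (chunk->size)` keeps the check meaningful on every platform. That branch also sets `err = GRUB_ERR_BAD_FS` and breaks without a grub_error() message. Separately, the added `return grub_error (...)` exits in the RAID_SINGLE, RAID1 and RAID10 cases come after `chunk = grub_malloc (chsize)`; if chunk is that allocation at those points (the code between the hunks is not shown), it is not freed on these paths.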
diff -pruN 2.06-2/debian/patches/0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch 2.06-8/debian/patches/0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
--- 2.06-2/debian/patches/0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,75 @@
+From 589500ad3777d1335c8e5cb139f7c0c6089112a8 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 7 Apr 2022 15:18:12 +0000
+Subject: fs/btrfs: Fix more fuzz issues related to chunks
+
+The corpus was generating issues in grub_btrfs_read_logical() when
+attempting to iterate over stripe entries in the superblock's
+bootmapping.
+
+In most cases the reason for the failure was that the number of stripes
+in chunk->nstripes exceeded the possible space statically allocated in
+superblock bootmapping space. Each stripe entry in the bootmapping block
+consists of a grub_btrfs_key followed by a grub_btrfs_chunk_stripe.
+
+Another issue that came up was that while calculating the chunk size,
+in an earlier piece of code in that function, depending on the data
+provided in the btrfs file system, it would end up calculating a size
+that was too small to contain even 1 grub_btrfs_chunk_item, which is
+obviously invalid too.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/btrfs.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index b3d71cd9e..54a46b8f8 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -918,6 +918,17 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 	  return grub_error (GRUB_ERR_BAD_FS,
+ 			     "got an invalid zero-size chunk");
+ 	}
++
++      /*
++       * The space being allocated for a chunk should at least be able to
++       * contain one chunk item.
++       */
++      if (chsize < sizeof (struct grub_btrfs_chunk_item))
++       {
++         grub_dprintf ("btrfs", "chunk-size too small\n");
++         return grub_error (GRUB_ERR_BAD_FS,
++                            "got an invalid chunk size");
++       }
+       chunk = grub_malloc (chsize);
+       if (!chunk)
+ 	return grub_errno;
+@@ -1165,6 +1176,13 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 	if (csize > (grub_uint64_t) size)
+ 	  csize = size;
+ 
++	/*
++	 * The space for a chunk stripe is limited to the space provide in the super-block's
++	 * bootstrap mapping with an initial btrfs key at the start of each chunk.
++	 */
++	grub_size_t avail_stripes = sizeof (data->sblock.bootstrap_mapping) /
++	  (sizeof (struct grub_btrfs_key) + sizeof (struct grub_btrfs_chunk_stripe));
++
+ 	for (j = 0; j < 2; j++)
+ 	  {
+ 	    grub_size_t est_chunk_alloc = 0;
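Review bot: The comment above `avail_stripes` describes one btrfs key at the start of each chunk, but the divisor `sizeof (struct grub_btrfs_key) + sizeof (struct grub_btrfs_chunk_stripe)` charges a key to every stripe and leaves out the chunk item header, so comment and formula describe different layouts. The limit is derived from the size of the super-block's `bootstrap_mapping`, and this hunk does not show whether every chunk reaching the `for (j = 0; j < 2; j++)` loop comes from that array. If chunks obtained elsewhere pass through here too, the comment should state why the same bound applies to them. If the estimate is meant to be conservative, say so, e.g. `/* Upper bound on stripes per chunk: bootstrap_mapping size / (key + stripe); intentionally conservative. */`. "provide" in the existing comment should read "provided".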
+@@ -1191,6 +1209,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr,
+ 		break;
+ 	      }
+ 
++	   if (grub_le_to_cpu16 (chunk->nstripes) > avail_stripes)
++             {
++               err = GRUB_ERR_BAD_FS;
++               break;
++             }
++
+ 	    if (is_raid56)
+ 	      {
+ 		err = btrfs_read_from_chunk (data, chunk, stripen,
diff -pruN 2.06-2/debian/patches/arm64_remove_magic_number_check.patch 2.06-8/debian/patches/arm64_remove_magic_number_check.patch
--- 2.06-2/debian/patches/arm64_remove_magic_number_check.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/arm64_remove_magic_number_check.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,37 @@
+commit 69edb31205602c29293a8c6e67363bba2a4a1e66
+Author: Ard Biesheuvel <ardb@kernel.org>
+Date:   Thu Aug 11 16:51:57 2022 +0200
+
+    loader/arm64/linux: Remove magic number header field check
+    
+    The "ARM\x64" magic number in the file header identifies an image as one
+    that implements the bare metal boot protocol, allowing the loader to
+    simply move the file to a suitably aligned address in memory, with
+    sufficient headroom for the trailing .bss segment (the required memory
+    size is described in the header as well).
+    
+    Note of this matters for GRUB, as it only supports EFI boot. EFI does
+    not care about this magic number, and nor should GRUB: this prevents us
+    from booting other PE linux images, such as the generic EFI zboot
+    decompressor, which is a pure PE/COFF image, and does not implement the
+    bare metal boot protocol.
+    
+    So drop the magic number check.
+    
+    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
+index ef3e9f944..4c92e48ac 100644
+--- a/grub-core/loader/arm64/linux.c
++++ b/grub-core/loader/arm64/linux.c
+@@ -51,9 +51,6 @@ static grub_addr_t initrd_end;
+ grub_err_t
+ grub_arch_efi_linux_check_image (struct linux_arch_kernel_header * lh)
+ {
+-  if (lh->magic != GRUB_LINUX_ARMXX_MAGIC_SIGNATURE)
+-    return grub_error(GRUB_ERR_BAD_OS, "invalid magic number");
+-
+   if ((lh->code0 & 0xffff) != GRUB_PE32_MAGIC)
+     return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+ 		       N_("plain image kernel not supported - rebuild with CONFIG_(U)EFI_STUB enabled"));
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch 2.06-8/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch
--- 2.06-2/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,109 @@
+From a85714545fe57a86d14ee231a4cd312158101d43 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Wed, 26 Oct 2022 20:16:44 -0400
+Subject: [PATCH 01/14] video/readers: Add artificial limit to image dimensions
+
+In grub-core/video/readers/jpeg.c, the height and width of a JPEG image don't
+have an upper limit for how big the JPEG image can be. In Coverity, this is
+getting flagged as an untrusted loop bound. This issue can also seen in PNG and
+TGA format images as well but Coverity isn't flagging it. To prevent this, the
+constant IMAGE_HW_MAX_PX is being added to include/grub/bitmap.h, which has
+a value of 16384, to act as an artificial limit and restrict the height and
+width of images. This value was picked as it is double the current max
+resolution size, which is 8K.
+
+Fixes: CID 292450
+
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ docs/grub.texi                 | 3 ++-
+ grub-core/video/readers/jpeg.c | 6 +++++-
+ grub-core/video/readers/png.c  | 6 +++++-
+ grub-core/video/readers/tga.c  | 7 +++++++
+ include/grub/bitmap.h          | 2 ++
+ 5 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 0dbbdc374..2d6cd8358 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -1515,7 +1515,8 @@ resolution.  @xref{gfxmode}.
+ Set a background image for use with the @samp{gfxterm} graphical terminal.
+ The value of this option must be a file readable by GRUB at boot time, and
+ it must end with @file{.png}, @file{.tga}, @file{.jpg}, or @file{.jpeg}.
+-The image will be scaled if necessary to fit the screen.
++The image will be scaled if necessary to fit the screen. Image height and
++width will be restricted by an artificial limit of 16384.
+ 
+ @item GRUB_THEME
+ Set a theme for use with the @samp{gfxterm} graphical terminal.
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 09596fbf5..ae634fd41 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -346,7 +346,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+   data->image_height = grub_jpeg_get_word (data);
+   data->image_width = grub_jpeg_get_word (data);
+ 
+-  if ((!data->image_height) || (!data->image_width))
++  grub_dprintf ("jpeg", "image height: %d\n", data->image_height);
++  grub_dprintf ("jpeg", "image width: %d\n", data->image_width);
++
++  if ((!data->image_height) || (!data->image_width) ||
++      (data->image_height > IMAGE_HW_MAX_PX) || (data->image_width > IMAGE_HW_MAX_PX))
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid image size");
+ 
+   cc = grub_jpeg_get_byte (data);
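Review bot: The new `IMAGE_HW_MAX_PX` test bounds each axis separately, so an image of 16384 x 16384 pixels still passes the check. Whether the buffer size later derived from width x height is overflow-checked and acceptable for pre-boot memory is not visible in this hunk and should be confirmed; the PNG hunk has the same shape. The two added `grub_dprintf` calls print the dimensions with `%d`; if the fields are unsigned, `%u` is the matching conversion.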
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 7f2ba7849..3163e97bf 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -264,7 +264,11 @@ grub_png_decode_image_header (struct grub_png_data *data)
+   data->image_width = grub_png_get_dword (data);
+   data->image_height = grub_png_get_dword (data);
+ 
+-  if ((!data->image_height) || (!data->image_width))
++  grub_dprintf ("png", "image height: %d\n", data->image_height);
++  grub_dprintf ("png", "image width: %d\n", data->image_width);
++
++  if ((!data->image_height) || (!data->image_width) ||
++      (data->image_height > IMAGE_HW_MAX_PX) || (data->image_width > IMAGE_HW_MAX_PX))
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: invalid image size");
+ 
+   color_bits = grub_png_get_byte (data);
+diff --git a/grub-core/video/readers/tga.c b/grub-core/video/readers/tga.c
+index a9ec3a1b6..9c35bf29d 100644
+--- a/grub-core/video/readers/tga.c
++++ b/grub-core/video/readers/tga.c
+@@ -340,6 +340,13 @@ grub_video_reader_tga (struct grub_video_bitmap **bitmap,
+   data.image_width = grub_le_to_cpu16 (data.hdr.image_width);
+   data.image_height = grub_le_to_cpu16 (data.hdr.image_height);
+ 
++  grub_dprintf ("tga", "image height: %d\n", data.image_height);
++  grub_dprintf ("tga", "image width: %d\n", data.image_width);
++
++  /* Check image height and width are within restrictions. */
++  if ((data.image_height > IMAGE_HW_MAX_PX) || (data.image_width > IMAGE_HW_MAX_PX))
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "tga: invalid image size");
++
+   /* Check that bitmap encoding is supported.  */
+   switch (data.hdr.image_type)
+     {
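Review bot: The TGA check rejects only dimensions above `IMAGE_HW_MAX_PX`, whereas the JPEG and PNG hunks in this patch also reject a zero height or width. Unless zero is caught further down in `grub_video_reader_tga` (outside this hunk), the three readers should agree: `if (!data.image_height || !data.image_width || (data.image_height > IMAGE_HW_MAX_PX) || (data.image_width > IMAGE_HW_MAX_PX))`. The added comment could then read `/* Check image height and width are non-zero and within restrictions. */`.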
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8ca3..149d37bfe 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -24,6 +24,8 @@
+ #include <grub/types.h>
+ #include <grub/video.h>
+ 
++#define IMAGE_HW_MAX_PX		16384
++
+ struct grub_video_bitmap
+ {
+   /* Bitmap format description.  */
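Review bot: `IMAGE_HW_MAX_PX` is introduced in a public header without a comment, so a reader has to find the commit message to learn what it limits and why 16384 was chosen. A line such as `/* Maximum image width or height, in pixels, accepted by the bitmap readers. */` above the define would carry that. A `GRUB_`-prefixed name would also make a clash with other headers less likely, if project convention allows it.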
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0002-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch 2.06-8/debian/patches/cve_2022_2601/0002-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
--- 2.06-2/debian/patches/cve_2022_2601/0002-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0002-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,33 @@
+From 5760fcfd466cc757540ea0d591bad6a08caeaa16 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Wed, 3 Aug 2022 19:45:33 +0800
+Subject: [PATCH 02/14] font: Reject glyphs exceeds font->max_glyph_width or
+ font->max_glyph_height
+
+Check glyph's width and height against limits specified in font's
+metadata. Reject the glyph (and font) if such limits are exceeded.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 42189c325..756ca0abf 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ 	  || read_be_uint16 (font->file, &height) != 0
+ 	  || read_be_int16 (font->file, &xoff) != 0
+ 	  || read_be_int16 (font->file, &yoff) != 0
+-	  || read_be_int16 (font->file, &dwidth) != 0)
++	  || read_be_int16 (font->file, &dwidth) != 0
++	  || width > font->max_char_width
++	  || height > font->max_char_height)
+ 	{
+ 	  remove_font (font);
+ 	  return 0;
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0003-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch 2.06-8/debian/patches/cve_2022_2601/0003-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
--- 2.06-2/debian/patches/cve_2022_2601/0003-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0003-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,110 @@
+From 941d10ad6f1dcbd12fb613002249e29ba035f985 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH 03/14] font: Fix size overflow in
+ grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c   | 17 +++++++++++++----
+ include/grub/bitmap.h   | 18 ++++++++++++++++++
+ include/grub/safemath.h |  2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 2f09a4a55..6a3fbebbd 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+       grub_int16_t xoff;
+       grub_int16_t yoff;
+       grub_int16_t dwidth;
+-      int len;
++      grub_ssize_t len;
++      grub_size_t sz;
+ 
+       if (index_entry->glyph)
+ 	/* Return cached glyph.  */
+@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ 	  return 0;
+ 	}
+ 
+-      len = (width * height + 7) / 8;
+-      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+-      if (!glyph)
++      /* Calculate real struct size of current glyph. */
++      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++	  grub_add (sizeof (struct grub_font_glyph), len, &sz))
++	{
++	  remove_font (font);
++	  return 0;
++	}
++
++      /* Allocate and initialize the glyph struct. */
++      glyph = grub_malloc (sz);
++      if (glyph == NULL)
+ 	{
+ 	  remove_font (font);
+ 	  return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 149d37bfe..431048936 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+ 
+ #define IMAGE_HW_MAX_PX		16384
+ 
+@@ -81,6 +82,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+   return bitmap->mode_info.height;
+ }
+ 
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++  grub_uint64_t _bitmap_pixels; \
++  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ 						    struct grub_video_mode_info *mode_info);
+ 
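Review bot: The macro's comment does not state that `width` and `height` must be non-negative. `grub_mul` is `__builtin_mul_overflow`, which evaluates the mathematical product, so two negative operands of a signed type would yield a positive pixel count that passes as valid. The callers visible in this patch series appear to pass unsigned glyph dimensions, so this is a documentation gap rather than a present defect. A line such as `Callers must pass non-negative width and height.` in the block comment would record the precondition. The statement-expression local `_bitmap_pixels` would also be shadowed if a caller's argument expression used the same identifier, which is worth a mention in the same comment.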
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89bba..bb0f826de 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res)	__builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res)	__builtin_mul_overflow(a, b, res)
+ 
++#define grub_cast(a, res)	grub_add ((a), 0, (res))
++
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
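Review bot: `grub_cast` is defined without a comment, and its contract (store, then report whether the value fitted) is not obvious from `grub_add ((a), 0, (res))` alone. The other safemath macros map directly to a builtin, but this one relies on an addition of zero to get a checked conversion. A one-line comment such as `/* Store a in *res; return true if a is not representable in the type of *res. */` would document it at the point of definition.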
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0004-font-Fix-several-integer-overflows-in-grub_font_cons.patch 2.06-8/debian/patches/cve_2022_2601/0004-font-Fix-several-integer-overflows-in-grub_font_cons.patch
--- 2.06-2/debian/patches/cve_2022_2601/0004-font-Fix-several-integer-overflows-in-grub_font_cons.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0004-font-Fix-several-integer-overflows-in-grub_font_cons.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,81 @@
+From b1805f251b31a9d3cfae5c3572ddfa630145dbbf Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH 04/14] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index e781521a7..e6548892f 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   struct grub_video_signed_rect bounds;
+   static struct grub_font_glyph *glyph = 0;
+   static grub_size_t max_glyph_size = 0;
++  grub_size_t cur_glyph_size;
+ 
+   ensure_comb_space (glyph_id);
+ 
+@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   if (!glyph_id->ncomb && !glyph_id->attributes)
+     return main_glyph;
+ 
+-  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++    return main_glyph;
++
++  if (max_glyph_size < cur_glyph_size)
+     {
+       grub_free (glyph);
+-      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+-      if (max_glyph_size < 8)
+-	max_glyph_size = 8;
+-      glyph = grub_malloc (max_glyph_size);
++      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++	max_glyph_size = 0;
++      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+     }
+   if (!glyph)
+     {
++      max_glyph_size = 0;
+       grub_errno = GRUB_ERR_NONE;
+       return main_glyph;
+     }
+ 
+-  grub_memset (glyph, 0, sizeof (*glyph)
+-	       + (bounds.width * bounds.height
+-		  + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++  grub_memset (glyph, 0, cur_glyph_size);
+ 
+   glyph->font = main_glyph->font;
+-  glyph->width = bounds.width;
+-  glyph->height = bounds.height;
+-  glyph->offset_x = bounds.x;
+-  glyph->offset_y = bounds.y;
++  if (bounds.width == 0 || bounds.height == 0 ||
++      grub_cast (bounds.width, &glyph->width) ||
++      grub_cast (bounds.height, &glyph->height) ||
++      grub_cast (bounds.x, &glyph->offset_x) ||
++      grub_cast (bounds.y, &glyph->offset_y))
++    return main_glyph;
+ 
+   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+     grub_font_blit_glyph_mirror (glyph, main_glyph,
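Review bot: The zero-size test `bounds.width == 0 || bounds.height == 0` runs only after the static buffer has been freed, reallocated and cleared with `grub_memset`, so a glyph that is going to be rejected still triggers the allocation path. Moving that test up next to the `grub_video_bitmap_calc_1bpp_bufsz` check, as `if (bounds.width == 0 || bounds.height == 0) return main_glyph;`, would reject it before any state is touched and leave the later condition to the four `grub_cast` range checks. When one of those casts fails, the static `glyph` has already had `font` and possibly some fields written; a short comment saying that this partially filled buffer is never returned would help. The function body continues outside this hunk.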
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0005-font-Remove-grub_font_dup_glyph.patch 2.06-8/debian/patches/cve_2022_2601/0005-font-Remove-grub_font_dup_glyph.patch
--- 2.06-2/debian/patches/cve_2022_2601/0005-font-Remove-grub_font_dup_glyph.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0005-font-Remove-grub_font_dup_glyph.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,42 @@
+From 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:13:29 +0800
+Subject: [PATCH 05/14] font: Remove grub_font_dup_glyph()
+
+Remove grub_font_dup_glyph() since nobody is using it since 2013, and
+I'm too lazy to fix the integer overflow problem in it.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index e6548892f..a8576ffec 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1055,20 +1055,6 @@ grub_font_get_glyph_with_fallback (grub_font_t font, grub_uint32_t code)
+   return best_glyph;
+ }
+ 
+-#if 0
+-static struct grub_font_glyph *
+-grub_font_dup_glyph (struct grub_font_glyph *glyph)
+-{
+-  static struct grub_font_glyph *ret;
+-  ret = grub_malloc (sizeof (*ret) + (glyph->width * glyph->height + 7) / 8);
+-  if (!ret)
+-    return NULL;
+-  grub_memcpy (ret, glyph, sizeof (*ret)
+-	       + (glyph->width * glyph->height + 7) / 8);
+-  return ret;
+-}
+-#endif
+-
+ /* FIXME: suboptimal.  */
+ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0006-font-Fix-integer-overflow-in-ensure_comb_space.patch 2.06-8/debian/patches/cve_2022_2601/0006-font-Fix-integer-overflow-in-ensure_comb_space.patch
--- 2.06-2/debian/patches/cve_2022_2601/0006-font-Fix-integer-overflow-in-ensure_comb_space.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0006-font-Fix-integer-overflow-in-ensure_comb_space.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,48 @@
+From b2740b7e4a03bb8331d48b54b119afea76bb9d5f Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:27:05 +0800
+Subject: [PATCH 06/14] font: Fix integer overflow in ensure_comb_space()
+
+In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
+wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
+in the future. This patch also fixes the inconsistency between
+render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
+returns NULL.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index a8576ffec..9e3e0a94e 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1468,14 +1468,18 @@ ensure_comb_space (const struct grub_unicode_glyph *glyph_id)
+   if (glyph_id->ncomb <= render_max_comb_glyphs)
+     return;
+ 
+-  render_max_comb_glyphs = 2 * glyph_id->ncomb;
+-  if (render_max_comb_glyphs < 8)
++  if (grub_mul (glyph_id->ncomb, 2, &render_max_comb_glyphs))
++    render_max_comb_glyphs = 0;
++  if (render_max_comb_glyphs > 0 && render_max_comb_glyphs < 8)
+     render_max_comb_glyphs = 8;
+   grub_free (render_combining_glyphs);
+-  render_combining_glyphs = grub_malloc (render_max_comb_glyphs
+-					 * sizeof (render_combining_glyphs[0]));
++  render_combining_glyphs = (render_max_comb_glyphs > 0) ?
++    grub_calloc (render_max_comb_glyphs, sizeof (render_combining_glyphs[0])) : NULL;
+   if (!render_combining_glyphs)
+-    grub_errno = 0;
++    {
++      render_max_comb_glyphs = 0;
++      grub_errno = GRUB_ERR_NONE;
++    }
+ }
+ 
+ int
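Review bot: On overflow or allocation failure `ensure_comb_space` now leaves `render_combining_glyphs` as NULL with `render_max_comb_glyphs` at 0, but it still returns `void`, so callers cannot see the failure directly. The call in `grub_font_construct_glyph` shown in patch 0004 does not check anything after it. It should be confirmed that every user of `render_combining_glyphs` outside this hunk handles NULL when `glyph_id->ncomb` is non-zero. A comment on the function stating this post-condition, e.g. `/* On failure render_combining_glyphs is NULL and render_max_comb_glyphs is 0; callers must check. */`, would make the contract explicit.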
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0007-font-Fix-integer-overflow-in-BMP-index.patch 2.06-8/debian/patches/cve_2022_2601/0007-font-Fix-integer-overflow-in-BMP-index.patch
--- 2.06-2/debian/patches/cve_2022_2601/0007-font-Fix-integer-overflow-in-BMP-index.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0007-font-Fix-integer-overflow-in-BMP-index.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,65 @@
+From afda8b60ba0712abe01ae1e64c5f7a067a0e6492 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 15 Aug 2022 02:04:58 +0800
+Subject: [PATCH 07/14] font: Fix integer overflow in BMP index
+
+The BMP index (font->bmp_idx) is designed as a reverse lookup table of
+char entries (font->char_index), in order to speed up lookups for BMP
+chars (i.e. code < 0x10000). The values in BMP index are the subscripts
+of the corresponding char entries, stored in grub_uint16_t, while 0xffff
+means not found.
+
+This patch fixes the problem of large subscript truncated to grub_uint16_t,
+leading BMP index to return wrong char entry or report false miss. The
+code now checks for bounds and uses BMP index as a hint, and fallbacks
+to binary-search if necessary.
+
+On the occasion add a comment about BMP index is initialized to 0xffff.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 9e3e0a94e..e4cb0d867 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+   font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
+   if (!font->bmp_idx)
+     return 1;
++
++  /* Init the BMP index array to 0xffff. */
+   grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
+ 
+ 
+@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+ 	  return 1;
+ 	}
+ 
+-      if (entry->code < 0x10000)
++      if (entry->code < 0x10000 && i < 0xffff)
+ 	font->bmp_idx[entry->code] = i;
+ 
+       last_code = entry->code;
+@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+   /* Use BMP index if possible.  */
+   if (code < 0x10000 && font->bmp_idx)
+     {
+-      if (font->bmp_idx[code] == 0xffff)
+-	return 0;
+-      return &table[font->bmp_idx[code]];
++      if (font->bmp_idx[code] < 0xffff)
++	return &table[font->bmp_idx[code]];
++      /*
++       * When we are here then lookup in BMP index result in miss,
++       * fallthough to binary-search.
++       */
+     }
+ 
+   /* Do a binary search in `char_index', which is ordered by code point.  */
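Review bot: The new comment in `find_glyph` is hard to read ("fallthough", "result in miss") and does not say why a miss is no longer final. After this change 0xffff in `bmp_idx` means either "no such character" or "index too large to store", which is why the binary search must still run. Suggested wording: `/* 0xffff means either no entry or an index that does not fit in 16 bits; fall through to the binary search. */`. Every BMP code point absent from the font now pays for a binary search, which may be worth noting in the same comment.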
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0008-font-Fix-integer-underflow-in-binary-search-of-char-.patch 2.06-8/debian/patches/cve_2022_2601/0008-font-Fix-integer-underflow-in-binary-search-of-char-.patch
--- 2.06-2/debian/patches/cve_2022_2601/0008-font-Fix-integer-underflow-in-binary-search-of-char-.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0008-font-Fix-integer-underflow-in-binary-search-of-char-.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,86 @@
+From c140a086838e7c9af87842036f891b8393a8c4bc Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Sun, 14 Aug 2022 18:09:38 +0800
+Subject: [PATCH 08/14] font: Fix integer underflow in binary search of char
+ index
+
+If search target is less than all entries in font->index then "hi"
+variable is set to -1, which translates to SIZE_MAX and leads to errors.
+
+This patch fixes the problem by replacing the entire binary search code
+with the libstdc++'s std::lower_bound() implementation.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index e4cb0d867..abd412a5e 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value)
+ static inline struct char_index_entry *
+ find_glyph (const grub_font_t font, grub_uint32_t code)
+ {
+-  struct char_index_entry *table;
+-  grub_size_t lo;
+-  grub_size_t hi;
+-  grub_size_t mid;
++  struct char_index_entry *table, *first, *end;
++  grub_size_t len;
+ 
+   table = font->char_index;
++  if (table == NULL)
++    return NULL;
+ 
+   /* Use BMP index if possible.  */
+   if (code < 0x10000 && font->bmp_idx)
+@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+        */
+     }
+ 
+-  /* Do a binary search in `char_index', which is ordered by code point.  */
+-  lo = 0;
+-  hi = font->num_chars - 1;
+-
+-  if (!table)
+-    return 0;
++  /*
++   * Do a binary search in char_index which is ordered by code point.
++   * The code below is the same as libstdc++'s std::lower_bound().
++   */
++  first = table;
++  len = font->num_chars;
++  end = first + len;
+ 
+-  while (lo <= hi)
++  while (len > 0)
+     {
+-      mid = lo + (hi - lo) / 2;
+-      if (code < table[mid].code)
+-	hi = mid - 1;
+-      else if (code > table[mid].code)
+-	lo = mid + 1;
++      grub_size_t half = len >> 1;
++      struct char_index_entry *middle = first + half;
++
++      if (middle->code < code)
++	{
++	  first = middle + 1;
++	  len = len - half - 1;
++	}
+       else
+-	return &table[mid];
++	len = half;
+     }
+ 
+-  return 0;
++  return (first < end && first->code == code) ? first : NULL;
+ }
+ 
+ /* Get a glyph for the Unicode character CODE in FONT.  The glyph is loaded
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0009-kern-efi-sb-Enforce-verification-of-font-files.patch 2.06-8/debian/patches/cve_2022_2601/0009-kern-efi-sb-Enforce-verification-of-font-files.patch
--- 2.06-2/debian/patches/cve_2022_2601/0009-kern-efi-sb-Enforce-verification-of-font-files.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0009-kern-efi-sb-Enforce-verification-of-font-files.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,54 @@
+From 630deb8c0d8b02b670ced4b7030414bcf17aa080 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Sun, 14 Aug 2022 15:51:54 +0800
+Subject: [PATCH 09/14] kern/efi/sb: Enforce verification of font files
+
+As a mitigation and hardening measure enforce verification of font
+files. Then only trusted font files can be load. This will reduce the
+attack surface at cost of losing the ability of end-users to customize
+fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
+fonts because they have ability to pack fonts into their GRUB bundles.
+
+This goal is achieved by:
+
+  * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
+    skip-verification list.
+
+  * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
+    so font files must be verified by a verifier before they can be loaded.
+
+Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/sb.c   | 1 -
+ grub-core/kern/lockdown.c | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+index 89c4bb3fd..db42c2539 100644
+--- a/grub-core/kern/efi/sb.c
++++ b/grub-core/kern/efi/sb.c
+@@ -145,7 +145,6 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+     case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
+     case GRUB_FILE_TYPE_TESTLOAD:
+     case GRUB_FILE_TYPE_GET_SIZE:
+-    case GRUB_FILE_TYPE_FONT:
+     case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
+     case GRUB_FILE_TYPE_CAT:
+     case GRUB_FILE_TYPE_HEXCAT:
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+index 0bc70fd42..af6d493cd 100644
+--- a/grub-core/kern/lockdown.c
++++ b/grub-core/kern/lockdown.c
+@@ -51,6 +51,7 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
+     case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+     case GRUB_FILE_TYPE_ACPI_TABLE:
+     case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
++    case GRUB_FILE_TYPE_FONT:
+       *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+ 
+       /* Fall through. */
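Review bot: The added `case GRUB_FILE_TYPE_FONT:` changes user-visible behaviour under lockdown, since fonts must now pass a verifier before loading, but the diffstat for this commit lists only `sb.c` and `lockdown.c`, so no documentation changes with it. A comment at the case, for example `/* Font parsing handles untrusted data; require verification under lockdown. */`, would record the reason next to the code. The user manual should also say that unsigned fonts will be refused when UEFI Secure Boot is enabled. The rest of `lockdown_verifier_init` is outside this hunk.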
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0010-fbutil-Fix-integer-overflow.patch 2.06-8/debian/patches/cve_2022_2601/0010-fbutil-Fix-integer-overflow.patch
--- 2.06-2/debian/patches/cve_2022_2601/0010-fbutil-Fix-integer-overflow.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0010-fbutil-Fix-integer-overflow.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,85 @@
+From 50a11a81bc842c58962244a2dc86bbd31a426e12 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Tue, 6 Sep 2022 03:03:21 +0800
+Subject: [PATCH 10/14] fbutil: Fix integer overflow
+
+Expressions like u64 = u32 * u32 are unsafe because their products are
+truncated to u32 even if left hand side is u64. This patch fixes all
+problems like that one in fbutil.
+
+To get right result not only left hand side have to be u64 but it's also
+necessary to cast at least one of the operands of all leaf operators of
+right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
+u64 = (u64)u32 * u32 + (u64)u32 * u32.
+
+For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
+combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
+not overflow grub_uint64_t.
+
+Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
+They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
+
+This patch also adds a comment to grub_video_fb_get_video_ptr() which
+says it's arguments must be valid and no sanity check is performed
+(like its siblings in grub-core/video/fb/fbutil.c).
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/fb/fbutil.c |  4 ++--
+ include/grub/fbutil.h       | 13 +++++++++----
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c
+index b98bb51fe..25ef39f47 100644
+--- a/grub-core/video/fb/fbutil.c
++++ b/grub-core/video/fb/fbutil.c
+@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source,
+     case 1:
+       if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+         {
+-          int bit_index = y * source->mode_info->width + x;
++          grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+           grub_uint8_t *ptr = source->data + bit_index / 8;
+           int bit_pos = 7 - bit_index % 8;
+           color = (*ptr >> bit_pos) & 0x01;
+@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source,
+     case 1:
+       if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+         {
+-          int bit_index = y * source->mode_info->width + x;
++          grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+           grub_uint8_t *ptr = source->data + bit_index / 8;
+           int bit_pos = 7 - bit_index % 8;
+           *ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos);
+diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h
+index 4205eb917..78a1ab3b4 100644
+--- a/include/grub/fbutil.h
++++ b/include/grub/fbutil.h
+@@ -31,14 +31,19 @@ struct grub_video_fbblit_info
+   grub_uint8_t *data;
+ };
+ 
+-/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
+-   and it doesn't make sense, in general, to ask for a pointer
+-   to a particular pixel's data.  */
++/*
++ * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
++ * and it doesn't make sense, in general, to ask for a pointer
++ * to a particular pixel's data.
++ *
++ * This function assumes that bounds checking has been done in previous phase
++ * and they are opted out in here.
++ */
+ static inline void *
+ grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source,
+               unsigned int x, unsigned int y)
+ {
+-  return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel;
++  return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel;
+ }
+ 
+ /* Advance pointer by VAL bytes. If there is no unaligned access available,
+-- 
+2.30.2
+
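Review bot: In `grub_video_fb_get_video_ptr()` the new `(grub_addr_t)` casts only widen the arithmetic to pointer width, so on targets where `grub_addr_t` is 32 bits the two products can still wrap. The function stays safe only because callers bounds-check `x` and `y`. The added comment says so, but vaguely ("they are opted out in here"); I would state the precondition outright, presumably `/* Caller must ensure x < mode_info->width and y < mode_info->height; nothing is checked here. */`. The same reliance on the caller applies to the 1-bit paths in `get_pixel()` and `set_pixel()`, where `bit_index` is now `grub_uint64_t` but `source->data + bit_index / 8` is still dereferenced unchecked. Both of those functions continue outside their hunks.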
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0011-font-Fix-an-integer-underflow-in-blit_comb.patch 2.06-8/debian/patches/cve_2022_2601/0011-font-Fix-an-integer-underflow-in-blit_comb.patch
--- 2.06-2/debian/patches/cve_2022_2601/0011-font-Fix-an-integer-underflow-in-blit_comb.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0011-font-Fix-an-integer-underflow-in-blit_comb.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,91 @@
+From 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH 11/14] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index abd412a5e..3d3d803e8 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1203,12 +1203,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+   ctx.bounds.height = main_glyph->height;
+ 
+   above_rightx = main_glyph->offset_x + main_glyph->width;
+-  above_righty = ctx.bounds.y + ctx.bounds.height;
++  above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+   above_leftx = main_glyph->offset_x;
+-  above_lefty = ctx.bounds.y + ctx.bounds.height;
++  above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+-  below_rightx = ctx.bounds.x + ctx.bounds.width;
++  below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+   below_righty = ctx.bounds.y;
+ 
+   comb = grub_unicode_get_comb (glyph_id);
+@@ -1221,7 +1221,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+       if (!combining_glyphs[i])
+ 	continue;
+-      targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++      targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+       /* CGJ is to avoid diacritics reordering. */
+       if (comb[i].code
+ 	  == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1231,8 +1231,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 	case GRUB_UNICODE_COMB_OVERLAY:
+ 	  do_blit (combining_glyphs[i],
+ 		   targetx,
+-		   (ctx.bounds.height - combining_glyphs[i]->height) / 2
+-		   - (ctx.bounds.height + ctx.bounds.y), &ctx);
++		   ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++		   - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ 	  if (min_devwidth < combining_glyphs[i]->width)
+ 	    min_devwidth = combining_glyphs[i]->width;
+ 	  break;
+@@ -1305,7 +1305,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 	  /* Fallthrough.  */
+ 	case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ 	  do_blit (combining_glyphs[i], targetx,
+-		   -(ctx.bounds.height + ctx.bounds.y + space
++		   -((int) ctx.bounds.height + ctx.bounds.y + space
+ 		     + combining_glyphs[i]->height), &ctx);
+ 	  if (min_devwidth < combining_glyphs[i]->width)
+ 	    min_devwidth = combining_glyphs[i]->width;
+@@ -1313,7 +1313,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+ 	case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ 	  do_blit (combining_glyphs[i], targetx,
+-		   -(ctx.bounds.height / 2 + ctx.bounds.y
++		   -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ 		     + combining_glyphs[i]->height / 2), &ctx);
+ 	  if (min_devwidth < combining_glyphs[i]->width)
+ 	    min_devwidth = combining_glyphs[i]->width;
+-- 
+2.30.2
+
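Review bot: The `(int)` casts added throughout `blit_comb()` carry no comment, and they look redundant to anyone who does not know that `ctx.bounds.width` and `ctx.bounds.height` are unsigned. A short comment at the first use (the `above_righty` assignment) would keep a later cleanup from removing them, e.g. `/* bounds.width/height are unsigned; cast so coordinate arithmetic stays signed. */`. The casts also assume both values fit in `int`, which is presumably guaranteed by the glyph dimension types but is not visible in these hunks. `blit_comb()` starts and ends outside the hunks.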
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0012-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch 2.06-8/debian/patches/cve_2022_2601/0012-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
--- 2.06-2/debian/patches/cve_2022_2601/0012-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0012-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,75 @@
+From fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 07:15:41 +0800
+Subject: [PATCH 12/14] font: Harden grub_font_blit_glyph() and
+ grub_font_blit_glyph_mirror()
+
+As a mitigation and hardening measure add sanity checks to
+grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
+makes these two functions do nothing if target blitting area isn't fully
+contained in target bitmap. Therefore, if complex calculations in caller
+overflows and malicious coordinates are given, we are still safe because
+any coordinates which result in out-of-bound-write are rejected. However,
+this patch only checks for invalid coordinates, and doesn't provide any
+protection against invalid source glyph or destination glyph, e.g.
+mismatch between glyph size and buffer size.
+
+This hardening measure is designed to mitigate possible overflows in
+blit_comb(). If overflow occurs, it may return invalid bounding box
+during dry run and call grub_font_blit_glyph() with malicious
+coordinates during actual blitting. However, we are still safe because
+the scratch glyph itself is valid, although its size makes no sense, and
+any invalid coordinates are rejected.
+
+It would be better to call grub_fatal() if illegal parameter is detected.
+However, doing this may end up in a dangerous recursion because grub_fatal()
+would print messages to the screen and we are in the progress of drawing
+characters on the screen.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 3d3d803e8..cf15dc2f9 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1069,8 +1069,15 @@ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,
+ 		      struct grub_font_glyph *src, unsigned dx, unsigned dy)
+ {
++  grub_uint16_t max_x, max_y;
+   unsigned src_bit, tgt_bit, src_byte, tgt_byte;
+   unsigned i, j;
++
++  /* Harden against out-of-bound writes. */
++  if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++      (grub_add (dy, src->height, &max_y) || max_y > target->height))
++    return;
++
+   for (i = 0; i < src->height; i++)
+     {
+       src_bit = (src->width * i) % 8;
+@@ -1102,9 +1109,16 @@ grub_font_blit_glyph_mirror (struct grub_font_glyph *target,
+ 			     struct grub_font_glyph *src,
+ 			     unsigned dx, unsigned dy)
+ {
++  grub_uint16_t max_x, max_y;
+   unsigned tgt_bit, src_byte, tgt_byte;
+   signed src_bit;
+   unsigned i, j;
++
++  /* Harden against out-of-bound writes. */
++  if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++      (grub_add (dy, src->height, &max_y) || max_y > target->height))
++    return;
++
+   for (i = 0; i < src->height; i++)
+     {
+       src_bit = (src->width * i + src->width - 1) % 8;
+-- 
+2.30.2
+
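Review bot: The bounds check is duplicated verbatim in `grub_font_blit_glyph()` and `grub_font_blit_glyph_mirror()`, so a later fix to one copy can easily miss the other. I would move it into one static helper that both functions call, keeping the `grub_uint16_t` temporaries and the `grub_add()` overflow test in a single place. The helper's comment can also record the limit the description already states: only the coordinates are validated, not whether the glyph bitmaps match their declared sizes. Both function bodies continue outside their hunks.

```c
/* Return non-zero when a SRC-sized area placed at (DX, DY) lies fully inside
   TARGET. Only coordinates are checked; bitmap sizes are trusted. */
static int
blit_area_fits (const struct grub_font_glyph *target,
		const struct grub_font_glyph *src, unsigned dx, unsigned dy)
{
  grub_uint16_t max_x, max_y;

  return !grub_add (dx, src->width, &max_x) && max_x <= target->width
	 && !grub_add (dy, src->height, &max_y) && max_y <= target->height;
}

/* … in grub_font_blit_glyph() and grub_font_blit_glyph_mirror(), replacing the two-line condition … */
  /* Harden against out-of-bound writes. */
  if (!blit_area_fits (target, src, dx, dy))
    return;
/* … unchanged: blit loops … */
```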
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0013-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch 2.06-8/debian/patches/cve_2022_2601/0013-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
--- 2.06-2/debian/patches/cve_2022_2601/0013-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0013-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,36 @@
+From dd539d695482069d28b40f2d3821f710cdcf6ee6 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 17:29:16 +0800
+Subject: [PATCH 13/14] font: Assign null_font to glyphs in ascii_font_glyph[]
+
+The calculations in blit_comb() need information from glyph's font, e.g.
+grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
+NULL if main_glyph comes from ascii_font_glyph[]. Therefore
+grub_font_get_*() crashes because of NULL pointer.
+
+There is already a solution, the null_font. So, assign it to those glyphs
+in ascii_font_glyph[].
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/font/font.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index cf15dc2f9..3821937e6 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -137,7 +137,7 @@ ascii_glyph_lookup (grub_uint32_t code)
+ 	  ascii_font_glyph[current]->offset_x = 0;
+ 	  ascii_font_glyph[current]->offset_y = -2;
+ 	  ascii_font_glyph[current]->device_width = 8;
+-	  ascii_font_glyph[current]->font = NULL;
++	  ascii_font_glyph[current]->font = &null_font;
+ 
+ 	  grub_memcpy (ascii_font_glyph[current]->bitmap,
+ 		       &ascii_bitmaps[current * ASCII_BITMAP_SIZE],
+-- 
+2.30.2
+
diff -pruN 2.06-2/debian/patches/cve_2022_2601/0014-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch 2.06-8/debian/patches/cve_2022_2601/0014-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
--- 2.06-2/debian/patches/cve_2022_2601/0014-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/cve_2022_2601/0014-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,55 @@
+From da90d62316a3b105d2fbd7334d6521936bd6dcf6 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 21:31:39 +0800
+Subject: [PATCH 14/14] normal/charset: Fix an integer overflow in
+ grub_unicode_aglomerate_comb()
+
+The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
+However, code in grub_unicode_aglomerate_comb() doesn't check for an
+overflow when incrementing out->ncomb. If out->ncomb is already 255,
+after incrementing it will get 0 instead of 256, and cause illegal
+memory access in subsequent processing.
+
+This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
+acceptable value of ncomb. The code now checks for this limit and
+ignores additional combining characters when limit is reached.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/normal/charset.c | 3 +++
+ include/grub/unicode.h     | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index 000e687bd..4f6647116 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ 	  if (!haveout)
+ 	    continue;
+ 
++	  if (out->ncomb == GRUB_UNICODE_NCOMB_MAX)
++	    continue;
++
+ 	  if (comb_type == GRUB_UNICODE_COMB_MC
+ 	      || comb_type == GRUB_UNICODE_COMB_ME
+ 	      || comb_type == GRUB_UNICODE_COMB_MN)
+diff --git a/include/grub/unicode.h b/include/grub/unicode.h
+index 71a4d1a54..9360b0b97 100644
+--- a/include/grub/unicode.h
++++ b/include/grub/unicode.h
+@@ -147,7 +147,9 @@ struct grub_unicode_glyph
+   grub_uint8_t bidi_level:6; /* minimum: 6 */
+   enum grub_bidi_type bidi_type:5; /* minimum: :5 */
+ 
++#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1)
+   unsigned ncomb:8;
++
+   /* Hint by unicode subsystem how wide this character usually is.
+      Real width is determined by font. Set only in UTF-8 stream.  */
+   int estimated_width:8;
+-- 
+2.30.2
+
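Review bot: `GRUB_UNICODE_NCOMB_MAX` hard-codes the width 8 separately from the `unsigned ncomb:8;` declaration on the next line. A later change to the bit-field width would leave the limit stale and bring the wrap-around back. A comment above the define would tie the two together, e.g. `/* Must equal the largest value the ncomb bit-field below can hold. */`. In `grub_unicode_aglomerate_comb()` the new `continue` silently drops further combining characters, so a one-line comment there saying the truncation is intentional would help the next reader. Both enclosing definitions continue outside the hunks.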
diff -pruN 2.06-2/debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch 2.06-8/debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
--- 2.06-2/debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,76 @@
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Wed, 16 Nov 2022 14:40:04 +0000
+Subject: font: Try opening fonts from the bundled memdisk
+
+---
+ grub-core/font/font.c | 48 +++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index e6616e6..e421d1a 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -409,6 +409,27 @@ read_section_as_short (struct font_file_section *section,
+   return 0;
+ }
+ 
++static grub_file_t
++try_open_from_prefix (const char *prefix, const char *filename)
++{
++  grub_file_t file;
++  char *fullname, *ptr;
++
++  fullname = grub_malloc (grub_strlen (prefix) + grub_strlen (filename) + 1
++			  + sizeof ("/fonts/") + sizeof (".pf2"));
++  if (!fullname)
++    return 0;
++  ptr = grub_stpcpy (fullname, prefix);
++  ptr = grub_stpcpy (ptr, "/fonts/");
++  ptr = grub_stpcpy (ptr, filename);
++  ptr = grub_stpcpy (ptr, ".pf2");
++  *ptr = 0;
++
++  file = grub_buffile_open (fullname, GRUB_FILE_TYPE_FONT, 1024);
++  grub_free (fullname);
++  return file;
++}
++
+ /* Load a font and add it to the beginning of the global font list.
+    Returns 0 upon success, nonzero upon failure.  */
+ grub_font_t
+@@ -427,25 +448,18 @@ grub_font_load (const char *filename)
+     file = grub_buffile_open (filename, GRUB_FILE_TYPE_FONT, 1024);
+   else
+     {
+-      const char *prefix = grub_env_get ("prefix");
+-      char *fullname, *ptr;
+-      if (!prefix)
++      file = try_open_from_prefix ("(memdisk)", filename);
++      if (!file)
+ 	{
+-	  grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("variable `%s' isn't set"),
+-		      "prefix");
+-	  goto fail;
++	  const char *prefix = grub_env_get ("prefix");
++	  if (!prefix)
++	    {
++	      grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("variable `%s' isn't set"),
++			  "prefix");
++	      goto fail;
++	    }
++	  file = try_open_from_prefix (prefix, filename);
+ 	}
+-      fullname = grub_malloc (grub_strlen (prefix) + grub_strlen (filename) + 1
+-			      + sizeof ("/fonts/") + sizeof (".pf2"));
+-      if (!fullname)
+-	goto fail;
+-      ptr = grub_stpcpy (fullname, prefix);
+-      ptr = grub_stpcpy (ptr, "/fonts/");
+-      ptr = grub_stpcpy (ptr, filename);
+-      ptr = grub_stpcpy (ptr, ".pf2");
+-      *ptr = 0;
+-      file = grub_buffile_open (fullname, GRUB_FILE_TYPE_FONT, 1024);
+-      grub_free (fullname);
+     }
+   if (!file)
+     goto fail;
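Review bot: In `grub_font_load()` a failed `(memdisk)` lookup falls through to the `$prefix` lookup without clearing the error state. If `grub_buffile_open()` records its failure in `grub_errno` (not visible in this hunk), a font that then loads from `$prefix` would leave a stale error behind for later callers. Consider `grub_errno = GRUB_ERR_NONE;` as the first statement inside `if (!file)`. The patch description is also empty; it should say that the memdisk is tried ahead of `$prefix` and why, since this changes which file wins when both exist. `grub_font_load()` continues outside the hunk.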
diff -pruN 2.06-2/debian/patches/fs-tester-time-fail.patch 2.06-8/debian/patches/fs-tester-time-fail.patch
--- 2.06-2/debian/patches/fs-tester-time-fail.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/fs-tester-time-fail.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,27 @@
+Explicitly unset SOURCE_DATE_EPOCH before running fs tests. In some
+filesystem utils like mksquashfs, it will silently change behaviour
+and cause timestamps to unexpectedly change. Reproducible builds are
+good and useful for shipped artifacts, but this causes build-time
+tests to fail.
+
+Author: Steve McIntyre
+
+Patch-Name: fs-tester-time-fail.patch
+---
+ tests/util/grub-fs-tester.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
+index bfc425e1f..660691302 100644
+--- a/tests/util/grub-fs-tester.in
++++ b/tests/util/grub-fs-tester.in
+@@ -4,6 +4,9 @@ set -e
+ 
+ fs="$1"
+ 
++# We can't have this set, or filesystem tests will fail
++unset SOURCE_DATE_EPOCH
++
+ GRUBFSTEST="@builddir@/grub-fstest"
+ 
+ tempdir=`mktemp -d "${TMPDIR:-/tmp}/tmp.XXXXXXXXXX"` || exit 1
diff -pruN 2.06-2/debian/patches/gcc12_build_array_bounds2.patch 2.06-8/debian/patches/gcc12_build_array_bounds2.patch
--- 2.06-2/debian/patches/gcc12_build_array_bounds2.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/gcc12_build_array_bounds2.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,46 @@
+commit 3ce13d974b887338ae972c79b41ff6fc0eee6388
+Author: Michael Chang <mchang@suse.com>
+Date:   Mon Mar 28 15:00:54 2022 +0800
+
+    lib/reed_solomon: Fix array subscript 0 is outside array bounds
+    
+    The grub_absolute_pointer() is a compound expression that can only work
+    within a function. We are out of luck here when the pointer variables
+    require global definition due to ATTRIBUTE_TEXT that have to use fully
+    initialized global definition because of the way linkers work.
+    
+      static gf_single_t * const gf_powx ATTRIBUTE_TEXT = (void *) 0x100000;
+    
+    For the reason given above, use GCC diagnostic pragmas to suppress the
+    array-bounds warning.
+    
+    Signed-off-by: Michael Chang <mchang@suse.com>
+    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c
+index 82779a296..562bd2e3e 100644
+--- a/grub-core/lib/reed_solomon.c
++++ b/grub-core/lib/reed_solomon.c
+@@ -102,6 +102,11 @@ static gf_single_t errvals[256];
+ static gf_single_t eqstat[65536 + 256];
+ #endif
+ 
++#if __GNUC__ == 12
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Warray-bounds"
++#endif
++
+ static gf_single_t
+ gf_mul (gf_single_t a, gf_single_t b)
+ {
+@@ -319,6 +324,10 @@ decode_block (gf_single_t *ptr, grub_size_t s,
+     }
+ }
+ 
++#if __GNUC__ == 12
++#pragma GCC diagnostic pop
++#endif
++
+ #if !defined (STANDALONE)
+ static void
+ encode_block (gf_single_t *ptr, grub_size_t s,
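Review bot: The `#pragma GCC diagnostic ignored "-Warray-bounds"` region opens before `gf_mul()` and closes only after `decode_block()`. Every function in between loses array-bounds diagnostics, not just the accesses through the fixed-address pointers the description names (`gf_powx`). I would narrow the push/pop to the functions that dereference those pointers, or at least add a comment at the push, e.g. `/* GCC 12 false positive on the fixed-address ATTRIBUTE_TEXT tables such as gf_powx. */`. The `__GNUC__ == 12` guard also means the suppression does not apply to later GCC releases; whether they emit the same warning should be checked rather than assumed.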
diff -pruN 2.06-2/debian/patches/gcc12_build_array_bounds.patch 2.06-8/debian/patches/gcc12_build_array_bounds.patch
--- 2.06-2/debian/patches/gcc12_build_array_bounds.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/gcc12_build_array_bounds.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,493 @@
+Borrowed and tweaked fix from:
+
+commit acffb81485e35e1f28152949a1c6e1d4dbf5172e
+Author: Michael Chang <mchang@suse.com>
+Date:   Mon Mar 28 15:00:53 2022 +0800
+
+build: Fix -Werror=array-bounds array subscript 0 is outside array bounds
+
+diff --git a/grub-core/bus/cs5536.c b/grub-core/bus/cs5536.c
+index 8c90ed598..cd0a45e58 100644
+--- a/grub-core/bus/cs5536.c
++++ b/grub-core/bus/cs5536.c
+@@ -331,8 +331,9 @@ grub_cs5536_init_geode (grub_pci_device_t dev)
+ 
+   {
+     volatile grub_uint32_t *oc;
+-    oc = grub_pci_device_map_range (dev, 0x05022000,
+-				    GRUB_CS5536_USB_OPTION_REGS_SIZE);
++
++    oc = grub_absolute_pointer (grub_pci_device_map_range (dev, 0x05022000,
++				GRUB_CS5536_USB_OPTION_REGS_SIZE));
+ 
+     oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX] =
+       (oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX]
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 1215f2a62..fda62f4ea 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -168,7 +168,7 @@ grub_acpi_create_ebda (void)
+   struct grub_acpi_rsdp_v10 *v1;
+   struct grub_acpi_rsdp_v20 *v2;
+ 
+-  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *)0x40e)) << 4);
++  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *) grub_absolute_pointer (0x40e))) << 4);
+   grub_dprintf ("acpi", "EBDA @%p\n", ebda);
+   if (ebda)
+     ebda_kb_len = *(grub_uint16_t *) ebda;
+@@ -298,7 +298,7 @@ grub_acpi_create_ebda (void)
+       *target = 0;
+ 
+   grub_dprintf ("acpi", "Switching EBDA\n");
+-  (*((grub_uint16_t *) 0x40e)) = ((grub_addr_t) targetebda) >> 4;
++  (*((grub_uint16_t *) grub_absolute_pointer (0x40e))) = ((grub_addr_t) targetebda) >> 4;
+   grub_dprintf ("acpi", "EBDA switched\n");
+ 
+   return GRUB_ERR_NONE;
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index 5c7725f8b..574e41046 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -46,7 +46,7 @@ enable_rom_area (void)
+   grub_uint32_t *rom_ptr;
+   grub_pci_device_t dev = { .bus = 0, .device = 0, .function = 0};
+ 
+-  rom_ptr = (grub_uint32_t *) VBIOS_ADDR;
++  rom_ptr = grub_absolute_pointer (VBIOS_ADDR);
+   if (*rom_ptr != BLANK_MEM)
+     {
+       grub_puts_ (N_("ROM image is present."));
+@@ -96,8 +96,8 @@ fake_bios_data (int use_rom)
+   void *acpi, *smbios;
+   grub_uint16_t *ebda_seg_ptr, *low_mem_ptr;
+ 
+-  ebda_seg_ptr = (grub_uint16_t *) EBDA_SEG_ADDR;
+-  low_mem_ptr = (grub_uint16_t *) LOW_MEM_ADDR;
++  ebda_seg_ptr = grub_absolute_pointer (EBDA_SEG_ADDR);
++  low_mem_ptr = grub_absolute_pointer (LOW_MEM_ADDR);
+   if ((*ebda_seg_ptr) || (*low_mem_ptr))
+     return;
+ 
+@@ -132,7 +132,8 @@ fake_bios_data (int use_rom)
+   *ebda_seg_ptr = FAKE_EBDA_SEG;
+   *low_mem_ptr = (FAKE_EBDA_SEG >> 6);
+ 
+-  *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr;
++  /* *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr; */
++  *((grub_uint16_t *) (grub_absolute_pointer (FAKE_EBDA_SEG << 4))) = 640 - *low_mem_ptr;
+ 
+   if (acpi)
+     grub_memcpy ((char *) ((FAKE_EBDA_SEG << 4) + 16), acpi, 1024 - 16);
+diff --git a/grub-core/commands/i386/pc/drivemap.c b/grub-core/commands/i386/pc/drivemap.c
+index 3fb22dc46..a7ee4c9bd 100644
+--- a/grub-core/commands/i386/pc/drivemap.c
++++ b/grub-core/commands/i386/pc/drivemap.c
+@@ -31,9 +31,6 @@
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+-/* Real mode IVT slot (seg:off far pointer) for interrupt 0x13.  */
+-static grub_uint32_t *const int13slot = (grub_uint32_t *) (4 * 0x13);
+-
+ /* Remember to update enum opt_idxs accordingly.  */
+ static const struct grub_arg_option options[] = {
+   /* TRANSLATORS: In this file "mapping" refers to a change GRUB makes so if
+@@ -280,6 +277,8 @@ install_int13_handler (int noret __attribute__ ((unused)))
+   grub_uint8_t *handler_base = 0;
+   /* Address of the map within the deployed bundle.  */
+   int13map_node_t *handler_map;
++  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
++  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);
+ 
+   int i;
+   int entries = 0;
+@@ -354,6 +353,9 @@ install_int13_handler (int noret __attribute__ ((unused)))
+ static grub_err_t
+ uninstall_int13_handler (void)
+ {
++  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
++  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);
++
+   if (! grub_drivemap_oldhandler)
+     return GRUB_ERR_NONE;
+ 
+diff --git a/grub-core/disk/i386/pc/biosdisk.c b/grub-core/disk/i386/pc/biosdisk.c
+index 81fd4e832..49e4e8a14 100644
+--- a/grub-core/disk/i386/pc/biosdisk.c
++++ b/grub-core/disk/i386/pc/biosdisk.c
+@@ -367,7 +367,7 @@ grub_biosdisk_open (const char *name, grub_disk_t disk)
+       if (version)
+ 	{
+ 	  struct grub_biosdisk_drp *drp
+-	    = (struct grub_biosdisk_drp *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++	    = (struct grub_biosdisk_drp *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+ 
+ 	  /* Clear out the DRP.  */
+ 	  grub_memset (drp, 0, sizeof (*drp));
+@@ -654,7 +654,7 @@ grub_disk_biosdisk_fini (void)
+ GRUB_MOD_INIT(biosdisk)
+ {
+   struct grub_biosdisk_cdrp *cdrp
+-    = (struct grub_biosdisk_cdrp *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++    = (struct grub_biosdisk_cdrp *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+   grub_uint8_t boot_drive;
+ 
+   if (grub_disk_firmware_is_tainted)
+diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
+index 581215ef1..8ab7106af 100644
+--- a/grub-core/fs/cbfs.c
++++ b/grub-core/fs/cbfs.c
+@@ -342,7 +342,7 @@ init_cbfsdisk (void)
+   grub_uint32_t ptr;
+   struct cbfs_header *head;
+ 
+-  ptr = *(grub_uint32_t *) 0xfffffffc;
++  ptr = *((grub_uint32_t *) grub_absolute_pointer (0xfffffffc));
+   head = (struct cbfs_header *) (grub_addr_t) ptr;
+   grub_dprintf ("cbfs", "head=%p\n", head);
+ 
+diff --git a/grub-core/kern/i386/pc/acpi.c b/grub-core/kern/i386/pc/acpi.c
+index 297f5d05f..0a69eba7b 100644
+--- a/grub-core/kern/i386/pc/acpi.c
++++ b/grub-core/kern/i386/pc/acpi.c
+@@ -27,7 +27,7 @@ grub_machine_acpi_get_rsdpv1 (void)
+   grub_uint8_t *ebda, *ptr;
+ 
+   grub_dprintf ("acpi", "Looking for RSDP. Scanning EBDA\n");
+-  ebda = (grub_uint8_t *) ((* ((grub_uint16_t *) 0x40e)) << 4);
++  ebda = (grub_uint8_t *) ((* ((grub_uint16_t *) grub_absolute_pointer (0x40e))) << 4);
+   ebda_len = * (grub_uint16_t *) ebda;
+   if (! ebda_len) /* FIXME do we really need this check? */
+     goto scan_bios;
+@@ -55,7 +55,7 @@ grub_machine_acpi_get_rsdpv2 (void)
+   grub_uint8_t *ebda, *ptr;
+ 
+   grub_dprintf ("acpi", "Looking for RSDP. Scanning EBDA\n");
+-  ebda = (grub_uint8_t *) ((* ((grub_uint16_t *) 0x40e)) << 4);
++  ebda = (grub_uint8_t *) ((* ((grub_uint16_t *) grub_absolute_pointer (0x40e))) << 4);
+   ebda_len = * (grub_uint16_t *) ebda;
+   if (! ebda_len) /* FIXME do we really need this check? */
+     goto scan_bios;
+diff --git a/grub-core/kern/i386/pc/mmap.c b/grub-core/kern/i386/pc/mmap.c
+index ef2faa2ab..53fcf45af 100644
+--- a/grub-core/kern/i386/pc/mmap.c
++++ b/grub-core/kern/i386/pc/mmap.c
+@@ -143,7 +143,7 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ {
+   grub_uint32_t cont = 0;
+   struct grub_machine_mmap_entry *entry
+-    = (struct grub_machine_mmap_entry *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++    = (struct grub_machine_mmap_entry *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+   int e820_works = 0;
+ 
+   while (1)
+diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c
+index 6d680d671..00a48413c 100644
+--- a/grub-core/loader/multiboot_mbi2.c
++++ b/grub-core/loader/multiboot_mbi2.c
+@@ -504,7 +504,7 @@ static void
+ fill_vbe_tag (struct multiboot_tag_vbe *tag)
+ {
+   grub_vbe_status_t status;
+-  void *scratch = (void *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++  void *scratch = grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+ 
+   tag->type = MULTIBOOT_TAG_TYPE_VBE;
+   tag->size = 0;
+@@ -577,7 +577,7 @@ retrieve_video_parameters (grub_properly_aligned_t **ptrorig)
+ #if defined (GRUB_MACHINE_PCBIOS)
+       {
+ 	grub_vbe_status_t status;
+-	void *scratch = (void *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++	void *scratch = grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+ 	status = grub_vbe_bios_get_mode (scratch);
+ 	vbe_mode = *(grub_uint32_t *) scratch;
+ 	if (status != GRUB_VBE_STATUS_OK)
+diff --git a/grub-core/mmap/i386/pc/mmap.c b/grub-core/mmap/i386/pc/mmap.c
+index 6ab4f6730..b9c5b0a00 100644
+--- a/grub-core/mmap/i386/pc/mmap.c
++++ b/grub-core/mmap/i386/pc/mmap.c
+@@ -80,13 +80,13 @@ preboot (int noreturn __attribute__ ((unused)))
+     = min (grub_mmap_get_post64 (), 0xfc000000ULL) >> 16;
+ 
+   /* Correct BDA. */
+-  *((grub_uint16_t *) 0x413) = grub_mmap_get_lower () >> 10;
++  *((grub_uint16_t *) grub_absolute_pointer (0x413)) = grub_mmap_get_lower () >> 10;
+ 
+   /* Save old interrupt handlers. */
+-  grub_machine_mmaphook_int12offset = *((grub_uint16_t *) 0x48);
+-  grub_machine_mmaphook_int12segment = *((grub_uint16_t *) 0x4a);
+-  grub_machine_mmaphook_int15offset = *((grub_uint16_t *) 0x54);
+-  grub_machine_mmaphook_int15segment = *((grub_uint16_t *) 0x56);
++  grub_machine_mmaphook_int12offset = *((grub_uint16_t *) grub_absolute_pointer (0x48));
++  grub_machine_mmaphook_int12segment = *((grub_uint16_t *) grub_absolute_pointer (0x4a));
++  grub_machine_mmaphook_int15offset = *((grub_uint16_t *) grub_absolute_pointer (0x54));
++  grub_machine_mmaphook_int15segment = *((grub_uint16_t *) grub_absolute_pointer (0x56));
+ 
+   grub_dprintf ("mmap", "hooktarget = %p\n", hooktarget);
+ 
+@@ -94,11 +94,11 @@ preboot (int noreturn __attribute__ ((unused)))
+   grub_memcpy (hooktarget, &grub_machine_mmaphook_start,
+ 	       &grub_machine_mmaphook_end - &grub_machine_mmaphook_start);
+ 
+-  *((grub_uint16_t *) 0x4a) = ((grub_addr_t) hooktarget) >> 4;
+-  *((grub_uint16_t *) 0x56) = ((grub_addr_t) hooktarget) >> 4;
+-  *((grub_uint16_t *) 0x48) = &grub_machine_mmaphook_int12
++  *((grub_uint16_t *) grub_absolute_pointer (0x4a)) = ((grub_addr_t) hooktarget) >> 4;
++  *((grub_uint16_t *) grub_absolute_pointer (0x56)) = ((grub_addr_t) hooktarget) >> 4;
++  *((grub_uint16_t *) grub_absolute_pointer (0x48)) = &grub_machine_mmaphook_int12
+     - &grub_machine_mmaphook_start;
+-  *((grub_uint16_t *) 0x54) = &grub_machine_mmaphook_int15
++  *((grub_uint16_t *) grub_absolute_pointer (0x54)) = &grub_machine_mmaphook_int15
+     - &grub_machine_mmaphook_start;
+ 
+   return GRUB_ERR_NONE;
+@@ -108,10 +108,10 @@ static grub_err_t
+ preboot_rest (void)
+ {
+   /* Restore old interrupt handlers. */
+-  *((grub_uint16_t *) 0x48) = grub_machine_mmaphook_int12offset;
+-  *((grub_uint16_t *) 0x4a) = grub_machine_mmaphook_int12segment;
+-  *((grub_uint16_t *) 0x54) = grub_machine_mmaphook_int15offset;
+-  *((grub_uint16_t *) 0x56) = grub_machine_mmaphook_int15segment;
++  *((grub_uint16_t *) grub_absolute_pointer (0x48)) = grub_machine_mmaphook_int12offset;
++  *((grub_uint16_t *) grub_absolute_pointer (0x4a)) = grub_machine_mmaphook_int12segment;
++  *((grub_uint16_t *) grub_absolute_pointer (0x54)) = grub_machine_mmaphook_int15offset;
++  *((grub_uint16_t *) grub_absolute_pointer (0x56)) = grub_machine_mmaphook_int15segment;
+ 
+   return GRUB_ERR_NONE;
+ }
+diff --git a/grub-core/net/drivers/i386/pc/pxe.c b/grub-core/net/drivers/i386/pc/pxe.c
+index 997010cf1..db17186ee 100644
+--- a/grub-core/net/drivers/i386/pc/pxe.c
++++ b/grub-core/net/drivers/i386/pc/pxe.c
+@@ -174,7 +174,7 @@ grub_pxe_recv (struct grub_net_card *dev __attribute__ ((unused)))
+   grub_uint8_t *ptr, *end;
+   struct grub_net_buff *buf;
+ 
+-  isr = (void *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++  isr = (void *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+ 
+   if (!in_progress)
+     {
+@@ -256,11 +256,11 @@ grub_pxe_send (struct grub_net_card *dev __attribute__ ((unused)),
+   struct grub_pxe_undi_tbd *tbd;
+   char *buf;
+ 
+-  trans = (void *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++  trans = (void *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+   grub_memset (trans, 0, sizeof (*trans));
+-  tbd = (void *) (GRUB_MEMORY_MACHINE_SCRATCH_ADDR + 128);
++  tbd = (void *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR + 128);
+   grub_memset (tbd, 0, sizeof (*tbd));
+-  buf = (void *) (GRUB_MEMORY_MACHINE_SCRATCH_ADDR + 256);
++  buf = (void *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR + 256);
+   grub_memcpy (buf, pack->data, pack->tail - pack->data);
+ 
+   trans->tbd = SEGOFS ((grub_addr_t) tbd);
+@@ -287,7 +287,7 @@ static grub_err_t
+ grub_pxe_open (struct grub_net_card *dev __attribute__ ((unused)))
+ {
+   struct grub_pxe_undi_open *ou;
+-  ou = (void *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++  ou = (void *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+   grub_memset (ou, 0, sizeof (*ou));
+   ou->pkt_filter = 4;
+   grub_pxe_call (GRUB_PXENV_UNDI_OPEN, ou, pxe_rm_entry);
+@@ -382,7 +382,7 @@ GRUB_MOD_INIT(pxe)
+   if (! pxenv)
+     return;
+ 
+-  ui = (void *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++  ui = (void *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+   grub_memset (ui, 0, sizeof (*ui));
+   grub_pxe_call (GRUB_PXENV_UNDI_GET_INFORMATION, ui, pxe_rm_entry);
+ 
+diff --git a/grub-core/term/i386/pc/console.c b/grub-core/term/i386/pc/console.c
+index d44937c30..9403390f1 100644
+--- a/grub-core/term/i386/pc/console.c
++++ b/grub-core/term/i386/pc/console.c
+@@ -238,12 +238,11 @@ grub_console_getkey (struct grub_term_input *term __attribute__ ((unused)))
+   return (regs.eax & 0xff) + (('a' - 1) | GRUB_TERM_CTRL);
+ }
+ 
+-static const struct grub_machine_bios_data_area *bios_data_area =
+-  (struct grub_machine_bios_data_area *) GRUB_MEMORY_MACHINE_BIOS_DATA_AREA_ADDR;
+-
+ static int
+ grub_console_getkeystatus (struct grub_term_input *term __attribute__ ((unused)))
+ {
++  const struct grub_machine_bios_data_area *bios_data_area =
++  (struct grub_machine_bios_data_area *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_BIOS_DATA_AREA_ADDR);
+   /* conveniently GRUB keystatus is modelled after BIOS one.  */
+   return bios_data_area->keyboard_flag_lower & ~0x80;
+ }
+diff --git a/grub-core/term/i386/pc/vga_text.c b/grub-core/term/i386/pc/vga_text.c
+index 88fecc5ea..669d06fad 100644
+--- a/grub-core/term/i386/pc/vga_text.c
++++ b/grub-core/term/i386/pc/vga_text.c
+@@ -45,15 +45,15 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ static struct grub_term_coordinate grub_curr_pos;
+ 
+ #ifdef __mips__
+-#define VGA_TEXT_SCREEN		((grub_uint16_t *) 0xb00b8000)
++#define VGA_TEXT_SCREEN		((grub_uint16_t *) grub_absolute_pointer (0xb00b8000))
+ #define cr_read grub_vga_cr_read
+ #define cr_write grub_vga_cr_write
+ #elif defined (MODE_MDA)
+-#define VGA_TEXT_SCREEN		((grub_uint16_t *) 0xb0000)
++#define VGA_TEXT_SCREEN		((grub_uint16_t *) grub_absolute_pointer (0xb0000))
+ #define cr_read grub_vga_cr_bw_read
+ #define cr_write grub_vga_cr_bw_write
+ #else
+-#define VGA_TEXT_SCREEN		((grub_uint16_t *) 0xb8000)
++#define VGA_TEXT_SCREEN		((grub_uint16_t *) grub_absolute_pointer (0xb8000))
+ #define cr_read grub_vga_cr_read
+ #define cr_write grub_vga_cr_write
+ #endif
+diff --git a/grub-core/term/ns8250.c b/grub-core/term/ns8250.c
+index 59801839b..83b25990c 100644
+--- a/grub-core/term/ns8250.c
++++ b/grub-core/term/ns8250.c
+@@ -28,7 +28,6 @@
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+-static const unsigned short *serial_hw_io_addr = (const unsigned short *) GRUB_MEMORY_MACHINE_BIOS_DATA_AREA_ADDR;
+ #define GRUB_SERIAL_PORT_NUM 4
+ #else
+ #include <grub/machine/serial.h>
+@@ -237,6 +236,9 @@ static struct grub_serial_port com_ports[GRUB_SERIAL_PORT_NUM];
+ void
+ grub_ns8250_init (void)
+ {
++#ifdef GRUB_MACHINE_PCBIOS
++  const unsigned short *serial_hw_io_addr = (const unsigned short *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_BIOS_DATA_AREA_ADDR);
++#endif
+   unsigned i;
+   for (i = 0; i < GRUB_SERIAL_PORT_NUM; i++)
+     if (serial_hw_io_addr[i])
+@@ -272,6 +274,9 @@ grub_ns8250_init (void)
+ grub_port_t
+ grub_ns8250_hw_get_port (const unsigned int unit)
+ {
++#ifdef GRUB_MACHINE_PCBIOS
++  const unsigned short *serial_hw_io_addr = (const unsigned short *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_BIOS_DATA_AREA_ADDR);
++#endif
+   if (unit < GRUB_SERIAL_PORT_NUM
+       && !(dead_ports & (1 << unit)))
+     return serial_hw_io_addr[unit];
+diff --git a/grub-core/video/i386/pc/vbe.c b/grub-core/video/i386/pc/vbe.c
+index 0e65b5206..a0bb9af09 100644
+--- a/grub-core/video/i386/pc/vbe.c
++++ b/grub-core/video/i386/pc/vbe.c
+@@ -514,7 +514,7 @@ grub_vbe_probe (struct grub_vbe_info_block *info_block)
+ 
+       /* Use low memory scratch area as temporary storage
+          for VESA BIOS call.  */
+-      vbe_ib = (struct grub_vbe_info_block *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++      vbe_ib = (struct grub_vbe_info_block *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+ 
+       /* Prepare info block.  */
+       grub_memset (vbe_ib, 0, sizeof (*vbe_ib));
+@@ -574,7 +574,7 @@ grub_vbe_get_preferred_mode (unsigned int *width, unsigned int *height)
+ 
+   /* Use low memory scratch area as temporary storage for VESA BIOS calls.  */
+   flat_panel_info = (struct grub_vbe_flat_panel_info *)
+-    (GRUB_MEMORY_MACHINE_SCRATCH_ADDR + sizeof (struct grub_video_edid_info));
++    grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR + sizeof (struct grub_video_edid_info));
+ 
+   if (controller_info.version >= 0x200
+       && (grub_vbe_bios_get_ddc_capabilities (&ddc_level) & 0xff)
+@@ -676,7 +676,7 @@ grub_vbe_set_video_mode (grub_uint32_t vbe_mode,
+ 	  == GRUB_VBE_MEMORY_MODEL_PACKED_PIXEL)
+ 	{
+ 	  struct grub_vbe_palette_data *palette
+-	    = (struct grub_vbe_palette_data *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++	    = (struct grub_vbe_palette_data *) grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+ 	  unsigned i;
+ 
+ 	  /* Make sure that the BIOS can reach the palette.  */
+diff --git a/include/grub/types.h b/include/grub/types.h
+index 0a3ff1591..5ae0ced38 100644
+--- a/include/grub/types.h
++++ b/include/grub/types.h
+@@ -340,4 +340,28 @@ static inline void grub_set_unaligned64 (void *ptr, grub_uint64_t val)
+   dd->d = val;
+ }
+ 
++/*
++ * The grub_absolute_pointer() macro borrows the idea from Linux kernel of using
++ * RELOC_HIDE() macro to stop GCC from checking the result of pointer arithmetic
++ * and also it's conversion to be inside the symbol's boundary [1]. The check
++ * is sometimes false positive, especially it is controversial to emit the array
++ * bounds [-Warray-bounds] warning on all hardwired literal pointers since GCC
++ * 11/12 [2]. Unless a good solution can be settled, for the time being we
++ * would be in favor of the macro instead of GCC pragmas which cannot match the
++ * places the warning needs to be ignored in an exact way.
++ *
++ * [1] https://lists.linuxcoding.com/kernel/2006-q3/msg17979.html
++ * [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578
++ */
++#if defined(__GNUC__)
++# define grub_absolute_pointer(val)					\
++({									\
++	grub_addr_t __ptr;						\
++	asm ("" : "=r" (__ptr) : "0" ((void *) (val)));			\
++	(void *) (__ptr);						\
++})
++#else
++# define grub_absolute_pointer(val) ((void *) (val))
++#endif
++
+ #endif /* ! GRUB_TYPES_HEADER */
+diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c
+index a67d9d0a8..434e694ff 100644
+--- a/grub-core/loader/i386/multiboot_mbi.c
++++ b/grub-core/loader/i386/multiboot_mbi.c
+@@ -293,7 +293,7 @@ fill_vbe_info (struct multiboot_info *mbi, grub_uint8_t *ptrorig,
+   struct grub_vbe_mode_info_block *mode_info;
+ #if GRUB_MACHINE_HAS_VBE
+   grub_vbe_status_t status;
+-  void *scratch = (void *) GRUB_MEMORY_MACHINE_SCRATCH_ADDR;
++  void *scratch = grub_absolute_pointer (GRUB_MEMORY_MACHINE_SCRATCH_ADDR);
+     
+   status = grub_vbe_bios_get_controller_info (scratch);
+   if (status != GRUB_VBE_STATUS_OK)
+diff --git a/grub-core/commands/i386/pc/sendkey.c b/grub-core/commands/i386/pc/sendkey.c
+index 26d9acd3d..9fbd8cb2c 100644
+--- a/grub-core/commands/i386/pc/sendkey.c
++++ b/grub-core/commands/i386/pc/sendkey.c
+@@ -216,12 +216,12 @@ static grub_err_t
+ grub_sendkey_postboot (void)
+ {
+   /* For convention: pointer to flags.  */
+-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
++  grub_uint32_t *flags = grub_absolute_pointer (0x417);
+ 
+   *flags = oldflags;
+ 
+-  *((char *) 0x41a) = 0x1e;
+-  *((char *) 0x41c) = 0x1e;
++  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
++  *((volatile char *) grub_absolute_pointer (0x41c)) = 0x1e;
+ 
+   return GRUB_ERR_NONE;
+ }
+@@ -231,13 +231,13 @@ static grub_err_t
+ grub_sendkey_preboot (int noret __attribute__ ((unused)))
+ {
+   /* For convention: pointer to flags.  */
+-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
++  grub_uint32_t *flags = grub_absolute_pointer (0x417);
+ 
+   oldflags = *flags;
+   
+   /* Set the sendkey.  */
+-  *((char *) 0x41a) = 0x1e;
+-  *((char *) 0x41c) = keylen + 0x1e;
++  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
++  *((volatile char *) grub_absolute_pointer (0x41c)) = keylen + 0x1e;
+   grub_memcpy ((char *) 0x41e, sendkey, 0x20);
+ 
+   /* Transform "any ctrl" to "right ctrl" flag.  */
diff -pruN 2.06-2/debian/patches/gcc12_build_dangling_pointer.patch 2.06-8/debian/patches/gcc12_build_dangling_pointer.patch
--- 2.06-2/debian/patches/gcc12_build_dangling_pointer.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/gcc12_build_dangling_pointer.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,67 @@
+Borrowed and tweaked fix from:
+
+commit be8eb0eed69f8bc9ac20837eae58e55218011880
+Author: Michael Chang <mchang@suse.com>
+Date:   Mon Mar 28 15:00:52 2022 +0800
+
+    util/mkimage: Fix dangling pointer may be used error
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index a26cf76f7..58c199f7c 100644
+--- a/util/mkimage	2022-12-11 15:41:56.717934782 +0000
++++ b/util/mkimage.c	2022-12-11 15:43:05.318432532 +0000
+@@ -1383,6 +1383,10 @@
+ 	    section = (struct grub_pe32_section_table *)(o64 + 1);
+ 	  }
+ 
++#if __GNUC__ >= 12
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdangling-pointer"
++#endif
+ 	PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size);
+ 	PE_OHDR (o32, o64, entry_addr) = grub_host_to_target32 (layout.start_address);
+ 	PE_OHDR (o32, o64, image_base) = 0;
+@@ -1402,6 +1406,9 @@
+ 	/* The sections.  */
+ 	PE_OHDR (o32, o64, code_base) = grub_host_to_target32 (vma);
+ 	PE_OHDR (o32, o64, code_size) = grub_host_to_target32 (layout.exec_size);
++#if __GNUC__ >= 12
++#pragma GCC diagnostic pop
++#endif
+ 	section = init_pe_section (image_target, section, ".text",
+ 				   &vma, layout.exec_size,
+ 				   image_target->section_align,
+@@ -1413,10 +1420,17 @@
+ 	raw_size = layout.kernel_size - layout.exec_size;
+ 	scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	/* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. */
++#if __GNUC__ >= 12
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdangling-pointer"
++#endif
+ 	PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size +
+ 							       ALIGN_UP (total_module_size,
+ 									 GRUB_PE32_FILE_ALIGNMENT));
+ 
++#if __GNUC__ >= 12
++#pragma GCC diagnostic pop
++#endif
+ 	section = init_pe_section (image_target, section, ".data",
+ 				   &vma, scn_size, image_target->section_align,
+ 				   &raw_data, raw_size,
+@@ -1448,8 +1462,15 @@
+ 	  }
+ 
+ 	scn_size = ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT);
++#if __GNUC__ >= 12
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdangling-pointer"
++#endif
+ 	PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma);
+ 	PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size);
++#if __GNUC__ >= 12
++#pragma GCC diagnostic pop
++#endif
+ 	memcpy (pe_img + raw_data, layout.reloc_section, scn_size);
+ 	init_pe_section (image_target, section, ".reloc",
+ 			 &vma, scn_size, image_target->section_align,
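Review bot: The first `-Wdangling-pointer` suppression is opened in the `@@ -1383` hunk and closed only in the `@@ -1402` hunk, so it silences the warning for every statement between those two points, not only the `PE_OHDR` assignments; code added there later would go unchecked. None of the three push/pop regions carries a comment saying why the warning is believed to be a false positive, and the hunks do not show where `o32`/`o64` are assigned, so a reader cannot confirm it from here. I would add a comment above each push naming the buffer `o32`/`o64` point into and why it outlives these stores, and narrow the first region if the statements between the two hunks do not need it. Separately, the old-side header reads `--- a/util/mkimage` without the `.c` that the `+++` line has; worth checking that the patch still applies as intended.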
diff -pruN 2.06-2/debian/patches/grub-install-removable-shim.patch 2.06-8/debian/patches/grub-install-removable-shim.patch
--- 2.06-2/debian/patches/grub-install-removable-shim.patch	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/patches/grub-install-removable-shim.patch	2023-02-09 01:09:00.000000000 +0000
@@ -21,10 +21,10 @@ Patch-Name: grub-install-removable-shim.
  util/grub-install.c | 83 +++++++++++++++++++++++++++++++++++----------
  1 file changed, 66 insertions(+), 17 deletions(-)
 
-diff --git a/util/grub-install.c b/util/grub-install.c
-index 05b695226..43fc27c55 100644
---- a/util/grub-install.c
-+++ b/util/grub-install.c
+Index: grub.git/util/grub-install.c
+===================================================================
+--- grub.git.orig/util/grub-install.c
++++ grub.git/util/grub-install.c
 @@ -891,17 +891,13 @@ check_component_exists(const char *dir,
  static void
  also_install_removable(const char *src,
@@ -107,10 +107,10 @@ index 05b695226..43fc27c55 100644
  
  		fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
  						    fb_signed);
-@@ -2153,30 +2151,81 @@ main (int argc, char *argv[])
- 						    fb_file);
- 		grub_install_copy_file (fb_src,
- 					fb_dst, 0);
+@@ -2154,30 +2152,81 @@ main (int argc, char *argv[])
+ 		if (!removable)
+ 		  grub_install_copy_file (fb_src,
+ 					  fb_dst, 0);
 +
 +		csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
 +						    csv_file);
diff -pruN 2.06-2/debian/patches/grub_mkconfig_restore_umask.patch 2.06-8/debian/patches/grub_mkconfig_restore_umask.patch
--- 2.06-2/debian/patches/grub_mkconfig_restore_umask.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/grub_mkconfig_restore_umask.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,36 @@
+commit 0adec29674561034771c13e446069b41ef41e4d4
+Author: Michael Chang <mchang@suse.com>
+Date:   Fri Dec 3 16:13:28 2021 +0800
+
+    grub-mkconfig: Restore umask for the grub.cfg
+    
+    The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+    configuration by grub-mkconfig) has inadvertently discarded umask for
+    creating grub.cfg in the process of running grub-mkconfig. The resulting
+    wrong permission (0644) would allow unprivileged users to read GRUB
+    configuration file content. This presents a low confidentiality risk
+    as grub.cfg may contain non-secured plain-text passwords.
+    
+    This patch restores the missing umask and sets the creation file mode
+    to 0600 preventing unprivileged access.
+    
+    Fixes: CVE-2021-3981
+    
+    Signed-off-by: Michael Chang <mchang@suse.com>
+    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
++    oldumask=$(umask)
++    umask 077
+     cat ${grub_cfg}.new > ${grub_cfg}
++    umask $oldumask
+     rm -f ${grub_cfg}.new
+   fi
+ fi
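Review bot: `umask 077` only affects the mode of a file that `cat ${grub_cfg}.new > ${grub_cfg}` creates; when `${grub_cfg}` already exists the redirection truncates it and keeps its current mode, so a grub.cfg left at 0644 by the regression stays world-readable after this fix. If the intent is to close the exposure on existing systems too, an explicit `chmod 600 ${grub_cfg}` after the `cat` (or a one-time fix-up at package upgrade) would be needed; whether anything later in the script or in the packaging adjusts the mode is not visible in this hunk. The mode of `${grub_cfg}.new` is set where that file is created, which is also outside the hunk, and the surrounding `if`/`else` starts before it.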
diff -pruN 2.06-2/debian/patches/ignore_checksum_seed_incompat_feature.patch 2.06-8/debian/patches/ignore_checksum_seed_incompat_feature.patch
--- 2.06-2/debian/patches/ignore_checksum_seed_incompat_feature.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/ignore_checksum_seed_incompat_feature.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,54 @@
+commit 7fd5feff97c4b1f446f8fcf6d37aca0c64e7c763
+Author: Javier Martinez Canillas <javierm@redhat.com>
+Date:   Fri Jun 11 21:36:16 2021 +0200
+
+    fs/ext2: Ignore checksum seed incompat feature
+    
+    This incompat feature is used to denote that the filesystem stored its
+    metadata checksum seed in the superblock. This is used to allow tune2fs
+    changing the UUID on a mounted metdata_csum filesystem without having
+    to rewrite all the disk metadata. However, the GRUB doesn't use the
+    metadata checksum at all. So, it can just ignore this feature if it
+    is enabled. This is consistent with the GRUB filesystem code in general
+    which just does a best effort to access the filesystem's data.
+    
+    The checksum seed incompat feature has to be removed from the ignore
+    list if the support for metadata checksum verification is added to the
+    GRUB ext2 driver later.
+    
+    Suggested-by: Eric Sandeen <esandeen@redhat.com>
+    Suggested-by: Lukas Czerner <lczerner@redhat.com>
+    Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+    Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index e7dd78e66..4953a1591 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -103,6 +103,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT4_FEATURE_INCOMPAT_64BIT		0x0080
+ #define EXT4_FEATURE_INCOMPAT_MMP		0x0100
+ #define EXT4_FEATURE_INCOMPAT_FLEX_BG		0x0200
++#define EXT4_FEATURE_INCOMPAT_CSUM_SEED		0x2000
+ #define EXT4_FEATURE_INCOMPAT_ENCRYPT          0x10000
+ 
+ /* The set of back-incompatible features this driver DOES support. Add (OR)
+@@ -123,10 +124,15 @@ GRUB_MOD_LICENSE ("GPLv3+");
+  * mmp:            Not really back-incompatible - was added as such to
+  *                 avoid multiple read-write mounts. Safe to ignore for this
+  *                 RO driver.
++ * checksum seed:  Not really back-incompatible - was added to allow tools
++ *                 such as tune2fs to change the UUID on a mounted metadata
++ *                 checksummed filesystem. Safe to ignore for now since the
++ *                 driver doesn't support checksum verification. However, it
++ *                 has to be removed from this list if the support is added later.
+  */
+ #define EXT2_DRIVER_IGNORED_INCOMPAT ( EXT3_FEATURE_INCOMPAT_RECOVER \
+-				     | EXT4_FEATURE_INCOMPAT_MMP)
+-
++				     | EXT4_FEATURE_INCOMPAT_MMP \
++				     | EXT4_FEATURE_INCOMPAT_CSUM_SEED)
+ 
+ #define EXT3_JOURNAL_MAGIC_NUMBER	0xc03b3998U
+ 
diff -pruN 2.06-2/debian/patches/ignore_the_large_dir_incompat_feature.patch 2.06-8/debian/patches/ignore_the_large_dir_incompat_feature.patch
--- 2.06-2/debian/patches/ignore_the_large_dir_incompat_feature.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/ignore_the_large_dir_incompat_feature.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,53 @@
+commit 2e9fa73a040462b81bfbfe56c0bc7ad2d30b446b
+Author: Theodore Ts'o <tytso@mit.edu>
+Date:   Tue Aug 30 22:41:59 2022 -0400
+
+    fs/ext2: Ignore the large_dir incompat feature
+    
+    Recently, ext4 added the large_dir feature, which adds support for
+    a 3 level htree directory support.
+    
+    The GRUB supports existing file systems with htree directories by
+    ignoring their existence, and since the index nodes for the hash tree
+    look like deleted directory entries (by design), the GRUB can simply do
+    a brute force O(n) linear search of directories. The same is true for
+    3 level deep htrees indicated by large_dir feature flag.
+    
+    Hence, it is safe for the GRUB to ignore the large_dir incompat feature.
+    
+    Fixes: https://savannah.gnu.org/bugs/?61606
+    
+    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index 0989e26e1..e1cc5e62a 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -104,6 +104,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT4_FEATURE_INCOMPAT_MMP		0x0100
+ #define EXT4_FEATURE_INCOMPAT_FLEX_BG		0x0200
+ #define EXT4_FEATURE_INCOMPAT_CSUM_SEED		0x2000
++#define EXT4_FEATURE_INCOMPAT_LARGEDIR		0x4000 /* >2GB or 3 level htree */
+ #define EXT4_FEATURE_INCOMPAT_ENCRYPT          0x10000
+ 
+ /* The set of back-incompatible features this driver DOES support. Add (OR)
+@@ -129,10 +130,17 @@ GRUB_MOD_LICENSE ("GPLv3+");
+  *                 checksummed filesystem. Safe to ignore for now since the
+  *                 driver doesn't support checksum verification. However, it
+  *                 has to be removed from this list if the support is added later.
++ * large_dir:      Not back-incompatible given that the GRUB ext2 driver does
++ *                 not implement EXT2_FEATURE_COMPAT_DIR_INDEX. If the GRUB
++ *                 eventually supports the htree feature (aka dir_index)
++ *                 it should support 3 level htrees and then move
++ *                 EXT4_FEATURE_INCOMPAT_LARGEDIR to
++ *                 EXT2_DRIVER_SUPPORTED_INCOMPAT.
+  */
+ #define EXT2_DRIVER_IGNORED_INCOMPAT ( EXT3_FEATURE_INCOMPAT_RECOVER \
+ 				     | EXT4_FEATURE_INCOMPAT_MMP \
+-				     | EXT4_FEATURE_INCOMPAT_CSUM_SEED)
++				     | EXT4_FEATURE_INCOMPAT_CSUM_SEED \
++				     | EXT4_FEATURE_INCOMPAT_LARGEDIR)
+ 
+ #define EXT3_JOURNAL_MAGIC_NUMBER	0xc03b3998U
+ 
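Review bot: The new `large_dir` paragraph in the `EXT2_DRIVER_IGNORED_INCOMPAT` comment justifies ignoring the flag only for 3-level htrees, while the comment on the added `#define EXT4_FEATURE_INCOMPAT_LARGEDIR` says the flag also covers directories larger than 2GB. The hunk does not say how the driver's linear directory scan behaves for such a directory, so the "safe to ignore" reasoning is documented for one half of the feature only. I would extend the paragraph with a hedged line such as `Directory sizes above 2GB: TODO confirm the linear scan handles them.` until that has been checked against the directory iteration code.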
diff -pruN 2.06-2/debian/patches/install-signed.patch 2.06-8/debian/patches/install-signed.patch
--- 2.06-2/debian/patches/install-signed.patch	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/patches/install-signed.patch	2023-02-09 01:09:00.000000000 +0000
@@ -11,18 +11,18 @@ Author: Steve Langasek <steve.langasek@u
 Author: Linn Crosetto <linn@hpe.com>
 Author: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
 Forwarded: no
-Last-Update: 2021-09-24
+Last-Update: 2023-01-15
 
 Patch-Name: install-signed.patch
 ---
  util/grub-install.c | 212 ++++++++++++++++++++++++++++++++------------
  1 file changed, 153 insertions(+), 59 deletions(-)
 
-diff --git a/util/grub-install.c b/util/grub-install.c
-index 48e2d3779..f49c78d0b 100644
---- a/util/grub-install.c
-+++ b/util/grub-install.c
-@@ -80,6 +80,7 @@ static char *label_color;
+Index: grub.git/util/grub-install.c
+===================================================================
+--- grub.git.orig/util/grub-install.c
++++ grub.git/util/grub-install.c
+@@ -79,6 +79,7 @@ static char *label_color;
  static char *label_bgcolor;
  static char *product_version;
  static int add_rs_codes = 1;
@@ -30,7 +30,7 @@ index 48e2d3779..f49c78d0b 100644
  
  enum
    {
-@@ -110,7 +111,9 @@ enum
+@@ -109,7 +110,9 @@ enum
      OPTION_LABEL_FONT,
      OPTION_LABEL_COLOR,
      OPTION_LABEL_BGCOLOR,
@@ -41,7 +41,7 @@ index 48e2d3779..f49c78d0b 100644
    };
  
  static int fs_probe = 1;
-@@ -234,6 +237,14 @@ argp_parser (int key, char *arg, struct argp_state *state)
+@@ -233,6 +236,14 @@ argp_parser (int key, char *arg, struct
        bootloader_id = xstrdup (arg);
        return 0;
  
@@ -56,7 +56,7 @@ index 48e2d3779..f49c78d0b 100644
      case ARGP_KEY_ARG:
        if (install_device)
  	grub_util_error ("%s", _("More than one install device?"));
-@@ -303,6 +314,14 @@ static struct argp_option options[] = {
+@@ -302,6 +313,14 @@ static struct argp_option options[] = {
    {"label-color", OPTION_LABEL_COLOR, N_("COLOR"), 0, N_("use COLOR for label"), 2},
    {"label-bgcolor", OPTION_LABEL_BGCOLOR, N_("COLOR"), 0, N_("use COLOR for label background"), 2},
    {"product-version", OPTION_PRODUCT_VERSION, N_("STRING"), 0, N_("use STRING as product version"), 2},
@@ -71,7 +71,7 @@ index 48e2d3779..f49c78d0b 100644
    {0, 0, 0, 0, 0, 0}
  };
  
-@@ -833,7 +852,8 @@ main (int argc, char *argv[])
+@@ -832,7 +851,8 @@ main (int argc, char *argv[])
  {
    int is_efi = 0;
    const char *efi_distributor = NULL;
@@ -81,7 +81,7 @@ index 48e2d3779..f49c78d0b 100644
    char **grub_devices;
    grub_fs_t grub_fs;
    grub_device_t grub_dev = NULL;
-@@ -1103,6 +1123,39 @@ main (int argc, char *argv[])
+@@ -1102,6 +1122,39 @@ main (int argc, char *argv[])
        */
        char *t;
        efi_distributor = bootloader_id;
@@ -121,7 +121,7 @@ index 48e2d3779..f49c78d0b 100644
        if (removable)
  	{
  	  /* The specification makes stricter requirements of removable
-@@ -1111,66 +1164,16 @@ main (int argc, char *argv[])
+@@ -1110,66 +1163,16 @@ main (int argc, char *argv[])
  	     must have a specific file name depending on the architecture.
  	  */
  	  efi_distributor = "BOOT";
@@ -192,7 +192,7 @@ index 48e2d3779..f49c78d0b 100644
  	}
        t = grub_util_path_concat (3, efidir, "EFI", efi_distributor);
        free (efidir);
-@@ -1376,14 +1379,41 @@ main (int argc, char *argv[])
+@@ -1375,14 +1378,38 @@ main (int argc, char *argv[])
  	}
      }
  
@@ -208,10 +208,7 @@ index 48e2d3779..f49c78d0b 100644
 +      {
 +	char *dir = xasprintf ("%s-signed", grub_install_source_directory);
 +	char *signed_image;
-+	if (removable)
-+	  signed_image = xasprintf ("gcd%s.efi.signed", efi_suffix);
-+	else
-+	  signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
++	signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
 +	efi_signed = grub_util_path_concat (2, dir, signed_image);
 +	break;
 +      }
@@ -236,7 +233,7 @@ index 48e2d3779..f49c78d0b 100644
  	{
  	  char *uuid = NULL;
  	  /*  generic method (used on coreboot and ata mod).  */
-@@ -1941,7 +1971,71 @@ main (int argc, char *argv[])
+@@ -1927,7 +1957,72 @@ main (int argc, char *argv[])
      case GRUB_INSTALL_PLATFORM_IA64_EFI:
        {
  	char *dst = grub_util_path_concat (2, efidir, efi_file);
@@ -289,8 +286,9 @@ index 48e2d3779..f49c78d0b 100644
 +						    fb_signed);
 +		fb_dst = grub_util_path_concat (2, efidir,
 +						    fb_file);
-+		grub_install_copy_file (fb_src,
-+					fb_dst, 0);
++		if (!removable)
++		  grub_install_copy_file (fb_src,
++					  fb_dst, 0);
 +		free (fb_src);
 +		free (fb_dst);
 +	      }
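Review bot: The added `if (!removable)` guards only the `grub_install_copy_file (fb_src, fb_dst, 0)` call, so on the removable path `fb_src` and `fb_dst` are still built with `grub_util_path_concat` and freed without being used. Hoisting the guard to cover the two allocations and the two `free` calls would make it clear that the `fb_*` file is skipped for removable installs, and a one-line comment saying why it is skipped would help; the reason is not stated in the hunk. The enclosing block begins and ends outside this hunk.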
diff -pruN 2.06-2/debian/patches/kern-file-Fix-error-handling-in-grub_file_open.patch 2.06-8/debian/patches/kern-file-Fix-error-handling-in-grub_file_open.patch
--- 2.06-2/debian/patches/kern-file-Fix-error-handling-in-grub_file_open.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/patches/kern-file-Fix-error-handling-in-grub_file_open.patch	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,37 @@
+From aee575ddefd35f0fd6592171ae48ab6a4bb27464 Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <steve@einval.com>
+Date: Mon, 5 Dec 2022 23:14:10 +0000
+Subject: [PATCH] kern/file: Fix error handling in grub_file_open()
+
+grub_file_open() calls grub_file_get_device_name(), but doesn't check
+the return. Instead, it checks if grub_errno is set.
+
+However, nothing initialises grub_errno here when grub_file_open()
+starts. This means that trying to open one file that doesn't exist and
+then trying to open another file that does will (incorrectly) also
+fail to open that second file.
+
+Let's fix that.
+
+Signed-off-by: Steve McIntyre <steve@einval.com>
+---
+ grub-core/kern/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 8d48fd50d..668b149c3 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -66,6 +66,9 @@ grub_file_open (const char *name, enum grub_file_type type)
+   const char *file_name;
+   grub_file_filter_id_t filter;
+ 
++  /* Reset grub_errno before we start */
++  grub_errno = GRUB_ERR_NONE;
++
+   device_name = grub_file_get_device_name (name);
+   if (grub_errno)
+     goto fail;
+-- 
+2.30.2
+
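Review bot: Clearing `grub_errno` on entry to `grub_file_open()` also discards any error a caller had set and not yet consumed, so a failure raised just before the open can be lost; the patch description argues from the stale-error case only. Since the check after `grub_file_get_device_name (name)` reads `grub_errno` rather than the return value, the reset is needed for that check to be meaningful, but the comment should say so: `/* Clear any stale grub_errno: the check below tests it, not the return value.  */`. The rest of `grub_file_open()` lies outside the hunk, so whether later paths also depend on a clean `grub_errno` cannot be seen here.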
diff -pruN 2.06-2/debian/patches/series 2.06-8/debian/patches/series
--- 2.06-2/debian/patches/series	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/patches/series	2023-02-09 01:09:00.000000000 +0000
@@ -60,3 +60,57 @@ tpm-unknown-error-non-fatal.patch
 xfs-fix-v4-superblock.patch
 tests-ahci-update-qemu-device-name.patch
 minilzo-2.10.patch
+0063-loader-efi-chainloader-Simplify-the-loader-state.patch
+0064-commands-boot-Add-API-to-pass-context-to-loader.patch
+0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch
+0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
+0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
+0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
+0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch
+0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
+0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
+0072-video-readers-png-Sanity-check-some-huffman-codes.patch
+0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
+0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
+0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
+0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
+0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
+0078-net-netbuff-Block-overly-large-netbuff-allocs.patch
+0079-net-ip-Do-IP-fragment-maths-safely.patch
+0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
+0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
+0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
+0083-net-tftp-Avoid-a-trivial-UAF.patch
+0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
+0085-net-http-Fix-OOB-write-for-split-http-headers.patch
+0086-net-http-Error-out-on-headers-with-LF-without-CR.patch
+0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch
+0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch
+0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch
+0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
+0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
+0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
+fs-tester-time-fail.patch
+cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch
+cve_2022_2601/0002-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
+cve_2022_2601/0003-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
+cve_2022_2601/0004-font-Fix-several-integer-overflows-in-grub_font_cons.patch
+cve_2022_2601/0005-font-Remove-grub_font_dup_glyph.patch
+cve_2022_2601/0006-font-Fix-integer-overflow-in-ensure_comb_space.patch
+cve_2022_2601/0007-font-Fix-integer-overflow-in-BMP-index.patch
+cve_2022_2601/0008-font-Fix-integer-underflow-in-binary-search-of-char-.patch
+cve_2022_2601/0009-kern-efi-sb-Enforce-verification-of-font-files.patch
+cve_2022_2601/0010-fbutil-Fix-integer-overflow.patch
+cve_2022_2601/0011-font-Fix-an-integer-underflow-in-blit_comb.patch
+cve_2022_2601/0012-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
+cve_2022_2601/0013-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
+cve_2022_2601/0014-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
+font-Try-opening-fonts-from-the-bundled-memdisk.patch
+kern-file-Fix-error-handling-in-grub_file_open.patch
+gcc12_build_dangling_pointer.patch
+gcc12_build_array_bounds.patch
+gcc12_build_array_bounds2.patch
+arm64_remove_magic_number_check.patch
+grub_mkconfig_restore_umask.patch
+ignore_checksum_seed_incompat_feature.patch
+ignore_the_large_dir_incompat_feature.patch
diff -pruN 2.06-2/debian/po/id.po 2.06-8/debian/po/id.po
--- 2.06-2/debian/po/id.po	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/po/id.po	2023-02-09 01:09:00.000000000 +0000
@@ -2,23 +2,23 @@
 # Copyright (C) Grub2 Developer
 # This file is distributed under the same license as the Grub2 package.
 # Arief S Fitrianto <arief@gurame.fisika.ui.ac.id>, 2010.
+# Andika Triwidada <andika@gmail.com>, 2022.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: grub2\n"
 "Report-Msgid-Bugs-To: grub2@packages.debian.org\n"
 "POT-Creation-Date: 2019-02-26 09:54+0000\n"
-"PO-Revision-Date: 2012-01-20 12:28+0700\n"
-"Last-Translator: Mahyuddin Susanto <udienz@ubuntu.com>\n"
+"PO-Revision-Date: 2022-03-15 17:45+0700\n"
+"Last-Translator: Andika Triwidada <andika@gmail.com>\n"
 "Language-Team: Debian Indonesian Translation Team <debian-l10n-id@gurame."
 "fisika.ui.ac.id>\n"
 "Language: id\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Poedit-Language: Indonesian\n"
-"X-Poedit-Country: INDONESIA\n"
 "X-Poedit-SourceCharset: utf-8\n"
+"X-Generator: Poedit 3.0\n"
 
 #. Type: boolean
 #. Description
@@ -31,7 +31,7 @@ msgstr "Chainload dari menu.lst?"
 #: ../grub-pc.templates.in:2001
 msgid "GRUB upgrade scripts have detected a GRUB Legacy setup in /boot/grub."
 msgstr ""
-"Script pemutakhiran GRUB menemukan konfigurasi GRUB jadul di /boot/grub."
+"Skrip peningkatan GRUB telah mendeteksi setup GRUB Warisan di /boot/grub."
 
 #. Type: boolean
 #. Description
@@ -42,9 +42,10 @@ msgid ""
 "from your existing GRUB Legacy setup. This step can be automatically "
 "performed now."
 msgstr ""
-"Untuk mengganti GRUB jadul pada sistem Anda, sangat disarankan menyesuaikan /"
-"boot/grub/menu.lst agar memuat citra boot GRUB2 dari konfigurasi GRUB Jadul. "
-"Langkah ini mungkin akan dilakukan otomatis sekarang."
+"Untuk mengganti GRUB versi Warisan pada sistem Anda, sangat disarankan "
+"menyesuaikan /boot/grub/menu.lst agar memuat citra boot GRUB2 dari "
+"konfigurasi GRUB Warisan. Langkah ini sekarang dapat dilakukan secara "
+"otomatis."
 
 #. Type: boolean
 #. Description
@@ -54,9 +55,9 @@ msgid ""
 "verify that the new GRUB 2 setup works before it is written to the MBR "
 "(Master Boot Record)."
 msgstr ""
-"Sangat disarankan Anda menerima hasil penyesuaian GRUB 2 dari menu.lst dan "
-"memastikan bahwa konfigurasi GRUB 2 bekerja dengan baik sebelum Anda "
-"memasangnya pada MBR (Master Boot Record)."
+"Sangat disarankan Anda menerima chainloading GRUB 2 dari menu.lst, dan "
+"memastikan bahwa setup GRUB 2 yang baru bekerja sebelum Anda memasangnya "
+"pada MBR (Master Boot Record)."
 
 #. Type: boolean
 #. Description
@@ -65,8 +66,8 @@ msgid ""
 "Whatever your decision, you can replace the old MBR image with GRUB 2 later "
 "by issuing the following command as root:"
 msgstr ""
-"Apapun pilihan Anda, Anda dapat mengganti citra MBR lama dengan GRUB2 di "
-"lain waktu dengan menjalankan perintah berikut sebagai root: "
+"Apapun pilihan Anda, Anda dapat mengganti citra MBR lama dengan GRUB 2 nanti "
+"dengan menjalankan perintah berikut sebagai root:"
 
 #. Type: multiselect
 #. Description
@@ -83,8 +84,9 @@ msgid ""
 "The grub-pc package is being upgraded. This menu allows you to select which "
 "devices you'd like grub-install to be automatically run for, if any."
 msgstr ""
-"Paket grub-pc sedang diperbaharui. Menu ini memungkinkan Anda memilih "
-"piranti yang Anda inginkan untuk menjalankan grub-install."
+"Paket grub-pc sedang ditingkatkan. Menu ini memungkinkan Anda memilih "
+"piranti yang Anda inginkan untuk menjalankan grub-install secara otomatis, "
+"bila ada."
 
 #. Type: multiselect
 #. Description
@@ -95,8 +97,8 @@ msgid ""
 "modules or grub.cfg."
 msgstr ""
 "Menjalankan grub-install secara otomatis sangat disarankan dalam kebanyakan "
-"kasus. Hal ini untuk mencegah citra inti GRUB yang terpasang tidak sesuai "
-"dengan modul GRUB atau grub.cfg"
+"kasus, untuk mencegah citra inti GRUB yang terpasang tidak selaras dengan "
+"modul GRUB atau grub.cfg."
 
 #. Type: multiselect
 #. Description
@@ -107,8 +109,8 @@ msgid ""
 "If you're unsure which drive is designated as boot drive by your BIOS, it is "
 "often a good idea to install GRUB to all of them."
 msgstr ""
-"Jika Anda tidak yakin piranti yang dijadikan piranti boot oleh BIOS, sangat "
-"disarankan untuk memasang GRUB di semua piranti dimaksud."
+"Jika Anda tidak yakin piranti yang dijadikan piranti boot oleh BIOS, ide "
+"yang baik untuk memasang GRUB di semua piranti itu."
 
 #. Type: multiselect
 #. Description
@@ -161,7 +163,7 @@ msgstr "- ${DEVICE} (${SIZE} MB; ${PATH}
 #. Description
 #: ../grub-pc.templates.in:7001
 msgid "Writing GRUB to boot device failed - continue?"
-msgstr "Gagal menulis GRUB ke piranti boot -- lanjutkan?"
+msgstr "Gagal menulis GRUB ke piranti boot - lanjutkan?"
 
 #. Type: boolean
 #. Description
@@ -179,13 +181,13 @@ msgid ""
 "properly."
 msgstr ""
 "Anda yakin akan lanjut terus? Jika ya, komputer Anda mungkin tidak dapat "
-"beroperasi."
+"dijalankan dengan benar."
 
 #. Type: boolean
 #. Description
 #: ../grub-pc.templates.in:8001
 msgid "Writing GRUB to boot device failed - try again?"
-msgstr "Gagal menulis GRUB ke piranti boot. Coba lagi?"
+msgstr "Gagal menulis GRUB ke piranti boot - coba lagi?"
 
 #. Type: boolean
 #. Description
@@ -196,8 +198,8 @@ msgid ""
 "from GRUB Legacy will be canceled."
 msgstr ""
 "Anda dapat memasang GRUB pada piranti lainnya. Tetapi, Anda harus memastikan "
-"komputer dapat boot dari piranti tersebut. Jika tidak, pemutakhiran dari "
-"GRUB jadul akan dibatalkan."
+"komputer dapat boot dari piranti tersebut. Jika tidak, peningkatan dari GRUB "
+"Warisan akan dibatalkan."
 
 #. Type: boolean
 #. Description
@@ -216,10 +218,10 @@ msgid ""
 "modules or handle the current configuration file."
 msgstr ""
 "Anda memilih tidak memasang GRUB di piranti apapun. Jika Anda lanjutkan, "
-"pemuat boot mungkin tidak terkonfigurasi dengan benar. Jika komputer ini "
-"dinyalakan kembali, maka apapun yang sebelumnya ada di bootsector akan "
-"digunakan. Jika ada versi awal GRUB2 di bootsector, mungkin tidak dapat "
-"memuat modul-modul atau menangani berkas konfigurasi mutakhir."
+"pemuat boot mungkin tidak terkonfigurasi dengan benar, dan ketika komputer "
+"ini dinyalakan kembali, maka apapun yang sebelumnya ada di bootsector akan "
+"digunakan. Jika ada versi lebih lama GRUB 2 di bootsector, mungkin tidak "
+"dapat memuat modul-modul atau menangani berkas konfigurasi mutakhir."
 
 #. Type: boolean
 #. Description
@@ -253,14 +255,14 @@ msgstr "Yakinkah Anda ingin menghapus se
 msgid ""
 "This will make the system unbootable unless another boot loader is installed."
 msgstr ""
-"Hal ini akan membuat sistem tidak dapat booting kecuali Anda memasang pemuat "
+"Hal ini akan membuat sistem tidak dapat boot kecuali Anda memasang pemuat "
 "boot lainnya."
 
 #. Type: boolean
 #. Description
 #: ../grub-pc.templates.in:11001
 msgid "Finish conversion to GRUB 2 now?"
-msgstr "Selesaikan proses konversi ke GRUB2 sekarang?"
+msgstr "Selesaikan proses konversi ke GRUB 2 sekarang?"
 
 #. Type: boolean
 #. Description
@@ -269,8 +271,8 @@ msgid ""
 "This system still has files from the GRUB Legacy boot loader installed, but "
 "it now also has GRUB 2 boot records installed on these disks:"
 msgstr ""
-"Sistem ini masih memiliki berkas-berkas dari pemuat boot GRUB Jadul, tapi "
-"sekarang juga memiliki rekam boot GRUB2 di piranti berikut:"
+"Sistem ini masih memiliki berkas-berkas dari pemuat boot GRUB Warisan, tapi "
+"sekarang juga memiliki rekam boot GRUB 2 di piranti berikut:"
 
 #. Type: boolean
 #. Description
@@ -282,11 +284,11 @@ msgid ""
 "GRUB 2 images, then they may be incompatible with the new packages and cause "
 "your system to stop booting properly."
 msgstr ""
-"Tampaknya GRUB Jadul sudah tidak terpakai, dan Anda sebaiknya memasang citra "
-"GRUB2 pada harddisk ini, lalu menyelesaikan proses konversi ke GRUB2 dengan "
-"menghapus berkas-berkas GRUB Jadul. Jika Anda tidak memutakhirkan citra "
-"GRUB2, maka mungkin akan ada masalah inkompatibilitas dengan paket-paket "
-"baru dan membuat sistem Anda tidak dapat booting dengan benar."
+"Tampaknya GRUB Warisan sudah tidak terpakai, dan Anda sebaiknya memasang "
+"citra GRUB 2 pada harddisk ini, lalu menyelesaikan proses konversi ke GRUB 2 "
+"dengan menghapus berkas-berkas GRUB Warisan. Jika Anda tidak memutakhirkan "
+"citra GRUB 2, maka mungkin akan ada masalah inkompatibilitas dengan paket-"
+"paket baru dan membuat sistem Anda tidak dapat boot dengan benar."
 
 #. Type: boolean
 #. Description
@@ -295,8 +297,8 @@ msgid ""
 "You should generally finish the conversion to GRUB 2 unless these boot "
 "records were created by a GRUB 2 installation on some other operating system."
 msgstr ""
-"Anda sebaiknya menyelesaikan konversi ke GRUB2 kecuali jika rekam boot ini "
-"dibuat melalui pemasangan GRUB2 pada sistem operasi lain."
+"Anda sebaiknya menyelesaikan konversi ke GRUB 2 kecuali jika rekam boot ini "
+"dibuat melalui pemasangan GRUB 2 pada sistem operasi lain."
 
 #. Type: string
 #. Description
@@ -313,14 +315,14 @@ msgid ""
 "correct, and modify it if necessary. The command line is allowed to be empty."
 msgstr ""
 "Baris perintah Linux berikut ini disadur dari /etc/default/grub atau "
-"parameter 'kopt' di menu.lst pada GRUB jadul. Pastikan kebenarannya dan "
-"suntinglah bila perlu. Baris perintahnya diperbolehkan dikosongi."
+"parameter 'kopt' di menu.lst pada GRUB Warisan. Pastikan kebenarannya dan "
+"suntinglah bila perlu. Baris perintahnya diperbolehkan kosong."
 
 #. Type: string
 #. Description
 #: ../templates.in:2001
 msgid "Linux default command line:"
-msgstr "Baris perintah standar Linux:"
+msgstr "Baris perintah baku Linux:"
 
 #. Type: string
 #. Description
@@ -329,14 +331,14 @@ msgid ""
 "The following string will be used as Linux parameters for the default menu "
 "entry but not for the recovery mode."
 msgstr ""
-"String berikut ini akan digunakan sebagai parameter Linux untuk menu standar "
-"tetapi tidak digunakan untuk modus darurat."
+"String berikut ini akan digunakan sebagai parameter Linux untuk menu baku "
+"tetapi tidak digunakan untuk modus pemulihan."
 
 #. Type: boolean
 #. Description
 #: ../templates.in:3001
 msgid "Force extra installation to the EFI removable media path?"
-msgstr ""
+msgstr "Paksakan instalasi ekstra ke path media lepasan EFI?"
 
 #. Type: boolean
 #. Description
@@ -350,12 +352,20 @@ msgid ""
 "make sure that GRUB is configured successfully to be able to boot any other "
 "OS installations correctly."
 msgstr ""
+"Beberapa sistem berbasis EFI memiliki bug dan tidak menangani bootloader "
+"baru dengan benar. Jika Anda memaksa instalasi tambahan GRUB ke path media "
+"lepasan EFI, ini harus memastikan bahwa sistem ini akan mem-boot Debian "
+"dengan benar meskipun ada masalah seperti itu. Namun, itu dapat "
+"menghilangkan kemampuan untuk mem-boot sistem operasi lain yang juga "
+"bergantung pada path ini. Jika demikian, Anda perlu memastikan bahwa GRUB "
+"dikonfigurasi dengan sukses untuk dapat mem-boot instalasi OS lainnya dengan "
+"benar."
 
 #. Type: boolean
 #. Description
 #: ../templates.in:4001
 msgid "Update NVRAM variables to automatically boot into Debian?"
-msgstr ""
+msgstr "Perbarui variabel NVRAM untuk boot secara otomatis ke Debian?"
 
 #. Type: boolean
 #. Description
@@ -367,6 +377,12 @@ msgid ""
 "your NVRAM variables have been set up such that your system contacts a PXE "
 "server on every boot, this would preserve that behavior."
 msgstr ""
+"GRUB dapat mengonfigurasi variabel NVRAM platform Anda sehingga boot ke "
+"Debian secara otomatis saat dinyalakan. Namun, Anda mungkin lebih suka "
+"menonaktifkan perilaku ini dan menghindari perubahan pada konfigurasi boot "
+"Anda. Misalnya, jika variabel NVRAM Anda telah diatur sedemikian rupa "
+"sehingga sistem Anda menghubungi server PXE pada setiap boot, ini akan "
+"mempertahankan perilaku itu."
 
 #. Type: string
 #. Description
@@ -383,14 +399,14 @@ msgid ""
 "correct, and modify it if necessary. The command line is allowed to be empty."
 msgstr ""
 "Baris perintah kFreeBSD berikut ini disadur dari /etc/default/grub atau "
-"parameter 'kopt' di menu.lst pada GRUB jadul. Pastikan kebenarannya dan "
-"suntinglah bila perlu. Baris perintahnya diperbolehkan dikosongi."
+"parameter 'kopt' di menu.lst pada GRUB Warisan. Pastikan kebenarannya dan "
+"suntinglah bila perlu. Baris perintahnya diperbolehkan kosong."
 
 #. Type: string
 #. Description
 #: ../templates.in:6001
 msgid "kFreeBSD default command line:"
-msgstr "Baris perintah standar kFreeBSD:"
+msgstr "Baris perintah baku kFreeBSD:"
 
 #. Type: string
 #. Description
@@ -399,47 +415,5 @@ msgid ""
 "The following string will be used as kFreeBSD parameters for the default "
 "menu entry but not for the recovery mode."
 msgstr ""
-"String berikut ini digunakan sebagai parameter kFreeBSD untuk menu standar, "
-"tetapi tidak digunakan untuk modus darurat."
-
-#~ msgid "/boot/grub/device.map has been regenerated"
-#~ msgstr "/boot/grub/device.map telah dibuat ulang."
-
-#~ msgid ""
-#~ "The file /boot/grub/device.map has been rewritten to use stable device "
-#~ "names. In most cases, this should significantly reduce the need to change "
-#~ "it in future, and boot menu entries generated by GRUB should not be "
-#~ "affected."
-#~ msgstr ""
-#~ "Berkas /boot/grub/device.map telah ditulis ulang agar menggunakan nama "
-#~ "piranti yang stabil. Dalam kebanyakan kasus, hal ini berarti mengurangi "
-#~ "kemungkinan perubahan di masa datang, dan isian menu boot yang dibuat "
-#~ "oleh GRUB tidak akan terpengaruh."
-
-#~ msgid ""
-#~ "However, since more than one disk is present in the system, it is "
-#~ "possible that the system is depending on the old device map. Please check "
-#~ "whether there are any custom boot menu entries that rely on GRUB's (hdN) "
-#~ "drive numbering, and update them if necessary."
-#~ msgstr ""
-#~ "Akan tetapi, karena ada lebih dari satu harddisk pada sistem ini, sangat "
-#~ "mungkin bahwa Anda bergantung pada peta piranti yang lama. Mohon periksa "
-#~ "apakah Anda memiliki isian menu boot GRUB secara manual yang menggunakan "
-#~ "penomoran harddisk (hdN). Jika ya, perbaiki yang diperlukan. "
-
-#~ msgid ""
-#~ "If you do not understand this message, or if there are no custom boot "
-#~ "menu entries, you can ignore this message."
-#~ msgstr ""
-#~ "Jika Anda tidak mengerti pesan ini atau jika tidak memiliki isian menu "
-#~ "boot secara manual, Anda bisa mengabaikan pesan ini."
-
-#~ msgid ""
-#~ "In either case, whenever you want GRUB 2 to be loaded directly from MBR, "
-#~ "you can do so by issuing (as root) the following command:"
-#~ msgstr ""
-#~ "Di semua kasus, ketika Anda ingin agar GRUB 2 dimuatkan langsung dari "
-#~ "MBR, Anda dapat melakukan (sebagai root) perintah berikut:"
-
-#~ msgid "GRUB installation failed. Continue?"
-#~ msgstr "Gagal memasang GRUB. Lanjutkan?"
+"String berikut ini digunakan sebagai parameter kFreeBSD untuk menu baku, "
+"tetapi tidak digunakan untuk modus pemulihan."
diff -pruN 2.06-2/debian/postinst.in 2.06-8/debian/postinst.in
--- 2.06-2/debian/postinst.in	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/postinst.in	2023-02-09 01:09:00.000000000 +0000
@@ -568,16 +568,21 @@ case "$1" in
             db_go
             db_get "$question"
             failed_devices=
+            echo "@PACKAGE@: Running grub-install ..."
             for i in $RET; do
               real_device="$(readlink -f "${i%,}")"
               if [ ! -e "$real_device" ]; then
                 echo "$real_device does not exist, so cannot grub-install to it!" >&2
                 failed_devices="$failed_devices $real_device"
-              elif grub-install --target=i386-pc --force --no-floppy $real_device ; then
-                # We just installed GRUB 2; then also generate grub.cfg.
-                touch /boot/grub/grub.cfg
               else
-                failed_devices="$failed_devices $real_device"
+                if grub-install --target=i386-pc --force --no-floppy $real_device ; then
+                  echo "  grub-install success for $real_device"
+                  # We just installed GRUB 2; then also generate grub.cfg.
+                  touch /boot/grub/grub.cfg
+                else
+                  echo "  grub-install failure for $real_device"
+                  failed_devices="$failed_devices $real_device"
+                fi
               fi
             done
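Review bot: `$real_device` is passed unquoted to grub-install in the re-indented `if` line, although the same variable is quoted in the `[ ! -e "$real_device" ]` test just above, so a resolved path containing whitespace or glob characters would be split into several arguments. Quote it: `if grub-install --target=i386-pc --force --no-floppy "$real_device" ; then`. The new failure message would also sit better on stderr, like the existing "does not exist" message: `echo "  grub-install failure for $real_device" >&2`. The enclosing `case` branch and `for` loop start before this hunk and continue after it.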
 
diff -pruN 2.06-2/debian/rules 2.06-8/debian/rules
--- 2.06-2/debian/rules	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/rules	2023-02-09 01:09:00.000000000 +0000
@@ -10,6 +10,8 @@ DEB_HOST_ARCH ?= $(shell dpkg-architectu
 DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
 DEB_HOST_ARCH_CPU ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null)
 
+export DEB_BUILD_MAINT_OPTIONS = optimize=-lto
+
 HOST_CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
 # -O3 (default on Ubuntu ppc64el) introduces various -Werror failures, and
 # isn't worth it here.
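Review bot: `export DEB_BUILD_MAINT_OPTIONS = optimize=-lto` is added with no comment saying why link-time optimisation is turned off, unlike the -O3 remark that follows it. A one-line reason above it, such as `# LTO is disabled because <reason>; revisit when <condition>`, would let a later maintainer judge when the override can be dropped. The same applies to the three `-X/usr/lib/grub-xen/...` exclusions added to `dh_strip` in the last hunk of this file, which leave those binaries unstripped without stating why.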
@@ -23,23 +25,19 @@ export HOST_LDFLAGS
 export TARGET_CPPFLAGS := -Wno-unused-but-set-variable
 export TARGET_LDFLAGS := -no-pie
 
-ifneq (,$(filter sparc sparc64,$(DEB_HOST_ARCH_CPU)))
-export TARGET_CCASFLAGS := -fno-PIE
-endif
-
 # Ensure that debhelper doesn't try to set these; we need to be careful
 # about HOST_* vs. TARGET_*.
 export CPPFLAGS :=
 export CFLAGS :=
 export LDFLAGS :=
 
-ifeq (,$(shell which qemu-system-i386 2>/dev/null))
+ifeq (,$(shell command -v qemu-system-i386))
 with_check := no
 else
 with_check := yes
 endif
 
-CC := gcc-10
+CC := gcc-12
 
 confflags = \
 	PACKAGE_VERSION="$(deb_version)" PACKAGE_STRING="GRUB $(deb_version)" \
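Review bot: The probe `$(shell command -v qemu-system-i386)` no longer contains any shell metacharacter, and `command` is a shell builtin rather than a program. Some GNU make releases execute such simple commands directly instead of through the shell, in which case the lookup fails and `with_check` silently becomes `no`, which presumably disables the test run. Keeping the redirection forces the shell path at no cost: `ifeq (,$(shell command -v qemu-system-i386 2>/dev/null))`.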
@@ -411,9 +409,6 @@ install/grub-pc install/grub-efi-ia32 in
 	cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img \
 		| sed -e "s%.*%$(package_bin): statically-linked-binary &%g" \
 	>> $(CURDIR)/debian/$(package_bin)/usr/share/lintian/overrides/$(package_bin)
-	cd debian/tmp-$(package) && find ./usr/lib/grub -name kernel.img \
-		| sed -e "s%.*%$(package_bin): statically-linked-binary &%g" \
-	>> $(CURDIR)/debian/$(package_bin)/usr/share/lintian/overrides/$(package_bin)
 	cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img \
 		| sed -e "s%.*%$(package_bin): unstripped-binary-or-object &%g" \
 	>> $(CURDIR)/debian/$(package_bin)/usr/share/lintian/overrides/$(package_bin)
@@ -549,7 +544,7 @@ override_dh_bugfiles:
 	dh_bugfiles $(patsubst %,-N%,$(filter grub-efi-%-signed-template,$(BUILD_PACKAGES))) -A
 
 override_dh_strip:
-	dh_strip -X/usr/bin/grub-emu
+	dh_strip -X/usr/bin/grub-emu -X/usr/lib/grub-xen/grub-x86_64-xen.bin -X/usr/lib/grub-xen/grub-i386-xen_pvh.bin -X/usr/lib/grub-xen/grub-i386-xen.bin
 
 override_dh_shlibdeps:
 	dh_shlibdeps -X.module
diff -pruN 2.06-2/debian/sbat.debian.csv.in 2.06-8/debian/sbat.debian.csv.in
--- 2.06-2/debian/sbat.debian.csv.in	2021-11-29 00:10:09.000000000 +0000
+++ 2.06-8/debian/sbat.debian.csv.in	2023-02-09 01:09:00.000000000 +0000
@@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,1,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
-grub.debian,1,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2
+grub,3,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
+grub.debian,4,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2
diff -pruN 2.06-2/debian/upstream/metadata 2.06-8/debian/upstream/metadata
--- 2.06-2/debian/upstream/metadata	1970-01-01 00:00:00.000000000 +0000
+++ 2.06-8/debian/upstream/metadata	2023-02-09 01:09:00.000000000 +0000
@@ -0,0 +1,4 @@
+---
+Bug-Submit: bug-grub@gnu.org
+Repository: https://git.savannah.gnu.org/git/grub.git
+Repository-Browse: https://git.savannah.gnu.org/cgit/grub.git
