On Wed, Jul 29, 2020 at 5:52 PM wrote:
> From: Glenn Washburn
>
> Signed-off-by: Glenn Washburn
> ---
> configure.ac | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/configure.ac b/configure.ac
> index 7c10a4db7..c6b0ef499 100644
> --- a/configure.ac
> +++ b/configure.ac
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/luks2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index 0089d169c..44a73d2b8 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -230,6 +230,7 @@ luk
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/kern/fs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
index fb30da9f4..14c17df74 100644
--- a/grub-core/kern/fs.c
+++ b/grub-core/kern/fs.c
@@ -139,6 +139,7 @@ g
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/loopback.c | 56 +++
1 file changed, 56 insertions(+)
diff --git a/grub-core/disk/loopback.c b/grub-core/disk/loopback.c
index cdf9123fa..6a2be257b 100644
--- a/grub-core/disk/loopback.c
+
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/luks2.c | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index 44a73d2b8..48600db68 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/lu
From: Glenn Washburn
This is primarily useful to do something like "loopback newdev (dev)8+" to
create a device that skips the first 4K, which may contain a non-standard
RAID1 header that grub does not recognize. This would allow that initial
data to be accessed and potentially mounted by grub up
From: Glenn Washburn
By default, dm-crypt internally uses an IV that corresponds to 512-byte
sectors, even when a larger sector size is specified. What this means is
that when using a larger sector size, the IV is incremented every sector.
However, the amount the IV is incremented is the number o
From: Glenn Washburn
Create grub_uuidcasecmp to compare UUIDs in a case-insensitive manner and
that ignores '-' characters. This is backwards compatible with the old LUKS1
code that stored and compared against UUIDs without dashes. However, the new
LUKS2 code stores and compares UUIDs that contai
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
include/grub/cryptodisk.h | 6 ++
1 file changed, 6 insertions(+)
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index f9e42796e..8d3284aad 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/cryptodisk.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index f460ab838..bc38687e4 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
From: Glenn Washburn
The total_length field is named confusingly because length usually refers to
bytes, whereas in this case it's really the total number of sectors on the
device. Also counter-intuitively, grub_disk_get_size returns the total
number of device native sectors. We need to co
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/cryptodisk.c | 26 +-
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index fc53ab491..acf87b6c8 100644
--- a/grub-core/disk/cry
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/cryptodisk.c | 12
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 2791a4870..c21be7d52 100644
--- a/grub-core/disk/cryptodisk.c
+++ b
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/cryptodisk.c | 18 ++
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index c21be7d52..f6b6302e1 100644
--- a/grub-core/disk/cryptodisk.
From: Glenn Washburn
Hi All,
Here's a list of patches that mostly have to do with cryptodisk and luks2 fixes
or improvements. The odd balls out are the patches adding the ubuntu font path,
a fix and an improvement to blocklists, and adding a procfs entry for loopbacks.
I'm hoping that at least th
From: Glenn Washburn
This creates an alignment with grub_disk_t naming of the same
field and is more intuitive as to how it should be used.
Signed-off-by: Glenn Washburn
---
grub-core/disk/cryptodisk.c | 2 +-
grub-core/disk/geli.c | 2 +-
grub-core/disk/luks.c | 2 +-
gr
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 7c10a4db7..c6b0ef499 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1678,7 +1678,7 @@ fi
if test x"$starfield_excuse" =
From: Glenn Washburn
Here dev is a grub_cryptodisk_t and dev->offset is offset in sectors of size
native to the cryptodisk device. The sector is correctly transformed into
native grub sector size, but then added to dev->offset which is not
transformed. It would be nice if the type system would he
From: Glenn Washburn
Signed-off-by: Glenn Washburn
---
grub-core/disk/cryptodisk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 1897acc4b..d8f66e9ef 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-cor
Hi Dimitri!
On 7/29/20 11:20 PM, Dimitri John Ledkov wrote:
> Disclosures were done to a subset of binary distributions that have a
> trust path to shims signed with Microsoft UEFI CA 2011 db key. Arch
> Linux does not provide shim-signed with keys controlled by Arch Linux
> and it doesn't provide
On Wed, 29 Jul 2020 at 21:20, John Paul Adrian Glaubitz
wrote:
>
> On 7/29/20 10:12 PM, Christian Hesse wrote:
> > This does not apply on top of grub 2.04. Will downstream maintainers have to
> > do their cherry-picking on their own or will a maintenance branch on top of
> > grub-2.04 (or whatever)
On 7/29/20 10:12 PM, Christian Hesse wrote:
> This does not apply on top of grub 2.04. Will downstream maintainers have to
> do their cherry-picking on their own or will a maintenance branch on top of
> grub-2.04 (or whatever) be available?
> I would like to push updates to the Arch Linux repositori
Daniel Kiper on Wed, 2020/07/29 19:00:
> I am posting all the GRUB2 upstream patches which fix all security bugs
> found and reported up until now. Major Linux distros carry or will carry
> soon one form or another of these patches. Now all the GRUB2 upstream
> patches are in the GRUB2 git repos
On Fri, May 29, 2020 at 02:07:29PM +0200, Daniel Kiper wrote:
> On Wed, Apr 22, 2020 at 12:24:40PM +0200, Daniel Kiper wrote:
> > On Mon, Mar 16, 2020 at 05:41:29PM +0100, Daniel Kiper wrote:
> > > On Wed, Mar 11, 2020 at 11:47:35AM +0100, Daniel Kiper wrote:
> > > > On Tue, Mar 03, 2020 at 06:26:0
From: Alexey Makhalov
Current implementation of grub_relocator_alloc_chunk_align()
does not allow allocation of the top byte.
Assuming input args are:
max_addr = 0xf000;
size = 0x1000;
And this is valid. But following overflow protection will
unnecessarily move max_addr one byte down (t
From: Alexey Makhalov
Use arithmetic macros from safemath.h to accomplish it. In this commit,
I didn't want to be too paranoid to check every possible math equation
for overflow/underflow. Only obvious places (with non zero chance of
overflow/underflow) were refactored.
Signed-off-by: Alexey Mak
From: Alexey Makhalov
commit 92bfc33db984 ("efi: Free malloc regions on exit")
introduced memory freeing in grub_efi_fini(), which is
used not only by exit path but by halt/reboot one as well.
As a result of memory freeing, code and data regions used by
modules, such as halt, reboot, acpi (used by
From: Alexey Makhalov
grub_xnu_devprop_add_property() should not free utf8 and utf16 as they get
allocated and freed in the caller.
Minor improvement: do prop fields initialization after memory allocations.
Fixes: CID 292442, CID 292457, CID 292460, CID 292466
Signed-off-by: Alexey Makhalov
Rev
From: Peter Jones
Both node->size and node->namelen come from the supplied filesystem,
which may be user-supplied. We can't trust them for the math unless we
know they don't overflow. Making sure they go through grub_add() or
grub_calloc() first will give us that.
Signed-off-by: Peter Jones
Rev
From: Peter Jones
The grub_free() implementation in grub-core/kern/mm.c safely handles
NULL pointers, and code at many places depends on this. We don't know
that the same is true on all host OSes, so we need to handle the same
behavior in grub-emu's implementation.
Signed-off-by: Peter Jones
Re
Without any error propagated to the caller, make_file_path()
would then try to advance the invalid device path node with
GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL
pointer that would subsequently be dereferenced. Hence, propagate
errors from copy_file_path().
Signed-off-by: Ch
From: Peter Jones
Several places we take the length of a device path and subtract 4 from
it, without ever checking that it's >= 4. There are also cases where
this kind of malformation will result in unpredictable iteration,
including treating the length from one dp node as the type in the next
no
From: Alexey Makhalov
There is no need to reassemble the order of blocks. Per RFC 1350,
server must wait for the ACK, before sending next block. Data packets
can be served immediately without putting them to priority queue.
Logic to handle incoming packet is this:
- if packet block id equal t
Hi all,
We have recently been made aware of a problem with GRUB2 by security research
firm Eclypsium that allows a bad actor to circumvent UEFI Secure Boot. Normally,
when Secure Boot is enabled, only modules [1] that have a valid signature can
be loaded. The bug allows this to be circumvented and
From: Alexey Makhalov
This commit introduces integer underflow mitigation in max_addr calculation
in grub_relocator_alloc_chunk_align() invocation.
It consists of 2 fixes:
1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to
perform
sanity check for min/max and size
From: Peter Jones
It appears to be possible to make a (possibly invalid) lvm PV with
a metadata size field that overflows our type when adding it to the
address we've allocated. Even if it doesn't, it may be possible to do so
with the math using the outcome of that as an operand. Check them both.
From: Colin Watson
These could be triggered by a crafted filesystem with very large files.
Fixes: CVE-2020-15707
Signed-off-by: Colin Watson
Reviewed-by: Jan Setje-Eilers
Reviewed-by: Daniel Kiper
---
grub-core/loader/linux.c | 74 +++-
1 file cha
From: Konrad Rzeszutek Wilk
Fixes: CID 73796
Signed-off-by: Konrad Rzeszutek Wilk
Reviewed-by: Daniel Kiper
Reviewed-by: Jan Setje-Eilers
---
grub-core/fs/udf.c | 17 +
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
inde
From: Chris Coulson
Signed-off-by: Chris Coulson
Reviewed-by: Daniel Kiper
---
include/grub/script_sh.h | 5 -
1 file changed, 5 deletions(-)
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
index 360c2be1f..b382bcf09 100644
--- a/include/grub/script_sh.h
+++ b/include/gru
From: Konrad Rzeszutek Wilk
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
using the GetLenToPosState() macro which checks if len is less than 5,
and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
Obviously we don't want to dereference that far out so
From: Chris Coulson
Defining a new function with the same name as a previously defined
function causes the grub_script and associated resources for the
previous function to be freed. If the previous function is currently
executing when a function with the same name is defined, this results
in use
From: Chris Coulson
When grub_json_parse() succeeds, it returns the root object which
contains a pointer to the provided JSON string. Callers are
responsible for ensuring that this string outlives the root
object and for freeing its memory when it's no longer needed.
If grub_json_parse() fails t
From: Konrad Rzeszutek Wilk
Fixes: CID 292468
Signed-off-by: Konrad Rzeszutek Wilk
Reviewed-by: Daniel Kiper
---
grub-core/loader/multiboot_mbi2.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/loader/multiboot_mbi2.c
b/grub-core/loader/multiboot_mbi2.c
in
From: Peter Jones
Signed-off-by: Peter Jones
Reviewed-by: Daniel Kiper
---
grub-core/loader/linux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 471b214d6..4cd8c20c7 100644
--- a/grub-core/loader/linux.c
+++ b/g
From: Peter Jones
This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before
The GRUB font file can have one NAME section only. Though if somebody
crafts a broken font file with many NAME sections and loads it then
GRUB leaks memory. So, prevent that by loading the first NAME
section and failing in a controlled way on the following one.
Reported-by: Chris Coulson
Signed
From: Alexey Makhalov
self->bitmap should be zeroed after free. Otherwise, there is a chance
to double free (USE_AFTER_FREE) it later in rescale_image().
Fixes: CID 292472
Signed-off-by: Alexey Makhalov
Reviewed-by: Daniel Kiper
---
grub-core/gfxmenu/gui_image.c | 5 -
1 file changed, 4
From: Peter Jones
This modifies most of the places we do some form of:
X = malloc(Y * Z);
to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luk
From: Konrad Rzeszutek Wilk
This requires a very weird input from the serial interface but can cause
an overflow in input_buf (keys) overwriting the next variable (npending)
with the user choice:
(pahole output)
struct grub_terminfo_input_state {
int input_buf[6];
From: Peter Jones
Signed-off-by: Peter Jones
Reviewed-by: Daniel Kiper
---
grub-core/fs/iso9660.c | 24
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 7ba5b300b..5ec4433b8 100644
--- a/grub-core/fs/i
From: Peter Jones
This tries to make sure that everywhere in this source tree, we always have
an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
available, and that they all safely check for overflow and return NULL when
it would occur.
Signed-off-by: Peter Jones
Reviewed-
From: Peter Jones
When presented with a command that can't be tokenized to anything
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
expecting that will stop further processing, as such:
#define YY_DO_BEFORE_ACTION \
yyg->yytext_ptr = yy_bp; \
yyleng = (
From: Peter Jones
This adds a new header, include/grub/safemath.h, that includes easy to
use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
bool OP(a, b, res)
where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
case where the operation would overflow and res i
Add a number of debug logs to the tpm module. The condition tag
for opening debugging is `tpm`. On TPM machines, this will bring
great convenience to diagnosis and debugging.
Signed-off-by: Tianjia Zhang
---
grub-core/commands/efi/tpm.c | 21 +
1 file changed, 17 insertions(+
Although the tpm_execute() series of functions are defined, they
are not used anywhere, and several structures in the header file
`tpm.h` are also not used. Delete them here.
Signed-off-by: Tianjia Zhang
---
grub-core/commands/efi/tpm.c | 97
include/grub/tpm
Like tpm, the module is only enabled for x86_64, but there's nothing
specific to x86_64 in the implementation and can be enabled for all
EFI platforms.
Signed-off-by: Tianjia Zhang
---
grub-core/Makefile.core.def | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/Makef
56 matches