I used grub_printf 3 times, because for some reason (line wrapping I
guess) if you print "\b \b" at once the backspace key doesn't work on
the second last character in the terminal line. The visual cursor gets
stuck there and doesn't remove characters anymore, although you can
still type more.
Dear Glenn,
Am 01.03.21 um 20:36 schrieb Glenn Washburn:
This error message comes from the grub_print_error in
grub_pata_device_initialize, which does not pass on the error, and is
raised in check_device. The function check_device needs to return this as
an error because check_device is also us
Le 02/03/2021 à 19:02, Daniel Kiper a écrit :
From: Alex Burmashev
diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in
index 1b91c102f..80685b15f 100644
--- a/util/grub.d/30_os-prober.in
+++ b/util/grub.d/30_os-prober.in
@@ -26,7 +26,8 @@ export TEXTDOMAINDIR="@localedir@"
Hi Adrian,
On Tue, Mar 02, 2021 at 08:37:14PM +0100, John Paul Adrian Glaubitz wrote:
> Hi Daniel!
>
> On 3/2/21 7:00 PM, Daniel Kiper wrote:
> > The BootHole vulnerability [1][2] announced last year encouraged many
> > people to
> > take a closer look at the security of boot process in general a
On 3/2/21 1:37 PM, John Paul Adrian Glaubitz wrote:
Hi Daniel!
On 3/2/21 7:00 PM, Daniel Kiper wrote:
The BootHole vulnerability [1][2] announced last year encouraged many people to
take a closer look at the security of boot process in general and the GRUB
bootloader in particular. Due to that,
Hi Daniel!
On 3/2/21 7:00 PM, Daniel Kiper wrote:
> The BootHole vulnerability [1][2] announced last year encouraged many people
> to
> take a closer look at the security of boot process in general and the GRUB
> bootloader in particular. Due to that, during past few months we were getting
> repo
From: Peter Jones
This makes the PE32 and PE32+ header fields set-up easier to follow by
setting them closer to the initialization of their related sections.
Signed-off-by: Peter Jones
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
util/mkimage.c | 16
From: Thomas Frauendorfer | Miray Software
This patch is preparing for a follow up patch which will use
the format parsing part to compare the arguments in a printf()
format from an external source against a printf() format with
expected arguments.
Signed-off-by: Thomas Frauendorfer | Miray Soft
From: Peter Jones
Add a init_pe_section() helper function to setup PE sections. This makes
the code simpler and easier to read.
Signed-off-by: Peter Jones
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
util/mkimage.c | 141 +++---
From: Peter Jones
There's quite a bit of code duplication in the code that sets the optional
header for PE32 and PE32+. The two are very similar with the exception of
a few fields that have type grub_uint64_t instead of grub_uint32_t.
Factor out the common code and add a PE_OHDR() macro that sim
From: Peter Jones
This change does not impact final result of initialization itself.
However, it eases PE code unification in subsequent patches.
Signed-off-by: Peter Jones
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
util/mkimage.c | 8
1 file changed, 4 in
From: Chris Coulson
Introduce a common function epilogue used for cleaning up on all
return paths, which will simplify additional error handling to be
introduced in a subsequent commit.
Signed-off-by: Chris Coulson
Reviewed-by: Daniel Kiper
---
grub-core/kern/parser.c | 35 +++
From: Chris Coulson
Add a new variable sized heap buffer type (grub_buffer_t) with simple
operations for appending data, accessing the data and maintaining
a read cursor.
Signed-off-by: Chris Coulson
Reviewed-by: Daniel Kiper
---
grub-core/Makefile.core.def | 1 +
grub-core/kern/buffer.c
From: Daniel Axtens
NILFS2 reads the number of children a node has from the node. Unfortunately,
that's not trustworthy. Check if it's beyond what the filesystem permits and
reject it if so.
This blocks some OOB reads. I'm not sure how controllable the read is and what
could be done with invalid
From: Daniel Axtens
rlocn->offset is read directly from disk and added to the metadatabuf
pointer to create a pointer to a block of metadata. It's a 64-bit
quantity so as long as you don't overflow you can set subsequent
pointers to point anywhere in memory.
Require that rlocn->offset fits withi
From: Daniel Axtens
We just introduced an error return in grub_nilfs2_btree_node_lookup().
Make sure the callers catch it.
At the same time, make sure that grub_nilfs2_btree_node_lookup() always
inits the index pointer passed to it.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
From: Dimitri John Ledkov
Signed-off-by: Dimitri John Ledkov
Reviewed-by: Daniel Kiper
---
include/grub/util/install.h | 5 -
util/grub-install-common.c | 12 ++--
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/include/grub/util/install.h b/include/grub/util/inst
From: Daniel Axtens
If huft_build() fails, gzio->tl or gzio->td could contain pointers that
are no longer valid. Zero them out.
This prevents a double free when grub_gzio_close() comes through and
attempts to free them again.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-co
From: Alex Burmashev
The os-prober is enabled by default what may lead to potentially
dangerous use cases and borderline opening attack vectors. This
patch disables the os-prober, adds warning messages and updates
GRUB_DISABLE_OS_PROBER configuration option documentation. This
way we make it clea
From: Daniel Axtens
getblk() implicitly trusts that treehead->count is an accurate count of
the number of extents. However, that value is read from disk and is not
trustworthy, leading to OOB reads and crashes. I am not sure to what
extent the data read from OOB can influence subsequent program e
From: Dimitri John Ledkov
Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock
protocol is found and SB enabled) reintroduced CVE-2020-15705 which
previously only existed in the out-of-tree linuxefi patches and was
fixed as part of the BootHole patch series.
Under Secure Boot enfo
From: Daniel Axtens
This can be triggered with:
ls -l (0 0*)
and causes a NULL deref in grub_normal_print_device_info().
I'm not sure if there's any implication with the IEEE 1275 platform.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/commands/ls.c | 2 +-
1 file ch
From: Javier Martinez Canillas
The code is compiled out so there is no reason to keep it.
Additionally, don't set bss_size field since we do not add a BSS section.
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
util/mkimage.c | 17 -
1 file changed, 17
From: Daniel Axtens
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/script/execute.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index ce83edd4b..3ad468fce 100644
--- a/grub-core/script/execute
From: Peter Jones
The latter doesn't take into account the target image endianness. There is
a grub_cpu_to_le32_compile_time() but no compile time variant for function
grub_host_to_target32(). So, let's keep using the other one for this case.
Signed-off-by: Peter Jones
Signed-off-by: Javier Mar
From: Darren Kenny
It is possible for the ftell() function to return a negative value,
although it is fairly unlikely here, we should be checking for
a negative value before we assign it to an unsigned value.
Fixes: CID 73744
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
util/glu
From: Darren Kenny
The code here is finished with the memory stored in name, but it only
frees it if there curvalue is valid, while it could actually free it
regardless.
The fix is a simple relocation of the grub_free() to before the test
of curvalue.
Fixes: CID 96646
Signed-off-by: Darren Ken
From: Daniel Axtens
This prevents infinite recursion in the diskfilter verification code.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/disk/lvm.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
From: Daniel Axtens
HFS has issues such as infinite mutual recursion that are simply too
complex to fix for such a legacy format. So simply do not permit
it to be loaded under lockdown.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/fs/hfs.c | 7 +--
1 file changed,
From: Darren Kenny
It is minimal possibility that the values being used here will overflow.
So, change the code to use the safemath function grub_mul() to ensure
that doesn't happen.
Fixes: CID 73761
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
grub-core/video/fb/video_fb.c | 8
From: Darren Kenny
Every other return statement in this code is calling grub_device_close()
to clean up dev before returning. This one should do that too.
Fixes: CID 292443
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
grub-core/commands/probe.c | 6 +-
1 file changed, 5 inse
From: Daniel Axtens
This prevents a divide by zero if nstripes == nparities, and
also prevents propagation of invalid values if nstripes ends up
less than nparities.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/fs/btrfs.c | 3 +++
1 file changed, 3 insertions(+)
diff
From: Darren Kenny
The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
is no explicit check for that, so we add one.
Fixes: CID 73757
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
1 file changed, 3 insertions(+)
From: Daniel Axtens
There's an if block for the presence of "physical_volumes {", but if
that block is absent, then p remains NULL and a NULL-deref will result
when looking for logical volumes.
It doesn't seem like LVM makes sense without physical volumes, so error
out rather than crashing.
Sig
From: Darren Kenny
It is possible for the code to reach the end of the function without
freeing the memory allocated to argv and argc still to be 0.
We should always call grub_free(argv). The grub_free() will handle
a NULL argument correctly if it reaches that code without the memory
being alloc
From: Daniel Axtens
We unconditionally trusted offset_xl from the LVM label header, even if
it told us that the PV header/disk locations were way off past the end
of the data we read from disk.
Require that the offset be sane, fixing an OOB read and crash.
Fixes: CID 314367, CID 314371
Signed-
From: Paulo Flabiano Smorigo
There are several exit points in dnode_get_path() that are causing possible
memory leaks.
In the while(1) the correct exit mechanism should not be to do a direct return,
but to instead break out of the loop, setting err first if it is not already
set.
The reason be
From: Daniel Axtens
In huft_build(), "v" is a table of values in order of bit length.
The code later (when setting up table entries in "r") assumes that all
elements of this array corresponding to a code are initialized and less
than N_MAX. However, it doesn't enforce this.
With sufficiently man
From: Darren Kenny
The encrypt and decrypt functions expect a grub_size_t. So, we need to
ensure that the constant bit shift is using grub_size_t rather than
unsigned int when it is performing the shift.
Fixes: CID 307788
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
grub-core/di
From: Daniel Axtens
It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
the same data over and over again, leading to stack exhaustion.
Check if we'd be calling the function with exactly the same data as
was passed in, and if so abort.
I'm not sure what the performance impact of
From: Daniel Axtens
This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
However, it seems to be sufficient to patch up a bunch of NULL derefs.
It would be good to revisit this in future and see if we can have
a cleaner solution that addresses some of the causes of the unexpec
From: Thomas Frauendorfer | Miray Software
Set printf() argument type for "%s" to new type STRING. This is in
preparation for a follow up patch to compare a printf() format string
against an expected printf() format string.
For "%s" the corresponding printf() argument is dereferenced as pointer
From: Darren Kenny
The static code analysis tool, Parfait, reported that the valid of
file->data was left referencing memory that was freed by the call to
grub_free(data) where data was initialized from file->data.
To ensure that there is no unintentional access to this memory
referenced by file
From: Daniel Axtens
A fuzzed HFS+ filesystem had log2blocksize = 22. This gave
log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x8000,
which is -1 as an int. This caused some wacky behavior later on in
the function, leading to out-of-bounds writes on the destination buffer.
Catch log2b
From: Marco A Benatto
Fix compilation error due to missing parameter to
grub_printf() when MM_DEBUG is defined.
Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking
calloc() available)
Signed-off-by: Marco A Benatto
Reviewed-by: Daniel Kiper
---
grub-core/kern/mm.c | 2 +-
From: Darren Kenny
Free the memory allocated to name before returning on failure.
Fixes: CID 296222
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
grub-core/kern/efi/efi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index
From: Daniel Axtens
Our decoder only supports 2 quantization tables. If a file asks for
a quantization table with index > 1, reject it.
Similarly, our decoder only supports 4 Huffman tables. If a file asks
for a Huffman table with index > 3, reject it.
This fixes some out of bounds reads. It's
From: Thomas Frauendorfer | Miray Software
The grub_printf_fmt_check() function parses the arguments of an untrusted
printf() format and an expected printf() format and then compares the
arguments counts and arguments types. The arguments count in the untrusted
format string must be less or equal
From: Javier Martinez Canillas
The command is not present in the docs/grub.texi user documentation.
Reported-by: Daniel Kiper
Signed-off-by: Javier Martinez Canillas
Signed-off-by: Daniel Kiper
Reviewed-by: Javier Martinez Canillas
---
docs/grub.texi | 21 +
1 file chang
From: Daniel Axtens
"$#" represents the number of arguments to a function. It is only
defined in a function scope, where "scope" is non-NULL. Currently,
if we attempt to evaluate "$#" outside a function scope, "scope" will
be NULL and we will crash with a NULL pointer dereference.
Do not attempt
From: Thomas Frauendorfer | Miray Software
The gui_progress_bar and gui_label components can display the timeout
value. The format string can be set through a theme file. This patch
adds a validation step to the format string.
If a user loads a theme file into the GRUB without this patch then
a
From: Javier Martinez Canillas
The gdbstub* commands allow to start and control a GDB stub running on
local host that can be used to connect from a remote debugger. Restrict
this functionality when the GRUB is locked down.
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
From: Darren Kenny
The return value of ftell() may be negative (-1) on error. While it is
probably unlikely to occur, we should not blindly cast to an unsigned
value without first testing that it is not negative.
Fixes: CID 73856
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
util
From: Peter Jones
According to "Microsoft Portable Executable and Common Object File Format
Specification", the Optional Header SizeOfInitializedData field contains:
Size of the initialized data section, or the sum of all such sections if
there are multiple data sections.
Make this explicit
From: Javier Martinez Canillas
This command can set PCI devices register values, which makes it dangerous
in a locked down configuration. Restrict it so can't be used on this setup.
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
grub-core/commands/setpci.c | 8
Two grub_device_open() calls does not have associated NULL checks
for returned values. Fix that and appease the Coverity.
Fixes: CID 314583
Signed-off-by: Daniel Kiper
Reviewed-by: Javier Martinez Canillas
---
util/grub-install.c | 4
1 file changed, 4 insertions(+)
diff --git a/util/gru
From: Daniel Axtens
We could reach the end of valid metadata and not realize, leading to
some buffer overreads. Check if we have reached the end and bail.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/disk/lvm.c | 35 +--
1 file changed,
From: Javier Martinez Canillas
When the GRUB starts on a secure boot platform, some commands can be
used to subvert the protections provided by the verification mechanism and
could lead to booting untrusted system.
To prevent that situation, allow GRUB to be locked down. That way the code
may ch
From: Paulo Flabiano Smorigo
Fixes: CID 73654
Signed-off-by: Paulo Flabiano Smorigo
Reviewed-by: Daniel Kiper
---
grub-core/loader/xnu.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
index 1a590dbc0..1c0cf6a43 10064
From: Chris Coulson
process_char() and grub_parser_split_cmdline() use similar code for
terminating the most recent argument. Add a helper function for this.
Signed-off-by: Chris Coulson
Reviewed-by: Daniel Kiper
---
grub-core/kern/parser.c | 23 +--
1 file changed, 13 ins
From: Javier Martinez Canillas
It may be useful for scripts to determine whether the GRUB is locked
down or not. Add the lockdown variable which is set to "y" when the GRUB
is locked down.
Suggested-by: Dimitri John Ledkov
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
From: Darren Kenny
The code in the next block suggests that it is possible for .set to be
true but .arg may still be NULL.
This code assumes that it is never NULL, yet later is testing if it is
NULL - that is inconsistent.
So we should check first if .arg is not NULL, and remove this check that
From: Chris Coulson
grub_parser_split_cmdline() iterates over each command line character.
In order to add error checking and to simplify the subsequent error
handling, split the character processing in to a separate function.
Signed-off-by: Chris Coulson
Reviewed-by: Daniel Kiper
---
grub-co
From: Peter Jones
Add a --sbat option to the grub-mkimage tool which allows us to import
an SBAT metadata formatted as a CSV file into a .sbat section of the
EFI binary.
Signed-off-by: Peter Jones
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
docs/grub.texi
From: Marco A Benatto
Move the shim_lock verifier from its own module into the core image. The
Secure Boot lockdown mechanism has the intent to prevent the load of any
unsigned code or binary when Secure Boot is enabled.
The reason is that GRUB must be able to prevent executing untrusted code
if
From: Darren Kenny
The return value of grub_video_gop_fill_mode_info() is never able to be
anything other than GRUB_ERR_NONE. So, rather than continue to return
a value and checking it each time, it is more correct to redefine the
function to not return anything and remove checks of its return va
From: Chris Coulson
It works only on UEFI platforms but can be quite easily extended to
others architectures and platforms if needed.
Signed-off-by: Chris Coulson
Signed-off-by: Daniel Kiper
Reviewed-by: Marco A Benatto
Reviewed-by: Javier Martinez Canillas
---
acinclude.m4
From: Daniel Axtens
Clean up a bunch of cases where we could have strstr() fail and lead to
us dereferencing NULL.
We'll still leak memory in some cases (loops don't clean up allocations
from earlier iterations if a later iteration fails) but at least we're
not crashing.
Signed-off-by: Daniel A
From: Marco A Benatto
Move verifiers API from a module to the kernel image, so it can be
used there as well. There are no functional changes in this patch.
Signed-off-by: Marco A Benatto
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
grub-core/Makefile.am
From: Chris Coulson
grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1 kiB
stack buffer for temporary storage without sufficient bounds checking. If
the function is called with a command line that refere
From: Darren Kenny
The node structure reference is being allocated but not freed if it
reaches the end of the function. If any of the hooks had returned
a non-zero value, then node would have been copied in to the context
reference, but otherwise node is not stored and should be freed.
Similarly
From: Daniel Axtens
There's a read of the name of the root object that assumes that the name
is nul-terminated within the root block. This isn't guaranteed - it seems
SFS would require you to read multiple blocks to get a full name in general,
but maybe that doesn't apply to the root object.
Eit
From: Daniel Axtens
We need to check errors before calling into a function that uses the result.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/fs/btrfs.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrf
From: Darren Kenny
In all cases the problem is that the value being acted upon by
a left-shift is a 32-bit number which is then being used in the
context of a 64-bit number.
To avoid overflow we ensure that the number being shifted is 64-bit
before the shift is done.
Fixes: CID 73684, CID 73695
From: Daniel Axtens
The key line is:
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
jpeg_zigzag_order is grub_uint8_t[64].
I don't understand JPEG decoders quite well enough to explain what's
going on here. However, I observe sometimes pos=64, which leads to an
OOB read
From: Chris Coulson
The getline() function supplied to grub_parser_split_cmdline() returns
a newly allocated buffer and can be called multiple times, but the
returned buffer is never freed.
Signed-off-by: Chris Coulson
Reviewed-by: Daniel Kiper
---
grub-core/kern/parser.c | 20 +++
From: Darren Kenny
While arguably the check for grub_errno is correct, we should really be
checking the return value from the function since it is always possible
that grub_errno was set elsewhere, making this code behave incorrectly.
Fixes: CID 73668
Signed-off-by: Darren Kenny
Reviewed-by: D
From: Daniel Axtens
When a start of stream marker is encountered, we call grub_jpeg_decode_sos()
which allocates space for a bitmap.
When a restart marker is encountered, we call grub_jpeg_decode_data() which
then fills in that bitmap.
If we get a restart marker before the start of stream marke
From: Daniel Axtens
Fuzzing JFS revealed crashes where a negative number would be passed
to le_to_cpu16_copy(). There it would be cast to a large positive number
and the copy would read and write off the end of the respective buffers.
Catch this at the top as well as the bottom of the loop.
Sig
From: Darren Kenny
The problem here is that the memory allocated to the variable lv is not
yet inserted into the list that is being processed at the label fail2.
As we can already see at line 342, which correctly frees lv before going
to fail2, we should also be doing that at these earlier jumps
From: Daniel Axtens
The following crashes the parser:
for x in; do
0
done
This is because grub_script_arglist_to_argv() doesn't consider the
possibility that arglist is NULL. Catch that explicitly.
This avoids a NULL pointer dereference.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel
From: Daniel Axtens
This catches at least some OOB reads, and it's possible I suppose that
if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some
OOB writes too (although that hasn't showed up as a crash in fuzzing yet).
It's a bit ugly and I'd appreciate better suggestions.
From: Daniel Axtens
Catch the case where we have a font so big that it causes the number of
rows or columns to be 0. Currently we continue and allocate a
virtual_screen.text_buffer of size 0. We then try to use that for glpyhs
and things go badly.
On the emu platform, malloc() may give us a vali
From: Darren Kenny
This issue has been fixed in the latest version of gnulib, so to
maintain consistency, I've backported that change rather than doing
something different.
Fixes: CID 73828
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
bootstrap.conf
From: Daniel Axtens
NILFS2 has up to 7 keys, per the data structure. Do not permit array
indices in excess of that.
This catches some OOB reads. I don't know how controllable the invalidly
read data is or if that could be used later in the program.
Signed-off-by: Daniel Axtens
Reviewed-by: Dan
From: Darren Kenny
This is a really minor issue where a variable is being assigned to but
not checked before it is overwritten again.
The reason for this issue is that we are not building with DEBUG set and
this in turn means that the assert() that reads the value of the
variable match_last is b
From: Daniel Axtens
Fuzzing found the following crash:
search -hf
We didn't allocate enough option space for 13 hints because the
allocation code counts the number of discrete arguments (i.e. argc).
However, the shortopt parsing code will happily keep processing
a combination of s
From: Daniel Axtens
init_dynamic_block() didn't clean up gzio->tl and td in some error
paths. This left td pointing to part of tl. Then in grub_gzio_close(),
when tl was freed the storage for td would also be freed. The code then
attempts to free td explicitly, performing a UAF and then a double
From: Darren Kenny
The test of value for NULL before calling grub_strdup() is not required,
since the if condition prior to this has already tested for value being
NULL and cannot reach this code if it is.
Fixes: CID 73659
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
grub-core/g
From: Daniel Axtens
Valgrind identified the following use of uninitialized data:
==2782220== Conditional jump or move depends on uninitialised value(s)
==2782220==at 0x42B364: grub_hfsplus_btree_search (hfsplus.c:566)
==2782220==by 0x42B21D: grub_hfsplus_read_block (hfsplus.c:185)
From: Darren Kenny
While it may never happen, and potentially could be caught at the end of
the function, it is worth checking up front for a bad reference to the
next marker just in case of a maliciously crafted file being provided.
Fixes: CID 73694
Signed-off-by: Darren Kenny
Reviewed-by: Da
From: Daniel Axtens
Otherwise you get a wild pointer, leading to a bunch of invalid reads.
Check it falls inside the given node.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/fs/hfsplus.c | 4
1 file changed, 4 insertions(+)
diff --git a/grub-core/fs/hfsplus.c b/g
From: Darren Kenny
When returning from grub_mmap_iterate() the memory allocated to present
is not being released causing it to leak.
Fixes: CID 96655
Signed-off-by: Darren Kenny
Reviewed-by: Daniel Kiper
---
grub-core/mmap/mmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/grub-cor
From: Darren Kenny
The array of unsigned char gets promoted to a signed 32-bit int before
it is finally promoted to a size_t. There is the possibility that this
may result in the signed-bit being set for the intermediate signed
32-bit int. We should ensure that the promotion is to the correct typ
From: Daniel Axtens
Currently, if there is an error in grub_strtoull(), *end is not set.
This differs from the usual behavior of strtoull(), and also means that
some callers may use an uninitialized value for *end.
Set *end unconditionally.
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kipe
From: Darren Kenny
HFS+ documentation suggests that the maximum filename and volume name is
255 Unicode characters in length.
So, when converting from big-endian to little-endian, we should ensure
that the name of the volume has a length that is between 0 and 255,
inclusive.
Fixes: CID 73641
S
From: Daniel Axtens
Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
says that expressing a quoted single quote will require 3 characters. It
actually requires (and always did require!) 4 characters:
str: a'b => a'\''b
len: 3 => 6 (2 for the letters + 4 for the quote)
From: Marco A Benatto
Several error handling paths in make_vg() do not free comp data before
jumping to fail2 label and returning from the function. This will leak
memory. So, let's fix all issues of that kind.
Fixes: CID 73804
Signed-off-by: Marco A Benatto
Reviewed-by: Daniel Kiper
---
gru
From: Darren Kenny
There is the possibility that the value of str comes from an external
source and continuing to use it before ever checking its validity is
wrong. So, needs fixing.
Additionally, drop unneeded part initialization.
Fixes: CID 292444
Signed-off-by: Darren Kenny
Reviewed-by: Da
From: Javier Martinez Canillas
The shim_lock verifier validates the XNU kernels but no its extensions
and packages. Prevent these to be loaded when the GRUB is locked down.
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Daniel Kiper
---
grub-core/loader/xnu.c | 31 +-
1 - 100 of 124 matches
Mail list logo
