On Thu, May 15, 2025 at 12:44:27PM +0530, Shreenidhi Shedi wrote:
> From: Shreenidhi Shedi
>
> Signed-off-by: Shreenidhi Shedi
Both patches are missing explanations why they are needed and/or what
kind of issues they are fixing. I do not mention cover letter...
Daniel
_
On Fri, May 09, 2025 at 09:47:05AM +0200, Christian Hesse wrote:
> Daniel Kiper on Thu, 2025/05/08 19:02:
> > [...] Now all the GRUB2 upstream patches are in
> > the GRUB2 git repository [2] too.
> >
> > [...]
> >
> > [2] https://git.savannah.gnu.org/gitweb/?p=grub.git
> > https://git.savannah
From: Maxim Suhanov
This commit adds the grub_cryptodisk_erasesecrets() function to wipe
master keys from all cryptodisks. This function is EFI-only.
Since there is no easy way to "force unmount" a given encrypted disk,
this function renders all mounted cryptodisks unusable. An attempt to
read t
From: Maxim Suhanov
This command examines a given diskfilter device, e.g., an LVM disk,
and checks if underlying disks, physical volumes, are cryptodisks,
e.g., LUKS disks, this layout is called "LVM-on-LUKS".
The return value is 0 when all underlying disks (of a given device)
are cryptodisks (1
From: Michael Chang
The option can be used to suppress output if we only want to test the
return value of the command.
Also, mention this option in the documentation.
Signed-off-by: Michael Chang
Signed-off-by: Maxim Suhanov
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 4 +++
From: Maxim Suhanov
When the --cryptodisk-only argument is given, also check the target
device using the "cryptocheck" command, if available.
This extends the checks to common layouts like LVM-on-LUKS, so the
--cryptodisk-only argument transparently handles such setups.
Signed-off-by: Maxim Suh
From: Maxim Suhanov
Switching to another EFI boot application while there are secrets in
RAM is dangerous, because not all firmware is wiping memory on free.
To reduce the attack surface, wipe the passphrase acquired when
unlocking an encrypted volume.
Signed-off-by: Maxim Suhanov
Reviewed-by:
From: Maxim Suhanov
Document the --cryptodisk-only argument. Also, document the
"cryptocheck" command invoked when that argument is processed.
Signed-off-by: Maxim Suhanov
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 24 +++-
1 file changed, 23 insertions(+), 1 deletion(
Hi all,
This patch set contains a bundle of fixes for various security flaws
discovered, as part of a pro-active hardening effort, in the GRUB2 code
recently. The most severe one, i.e. potentially exploitable, has CVE
assigned and is listed at the end of this email.
Details of exactly what needs
From: Maxim Suhanov
This allows users to restrict the "search" command's scope to
encrypted disks only.
Typically, this command is used to "rebase" $root and $prefix
before loading additional configuration files via "source" or
"configfile". Unfortunately, this leads to security problems,
like C
From: Maxim Suhanov
This further mitigates potential misuse of the CLI after the
root device has been successfully unlocked via TPM.
Fixes: CVE-2025-4382
Signed-off-by: Maxim Suhanov
Reviewed-by: Daniel Kiper
---
grub-core/kern/rescue_reader.c | 2 +-
1 file changed, 1 insertion(+), 1 deleti
From: Maxim Suhanov
This further mitigates potential misuse of the CLI after the
root device has been successfully unlocked via TPM.
Fixes: CVE-2025-4382
Signed-off-by: Maxim Suhanov
Reviewed-by: Daniel Kiper
---
grub-core/kern/rescue_reader.c | 2 +-
1 file changed, 1 insertion(+), 1 deleti
On Sat, Apr 12, 2025 at 03:53:11AM +, Alec Brown wrote:
> A Unified Kernel Image is a single UEFI PE file that combines a UEFI boot
> stub,
> a Linux kernel image, an initrd, and further resources. The uki command will
> locate where the uki file is and create a GRUB menu entry to load it.
Li
On Sat, Apr 12, 2025 at 03:53:10AM +, Alec Brown wrote:
> Irritatingly, BLS defines paths relatives to the mountpoint of the
> filesystem which contains its snippets, not / or any other fixed
> location. So grub2-emu needs to know whether /boot is a separate
> filesystem from / and conditionall
On Fri, Apr 18, 2025 at 07:54:01PM +0300, Vladimir 'phcoder' Serbinenko wrote:
> > +module = {
> > + name = blsuki;
> > + common = commands/blsuki.c;
> > + common = lib/vercmp.c;
>
> Probably this should be a part of the kernel.
>
> > + enable = powerpc_ieee1275;
>
Missing From:...
On Sat, Apr 12, 2025 at 03:53:09AM +, Alec Brown wrote:
> The BootLoaderSpec (BLS) defines a scheme where different bootloaders can
> share a format for boot items and a configuration directory that accepts
> these common configurations as drop-in files.
Please add links to t
On Thu, Apr 17, 2025 at 07:37:13AM -0400, Neal Gompa wrote:
> On Fri, Apr 11, 2025 at 11:55 PM Alec Brown via Grub-devel
> wrote:
> >
> > v3:
> > - Added --enable-fallback option to check the default directory if the
> > --path
> >option isn't able to find entries.
> > - Added the function
On Mon, Apr 07, 2025 at 04:29:25PM +0800, Gary Lin wrote:
> This commit updates the NV index mode section and the grub-protect
> section to reflect the recent changes in TPM2 key protector and
> grub-protect.
>
> Signed-off-by: Gary Lin
Reviewed-by: Daniel Kiper
Daniel
On Mon, Apr 07, 2025 at 04:29:24PM +0800, Gary Lin wrote:
> Two more NV index test cases are added to test key sealing and
> unsealing with the NV index handle 0x100.
>
> Signed-off-by: Gary Lin
> Reviewed-by: Stefan Berger
Reviewed-by: Daniel Kiper
Daniel
On Mon, Apr 07, 2025 at 04:29:27PM +0800, Gary Lin wrote:
> Add the long options of tpm2_key_protect_init along with the short
> options.
>
> Signed-off-by: Gary Lin
Reviewed-by: Daniel Kiper
Daniel
___
Grub-devel mailing list
Grub-devel@gnu.org
http
On Mon, Apr 07, 2025 at 09:26:00AM -0400, Stefan Berger wrote:
> On 4/7/25 4:29 AM, Gary Lin wrote:
> > Reset 'ret' to 0 when a test case fails so that the other test cases
> > could continue.
> >
> > Also set the exit status to 1 when encountering a failure to reflect the
> > test result.
> >
> >
On Mon, Apr 07, 2025 at 04:29:19PM +0800, Gary Lin wrote:
> Extract the logic to handle the file buffer from the SRK recover
> function to prepare to load the sealed key from the NV index handle,
> so the NV index mode can share the same code path in the later patch.
> The SRK recover function now
On Thu, Mar 27, 2025 at 05:56:30PM +, Lidong Chen wrote:
> These patches address memory leaks identified by Coverity.
>
> Lidong Chen (5):
> disk/ldm: Fix memory leaks
> lib/reloacator: Fix memory leaks
> loader/i386/linux: Fix resource leak
> fs/btrfs: Fix memory leaks
> loader/xnu:
On Thu, Mar 27, 2025 at 09:19:03PM +0300, Vladimir 'phcoder' Serbinenko wrote:
>
> + {
> + grub_errno = err;
> + goto fail;
> + }
> grub_errno is already set. No need to set it again
I proposed that assignment to make it explicit but I am not going to ins
On Fri, Mar 21, 2025 at 03:59:08PM +0800, Gary Lin wrote:
> The TPM2 key protector tests require two external packages: swtpm-tools
> and tpm2-tools. Add those two packages to the INSTALL file to inform
> the user to install those packages before starting the TPM2 key protector
> tests.
>
> Signed-
On Fri, Mar 21, 2025 at 03:59:04PM +0800, Gary Lin wrote:
> Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
> replaced with one 'grub-protect' command to simplify the test script.
>
> 'tpm2_evictcontrol' is also replaced with 'grub-protect --tpm2-evict'.
>
> Signed-off-by: Ga
On Fri, Mar 21, 2025 at 03:59:03PM +0800, Gary Lin wrote:
> This commit implements the missing NV index mode support in
> 'grub-protect'. NV index mode stores the sealed key in the TPM
> non-volatile memory (NVRAM) instead of a file. There are two supported
> types of TPM handles.
>
> 1. Persistent
On Fri, Mar 21, 2025 at 03:59:01PM +0800, Gary Lin wrote:
> Extract the logic to handle the file buffer from the SRK recover
> function to prepare to load the sealed key from the NV index handle,
> so the NV index mode can share the same code path in the later patch.
> The SRK recover function now
On Mon, Jan 13, 2025 at 11:07:08AM +0800, Gary Lin wrote:
> The following TPM 2.0 commands are introduced to tss2 to access the
> TPM non-volatile memory associated with the NV index handles.
>
> - TPM2_NV_DefineSpace
> - TPM2_NV_UndefineSpace
> - TPM2_NV_ReadPublic
> - TPM2_NV_Read
> - TPM2_NV_Wri
On Thu, Mar 13, 2025 at 07:45:50PM +0530, Avnish Chouhan wrote:
> Change RMA size from 512 MB to 768 MB which will result
> in more memory at boot time for PowerPC. When vTPM, Secure Boot or
> FADump are enabled on PowerPC, the 512 MB RMA memory is not sufficient for
> booting. With this 512 MB RMA
On Wed, Mar 12, 2025 at 10:06:15PM +0530, Avnish Chouhan wrote:
> Change RMA size from 512 MB to 768 MB which will result
> in more memory at boot time for PowerPC. When vTPM, Secure Boot or
> FADump are enabled on PowerPC, the 512 MB RMA memory is not sufficient for
> booting. With this 512 MB RMA
On Fri, Feb 28, 2025 at 03:55:22PM -0600, Andrew Hamilton wrote:
> Make some updates to the GRUB documentation around which file systems
> are allowed / disallowed in lockdown, as well as additional Commands
> now blocked in lockdown mode.
>
> Andrew Hamilton (2):
> docs: Document Restricted File
On Mon, Mar 03, 2025 at 08:55:45AM +0100, Christian Hesse wrote:
> Daniel Kiper on Fri, 2025/02/28 13:57:
> > On Thu, Feb 27, 2025 at 11:03:44AM +0100, Christian Hesse wrote:
> > > Daniel Kiper via Grub-devel on Mon, 2025/02/24
> > > 15:34:
> > > > > [..
Adding Daniel Axtens, Lidong and Nils...
On Thu, Feb 27, 2025 at 01:22:15PM -0500, Andrew Hamilton wrote:
> Hello,
>
> I’m looking for feedback on whether there would be project interest / support
> on me creating an initial fuzz test suite for some core GRUB functions and
> then
> integrating th
&& *at->attr_cur != 0xFF)
>
> but I don't understand half of what that code actually does,
> so I can't vouch for correctness (not sending it as a patch).
>
> Also filed here https://savannah.gnu.org/bugs/index.php?66855
>
> and here
> https://gitlab.archlinux
On Thu, Feb 27, 2025 at 11:03:44AM +0100, Christian Hesse wrote:
> Daniel Kiper via Grub-devel on Mon, 2025/02/24 15:34:
> > > [...]
> > > The current situation is just insane.
> >
> > I can understand your frustration but I am afraid we are not able to do
>
On Fri, Feb 21, 2025 at 11:06:54AM +0100, Christian Hesse wrote:
> Daniel Kiper via Grub-devel on Tue, 2025/02/18 19:00:
> > I am posting all the GRUB2 upstream patches which fix all security bugs
> > found and reported up until now. Major Linux distros carry or will carry
>
On Wed, Feb 19, 2025 at 09:43:59AM -0600, Andrew Hamilton wrote:
> It seems this may impact some users attempting to use secure boot, I think I
> understand the reasoning behind this but maybe we should have something on the
> roadmap or issue tracker for what it would take to get these file system
On Thu, Jan 16, 2025 at 06:45:29AM -0800, ross.philip...@oracle.com wrote:
> On 1/16/25 4:25 AM, Heinrich Schuchardt wrote:
> > %s/hueristic/heuristic/
> >
> > Signed-off-by: Heinrich Schuchardt
> > ---
> > grub-core/gdb_helper.py.in | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
Hi Didier,
On Tue, Feb 18, 2025 at 07:33:03PM +, Didier Spaier wrote:
> Hi Daniel and all,
>
> sorry for top posting but this is a question and a request, not a comment.
>
> maintaining a distribution alone I can't afford to carry as many patches as
> Debian, so: could please mention the commi
From: Alec Brown
The Coverity complains that we might overflow into a negative value when
setting linux_params.kernel_alignment to (1 << align). We can remedy
this by casting it to grub_uint32_t.
Fixes: CID 473876
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
grub-core/loader/i386/
From: Lidong Chen
Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
grub-core/net/dns.c | 4 ++--
grub-core/net/net.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --gi
From: Lidong Chen
The entry_len is initialized in grub_find_root_devices_from_mountinfo()
to 0 before the while loop iterates through /proc/self/mountinfo. If the
file is empty or contains only invalid entries entry_len remains
0 causing entry_len - 1 in the subsequent for loop initialization
to
From: B Horn
With the rest of module being blocked in lockdown mode it does not make
a lot of sense to leave memory reading enabled. This also goes in par
with disabling the dump command.
Reported-by: B Horn
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/commands/memrw.c | 21
From: B Horn
The grub_disk_read() may trigger other disk reads, e.g. via loopbacks.
This may lead to very deep recursion which can corrupt the heap. So, fix
the issue by limiting reads depth.
Reported-by: B Horn
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/kern/disk.c | 27 +
From: Lidong Chen
When using grub_malloc() or grub_zalloc(), these functions can fail if
we are out of memory. After allocating memory we should check if these
functions returned NULL and handle this error if they did.
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
grub-core/fs/zfs/
From: B Horn
It was possible for a grub_errno to not be set if mount of an ISO 9660
filesystem failed when set_rockridge() returned 0.
This isn't known to be exploitable as the other filesystems due to
filesystem helper checking the requested file type. Though fixing
as a precaution.
Reported-b
From: B Horn
It was possible to read OOB when an attribute had a size that exceeded
the allocated buffer. This resolves that by making sure all attributes
that get read are fully in the allocated space by implementing
a function to validate them.
Defining the offsets in include/grub/ntfs.h but t
From: B Horn
It was previously possible for grub_xfs_mount() to return NULL without
setting grub_errno if the XFS version was invalid. This resulted in it
being possible for grub_dl_unref() to be called twice allowing the XFS
module to be unloaded while there were still references to it.
Fixing
From: Michael Chang
The ctx->filename can point to either a string literal or a dynamically
allocated string. The ctx->filename_alloc field is used to indicate the
type of allocation.
An issue has been identified where ctx->filename is reassigned to
a string literal in susp_iterate_dir() but ctx
From: B Horn
This is to avoid a generic issue were some filesystems would not set
data and also not set a grub_errno. This meant it was possible for many
filesystems to grub_dl_unref() themselves multiple times resulting in
it being possible to unload the filesystems while there were still
refere
From: B Horn
The normal module does not entirely cleanup after itself in
its GRUB_MOD_FINI() leaving a few variables hooks in place.
It is not possible to unload normal module now but fix the
issues for completeness.
On the occasion replace 0s with NULLs for "pager" variable
hooks unregister.
F
From: Lidong Chen
The getblk() returns a value of type grub_int64_t which is assigned to
iagblk and inoblk, both of type grub_uint64_t, in grub_jfs_read_inode()
via grub_jfs_blkno(). This patch fixes the type mismatch in the
functions. Additionally, the getblk() will return 0 instead of -1 on
fai
From: Lidong Chen
Replace direct arithmetic operations with macros from include/grub/safemath.h
to prevent potential overflow issues when calculating the memory sizes.
Signed-off-by: Lidong Chen
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
grub-core/net/bootp.c |
From: Lidong Chen
The direct assignment of the unsigned long long value returned by
read_number() can potentially lead to an overflow on a 32-bit systems.
The fix replaces the direct assignments with calls to grub_cast()
which detects the overflows and safely assigns the values if no
overflow is
From: Lidong Chen
The size calculation of the translation buffer in
grub_gettext_getstr_from_position() may overflow
to 0 leading to heap OOB write. This patch fixes
the issue by using grub_add() and checking for
an overflow.
Fixes: CVE-2024-45777
Reported-by: Nils Langius
Signed-off-by: Lidon
From: B Horn
Reported-by: B Horn
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/commands/hexdump.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/commands/hexdump.c b/grub-core/commands/hexdump.c
index eaa12465b..d6f61d98a 100644
--- a/grub-
From: Alec Brown
When using grub_malloc(), the function can fail if we are out of memory.
After allocating memory we should check if this function returned NULL
and handle this error if it did.
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
grub-core/net/net.c | 5 +
1 file chang
From: Lidong Chen
The result is initialized to 0 in grub_script_arglist_to_argv().
If the for loop condition is not met both result.args and result.argc
remain 0 causing result.argc - 1 to underflow and/or result.args NULL
dereference. Fix the issues by adding relevant checks.
Fixes: CID 473880
From: Alec Brown
The operation kern_end - kern_start may underflow when we input it into
grub_relocator_alloc_chunk_addr() call. To avoid this we can use safe
math for this subtraction.
Fixes: CID 73845
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
grub-core/loader/i386/bsd.c | 14
From: Lidong Chen
When the format string, fmt0, includes a positional argument
grub_strtoul() or grub_strtoull() is called to extract the argument
position. However, the returned argument position isn't fully validated.
If the format is something like "%0$x" then these functions return
0 which le
From: Lidong Chen
The current code incorrectly assumes that both the input and the values
returned by grub_strtoul() are always valid which can lead to potential
errors. This fix ensures proper validation to prevent any unintended issues.
Fixes: CID 473843
Signed-off-by: Lidong Chen
Reviewed-b
From: Alec Brown
The Coverity indicates that the variable current_entry might overflow.
To prevent this use safe math when adding GRUB_MENU_PAGE_SIZE to current_entry.
On the occasion fix limiting condition which was broken.
Fixes: CID 473853
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kipe
From: B Horn
The dump enables a user to read memory which should not be possible
in lockdown mode.
Fixes: CVE-2025-1118
Reported-by: B Horn
Reported-by: Jonathan Bar Or
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/commands/minicmd.c | 4 ++--
1 file changed, 2 insertions(+
From: Lidong Chen
Replace direct arithmetic operations with macros from include/grub/safemath.h
to prevent potential overflow issues when calculating the memory sizes.
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
grub-core/fs/zfs/zfs.c | 50
From: Daniel Axtens
The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
This will also disable the AFS.
Fixes: CVE-2024-45778
Fixes: CVE-2024-45779
Reported-by: Nils Langius
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/fs/bfs.c | 11 ---
1
From: Alec Brown
The Coverity indicates that GRUB_EHCI_TOGGLE is an int that contains
a negative value and we are using it for the variable token which is
grub_uint32_t. To remedy this we can cast the definition to grub_uint32_t.
Fixes: CID 473851
Signed-off-by: Alec Brown
Reviewed-by: Daniel
From: B Horn
The part_iterate() is used by grub_partition_iterate() as a callback in
the partition iterate functions. However, part_iterate() may also call
the partition iterate functions which may lead to recursion. Fix potential
issue by limiting the recursion depth.
Signed-off-by: B Horn
Rev
From: Lidong Chen
The test_parse() evaluates test expression recursively. Due to lack of
recursion depth check a specially crafted expression may cause a stack
overflow. The recursion is only triggered by the parentheses usage and
it can be unlimited. However, sensible expressions are unlikely to
From: Lidong Chen
Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
overflow leading to subsequent OOB write or read. This patch fixes the
issue by replacing grub_zalloc() and explicit multiplication with
grub_calloc() which does the same thing in safe manner.
Fixes: CVE-2
From: Lidong Chen
Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
grub-core/fs/zfs/zfs.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/zfs/zfs
From: Lidong Chen
Update the overflow error messages to make them consistent
across the GRUB code.
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
grub-core/fs/ntfs.c | 2 +-
grub-core/fs/ntfscomp.c | 2 +-
grub-core/video/readers/png.c | 2 +-
3 files changed, 3 inse
From: Alec Brown
When using grub_zalloc(), if we are out of memory, this function can fail.
After allocating memory, we should check if grub_zalloc() returns NULL.
If so, we should handle this error.
Fixes: CID 473856
Signed-off-by: Alec Brown
Reviewed-by: Ross Philipson
Reviewed-by: Daniel K
From: Lidong Chen
Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.
The HFS+ and squash4 security vulnerabilities were reported by
Jonathan Bar Or .
Fixes: CVE-2025-0678
Fixes: CVE-2025-1125
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
From: Lidong Chen
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
grub-core/fs/zfs/zfs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index 6a964974f..376042631 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@
From: Daniel Axtens
The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,
hfsplus, iso9660, squash4, tar, xfs and zfs.
The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
reported by Jonathan Bar Or .
Fixes: CVE-2025-0677
Fixes: CVE-2025-0684
Fixes: CVE-2025-0
From: Lidong Chen
Replace direct arithmetic operations with macros from include/grub/safemath.h
to prevent potential overflow issues when calculating the memory sizes.
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
grub-core/fs/archelp.c | 9 -
grub-core/fs/btrfs.c
From: B Horn
If the hooks are not removed they can be called after the module has
been unloaded leading to an use-after-free.
Fixes: CVE-2025-0622
Reported-by: B Horn
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/commands/pgp.c | 2 ++
1 file changed, 2 insertions(+)
diff -
From: Alec Brown
Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
grub-core/disk/cryptodisk.c | 2 +-
grub-core/disk/lvm.c| 6 ++
2 files changed, 3 insertions(+), 5 deletions
From: Daniel Axtens
Otherwise a subsequent header could change the height and width
allowing future OOB writes.
Fixes: CVE-2024-45774
Reported-by: Nils Langius
Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
---
grub-core/video/readers/jpeg.c | 4
1 file changed, 4 insertions(+)
From: Jonathan Bar Or
The grub_getline() function currently has a signed integer variable "i"
that can be overflown when user supplies more than 2^31 characters.
It results in a memory corruption of the allocated line buffer as well
as supplying large negative values to grub_realloc().
Fixes: CV
From: B Horn
The grub_strrchr() may return NULL when the dirname do not contain "/".
This can happen on broken filesystems.
Reported-by: B Horn
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/commands/ls.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a
From: Alec Brown
In the dev_iterate() function a handle is opened but isn't closed when
grub_malloc() returns NULL. We should fix this by closing it on error.
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
grub-core/disk/ieee1275/ofdisk.c | 5 -
1 file changed, 4 insertions(+), 1
From: Alec Brown
Replace direct arithmetic operations with macros from include/grub/safemath.h
to prevent potential overflow issues when calculating the memory sizes.
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
grub-core/disk/cryptodisk.c | 36 ++--
grub-c
From: Alec Brown
When using grub_malloc(), grub_zalloc() or grub_calloc(), these functions can
fail if we are out of memory. After allocating memory we should check if these
functions returned NULL and handle this error if they did.
On the occasion make a NULL check in ATA code more obvious.
Si
From: B Horn
The gettext module does not entirely cleanup after itself in
its GRUB_MOD_FINI() leaving a few variables hooks in place.
It is not possible to unload gettext module because normal
module depends on it. Though fix the issues for completeness.
Fixes: CVE-2025-0622
Reported-by: B Horn
From: B Horn
The previous code would never actually call grub_update_mem_attrs()
as sh_info will always be zero for the sections that exist in memory.
Reported-by: B Horn
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/kern/dl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletio
From: B Horn
The grub_file_open() and grub_file_close() should be the only places
that allow a reference to a filesystem to stay open. So, add grub_dl_t
to grub_fs_t and set this in the GRUB_MOD_INIT() for each filesystem to
avoid issues when filesystems forget to do it themselves or do not track
From: B Horn
The grub_dl_relocate_symbols() iterates through the sections in
an ELF looking for relocation sections. According to the spec [1]
the SHF_INFO_LINK flag should be set if the sh_info field is meant
to be a section index.
[1] https://refspecs.linuxbase.org/elf/gabi4+/ch4.sheader.html
From: Lidong Chen
The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate
a grub_arg_list struct but it does not verify the allocation was successful.
In case of failed allocation the NULL state pointer can be accessed in
parse_option() through grub_arg_parse() which may lead to a se
From: B Horn
The net module is a dependency of normal. So, it shouldn't be possible
to unload the net. Though unregister variables hooks as a precaution.
It also gets in line with unregistering the other net module hooks.
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/net/net.c
From: B Horn
It was possible to overflow the value of mod->ref_count, a signed
integer, by repeatedly invoking insmod on an already loaded module.
This led to a use-after-free. As once ref_count was overflowed it became
possible to unload the module while there was still references to it.
This r
From: B Horn
The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
From: B Horn
If unbounded recursion is allowed it becomes possible to collide the
stack with the heap. As UEFI firmware often lacks guard pages this
becomes an exploitable issue as it is possible in some cases to do
a controlled overwrite of a section of this heap region with
arbitrary data.
Rep
From: B Horn
An overly long filename can be passed to tftp_open() which would cause
grub_normalize_filename() to write out of bounds.
Fixed by adding an extra argument to grub_normalize_filename() for the
space available, making it act closer to a strlcpy(). As several fixed
strings are strcpy()
From: B Horn
It was possible to delete a loopback while there were still references
to it. This led to an exploitable use-after-free.
Fixed by implementing a reference counting in the grub_loopback struct.
Reported-by: B Horn
Signed-off-by: B Horn
Reviewed-by: Daniel Kiper
---
grub-core/dis
From: B Horn
The grub_net_network_level_interface_unregister(), previously
implemented in a header, did not remove the variables hooks that
were registered in grub_net_network_level_interface_register().
Fix this by implementing the same logic used to register the
variables and move the function
From: B Horn
Right now to access the next attribute the code reads the length of the
current attribute and adds that to the current pointer. This is error
prone as bounds checking needs to be performed all over the place. So,
implement a helper and ensure its used across find_attr() and read_attr
From: Lidong Chen
The JFS fuzzing revealed an OOB read in grub_jfs_getent(). The crash
was caused by an invalid leaf nodes count, diro->dirpage->header.count,
which was larger than the maximum number of leaf nodes allowed in an
inode. This fix is to ensure that the leaf nodes count is validated i
From: B Horn
The end of the attribute buffer should be stored alongside the rest of
the attribute struct as right now it is not possible to implement bounds
checking when accessing attributes sequentially.
This is done via:
- updating init_attr() to set at->end and check is is not initially ou
1 - 100 of 172 matches
Mail list logo
