From patchwork Tue Mar 11 18:09:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58693 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E4E66C282EC for ; Tue, 11 Mar 2025 18:11:12 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web11.17447.1741716662957727677 for ; Tue, 11 Mar 2025 11:11:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=NI0T9wHe; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20250311181059424fe6a58490ef7ee3-gkjjn_@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20250311181059424fe6a58490ef7ee3 for ; Tue, 11 Mar 2025 19:11:00 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=nHxhH8JiKDpXJ592XF5wO1uYrwOrmfeSW4jXdSLKb9s=; b=NI0T9wHeGvyyWDxAM7St7vQpBysjRfWBIBSGWA6tJSd615VfWrBM6nAIpzcceyfIVwYrMB 5og3FaTMqCArNV2N53he9v2Imod7/IXodqLwyTuNxE/5f95H1Gph2mrdBsifHxUvhvL2Hdoq DsvIA4Pk2G4fv0bV5+RZKGEnW54L5y9OBj3G8O4C8AlVHRJu5+BFvHPyo3MNZWEHjgudTXgK 0roxOe7ZbwfJgDHmvO7rs7b3vCzb276if+30ieb7/vvMjXynq/XTMTN1OiYAHkBA7wNj/9fC BxFLkgpZCuQE1JCxjlwR/QAMbnWs1TIPA+s679914W/j5SD05tT3Xa9w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 01/17] grub: drop obsolete CVE statuses Date: Tue, 11 Mar 2025 19:09:44 +0100 Message-Id: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212578 From: Peter Marko CVE-2021-46705 was needed only with 2.06 CVE-2023-4692 and CVE-2023-4693 were fixed in NVD DB meanwhile Signed-off-by: Peter Marko --- meta/recipes-bsp/grub/grub2.inc | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 26bcb5197e..a327e7ebdf 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -23,11 +23,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL" -CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE" CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedora" CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora" -CVE_STATUS[CVE-2023-4692] = "cpe-incorrect: Fixed in version 2.12 already" -CVE_STATUS[CVE-2023-4693] = "cpe-incorrect: Fixed in version 2.12 already" DEPENDS = "flex-native bison-native gettext-native" From patchwork Tue Mar 11 18:09:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58691 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E625EC2BA1B for ; Tue, 11 Mar 2025 18:11:12 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.17208.1741716666394958817 for ; Tue, 11 Mar 2025 11:11:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=bOt9KDu/; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20250311181103bbfe16670c855c41d5-b5lb10@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250311181103bbfe16670c855c41d5 for ; Tue, 11 Mar 2025 19:11:03 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=ztuT4HZdBwD2tFiS5tbgiF935lFSHLCoxpS2ZT0kXwM=; b=bOt9KDu/AXsKomOpHYAmlZDGYgMss7NEzkFU/Sc9mv5lM68K3t2JJMuPoxa7C2Nh9h+1fe FJNlo/lpKvxWSn5TwWLeAAa7xhNB1tiWX9dCNaCtCJnXTLW6kmiYfFEiDHVClQSY2SPP65Ie v1gSa52eRpvwI30JHsQ+x2w2kM9umdW3//2SK2+OGoTVcz6U94zGpnRdkdEMupl/guCFa5xD jcqB6K6Y1sl7mufqZDpO7Uau14mCeb77tIkyVzP8YXMPFnMBcDhwMydglFGfxXLMj2wQd5dP qOhKoDrbnXLHcHJfNRQpQXHR+tUyLEnUKq0KtKa+qy1o0xI/gKYWLngw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 02/17] grub: backport strlcpy function Date: Tue, 11 Mar 2025 19:09:45 +0100 Message-Id: <20250311181000.8582-2-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212579 From: Peter Marko It is used to fix multiple CVEs. Signed-off-by: Peter Marko --- .../0001-misc-Implement-grub_strlcpy.patch | 68 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch diff --git a/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch new file mode 100644 index 0000000000..0ff6dff33a --- /dev/null +++ b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch @@ -0,0 +1,68 @@ +From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sat, 15 Jun 2024 02:33:08 +0100 +Subject: [PATCH 1/2] misc: Implement grub_strlcpy() + +grub_strlcpy() acts the same way as strlcpy() does on most *NIX, +returning the length of src and ensuring dest is always NUL +terminated except when size is 0. + +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f] +Signed-off-by: Peter Marko +--- + include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/include/grub/misc.h b/include/grub/misc.h +index 1578f36c3..14d8f37ac 100644 +--- a/include/grub/misc.h ++++ b/include/grub/misc.h +@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src) + return d - 1; + } + ++static inline grub_size_t ++grub_strlcpy (char *dest, const char *src, grub_size_t size) ++{ ++ char *d = dest; ++ grub_size_t res = 0; ++ /* ++ * We do not subtract one from size here to avoid dealing with underflowing ++ * the value, which is why to_copy is always checked to be greater than one ++ * throughout this function. ++ */ ++ grub_size_t to_copy = size; ++ ++ /* Copy size - 1 bytes to dest. */ ++ if (to_copy > 1) ++ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1) ++ ; ++ ++ /* ++ * NUL terminate if size != 0. The previous step may have copied a NUL byte ++ * if it reached the end of the string, but we know dest[size - 1] must always ++ * be a NUL byte. ++ */ ++ if (size != 0) ++ dest[size - 1] = '\0'; ++ ++ /* If there is still space in dest, but are here, we reached the end of src. */ ++ if (to_copy > 1) ++ return res; ++ ++ /* ++ * If we haven't reached the end of the string, iterate through to determine ++ * the strings total length. ++ */ ++ while (*src++ != '\0' && ++res) ++ ; ++ ++ return res; ++} ++ + /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */ + static inline void * + grub_memcpy (void *dest, const void *src, grub_size_t n) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index a327e7ebdf..a7d24dd68d 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://grub-module-explicitly-keeps-symbole-.module_license.patch \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ + file://0001-misc-Implement-grub_strlcpy.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58692 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7328C28B2F for ; Tue, 11 Mar 2025 18:11:12 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.17209.1741716669210506648 for ; Tue, 11 Mar 2025 11:11:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=hixUwxUo; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-256628-202503111811079c87d984d2a9414a6a-k1svkd@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 202503111811079c87d984d2a9414a6a for ; Tue, 11 Mar 2025 19:11:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=Yl893lRwhJiGL/jtSc/MNVugmVuSOz+4/Y1RaKhkFcg=; b=hixUwxUoEYCheZJ5BmyQXgPw+09oPClIasqFMOJqlp0tu4SjSgyH6Up/pzVHSz7Nu9CqV/ /DvAX/l/QV/LNOgQ6w1Q50xWelxOCswo7FaMvHeB4qlg15I3e+Y6KKfh9UqSGawJJIb7G8Yf JFN2n+pCacaCs/JA0EOOgRyT9Q/Ns6KEmpgPmr3RC27rU+5A1qAWENYqZ519I936frZjJrvg rCG8hbykGTyoXlzFWFeOt9Y4S/tlm6hql7p9MCJ350mM0YRCSIdIIi1WBOSalQ8dMS8gJgKi +9n0ylsc25ADltoht3U1wu3KY1TiCwR3n72KQ7PUC+Wdjm1PhBFW9U6Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 03/17] grup: patch CVE-2024-45781 Date: Tue, 11 Mar 2025 19:09:46 +0100 Message-Id: <20250311181000.8582-3-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212580 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45781.patch | 35 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45781.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch new file mode 100644 index 0000000000..bd0b6aa04a --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch @@ -0,0 +1,35 @@ +From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 02:03:33 +0100 +Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write + +grub_strcpy() was used to copy a symlink name from the filesystem +image to a heap allocated buffer. This led to a OOB write to adjacent +heap allocations. Fix by using grub_strlcpy(). + +Fixes: CVE-2024-45781 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45781 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba] +Signed-off-by: Peter Marko +--- + grub-core/fs/ufs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c +index a354c92d9..01235101b 100644 +--- a/grub-core/fs/ufs.c ++++ b/grub-core/fs/ufs.c +@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino) + /* Check against zero is paylindromic, no need to swap. */ + if (data->inode.nblocks == 0 + && INODE_SIZE (data) <= sizeof (data->inode.symlink)) +- grub_strcpy (symlink, (char *) data->inode.symlink); ++ grub_strlcpy (symlink, (char *) data->inode.symlink, sz); + else + { + if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index a7d24dd68d..f166a2e052 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ file://0001-misc-Implement-grub_strlcpy.patch \ + file://CVE-2024-45781.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58696 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD5E3C282EC for ; Tue, 11 Mar 2025 18:11:22 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.17454.1741716673560318351 for ; Tue, 11 Mar 2025 11:11:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=ILjIPSZa; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-202503111811110068d08848c04051bf-8_5uin@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202503111811110068d08848c04051bf for ; Tue, 11 Mar 2025 19:11:11 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=MKiCm0RegTmH/OSEpIE+W5L8mB9hUO9TA+/EldTvipo=; b=ILjIPSZaIkrq/PzA1nytDCddrepH4PpRXzA+F1YxRwCjeIFxOubw+YrmOroJC3kHeShKhH hI4K50Cu8YOLe32uf3yIcS28lYRz+wBTMwmGtnG0Pc+Jb9Ztnrw15rS+w7i+goLn6hZ9uas5 BYoAahXjeU6AWKq9Ppsdp/iZx7ngB1wpgxpSUhb032fUcJxwSEHD92Tl4s/oqT9neHGG32nX xMkNn3Z6hJxDz+A9ysLFwVDOx306nhUG078RQoHn1u6gcm68C225iPJKWtyb/GL/SaoM0DES 1oUNxm/x2e9Xx4C3ZFNa9zXFrWBangAXCpYLC6psMeun21EbL4FWW9zw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 04/17] grub: patch CVE-2024-45782 and CVE-2024-56737 Date: Tue, 11 Mar 2025 19:09:47 +0100 Message-Id: <20250311181000.8582-4-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212581 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2024-45782_CVE-2024-56737.patch | 36 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch new file mode 100644 index 0000000000..41cc025b81 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch @@ -0,0 +1,36 @@ +From 417547c10410b714e43f08f74137c24015f8f4c3 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 02:48:33 +0100 +Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy() + +Replaced with grub_strlcpy(). + +Fixes: CVE-2024-45782 +Fixes: CVE-2024-56737 +Fixes: https://savannah.gnu.org/bugs/?66599 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45782 +CVE: CVE-2024-56737 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3] +Signed-off-by: Peter Marko +--- + grub-core/fs/hfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c +index 91dc0e69c..920112b03 100644 +--- a/grub-core/fs/hfs.c ++++ b/grub-core/fs/hfs.c +@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk) + volume name. */ + key.parent_dir = grub_cpu_to_be32_compile_time (1); + key.strlen = data->sblock.volname[0]; +- grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1)); ++ grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str)); + + if (grub_hfs_find_node (data, (char *) &key, data->cat_root, + 0, (char *) &dir, sizeof (dir)) == 0) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index f166a2e052..0e08485b40 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ file://0001-misc-Implement-grub_strlcpy.patch \ file://CVE-2024-45781.patch \ + file://CVE-2024-45782_CVE-2024-56737.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58694 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD61BC28B2F for ; Tue, 11 Mar 2025 18:11:22 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.17454.1741716673560318351 for ; Tue, 11 Mar 2025 11:11:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=NTv1biZQ; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-202503111811149d4f4c661d95b65bde-g8s1_m@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202503111811149d4f4c661d95b65bde for ; Tue, 11 Mar 2025 19:11:14 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=RMmJtZBvn1QO9SrElM9VU2qe2PrSAAF9V4DkzwicMmg=; b=NTv1biZQ1A0Y4WrB50NLAh6xZktHDJzBdR62NlssVBxhNP5aRl9jrZ2GzmHPasGIu/yFsV HdOkw6+sNg5SoJXGzQGfNjgw3iukGZFdjRLjalexpB4upboaZiINyOvvMsovXirfhsaTzK4a 84gV7WA+erQni8Ty6B/OF8uGyjdslZ3tzkiMep9qWJxFbOgZevYMbpQeBQbNjc4hZdu/TPMx gXXXMjzCemYqniMqSS7CRTtGVx9gStfOW7cPiBaWXkYqHiy1M8+9bC3pyaYyYGnL93LSdNc3 7giYnzjJ8+ZQ0r61bVse2wTqkp5RJ7fUhpMOOnLMBMjAbC1BRVxOJMlQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 05/17] grub: patch CVE-2024-45780 Date: Tue, 11 Mar 2025 19:09:48 +0100 Message-Id: <20250311181000.8582-5-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212582 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45780.patch | 93 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45780.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch new file mode 100644 index 0000000000..1de0099f94 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch @@ -0,0 +1,93 @@ +From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:58 +0000 +Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write + +Both namesize and linksize are derived from hd.size, a 12-digit octal +number parsed by read_number(). Later direct arithmetic calculation like +"namesize + 1" and "linksize + 1" may exceed the maximum value of +grub_size_t leading to heap OOB write. This patch fixes the issue by +using grub_add() and checking for an overflow. + +Fixes: CVE-2024-45780 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45780 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3] +Signed-off-by: Peter Marko +--- + grub-core/fs/tar.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c +index 646bce5eb..386c09022 100644 +--- a/grub-core/fs/tar.c ++++ b/grub-core/fs/tar.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + struct head hd; + int reread = 0, have_longname = 0, have_longlink = 0; ++ grub_size_t sz; + + data->hofs = data->next_hofs; + +@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + grub_err_t err; + grub_size_t namesize = read_number (hd.size, sizeof (hd.size)); +- *name = grub_malloc (namesize + 1); ++ ++ if (grub_add (namesize, 1, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow")); ++ ++ *name = grub_malloc (sz); + if (*name == NULL) + return grub_errno; + err = grub_disk_read (data->disk, 0, +@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + grub_err_t err; + grub_size_t linksize = read_number (hd.size, sizeof (hd.size)); +- if (data->linkname_alloc < linksize + 1) ++ ++ if (grub_add (linksize, 1, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow")); ++ ++ if (data->linkname_alloc < sz) + { + char *n; +- n = grub_calloc (2, linksize + 1); ++ n = grub_calloc (2, sz); + if (!n) + return grub_errno; + grub_free (data->linkname); + data->linkname = n; +- data->linkname_alloc = 2 * (linksize + 1); ++ data->linkname_alloc = 2 * (sz); + } + + err = grub_disk_read (data->disk, 0, +@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + while (extra_size < sizeof (hd.prefix) + && hd.prefix[extra_size]) + extra_size++; +- *name = grub_malloc (sizeof (hd.name) + extra_size + 2); ++ ++ if (grub_add (sizeof (hd.name) + 2, extra_size, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow")); ++ *name = grub_malloc (sz); + if (*name == NULL) + return grub_errno; + if (hd.prefix[0]) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 0e08485b40..84b28c7b9f 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-misc-Implement-grub_strlcpy.patch \ file://CVE-2024-45781.patch \ file://CVE-2024-45782_CVE-2024-56737.patch \ + file://CVE-2024-45780.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58695 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D202AC35FF1 for ; Tue, 11 Mar 2025 18:11:22 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.17217.1741716680801195483 for ; Tue, 11 Mar 2025 11:11:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=iU00aM8A; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250311181118698b96c9e37754b63f-xovtxc@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250311181118698b96c9e37754b63f for ; Tue, 11 Mar 2025 19:11:18 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=Iea/Gs5fXIDqPfmD6l6QfdXNszdt70+AxvFs0yUuWJw=; b=iU00aM8A7DvjInwuVWQ8JfmU5Nn2dfCKqfk7QErS8nEx0o1Gs8c/cw5qIwnpEVr1I528le uNJ8HvP/mdrUPisTycXyat1tqBJ3RrtrSX0qzVP2XLSt9G9VY32l71tEcpjGZqCgcLo21vBW RAQIY7fCSZpFRAGKrbzgR5g1VdFMdz5pwL4dl7MOmlfMFFeFzIsZNRTKqkQQCje+Mx+peNIX I7Q1gGBI/cJvQ7u0fI179sEHCm+Xy1U/Rk5B8Qo3p4V1mwTgNZCA0ujoKPim/MpquNBLxsJr r7C615DAB3xX6qw5+47fm1678YE+NCeWtGjLCqQQ+OR4sT6ThfKQ6e5w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 06/17] grub: patch CVE-2024-45783 Date: Tue, 11 Mar 2025 19:09:49 +0100 Message-Id: <20250311181000.8582-6-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212583 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45783.patch | 39 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45783.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45783.patch b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch new file mode 100644 index 0000000000..99c769961b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch @@ -0,0 +1,39 @@ +From f7c070a2e28dfab7137db0739fb8db1dc02d8898 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 06:22:51 +0100 +Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails + +It was possible for mount to fail but not set grub_errno. This led to +a possible double decrement of the module reference count if the NULL +page was mapped. + +Fixing in general as a similar bug was fixed in commit 61b13c187 +(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there +are likely more variants around. + +Fixes: CVE-2024-45783 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45783 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898] +Signed-off-by: Peter Marko +--- + grub-core/fs/hfsplus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index 295822f69..de71fd486 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -405,7 +405,7 @@ grub_hfsplus_mount (grub_disk_t disk) + + fail: + +- if (grub_errno == GRUB_ERR_OUT_OF_RANGE) ++ if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE) + grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem"); + + grub_free (data); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 84b28c7b9f..8b638c58c0 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45781.patch \ file://CVE-2024-45782_CVE-2024-56737.patch \ file://CVE-2024-45780.patch \ + file://CVE-2024-45783.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58699 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB7E3C35FF1 for ; Tue, 11 Mar 2025 18:11:32 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.17463.1741716684172822066 for ; Tue, 11 Mar 2025 11:11:24 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=jbiEPQgr; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20250311181122e214309ab50235b54e-erahit@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20250311181122e214309ab50235b54e for ; Tue, 11 Mar 2025 19:11:22 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=uIy+/9ieWsdHG7Of/pY9ildLlFKqVN99rkiMs2tyNAo=; b=jbiEPQgraQ9XBz4rEA4wid33Sd6gJMyj+xUDbV2iGz37T0zL44dlE35RR9sUuK/y4Wzacx RdhQ2J3YljqpgvEVXrsvJXMgQNssp2wQreJ0ElxL/RRjcsaINATA87/x4fYNyk8Tuyp+Xtb/ krq6GIoSmYi/4wEvphyXRSbBQ5PZnOdb/99zzCgHoLCgje6l2x1LEP7POjNE65GatLlcGpEx CzBM7BXXnZdQC1dXUvIIRBPPELTjNazjE5Z9wUP2jim1UjbpjTuQgp/8F4XW1YE5v/xbjJZA MLP0A5wsEuSNSz3rmmWw6NbaV2punxXSh+CsSh0kvOtk9QhIPYJ3Yi+Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 07/17] grub: patch CVE-2025-0624 Date: Tue, 11 Mar 2025 19:09:50 +0100 Message-Id: <20250311181000.8582-7-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212584 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0624.patch | 84 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 85 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0624.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0624.patch b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch new file mode 100644 index 0000000000..229fe6399e --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch @@ -0,0 +1,84 @@ +From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 15 Nov 2024 13:12:09 +0000 +Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file() + +The function included a call to grub_strcpy() which copied data from an +environment variable to a buffer allocated in grub_cmd_normal(). The +grub_cmd_normal() didn't consider the length of the environment variable. +So, the copy operation could exceed the allocation and lead to an OOB +write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and +pass the underlying buffers size to the grub_net_search_config_file(). + +Fixes: CVE-2025-0624 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0624 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1] +Signed-off-by: Peter Marko +--- + grub-core/net/net.c | 7 ++++--- + grub-core/normal/main.c | 2 +- + include/grub/net.h | 2 +- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/grub-core/net/net.c b/grub-core/net/net.c +index 0e41e21a5..9939ff601 100644 +--- a/grub-core/net/net.c ++++ b/grub-core/net/net.c +@@ -1909,14 +1909,15 @@ grub_config_search_through (char *config, char *suffix, + } + + grub_err_t +-grub_net_search_config_file (char *config) ++grub_net_search_config_file (char *config, grub_size_t config_buf_len) + { +- grub_size_t config_len; ++ grub_size_t config_len, suffix_len; + char *suffix; + + config_len = grub_strlen (config); + config[config_len] = '-'; + suffix = config + config_len + 1; ++ suffix_len = config_buf_len - (config_len + 1); + + struct grub_net_network_level_interface *inf; + FOR_NET_NETWORK_LEVEL_INTERFACES (inf) +@@ -1942,7 +1943,7 @@ grub_net_search_config_file (char *config) + + if (client_uuid) + { +- grub_strcpy (suffix, client_uuid); ++ grub_strlcpy (suffix, client_uuid, suffix_len); + if (grub_config_search_through (config, suffix, 1, 0) == 0) + return GRUB_ERR_NONE; + } +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index 90879dc21..838f57fa5 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), + + if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 && + !disable_net_search) +- grub_net_search_config_file (config); ++ grub_net_search_config_file (config, config_len); + + grub_enter_normal_mode (config); + grub_free (config); +diff --git a/include/grub/net.h b/include/grub/net.h +index 228d04963..58a4f83fc 100644 +--- a/include/grub/net.h ++++ b/include/grub/net.h +@@ -579,7 +579,7 @@ void + grub_net_remove_dns_server (const struct grub_net_network_level_address *s); + + grub_err_t +-grub_net_search_config_file (char *config); ++grub_net_search_config_file (char *config, grub_size_t config_buf_len); + + extern char *grub_net_default_server; + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 8b638c58c0..d4f588660a 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -23,6 +23,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45782_CVE-2024-56737.patch \ file://CVE-2024-45780.patch \ file://CVE-2024-45783.patch \ + file://CVE-2025-0624.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58697 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C5B5BC28B2F for ; Tue, 11 Mar 2025 18:11:32 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.17463.1741716684172822066 for ; Tue, 11 Mar 2025 11:11:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=hCRpPL2V; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-2025031118112593e93ad3a22148ed13-d_wkql@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2025031118112593e93ad3a22148ed13 for ; Tue, 11 Mar 2025 19:11:25 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=YFKPZ2kLmAr6gAS9UvnIo1084ak6y4JPRPiruFeNZCI=; b=hCRpPL2Vavd1O6eZR/cQs7CtxYlvwNjmZKe9bVJKIIaZZFqkVPJo87rxKpvfB/m4RV8uSl 9rrCIb+Uqq1nQjsUeaIvU7k0xX0b31iReIw0msPnnl5FV/xWAWm888e3f3eZxOjRRygg8LFf pI0ARAp/SOpW7TfPj0CiS7fE6Qf7idUjnFohdSKUbL9Fyc8pjB7MdGal/y3FmJetjHvpUI4C lDmC24g0/V5DZtgjk6zhFTwvcxO1GDbwPTfiXqRKWZqZkt8YaDpMVZyuYkD7IlwdsNCYL1A/ iPfOIhUP6t1R81WQzBeFX4mQC+BOD15bdH9y+ifPiW4ne1Xiz23Qdfaw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 08/17] grub: patch CVE-2024-45774 Date: Tue, 11 Mar 2025 19:09:51 +0100 Message-Id: <20250311181000.8582-8-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212585 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45774.patch | 37 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45774.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45774.patch b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch new file mode 100644 index 0000000000..55aecc17d7 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch @@ -0,0 +1,37 @@ +From 2c34af908ebf4856051ed29e46d88abd2b20387f Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 8 Mar 2024 22:47:20 +1100 +Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in + JPEG + +Otherwise a subsequent header could change the height and width +allowing future OOB writes. + +Fixes: CVE-2024-45774 + +Reported-by: Nils Langius +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45774 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f] +Signed-off-by: Peter Marko +--- + grub-core/video/readers/jpeg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index ae634fd41..631a89356 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) + if (grub_errno != GRUB_ERR_NONE) + return grub_errno; + ++ if (data->image_height != 0 || data->image_width != 0) ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "jpeg: cannot have duplicate SOF0 markers"); ++ + if (grub_jpeg_get_byte (data) != 8) + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "jpeg: only 8-bit precision is supported"); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index d4f588660a..ee841b3de6 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45780.patch \ file://CVE-2024-45783.patch \ file://CVE-2025-0624.patch \ + file://CVE-2024-45774.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58698 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CBD56C35FF2 for ; Tue, 11 Mar 2025 18:11:32 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.17470.1741716690569201244 for ; Tue, 11 Mar 2025 11:11:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=mCIMFiFR; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-2025031118112827d3e734a0c4c8ca0e-irtqcf@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 2025031118112827d3e734a0c4c8ca0e for ; Tue, 11 Mar 2025 19:11:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=vT+hY7UrjJGGN70V+rZ2pjELQaUTgT8GPswm28JEIsE=; b=mCIMFiFRvwW0V1lZDd2JFMviSIrvhJ26X9LWMLj6cTKuj9vls0feB+9v1RpxoGJJOi0olF yND1Yt7ID3BpDZrvXlDjvc2reH9FQq95KkN6rxfSOKtwP0xlK3y6I0qMaS/KtACx/s4x+/BJ tk43jRG2I8nxgjsS9niGGaKgNFBSZI1K1cbopsRJbuQPm04OO2t0JGJXIGIUq7fYEpIYSGJ7 VqH0Kxz/D0Ixa7XkDC8XUqIEX6mn0b70Y8Fg6kCpJ3Ei14wW5pP00VBIUCbJoxy4fEtTVPaq 38QlDVXgiwqBHZofBXr5YqZnyZdOq2kjKbh7ckQ42l7k71t+UbnDjmcg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 09/17] grub: patch CVE-2024-45775 Date: Tue, 11 Mar 2025 19:09:52 +0100 Message-Id: <20250311181000.8582-9-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212586 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45775.patch | 38 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45775.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45775.patch b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch new file mode 100644 index 0000000000..70492b8c2e --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch @@ -0,0 +1,38 @@ +From 05be856a8c3aae41f5df90cab7796ab7ee34b872 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:55 +0000 +Subject: [PATCH] commands/extcmd: Missing check for failed allocation + +The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate +a grub_arg_list struct but it does not verify the allocation was successful. +In case of failed allocation the NULL state pointer can be accessed in +parse_option() through grub_arg_parse() which may lead to a security issue. + +Fixes: CVE-2024-45775 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45775 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872] +Signed-off-by: Peter Marko +--- + grub-core/commands/extcmd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c +index 90a5ca24a..c236be13a 100644 +--- a/grub-core/commands/extcmd.c ++++ b/grub-core/commands/extcmd.c +@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args, + } + + state = grub_arg_list_alloc (ext, argc, args); ++ if (state == NULL) ++ return grub_errno; ++ + if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc)) + { + context.state = state; diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index ee841b3de6..0ad5ba7fc0 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45783.patch \ file://CVE-2025-0624.patch \ file://CVE-2024-45774.patch \ + file://CVE-2024-45775.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58701 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB116C2BA1B for ; Tue, 11 Mar 2025 18:11:42 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web11.17472.1741716693797291842 for ; Tue, 11 Mar 2025 11:11:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=L90C4bEP; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-202503111811327b4c40eb5ed397fba8-l_um69@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 202503111811327b4c40eb5ed397fba8 for ; Tue, 11 Mar 2025 19:11:32 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=IIwZADLrvLlIQGASsVOk7mCGu5xfQ6O9RUmUsOJT6kk=; b=L90C4bEPp6WAW50rnGm9oU4fbrWtH/BxPsGFX0ZftGV8Oy1SjJJX6bxw7UW7DrtREWfTUD zLeABL+HK+//HqdYn5Ku+gcQ0xHp+8SSrHAsp6pU7iDez+pYc0Cu/izkLDou3WXUw4LqnowR /p99BG10BV3+HtKf+QEKd6pSkZNuUWVbUWpNmVPECJoB8zuRVJ+OWq+gtLf4zKDQB3wcjhQw 6QoS+07LK9IqPIqLjWD1NCA3rlZwnY2DpX9uOMljPt8UdWYegHpDrhFZ8QiGxjfDzHUQUi1n Ezqw4pZjTATT+WwSqrYiGcHAWNpVEKqPMr7lK2B2DHZs9AnBooAVhv3Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 10/17] grub: patch CVE-2025-0622 Date: Tue, 11 Mar 2025 19:09:53 +0100 Message-Id: <20250311181000.8582-10-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212587 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0622-01.patch | 35 ++++++++++++++++ .../grub/files/CVE-2025-0622-02.patch | 41 +++++++++++++++++++ .../grub/files/CVE-2025-0622-03.patch | 38 +++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 3 ++ 4 files changed, 117 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch new file mode 100644 index 0000000000..09dbfce5f8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch @@ -0,0 +1,35 @@ +From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 19:24:29 +0000 +Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on + module unload + +If the hooks are not removed they can be called after the module has +been unloaded leading to an use-after-free. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726] +Signed-off-by: Peter Marko +--- + grub-core/commands/pgp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c +index c6766f044..5fadc33c4 100644 +--- a/grub-core/commands/pgp.c ++++ b/grub-core/commands/pgp.c +@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp) + + GRUB_MOD_FINI(pgp) + { ++ grub_register_variable_hook ("check_signatures", NULL, NULL); ++ grub_env_unset ("check_signatures"); + grub_verifier_unregister (&grub_pubkey_verifier); + grub_unregister_extcmd (cmd); + grub_unregister_extcmd (cmd_trust); diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch new file mode 100644 index 0000000000..be01da3355 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch @@ -0,0 +1,41 @@ +From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 23:46:55 +0000 +Subject: [PATCH 2/3] normal: Remove variables hooks on module unload + +The normal module does not entirely cleanup after itself in +its GRUB_MOD_FINI() leaving a few variables hooks in place. +It is not possible to unload normal module now but fix the +issues for completeness. + +On the occasion replace 0s with NULLs for "pager" variable +hooks unregister. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67] +Signed-off-by: Peter Marko +--- + grub-core/normal/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index 838f57fa5..04d058f55 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -582,7 +582,9 @@ GRUB_MOD_FINI(normal) + grub_xputs = grub_xputs_saved; + + grub_set_history (0); +- grub_register_variable_hook ("pager", 0, 0); ++ grub_register_variable_hook ("pager", NULL, NULL); ++ grub_register_variable_hook ("color_normal", NULL, NULL); ++ grub_register_variable_hook ("color_highlight", NULL, NULL); + grub_fs_autoload_hook = 0; + grub_unregister_command (cmd_clear); + } diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch new file mode 100644 index 0000000000..79078a4350 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch @@ -0,0 +1,38 @@ +From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 23:52:06 +0000 +Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload + +The gettext module does not entirely cleanup after itself in +its GRUB_MOD_FINI() leaving a few variables hooks in place. +It is not possible to unload gettext module because normal +module depends on it. Though fix the issues for completeness. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index 7a1c14e4f..e4f4f8ee6 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -535,6 +535,10 @@ GRUB_MOD_INIT (gettext) + + GRUB_MOD_FINI (gettext) + { ++ grub_register_variable_hook ("locale_dir", NULL, NULL); ++ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL); ++ grub_register_variable_hook ("lang", NULL, NULL); ++ + grub_gettext_delete_list (&main_context); + grub_gettext_delete_list (&secondary_context); + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 0ad5ba7fc0..99174a4f33 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -26,6 +26,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0624.patch \ file://CVE-2024-45774.patch \ file://CVE-2024-45775.patch \ + file://CVE-2025-0622-01.patch \ + file://CVE-2025-0622-02.patch \ + file://CVE-2025-0622-03.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58702 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1DBCC35FF2 for ; Tue, 11 Mar 2025 18:11:42 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.17225.1741716697233754773 for ; Tue, 11 Mar 2025 11:11:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=XOOA64Mr; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-20250311181135700f8977dcf8e612a3-2x5rm7@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20250311181135700f8977dcf8e612a3 for ; Tue, 11 Mar 2025 19:11:35 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=D3SxLvcw0BHyM8CBtvXSYgKLhzM3pApvOULYAJquxkE=; b=XOOA64MrbPnTI/k9ogD0w1vffd+g/AlxT/UXpJ7jGS8sf09W90+huQ5fUu1hmPGIxsVo2F VP87FtTtp5fUiK3QBNNBzOlNj+J4LpB3HrljpI7F2vGuiH25OyDzaZwWnEmHn+RHr/t1lLnu iIXqMdvUF7NjWSR618TwCjbXjc+DeqefCMGdIglVnXSrWRjZ7OBDbgChbz6Bgw0xhBV/TWdZ thhSP1orta9IGxfje3s6A7t9K66n7cSPdjYSF6x2BVPsfbh6tUpqKU3cZsxcA97T5a/Z/H82 Oz+wLrNYEU9b3G2paHQy+xBzKD5RmQtZqcltncsYNmkE1NInsSMTBxfg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 11/17] grub: patch CVE-2024-45776 Date: Tue, 11 Mar 2025 19:09:54 +0100 Message-Id: <20250311181000.8582-11-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212588 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45776.patch | 39 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45776.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45776.patch b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch new file mode 100644 index 0000000000..8deea958b8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch @@ -0,0 +1,39 @@ +From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:56 +0000 +Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read + +Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may +overflow leading to subsequent OOB write or read. This patch fixes the +issue by replacing grub_zalloc() and explicit multiplication with +grub_calloc() which does the same thing in safe manner. + +Fixes: CVE-2024-45776 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45776 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index e4f4f8ee6..63bb1ab73 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx, + for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log; + ctx->grub_gettext_max_log++); + +- ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max +- * sizeof (ctx->grub_gettext_msg_list[0])); ++ ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max, ++ sizeof (ctx->grub_gettext_msg_list[0])); + if (!ctx->grub_gettext_msg_list) + { + grub_file_close (fd); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 99174a4f33..4a08a549e5 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -29,6 +29,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-01.patch \ file://CVE-2025-0622-02.patch \ file://CVE-2025-0622-03.patch \ + file://CVE-2024-45776.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58700 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB0C9C28B2F for ; Tue, 11 Mar 2025 18:11:42 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.17225.1741716697233754773 for ; Tue, 11 Mar 2025 11:11:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=XuUEhIlS; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-20250311181138e5409838efc1b50655-9smjpj@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20250311181138e5409838efc1b50655 for ; Tue, 11 Mar 2025 19:11:38 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=InGEouRvhtRHa1sn7Kg9MFEJVlWGQoZk6/NmbYYPu0I=; b=XuUEhIlS1mN2vZcBzyk2bEiH0pHKWXfbNJBjI715l2tPWF1kSid2U+4uR94C/RMkvyP4Ww 8KPPYb/1lLOARlc9CxrJEDGBq9Dm0Z27Q9EiELLGTpTqu+dohhh4x/1WdQgWFe2NZkwLtwut iq9wRRaWAN5iWxxXhXkFeFRVnchhtqhbTDGSlOeqJfFRYD57lbWYzdMpxGmAgVpCNr0FY/bp QvF6pDApwAGRJOa2mG94+3UNRL38f46dV2OrPaAAQJn7ULa2ckdA/iHAr2wzh82EyjHoxPo5 AaNEX63rVzODKx46T3Z9woBmWFP9m+ICD0Oj0bvymDl0CKxTj4b1lYuw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 12/17] grub: patch CVE-2024-45777 Date: Tue, 11 Mar 2025 19:09:55 +0100 Message-Id: <20250311181000.8582-12-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212589 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45777.patch | 57 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45777.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch new file mode 100644 index 0000000000..0305a95fd5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch @@ -0,0 +1,57 @@ +From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:57 +0000 +Subject: [PATCH] gettext: Integer overflow leads to heap OOB write + +The size calculation of the translation buffer in +grub_gettext_getstr_from_position() may overflow +to 0 leading to heap OOB write. This patch fixes +the issue by using grub_add() and checking for +an overflow. + +Fixes: CVE-2024-45777 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45777 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index 63bb1ab73..9ffc73428 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx, + char *translation; + struct string_descriptor desc; + grub_err_t err; ++ grub_size_t alloc_sz; + + internal_position = (off + position * sizeof (desc)); + +@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx, + length = grub_cpu_to_le32 (desc.length); + offset = grub_cpu_to_le32 (desc.offset); + +- translation = grub_malloc (length + 1); ++ if (grub_add (length, 1, &alloc_sz)) ++ return NULL; ++ ++ translation = grub_malloc (alloc_sz); + if (!translation) + return NULL; + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 4a08a549e5..160dfc5d2b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-02.patch \ file://CVE-2025-0622-03.patch \ file://CVE-2024-45776.patch \ + file://CVE-2024-45777.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58703 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFA51C35FF1 for ; Tue, 11 Mar 2025 18:11:52 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.17479.1741716703522631912 for ; Tue, 11 Mar 2025 11:11:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=N+aJeqrl; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2025031118114164a7ef8e4c9b5c0832-xxrzii@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2025031118114164a7ef8e4c9b5c0832 for ; Tue, 11 Mar 2025 19:11:41 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=7S0yV/XuvjSnyhKUEDDQxr3+Mw7OuH0xUFMCQcvDZuY=; b=N+aJeqrlIuOSdRmfugY3Gjhzxpwo57nmDhsV77rkF+d0wi8z4yUV7Jhi/EBtqk2SfYxH1K A42J5MFCzmkBmzSas69ssIBeaqCxC+/Kjg6rOPjQlIOaSlCX1jnwkQtG1bGQwzf1souKlqLL 8iOKxzWKsxKzbEdR6LiPeQ41nOhHse0Auy3Eg7RWlNnfzPFNuROpvIC+vXXAWj6D4N8UvV8Z fPlttmWcptitJ6/CsElnq0I272rkETmUPJkZ8ZJPkEeRolJ13Nr7dqqCO8ioE/HB4RDB6Gt3 ox8LAwRxltccmkidSl3j9fsovFuBhis8Hvgm2klrIP5+WBkokRLqzMMA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 13/17] grub: patch CVE-2025-0690 Date: Tue, 11 Mar 2025 19:09:56 +0100 Message-Id: <20250311181000.8582-13-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212590 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0690.patch | 73 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0690.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch new file mode 100644 index 0000000000..be585c96ad --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch @@ -0,0 +1,73 @@ +From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001 +From: Jonathan Bar Or +Date: Thu, 23 Jan 2025 19:17:05 +0100 +Subject: [PATCH] commands/read: Fix an integer overflow when supplying more + than 2^31 characters + +The grub_getline() function currently has a signed integer variable "i" +that can be overflown when user supplies more than 2^31 characters. +It results in a memory corruption of the allocated line buffer as well +as supplying large negative values to grub_realloc(). + +Fixes: CVE-2025-0690 + +Reported-by: Jonathan Bar Or +Signed-off-by: Jonathan Bar Or +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0690 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc] +Signed-off-by: Peter Marko +--- + grub-core/commands/read.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c +index 597c90706..8d72e45c9 100644 +--- a/grub-core/commands/read.c ++++ b/grub-core/commands/read.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] = + static char * + grub_getline (int silent) + { +- int i; ++ grub_size_t i; + char *line; + char *tmp; + int c; ++ grub_size_t alloc_size; + + i = 0; +- line = grub_malloc (1 + i + sizeof('\0')); ++ line = grub_malloc (1 + sizeof('\0')); + if (! line) + return NULL; + +@@ -59,8 +61,17 @@ grub_getline (int silent) + line[i] = (char) c; + if (!silent) + grub_printf ("%c", c); +- i++; +- tmp = grub_realloc (line, 1 + i + sizeof('\0')); ++ if (grub_add (i, 1, &i)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ if (grub_add (i, 1 + sizeof('\0'), &alloc_size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ tmp = grub_realloc (line, alloc_size); + if (! tmp) + { + grub_free (line); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 160dfc5d2b..2c61fb66bc 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -31,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-03.patch \ file://CVE-2024-45776.patch \ file://CVE-2024-45777.patch \ + file://CVE-2025-0690.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58704 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE673C282EC for ; Tue, 11 Mar 2025 18:11:52 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.17479.1741716703522631912 for ; Tue, 11 Mar 2025 11:11:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=iCAgKY7T; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20250311181145ff159e799130816b7a-6_lyxa@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20250311181145ff159e799130816b7a for ; Tue, 11 Mar 2025 19:11:45 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=vfBHdgB2ojehvIk6QXblAOvpoO43Q6E5L2YhUkrLMVM=; b=iCAgKY7TwAPGGRVTyyH2k4awne1F3ICNW8PJ6Fs0Qyx5hk6ffxWhlIqEsP3RVnDbRXOZyq yQWjJMeGfg0c3+RlGil79fyh7tVO87WI2e2hSgxBxwzHmcqXBbd/qU8AxpTb6IKF4+xwAzV3 tRAKs90BLFomNVem/Pbup4JXHF1K9IAtF9m/5FdfIdD7dTpFX1A9XwW7imSzSJS2zRNrUHiL CnQtQRl0uml66mDIfRdyafBZvfjHJCy3C2z2RaoiQmtVxrF6CT2e0msO4K2LKUhKf44ENkfa j7ttMBVFsJdxWK2Z7HRuX6QUlm9fFVX8dfHcgVg6PDHa/8qILLszP6iA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 14/17] grub: patch CVE-2025-1118 Date: Tue, 11 Mar 2025 19:09:57 +0100 Message-Id: <20250311181000.8582-14-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212591 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-1118.patch | 37 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-1118.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-1118.patch b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch new file mode 100644 index 0000000000..e6906d909c --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch @@ -0,0 +1,37 @@ +From 34824806ac6302f91e8cabaa41308eaced25725f Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Thu, 18 Apr 2024 20:29:39 +0100 +Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode + +The dump enables a user to read memory which should not be possible +in lockdown mode. + +Fixes: CVE-2025-1118 + +Reported-by: B Horn +Reported-by: Jonathan Bar Or +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-1118 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f] +Signed-off-by: Peter Marko +--- + grub-core/commands/minicmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c +index 286290866..8c5ee3e60 100644 +--- a/grub-core/commands/minicmd.c ++++ b/grub-core/commands/minicmd.c +@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd) + grub_register_command ("help", grub_mini_cmd_help, + 0, N_("Show this message.")); + cmd_dump = +- grub_register_command ("dump", grub_mini_cmd_dump, +- N_("ADDR [SIZE]"), N_("Show memory contents.")); ++ grub_register_command_lockdown ("dump", grub_mini_cmd_dump, ++ N_("ADDR [SIZE]"), N_("Show memory contents.")); + cmd_rmmod = + grub_register_command ("rmmod", grub_mini_cmd_rmmod, + N_("MODULE"), N_("Remove a module.")); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 2c61fb66bc..19e6fd64b2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -32,6 +32,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45776.patch \ file://CVE-2024-45777.patch \ file://CVE-2025-0690.patch \ + file://CVE-2025-1118.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58705 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE8B2C28B2F for ; Tue, 11 Mar 2025 18:11:52 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.17234.1741716710370246178 for ; Tue, 11 Mar 2025 11:11:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=d+YD8sXz; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2025031118114872ac9b5b58ed990a45-grmxdk@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2025031118114872ac9b5b58ed990a45 for ; Tue, 11 Mar 2025 19:11:48 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=QEHJhdrXUAUYzleFkOXeaB8u1KYDOxRNYWRSVbGFujs=; b=d+YD8sXzSfbuJreCWnYDWMoNTF4QLJ9FEVhwh9z4ag0JybMstRaS8io3LKGcpq+//Tj8Rz /0Kl/VvN+FxInRF2H/SdfdLxUpIMWxXZoLWIFStoInkjxtz6XN7Io51sFDrsnJywzxYhR5ta zSGJRvYxyIR7TUu1fob5VFKdu//uAahV4bORXjAcITtUi2XfeTt797bo/LHK+RQsZRnZyzMe 2m/VEi9yG/Y6mp2lf2/X5isYJWev137tEX4szB7+u/PTnms7JlgeA3rvsngbm0hUmRig/XSL rUKKxAhk92PjO/3OD7WbaVY7Fd1N3wTYKgi/TOb1QZ3bWxo61o1P0nQQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 15/17] grub: patch CVE-2024-45778 and CVE-2024-45779 Date: Tue, 11 Mar 2025 19:09:58 +0100 Message-Id: <20250311181000.8582-15-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212592 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2024-45778_CVE-2024-45779.patch | 55 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch new file mode 100644 index 0000000000..eba013897f --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch @@ -0,0 +1,55 @@ +From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Sat, 23 Mar 2024 15:59:43 +1100 +Subject: [PATCH] fs/bfs: Disable under lockdown + +The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown. +This will also disable the AFS. + +Fixes: CVE-2024-45778 +Fixes: CVE-2024-45779 + +Reported-by: Nils Langius +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45778 +CVE: CVE-2024-45779 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=] +Signed-off-by: Peter Marko +--- + grub-core/fs/bfs.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c +index 022f69fe2..78aeb051f 100644 +--- a/grub-core/fs/bfs.c ++++ b/grub-core/fs/bfs.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1106,7 +1107,10 @@ GRUB_MOD_INIT (bfs) + { + COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE == + sizeof (struct grub_bfs_extent)); +- grub_fs_register (&grub_bfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_bfs_fs); ++ } + } + + #ifdef MODE_AFS +@@ -1115,5 +1119,6 @@ GRUB_MOD_FINI (afs) + GRUB_MOD_FINI (bfs) + #endif + { +- grub_fs_unregister (&grub_bfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_bfs_fs); + } diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 19e6fd64b2..8fef137261 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -33,6 +33,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45777.patch \ file://CVE-2025-0690.patch \ file://CVE-2025-1118.patch \ + file://CVE-2024-45778_CVE-2024-45779.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:09:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58706 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DC91DC2BA1B for ; Tue, 11 Mar 2025 18:11:52 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.17234.1741716710370246178 for ; Tue, 11 Mar 2025 11:11:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=f8b7TQX6; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20250311181151e2017903fcc481889d-3wbgl_@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20250311181151e2017903fcc481889d for ; Tue, 11 Mar 2025 19:11:51 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=JdA8SmM7b3O+ZTSW7hAHUTYZozPo6inP79Drt3fBF2E=; b=f8b7TQX6tuGOnC+YlMdn3+PFlVPbg0TbvPrSPby5ZOmDvPrO8xs/rFPg4LJo7QIV8wMdgR BADO84LJduxE7U3zR66HAcXHRQrSW4xrr0esWy/PC+il8ZxaA+5F8d69p3UWE6CI+dcZ8JP4 5iVa19mu67CT+9IwYrym8hXaCRCHMAHdpcgot7YkOx6CryV+qq4jXe5lZxwIOQLVlQ57iaOA wtsZ8l2cIOWRFwEAjYh8r9fbBH5nYnm0YG3QXTRMbLrNCsWnBqIW/IbtRLi11N97pEzH4EH/ f+ZSgXArqRMOSwUwDhK8eTRPt9ZToUhrXov2Q0Dug8jhM3udT9A8V25Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 16/17] grub: patch CVE-2025-0677, CVE-2025-0684, CVE-2025-0685, CVE-2025-0686 and CVE-2025-0689 Date: Tue, 11 Mar 2025 19:09:59 +0100 Message-Id: <20250311181000.8582-16-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:11:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212593 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- ...025-0685_CVE-2025-0686_CVE-2025-0689.patch | 377 ++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 378 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch new file mode 100644 index 0000000000..d5563cecc4 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch @@ -0,0 +1,377 @@ +From 47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Sat, 23 Mar 2024 16:20:45 +1100 +Subject: [PATCH] fs: Disable many filesystems under lockdown + +The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat, +hfsplus, iso9660, squash4, tar, xfs and zfs. + +The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were +reported by Jonathan Bar Or . + +Fixes: CVE-2025-0677 +Fixes: CVE-2025-0684 +Fixes: CVE-2025-0685 +Fixes: CVE-2025-0686 +Fixes: CVE-2025-0689 + +Suggested-by: Daniel Axtens +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0677 +CVE: CVE-2025-0684 +CVE: CVE-2025-0685 +CVE: CVE-2025-0686 +CVE: CVE-2025-0689 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10] +Signed-off-by: Peter Marko +--- + grub-core/fs/affs.c | 9 +++++++-- + grub-core/fs/cbfs.c | 9 +++++++-- + grub-core/fs/jfs.c | 9 +++++++-- + grub-core/fs/minix.c | 9 +++++++-- + grub-core/fs/nilfs2.c | 9 +++++++-- + grub-core/fs/ntfs.c | 9 +++++++-- + grub-core/fs/reiserfs.c | 9 +++++++-- + grub-core/fs/romfs.c | 9 +++++++-- + grub-core/fs/sfs.c | 9 +++++++-- + grub-core/fs/udf.c | 9 +++++++-- + grub-core/fs/ufs.c | 9 +++++++-- + 11 files changed, 77 insertions(+), 22 deletions(-) + +diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c +index ed606b3f1..352f5d232 100644 +--- a/grub-core/fs/affs.c ++++ b/grub-core/fs/affs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -703,11 +704,15 @@ static struct grub_fs grub_affs_fs = + + GRUB_MOD_INIT(affs) + { +- grub_fs_register (&grub_affs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_affs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(affs) + { +- grub_fs_unregister (&grub_affs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_affs_fs); + } +diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c +index 8ab7106af..f6349df34 100644 +--- a/grub-core/fs/cbfs.c ++++ b/grub-core/fs/cbfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -390,12 +391,16 @@ GRUB_MOD_INIT (cbfs) + #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN) + init_cbfsdisk (); + #endif +- grub_fs_register (&grub_cbfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_cbfs_fs); ++ } + } + + GRUB_MOD_FINI (cbfs) + { +- grub_fs_unregister (&grub_cbfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_cbfs_fs); + #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN) + fini_cbfsdisk (); + #endif +diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c +index 6f7c43904..c0bbab8a9 100644 +--- a/grub-core/fs/jfs.c ++++ b/grub-core/fs/jfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -963,11 +964,15 @@ static struct grub_fs grub_jfs_fs = + + GRUB_MOD_INIT(jfs) + { +- grub_fs_register (&grub_jfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_jfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(jfs) + { +- grub_fs_unregister (&grub_jfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_jfs_fs); + } +diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c +index 5354951d1..c267298b5 100644 +--- a/grub-core/fs/minix.c ++++ b/grub-core/fs/minix.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -734,7 +735,10 @@ GRUB_MOD_INIT(minix) + #endif + #endif + { +- grub_fs_register (&grub_minix_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_minix_fs); ++ } + my_mod = mod; + } + +@@ -756,5 +760,6 @@ GRUB_MOD_FINI(minix) + #endif + #endif + { +- grub_fs_unregister (&grub_minix_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_minix_fs); + } +diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c +index fc7374ead..08abf173f 100644 +--- a/grub-core/fs/nilfs2.c ++++ b/grub-core/fs/nilfs2.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1231,11 +1232,15 @@ GRUB_MOD_INIT (nilfs2) + grub_nilfs2_dat_entry)); + COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE + == sizeof (struct grub_nilfs2_inode)); +- grub_fs_register (&grub_nilfs2_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_nilfs2_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (nilfs2) + { +- grub_fs_unregister (&grub_nilfs2_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_nilfs2_fs); + } +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index de435aa14..8cc2ba3d5 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1320,11 +1321,15 @@ static struct grub_fs grub_ntfs_fs = + + GRUB_MOD_INIT (ntfs) + { +- grub_fs_register (&grub_ntfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_ntfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (ntfs) + { +- grub_fs_unregister (&grub_ntfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_ntfs_fs); + } +diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c +index 36b26ac98..cdef2eba0 100644 +--- a/grub-core/fs/reiserfs.c ++++ b/grub-core/fs/reiserfs.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1417,11 +1418,15 @@ static struct grub_fs grub_reiserfs_fs = + + GRUB_MOD_INIT(reiserfs) + { +- grub_fs_register (&grub_reiserfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_reiserfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(reiserfs) + { +- grub_fs_unregister (&grub_reiserfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_reiserfs_fs); + } +diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c +index 1f7dcfca1..acf8dd21e 100644 +--- a/grub-core/fs/romfs.c ++++ b/grub-core/fs/romfs.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -475,10 +476,14 @@ static struct grub_fs grub_romfs_fs = + + GRUB_MOD_INIT(romfs) + { +- grub_fs_register (&grub_romfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_romfs_fs); ++ } + } + + GRUB_MOD_FINI(romfs) + { +- grub_fs_unregister (&grub_romfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_romfs_fs); + } +diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c +index 983e88008..f64bdd2df 100644 +--- a/grub-core/fs/sfs.c ++++ b/grub-core/fs/sfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + GRUB_MOD_LICENSE ("GPLv3+"); +@@ -779,11 +780,15 @@ static struct grub_fs grub_sfs_fs = + + GRUB_MOD_INIT(sfs) + { +- grub_fs_register (&grub_sfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_sfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(sfs) + { +- grub_fs_unregister (&grub_sfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_sfs_fs); + } +diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c +index b836e6107..a60643be1 100644 +--- a/grub-core/fs/udf.c ++++ b/grub-core/fs/udf.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1455,11 +1456,15 @@ static struct grub_fs grub_udf_fs = { + + GRUB_MOD_INIT (udf) + { +- grub_fs_register (&grub_udf_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_udf_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (udf) + { +- grub_fs_unregister (&grub_udf_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_udf_fs); + } +diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c +index 01235101b..6b496e7b8 100644 +--- a/grub-core/fs/ufs.c ++++ b/grub-core/fs/ufs.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -899,7 +900,10 @@ GRUB_MOD_INIT(ufs1) + #endif + #endif + { +- grub_fs_register (&grub_ufs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_ufs_fs); ++ } + my_mod = mod; + } + +@@ -913,6 +917,7 @@ GRUB_MOD_FINI(ufs1) + #endif + #endif + { +- grub_fs_unregister (&grub_ufs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_ufs_fs); + } + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 8fef137261..658ce6109e 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -34,6 +34,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0690.patch \ file://CVE-2025-1118.patch \ file://CVE-2024-45778_CVE-2024-45779.patch \ + file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:10:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58707 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1825C282EC for ; Tue, 11 Mar 2025 18:12:02 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.17486.1741716716734289784 for ; Tue, 11 Mar 2025 11:11:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=f7QHY/fy; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-202503111811553d343633ef920481b9-7bxrbf@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202503111811553d343633ef920481b9 for ; Tue, 11 Mar 2025 19:11:55 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=cTP/iQzbYGFVJ2No19J2Z3F1MYn/4NKCaWSyQB2H43k=; b=f7QHY/fyI8xZX24BtSBSFP9feAz3UBbMFeuXzo1noC3/9NgM8zu1RSIHimuBMieRt7r4zA 30P3AgOeC7z+TggLZguln7hhM0wCekW+lgbq4fvRP28+s52k28aO+fTGn4wMYz+8yJgn6UpU A6nRFuf28mRBAl/Jc2zCiNjGxQ0Te7HXFEuwm13rbsM+8ukybtpnUA2LUT9K750GkpjW9FV/ B/7XWCuFdEXD/OErC6luudEk7ur4VsTyfpKf0Yxz8BSNPKD/B7XuGjXPZJNYVQmz8pDSWAnC BEtbPlVXD3eqMPDvnVWQJ2E/RPPrs60Zb/Ljt3g0h8Lm33h+pTuMnwNQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 17/17] grub: patch CVE-2025-0678 and CVE-2025-1125 Date: Tue, 11 Mar 2025 19:10:00 +0100 Message-Id: <20250311181000.8582-17-peter.marko@siemens.com> In-Reply-To: <20250311181000.8582-1-peter.marko@siemens.com> References: <20250311181000.8582-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:12:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212594 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2025-0678_CVE-2025-1125.patch | 87 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch new file mode 100644 index 0000000000..14e67cf35b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch @@ -0,0 +1,87 @@ +From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Tue, 21 Jan 2025 19:02:37 +0000 +Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays + +Use grub_calloc() when allocating memory for arrays to ensure proper +overflow checks are in place. + +The HFS+ and squash4 security vulnerabilities were reported by +Jonathan Bar Or . + +Fixes: CVE-2025-0678 +Fixes: CVE-2025-1125 + +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0678 +CVE: CVE-2025-1125 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e] +Signed-off-by: Peter Marko +--- + grub-core/fs/btrfs.c | 4 ++-- + grub-core/fs/hfspluscomp.c | 9 +++++++-- + grub-core/fs/squash4.c | 8 ++++---- + 3 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c +index 0625b1166..9c1e925c9 100644 +--- a/grub-core/fs/btrfs.c ++++ b/grub-core/fs/btrfs.c +@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev) + } + + data->n_devices_allocated = 16; +- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0]) +- * data->n_devices_allocated); ++ data->devices_attached = grub_calloc (data->n_devices_allocated, ++ sizeof (data->devices_attached[0])); + if (!data->devices_attached) + { + grub_free (data); +diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c +index 48ae438d8..a80954ee6 100644 +--- a/grub-core/fs/hfspluscomp.c ++++ b/grub-core/fs/hfspluscomp.c +@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node) + return 0; + } + node->compress_index_size = grub_le_to_cpu32 (index_size); +- node->compress_index = grub_malloc (node->compress_index_size +- * sizeof (node->compress_index[0])); ++ node->compress_index = grub_calloc (node->compress_index_size, ++ sizeof (node->compress_index[0])); + if (!node->compress_index) + { + node->compressed = 0; + grub_free (attr_node); + return grub_errno; + } ++ ++ /* ++ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here ++ * due to relevant checks done in grub_calloc() above. ++ */ + if (grub_hfsplus_read_file (node, 0, 0, + 0x104 + sizeof (index_size), + node->compress_index_size +diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c +index f91ff3bfa..cf2bca822 100644 +--- a/grub-core/fs/squash4.c ++++ b/grub-core/fs/squash4.c +@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data, + break; + } + total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz); +- ino->block_sizes = grub_malloc (total_blocks +- * sizeof (ino->block_sizes[0])); +- ino->cumulated_block_sizes = grub_malloc (total_blocks +- * sizeof (ino->cumulated_block_sizes[0])); ++ ino->block_sizes = grub_calloc (total_blocks, ++ sizeof (ino->block_sizes[0])); ++ ino->cumulated_block_sizes = grub_calloc (total_blocks, ++ sizeof (ino->cumulated_block_sizes[0])); + if (!ino->block_sizes || !ino->cumulated_block_sizes) + { + grub_free (ino->block_sizes); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 658ce6109e..1fe39a59d2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -35,6 +35,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-1118.patch \ file://CVE-2024-45778_CVE-2024-45779.patch \ file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \ + file://CVE-2025-0678_CVE-2025-1125.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"