From patchwork Tue Mar 11 18:14:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58708 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04394C2BA1B for ; Tue, 11 Mar 2025 18:15:23 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web11.17559.1741716914841485370 for ; Tue, 11 Mar 2025 11:15:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=CATsgWD/; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20250311181512088d8ad160997bb6a9-_gibsc@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20250311181512088d8ad160997bb6a9 for ; Tue, 11 Mar 2025 19:15:12 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=gj3TEaZkCIbT1+3phvQF7IXqNz77k4G42XbBtPsxHNo=; b=CATsgWD/TM98jlpSJaBBck2lsNUvb0v8hBLSP2lnGrNSk1+uld3p1DFlBbq/qBauucunuG zZdfREdqzkWdPXFaB/XeVOktovY2YT9+55p2WWvUwXSdPcMOAnhblFmpEGx9S6UJDhtFnca0 8E2xRV9f86AtgwDIzg22zAH0k/0quFL+UPOuInBq64RBnzor1apMVqYUROF58NtOHiNkLoYU 3D9TUxALzGpHiC2DlaV/dEQxI6ojY1He8rmlKgC3vFhHpN7jc3q2T4MGjbd/FxPcfEjNQmBC eYIISpA4pRkbEjaUyafL1YN/pWZiPb4GTNLxNC3fhuNfOJzdk4JUnftA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 01/17] grub: drop obsolete CVE statuses Date: Tue, 11 Mar 2025 19:14:08 +0100 Message-Id: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212595 From: Peter Marko CVE-2021-46705 was needed only with 2.06 CVE-2023-4692 and CVE-2023-4693 were fixed in NVD DB meanwhile Signed-off-by: Peter Marko --- meta/recipes-bsp/grub/grub2.inc | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 07b4000e04..c93b9594c8 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -23,11 +23,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL" -CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE" CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedora" CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora" -CVE_STATUS[CVE-2023-4692] = "cpe-incorrect: Fixed in version 2.12 already" -CVE_STATUS[CVE-2023-4693] = "cpe-incorrect: Fixed in version 2.12 already" DEPENDS = "flex-native bison-native gettext-native" From patchwork Tue Mar 11 18:14:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58709 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0434EC282EC for ; Tue, 11 Mar 2025 18:15:23 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.17562.1741716919491506702 for ; Tue, 11 Mar 2025 11:15:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=kqJDWZVC; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-2025031118151790538c950999b47fa1-8pvbcz@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 2025031118151790538c950999b47fa1 for ; Tue, 11 Mar 2025 19:15:17 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=UnbFz6TI7LODzAp9gzCoNLzQdcyMAnBywgn+DG0Iap0=; b=kqJDWZVCZM39NkG8ZOP/LmLZcuYRnERFXQ6GTMelRNOR34DJ2lp0SQ6oPNIN9Mt/OxupjS i2x12D4kWaMeCkUeax7Z1Byy+PtGu+h/rdjEksU/dOTqpyqm7JwZHyr7t2v3/E1QjBdHjhI2 Zxy5izYMXd7ZOr/+gfW4ODKRCawGXfOmhGTIrb5LpUXKrrkJZOvPzgxiJhPBuf+N4tWAAmvp mIUlc4dEVVmdT/3w+Q4IzTzfJ1f8D07bBb6zYz0yPqSEjjy6VYLj9kEv9018p7wmxjuNUIZw sySbeq8zyAPgBqrMGh9zEqfQJFhGOPUUU9CRLgtlR6udR2aymbbJKw3Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 02/17] grub: backport strlcpy function Date: Tue, 11 Mar 2025 19:14:09 +0100 Message-Id: <20250311181424.8837-2-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212596 From: Peter Marko It is used to fix multiple CVEs. Signed-off-by: Peter Marko --- .../0001-misc-Implement-grub_strlcpy.patch | 68 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch diff --git a/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch new file mode 100644 index 0000000000..0ff6dff33a --- /dev/null +++ b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch @@ -0,0 +1,68 @@ +From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sat, 15 Jun 2024 02:33:08 +0100 +Subject: [PATCH 1/2] misc: Implement grub_strlcpy() + +grub_strlcpy() acts the same way as strlcpy() does on most *NIX, +returning the length of src and ensuring dest is always NUL +terminated except when size is 0. + +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f] +Signed-off-by: Peter Marko +--- + include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/include/grub/misc.h b/include/grub/misc.h +index 1578f36c3..14d8f37ac 100644 +--- a/include/grub/misc.h ++++ b/include/grub/misc.h +@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src) + return d - 1; + } + ++static inline grub_size_t ++grub_strlcpy (char *dest, const char *src, grub_size_t size) ++{ ++ char *d = dest; ++ grub_size_t res = 0; ++ /* ++ * We do not subtract one from size here to avoid dealing with underflowing ++ * the value, which is why to_copy is always checked to be greater than one ++ * throughout this function. ++ */ ++ grub_size_t to_copy = size; ++ ++ /* Copy size - 1 bytes to dest. */ ++ if (to_copy > 1) ++ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1) ++ ; ++ ++ /* ++ * NUL terminate if size != 0. The previous step may have copied a NUL byte ++ * if it reached the end of the string, but we know dest[size - 1] must always ++ * be a NUL byte. ++ */ ++ if (size != 0) ++ dest[size - 1] = '\0'; ++ ++ /* If there is still space in dest, but are here, we reached the end of src. */ ++ if (to_copy > 1) ++ return res; ++ ++ /* ++ * If we haven't reached the end of the string, iterate through to determine ++ * the strings total length. ++ */ ++ while (*src++ != '\0' && ++res) ++ ; ++ ++ return res; ++} ++ + /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */ + static inline void * + grub_memcpy (void *dest, const void *src, grub_size_t n) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index c93b9594c8..43ba632ce2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://grub-module-explicitly-keeps-symbole-.module_license.patch \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ + file://0001-misc-Implement-grub_strlcpy.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58710 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5245C3DA4A for ; Tue, 11 Mar 2025 18:15:32 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.17565.1741716923043416534 for ; Tue, 11 Mar 2025 11:15:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=WOS/Mle9; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250311181521953243742b970f6df2-9ahlbq@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250311181521953243742b970f6df2 for ; Tue, 11 Mar 2025 19:15:21 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=tDAq9oDF96J+aBdLS4aGaxfz5txtxXcvXoHqFXH6I/0=; b=WOS/Mle9n3cYC1OyxJKv/+hTo+hLRfEYKegB+3/RuP7kRmyoGLEYfWzImuC9dEp8/3IuNk xJurLtCvD410QmshT0L1bkGfJP4SMjnkz42fhprdvd0mS+hfhwU7BnMgSBdPCx9v2pDEnUMG fIC9Z8Nscl4ajhbPK+/DrU6YOM1z2sND6ygCN/GnAIjwyLq5BFcci+f18pCo0L82sbLFJ6bq edIDjGYxXGIUYmyVcMUIo49wxm9HHKA+3T55N1LvegaOTcHnFKnBBtimbScbgntR2pJaAQzH MIpQ12NtnmaPyD6JUz0MoIyN5lxaLYSHc5ljqa0oKag7LntbT6kgwuBA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 03/17] grup: patch CVE-2024-45781 Date: Tue, 11 Mar 2025 19:14:10 +0100 Message-Id: <20250311181424.8837-3-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212597 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45781.patch | 35 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45781.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch new file mode 100644 index 0000000000..bd0b6aa04a --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch @@ -0,0 +1,35 @@ +From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 02:03:33 +0100 +Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write + +grub_strcpy() was used to copy a symlink name from the filesystem +image to a heap allocated buffer. This led to a OOB write to adjacent +heap allocations. Fix by using grub_strlcpy(). + +Fixes: CVE-2024-45781 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45781 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba] +Signed-off-by: Peter Marko +--- + grub-core/fs/ufs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c +index a354c92d9..01235101b 100644 +--- a/grub-core/fs/ufs.c ++++ b/grub-core/fs/ufs.c +@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino) + /* Check against zero is paylindromic, no need to swap. */ + if (data->inode.nblocks == 0 + && INODE_SIZE (data) <= sizeof (data->inode.symlink)) +- grub_strcpy (symlink, (char *) data->inode.symlink); ++ grub_strlcpy (symlink, (char *) data->inode.symlink, sz); + else + { + if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 43ba632ce2..58f4a6e181 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ file://0001-misc-Implement-grub_strlcpy.patch \ + file://CVE-2024-45781.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58711 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D51A3C35FF2 for ; Tue, 11 Mar 2025 18:15:32 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.17565.1741716923043416534 for ; Tue, 11 Mar 2025 11:15:24 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=KdiRbcog; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250311181523b90d75ee923aff5673-c2ekml@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250311181523b90d75ee923aff5673 for ; Tue, 11 Mar 2025 19:15:23 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=J+xByvs1DqSG0Eii2MwY5aqVvML/wLofenga1Yznj6U=; b=KdiRbcogxQUCg7lmNweOrVfthGJsVG3Vvrv1mvXl+eIMjJEsU6gWMKUl8SPsAFM3eq1RNm H2mDsdeAIbd0A4B2AEGfXGLCFzKwI6GhegyOW5aoQDa2CzTrRj2FJmfHCQkL8G2RfBAEZQwF k7zT9msdHE6+3wFzwUGUKSNZVC1aO4zbhOVlPgemYmYrFncZn4g3oG0qF8DDTYH39EbyFYMj BlUwyJO+0GZn2AyttaibYgf9n0V5JPy2k8Yr7M9dLH+xkTbWKbCzZvQZstRs5eEWDwHgx7eh 2BkWJ+JL4PDVkeIYq6svsJq/XyGZqCCvpK4ejV1XsGnpySnh05+LQz4g==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 04/17] grub: patch CVE-2024-45782 and CVE-2024-56737 Date: Tue, 11 Mar 2025 19:14:11 +0100 Message-Id: <20250311181424.8837-4-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212598 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2024-45782_CVE-2024-56737.patch | 36 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch new file mode 100644 index 0000000000..41cc025b81 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch @@ -0,0 +1,36 @@ +From 417547c10410b714e43f08f74137c24015f8f4c3 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 02:48:33 +0100 +Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy() + +Replaced with grub_strlcpy(). + +Fixes: CVE-2024-45782 +Fixes: CVE-2024-56737 +Fixes: https://savannah.gnu.org/bugs/?66599 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45782 +CVE: CVE-2024-56737 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3] +Signed-off-by: Peter Marko +--- + grub-core/fs/hfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c +index 91dc0e69c..920112b03 100644 +--- a/grub-core/fs/hfs.c ++++ b/grub-core/fs/hfs.c +@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk) + volume name. */ + key.parent_dir = grub_cpu_to_be32_compile_time (1); + key.strlen = data->sblock.volname[0]; +- grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1)); ++ grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str)); + + if (grub_hfs_find_node (data, (char *) &key, data->cat_root, + 0, (char *) &dir, sizeof (dir)) == 0) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 58f4a6e181..f5112d773d 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ file://0001-misc-Implement-grub_strlcpy.patch \ file://CVE-2024-45781.patch \ + file://CVE-2024-45782_CVE-2024-56737.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58714 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E45D8C35FF4 for ; Tue, 11 Mar 2025 18:15:32 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.17565.1741716923043416534 for ; Tue, 11 Mar 2025 11:15:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=D3faXvLb; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250311181526e0ae8d3f4ecc25d91b-2byvms@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250311181526e0ae8d3f4ecc25d91b for ; Tue, 11 Mar 2025 19:15:26 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=8JWt3s15EafF3cMbbpQb0dg29nm/KHvDOI5jOTyCW+g=; b=D3faXvLb7H1muUYeLfqzOzrCcV2mfqwjuoRJvr3Dpim/jcuINkk8yxVlnejEDw0DKn6g3E Him2SP5jHzJ2GsIyxTMoL2N1in6jSKyV577MkPxdZyUHIxE6PxN3Sk9MpaIINiF0KDz+ovGD Hl67+wljf1OTpzZWfJdTwP0NUDLZdmJXycGvA7usCWYD9JtTeXWMjB50mbILnjv2tJ66SntK RozLaU0lZlsjW97lIZveB6xM+x6eQpWHXlfrXtXwSpl3XTw3GiNE1H4AgNdCNwM3c2eZWpMv qlqYRPPO/piXUcelGCygFS0PcrG9snjWfqriuT8xq2i/OAoRT/pjAtGQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 05/17] grub: patch CVE-2024-45780 Date: Tue, 11 Mar 2025 19:14:12 +0100 Message-Id: <20250311181424.8837-5-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212599 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45780.patch | 93 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45780.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch new file mode 100644 index 0000000000..1de0099f94 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch @@ -0,0 +1,93 @@ +From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:58 +0000 +Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write + +Both namesize and linksize are derived from hd.size, a 12-digit octal +number parsed by read_number(). Later direct arithmetic calculation like +"namesize + 1" and "linksize + 1" may exceed the maximum value of +grub_size_t leading to heap OOB write. This patch fixes the issue by +using grub_add() and checking for an overflow. + +Fixes: CVE-2024-45780 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45780 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3] +Signed-off-by: Peter Marko +--- + grub-core/fs/tar.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c +index 646bce5eb..386c09022 100644 +--- a/grub-core/fs/tar.c ++++ b/grub-core/fs/tar.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + struct head hd; + int reread = 0, have_longname = 0, have_longlink = 0; ++ grub_size_t sz; + + data->hofs = data->next_hofs; + +@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + grub_err_t err; + grub_size_t namesize = read_number (hd.size, sizeof (hd.size)); +- *name = grub_malloc (namesize + 1); ++ ++ if (grub_add (namesize, 1, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow")); ++ ++ *name = grub_malloc (sz); + if (*name == NULL) + return grub_errno; + err = grub_disk_read (data->disk, 0, +@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + grub_err_t err; + grub_size_t linksize = read_number (hd.size, sizeof (hd.size)); +- if (data->linkname_alloc < linksize + 1) ++ ++ if (grub_add (linksize, 1, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow")); ++ ++ if (data->linkname_alloc < sz) + { + char *n; +- n = grub_calloc (2, linksize + 1); ++ n = grub_calloc (2, sz); + if (!n) + return grub_errno; + grub_free (data->linkname); + data->linkname = n; +- data->linkname_alloc = 2 * (linksize + 1); ++ data->linkname_alloc = 2 * (sz); + } + + err = grub_disk_read (data->disk, 0, +@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + while (extra_size < sizeof (hd.prefix) + && hd.prefix[extra_size]) + extra_size++; +- *name = grub_malloc (sizeof (hd.name) + extra_size + 2); ++ ++ if (grub_add (sizeof (hd.name) + 2, extra_size, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow")); ++ *name = grub_malloc (sz); + if (*name == NULL) + return grub_errno; + if (hd.prefix[0]) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index f5112d773d..01d9be6bc2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-misc-Implement-grub_strlcpy.patch \ file://CVE-2024-45781.patch \ file://CVE-2024-45782_CVE-2024-56737.patch \ + file://CVE-2024-45780.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58713 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E4518C35FF3 for ; Tue, 11 Mar 2025 18:15:32 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.17565.1741716923043416534 for ; Tue, 11 Mar 2025 11:15:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=Yo+WOtot; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-202503111815283906134a0f33a2e7aa-7yir8x@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202503111815283906134a0f33a2e7aa for ; Tue, 11 Mar 2025 19:15:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=7gloa8ISbM2rtVBixlZYD+g7etLvt/7a9eaWTaCiDHc=; b=Yo+WOtotrFLF8v9TO/ht44kA+S2zxeA5jna3o8qrA5gjsbq5ESiG72gzZdJj/AelrCpI4k SaM1oRakuUPLS3Ms3JXYqWWnMmz/QDayll9J9gW3SSDEDMHUW1CXqUAHJOU8YtOhIyYPfH1y vLCIHOyHdwkY/gv4f4WOgNAOBh5PMK181aPbOKgQ/oMwpUNhslRcQOW9WdyxuyncEyvkh+GM QbGuDyZwd1jy+30dz3t92bax+bP5C1ylXWeCIThUK0TlFpZu+5F2l6SPOTFOkvvGsFt6kiH7 adc6JGiEGAmF6WkENpb5WI/hp4jObGBONnt5DI6/r6IkdIDZ89wsFX0w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 06/17] grub: patch CVE-2024-45783 Date: Tue, 11 Mar 2025 19:14:13 +0100 Message-Id: <20250311181424.8837-6-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212600 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45783.patch | 39 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45783.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45783.patch b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch new file mode 100644 index 0000000000..99c769961b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch @@ -0,0 +1,39 @@ +From f7c070a2e28dfab7137db0739fb8db1dc02d8898 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 06:22:51 +0100 +Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails + +It was possible for mount to fail but not set grub_errno. This led to +a possible double decrement of the module reference count if the NULL +page was mapped. + +Fixing in general as a similar bug was fixed in commit 61b13c187 +(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there +are likely more variants around. + +Fixes: CVE-2024-45783 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45783 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898] +Signed-off-by: Peter Marko +--- + grub-core/fs/hfsplus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index 295822f69..de71fd486 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -405,7 +405,7 @@ grub_hfsplus_mount (grub_disk_t disk) + + fail: + +- if (grub_errno == GRUB_ERR_OUT_OF_RANGE) ++ if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE) + grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem"); + + grub_free (data); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 01d9be6bc2..05aea4cc6a 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45781.patch \ file://CVE-2024-45782_CVE-2024-56737.patch \ file://CVE-2024-45780.patch \ + file://CVE-2024-45783.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58712 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5165C2BA1B for ; Tue, 11 Mar 2025 18:15:32 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.17565.1741716923043416534 for ; Tue, 11 Mar 2025 11:15:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=ahtwOrXm; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250311181531cfda1e1f0e11795ffd-blryco@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250311181531cfda1e1f0e11795ffd for ; Tue, 11 Mar 2025 19:15:31 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=V5Uvma60WpUA7axz7H4FzVOYCCbdxzQbYR8n39nJHqM=; b=ahtwOrXmsVZxeEtwreCImf0BkmbHq2H52U1kmqlGeUjPiVfD/XQMPO5t6QjiDjl/FB/NPq JEjVLD23E7Qg4l/igMcbKkSKlHwbs0mu8xR/C8mQHjuk6z5YKGemlQKteuR2xd2c5RGjGCj6 fez+13XD7EtPNIX5uPS6TE1kHxaPut9KiWHMIDVMrrXxwJIyLZ61OAD5QkJGer0TuwvRKvwf CvfMfeAruIdD3OMCoqX1mC9yy7NzEWyfZYiKG2E+RlcAUqyMNd/z5cJxcZAyy3XOlkMy+qxC 4jR2ROfY8o+eyVuyFOWUTaKMrqyFA5KJRQgWZjg8dXRdh9Sw5RjXdKkA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 07/17] grub: patch CVE-2025-0624 Date: Tue, 11 Mar 2025 19:14:14 +0100 Message-Id: <20250311181424.8837-7-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212601 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0624.patch | 84 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 85 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0624.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0624.patch b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch new file mode 100644 index 0000000000..229fe6399e --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch @@ -0,0 +1,84 @@ +From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 15 Nov 2024 13:12:09 +0000 +Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file() + +The function included a call to grub_strcpy() which copied data from an +environment variable to a buffer allocated in grub_cmd_normal(). The +grub_cmd_normal() didn't consider the length of the environment variable. +So, the copy operation could exceed the allocation and lead to an OOB +write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and +pass the underlying buffers size to the grub_net_search_config_file(). + +Fixes: CVE-2025-0624 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0624 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1] +Signed-off-by: Peter Marko +--- + grub-core/net/net.c | 7 ++++--- + grub-core/normal/main.c | 2 +- + include/grub/net.h | 2 +- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/grub-core/net/net.c b/grub-core/net/net.c +index 0e41e21a5..9939ff601 100644 +--- a/grub-core/net/net.c ++++ b/grub-core/net/net.c +@@ -1909,14 +1909,15 @@ grub_config_search_through (char *config, char *suffix, + } + + grub_err_t +-grub_net_search_config_file (char *config) ++grub_net_search_config_file (char *config, grub_size_t config_buf_len) + { +- grub_size_t config_len; ++ grub_size_t config_len, suffix_len; + char *suffix; + + config_len = grub_strlen (config); + config[config_len] = '-'; + suffix = config + config_len + 1; ++ suffix_len = config_buf_len - (config_len + 1); + + struct grub_net_network_level_interface *inf; + FOR_NET_NETWORK_LEVEL_INTERFACES (inf) +@@ -1942,7 +1943,7 @@ grub_net_search_config_file (char *config) + + if (client_uuid) + { +- grub_strcpy (suffix, client_uuid); ++ grub_strlcpy (suffix, client_uuid, suffix_len); + if (grub_config_search_through (config, suffix, 1, 0) == 0) + return GRUB_ERR_NONE; + } +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index 90879dc21..838f57fa5 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), + + if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 && + !disable_net_search) +- grub_net_search_config_file (config); ++ grub_net_search_config_file (config, config_len); + + grub_enter_normal_mode (config); + grub_free (config); +diff --git a/include/grub/net.h b/include/grub/net.h +index 228d04963..58a4f83fc 100644 +--- a/include/grub/net.h ++++ b/include/grub/net.h +@@ -579,7 +579,7 @@ void + grub_net_remove_dns_server (const struct grub_net_network_level_address *s); + + grub_err_t +-grub_net_search_config_file (char *config); ++grub_net_search_config_file (char *config, grub_size_t config_buf_len); + + extern char *grub_net_default_server; + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 05aea4cc6a..3526c43835 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -23,6 +23,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45782_CVE-2024-56737.patch \ file://CVE-2024-45780.patch \ file://CVE-2024-45783.patch \ + file://CVE-2025-0624.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58715 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8B67C2BA1B for ; Tue, 11 Mar 2025 18:15:42 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web10.17336.1741716935333029132 for ; Tue, 11 Mar 2025 11:15:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=IbYRiGQ0; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-2025031118153337e3f00552b5fbb129-dvhr3r@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 2025031118153337e3f00552b5fbb129 for ; Tue, 11 Mar 2025 19:15:33 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=rOShKo/+FdgKmSp6UWiSB9ahSzqFgGiEYcBXn2tcydY=; b=IbYRiGQ0yxkjTpoZ0SaM79CnqcgzbAvop9kBgSUup1iQpBLTmZWK+jj3CuvSTqAB30UC5S 9AWVvS/H+EpXDWKXlAAL4hUDafmS3hLaV5DHwSQfV2EGV7KtjiRvWV1fsSBfou8ictd3soUw L69o9BvHMXsHREYe3HRu1EHyAT0zGhhiEIzpLieWdb8eJFiSagdhqJeILOwRkMlm8oNxh5g1 P/wPQokzprl7pP9/Y3K/TDl5B5Bc5yf/Ai3pryL4C9r0B9rVo5s85aNcZMfKEGSAFXNx72mr 0Xl8qzhBEbBQBIq6Ut5MvLNFtn7/4Xanj9Gf36zxKX3MaL0y//lmof2w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 08/17] grub: patch CVE-2024-45774 Date: Tue, 11 Mar 2025 19:14:15 +0100 Message-Id: <20250311181424.8837-8-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212602 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45774.patch | 37 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45774.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45774.patch b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch new file mode 100644 index 0000000000..55aecc17d7 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch @@ -0,0 +1,37 @@ +From 2c34af908ebf4856051ed29e46d88abd2b20387f Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 8 Mar 2024 22:47:20 +1100 +Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in + JPEG + +Otherwise a subsequent header could change the height and width +allowing future OOB writes. + +Fixes: CVE-2024-45774 + +Reported-by: Nils Langius +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45774 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f] +Signed-off-by: Peter Marko +--- + grub-core/video/readers/jpeg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index ae634fd41..631a89356 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) + if (grub_errno != GRUB_ERR_NONE) + return grub_errno; + ++ if (data->image_height != 0 || data->image_width != 0) ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "jpeg: cannot have duplicate SOF0 markers"); ++ + if (grub_jpeg_get_byte (data) != 8) + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "jpeg: only 8-bit precision is supported"); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3526c43835..ea6e19072e 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45780.patch \ file://CVE-2024-45783.patch \ file://CVE-2025-0624.patch \ + file://CVE-2024-45774.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58716 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E2BB0C282EC for ; Tue, 11 Mar 2025 18:15:42 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web10.17336.1741716935333029132 for ; Tue, 11 Mar 2025 11:15:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=PTGv2KeR; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-20250311181535b0fcfab56e240149c8-n_sbh8@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20250311181535b0fcfab56e240149c8 for ; Tue, 11 Mar 2025 19:15:36 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=xt5gXtLYV6keTPOB58ceKfB1nthrkmGPUHY1II8w2LM=; b=PTGv2KeRZ7jBnCW6CH6+zoUlRdmj9EwLNPr32EfuC59hrONubeDMyK1VhSKeHRwCCn+/cp HKMj11wayLhhRHZJ3GFn54XOkKNKYhQto5R/UPC+cVnTwMAgy781Zr3j5Re48VMSW+MzRgcb NGmduZkoYvW1c7KFHwvbOTpwmwZQ7OIkeuh/HkUq9vNf+07u8GEn7xUXURBwwMAGIjcugDxz UsARe4GSgcCEhTCf0MRFWlesd6g0+jgmSVwNN/Jj/06bgfsBSJblGRmOYDQJ8IzpyW7XKbyp Dh8Vus27wPm9Ow/7eVicCbFirGl0RVa+qECIQIlEg/Ty+zkGpioiX21w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 09/17] grub: patch CVE-2024-45775 Date: Tue, 11 Mar 2025 19:14:16 +0100 Message-Id: <20250311181424.8837-9-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212603 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45775.patch | 38 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45775.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45775.patch b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch new file mode 100644 index 0000000000..70492b8c2e --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch @@ -0,0 +1,38 @@ +From 05be856a8c3aae41f5df90cab7796ab7ee34b872 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:55 +0000 +Subject: [PATCH] commands/extcmd: Missing check for failed allocation + +The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate +a grub_arg_list struct but it does not verify the allocation was successful. +In case of failed allocation the NULL state pointer can be accessed in +parse_option() through grub_arg_parse() which may lead to a security issue. + +Fixes: CVE-2024-45775 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45775 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872] +Signed-off-by: Peter Marko +--- + grub-core/commands/extcmd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c +index 90a5ca24a..c236be13a 100644 +--- a/grub-core/commands/extcmd.c ++++ b/grub-core/commands/extcmd.c +@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args, + } + + state = grub_arg_list_alloc (ext, argc, args); ++ if (state == NULL) ++ return grub_errno; ++ + if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc)) + { + context.state = state; diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index ea6e19072e..b9b9d37637 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45783.patch \ file://CVE-2025-0624.patch \ file://CVE-2024-45774.patch \ + file://CVE-2024-45775.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58718 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFD9AC28B2F for ; Tue, 11 Mar 2025 18:15:42 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.17570.1741716940131801874 for ; Tue, 11 Mar 2025 11:15:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=c9wHdOR+; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-202503111815385f1bd987ccfd553587-wv4lf9@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202503111815385f1bd987ccfd553587 for ; Tue, 11 Mar 2025 19:15:38 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=QgVT5RpJ1m6qg7wycfQWOrssh27xHfaIfadWYVG0/PU=; b=c9wHdOR+/g9yEKKraqP7fx+Gtd9TSUgaq9Rp8B3oXhX5LmVC6UPMNjlAdxcnbOpwYoyWcu ptAy9OYyxs6WkBIKOhBb9ZvEUPy7mAnkEwyWpr+JZ1BuA3gITtAbnl+gsgt2h495atNBxyza 3+9+WIhvKIznyevXcd5XxHAeOaLjDM1hnWMKbQO4YS9xHqhCh+0UHUxCy8XpCcx+PJpf15lf R6iISCqCW6newIC99TbjxCH0v3lScgLa0BCeuxO5fLJfKasPjDAUHF+COsJYlKU31CWiaEml HMs3Hhrxj0UeFWhiaRYJzHOznw368t7mnGVehGiLlEMQOYrQWFNz8MJA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 10/17] grub: patch CVE-2025-0622 Date: Tue, 11 Mar 2025 19:14:17 +0100 Message-Id: <20250311181424.8837-10-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212604 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0622-01.patch | 35 ++++++++++++++++ .../grub/files/CVE-2025-0622-02.patch | 41 +++++++++++++++++++ .../grub/files/CVE-2025-0622-03.patch | 38 +++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 3 ++ 4 files changed, 117 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch new file mode 100644 index 0000000000..09dbfce5f8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch @@ -0,0 +1,35 @@ +From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 19:24:29 +0000 +Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on + module unload + +If the hooks are not removed they can be called after the module has +been unloaded leading to an use-after-free. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726] +Signed-off-by: Peter Marko +--- + grub-core/commands/pgp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c +index c6766f044..5fadc33c4 100644 +--- a/grub-core/commands/pgp.c ++++ b/grub-core/commands/pgp.c +@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp) + + GRUB_MOD_FINI(pgp) + { ++ grub_register_variable_hook ("check_signatures", NULL, NULL); ++ grub_env_unset ("check_signatures"); + grub_verifier_unregister (&grub_pubkey_verifier); + grub_unregister_extcmd (cmd); + grub_unregister_extcmd (cmd_trust); diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch new file mode 100644 index 0000000000..be01da3355 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch @@ -0,0 +1,41 @@ +From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 23:46:55 +0000 +Subject: [PATCH 2/3] normal: Remove variables hooks on module unload + +The normal module does not entirely cleanup after itself in +its GRUB_MOD_FINI() leaving a few variables hooks in place. +It is not possible to unload normal module now but fix the +issues for completeness. + +On the occasion replace 0s with NULLs for "pager" variable +hooks unregister. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67] +Signed-off-by: Peter Marko +--- + grub-core/normal/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index 838f57fa5..04d058f55 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -582,7 +582,9 @@ GRUB_MOD_FINI(normal) + grub_xputs = grub_xputs_saved; + + grub_set_history (0); +- grub_register_variable_hook ("pager", 0, 0); ++ grub_register_variable_hook ("pager", NULL, NULL); ++ grub_register_variable_hook ("color_normal", NULL, NULL); ++ grub_register_variable_hook ("color_highlight", NULL, NULL); + grub_fs_autoload_hook = 0; + grub_unregister_command (cmd_clear); + } diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch new file mode 100644 index 0000000000..79078a4350 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch @@ -0,0 +1,38 @@ +From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 23:52:06 +0000 +Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload + +The gettext module does not entirely cleanup after itself in +its GRUB_MOD_FINI() leaving a few variables hooks in place. +It is not possible to unload gettext module because normal +module depends on it. Though fix the issues for completeness. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index 7a1c14e4f..e4f4f8ee6 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -535,6 +535,10 @@ GRUB_MOD_INIT (gettext) + + GRUB_MOD_FINI (gettext) + { ++ grub_register_variable_hook ("locale_dir", NULL, NULL); ++ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL); ++ grub_register_variable_hook ("lang", NULL, NULL); ++ + grub_gettext_delete_list (&main_context); + grub_gettext_delete_list (&secondary_context); + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index b9b9d37637..7d463f8aeb 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -26,6 +26,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0624.patch \ file://CVE-2024-45774.patch \ file://CVE-2024-45775.patch \ + file://CVE-2025-0622-01.patch \ + file://CVE-2025-0622-02.patch \ + file://CVE-2025-0622-03.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58717 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFDE1C35FF2 for ; Tue, 11 Mar 2025 18:15:42 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.17343.1741716942392990095 for ; Tue, 11 Mar 2025 11:15:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=bjZ/xL/I; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-202503111815403f52840356f5fec24c-febmjk@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202503111815403f52840356f5fec24c for ; Tue, 11 Mar 2025 19:15:40 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=KjztLRF24ThBm+gxJZyg3UXEO+d4JZiSl+mNMrbZnpQ=; b=bjZ/xL/IOaajyb+GQQf1757IwrLCMWe4cNVkSJimZQETFr+59i3iJffPN9EZ8WP2qC//fR ViSPG8pVnNhAuFo9+ttnkzUOISRnHLJUu+bMttPyCLEjaYora4okThwTWqmy2LYymvHXFUXb LWN5X0ZtkENuOrxnSUw/qO2+5YQ9lpm6Yzsc3LRvZIxw9OB5zjio4bX89nAbdh73XMOwJuaB Bz0vNVJGU4mUY4V5AUbK0GWZ2j4DA/evDPXkvTK6XwZ4a7grKaEsz01Szw0P/cyz6ebwLuWM /VbePKGbwLvxVGJzSNTKAd8ZsHetbpucqMDADmwtvN4Q8HokHng8LI2A==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 11/17] grub: patch CVE-2024-45776 Date: Tue, 11 Mar 2025 19:14:18 +0100 Message-Id: <20250311181424.8837-11-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212605 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45776.patch | 39 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45776.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45776.patch b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch new file mode 100644 index 0000000000..8deea958b8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch @@ -0,0 +1,39 @@ +From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:56 +0000 +Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read + +Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may +overflow leading to subsequent OOB write or read. This patch fixes the +issue by replacing grub_zalloc() and explicit multiplication with +grub_calloc() which does the same thing in safe manner. + +Fixes: CVE-2024-45776 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45776 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index e4f4f8ee6..63bb1ab73 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx, + for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log; + ctx->grub_gettext_max_log++); + +- ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max +- * sizeof (ctx->grub_gettext_msg_list[0])); ++ ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max, ++ sizeof (ctx->grub_gettext_msg_list[0])); + if (!ctx->grub_gettext_msg_list) + { + grub_file_close (fd); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 7d463f8aeb..581855eb4b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -29,6 +29,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-01.patch \ file://CVE-2025-0622-02.patch \ file://CVE-2025-0622-03.patch \ + file://CVE-2024-45776.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58722 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EEC1FC2BA1B for ; Tue, 11 Mar 2025 18:15:52 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.17343.1741716942392990095 for ; Tue, 11 Mar 2025 11:15:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=OoNmuddG; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-2025031118154327481a492be38f20f2-8sn_91@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 2025031118154327481a492be38f20f2 for ; Tue, 11 Mar 2025 19:15:43 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=h/QGx0PFF0ekygxJLlI1PSTO6E/xQTP3vInduf2Cyew=; b=OoNmuddGVCwNyVu9vrtJja2EmeTci7dtPQ50mpnxFXeHba3nBhgYhada+E2gk5zizBA6WI XOmRrRjJjU4i528hmDqZv+2M1HW8+2m2wgP5rS+HkdgEEcuo8DEG3wmJgke08RqSBpL6vx25 eToKW3cLm+64kBTXxsCSKHQxYdO01Aet9kG4HrAiEhPduH8CI3Au7OQYlDCmb3b9n/+Z460A bR92GqMdBBPiWQrK0/zpOh1E57fycS4XPDZoleDXtYaAyXTkzY5HpHN6YCsDnBv0YjrOfN7T lh6pC2yVlmIrTReHFACUUvzX3Jp5Ya2Vv8FyXfZswFU6r+lp4ZDDclZQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 12/17] grub: patch CVE-2024-45777 Date: Tue, 11 Mar 2025 19:14:19 +0100 Message-Id: <20250311181424.8837-12-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212606 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45777.patch | 57 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45777.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch new file mode 100644 index 0000000000..0305a95fd5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch @@ -0,0 +1,57 @@ +From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:57 +0000 +Subject: [PATCH] gettext: Integer overflow leads to heap OOB write + +The size calculation of the translation buffer in +grub_gettext_getstr_from_position() may overflow +to 0 leading to heap OOB write. This patch fixes +the issue by using grub_add() and checking for +an overflow. + +Fixes: CVE-2024-45777 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45777 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index 63bb1ab73..9ffc73428 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx, + char *translation; + struct string_descriptor desc; + grub_err_t err; ++ grub_size_t alloc_sz; + + internal_position = (off + position * sizeof (desc)); + +@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx, + length = grub_cpu_to_le32 (desc.length); + offset = grub_cpu_to_le32 (desc.offset); + +- translation = grub_malloc (length + 1); ++ if (grub_add (length, 1, &alloc_sz)) ++ return NULL; ++ ++ translation = grub_malloc (alloc_sz); + if (!translation) + return NULL; + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 581855eb4b..b67b7d2e16 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-02.patch \ file://CVE-2025-0622-03.patch \ file://CVE-2024-45776.patch \ + file://CVE-2024-45777.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58721 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00C36C28B2F for ; Tue, 11 Mar 2025 18:15:53 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.17343.1741716942392990095 for ; Tue, 11 Mar 2025 11:15:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=ZdcE/O5a; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-202503111815456e2c0fd16e40599cb2-vpaqme@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202503111815456e2c0fd16e40599cb2 for ; Tue, 11 Mar 2025 19:15:45 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=+0sHEFhUBWfl3JNDc+fhAAyVFnypAiGd+SQimdd2O7g=; b=ZdcE/O5aQE+ChqIjrHd7t4qBvwP5VKVJf5hJJXLfsdZdh40rvzdYUbnKrYXVgFrj1Q8E3u ImhAIbMZiXkFLNksLcp1f9J99vX7dF6gDRYLs2Bu33cSt4TP7hJIwFfTDe6iitl2MSxw/yMC ky2AmtXiaXcP/vvFZkw0SaFfa9GURPDFEjfjMEF3ey+w5SBU9uTIPuLktzz4ApjOe5ISSqEK eWy0TG6EyK/9RsmEKALvU7XDidbM6YMc0Gl9aYfr/QXNTldAJoez6P/1M6gkpOhHZo6z05q0 51tJ9+eYoiCG+iQGUFBtMZQIv11zWax1qnkX64fiyNVIWzDs3P8y2e4g==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 13/17] grub: patch CVE-2025-0690 Date: Tue, 11 Mar 2025 19:14:20 +0100 Message-Id: <20250311181424.8837-13-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212607 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0690.patch | 73 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0690.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch new file mode 100644 index 0000000000..be585c96ad --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch @@ -0,0 +1,73 @@ +From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001 +From: Jonathan Bar Or +Date: Thu, 23 Jan 2025 19:17:05 +0100 +Subject: [PATCH] commands/read: Fix an integer overflow when supplying more + than 2^31 characters + +The grub_getline() function currently has a signed integer variable "i" +that can be overflown when user supplies more than 2^31 characters. +It results in a memory corruption of the allocated line buffer as well +as supplying large negative values to grub_realloc(). + +Fixes: CVE-2025-0690 + +Reported-by: Jonathan Bar Or +Signed-off-by: Jonathan Bar Or +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0690 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc] +Signed-off-by: Peter Marko +--- + grub-core/commands/read.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c +index 597c90706..8d72e45c9 100644 +--- a/grub-core/commands/read.c ++++ b/grub-core/commands/read.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] = + static char * + grub_getline (int silent) + { +- int i; ++ grub_size_t i; + char *line; + char *tmp; + int c; ++ grub_size_t alloc_size; + + i = 0; +- line = grub_malloc (1 + i + sizeof('\0')); ++ line = grub_malloc (1 + sizeof('\0')); + if (! line) + return NULL; + +@@ -59,8 +61,17 @@ grub_getline (int silent) + line[i] = (char) c; + if (!silent) + grub_printf ("%c", c); +- i++; +- tmp = grub_realloc (line, 1 + i + sizeof('\0')); ++ if (grub_add (i, 1, &i)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ if (grub_add (i, 1 + sizeof('\0'), &alloc_size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ tmp = grub_realloc (line, alloc_size); + if (! tmp) + { + grub_free (line); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index b67b7d2e16..6f0c8a133f 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -31,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-03.patch \ file://CVE-2024-45776.patch \ file://CVE-2024-45777.patch \ + file://CVE-2025-0690.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58719 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00CFBC35FF2 for ; Tue, 11 Mar 2025 18:15:53 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.17343.1741716942392990095 for ; Tue, 11 Mar 2025 11:15:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=LK10LEFf; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250311181547b1b555ee0732ecd5d3-myyrug@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250311181547b1b555ee0732ecd5d3 for ; Tue, 11 Mar 2025 19:15:47 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=PYjx9OplIjAvkL5Xa/TbJpkiIeMbRWZ+gMWBCWtWSqA=; b=LK10LEFfN2d4Y9Jm8zgmu4SPZLYxL3Slq6Tcavp1IT8C5qTfRSurZcdrGJoL4ig9+ltbv8 VY++qYVMJ4qQgmH6iPl/uC78Xf+no78mPbC8Of31S95Eiyp1OHRE8Z54j7ocLaltD+G0iicG k7TCl8/MSxd82BQP99YuDCeTciZBvR0Odio7oLJ10dzicg8jSjhjNJRx7fZRg2KR5hiFhb2y rLYtCq74pwDbTGKyrzSC6eZ7MSKA3U5z1uCt32lKeVgAr95e60sRQvV+tHUzIZ6InJBKQUNM Osj+Gdd9/j3lkIZ7mb+k42nmmsuyIg5v4p91w/Yb7ElIlNoRCqF5z7AQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 14/17] grub: patch CVE-2025-1118 Date: Tue, 11 Mar 2025 19:14:21 +0100 Message-Id: <20250311181424.8837-14-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212608 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-1118.patch | 37 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-1118.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-1118.patch b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch new file mode 100644 index 0000000000..e6906d909c --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch @@ -0,0 +1,37 @@ +From 34824806ac6302f91e8cabaa41308eaced25725f Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Thu, 18 Apr 2024 20:29:39 +0100 +Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode + +The dump enables a user to read memory which should not be possible +in lockdown mode. + +Fixes: CVE-2025-1118 + +Reported-by: B Horn +Reported-by: Jonathan Bar Or +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-1118 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f] +Signed-off-by: Peter Marko +--- + grub-core/commands/minicmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c +index 286290866..8c5ee3e60 100644 +--- a/grub-core/commands/minicmd.c ++++ b/grub-core/commands/minicmd.c +@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd) + grub_register_command ("help", grub_mini_cmd_help, + 0, N_("Show this message.")); + cmd_dump = +- grub_register_command ("dump", grub_mini_cmd_dump, +- N_("ADDR [SIZE]"), N_("Show memory contents.")); ++ grub_register_command_lockdown ("dump", grub_mini_cmd_dump, ++ N_("ADDR [SIZE]"), N_("Show memory contents.")); + cmd_rmmod = + grub_register_command ("rmmod", grub_mini_cmd_rmmod, + N_("MODULE"), N_("Remove a module.")); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 6f0c8a133f..bd0c9d2601 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -32,6 +32,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45776.patch \ file://CVE-2024-45777.patch \ file://CVE-2025-0690.patch \ + file://CVE-2025-1118.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58720 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7546C282EC for ; Tue, 11 Mar 2025 18:15:52 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.17578.1741716951276213823 for ; Tue, 11 Mar 2025 11:15:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=kGzZ0wU8; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-2025031118154936d717286fe194ff11-y2uiew@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2025031118154936d717286fe194ff11 for ; Tue, 11 Mar 2025 19:15:49 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=sapf3b/HPKpme3kaa20JZ65xk5YrCWrK+6DQlsZCF20=; b=kGzZ0wU8+NrwN+9BF2Cctgnd7keQYL4a3YKIzDpboaTbyfTBPUXENKFWUkHNWQzVmCb7o1 HKVOG4wYG9R6ovhbDl3Jb31fP4pI6GEhTMwlp451eGeiM/g6KovQRTydlQQOsNAIrQf/w+bA PZDqxQhJLugIj7kLvv/EZ/VfHbUUB7YeIvaxfPD1WamtkcLvipoNDrbbvEMLxbfKUwWABzdA 1AfHi6Oe51p0gnPP4ufU7Qb//IlXeXDip+boPD+8HsmgYNN9pNXAaDPK+ykZzXi6h+ci2k3l Vo8LoxGP0uLTN24CMdNlRRibp8iRBh7hZdjNfWFSJVspr7dwOtySoOFg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 15/17] grub: patch CVE-2024-45778 and CVE-2024-45779 Date: Tue, 11 Mar 2025 19:14:22 +0100 Message-Id: <20250311181424.8837-15-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:15:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212610 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2024-45778_CVE-2024-45779.patch | 55 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch new file mode 100644 index 0000000000..eba013897f --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch @@ -0,0 +1,55 @@ +From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Sat, 23 Mar 2024 15:59:43 +1100 +Subject: [PATCH] fs/bfs: Disable under lockdown + +The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown. +This will also disable the AFS. + +Fixes: CVE-2024-45778 +Fixes: CVE-2024-45779 + +Reported-by: Nils Langius +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45778 +CVE: CVE-2024-45779 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=] +Signed-off-by: Peter Marko +--- + grub-core/fs/bfs.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c +index 022f69fe2..78aeb051f 100644 +--- a/grub-core/fs/bfs.c ++++ b/grub-core/fs/bfs.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1106,7 +1107,10 @@ GRUB_MOD_INIT (bfs) + { + COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE == + sizeof (struct grub_bfs_extent)); +- grub_fs_register (&grub_bfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_bfs_fs); ++ } + } + + #ifdef MODE_AFS +@@ -1115,5 +1119,6 @@ GRUB_MOD_FINI (afs) + GRUB_MOD_FINI (bfs) + #endif + { +- grub_fs_unregister (&grub_bfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_bfs_fs); + } diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bd0c9d2601..d187ffedc4 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -33,6 +33,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45777.patch \ file://CVE-2025-0690.patch \ file://CVE-2025-1118.patch \ + file://CVE-2024-45778_CVE-2024-45779.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58724 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0DDEDC282EC for ; Tue, 11 Mar 2025 18:16:03 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.17350.1741716953240830819 for ; Tue, 11 Mar 2025 11:15:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=Ny4fbXmW; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250311181551d8729203fa4fdc7d76-ujkbnf@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250311181551d8729203fa4fdc7d76 for ; Tue, 11 Mar 2025 19:15:51 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=GFlIjvT29XlItIsGeKr/x8AdSOTbnOnvVzq25jvktUo=; b=Ny4fbXmWIMM7+iDJ1vnDd31PxkBLbI7XrT7jjaG+GC1+6Diza71aDb7kKQ+ICJbX8EFaBs YXDzcPS7/P5BO+hABiJwqQoQojxeueIrQ4zB0FpLZeku/F2XdYa5Z59sxhG2K6xtoeNoElPg WhH9f/Qwrq6/F1cQ41layorkjNI+2jslahiHn9ZMtsVm2g6oW+4E9PixpOgbZH2gIKiUlU+1 Eox5HWFRaLH/8q9bSLmQRrghu+j1szzCJfHYjZ82iYvSkdXBtfV41vbuJoN8rNDlM4dGird8 cWKVv+wrrye43pHS5iEK1IznU6LZsvVx5dYBj+PLsE0p3pVghe3/HdsQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 16/17] grub: patch CVE-2025-0677, CVE-2025-0684, CVE-2025-0685, CVE-2025-0686 and CVE-2025-0689 Date: Tue, 11 Mar 2025 19:14:23 +0100 Message-Id: <20250311181424.8837-16-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:16:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212611 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- ...025-0685_CVE-2025-0686_CVE-2025-0689.patch | 377 ++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 378 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch new file mode 100644 index 0000000000..d5563cecc4 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch @@ -0,0 +1,377 @@ +From 47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Sat, 23 Mar 2024 16:20:45 +1100 +Subject: [PATCH] fs: Disable many filesystems under lockdown + +The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat, +hfsplus, iso9660, squash4, tar, xfs and zfs. + +The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were +reported by Jonathan Bar Or . + +Fixes: CVE-2025-0677 +Fixes: CVE-2025-0684 +Fixes: CVE-2025-0685 +Fixes: CVE-2025-0686 +Fixes: CVE-2025-0689 + +Suggested-by: Daniel Axtens +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0677 +CVE: CVE-2025-0684 +CVE: CVE-2025-0685 +CVE: CVE-2025-0686 +CVE: CVE-2025-0689 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10] +Signed-off-by: Peter Marko +--- + grub-core/fs/affs.c | 9 +++++++-- + grub-core/fs/cbfs.c | 9 +++++++-- + grub-core/fs/jfs.c | 9 +++++++-- + grub-core/fs/minix.c | 9 +++++++-- + grub-core/fs/nilfs2.c | 9 +++++++-- + grub-core/fs/ntfs.c | 9 +++++++-- + grub-core/fs/reiserfs.c | 9 +++++++-- + grub-core/fs/romfs.c | 9 +++++++-- + grub-core/fs/sfs.c | 9 +++++++-- + grub-core/fs/udf.c | 9 +++++++-- + grub-core/fs/ufs.c | 9 +++++++-- + 11 files changed, 77 insertions(+), 22 deletions(-) + +diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c +index ed606b3f1..352f5d232 100644 +--- a/grub-core/fs/affs.c ++++ b/grub-core/fs/affs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -703,11 +704,15 @@ static struct grub_fs grub_affs_fs = + + GRUB_MOD_INIT(affs) + { +- grub_fs_register (&grub_affs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_affs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(affs) + { +- grub_fs_unregister (&grub_affs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_affs_fs); + } +diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c +index 8ab7106af..f6349df34 100644 +--- a/grub-core/fs/cbfs.c ++++ b/grub-core/fs/cbfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -390,12 +391,16 @@ GRUB_MOD_INIT (cbfs) + #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN) + init_cbfsdisk (); + #endif +- grub_fs_register (&grub_cbfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_cbfs_fs); ++ } + } + + GRUB_MOD_FINI (cbfs) + { +- grub_fs_unregister (&grub_cbfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_cbfs_fs); + #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN) + fini_cbfsdisk (); + #endif +diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c +index 6f7c43904..c0bbab8a9 100644 +--- a/grub-core/fs/jfs.c ++++ b/grub-core/fs/jfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -963,11 +964,15 @@ static struct grub_fs grub_jfs_fs = + + GRUB_MOD_INIT(jfs) + { +- grub_fs_register (&grub_jfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_jfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(jfs) + { +- grub_fs_unregister (&grub_jfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_jfs_fs); + } +diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c +index 5354951d1..c267298b5 100644 +--- a/grub-core/fs/minix.c ++++ b/grub-core/fs/minix.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -734,7 +735,10 @@ GRUB_MOD_INIT(minix) + #endif + #endif + { +- grub_fs_register (&grub_minix_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_minix_fs); ++ } + my_mod = mod; + } + +@@ -756,5 +760,6 @@ GRUB_MOD_FINI(minix) + #endif + #endif + { +- grub_fs_unregister (&grub_minix_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_minix_fs); + } +diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c +index fc7374ead..08abf173f 100644 +--- a/grub-core/fs/nilfs2.c ++++ b/grub-core/fs/nilfs2.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1231,11 +1232,15 @@ GRUB_MOD_INIT (nilfs2) + grub_nilfs2_dat_entry)); + COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE + == sizeof (struct grub_nilfs2_inode)); +- grub_fs_register (&grub_nilfs2_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_nilfs2_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (nilfs2) + { +- grub_fs_unregister (&grub_nilfs2_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_nilfs2_fs); + } +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index de435aa14..8cc2ba3d5 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1320,11 +1321,15 @@ static struct grub_fs grub_ntfs_fs = + + GRUB_MOD_INIT (ntfs) + { +- grub_fs_register (&grub_ntfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_ntfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (ntfs) + { +- grub_fs_unregister (&grub_ntfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_ntfs_fs); + } +diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c +index 36b26ac98..cdef2eba0 100644 +--- a/grub-core/fs/reiserfs.c ++++ b/grub-core/fs/reiserfs.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1417,11 +1418,15 @@ static struct grub_fs grub_reiserfs_fs = + + GRUB_MOD_INIT(reiserfs) + { +- grub_fs_register (&grub_reiserfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_reiserfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(reiserfs) + { +- grub_fs_unregister (&grub_reiserfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_reiserfs_fs); + } +diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c +index 1f7dcfca1..acf8dd21e 100644 +--- a/grub-core/fs/romfs.c ++++ b/grub-core/fs/romfs.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -475,10 +476,14 @@ static struct grub_fs grub_romfs_fs = + + GRUB_MOD_INIT(romfs) + { +- grub_fs_register (&grub_romfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_romfs_fs); ++ } + } + + GRUB_MOD_FINI(romfs) + { +- grub_fs_unregister (&grub_romfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_romfs_fs); + } +diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c +index 983e88008..f64bdd2df 100644 +--- a/grub-core/fs/sfs.c ++++ b/grub-core/fs/sfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + GRUB_MOD_LICENSE ("GPLv3+"); +@@ -779,11 +780,15 @@ static struct grub_fs grub_sfs_fs = + + GRUB_MOD_INIT(sfs) + { +- grub_fs_register (&grub_sfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_sfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(sfs) + { +- grub_fs_unregister (&grub_sfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_sfs_fs); + } +diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c +index b836e6107..a60643be1 100644 +--- a/grub-core/fs/udf.c ++++ b/grub-core/fs/udf.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1455,11 +1456,15 @@ static struct grub_fs grub_udf_fs = { + + GRUB_MOD_INIT (udf) + { +- grub_fs_register (&grub_udf_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_udf_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (udf) + { +- grub_fs_unregister (&grub_udf_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_udf_fs); + } +diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c +index 01235101b..6b496e7b8 100644 +--- a/grub-core/fs/ufs.c ++++ b/grub-core/fs/ufs.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -899,7 +900,10 @@ GRUB_MOD_INIT(ufs1) + #endif + #endif + { +- grub_fs_register (&grub_ufs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_ufs_fs); ++ } + my_mod = mod; + } + +@@ -913,6 +917,7 @@ GRUB_MOD_FINI(ufs1) + #endif + #endif + { +- grub_fs_unregister (&grub_ufs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_ufs_fs); + } + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index d187ffedc4..a9d55ba015 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -34,6 +34,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0690.patch \ file://CVE-2025-1118.patch \ file://CVE-2024-45778_CVE-2024-45779.patch \ + file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:14:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58723 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0DE20C28B2F for ; Tue, 11 Mar 2025 18:16:03 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.17578.1741716951276213823 for ; Tue, 11 Mar 2025 11:15:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=ZAEYRVi/; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-2025031118155330b0bdf91597a5e038-sbdrwm@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2025031118155330b0bdf91597a5e038 for ; Tue, 11 Mar 2025 19:15:53 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=ZCEgxF6rDIuU+7bW4XD0tZ1HzT8lQojVUBHXVGdlSHM=; b=ZAEYRVi/y+yokHhjxaudmUri7jPCP9lFz5LUuzrK8tskf7YAdJBuDi8pZUpEuYccPJFdrQ atyd6wzfBfd/k1xnt5Vx8UZ4y6IQNqvloEgnyYPWed/lSUvfJv7e72Kn9xe1QqgpvexGPTIm rMwdxgxGfVBF5daOykzTLjdhF8ue/6RibMfwyl2i9tZQ17FDMlaDL1yC1wE7jLXakKXHIs8i ZeGC0o1C+6rBTnjLdOF4l2puLrNm5bk6Xj80TWnvkvTsjvTncjjpUSmCgUCEt2UecZyuLuH3 hyrV00QD5EyJRLjuPP8tdr9R5UpFy8/p4umgf4F4peNz1umPyTazJRdA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][styhead][PATCH 17/17] grub: patch CVE-2025-0678 and CVE-2025-1125 Date: Tue, 11 Mar 2025 19:14:24 +0100 Message-Id: <20250311181424.8837-17-peter.marko@siemens.com> In-Reply-To: <20250311181424.8837-1-peter.marko@siemens.com> References: <20250311181424.8837-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:16:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212612 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2025-0678_CVE-2025-1125.patch | 87 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch new file mode 100644 index 0000000000..14e67cf35b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch @@ -0,0 +1,87 @@ +From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Tue, 21 Jan 2025 19:02:37 +0000 +Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays + +Use grub_calloc() when allocating memory for arrays to ensure proper +overflow checks are in place. + +The HFS+ and squash4 security vulnerabilities were reported by +Jonathan Bar Or . + +Fixes: CVE-2025-0678 +Fixes: CVE-2025-1125 + +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0678 +CVE: CVE-2025-1125 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e] +Signed-off-by: Peter Marko +--- + grub-core/fs/btrfs.c | 4 ++-- + grub-core/fs/hfspluscomp.c | 9 +++++++-- + grub-core/fs/squash4.c | 8 ++++---- + 3 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c +index 0625b1166..9c1e925c9 100644 +--- a/grub-core/fs/btrfs.c ++++ b/grub-core/fs/btrfs.c +@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev) + } + + data->n_devices_allocated = 16; +- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0]) +- * data->n_devices_allocated); ++ data->devices_attached = grub_calloc (data->n_devices_allocated, ++ sizeof (data->devices_attached[0])); + if (!data->devices_attached) + { + grub_free (data); +diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c +index 48ae438d8..a80954ee6 100644 +--- a/grub-core/fs/hfspluscomp.c ++++ b/grub-core/fs/hfspluscomp.c +@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node) + return 0; + } + node->compress_index_size = grub_le_to_cpu32 (index_size); +- node->compress_index = grub_malloc (node->compress_index_size +- * sizeof (node->compress_index[0])); ++ node->compress_index = grub_calloc (node->compress_index_size, ++ sizeof (node->compress_index[0])); + if (!node->compress_index) + { + node->compressed = 0; + grub_free (attr_node); + return grub_errno; + } ++ ++ /* ++ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here ++ * due to relevant checks done in grub_calloc() above. ++ */ + if (grub_hfsplus_read_file (node, 0, 0, + 0x104 + sizeof (index_size), + node->compress_index_size +diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c +index f91ff3bfa..cf2bca822 100644 +--- a/grub-core/fs/squash4.c ++++ b/grub-core/fs/squash4.c +@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data, + break; + } + total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz); +- ino->block_sizes = grub_malloc (total_blocks +- * sizeof (ino->block_sizes[0])); +- ino->cumulated_block_sizes = grub_malloc (total_blocks +- * sizeof (ino->cumulated_block_sizes[0])); ++ ino->block_sizes = grub_calloc (total_blocks, ++ sizeof (ino->block_sizes[0])); ++ ino->cumulated_block_sizes = grub_calloc (total_blocks, ++ sizeof (ino->cumulated_block_sizes[0])); + if (!ino->block_sizes || !ino->cumulated_block_sizes) + { + grub_free (ino->block_sizes); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index a9d55ba015..820a30c6c2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -35,6 +35,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-1118.patch \ file://CVE-2024-45778_CVE-2024-45779.patch \ file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \ + file://CVE-2025-0678_CVE-2025-1125.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"