From patchwork Tue Mar 11 18:17:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58725 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A60AC282EC for ; Tue, 11 Mar 2025 18:18:43 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.17671.1741717116911827360 for ; Tue, 11 Mar 2025 11:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=U0reNzMh; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-20250311181834c4d4666ef843cc01ad-tailal@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20250311181834c4d4666ef843cc01ad for ; Tue, 11 Mar 2025 19:18:34 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=Qu83peykJUOWSOAykrPnTnQ9wCG11E37QkEU0tpvIiw=; b=U0reNzMhVc/3i1038z03yj+YXBGs+Wy3apbn51L2KHsHA7H1ziywxPy0+DCFP5E7X31YMd x96XRMYpxq/Yp3khiMABfQTLatwedZPKRJt653mBvvq6hYk8YNunwPLv6uZ9/6hIN3E0clqV yrhyQHG21NfN1cOoyBhVrS3Wv0svQqsJrgrhTn7YM6xevNnvPtoIFfNAZfuBdaFfJRZZmFx6 ZCCv5DYV+LoKvOfl7zuc5/WVw4JMqT12E2nnbYM8hGj2U0fvYEdzX26toQ47HBJZTCgJi+rU m1t5degx0EG5Z7pmKaUxlcmgEDFhzaow+fhl/oT2jgABcmJGk8Lf/l3w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 01/17] grub: drop obsolete CVE statuses Date: Tue, 11 Mar 2025 19:17:09 +0100 Message-Id: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:18:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212613 From: Peter Marko CVE-2021-46705 was needed only with 2.06 CVE-2023-4692 and CVE-2023-4693 were fixed in NVD DB meanwhile Signed-off-by: Peter Marko --- meta/recipes-bsp/grub/grub2.inc | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 54c0e9bdd5..c160d15717 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -24,11 +24,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL" -CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE" CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedora" CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora" -CVE_STATUS[CVE-2023-4692] = "cpe-incorrect: Fixed in version 2.12 already" -CVE_STATUS[CVE-2023-4693] = "cpe-incorrect: Fixed in version 2.12 already" DEPENDS = "flex-native bison-native gettext-native" From patchwork Tue Mar 11 18:17:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58727 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C15BC35FF1 for ; Tue, 11 Mar 2025 18:18:43 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.17673.1741717120467981927 for ; Tue, 11 Mar 2025 11:18:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=dA/Kg/zS; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20250311181838db75445328970a53cd-qtqawr@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20250311181838db75445328970a53cd for ; Tue, 11 Mar 2025 19:18:38 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=nvI+yFTkYrIrlvKlCn/o/ECvt6QfjZyO+/xtp3mUPR0=; b=dA/Kg/zS2afLT7vwsDbdnM9k5oNHl5b/iZeAPOpkpK/GU1fsNrDG3eDni4dfNWvVfVQN9F NKOTFcJj5yBYEpNfkVM0wYVVKv8mXhaQNg1ZQCcUKqQ5w9Sq2iP4p1baXc6g8jxo5T92LaN3 DqlpmdH4HULiDjlLn9t/VfNPHHtQ+gf8WbGB2MC15ln3oVpoAExgh5HKCsdLq9fSHs4ub02z hSIv9nXLNGtPMq/Wihxt7vHCfeqGGVMjYl2ZzC9me+JR1UDovu1pRku2Do62D5v9zlBBKZLC EU3BtPspsVLy1QQ84uTznWKrHmUjMjKJWn7b8lL4boKjmSi9Mxs0L8wg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 02/17] grub: backport strlcpy function Date: Tue, 11 Mar 2025 19:17:10 +0100 Message-Id: <20250311181725.8986-2-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:18:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212614 From: Peter Marko It is used to fix multiple CVEs. Signed-off-by: Peter Marko --- .../0001-misc-Implement-grub_strlcpy.patch | 68 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch diff --git a/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch new file mode 100644 index 0000000000..0ff6dff33a --- /dev/null +++ b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch @@ -0,0 +1,68 @@ +From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sat, 15 Jun 2024 02:33:08 +0100 +Subject: [PATCH 1/2] misc: Implement grub_strlcpy() + +grub_strlcpy() acts the same way as strlcpy() does on most *NIX, +returning the length of src and ensuring dest is always NUL +terminated except when size is 0. + +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f] +Signed-off-by: Peter Marko +--- + include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/include/grub/misc.h b/include/grub/misc.h +index 1578f36c3..14d8f37ac 100644 +--- a/include/grub/misc.h ++++ b/include/grub/misc.h +@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src) + return d - 1; + } + ++static inline grub_size_t ++grub_strlcpy (char *dest, const char *src, grub_size_t size) ++{ ++ char *d = dest; ++ grub_size_t res = 0; ++ /* ++ * We do not subtract one from size here to avoid dealing with underflowing ++ * the value, which is why to_copy is always checked to be greater than one ++ * throughout this function. ++ */ ++ grub_size_t to_copy = size; ++ ++ /* Copy size - 1 bytes to dest. */ ++ if (to_copy > 1) ++ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1) ++ ; ++ ++ /* ++ * NUL terminate if size != 0. The previous step may have copied a NUL byte ++ * if it reached the end of the string, but we know dest[size - 1] must always ++ * be a NUL byte. ++ */ ++ if (size != 0) ++ dest[size - 1] = '\0'; ++ ++ /* If there is still space in dest, but are here, we reached the end of src. */ ++ if (to_copy > 1) ++ return res; ++ ++ /* ++ * If we haven't reached the end of the string, iterate through to determine ++ * the strings total length. ++ */ ++ while (*src++ != '\0' && ++res) ++ ; ++ ++ return res; ++} ++ + /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */ + static inline void * + grub_memcpy (void *dest, const void *src, grub_size_t n) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index c160d15717..f3279f7d2b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://grub-module-explicitly-keeps-symbole-.module_license.patch \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ + file://0001-misc-Implement-grub_strlcpy.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58726 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A6A9C28B2F for ; Tue, 11 Mar 2025 18:18:43 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.17673.1741717120467981927 for ; Tue, 11 Mar 2025 11:18:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=QBwi2aQz; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20250311181841941cec7e993be0ac57-j56kmj@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20250311181841941cec7e993be0ac57 for ; Tue, 11 Mar 2025 19:18:41 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=F/wmdakdfagMfZulR8M3qFnkhB/pgRus4w+ZAUXW8qA=; b=QBwi2aQzdm/+Hc+YG4m4iyBnNDaKHpNB2E/NBEB1yWt50JEQyyMn4mNRVTvUzSkGPHcYpC 83Sax8mni1M3PAZzSrSV7PZRVUMb1mf3fZTWiu7hmo06YWUmMUDknGPXS1xR0WwWaJDJOMhC K9VmB2bvzQ794sBZVe0qZJbg1SC61/3T4T0pT/iFCIv4jJSpPA0uTNzpQ9Za5uddMhiTZIyn VILW/DsPXOvula3h2CkhhdZvT2R0Kr2da9MMB2x2xGiB6bBBcozdoaexqttV5pn9TfOs4zvp TI8bMtjf1QKrtdrggpUow3wT9Bi8LV7OT+dRj36dk0/45tufN018U47A==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 03/17] grup: patch CVE-2024-45781 Date: Tue, 11 Mar 2025 19:17:11 +0100 Message-Id: <20250311181725.8986-3-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:18:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212615 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45781.patch | 35 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45781.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch new file mode 100644 index 0000000000..bd0b6aa04a --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch @@ -0,0 +1,35 @@ +From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 02:03:33 +0100 +Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write + +grub_strcpy() was used to copy a symlink name from the filesystem +image to a heap allocated buffer. This led to a OOB write to adjacent +heap allocations. Fix by using grub_strlcpy(). + +Fixes: CVE-2024-45781 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45781 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba] +Signed-off-by: Peter Marko +--- + grub-core/fs/ufs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c +index a354c92d9..01235101b 100644 +--- a/grub-core/fs/ufs.c ++++ b/grub-core/fs/ufs.c +@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino) + /* Check against zero is paylindromic, no need to swap. */ + if (data->inode.nblocks == 0 + && INODE_SIZE (data) <= sizeof (data->inode.symlink)) +- grub_strcpy (symlink, (char *) data->inode.symlink); ++ grub_strlcpy (symlink, (char *) data->inode.symlink, sz); + else + { + if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index f3279f7d2b..bace594ac4 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ file://0001-misc-Implement-grub_strlcpy.patch \ + file://CVE-2024-45781.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58728 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C4F1C282EC for ; Tue, 11 Mar 2025 18:18:53 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.17673.1741717120467981927 for ; Tue, 11 Mar 2025 11:18:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=HhRrke/2; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20250311181843544f03dc886f994421-4rgzsp@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20250311181843544f03dc886f994421 for ; Tue, 11 Mar 2025 19:18:43 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=csHLZnXvvdqKEEw+R53fiJNaNAN/RNc/qKkuUI8/HS0=; b=HhRrke/2zXGA0YYfqtbf4AE6O2yQ8WSbs+8GLpjBLPiZunTXrFzrsY/Z3dZwPE038ldnJK okl/fsikQG6b3OpUH++G9hxNinMSYH14rB4hro+puhd9hCcDyeDc2mkFkzH9rRvDuEvG81Fv R2TiyGblDu8lHnk9X+IvFdV3TSUfhs30aq9ZW55k0im/wPYTYIpybHRSxxp2BdOiPksASroq lmq0MOnZagdvJLxFh8njqz42CrxTZGKOJr8k8Q2i27yh+edrW+Cz9y/FLGQqyaKRasJVFZMZ kooFpbCoKRXDbYSg93K5d3NZhXHKg3H0hTmD6k7WAXvPq/kuEXrINYug==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 04/17] grub: patch CVE-2024-45782 and CVE-2024-56737 Date: Tue, 11 Mar 2025 19:17:12 +0100 Message-Id: <20250311181725.8986-4-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:18:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212616 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2024-45782_CVE-2024-56737.patch | 36 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch new file mode 100644 index 0000000000..41cc025b81 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch @@ -0,0 +1,36 @@ +From 417547c10410b714e43f08f74137c24015f8f4c3 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 02:48:33 +0100 +Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy() + +Replaced with grub_strlcpy(). + +Fixes: CVE-2024-45782 +Fixes: CVE-2024-56737 +Fixes: https://savannah.gnu.org/bugs/?66599 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45782 +CVE: CVE-2024-56737 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3] +Signed-off-by: Peter Marko +--- + grub-core/fs/hfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c +index 91dc0e69c..920112b03 100644 +--- a/grub-core/fs/hfs.c ++++ b/grub-core/fs/hfs.c +@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk) + volume name. */ + key.parent_dir = grub_cpu_to_be32_compile_time (1); + key.strlen = data->sblock.volname[0]; +- grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1)); ++ grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str)); + + if (grub_hfs_find_node (data, (char *) &key, data->cat_root, + 0, (char *) &dir, sizeof (dir)) == 0) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bace594ac4..8146ead5db 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ file://0001-misc-Implement-grub_strlcpy.patch \ file://CVE-2024-45781.patch \ + file://CVE-2024-45782_CVE-2024-56737.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58730 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 149DFC28B2F for ; Tue, 11 Mar 2025 18:18:53 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.17681.1741717128645084540 for ; Tue, 11 Mar 2025 11:18:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=N4srwvcW; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20250311181846825004d3a420bc04f5-tf6trv@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20250311181846825004d3a420bc04f5 for ; Tue, 11 Mar 2025 19:18:46 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=tdZVdW+W2/mqdLb5dw0CVk55xJFkIf+3/cku8+HK4O0=; b=N4srwvcWbNAfxGy4rhPlykoLwDlEQ/FsJ/3nynbaG11iTrzR1tJDvNjXhyxM57CMBNzQyV mQ+kizO96jSOY2B5NYAWHygM8DsdNdq6nYtv3ACtsK0tQ+pc8tWiU3TMS38FJwMNqpJOFuis aOcKUM2/B/0hn3Xdr6jWPVJOZGn/oGuW3k+BT3sga4EdiqWI7p44sjWP3KCLG/tdejDOdSLj 42TiNVTdwCggvaGMNfNBdp12qYqHOCFNtOj7GDQAp9/2okvwE1yeT4e3Ch8fcsdyr8knZhUE 9wENenKkm6DuNNS82WoD1g22+c8TTtLxX19KiiWz3TuhYyR+h8FaLLAA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 05/17] grub: patch CVE-2024-45780 Date: Tue, 11 Mar 2025 19:17:13 +0100 Message-Id: <20250311181725.8986-5-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:18:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212617 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45780.patch | 93 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45780.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch new file mode 100644 index 0000000000..1de0099f94 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch @@ -0,0 +1,93 @@ +From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:58 +0000 +Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write + +Both namesize and linksize are derived from hd.size, a 12-digit octal +number parsed by read_number(). Later direct arithmetic calculation like +"namesize + 1" and "linksize + 1" may exceed the maximum value of +grub_size_t leading to heap OOB write. This patch fixes the issue by +using grub_add() and checking for an overflow. + +Fixes: CVE-2024-45780 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45780 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3] +Signed-off-by: Peter Marko +--- + grub-core/fs/tar.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c +index 646bce5eb..386c09022 100644 +--- a/grub-core/fs/tar.c ++++ b/grub-core/fs/tar.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + struct head hd; + int reread = 0, have_longname = 0, have_longlink = 0; ++ grub_size_t sz; + + data->hofs = data->next_hofs; + +@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + grub_err_t err; + grub_size_t namesize = read_number (hd.size, sizeof (hd.size)); +- *name = grub_malloc (namesize + 1); ++ ++ if (grub_add (namesize, 1, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow")); ++ ++ *name = grub_malloc (sz); + if (*name == NULL) + return grub_errno; + err = grub_disk_read (data->disk, 0, +@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + { + grub_err_t err; + grub_size_t linksize = read_number (hd.size, sizeof (hd.size)); +- if (data->linkname_alloc < linksize + 1) ++ ++ if (grub_add (linksize, 1, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow")); ++ ++ if (data->linkname_alloc < sz) + { + char *n; +- n = grub_calloc (2, linksize + 1); ++ n = grub_calloc (2, sz); + if (!n) + return grub_errno; + grub_free (data->linkname); + data->linkname = n; +- data->linkname_alloc = 2 * (linksize + 1); ++ data->linkname_alloc = 2 * (sz); + } + + err = grub_disk_read (data->disk, 0, +@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + while (extra_size < sizeof (hd.prefix) + && hd.prefix[extra_size]) + extra_size++; +- *name = grub_malloc (sizeof (hd.name) + extra_size + 2); ++ ++ if (grub_add (sizeof (hd.name) + 2, extra_size, &sz)) ++ return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow")); ++ *name = grub_malloc (sz); + if (*name == NULL) + return grub_errno; + if (hd.prefix[0]) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 8146ead5db..6fa096c57b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-misc-Implement-grub_strlcpy.patch \ file://CVE-2024-45781.patch \ file://CVE-2024-45782_CVE-2024-56737.patch \ + file://CVE-2024-45780.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58729 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18833C35FF1 for ; Tue, 11 Mar 2025 18:18:53 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.17453.1741717132517715471 for ; Tue, 11 Mar 2025 11:18:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=YVwd8BDP; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-202503111818495b68a6fc5215ace552-hqqos4@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202503111818495b68a6fc5215ace552 for ; Tue, 11 Mar 2025 19:18:49 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=M2YSlfyljGqpW5yuTyAKX8ge0ubb4HikoVZBVVZpD8M=; b=YVwd8BDPh4WRW8itnkXpLO8uWXAi0tH7pdFSAIdaUcDNyuLwtnT/wcckvCfTqmRHzcJsTN HTAspUIsfceGttw53B6LimtYKRl+2pV091MYEdZDD0zAu2YUNHhrjdbvdSjKsOzoybXF9W91 UOH38VXcHOxIjY3dSXzMyRNgHjVBqaTAtRQp9FPIT++a3MNzvzijItXu2VnvhGJuM0xFD2I9 iha9i2lDc2ttRfwSvQo0H0UKCnejUU/oaMgOd++UbDgp/NcXSSkauVmyAh52y3RSPR7KnpZr KdrjRKZcRIYd5YBxuGDbiPyHP7AiHpsprukrKduQeAy+e3BgfP1oqHMw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 06/17] grub: patch CVE-2024-45783 Date: Tue, 11 Mar 2025 19:17:14 +0100 Message-Id: <20250311181725.8986-6-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:18:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212618 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45783.patch | 39 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45783.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45783.patch b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch new file mode 100644 index 0000000000..99c769961b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch @@ -0,0 +1,39 @@ +From f7c070a2e28dfab7137db0739fb8db1dc02d8898 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Sun, 12 May 2024 06:22:51 +0100 +Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails + +It was possible for mount to fail but not set grub_errno. This led to +a possible double decrement of the module reference count if the NULL +page was mapped. + +Fixing in general as a similar bug was fixed in commit 61b13c187 +(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there +are likely more variants around. + +Fixes: CVE-2024-45783 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45783 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898] +Signed-off-by: Peter Marko +--- + grub-core/fs/hfsplus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index 295822f69..de71fd486 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -405,7 +405,7 @@ grub_hfsplus_mount (grub_disk_t disk) + + fail: + +- if (grub_errno == GRUB_ERR_OUT_OF_RANGE) ++ if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE) + grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem"); + + grub_free (data); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 6fa096c57b..604c2fe568 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -23,6 +23,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45781.patch \ file://CVE-2024-45782_CVE-2024-56737.patch \ file://CVE-2024-45780.patch \ + file://CVE-2024-45783.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58731 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14BB8C28B2F for ; Tue, 11 Mar 2025 18:19:03 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.17455.1741717135201239395 for ; Tue, 11 Mar 2025 11:18:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=LjZFxraA; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20250311181853c845cb0c4ae44a3905-ka72v4@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20250311181853c845cb0c4ae44a3905 for ; Tue, 11 Mar 2025 19:18:53 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=92JEta+yzPZGk2yXh3F7jtnw3LQDAxgSSybGqzvyzr4=; b=LjZFxraAawCrGDZ0VPcGm/HbwQ0GLvIHQKpCt9nih7iE7SI5x6PmR5LvotPVUSyOuR78Qf DqGrj0ehvLgXnxNIl+azOK9Gn50PCOQYUEFd+uHBWtPfBvMhJ39vz5ds3qA05qOt4AsrHb4/ vd43X1MtJfSu6sPtYuEGkuSey1cwxTqQk4q+tVnriXb3pOkv8NONRXe64+wxVdTe0C8B/3BB gRilLTm9RguSjhXFjMCe9GCueMB1xHT2DUJq1N3sM541op6IX56xpvDJGu/vkTUF7G6s427J qjO7Hwecd9whnhEbgn1cq5w3ROa9ODc6PbLNfpbaWnXmtwyzXV/Pao/g==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 07/17] grub: patch CVE-2025-0624 Date: Tue, 11 Mar 2025 19:17:15 +0100 Message-Id: <20250311181725.8986-7-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212619 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0624.patch | 84 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 85 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0624.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0624.patch b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch new file mode 100644 index 0000000000..229fe6399e --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch @@ -0,0 +1,84 @@ +From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 15 Nov 2024 13:12:09 +0000 +Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file() + +The function included a call to grub_strcpy() which copied data from an +environment variable to a buffer allocated in grub_cmd_normal(). The +grub_cmd_normal() didn't consider the length of the environment variable. +So, the copy operation could exceed the allocation and lead to an OOB +write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and +pass the underlying buffers size to the grub_net_search_config_file(). + +Fixes: CVE-2025-0624 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0624 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1] +Signed-off-by: Peter Marko +--- + grub-core/net/net.c | 7 ++++--- + grub-core/normal/main.c | 2 +- + include/grub/net.h | 2 +- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/grub-core/net/net.c b/grub-core/net/net.c +index 0e41e21a5..9939ff601 100644 +--- a/grub-core/net/net.c ++++ b/grub-core/net/net.c +@@ -1909,14 +1909,15 @@ grub_config_search_through (char *config, char *suffix, + } + + grub_err_t +-grub_net_search_config_file (char *config) ++grub_net_search_config_file (char *config, grub_size_t config_buf_len) + { +- grub_size_t config_len; ++ grub_size_t config_len, suffix_len; + char *suffix; + + config_len = grub_strlen (config); + config[config_len] = '-'; + suffix = config + config_len + 1; ++ suffix_len = config_buf_len - (config_len + 1); + + struct grub_net_network_level_interface *inf; + FOR_NET_NETWORK_LEVEL_INTERFACES (inf) +@@ -1942,7 +1943,7 @@ grub_net_search_config_file (char *config) + + if (client_uuid) + { +- grub_strcpy (suffix, client_uuid); ++ grub_strlcpy (suffix, client_uuid, suffix_len); + if (grub_config_search_through (config, suffix, 1, 0) == 0) + return GRUB_ERR_NONE; + } +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index 90879dc21..838f57fa5 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), + + if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 && + !disable_net_search) +- grub_net_search_config_file (config); ++ grub_net_search_config_file (config, config_len); + + grub_enter_normal_mode (config); + grub_free (config); +diff --git a/include/grub/net.h b/include/grub/net.h +index 228d04963..58a4f83fc 100644 +--- a/include/grub/net.h ++++ b/include/grub/net.h +@@ -579,7 +579,7 @@ void + grub_net_remove_dns_server (const struct grub_net_network_level_address *s); + + grub_err_t +-grub_net_search_config_file (char *config); ++grub_net_search_config_file (char *config, grub_size_t config_buf_len); + + extern char *grub_net_default_server; + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 604c2fe568..9e037e953e 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45782_CVE-2024-56737.patch \ file://CVE-2024-45780.patch \ file://CVE-2024-45783.patch \ + file://CVE-2025-0624.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58732 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E149C282EC for ; Tue, 11 Mar 2025 18:19:03 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.17690.1741717138178873325 for ; Tue, 11 Mar 2025 11:18:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=UiTMqglG; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-2025031118185623028420f1a997c673-od_iib@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2025031118185623028420f1a997c673 for ; Tue, 11 Mar 2025 19:18:56 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=nIKq8S7pvpypQsyontl2Dj9B2yYy2hbiijjCJaTIQTE=; b=UiTMqglGJLZryRedyVfV9AyEDHVJS1lsUfCxPTGWEOt4wkd4PDgdTUfuqHIuodWe6g2fjl /QEXa2ExD2RqbNWVT6AurSIB0WzIS3AUDavxSF9odPZ4+1tYDNM8rCdZjPeVo8+t33NuD++t 2Bfd3KCKOu8ytbjmHlcGia5TSI9r0yb4D7aGHOqPJ5F4y0fhB67FVaWtzGVod76G5bnGUGs/ ZC2AqLLFsCYLCvu7xgSMI2Rl3BCXh4UDiQcL515dgwLGDO0BvzSL6mTqYenIhb2oxGRznWLG YlD6bR2J3T8P7lBqfrOJ6Sl4wfk3ezdca2L6tjLptmNMWi/uyqlRNP7w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 08/17] grub: patch CVE-2024-45774 Date: Tue, 11 Mar 2025 19:17:16 +0100 Message-Id: <20250311181725.8986-8-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212620 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45774.patch | 37 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45774.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45774.patch b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch new file mode 100644 index 0000000000..55aecc17d7 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch @@ -0,0 +1,37 @@ +From 2c34af908ebf4856051ed29e46d88abd2b20387f Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 8 Mar 2024 22:47:20 +1100 +Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in + JPEG + +Otherwise a subsequent header could change the height and width +allowing future OOB writes. + +Fixes: CVE-2024-45774 + +Reported-by: Nils Langius +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45774 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f] +Signed-off-by: Peter Marko +--- + grub-core/video/readers/jpeg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index ae634fd41..631a89356 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) + if (grub_errno != GRUB_ERR_NONE) + return grub_errno; + ++ if (data->image_height != 0 || data->image_width != 0) ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "jpeg: cannot have duplicate SOF0 markers"); ++ + if (grub_jpeg_get_byte (data) != 8) + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "jpeg: only 8-bit precision is supported"); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 9e037e953e..4e13b0eb43 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45780.patch \ file://CVE-2024-45783.patch \ file://CVE-2025-0624.patch \ + file://CVE-2024-45774.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58733 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A028C3DA4A for ; Tue, 11 Mar 2025 18:19:03 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.17690.1741717138178873325 for ; Tue, 11 Mar 2025 11:19:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=W0cOi3DB; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20250311181859b4338abf1bef7a885c-gnwayt@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250311181859b4338abf1bef7a885c for ; Tue, 11 Mar 2025 19:18:59 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=4/teakfX5b77+TiJttfeENza18BGdCbUSA08Utkb284=; b=W0cOi3DBJBNHI82ZqewXe8WoIfv3kppFfd79fOQTGj3rdaEl6UtFmCs8w8u55RBKgwblmq mKAy/AsQljXWDuluiisdHK760Ud9gdBLVYIIbLP/kpWRdSKkT1O2yCUZ6yJ7diQ4jBOthbXt /ygbThzVcFOfI7gJHB/i0Kg72gZzazTsEWKMC8NIsrDolNISpEpKd0G6xMX6A1cwUTrJBqy0 JNujLr5eTIuimBHsnHjHlA4PT7fN2zsTAmbQEJgVFv6GiwhOxrdJCelGuXwunQi3giDQI0ln hpfVd7SVObz2vmywr3IGaNkyftpos2XoXB9OB6Z06DrTgU5+M24aCelw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 09/17] grub: patch CVE-2024-45775 Date: Tue, 11 Mar 2025 19:17:17 +0100 Message-Id: <20250311181725.8986-9-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212621 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45775.patch | 38 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45775.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45775.patch b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch new file mode 100644 index 0000000000..70492b8c2e --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch @@ -0,0 +1,38 @@ +From 05be856a8c3aae41f5df90cab7796ab7ee34b872 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:55 +0000 +Subject: [PATCH] commands/extcmd: Missing check for failed allocation + +The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate +a grub_arg_list struct but it does not verify the allocation was successful. +In case of failed allocation the NULL state pointer can be accessed in +parse_option() through grub_arg_parse() which may lead to a security issue. + +Fixes: CVE-2024-45775 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45775 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872] +Signed-off-by: Peter Marko +--- + grub-core/commands/extcmd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c +index 90a5ca24a..c236be13a 100644 +--- a/grub-core/commands/extcmd.c ++++ b/grub-core/commands/extcmd.c +@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args, + } + + state = grub_arg_list_alloc (ext, argc, args); ++ if (state == NULL) ++ return grub_errno; ++ + if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc)) + { + context.state = state; diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 4e13b0eb43..0378d5ee72 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45783.patch \ file://CVE-2025-0624.patch \ file://CVE-2024-45774.patch \ + file://CVE-2024-45775.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58736 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1561BC282EC for ; Tue, 11 Mar 2025 18:19:13 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.17459.1741717144815181125 for ; Tue, 11 Mar 2025 11:19:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=RF4qBb16; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-2025031118190243d9bd769394ea6c8a-ymmfno@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2025031118190243d9bd769394ea6c8a for ; Tue, 11 Mar 2025 19:19:02 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=Ed/eL2PVX2Xl5XkZPFsiCtOPPnighNMdzP276pmg7G8=; b=RF4qBb16HOs8lMeAjOvWbVnmtFvCftag1anuQYCADcfexgF6yFnYdiG2hLG5M/g7/ACUPP im8JsOB+f1J4yZnHGEni4vTs2+7KJ4lOBBXckToDga5Xs21eYtFuce5/ReYZKV/NCrrfOHSR 3eHirHmxkjSLrNCX3JRbLQfLuRUvnKFrS9qx86VxBs7zAdcxtXGLelwfF9iaP+anixLddAo1 TkAZOGdLsOh6RYKd+Zn4MkNaA1l1ekvyFRF/I7PzVDEzLruG+0NalEBJOlN2d0PRL7CjrWJY awYBPTj4iaKN9M9nRwkpAfakXb7/guuFRW7EEDieC6Stm421y4y0m8LA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 10/17] grub: patch CVE-2025-0622 Date: Tue, 11 Mar 2025 19:17:18 +0100 Message-Id: <20250311181725.8986-10-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212622 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0622-01.patch | 35 ++++++++++++++++ .../grub/files/CVE-2025-0622-02.patch | 41 +++++++++++++++++++ .../grub/files/CVE-2025-0622-03.patch | 38 +++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 3 ++ 4 files changed, 117 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch new file mode 100644 index 0000000000..09dbfce5f8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch @@ -0,0 +1,35 @@ +From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 19:24:29 +0000 +Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on + module unload + +If the hooks are not removed they can be called after the module has +been unloaded leading to an use-after-free. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726] +Signed-off-by: Peter Marko +--- + grub-core/commands/pgp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c +index c6766f044..5fadc33c4 100644 +--- a/grub-core/commands/pgp.c ++++ b/grub-core/commands/pgp.c +@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp) + + GRUB_MOD_FINI(pgp) + { ++ grub_register_variable_hook ("check_signatures", NULL, NULL); ++ grub_env_unset ("check_signatures"); + grub_verifier_unregister (&grub_pubkey_verifier); + grub_unregister_extcmd (cmd); + grub_unregister_extcmd (cmd_trust); diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch new file mode 100644 index 0000000000..be01da3355 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch @@ -0,0 +1,41 @@ +From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 23:46:55 +0000 +Subject: [PATCH 2/3] normal: Remove variables hooks on module unload + +The normal module does not entirely cleanup after itself in +its GRUB_MOD_FINI() leaving a few variables hooks in place. +It is not possible to unload normal module now but fix the +issues for completeness. + +On the occasion replace 0s with NULLs for "pager" variable +hooks unregister. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67] +Signed-off-by: Peter Marko +--- + grub-core/normal/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index 838f57fa5..04d058f55 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -582,7 +582,9 @@ GRUB_MOD_FINI(normal) + grub_xputs = grub_xputs_saved; + + grub_set_history (0); +- grub_register_variable_hook ("pager", 0, 0); ++ grub_register_variable_hook ("pager", NULL, NULL); ++ grub_register_variable_hook ("color_normal", NULL, NULL); ++ grub_register_variable_hook ("color_highlight", NULL, NULL); + grub_fs_autoload_hook = 0; + grub_unregister_command (cmd_clear); + } diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch new file mode 100644 index 0000000000..79078a4350 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch @@ -0,0 +1,38 @@ +From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Fri, 1 Nov 2024 23:52:06 +0000 +Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload + +The gettext module does not entirely cleanup after itself in +its GRUB_MOD_FINI() leaving a few variables hooks in place. +It is not possible to unload gettext module because normal +module depends on it. Though fix the issues for completeness. + +Fixes: CVE-2025-0622 + +Reported-by: B Horn +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0622 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index 7a1c14e4f..e4f4f8ee6 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -535,6 +535,10 @@ GRUB_MOD_INIT (gettext) + + GRUB_MOD_FINI (gettext) + { ++ grub_register_variable_hook ("locale_dir", NULL, NULL); ++ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL); ++ grub_register_variable_hook ("lang", NULL, NULL); ++ + grub_gettext_delete_list (&main_context); + grub_gettext_delete_list (&secondary_context); + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 0378d5ee72..3c8860948c 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -27,6 +27,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0624.patch \ file://CVE-2024-45774.patch \ file://CVE-2024-45775.patch \ + file://CVE-2025-0622-01.patch \ + file://CVE-2025-0622-02.patch \ + file://CVE-2025-0622-03.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58734 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D02FC28B2F for ; Tue, 11 Mar 2025 18:19:13 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.17460.1741717146583858526 for ; Tue, 11 Mar 2025 11:19:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=A/7vR3cX; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20250311181904c00866b07f5552735b-fibul3@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250311181904c00866b07f5552735b for ; Tue, 11 Mar 2025 19:19:04 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=0daL3X6isGzKyuywJVKlh9chzrNA5Tbhbn8FqxsbMJI=; b=A/7vR3cXYA5MAkSEuM8NeA4Us5werncWp4hAt2QkMOmhdupZOA9aS40YX1OptnMSjGDqxP sneU8+qa7E82oB6eYjouwMJSEa4Vg97eZzddC7/LYbCKkK42CwoH9RtqVoRJ2sYDxnA1U66r ed4Qwg3TcvVKQbrz1/I4Bu4ISgTnevzOf/6ejM6z/o17d+UPfeXl9Pcn5mAfFD/aukiPuEBy SoIe8bdkj1WFgdAnH/NvANCbZXF1CIbWAhIyB9hEt3JIkDfMLnejY6UDTsO3ISASWj7mEBo+ 2YpvnsBsBTDb7R0pK5n1CJtbgv5efzppRkTVbkaLXMEFd2feNto/sj6Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 11/17] grub: patch CVE-2024-45776 Date: Tue, 11 Mar 2025 19:17:19 +0100 Message-Id: <20250311181725.8986-11-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212623 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45776.patch | 39 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45776.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45776.patch b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch new file mode 100644 index 0000000000..8deea958b8 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch @@ -0,0 +1,39 @@ +From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:56 +0000 +Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read + +Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may +overflow leading to subsequent OOB write or read. This patch fixes the +issue by replacing grub_zalloc() and explicit multiplication with +grub_calloc() which does the same thing in safe manner. + +Fixes: CVE-2024-45776 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45776 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index e4f4f8ee6..63bb1ab73 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx, + for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log; + ctx->grub_gettext_max_log++); + +- ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max +- * sizeof (ctx->grub_gettext_msg_list[0])); ++ ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max, ++ sizeof (ctx->grub_gettext_msg_list[0])); + if (!ctx->grub_gettext_msg_list) + { + grub_file_close (fd); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3c8860948c..e4dca6613c 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-01.patch \ file://CVE-2025-0622-02.patch \ file://CVE-2025-0622-03.patch \ + file://CVE-2024-45776.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58735 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19D6CC35FF2 for ; Tue, 11 Mar 2025 18:19:13 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.17697.1741717148854679521 for ; Tue, 11 Mar 2025 11:19:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=d+ZNdc2Q; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2025031118190627e5f53f36e5c0ef5a-jkfbol@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2025031118190627e5f53f36e5c0ef5a for ; Tue, 11 Mar 2025 19:19:06 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=W4PJibjXZr7Uqt6n/gEWkl4pk7Gr/uTR7YU8g8puu0w=; b=d+ZNdc2Q6wiIWEjVBIzuBwDID4eeJ6ZB7XDp0RNCJEBOSUqQO2/JDmeJJZXhPaXiyJvp3O KyE1TtW1Fhv2JXma5z8takckGnbJYJcgtcVh61Yhl24IYG4ztEoSoudzd4Fq1LmAYLBpe3cP AhNYlLC+GT90TrpH+NCDynObiL/CPImtnR9/pX9yp6kmNCuD5+z1xrXhS57Sqi0PuPFTCaBP qqWEJie/mhoTUgz2p2ZtSxU6PIiJ/JuSFGE5U8qhSAGGidrwuUmCGDequb11+yC3avUXs5bM RtXyqGvKEROb+YZ2jKvBBGOq4qIeUi2U8lUShdQvw+cjq9RgQur5Zf/Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 12/17] grub: patch CVE-2024-45777 Date: Tue, 11 Mar 2025 19:17:20 +0100 Message-Id: <20250311181725.8986-12-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212624 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2024-45777.patch | 57 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45777.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch new file mode 100644 index 0000000000..0305a95fd5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch @@ -0,0 +1,57 @@ +From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Fri, 22 Nov 2024 06:27:57 +0000 +Subject: [PATCH] gettext: Integer overflow leads to heap OOB write + +The size calculation of the translation buffer in +grub_gettext_getstr_from_position() may overflow +to 0 leading to heap OOB write. This patch fixes +the issue by using grub_add() and checking for +an overflow. + +Fixes: CVE-2024-45777 + +Reported-by: Nils Langius +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper +Reviewed-by: Alec Brown + +CVE: CVE-2024-45777 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515] +Signed-off-by: Peter Marko +--- + grub-core/gettext/gettext.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index 63bb1ab73..9ffc73428 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx, + char *translation; + struct string_descriptor desc; + grub_err_t err; ++ grub_size_t alloc_sz; + + internal_position = (off + position * sizeof (desc)); + +@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx, + length = grub_cpu_to_le32 (desc.length); + offset = grub_cpu_to_le32 (desc.offset); + +- translation = grub_malloc (length + 1); ++ if (grub_add (length, 1, &alloc_sz)) ++ return NULL; ++ ++ translation = grub_malloc (alloc_sz); + if (!translation) + return NULL; + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index e4dca6613c..fb33c2bd98 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -31,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-02.patch \ file://CVE-2025-0622-03.patch \ file://CVE-2024-45776.patch \ + file://CVE-2024-45777.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58737 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19CA4C2BA1B for ; Tue, 11 Mar 2025 18:19:13 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.17699.1741717151419383529 for ; Tue, 11 Mar 2025 11:19:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=UP4ddNeV; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20250311181909c2e6a001e88e808015-yvptby@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20250311181909c2e6a001e88e808015 for ; Tue, 11 Mar 2025 19:19:09 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=pSXA0qoazkUbYpcYwJU0cdpHp22QdVh3fReTMJfr1tg=; b=UP4ddNeVVsXkkezpmQeUwasWcv9amKHOZvZ9/DxJ243p8no1md9WzxZhtYUVjrze82jWTJ f56YZXBKSCVtdcLGwBk7Hmf+q2/sG06JOU32SrH3zOR5mGWdkvBAQmFeeVEUvYlWwnaFfurJ XXsM7ahpUaWjNYwGZDf4c8eJj3QSYd9H8H00GSbjf/U12zQTHGCKVdyVAyqNCJ/ln6VsBCSH putUJkr3nlp55TcU8GJDgGWM0wUoDimLNkZnBR/iyMmZJfeudUlrt1FsLdFwcXf1nzpkoPCt HhVtLl8EQt5aTfJ8nZXcWB3uYF7EpfpprorlUB6qP13Une1UQFo2nAvA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 13/17] grub: patch CVE-2025-0690 Date: Tue, 11 Mar 2025 19:17:21 +0100 Message-Id: <20250311181725.8986-13-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212625 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-0690.patch | 73 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0690.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch new file mode 100644 index 0000000000..be585c96ad --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch @@ -0,0 +1,73 @@ +From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001 +From: Jonathan Bar Or +Date: Thu, 23 Jan 2025 19:17:05 +0100 +Subject: [PATCH] commands/read: Fix an integer overflow when supplying more + than 2^31 characters + +The grub_getline() function currently has a signed integer variable "i" +that can be overflown when user supplies more than 2^31 characters. +It results in a memory corruption of the allocated line buffer as well +as supplying large negative values to grub_realloc(). + +Fixes: CVE-2025-0690 + +Reported-by: Jonathan Bar Or +Signed-off-by: Jonathan Bar Or +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0690 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc] +Signed-off-by: Peter Marko +--- + grub-core/commands/read.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c +index 597c90706..8d72e45c9 100644 +--- a/grub-core/commands/read.c ++++ b/grub-core/commands/read.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] = + static char * + grub_getline (int silent) + { +- int i; ++ grub_size_t i; + char *line; + char *tmp; + int c; ++ grub_size_t alloc_size; + + i = 0; +- line = grub_malloc (1 + i + sizeof('\0')); ++ line = grub_malloc (1 + sizeof('\0')); + if (! line) + return NULL; + +@@ -59,8 +61,17 @@ grub_getline (int silent) + line[i] = (char) c; + if (!silent) + grub_printf ("%c", c); +- i++; +- tmp = grub_realloc (line, 1 + i + sizeof('\0')); ++ if (grub_add (i, 1, &i)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ if (grub_add (i, 1 + sizeof('\0'), &alloc_size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ tmp = grub_realloc (line, alloc_size); + if (! tmp) + { + grub_free (line); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index fb33c2bd98..af6f434c5f 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -32,6 +32,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0622-03.patch \ file://CVE-2024-45776.patch \ file://CVE-2024-45777.patch \ + file://CVE-2025-0690.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58740 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 172DEC28B2F for ; Tue, 11 Mar 2025 18:19:23 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.17699.1741717151419383529 for ; Tue, 11 Mar 2025 11:19:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=DfZqLgqW; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2025031118191290d97e8dfcb50fd5c0-yhiwiz@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2025031118191290d97e8dfcb50fd5c0 for ; Tue, 11 Mar 2025 19:19:12 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=U1gVEr6FazRKeHYwokNU5D8KZGNFJIt0z7eykoiCgLg=; b=DfZqLgqW1OdxG//1fqFHh/h1k9HyBcUxxYaA2WvwVBAPxb0rGugJHxcqgV/jSA4/QbioWh 8d6KtJG6A2JCEsD7MvjZ14nhW+t2kfLr15xZoTzydEqOyfVFefui4E0F7CJRBJpohn7KnfKM leJtbtpHM+UMJ95oxQiKgN33G1kSRiV2Kj0TXVNg2k8V+RErz1YF2lMXd+KAjbEDSsIzTcPo 483k8a1BLMen+slg0HvVZbu5DfiTdm62LMiiDhNlT3AUUaUIYar03YpJHISszOsv1MQPTGr5 zWtVn2mClh1NiiUpQ28jFNmxMrtjlSLOnRc79qnzG9Zz1998b3a0CMvQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 14/17] grub: patch CVE-2025-1118 Date: Tue, 11 Mar 2025 19:17:22 +0100 Message-Id: <20250311181725.8986-14-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212626 From: Peter Marko Cherry-pick patch mentioning this CVE. Signed-off-by: Peter Marko --- .../grub/files/CVE-2025-1118.patch | 37 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-1118.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-1118.patch b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch new file mode 100644 index 0000000000..e6906d909c --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch @@ -0,0 +1,37 @@ +From 34824806ac6302f91e8cabaa41308eaced25725f Mon Sep 17 00:00:00 2001 +From: B Horn +Date: Thu, 18 Apr 2024 20:29:39 +0100 +Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode + +The dump enables a user to read memory which should not be possible +in lockdown mode. + +Fixes: CVE-2025-1118 + +Reported-by: B Horn +Reported-by: Jonathan Bar Or +Signed-off-by: B Horn +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-1118 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f] +Signed-off-by: Peter Marko +--- + grub-core/commands/minicmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c +index 286290866..8c5ee3e60 100644 +--- a/grub-core/commands/minicmd.c ++++ b/grub-core/commands/minicmd.c +@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd) + grub_register_command ("help", grub_mini_cmd_help, + 0, N_("Show this message.")); + cmd_dump = +- grub_register_command ("dump", grub_mini_cmd_dump, +- N_("ADDR [SIZE]"), N_("Show memory contents.")); ++ grub_register_command_lockdown ("dump", grub_mini_cmd_dump, ++ N_("ADDR [SIZE]"), N_("Show memory contents.")); + cmd_rmmod = + grub_register_command ("rmmod", grub_mini_cmd_rmmod, + N_("MODULE"), N_("Remove a module.")); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index af6f434c5f..dbceaf9931 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -33,6 +33,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45776.patch \ file://CVE-2024-45777.patch \ file://CVE-2025-0690.patch \ + file://CVE-2025-1118.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58739 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 11C21C282EC for ; Tue, 11 Mar 2025 18:19:23 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.17701.1741717156545316565 for ; Tue, 11 Mar 2025 11:19:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=SRh4mtkh; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20250311181914e432738cd294ac4949-vo82ts@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250311181914e432738cd294ac4949 for ; Tue, 11 Mar 2025 19:19:14 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=wANuO3wvE6+OVYkfSjcBR86vI82eCCm91hi00X6A2tI=; b=SRh4mtkh6hx5RwwfuUZiae3iTdLsQcmX6+Pc9L7n0u6xmRt7rEvXBktOp4lhf+Ft5C0sII BCfKMFK1fRWvZObcyGbFW7pMjyhfysxB58DuoMOkJhc4DUIuK+vlh6rOSa6xJ6WV6KHw3zv5 6PQYNjG4TKy2rUSOAKLglTE3cwM0yNKP8HfAozjMhjXOubATjYanNIUs58VbnFTYVZCJXj3i GO/Rv/TmQ9W/un7f18d48FvsxK4+PrmtuAwfnuBw79ZIs9cDP3x8pTL6WTT/xknXeYUSX2vm Q54AzuxqQXaNzzcCPqdiytYDFHyDYP1WPzQyU2qLSEb8u6ULdYTzDGuQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 15/17] grub: patch CVE-2024-45778 and CVE-2024-45779 Date: Tue, 11 Mar 2025 19:17:23 +0100 Message-Id: <20250311181725.8986-15-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212627 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2024-45778_CVE-2024-45779.patch | 55 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch new file mode 100644 index 0000000000..eba013897f --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch @@ -0,0 +1,55 @@ +From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Sat, 23 Mar 2024 15:59:43 +1100 +Subject: [PATCH] fs/bfs: Disable under lockdown + +The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown. +This will also disable the AFS. + +Fixes: CVE-2024-45778 +Fixes: CVE-2024-45779 + +Reported-by: Nils Langius +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2024-45778 +CVE: CVE-2024-45779 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=] +Signed-off-by: Peter Marko +--- + grub-core/fs/bfs.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c +index 022f69fe2..78aeb051f 100644 +--- a/grub-core/fs/bfs.c ++++ b/grub-core/fs/bfs.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1106,7 +1107,10 @@ GRUB_MOD_INIT (bfs) + { + COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE == + sizeof (struct grub_bfs_extent)); +- grub_fs_register (&grub_bfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_bfs_fs); ++ } + } + + #ifdef MODE_AFS +@@ -1115,5 +1119,6 @@ GRUB_MOD_FINI (afs) + GRUB_MOD_FINI (bfs) + #endif + { +- grub_fs_unregister (&grub_bfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_bfs_fs); + } diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index dbceaf9931..ef16242ed3 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -34,6 +34,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2024-45777.patch \ file://CVE-2025-0690.patch \ file://CVE-2025-1118.patch \ + file://CVE-2024-45778_CVE-2024-45779.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58741 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 206C2C35FF1 for ; Tue, 11 Mar 2025 18:19:23 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.17465.1741717158311463493 for ; Tue, 11 Mar 2025 11:19:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=SV53kqLI; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-2025031118191692a364879058a0abaf-ghlh_9@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 2025031118191692a364879058a0abaf for ; Tue, 11 Mar 2025 19:19:16 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=0vNJqo49hgXKb983BQOCeFnC/cTRqc3TDxQemORdkMM=; b=SV53kqLIzbJ1x8wc0A8Rg+8yM+hqiB+dJj9AKbj1WQ871+F3Xj+McJOZvdJ1SqP00cCb+w 68PFMM71F1VhUCbqxZNukadabJUw04kytvCl6uXyDc3/5/8tKRQnOi5uTzCX8DA5ipqnxj7p vi3l0nPH1w1yGQnASIb3++XpIeEznVqUkaFoLByZ3d4Gw8w1jK7cje0cQBaTb0Jp8U4SBBFp tY2rRtKOHR+V54rTtfvS2HpvHkxOvJkjsyHVqZrM+f55smxQuBbyrwMwrOFEAzk204wgMmNU abJxW0yO1qGAvoxOrPQUTs0AuO1eAlmj2EXMRmIDCClJsC/yXoJ7gpQw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 16/17] grub: patch CVE-2025-0677, CVE-2025-0684, CVE-2025-0685, CVE-2025-0686 and CVE-2025-0689 Date: Tue, 11 Mar 2025 19:17:24 +0100 Message-Id: <20250311181725.8986-16-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212628 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- ...025-0685_CVE-2025-0686_CVE-2025-0689.patch | 377 ++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 378 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch new file mode 100644 index 0000000000..d5563cecc4 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch @@ -0,0 +1,377 @@ +From 47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Sat, 23 Mar 2024 16:20:45 +1100 +Subject: [PATCH] fs: Disable many filesystems under lockdown + +The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat, +hfsplus, iso9660, squash4, tar, xfs and zfs. + +The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were +reported by Jonathan Bar Or . + +Fixes: CVE-2025-0677 +Fixes: CVE-2025-0684 +Fixes: CVE-2025-0685 +Fixes: CVE-2025-0686 +Fixes: CVE-2025-0689 + +Suggested-by: Daniel Axtens +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0677 +CVE: CVE-2025-0684 +CVE: CVE-2025-0685 +CVE: CVE-2025-0686 +CVE: CVE-2025-0689 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10] +Signed-off-by: Peter Marko +--- + grub-core/fs/affs.c | 9 +++++++-- + grub-core/fs/cbfs.c | 9 +++++++-- + grub-core/fs/jfs.c | 9 +++++++-- + grub-core/fs/minix.c | 9 +++++++-- + grub-core/fs/nilfs2.c | 9 +++++++-- + grub-core/fs/ntfs.c | 9 +++++++-- + grub-core/fs/reiserfs.c | 9 +++++++-- + grub-core/fs/romfs.c | 9 +++++++-- + grub-core/fs/sfs.c | 9 +++++++-- + grub-core/fs/udf.c | 9 +++++++-- + grub-core/fs/ufs.c | 9 +++++++-- + 11 files changed, 77 insertions(+), 22 deletions(-) + +diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c +index ed606b3f1..352f5d232 100644 +--- a/grub-core/fs/affs.c ++++ b/grub-core/fs/affs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -703,11 +704,15 @@ static struct grub_fs grub_affs_fs = + + GRUB_MOD_INIT(affs) + { +- grub_fs_register (&grub_affs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_affs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(affs) + { +- grub_fs_unregister (&grub_affs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_affs_fs); + } +diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c +index 8ab7106af..f6349df34 100644 +--- a/grub-core/fs/cbfs.c ++++ b/grub-core/fs/cbfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -390,12 +391,16 @@ GRUB_MOD_INIT (cbfs) + #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN) + init_cbfsdisk (); + #endif +- grub_fs_register (&grub_cbfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_cbfs_fs); ++ } + } + + GRUB_MOD_FINI (cbfs) + { +- grub_fs_unregister (&grub_cbfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_cbfs_fs); + #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN) + fini_cbfsdisk (); + #endif +diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c +index 6f7c43904..c0bbab8a9 100644 +--- a/grub-core/fs/jfs.c ++++ b/grub-core/fs/jfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -963,11 +964,15 @@ static struct grub_fs grub_jfs_fs = + + GRUB_MOD_INIT(jfs) + { +- grub_fs_register (&grub_jfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_jfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(jfs) + { +- grub_fs_unregister (&grub_jfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_jfs_fs); + } +diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c +index 5354951d1..c267298b5 100644 +--- a/grub-core/fs/minix.c ++++ b/grub-core/fs/minix.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -734,7 +735,10 @@ GRUB_MOD_INIT(minix) + #endif + #endif + { +- grub_fs_register (&grub_minix_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_minix_fs); ++ } + my_mod = mod; + } + +@@ -756,5 +760,6 @@ GRUB_MOD_FINI(minix) + #endif + #endif + { +- grub_fs_unregister (&grub_minix_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_minix_fs); + } +diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c +index fc7374ead..08abf173f 100644 +--- a/grub-core/fs/nilfs2.c ++++ b/grub-core/fs/nilfs2.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1231,11 +1232,15 @@ GRUB_MOD_INIT (nilfs2) + grub_nilfs2_dat_entry)); + COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE + == sizeof (struct grub_nilfs2_inode)); +- grub_fs_register (&grub_nilfs2_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_nilfs2_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (nilfs2) + { +- grub_fs_unregister (&grub_nilfs2_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_nilfs2_fs); + } +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index de435aa14..8cc2ba3d5 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1320,11 +1321,15 @@ static struct grub_fs grub_ntfs_fs = + + GRUB_MOD_INIT (ntfs) + { +- grub_fs_register (&grub_ntfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_ntfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (ntfs) + { +- grub_fs_unregister (&grub_ntfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_ntfs_fs); + } +diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c +index 36b26ac98..cdef2eba0 100644 +--- a/grub-core/fs/reiserfs.c ++++ b/grub-core/fs/reiserfs.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -1417,11 +1418,15 @@ static struct grub_fs grub_reiserfs_fs = + + GRUB_MOD_INIT(reiserfs) + { +- grub_fs_register (&grub_reiserfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_reiserfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(reiserfs) + { +- grub_fs_unregister (&grub_reiserfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_reiserfs_fs); + } +diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c +index 1f7dcfca1..acf8dd21e 100644 +--- a/grub-core/fs/romfs.c ++++ b/grub-core/fs/romfs.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -475,10 +476,14 @@ static struct grub_fs grub_romfs_fs = + + GRUB_MOD_INIT(romfs) + { +- grub_fs_register (&grub_romfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_romfs_fs); ++ } + } + + GRUB_MOD_FINI(romfs) + { +- grub_fs_unregister (&grub_romfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_romfs_fs); + } +diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c +index 983e88008..f64bdd2df 100644 +--- a/grub-core/fs/sfs.c ++++ b/grub-core/fs/sfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + GRUB_MOD_LICENSE ("GPLv3+"); +@@ -779,11 +780,15 @@ static struct grub_fs grub_sfs_fs = + + GRUB_MOD_INIT(sfs) + { +- grub_fs_register (&grub_sfs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_sfs_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI(sfs) + { +- grub_fs_unregister (&grub_sfs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_sfs_fs); + } +diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c +index b836e6107..a60643be1 100644 +--- a/grub-core/fs/udf.c ++++ b/grub-core/fs/udf.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1455,11 +1456,15 @@ static struct grub_fs grub_udf_fs = { + + GRUB_MOD_INIT (udf) + { +- grub_fs_register (&grub_udf_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_udf_fs); ++ } + my_mod = mod; + } + + GRUB_MOD_FINI (udf) + { +- grub_fs_unregister (&grub_udf_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_udf_fs); + } +diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c +index 01235101b..6b496e7b8 100644 +--- a/grub-core/fs/ufs.c ++++ b/grub-core/fs/ufs.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -899,7 +900,10 @@ GRUB_MOD_INIT(ufs1) + #endif + #endif + { +- grub_fs_register (&grub_ufs_fs); ++ if (!grub_is_lockdown ()) ++ { ++ grub_fs_register (&grub_ufs_fs); ++ } + my_mod = mod; + } + +@@ -913,6 +917,7 @@ GRUB_MOD_FINI(ufs1) + #endif + #endif + { +- grub_fs_unregister (&grub_ufs_fs); ++ if (!grub_is_lockdown ()) ++ grub_fs_unregister (&grub_ufs_fs); + } + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index ef16242ed3..f34b5ee50e 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -35,6 +35,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0690.patch \ file://CVE-2025-1118.patch \ file://CVE-2024-45778_CVE-2024-45779.patch \ + file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" From patchwork Tue Mar 11 18:17:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 58738 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 206F2C35FF2 for ; Tue, 11 Mar 2025 18:19:23 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.17468.1741717160491119210 for ; Tue, 11 Mar 2025 11:19:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=S7SvhQDx; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-202503111819180f64e7f622accdac08-y_rsbe@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202503111819180f64e7f622accdac08 for ; Tue, 11 Mar 2025 19:19:18 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=5FjFPM/8KMFKaUrFQsnd7vRQWpsmVDsFMqsdJh4pib0=; b=S7SvhQDxNdUrPXjCOTMWtMnakjmmATCO9/8OwsMNhxV5w4segbtl73qNx+ItACo8WtK+t9 Dh3VxYh/PEvkurvyciGAYnpXgEn6gj/LcaBhLkHG1tzVZhPo/PH0ymYzUu/xeqBXQN8umMQ8 KaM3skSpr8YBWMZt1TMq4qlq9fnBB4aPGN6SoT8nfEbf2s3VZXwIf36styn3alz+FDM9DzvI tCx13i1LJlXi50gDluMKj6ibVl4jqDBQsDfvWZuQ7RGPf/RZuMWNOkDeZZGu4VE+mkRI/CTt SvY87QlChBggeuWolwaj7x1Kqxv/WcHOE/hWePskHP7or53DM+bYJzkA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 17/17] grub: patch CVE-2025-0678 and CVE-2025-1125 Date: Tue, 11 Mar 2025 19:17:25 +0100 Message-Id: <20250311181725.8986-17-peter.marko@siemens.com> In-Reply-To: <20250311181725.8986-1-peter.marko@siemens.com> References: <20250311181725.8986-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Mar 2025 18:19:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212629 From: Peter Marko Cherry-pick patch mentioning these CVEs. Signed-off-by: Peter Marko --- .../files/CVE-2025-0678_CVE-2025-1125.patch | 87 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch new file mode 100644 index 0000000000..14e67cf35b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch @@ -0,0 +1,87 @@ +From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Tue, 21 Jan 2025 19:02:37 +0000 +Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays + +Use grub_calloc() when allocating memory for arrays to ensure proper +overflow checks are in place. + +The HFS+ and squash4 security vulnerabilities were reported by +Jonathan Bar Or . + +Fixes: CVE-2025-0678 +Fixes: CVE-2025-1125 + +Signed-off-by: Lidong Chen +Reviewed-by: Daniel Kiper + +CVE: CVE-2025-0678 +CVE: CVE-2025-1125 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e] +Signed-off-by: Peter Marko +--- + grub-core/fs/btrfs.c | 4 ++-- + grub-core/fs/hfspluscomp.c | 9 +++++++-- + grub-core/fs/squash4.c | 8 ++++---- + 3 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c +index 0625b1166..9c1e925c9 100644 +--- a/grub-core/fs/btrfs.c ++++ b/grub-core/fs/btrfs.c +@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev) + } + + data->n_devices_allocated = 16; +- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0]) +- * data->n_devices_allocated); ++ data->devices_attached = grub_calloc (data->n_devices_allocated, ++ sizeof (data->devices_attached[0])); + if (!data->devices_attached) + { + grub_free (data); +diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c +index 48ae438d8..a80954ee6 100644 +--- a/grub-core/fs/hfspluscomp.c ++++ b/grub-core/fs/hfspluscomp.c +@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node) + return 0; + } + node->compress_index_size = grub_le_to_cpu32 (index_size); +- node->compress_index = grub_malloc (node->compress_index_size +- * sizeof (node->compress_index[0])); ++ node->compress_index = grub_calloc (node->compress_index_size, ++ sizeof (node->compress_index[0])); + if (!node->compress_index) + { + node->compressed = 0; + grub_free (attr_node); + return grub_errno; + } ++ ++ /* ++ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here ++ * due to relevant checks done in grub_calloc() above. ++ */ + if (grub_hfsplus_read_file (node, 0, 0, + 0x104 + sizeof (index_size), + node->compress_index_size +diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c +index f91ff3bfa..cf2bca822 100644 +--- a/grub-core/fs/squash4.c ++++ b/grub-core/fs/squash4.c +@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data, + break; + } + total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz); +- ino->block_sizes = grub_malloc (total_blocks +- * sizeof (ino->block_sizes[0])); +- ino->cumulated_block_sizes = grub_malloc (total_blocks +- * sizeof (ino->cumulated_block_sizes[0])); ++ ino->block_sizes = grub_calloc (total_blocks, ++ sizeof (ino->block_sizes[0])); ++ ino->cumulated_block_sizes = grub_calloc (total_blocks, ++ sizeof (ino->cumulated_block_sizes[0])); + if (!ino->block_sizes || !ino->cumulated_block_sizes) + { + grub_free (ino->block_sizes); diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index f34b5ee50e..7c83febaa2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -36,6 +36,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-1118.patch \ file://CVE-2024-45778_CVE-2024-45779.patch \ file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \ + file://CVE-2025-0678_CVE-2025-1125.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"