Hello community, here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2020-07-31 15:54:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grub2 (Old) and /work/SRC/openSUSE:Factory/.grub2.new.3592 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "grub2" Fri Jul 31 15:54:21 2020 rev:223 rq:823470 version:2.04 Changes: -------- --- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2020-07-28 17:22:15.957689250 +0200 +++ /work/SRC/openSUSE:Factory/.grub2.new.3592/grub2.changes 2020-07-31 15:56:22.228376572 +0200 @@ -1,0 +2,28 @@ +Mon Jul 27 10:04:49 UTC 2020 - Michael Chang <mchang@suse.com> + +- Fix for CVE-2020-10713 (bsc#1168994) + * 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch +- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 + (bsc#1173812) + * 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch + * 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch + * 0004-calloc-Use-calloc-at-most-places.patch + * 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch + * 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch + * 0007-font-Do-not-load-more-than-one-NAME-section.patch +- Fix CVE-2020-15706 (bsc#1174463) + * 0008-script-Remove-unused-fields-from-grub_script_functio.patch + * 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch +- Fix CVE-2020-15707 (bsc#1174570) + * 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch +- Use overflow checking primitives where the arithmetic expression for buffer + allocations may include unvalidated data +- Use grub_calloc for overflow check and return NULL when it would occur + * 0001-add-support-for-UEFI-network-protocols.patch + * 0003-bootp-New-net_bootp6-command.patch + * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch + * grub2-btrfs-09-get-default-subvolume.patch + * grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch + * grub2-grubenv-in-btrfs-header.patch + +------------------------------------------------------------------- New: ---- 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch 0004-calloc-Use-calloc-at-most-places.patch 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch 0007-font-Do-not-load-more-than-one-NAME-section.patch 0008-script-Remove-unused-fields-from-grub_script_functio.patch 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grub2.spec ++++++ --- /var/tmp/diff_new_pack.84M0bi/_old 2020-07-31 15:56:25.472379933 +0200 +++ /var/tmp/diff_new_pack.84M0bi/_new 2020-07-31 15:56:25.476379937 +0200 @@ -302,6 +302,24 @@ Patch701: 0002-kern-Add-X-option-to-printf-functions.patch Patch702: 0003-normal-main-Search-for-specific-config-files-for-net.patch Patch703: 0004-datetime-Enable-the-datetime-module-for-the-emu-plat.patch +# bsc#1168994 VUL-0: EMBARGOED: CVE-2020-10713: grub2: parsing overflows can +# bypass secure boot restrictions +Patch704: 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch +# bsc#1173812 VUL-0: EMBARGOED: CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, +# CVE-2020-14311: grub2: avoid integer overflows +Patch705: 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch +Patch706: 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch +Patch707: 0004-calloc-Use-calloc-at-most-places.patch +Patch708: 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch +Patch709: 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch +Patch710: 0007-font-Do-not-load-more-than-one-NAME-section.patch +# bsc#1174463 VUL-0: EMBARGOED: CVE-2020-15706: grub2: script: Avoid a +# use-after-free when redefining a function during execution +Patch711: 0008-script-Remove-unused-fields-from-grub_script_functio.patch +Patch712: 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch +# bsc#1174570 VUL-0: EMBARGOED: CVE-2020-15707: grub2: linux: Fix integer +# overflows in initrd size handling +Patch713: 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140 @@ -607,6 +625,16 @@ %patch701 -p1 %patch702 -p1 %patch703 -p1 +%patch704 -p1 +%patch705 -p1 +%patch706 -p1 +%patch707 -p1 +%patch708 -p1 +%patch709 -p1 +%patch710 -p1 +%patch711 -p1 +%patch712 -p1 +%patch713 -p1 %build # collect evidence to debug spurious build failure on SLE15 ++++++ 0001-add-support-for-UEFI-network-protocols.patch ++++++ --- /var/tmp/diff_new_pack.84M0bi/_old 2020-07-31 15:56:25.500379962 +0200 +++ /var/tmp/diff_new_pack.84M0bi/_new 2020-07-31 15:56:25.504379966 +0200 @@ -23,10 +23,16 @@ * Finish HTTP transaction in one go * Fix bsc#1076132 -V4 +V4: * Add fs_ prefix with upstream commit ad4bfeec5 Change fs functions to add fs_ prefix +V5: + * Use overflow checking primitives where the arithmetic expression for + buffer allocations may include unvalidated data + * Use grub_calloc for overflow check and return NULL when it would + occur. + --- grub-core/Makefile.core.def | 18 + grub-core/io/bufio.c | 2 +- @@ -57,10 +63,10 @@ create mode 100644 include/grub/efi/http.h create mode 100644 include/grub/net/efi.h -Index: grub-2.04~rc1/grub-core/Makefile.core.def +Index: grub-2.04/grub-core/Makefile.core.def =================================================================== ---- grub-2.04~rc1.orig/grub-core/Makefile.core.def -+++ grub-2.04~rc1/grub-core/Makefile.core.def +--- grub-2.04.orig/grub-core/Makefile.core.def ++++ grub-2.04/grub-core/Makefile.core.def @@ -1854,7 +1854,6 @@ module = { module = { name = linuxefi; @@ -82,10 +88,10 @@ }; module = { -Index: grub-2.04~rc1/grub-core/io/bufio.c +Index: grub-2.04/grub-core/io/bufio.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/io/bufio.c -+++ grub-2.04~rc1/grub-core/io/bufio.c +--- grub-2.04.orig/grub-core/io/bufio.c ++++ grub-2.04/grub-core/io/bufio.c @@ -139,7 +139,7 @@ grub_bufio_read (grub_file_t file, char return res; @@ -95,10 +101,10 @@ /* Now read between file->offset + res and bufio->buffer_at. */ if (file->offset + res < next_buf) { -Index: grub-2.04~rc1/grub-core/kern/efi/efi.c +Index: grub-2.04/grub-core/kern/efi/efi.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/kern/efi/efi.c -+++ grub-2.04~rc1/grub-core/kern/efi/efi.c +--- grub-2.04.orig/grub-core/kern/efi/efi.c ++++ grub-2.04/grub-core/kern/efi/efi.c @@ -722,7 +722,7 @@ grub_efi_print_device_path (grub_efi_dev { grub_efi_ipv4_device_path_t *ipv4 @@ -226,10 +232,10 @@ default: grub_printf ("/UnknownMessaging(%x)", (unsigned) subtype); break; -Index: grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c +Index: grub-2.04/grub-core/net/drivers/efi/efinet.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/net/drivers/efi/efinet.c -+++ grub-2.04~rc1/grub-core/net/drivers/efi/efinet.c +--- grub-2.04.orig/grub-core/net/drivers/efi/efinet.c ++++ grub-2.04/grub-core/net/drivers/efi/efinet.c @@ -24,6 +24,7 @@ #include <grub/efi/efi.h> #include <grub/i18n.h> @@ -298,11 +304,11 @@ + grub_efi_net_config = NULL; } -Index: grub-2.04~rc1/grub-core/net/efi/dhcp.c +Index: grub-2.04/grub-core/net/efi/dhcp.c =================================================================== --- /dev/null -+++ grub-2.04~rc1/grub-core/net/efi/dhcp.c -@@ -0,0 +1,397 @@ ++++ grub-2.04/grub-core/net/efi/dhcp.c +@@ -0,0 +1,399 @@ +#include <grub/mm.h> +#include <grub/command.h> +#include <grub/efi/api.h> @@ -385,7 +391,7 @@ + if (status != GRUB_EFI_BUFFER_TOO_SMALL) + return NULL; + -+ option_list = grub_malloc (option_count * sizeof(*option_list)); ++ option_list = grub_calloc (option_count, sizeof(*option_list)); + if (!option_list) + return NULL; + @@ -665,7 +671,9 @@ + + if (status == GRUB_EFI_BUFFER_TOO_SMALL && count) + { -+ options = grub_malloc (count * sizeof(*options)); ++ options = grub_calloc (count, sizeof(*options)); ++ if (!options) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + status = efi_call_4 (dev->dhcp6->parse, dev->dhcp6, mode.ia->reply_packet, &count, options); + } + @@ -700,17 +708,18 @@ + +grub_command_func_t grub_efi_net_bootp = grub_cmd_efi_bootp; +grub_command_func_t grub_efi_net_bootp6 = grub_cmd_efi_bootp6; -Index: grub-2.04~rc1/grub-core/net/efi/http.c +Index: grub-2.04/grub-core/net/efi/http.c =================================================================== --- /dev/null -+++ grub-2.04~rc1/grub-core/net/efi/http.c -@@ -0,0 +1,419 @@ ++++ grub-2.04/grub-core/net/efi/http.c +@@ -0,0 +1,424 @@ + +#include <grub/efi/api.h> +#include <grub/efi/efi.h> +#include <grub/misc.h> +#include <grub/net/efi.h> +#include <grub/charset.h> ++#include <grub/safemath.h> + +static void +http_configure (struct grub_efi_net_device *dev, int prefer_ip6) @@ -835,6 +844,7 @@ + grub_efi_char16_t *ucs2_url; + grub_size_t url_len, ucs2_url_len; + const char *protocol = (use_https == 1) ? "https" : "http"; ++ grub_size_t sz; + + if (grub_efi_string_to_ip6_address (server, &address, &rest) && *rest == 0) + url = grub_xasprintf ("%s://[%s]%s", protocol, server, name); @@ -847,8 +857,11 @@ + } + + url_len = grub_strlen (url); -+ ucs2_url_len = url_len * GRUB_MAX_UTF16_PER_UTF8; -+ ucs2_url = grub_malloc ((ucs2_url_len + 1) * sizeof (ucs2_url[0])); ++ if (grub_mul (url_len, GRUB_MAX_UTF16_PER_UTF8, &ucs2_url_len) || ++ grub_add (ucs2_url_len, 1, &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ++ ucs2_url = grub_calloc (sz, sizeof (ucs2_url[0])); + + if (!ucs2_url) + { @@ -1124,26 +1137,30 @@ + .read = grub_efihttp_read, + .close = grub_efihttp_close + }; -Index: grub-2.04~rc1/grub-core/net/efi/ip4_config.c +Index: grub-2.04/grub-core/net/efi/ip4_config.c =================================================================== --- /dev/null -+++ grub-2.04~rc1/grub-core/net/efi/ip4_config.c -@@ -0,0 +1,398 @@ ++++ grub-2.04/grub-core/net/efi/ip4_config.c +@@ -0,0 +1,409 @@ + +#include <grub/efi/api.h> +#include <grub/efi/efi.h> +#include <grub/misc.h> +#include <grub/net/efi.h> +#include <grub/charset.h> ++#include <grub/safemath.h> + +char * +grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_address_t hw_address) +{ + char *hw_addr, *p; -+ int sz, s; ++ int s; + int i; ++ grub_size_t sz; + -+ sz = (int)hw_address_size * (sizeof ("XX:") - 1) + 1; ++ if (grub_mul (hw_address_size, sizeof ("XX:") - 1, &sz) || ++ grub_add (sz, 1, &sz)) ++ return NULL; + + hw_addr = grub_malloc (sz); + if (!hw_addr) @@ -1359,12 +1376,19 @@ + grub_efi_ip4_config2_interface_info_t *interface_info; + char **ret; + int i, id; ++ grub_size_t sz; + + interface_info = efi_ip4_config_interface_info (dev->ip4_config); + if (!interface_info) + return NULL; + -+ ret = grub_malloc (sizeof (*ret) * (interface_info->route_table_size + 1)); ++ if (grub_add (interface_info->route_table_size, 1, &sz)) ++ { ++ grub_free (interface_info); ++ return NULL; ++ } ++ ++ ret = grub_calloc (sz, sizeof (*ret)); + + if (!ret) + { @@ -1527,16 +1551,17 @@ + .set_gateway = grub_efi_ip4_interface_set_gateway, + .set_dns = grub_efi_ip4_interface_set_dns + }; -Index: grub-2.04~rc1/grub-core/net/efi/ip6_config.c +Index: grub-2.04/grub-core/net/efi/ip6_config.c =================================================================== --- /dev/null -+++ grub-2.04~rc1/grub-core/net/efi/ip6_config.c -@@ -0,0 +1,422 @@ ++++ grub-2.04/grub-core/net/efi/ip6_config.c +@@ -0,0 +1,430 @@ +#include <grub/efi/api.h> +#include <grub/efi/efi.h> +#include <grub/misc.h> +#include <grub/net/efi.h> +#include <grub/charset.h> ++#include <grub/safemath.h> + +char * +grub_efi_ip6_address_to_string (grub_efi_pxe_ipv6_address_t *address) @@ -1763,12 +1788,19 @@ + grub_efi_ip6_config_interface_info_t *interface_info; + char **ret; + int i, id; ++ grub_size_t sz; + + interface_info = efi_ip6_config_interface_info (dev->ip6_config); + if (!interface_info) + return NULL; + -+ ret = grub_malloc (sizeof (*ret) * (interface_info->route_count + 1)); ++ if (grub_add (interface_info->route_count, 1, &sz)) ++ { ++ grub_free (interface_info); ++ return NULL; ++ } ++ ++ ret = grub_calloc (sz, sizeof (*ret)); + + if (!ret) + { @@ -1954,11 +1986,11 @@ + .set_gateway = grub_efi_ip6_interface_set_gateway, + .set_dns = grub_efi_ip6_interface_set_dns + }; -Index: grub-2.04~rc1/grub-core/net/efi/net.c +Index: grub-2.04/grub-core/net/efi/net.c =================================================================== --- /dev/null -+++ grub-2.04~rc1/grub-core/net/efi/net.c -@@ -0,0 +1,1428 @@ ++++ grub-2.04/grub-core/net/efi/net.c +@@ -0,0 +1,1437 @@ +#include <grub/net.h> +#include <grub/env.h> +#include <grub/mm.h> @@ -1973,6 +2005,7 @@ +#include <grub/efi/dhcp.h> +#include <grub/net/efi.h> +#include <grub/charset.h> ++#include <grub/safemath.h> + +GRUB_MOD_LICENSE ("GPLv3+"); + @@ -2198,7 +2231,15 @@ + + if (code == GRUB_NET_DHCP6_OPTION_BOOTFILE_URL) + { -+ char *url = grub_malloc (len + 1); ++ char *url; ++ grub_size_t sz; ++ ++ if (grub_add (len, 1, &sz)) ++ return; ++ ++ url = grub_malloc (sz); ++ if (!url) ++ return; + + grub_memcpy (url, dhcp_opt->data, len); + url[len] = 0; @@ -3387,10 +3428,10 @@ + grub_net_open = NULL; + grub_fs_unregister (&grub_efi_netfs); +} -Index: grub-2.04~rc1/grub-core/net/efi/pxe.c +Index: grub-2.04/grub-core/net/efi/pxe.c =================================================================== --- /dev/null -+++ grub-2.04~rc1/grub-core/net/efi/pxe.c ++++ grub-2.04/grub-core/net/efi/pxe.c @@ -0,0 +1,424 @@ + +#include <grub/efi/api.h> @@ -3816,10 +3857,10 @@ + .close = pxe_close + }; + -Index: grub-2.04~rc1/grub-core/net/net.c +Index: grub-2.04/grub-core/net/net.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/net/net.c -+++ grub-2.04~rc1/grub-core/net/net.c +--- grub-2.04.orig/grub-core/net/net.c ++++ grub-2.04/grub-core/net/net.c @@ -32,6 +32,9 @@ #include <grub/loader.h> #include <grub/bufio.h> @@ -3926,10 +3967,10 @@ + init_mode = INIT_MODE_NONE; +#endif } -Index: grub-2.04~rc1/include/grub/efi/api.h +Index: grub-2.04/include/grub/efi/api.h =================================================================== ---- grub-2.04~rc1.orig/include/grub/efi/api.h -+++ grub-2.04~rc1/include/grub/efi/api.h +--- grub-2.04.orig/include/grub/efi/api.h ++++ grub-2.04/include/grub/efi/api.h @@ -588,6 +588,23 @@ typedef grub_uint16_t grub_efi_ipv6_addr typedef grub_uint8_t grub_efi_ip_address_t[8] __attribute__ ((aligned(4))); typedef grub_efi_uint64_t grub_efi_physical_address_t; @@ -4177,10 +4218,10 @@ #if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \ || defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) \ || defined(__riscv) -Index: grub-2.04~rc1/include/grub/efi/dhcp.h +Index: grub-2.04/include/grub/efi/dhcp.h =================================================================== --- /dev/null -+++ grub-2.04~rc1/include/grub/efi/dhcp.h ++++ grub-2.04/include/grub/efi/dhcp.h @@ -0,0 +1,343 @@ +#ifndef GRUB_EFI_DHCP_HEADER +#define GRUB_EFI_DHCP_HEADER 1 @@ -4525,10 +4566,10 @@ +}; + +#endif /* ! GRUB_EFI_DHCP_HEADER */ -Index: grub-2.04~rc1/include/grub/efi/http.h +Index: grub-2.04/include/grub/efi/http.h =================================================================== --- /dev/null -+++ grub-2.04~rc1/include/grub/efi/http.h ++++ grub-2.04/include/grub/efi/http.h @@ -0,0 +1,215 @@ +/* + * GRUB -- GRand Unified Bootloader @@ -4745,10 +4786,10 @@ +typedef struct grub_efi_http grub_efi_http_t; + +#endif /* !GRUB_EFI_HTTP_HEADER */ -Index: grub-2.04~rc1/include/grub/net/efi.h +Index: grub-2.04/include/grub/net/efi.h =================================================================== --- /dev/null -+++ grub-2.04~rc1/include/grub/net/efi.h ++++ grub-2.04/include/grub/net/efi.h @@ -0,0 +1,144 @@ +#ifndef GRUB_NET_EFI_HEADER +#define GRUB_NET_EFI_HEADER 1 ++++++ 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch ++++++
From a948ac01744f3490fa5af4b38039f7dade68bb3e Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Wed, 15 Apr 2020 15:45:02 -0400 Subject: [PATCH EMBARGOED CVE-2020-10713] yylex: Make lexer fatal errors actually be fatal
When presented with a command that can't be tokenized to anything smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), expecting that will stop further processing, as such: #define YY_DO_BEFORE_ACTION \ yyg->yytext_ptr = yy_bp; \ yyleng = (int) (yy_cp - yy_bp); \ yyg->yy_hold_char = *yy_cp; \ *yy_cp = '\0'; \ if ( yyleng >= YYLMAX ) \ YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ yyg->yy_c_buf_p = yy_cp; The code flex generates expects that YY_FATAL_ERROR() will either return for it or do some form of longjmp(), or handle the error in some way at least, and so the strncpy() call isn't in an "else" clause, and thus if YY_FATAL_ERROR() is *not* actually fatal, it does the call with the questionable limit, and predictable results ensue. Unfortunately, our implementation of YY_FATAL_ERROR() is: #define YY_FATAL_ERROR(msg) \ do { \ grub_printf (_("fatal error: %s\n"), _(msg)); \ } while (0) The same pattern exists in yyless(), and similar problems exist in users of YY_INPUT(), several places in the main parsing loop, yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, yy_scan_buffer(), etc. All of these callers expect YY_FATAL_ERROR() to actually be fatal, and the things they do if it returns after calling it are wildly unsafe. Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/script/yylex.l | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l index 7b44c37b7..b7203c823 100644 --- a/grub-core/script/yylex.l +++ b/grub-core/script/yylex.l @@ -37,11 +37,11 @@ /* * As we don't have access to yyscanner, we cannot do much except to - * print the fatal error. + * print the fatal error and exit. */ #define YY_FATAL_ERROR(msg) \ do { \ - grub_printf (_("fatal error: %s\n"), _(msg)); \ + grub_fatal (_("fatal error: %s\n"), _(msg));\ } while (0) #define COPY(str, hint) \ -- 2.11.0 ++++++ 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch ++++++
From de1c315841aa6f37357c72e196810484013291d6 Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Mon, 15 Jun 2020 10:58:42 -0400 Subject: [PATCH 2/7] safemath: Add some arithmetic primitives that check for overflow
This adds a new header, include/grub/safemath.h, that includes easy to use wrappers for __builtin_{add,sub,mul}_overflow() declared like: bool OP(a, b, res) where OP is grub_add, grub_sub or grub_mul. OP() returns true in the case where the operation would overflow and res is not modified. Otherwise, false is returned and the operation is executed. These arithmetic primitives require newer compiler versions. So, bump these requirements in the INSTALL file too. Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- INSTALL | 22 ++-------------------- include/grub/compiler.h | 8 ++++++++ include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 20 deletions(-) create mode 100644 include/grub/safemath.h diff --git a/INSTALL b/INSTALL index dedf236a8..79a0af7d9 100644 --- a/INSTALL +++ b/INSTALL @@ -11,27 +11,9 @@ GRUB depends on some software packages installed into your system. If you don't have any of them, please obtain and install them before configuring the GRUB. -* GCC 4.1.3 or later - Note: older versions may work but support is limited - - Experimental support for clang 3.3 or later (results in much bigger binaries) +* GCC 5.1.0 or later + Experimental support for clang 3.8.0 or later (results in much bigger binaries) for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64 - Note: clang 3.2 or later works for i386 and x86_64 targets but results in - much bigger binaries. - earlier versions not tested - Note: clang 3.2 or later works for arm - earlier versions not tested - Note: clang on arm64 is not supported due to - https://llvm.org/bugs/show_bug.cgi?id=26030 - Note: clang 3.3 or later works for mips(el) - earlier versions fail to generate .reginfo and hence gprel relocations - fail. - Note: clang 3.2 or later works for powerpc - earlier versions not tested - Note: clang 3.5 or later works for sparc64 - earlier versions return "error: unable to interface with target machine" - Note: clang has no support for ia64 and hence you can't compile GRUB - for ia64 with clang * GNU Make * GNU Bison 2.3 or later * GNU gettext 0.17 or later diff --git a/include/grub/compiler.h b/include/grub/compiler.h index c9e1d7a73..8f3be3ae7 100644 --- a/include/grub/compiler.h +++ b/include/grub/compiler.h @@ -48,4 +48,12 @@ # define WARN_UNUSED_RESULT #endif +#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__) +# define CLANG_PREREQ(maj,min) \ + ((__clang_major__ > (maj)) || \ + (__clang_major__ == (maj) && __clang_minor__ >= (min))) +#else +# define CLANG_PREREQ(maj,min) 0 +#endif + #endif /* ! GRUB_COMPILER_HEADER */ diff --git a/include/grub/safemath.h b/include/grub/safemath.h new file mode 100644 index 000000000..c17b89bba --- /dev/null +++ b/include/grub/safemath.h @@ -0,0 +1,37 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2020 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. + * + * Arithmetic operations that protect against overflow. + */ + +#ifndef GRUB_SAFEMATH_H +#define GRUB_SAFEMATH_H 1 + +#include <grub/compiler.h> + +/* These appear in gcc 5.1 and clang 3.8. */ +#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8) + +#define grub_add(a, b, res) __builtin_add_overflow(a, b, res) +#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) +#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) + +#else +#error gcc 5.1 or newer or clang 3.8 or newer is required +#endif + +#endif /* GRUB_SAFEMATH_H */ -- 2.27.0 ++++++ 0003-bootp-New-net_bootp6-command.patch ++++++ --- /var/tmp/diff_new_pack.84M0bi/_old 2020-07-31 15:56:25.560380024 +0200 +++ /var/tmp/diff_new_pack.84M0bi/_new 2020-07-31 15:56:25.560380024 +0200 @@ -8,16 +8,21 @@ Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Ken Lin <ken.lin@hpe.com> + +V1: + * Use grub_calloc for overflow check and return NULL when it would + occur. + --- grub-core/net/bootp.c | 908 +++++++++++++++++++++++++++++++++++++++++++++++++- grub-core/net/ip.c | 39 +++ include/grub/net.h | 72 ++++ 3 files changed, 1018 insertions(+), 1 deletion(-) -Index: grub-2.04~rc1/grub-core/net/bootp.c +Index: grub-2.04/grub-core/net/bootp.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/net/bootp.c -+++ grub-2.04~rc1/grub-core/net/bootp.c +--- grub-2.04.orig/grub-core/net/bootp.c ++++ grub-2.04/grub-core/net/bootp.c @@ -24,6 +24,98 @@ #include <grub/net/netbuff.h> #include <grub/net/udp.h> @@ -265,7 +270,7 @@ + break; + } + dhcp6->num_dns_server = ln = len >> 4; -+ dhcp6->dns_server_addrs = la = grub_zalloc (ln * sizeof (*la)); ++ dhcp6->dns_server_addrs = la = grub_calloc (ln, sizeof (*la)); + + for (po = opt->data; ln > 0; po += 0x10, la++, ln--) + { @@ -966,10 +971,10 @@ grub_unregister_command (cmd_dhcp); + grub_unregister_command (cmd_bootp6); } -Index: grub-2.04~rc1/grub-core/net/ip.c +Index: grub-2.04/grub-core/net/ip.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/net/ip.c -+++ grub-2.04~rc1/grub-core/net/ip.c +--- grub-2.04.orig/grub-core/net/ip.c ++++ grub-2.04/grub-core/net/ip.c @@ -239,6 +239,45 @@ handle_dgram (struct grub_net_buff *nb, { struct udphdr *udph; @@ -1016,10 +1021,10 @@ if (proto == GRUB_NET_IP_UDP && grub_be_to_cpu16 (udph->dst) == 68) { const struct grub_net_bootp_packet *bootp; -Index: grub-2.04~rc1/include/grub/net.h +Index: grub-2.04/include/grub/net.h =================================================================== ---- grub-2.04~rc1.orig/include/grub/net.h -+++ grub-2.04~rc1/include/grub/net.h +--- grub-2.04.orig/include/grub/net.h ++++ grub-2.04/include/grub/net.h @@ -448,6 +448,66 @@ struct grub_net_bootp_packet grub_uint8_t vendor[0]; } GRUB_PACKED; ++++++ 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch ++++++
From 79e51ab7a9a56f60a14f89ef047fd669977b99d1 Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Mon, 15 Jun 2020 12:15:29 -0400 Subject: [PATCH 3/7] calloc: Make sure we always have an overflow-checking calloc() available
This tries to make sure that everywhere in this source tree, we always have an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.) available, and that they all safely check for overflow and return NULL when it would occur. Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/kern/emu/misc.c | 12 +++++++++ grub-core/kern/emu/mm.c | 10 ++++++++ grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++ grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++-- grub-core/lib/posix_wrap/stdlib.h | 8 +++++- include/grub/emu/misc.h | 1 + include/grub/mm.h | 6 +++++ 7 files changed, 85 insertions(+), 3 deletions(-) Index: grub-2.04/grub-core/kern/emu/misc.c =================================================================== --- grub-2.04.orig/grub-core/kern/emu/misc.c +++ grub-2.04/grub-core/kern/emu/misc.c @@ -87,6 +87,18 @@ grub_util_error (const char *fmt, ...) } void * +xcalloc (grub_size_t nmemb, grub_size_t size) +{ + void *p; + + p = calloc (nmemb, size); + if (!p) + grub_util_error ("%s", _("out of memory")); + + return p; +} + +void * xmalloc (grub_size_t size) { void *p; Index: grub-2.04/grub-core/kern/emu/mm.c =================================================================== --- grub-2.04.orig/grub-core/kern/emu/mm.c +++ grub-2.04/grub-core/kern/emu/mm.c @@ -26,6 +26,16 @@ #include <grub/i18n.h> void * +grub_calloc (grub_size_t nmemb, grub_size_t size) +{ + void *ret; + ret = calloc (nmemb, size); + if (!ret) + grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory")); + return ret; +} + +void * grub_malloc (grub_size_t size) { void *ret; Index: grub-2.04/grub-core/kern/mm.c =================================================================== --- grub-2.04.orig/grub-core/kern/mm.c +++ grub-2.04/grub-core/kern/mm.c @@ -67,8 +67,10 @@ #include <grub/dl.h> #include <grub/i18n.h> #include <grub/mm_private.h> +#include <grub/safemath.h> #ifdef MM_DEBUG +# undef grub_calloc # undef grub_malloc # undef grub_zalloc # undef grub_realloc @@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_s return 0; } +/* + * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on + * integer overflow. + */ +void * +grub_calloc (grub_size_t nmemb, grub_size_t size) +{ + void *ret; + grub_size_t sz = 0; + + if (grub_mul (nmemb, size, &sz)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + + ret = grub_memalign (0, sz); + if (!ret) + return NULL; + + grub_memset (ret, 0, sz); + return ret; +} + /* Allocate SIZE bytes and return the pointer. */ void * grub_malloc (grub_size_t size) @@ -562,6 +588,20 @@ grub_mm_dump (unsigned lineno) } void * +grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size) +{ + void *ptr; + + if (grub_mm_debug) + grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ", + file, line, size); + ptr = grub_calloc (nmemb, size); + if (grub_mm_debug) + grub_printf ("%p\n", ptr); + return ptr; +} + +void * grub_debug_malloc (const char *file, int line, grub_size_t size) { void *ptr; Index: grub-2.04/grub-core/lib/libgcrypt_wrap/mem.c =================================================================== --- grub-2.04.orig/grub-core/lib/libgcrypt_wrap/mem.c +++ grub-2.04/grub-core/lib/libgcrypt_wrap/mem.c @@ -4,6 +4,7 @@ #include <grub/crypto.h> #include <grub/dl.h> #include <grub/env.h> +#include <grub/safemath.h> GRUB_MOD_LICENSE ("GPLv3+"); @@ -36,7 +37,10 @@ void * gcry_xcalloc (size_t n, size_t m) { void *ret; - ret = grub_zalloc (n * m); + size_t sz; + if (grub_mul (n, m, &sz)) + grub_fatal ("gcry_xcalloc would overflow"); + ret = grub_zalloc (sz); if (!ret) grub_fatal ("gcry_xcalloc failed"); return ret; @@ -56,7 +60,10 @@ void * gcry_xcalloc_secure (size_t n, size_t m) { void *ret; - ret = grub_zalloc (n * m); + size_t sz; + if (grub_mul (n, m, &sz)) + grub_fatal ("gcry_xcalloc would overflow"); + ret = grub_zalloc (sz); if (!ret) grub_fatal ("gcry_xcalloc failed"); return ret; Index: grub-2.04/grub-core/lib/posix_wrap/stdlib.h =================================================================== --- grub-2.04.orig/grub-core/lib/posix_wrap/stdlib.h +++ grub-2.04/grub-core/lib/posix_wrap/stdlib.h @@ -21,6 +21,7 @@ #include <grub/mm.h> #include <grub/misc.h> +#include <grub/safemath.h> static inline void free (void *ptr) @@ -37,7 +38,12 @@ malloc (grub_size_t size) static inline void * calloc (grub_size_t size, grub_size_t nelem) { - return grub_zalloc (size * nelem); + grub_size_t sz; + + if (grub_mul (size, nelem, &sz)) + return NULL; + + return grub_zalloc (sz); } static inline void * Index: grub-2.04/include/grub/emu/misc.h =================================================================== --- grub-2.04.orig/include/grub/emu/misc.h +++ grub-2.04/include/grub/emu/misc.h @@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char * #define GRUB_HOST_PRIuLONG_LONG "llu" #define GRUB_HOST_PRIxLONG_LONG "llx" +void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT; void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT; void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT; char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT; Index: grub-2.04/include/grub/mm.h =================================================================== --- grub-2.04.orig/include/grub/mm.h +++ grub-2.04/include/grub/mm.h @@ -29,6 +29,7 @@ #endif void grub_mm_init_region (void *addr, grub_size_t size); +void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size); void *EXPORT_FUNC(grub_malloc) (grub_size_t size); void *EXPORT_FUNC(grub_zalloc) (grub_size_t size); void EXPORT_FUNC(grub_free) (void *ptr); @@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug); void grub_mm_dump_free (void); void grub_mm_dump (unsigned lineno); +#define grub_calloc(nmemb, size) \ + grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size) + #define grub_malloc(size) \ grub_debug_malloc (GRUB_FILE, __LINE__, size) @@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno); #define grub_free(ptr) \ grub_debug_free (GRUB_FILE, __LINE__, ptr) +void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line, + grub_size_t nmemb, grub_size_t size); void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line, grub_size_t size); void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line, ++++++ 0004-calloc-Use-calloc-at-most-places.patch ++++++ ++++ 1825 lines (skipped) ++++++ 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch ++++++ ++++ 1319 lines (skipped) ++++++ 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch ++++++
From 30508bd4692d2e022eff2e7f9c4be9f8abf57977 Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Sat, 4 Jul 2020 12:25:09 -0400 Subject: [PATCH 6/7] iso9660: Don't leak memory on realloc() failures
Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/fs/iso9660.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c index 7ba5b300b..5ec4433b8 100644 --- a/grub-core/fs/iso9660.c +++ b/grub-core/fs/iso9660.c @@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx, { int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0; grub_size_t sz; + char *new; if (grub_add (size, len2, &sz) || grub_add (sz, 1, &sz)) return; - ctx->symlink = grub_realloc (ctx->symlink, sz); - if (! ctx->symlink) - return; + new = grub_realloc (ctx->symlink, sz); + if (!new) + { + grub_free (ctx->symlink); + ctx->symlink = NULL; + return; + } + ctx->symlink = new; grub_memcpy (ctx->symlink + size, part, len2); ctx->symlink[size + len2] = 0; @@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, is the length. Both are part of the `Component Record'. */ if (ctx->symlink && !ctx->was_continue) - add_part (ctx, "/", 1); + { + add_part (ctx, "/", 1); + if (grub_errno) + return grub_errno; + } + add_part (ctx, (char *) &entry->data[pos + 2], entry->data[pos + 1]); ctx->was_continue = (entry->data[pos] & 1); @@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, add_part (ctx, "/", 1); break; } + + /* Check if grub_realloc() failed in add_part(). */ + if (grub_errno) + return grub_errno; + /* In pos + 1 the length of the `Component Record' is stored. */ pos += entry->data[pos + 1] + 2; -- 2.27.0 ++++++ 0007-font-Do-not-load-more-than-one-NAME-section.patch ++++++
From e2b5230126b340e1d88a079cd6a5c22dd4c00682 Mon Sep 17 00:00:00 2001 From: Daniel Kiper <daniel.kiper@oracle.com> Date: Tue, 7 Jul 2020 15:36:26 +0200 Subject: [PATCH 7/7] font: Do not load more than one NAME section
The GRUB font file can have one NAME section only. Though if somebody crafts a broken font file with many NAME sections and loads it then the GRUB leaks memory. So, prevent against that by loading first NAME section and failing in controlled way on following one. Reported-by: Chris Coulson <chris.coulson@canonical.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/font/font.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/grub-core/font/font.c b/grub-core/font/font.c index 5edb477ac..d09bb38d8 100644 --- a/grub-core/font/font.c +++ b/grub-core/font/font.c @@ -532,6 +532,12 @@ grub_font_load (const char *filename) if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME, sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0) { + if (font->name != NULL) + { + grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections"); + goto fail; + } + font->name = read_section_as_string (§ion); if (!font->name) goto fail; -- 2.27.0 ++++++ 0008-script-Remove-unused-fields-from-grub_script_functio.patch ++++++
From 1804acfd35cff2aab9ec9dc586f74f5e3aa83ef2 Mon Sep 17 00:00:00 2001 From: Chris Coulson <chris.coulson@canonical.com> Date: Fri, 10 Jul 2020 11:21:14 +0100 Subject: [PATCH 18/27] script: Remove unused fields from grub_script_function struct
Signed-off-by: Chris Coulson <chris.coulson@canonical.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- include/grub/script_sh.h | 5 ----- 1 file changed, 5 deletions(-) diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h index 360c2be1f..b382bcf09 100644 --- a/include/grub/script_sh.h +++ b/include/grub/script_sh.h @@ -359,13 +359,8 @@ struct grub_script_function /* The script function. */ struct grub_script *func; - /* The flags. */ - unsigned flags; - /* The next element. */ struct grub_script_function *next; - - int references; }; typedef struct grub_script_function *grub_script_function_t; -- 2.27.0 ++++++ 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch ++++++
From 809f3a26897f5f648325c5741e72dc1b3db828ee Mon Sep 17 00:00:00 2001 From: Chris Coulson <chris.coulson@canonical.com> Date: Fri, 10 Jul 2020 14:41:45 +0100 Subject: [PATCH 19/27] script: Avoid a use-after-free when redefining a function during execution
Defining a new function with the same name as a previously defined function causes the grub_script and associated resources for the previous function to be freed. If the previous function is currently executing when a function with the same name is defined, this results in use-after-frees when processing subsequent commands in the original function. Instead, reject a new function definition if it has the same name as a previously defined function, and that function is currently being executed. Although a behavioural change, this should be backwards compatible with existing configurations because they can't be dependent on the current behaviour without being broken. Signed-off-by: Chris Coulson <chris.coulson@canonical.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/script/execute.c | 2 ++ grub-core/script/function.c | 16 +++++++++++++--- grub-core/script/parser.y | 3 ++- include/grub/script_sh.h | 2 ++ 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c index 8a9161cc8..ce83edd4b 100644 --- a/grub-core/script/execute.c +++ b/grub-core/script/execute.c @@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args) old_scope = scope; scope = &new_scope; + func->executing++; ret = grub_script_execute (func->func); + func->executing--; function_return = 0; active_loops = loops; diff --git a/grub-core/script/function.c b/grub-core/script/function.c index d36655e51..3aad04bf9 100644 --- a/grub-core/script/function.c +++ b/grub-core/script/function.c @@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, func = (grub_script_function_t) grub_malloc (sizeof (*func)); if (! func) return 0; + func->executing = 0; func->name = grub_strdup (functionname_arg->str); if (! func->name) @@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, grub_script_function_t q; q = *p; - grub_script_free (q->func); - q->func = cmd; grub_free (func); - func = q; + if (q->executing > 0) + { + grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("attempt to redefine a function being executed")); + func = NULL; + } + else + { + grub_script_free (q->func); + q->func = cmd; + func = q; + } } else { diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y index 4f0ab8319..f80b86b6f 100644 --- a/grub-core/script/parser.y +++ b/grub-core/script/parser.y @@ -289,7 +289,8 @@ function: "function" "name" grub_script_mem_free (state->func_mem); else { script->children = state->scripts; - grub_script_function_create ($2, script); + if (!grub_script_function_create ($2, script)) + grub_script_free (script); } state->scripts = $<scripts>3; diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h index b382bcf09..6c48e0751 100644 --- a/include/grub/script_sh.h +++ b/include/grub/script_sh.h @@ -361,6 +361,8 @@ struct grub_script_function /* The next element. */ struct grub_script_function *next; + + unsigned executing; }; typedef struct grub_script_function *grub_script_function_t; -- 2.27.0 ++++++ 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch ++++++ commit a59b854381d1148d32f74fbb9cf0f384972a5b4b Author: Colin Watson <cjwatson@debian.org> Date: Sat Jul 25 12:15:37 2020 +0100 linux: Fix integer overflows in initrd size handling These could be triggered by a crafted filesystem with very large files. Fixes: CVE-2020-15707 Signed-off-by: Colin Watson <cjwatson@debian.org> Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c index 25624ebc1..e9f819ee9 100644 --- a/grub-core/loader/linux.c +++ b/grub-core/loader/linux.c @@ -4,6 +4,7 @@ #include <grub/misc.h> #include <grub/file.h> #include <grub/mm.h> +#include <grub/safemath.h> struct newc_head { @@ -98,13 +99,13 @@ free_dir (struct dir *root) grub_free (root); } -static grub_size_t +static grub_err_t insert_dir (const char *name, struct dir **root, - grub_uint8_t *ptr) + grub_uint8_t *ptr, grub_size_t *size) { struct dir *cur, **head = root; const char *cb, *ce = name; - grub_size_t size = 0; + *size = 0; while (1) { for (cb = ce; *cb == '/'; cb++); @@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root, ptr = make_header (ptr, name, ce - name, 040777, 0); } - size += ALIGN_UP ((ce - (char *) name) - + sizeof (struct newc_head), 4); + if (grub_add (*size, + ALIGN_UP ((ce - (char *) name) + + sizeof (struct newc_head), 4), + size)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + grub_free (n->name); + grub_free (n); + return grub_errno; + } *head = n; cur = n; } root = &cur->next; } - return size; + return GRUB_ERR_NONE; } grub_err_t @@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[], eptr = grub_strchr (ptr, ':'); if (eptr) { + grub_size_t dir_size, name_len; + initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr); - if (!initrd_ctx->components[i].newc_name) + if (!initrd_ctx->components[i].newc_name || + insert_dir (initrd_ctx->components[i].newc_name, &root, 0, + &dir_size)) { grub_initrd_close (initrd_ctx); return grub_errno; } - initrd_ctx->size - += ALIGN_UP (sizeof (struct newc_head) - + grub_strlen (initrd_ctx->components[i].newc_name), - 4); - initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name, - &root, 0); + name_len = grub_strlen (initrd_ctx->components[i].newc_name); + if (grub_add (initrd_ctx->size, + ALIGN_UP (sizeof (struct newc_head) + name_len, 4), + &initrd_ctx->size) || + grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size)) + goto overflow; newc = 1; fname = eptr + 1; } } else if (newc) { - initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) - + sizeof ("TRAILER!!!") - 1, 4); + if (grub_add (initrd_ctx->size, + ALIGN_UP (sizeof (struct newc_head) + + sizeof ("TRAILER!!!") - 1, 4), + &initrd_ctx->size)) + goto overflow; free_dir (root); root = 0; newc = 0; @@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[], initrd_ctx->nfiles++; initrd_ctx->components[i].size = grub_file_size (initrd_ctx->components[i].file); - initrd_ctx->size += initrd_ctx->components[i].size; + if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size, + &initrd_ctx->size)) + goto overflow; } if (newc) { initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); - initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) - + sizeof ("TRAILER!!!") - 1, 4); + if (grub_add (initrd_ctx->size, + ALIGN_UP (sizeof (struct newc_head) + + sizeof ("TRAILER!!!") - 1, 4), + &initrd_ctx->size)) + goto overflow; free_dir (root); root = 0; } return GRUB_ERR_NONE; + +overflow: + free_dir (root); + grub_initrd_close (initrd_ctx); + return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); } grub_size_t @@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, if (initrd_ctx->components[i].newc_name) { - ptr += insert_dir (initrd_ctx->components[i].newc_name, - &root, ptr); + grub_size_t dir_size; + + if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr, + &dir_size)) + { + free_dir (root); + grub_initrd_close (initrd_ctx); + return grub_errno; + } + ptr += dir_size; ptr = make_header (ptr, initrd_ctx->components[i].newc_name, grub_strlen (initrd_ctx->components[i].newc_name), 0100777, ++++++ grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch ++++++ --- /var/tmp/diff_new_pack.84M0bi/_old 2020-07-31 15:56:25.760380232 +0200 +++ /var/tmp/diff_new_pack.84M0bi/_new 2020-07-31 15:56:25.764380235 +0200 @@ -16,15 +16,20 @@ variable and loading the config file from the subvolume. Signed-off-by: Jeff Mahoney <jeffm@suse.com> + +V1: + * Use overflow checking primitives where the arithmetic expression for + buffer allocations may include unvalidated data + --- grub-core/fs/btrfs.c | 529 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 518 insertions(+), 11 deletions(-) -Index: grub-2.04~rc1/grub-core/fs/btrfs.c +Index: grub-2.04/grub-core/fs/btrfs.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/fs/btrfs.c -+++ grub-2.04~rc1/grub-core/fs/btrfs.c +--- grub-2.04.orig/grub-core/fs/btrfs.c ++++ grub-2.04/grub-core/fs/btrfs.c @@ -40,6 +40,9 @@ #include <grub/btrfs.h> #include <grub/crypto.h> @@ -164,7 +169,7 @@ return data; } -@@ -1654,6 +1739,91 @@ get_root (struct grub_btrfs_data *data, +@@ -1654,6 +1739,98 @@ get_root (struct grub_btrfs_data *data, } static grub_err_t @@ -207,8 +212,12 @@ + key_out.object_id != key_out.offset) { + struct grub_btrfs_inode_ref *inode_ref; + char *new; ++ grub_size_t sz; + -+ inode_ref = grub_malloc(elemsize + 1); ++ if (grub_add (elemsize, 1, &sz)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ inode_ref = grub_malloc(sz); + if (!inode_ref) + return grub_error(GRUB_ERR_OUT_OF_MEMORY, + "couldn't allocate memory for inode_ref (%"PRIuGRUB_SIZE")\n", elemsize); @@ -217,7 +226,10 @@ + if (err) + return grub_error(err, "read_logical caught %d\n", err); + -+ alloc += grub_le_to_cpu16 (inode_ref->n) + 2; ++ if (grub_add (grub_le_to_cpu16 (inode_ref->n), 2, &sz) || ++ grub_add (alloc, sz, &alloc)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ + new = grub_malloc(alloc); + if (!new) + return grub_error(GRUB_ERR_OUT_OF_MEMORY, @@ -256,7 +268,7 @@ find_path (struct grub_btrfs_data *data, const char *path, struct grub_btrfs_key *key, grub_uint64_t *tree, grub_uint8_t *type) -@@ -1671,14 +1841,26 @@ find_path (struct grub_btrfs_data *data, +@@ -1671,14 +1848,26 @@ find_path (struct grub_btrfs_data *data, char *origpath = NULL; unsigned symlinks_max = 32; @@ -287,7 +299,7 @@ while (1) { while (path[0] == '/') -@@ -1851,9 +2033,21 @@ find_path (struct grub_btrfs_data *data, +@@ -1851,9 +2040,21 @@ find_path (struct grub_btrfs_data *data, path = path_alloc = tmp; if (path[0] == '/') { @@ -312,7 +324,7 @@ } continue; } -@@ -2094,6 +2288,20 @@ grub_btrfs_read (grub_file_t file, char +@@ -2094,6 +2295,20 @@ grub_btrfs_read (grub_file_t file, char data->tree, file->offset, buf, len); } @@ -333,7 +345,7 @@ static grub_err_t grub_btrfs_uuid (grub_device_t device, char **uuid) { -@@ -2105,15 +2313,7 @@ grub_btrfs_uuid (grub_device_t device, c +@@ -2105,15 +2320,7 @@ grub_btrfs_uuid (grub_device_t device, c if (!data) return grub_errno; @@ -350,7 +362,7 @@ grub_btrfs_unmount (data); -@@ -2170,6 +2370,242 @@ grub_btrfs_embed (grub_device_t device _ +@@ -2170,6 +2377,248 @@ grub_btrfs_embed (grub_device_t device _ } #endif @@ -531,9 +543,15 @@ + + if (elemsize > allocated) + { ++ grub_size_t sz; ++ + grub_free(buf); -+ allocated = 2 * elemsize; -+ buf = grub_malloc(allocated + 1); ++ ++ if (grub_mul (elemsize, 2, &allocated) || ++ grub_add (allocated, 1, &sz)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ buf = grub_malloc(sz); + if (!buf) + { + r = -grub_errno; @@ -593,7 +611,7 @@ static struct grub_fs grub_btrfs_fs = { .name = "btrfs", .fs_dir = grub_btrfs_dir, -@@ -2185,12 +2621,88 @@ static struct grub_fs grub_btrfs_fs = { +@@ -2185,12 +2634,88 @@ static struct grub_fs grub_btrfs_fs = { #endif }; @@ -682,10 +700,10 @@ } + +// vim: si et sw=2: -Index: grub-2.04~rc1/include/grub/btrfs.h +Index: grub-2.04/include/grub/btrfs.h =================================================================== ---- grub-2.04~rc1.orig/include/grub/btrfs.h -+++ grub-2.04~rc1/include/grub/btrfs.h +--- grub-2.04.orig/include/grub/btrfs.h ++++ grub-2.04/include/grub/btrfs.h @@ -29,6 +29,7 @@ enum GRUB_BTRFS_ITEM_TYPE_ROOT_ITEM = 0x84, GRUB_BTRFS_ITEM_TYPE_ROOT_BACKREF = 0x90, ++++++ grub2-btrfs-09-get-default-subvolume.patch ++++++ --- /var/tmp/diff_new_pack.84M0bi/_old 2020-07-31 15:56:25.792380265 +0200 +++ /var/tmp/diff_new_pack.84M0bi/_new 2020-07-31 15:56:25.792380265 +0200 @@ -1,8 +1,13 @@ -Index: grub-2.04~rc1/grub-core/fs/btrfs.c + +V1: + * Use overflow checking primitives where the arithmetic expression for + buffer allocations may include unvalidated data + +Index: grub-2.04/grub-core/fs/btrfs.c =================================================================== ---- grub-2.04~rc1.orig/grub-core/fs/btrfs.c -+++ grub-2.04~rc1/grub-core/fs/btrfs.c -@@ -2867,6 +2867,242 @@ out: +--- grub-2.04.orig/grub-core/fs/btrfs.c ++++ grub-2.04/grub-core/fs/btrfs.c +@@ -2880,6 +2880,254 @@ out: return 0; } @@ -26,6 +31,7 @@ + grub_disk_addr_t elemaddr; + grub_err_t err; + char *parent_path; ++ grub_size_t sz; + + *parent_id = 0; + *path_out = 0; @@ -44,7 +50,10 @@ + return grub_error(GRUB_ERR_FILE_NOT_FOUND, N_("can't find root backrefs")); + } + -+ buf = grub_malloc(elemsize + 1); ++ if (grub_add (elemsize, 1, &sz)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ buf = grub_malloc(sz); + if (!buf) + { + free_iterator(&desc); @@ -98,6 +107,7 @@ + struct grub_btrfs_dir_item *direl = NULL; + const char *ctoken = "default"; + grub_size_t ctokenlen = sizeof ("default") - 1; ++ grub_size_t sz; + + *id = 0; + key.object_id = data->sblock.root_dir_objectid; @@ -112,7 +122,14 @@ + return grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("file not found")); + + struct grub_btrfs_dir_item *cdirel; -+ direl = grub_malloc (elemsize + 1); ++ ++ if (grub_add (elemsize, 1, &sz)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ direl = grub_malloc (sz); ++ if (!direl) ++ return grub_errno; ++ + err = grub_btrfs_read_logical (data, elemaddr, direl, elemsize, 0); + if (err) + { @@ -245,7 +262,7 @@ static struct grub_fs grub_btrfs_fs = { .name = "btrfs", .fs_dir = grub_btrfs_dir, -@@ -2885,6 +3121,7 @@ static struct grub_fs grub_btrfs_fs = { +@@ -2898,6 +3146,7 @@ static struct grub_fs grub_btrfs_fs = { static grub_command_t cmd_info; static grub_command_t cmd_mount_subvol; static grub_extcmd_t cmd_list_subvols; @@ -253,7 +270,7 @@ static char * subvolid_set_env (struct grub_env_var *var __attribute__ ((unused)), -@@ -2955,6 +3192,11 @@ GRUB_MOD_INIT (btrfs) +@@ -2968,6 +3217,11 @@ GRUB_MOD_INIT (btrfs) "[-p|-n] [-o var] DEVICE", "Print list of BtrFS subvolumes on " "DEVICE.", options); ++++++ grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch ++++++ --- /var/tmp/diff_new_pack.84M0bi/_old 2020-07-31 15:56:25.872380347 +0200 +++ /var/tmp/diff_new_pack.84M0bi/_new 2020-07-31 15:56:25.872380347 +0200 @@ -14,6 +14,10 @@ the ctrl+l and ctrl+r to scroll the highlighted text left and right. The scrolled result will remain in place to help memorizing it after changing highlight to other entry. + +V1: + * Use grub_calloc for overflow check and return NULL when it would + occur. --- grub-core/gfxmenu/gfxmenu.c | 3 +++ grub-core/gfxmenu/gui_label.c | 2 ++ @@ -24,20 +28,27 @@ include/grub/menu_viewer.h | 1 + 7 files changed, 112 insertions(+) -diff --git a/grub-core/gfxmenu/gfxmenu.c b/grub-core/gfxmenu/gfxmenu.c -index 8a17dda2c..e834895fb 100644 ---- a/grub-core/gfxmenu/gfxmenu.c -+++ b/grub-core/gfxmenu/gfxmenu.c -@@ -108,6 +108,8 @@ grub_gfxmenu_try (int entry, grub_menu_t menu, int nested) +Index: grub-2.04/grub-core/gfxmenu/gfxmenu.c +=================================================================== +--- grub-2.04.orig/grub-core/gfxmenu/gfxmenu.c ++++ grub-2.04/grub-core/gfxmenu/gfxmenu.c +@@ -108,6 +108,15 @@ grub_gfxmenu_try (int entry, grub_menu_t view->menu = menu; view->nested = nested; view->first_timeout = -1; + if (menu->size) -+ view->menu_title_offset = grub_zalloc (sizeof (*view->menu_title_offset) * menu->size); ++ { ++ view->menu_title_offset = grub_calloc (menu->size, sizeof (*view->menu_title_offset)); ++ if (!view->menu_title_offset) ++ { ++ grub_free (instance); ++ return grub_errno; ++ } ++ } grub_video_set_viewport (0, 0, mode_info.width, mode_info.height); if (view->double_repaint) -@@ -123,6 +125,7 @@ grub_gfxmenu_try (int entry, grub_menu_t menu, int nested) +@@ -123,6 +132,7 @@ grub_gfxmenu_try (int entry, grub_menu_t instance->fini = grub_gfxmenu_viewer_fini; instance->print_timeout = grub_gfxmenu_print_timeout; instance->clear_timeout = grub_gfxmenu_clear_timeout; @@ -45,11 +56,11 @@ grub_menu_register_viewer (instance); -diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c -index a4c817891..8b1358dd4 100644 ---- a/grub-core/gfxmenu/gui_label.c -+++ b/grub-core/gfxmenu/gui_label.c -@@ -192,6 +192,8 @@ label_set_property (void *vself, const char *name, const char *value) +Index: grub-2.04/grub-core/gfxmenu/gui_label.c +=================================================================== +--- grub-2.04.orig/grub-core/gfxmenu/gui_label.c ++++ grub-2.04/grub-core/gfxmenu/gui_label.c +@@ -192,6 +192,8 @@ label_set_property (void *vself, const c "or `c' for a command-line."); else if (grub_strcmp (value, "@KEYMAP_SHORT@") == 0) value = _("enter: boot, `e': options, `c': cmd-line"); @@ -58,10 +69,10 @@ /* FIXME: Add more templates here if needed. */ self->template = grub_strdup (value); self->text = grub_xasprintf (value, self->value); -diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c -index 01477cdf2..90487aef4 100644 ---- a/grub-core/gfxmenu/gui_list.c -+++ b/grub-core/gfxmenu/gui_list.c +Index: grub-2.04/grub-core/gfxmenu/gui_list.c +=================================================================== +--- grub-2.04.orig/grub-core/gfxmenu/gui_list.c ++++ grub-2.04/grub-core/gfxmenu/gui_list.c @@ -24,6 +24,7 @@ #include <grub/gfxmenu_view.h> #include <grub/gfxwidgets.h> @@ -104,7 +115,7 @@ /* Draw the list of items. */ static void draw_menu (list_impl_t self, int num_shown_items) -@@ -433,6 +461,16 @@ draw_menu (list_impl_t self, int num_shown_items) +@@ -433,6 +461,16 @@ draw_menu (list_impl_t self, int num_sho const char *item_title = grub_menu_get_entry (self->view->menu, menu_index)->title; @@ -121,10 +132,10 @@ sviewport.y = item_top + top_pad; sviewport.width = viewport_width; grub_gui_set_viewport (&sviewport, &svpsave); -diff --git a/grub-core/gfxmenu/view.c b/grub-core/gfxmenu/view.c -index ad5e82b81..7aed7faa1 100644 ---- a/grub-core/gfxmenu/view.c -+++ b/grub-core/gfxmenu/view.c +Index: grub-2.04/grub-core/gfxmenu/view.c +=================================================================== +--- grub-2.04.orig/grub-core/gfxmenu/view.c ++++ grub-2.04/grub-core/gfxmenu/view.c @@ -37,6 +37,7 @@ #include <grub/gui_string_util.h> #include <grub/icon_manager.h> @@ -133,7 +144,7 @@ static void init_terminal (grub_gfxmenu_view_t view); -@@ -142,6 +143,7 @@ grub_gfxmenu_view_destroy (grub_gfxmenu_view_t view) +@@ -142,6 +143,7 @@ grub_gfxmenu_view_destroy (grub_gfxmenu_ grub_free (view->title_text); grub_free (view->progress_message_text); grub_free (view->theme_path); @@ -141,7 +152,7 @@ if (view->canvas) view->canvas->component.ops->destroy (view->canvas); grub_free (view); -@@ -410,6 +412,52 @@ grub_gfxmenu_set_chosen_entry (int entry, void *data) +@@ -410,6 +412,52 @@ grub_gfxmenu_set_chosen_entry (int entry grub_gfxmenu_redraw_menu (view); } @@ -194,15 +205,14 @@ static void grub_gfxmenu_draw_terminal_box (void) { -diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c -index e7a83c2d6..0af20d052 100644 ---- a/grub-core/normal/menu.c -+++ b/grub-core/normal/menu.c -@@ -376,6 +376,15 @@ menu_set_chosen_entry (int entry) - cur->set_chosen_entry (entry, cur->data); +Index: grub-2.04/grub-core/normal/menu.c +=================================================================== +--- grub-2.04.orig/grub-core/normal/menu.c ++++ grub-2.04/grub-core/normal/menu.c +@@ -401,6 +401,15 @@ menu_set_chosen_entry (int entry) } -+static void + static void +menu_scroll_chosen_entry (int diren) +{ + struct grub_menu_viewer *cur; @@ -211,10 +221,11 @@ + cur->scroll_chosen_entry (cur->data, diren); +} + - static void ++static void menu_print_timeout (int timeout) { -@@ -755,6 +764,13 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot) + struct grub_menu_viewer *cur; +@@ -828,6 +837,13 @@ run_menu (grub_menu_t menu, int nested, menu_set_chosen_entry (current_entry); break; @@ -228,10 +239,10 @@ case '\n': case '\r': case GRUB_TERM_KEY_RIGHT: -diff --git a/include/grub/gfxmenu_view.h b/include/grub/gfxmenu_view.h -index 4203c8fb9..56c0d17ae 100644 ---- a/include/grub/gfxmenu_view.h -+++ b/include/grub/gfxmenu_view.h +Index: grub-2.04/include/grub/gfxmenu_view.h +=================================================================== +--- grub-2.04.orig/include/grub/gfxmenu_view.h ++++ grub-2.04/include/grub/gfxmenu_view.h @@ -61,6 +61,8 @@ void grub_gfxmenu_print_timeout (int timeout, void *data); void @@ -250,10 +261,10 @@ }; #endif /* ! GRUB_GFXMENU_VIEW_HEADER */ -diff --git a/include/grub/menu_viewer.h b/include/grub/menu_viewer.h -index c6513c4e8..5f2a39dc9 100644 ---- a/include/grub/menu_viewer.h -+++ b/include/grub/menu_viewer.h +Index: grub-2.04/include/grub/menu_viewer.h +=================================================================== +--- grub-2.04.orig/include/grub/menu_viewer.h ++++ grub-2.04/include/grub/menu_viewer.h @@ -33,6 +33,7 @@ struct grub_menu_viewer void (*set_chosen_entry) (int entry, void *data); void (*print_timeout) (int timeout, void *data); @@ -262,6 +273,3 @@ void (*fini) (void *fini); }; --- -2.16.4 - ++++++ grub2-grubenv-in-btrfs-header.patch ++++++ --- /var/tmp/diff_new_pack.84M0bi/_old 2020-07-31 15:56:25.884380360 +0200 +++ /var/tmp/diff_new_pack.84M0bi/_new 2020-07-31 15:56:25.884380360 +0200 @@ -4,11 +4,16 @@ block. v2: export env_block and make sure to use the device of grubenv + +v3: + * Use xcalloc for overflow check and return NULL when it would + occur. + --- -Index: grub-2.02/grub-core/kern/fs.c +Index: grub-2.04/grub-core/kern/fs.c =================================================================== ---- grub-2.02.orig/grub-core/kern/fs.c -+++ grub-2.02/grub-core/kern/fs.c +--- grub-2.04.orig/grub-core/kern/fs.c ++++ grub-2.04/grub-core/kern/fs.c @@ -27,6 +27,7 @@ #include <grub/mm.h> #include <grub/term.h> @@ -31,10 +36,10 @@ ret += size; len -= size; sector -= ((size + offset) >> GRUB_DISK_SECTOR_BITS); -Index: grub-2.02/util/grub-editenv.c +Index: grub-2.04/util/grub-editenv.c =================================================================== ---- grub-2.02.orig/util/grub-editenv.c -+++ grub-2.02/util/grub-editenv.c +--- grub-2.04.orig/util/grub-editenv.c ++++ grub-2.04/util/grub-editenv.c @@ -23,8 +23,11 @@ #include <grub/util/misc.h> #include <grub/lib/envblk.h> @@ -207,7 +212,7 @@ } static void -@@ -202,6 +346,38 @@ write_envblk (const char *name, grub_env +@@ -203,6 +347,38 @@ write_envblk (const char *name, grub_env } static void @@ -246,7 +251,7 @@ set_variables (const char *name, int argc, char *argv[]) { grub_envblk_t envblk; -@@ -217,8 +393,27 @@ set_variables (const char *name, int arg +@@ -218,8 +394,27 @@ set_variables (const char *name, int arg *(p++) = 0; @@ -276,7 +281,7 @@ argc--; argv++; -@@ -226,26 +421,158 @@ set_variables (const char *name, int arg +@@ -227,26 +422,158 @@ set_variables (const char *name, int arg write_envblk (name, envblk); grub_envblk_close (envblk); @@ -371,7 +376,7 @@ + ndev++; + } + -+ grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1)); ++ grub_drives = xcalloc ((ndev + 1), sizeof (grub_drives[0])); + + for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++, + curdrive++) @@ -435,7 +440,7 @@ int main (int argc, char *argv[]) { -@@ -277,6 +604,9 @@ main (int argc, char *argv[]) +@@ -278,6 +605,9 @@ main (int argc, char *argv[]) command = argv[curindex++]; } @@ -445,10 +450,10 @@ if (strcmp (command, "create") == 0) grub_util_create_envblk_file (filename); else if (strcmp (command, "list") == 0) -Index: grub-2.02/util/grub.d/00_header.in +Index: grub-2.04/util/grub.d/00_header.in =================================================================== ---- grub-2.02.orig/util/grub.d/00_header.in -+++ grub-2.02/util/grub.d/00_header.in +--- grub-2.04.orig/util/grub.d/00_header.in ++++ grub-2.04/util/grub.d/00_header.in @@ -46,6 +46,13 @@ cat << EOF if [ -s \$prefix/grubenv ]; then load_env