1
diff --git a/ChangeLog b/ChangeLog
2
index ba90478..434754f 100644
3
--- a/ChangeLog
4
+++ b/ChangeLog
5
@@ -1,3 +1,5281 @@
6
1
2021-06-08  Daniel Kiper  <daniel.kiper@oracle.com>
7
2
8
3
	Release 2.06
9
4
10
5
2021-06-08  Daniel Kiper  <daniel.kiper@oracle.com>
11
6
12
7
	SECURITY: Add SECURITY file
13
8
	The SECURITY file describes the GRUB project security policy.
14
9
15
10
	It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md
16
11
17
12
2021-06-08  Daniel Kiper  <daniel.kiper@oracle.com>
18
13
19
14
	MAINTAINERS: Add MAINTAINERS file
20
15
	The MAINTAINERS file provides basic information about the GRUB project
21
16
	and its maintainers.
22
17
23
18
2021-06-01  Dimitri John Ledkov  <xnox@ubuntu.com>
24
19
25
20
	grub-install: Add backup and restore
26
21
	Refactor clean_grub_dir() to create a backup of all the files, instead
27
22
	of just irrevocably removing them as the first action. If available,
28
23
	register atexit() handler to restore the backup if errors occur before
29
24
	point of no return, or remove the backup if everything was successful.
30
25
	If atexit() is not available, the backup remains on disk for manual
31
26
	recovery.
32
27
33
28
	Some platforms defined a point of no return, i.e. after modules & core
34
29
	images were updated. Failures from any commands after that stage are
35
30
	ignored, and backup is cleaned up. For example, on EFI platforms update
36
31
	is not reverted when efibootmgr fails.
37
32
38
33
	Extra care is taken to ensure atexit() handler is only invoked by the
39
34
	parent process and not any children forks. Some older GRUB codebases
40
35
	can invoke parent atexit() hooks from forks, which can mess up the
41
36
	backup.
42
37
43
38
	This allows safer upgrades of MBR & modules, such that
44
39
	modules/images/fonts/translations are consistent with MBR in case of
45
40
	errors. For example accidental grub-install /dev/non-existent-disk
46
41
	currently clobbers and upgrades modules in /boot/grub, despite not
47
42
	actually updating any MBR.
48
43
49
44
	This patch only handles backup and restore of files copied to /boot/grub.
50
45
	This patch does not perform backup (or restoration) of MBR itself or
51
46
	blocklists. Thus when installing i386-pc platform, corruption may still
52
47
	occur with MBR and blocklists which will not be attempted to be
53
48
	automatically recovered.
54
49
55
50
	Also add modinfo.sh and *.efi to the cleanup/backup/restore code path,
56
51
	to ensure it is also cleaned, backed up and restored.
57
52
58
53
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
59
54
60
55
2021-06-01  Dimitri John Ledkov  <xnox@ubuntu.com>
61
56
62
57
	osdep/unix/exec: Avoid atexit() handlers when child execvp() fails
63
58
	The functions grub_util_exec_pipe() and grub_util_exec_pipe_stderr()
64
59
	currently call execvp(). If the call fails for any reason, the child
65
60
	currently calls exit(127). This in turn executes the parents
66
61
	atexit() handlers from the forked child, and then the same handlers
67
62
	are called again from parent. This is usually not desired, and can
68
63
	lead to deadlocks, and undesired behavior. So, change the exit() calls
69
64
	to _exit() calls to avoid calling atexit() handlers from child.
70
65
71
66
	Fixes: e75cf4a58 (unix exec: avoid atexit handlers when child exits)
72
67
73
68
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
74
69
75
70
2021-06-01  Jan (janneke) Nieuwenhuizen  <janneke@gnu.org>
76
71
77
72
	lib/i386/relocator64: Build fixes for i386
78
73
	This fixes cross-compiling to x86 (e.g., the Hurd) from x86-linux of
79
74
80
75
	    grub-core/lib/i386/relocator64.S
81
76
82
77
	This file has six sections that only build with a 64-bit assembler,
83
78
	yet only the first two sections had support for a 32-bit assembler.
84
79
	This patch completes this for the remaining sections.
85
80
86
81
	To reproduce, update the GRUB source description in your local Guix
87
82
	archive and run
88
83
89
84
	   ./pre-inst-env guix build --system=i686-linux --target=i586-pc-gnu grub
90
85
91
86
	or install an x86 cross-build environment on x86-linux (32-bit!) and
92
87
	configure to cross build and make, e.g., do something like
93
88
94
89
	    ./configure \
95
90
	       CC_FOR_BUILD=gcc \
96
91
	       --build=i686-unknown-linux-gnu \
97
92
	       --host=i586-pc-gnu
98
93
	    make
99
94
100
95
	Additionally, remove a line with redundant spaces.
101
96
102
97
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
103
98
104
99
2021-06-01  Javier Martinez Canillas  <javierm@redhat.com>
105
100
106
101
	fs/xfs: Add needsrepair incompat feature support
107
102
	The XFS now has an incompat feature flag to indicate that a filesystem
108
103
	needs to be repaired. The Linux kernel refuses to mount the filesystem
109
104
	that has it set and only the xfs_repair tool is able to clear that flag.
110
105
111
106
	The GRUB doesn't have the concept of mounting filesystems and just
112
107
	attempts to read the files. But it does some sanity checking before
113
108
	attempting to read from the filesystem. Among the things which are tested,
114
109
	is if the super block only has set of incompatible features flags that
115
110
	are supported by GRUB. If it contains any flags that are not listed as
116
111
	supported, reading the XFS filesystem fails.
117
112
118
113
	Since the GRUB doesn't attempt to detect if the filesystem is inconsistent
119
114
	nor replays the journal, the filesystem access is a best effort. For this
120
115
	reason, ignore if the filesystem needs to be repaired and just print a debug
121
116
	message. That way, if reading or booting fails later, the user is able to
122
117
	figure out that the failures can be related to broken XFS filesystem.
123
118
124
119
	Suggested-by: Eric Sandeen <esandeen@redhat.com>
125
120
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
126
121
127
122
2021-06-01  Carlos Maiolino  <cmaiolino@redhat.com>
128
123
129
124
	fs/xfs: Add bigtime incompat feature support
130
125
	The XFS filesystem supports a bigtime feature to overcome y2038 problem.
131
126
	This patch makes the GRUB able to support the XFS filesystems with this
132
127
	feature enabled.
133
128
134
129
	The XFS counter for the bigtime enabled timestamps starts at 0, which
135
130
	translates to GRUB_INT32_MIN (Dec 31 20:45:52 UTC 1901) in the legacy
136
131
	timestamps. The conversion to Unix timestamps is made before passing the
137
132
	value to other GRUB functions.
138
133
139
134
	For this to work properly, GRUB requires an access to flags2 field in the
140
135
	XFS ondisk inode. So, the grub_xfs_inode structure has been updated to
141
136
	cover full ondisk inode.
142
137
143
138
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
144
139
145
140
2021-06-01  Carlos Maiolino  <cmaiolino@redhat.com>
146
141
147
142
	fs: Use 64-bit type for filesystem timestamp
148
143
	Some filesystems nowadays use 64-bit types for timestamps. So, update
149
144
	grub_dirhook_info struct to use an grub_int64_t type to store mtime.
150
145
	This also updates the grub_unixtime2datetime() function to receive
151
146
	a 64-bit timestamp argument and do 64-bit-safe divisions.
152
147
153
148
	All the remaining conversion from 32-bit to 64-bit should be safe, as
154
149
	32-bit to 64-bit attributions will be implicitly casted. The most
155
150
	critical part in the 32-bit to 64-bit conversion is in the function
156
151
	grub_unixtime2datetime() where it needs to deal with the 64-bit type.
157
152
	So, for that, the grub_divmod64() helper has been used.
158
153
159
154
	These changes enables the GRUB to support dates beyond y2038.
160
155
161
156
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
162
157
163
158
2021-05-28  Javier Martinez Canillas  <javierm@redhat.com>
164
159
165
160
	types: Define PRI{x,d}GRUB_INT{32,64}_T format specifiers
166
161
	There are already PRI*_T constants defined for unsigned integers but not
167
162
	for signed integers. Add format specifiers for the latter.
168
163
169
164
	Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
170
165
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
171
166
172
167
2021-05-28  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
173
168
174
169
	kern/efi/sb: Remove duplicate efi_shim_lock_guid variable
175
170
	The efi_shim_lock_guid local variable and shim_lock_guid global variable
176
171
	have the same GUID value. Only the latter is retained.
177
172
178
173
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
179
174
180
175
2021-05-10  Javier Martinez Canillas  <javierm@redhat.com>
181
176
182
177
	util/mkimage: Fix wrong PE32+ section sizes for some arches
183
178
	The commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
184
179
	added a helper function to setup PE sections. But it also changed how the
185
180
	raw data offsets were calculated since all the section sizes are aligned.
186
181
	However, for some platforms, i.e ia64-efi and arm64-efi, the kernel image
187
182
	size is not aligned using the section alignment. This leads to the situation
188
183
	in which the mods section offset in its PE section header does not match its
189
184
	real placement in the PE file. So, finally the GRUB is not able to locate
190
185
	and load built-in modules.
191
186
192
187
	The problem surfaces on ia64-efi and arm64-efi because both platforms
193
188
	require additional relocation data which is added behind .bss section.
194
189
	So, we have to add some padding behind this extra data to make the
195
190
	beginning of mods section properly aligned in the PE file. Fix it by
196
191
	aligning the kernel_size to the section alignment. That makes the sizes
197
192
	and offsets in the PE section headers to match relevant sections in the
198
193
	PE32+ binary file.
199
194
200
195
	Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
201
196
	Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
202
197
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
203
198
204
199
2021-05-10  Daniel Kiper  <daniel.kiper@oracle.com>
205
200
206
201
	term/terminfo: Fix the terminfo command help and documentation
207
202
	Additionally, fix the terminfo spelling mistake in
208
203
	the GRUB development documentation.
209
204
210
205
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
211
206
212
207
2021-05-10  Daniel Kiper  <daniel.kiper@oracle.com>
213
208
214
209
	i18n: Align N_() formatting with the rest of GRUB code
215
210
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
216
211
217
212
2021-05-10  Daniel Kiper  <daniel.kiper@oracle.com>
218
213
219
214
	i18n: Format large integers before the translation message - take 2
220
215
	This is an additional fix which has been missing from the commit 837fe48de
221
216
	(i18n: Format large integers before the translation message).
222
217
223
218
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
224
219
225
220
2021-04-13  Miguel Ángel Arruga Vivas  <rosen644835@gmail.com>
226
221
227
222
	i18n: Format large integers before the translation message
228
223
	The GNU gettext only supports the ISO C99 macros for integral
229
224
	types. If there is a need to use unsupported formatting macros,
230
225
	e.g. PRIuGRUB_UINT64_T, according to [1] the number to a string
231
226
	conversion should be separated from the code printing message
232
227
	requiring the internationalization. So, the function grub_snprintf()
233
228
	is used to print the numeric values to an intermediate buffer and
234
229
	the internationalized message contains a string format directive.
235
230
236
231
	[1] https://www.gnu.org/software/gettext/manual/html_node/Preparing-Strings.html#No-string-concatenation
237
232
238
233
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
239
234
240
235
2021-04-12  Daniel Axtens  <dja@axtens.net>
241
236
242
237
	video/fb/fbfill: Use unsigned integers for width/height
243
238
	Since commit 7ce3259f67ac (video/fb/fbfill: Fix potential integer
244
239
	overflow), clang builds of grub-emu have failed with messages like:
245
240
246
241
	  /usr/bin/ld: libgrubmods.a(libgrubmods_a-fbfill.o): in function `grub_video_fbfill_direct24':
247
242
	  fbfill.c:(.text+0x28e): undefined reference to `__muloti4'
248
243
249
244
	This appears to be due to a weird quirk in how clang compiles
250
245
251
246
	  grub_mul(dst->mode_info->bytes_per_pixel, width, &rowskip)
252
247
253
248
	which is grub_mul(unsigned int, int, &grub_size_t).
254
249
255
250
	It looks like clang somewhere promotes everything to 128-bit maths
256
251
	before ultimately reducing down to 64 bit for grub_size_t. I think
257
252
	this is because width is signed, and indeed converting width to an
258
253
	unsigned int makes the problem go away.
259
254
260
255
	This conversion also makes more sense generally:
261
256
	  - the caller of all the fbfill_directN functions is
262
257
	    grub_video_fb_fill_dispatch() and it takes width and height as
263
258
	    unsigned ints already,
264
259
	  - it doesn't make sense to fill a negative width or height.
265
260
266
261
	Convert the width and height arguments and associated loop counters
267
262
	to unsigned ints.
268
263
269
264
	Fixes: 7ce3259f67ac (video/fb/fbfill: Fix potential integer overflow)
270
265
271
266
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
272
267
273
268
2021-04-12  Glenn Washburn  <development@efficientek.com>
274
269
275
270
	docs: Conform badmem and cutmem description indentations with other commands
276
271
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
277
272
278
273
	docs: Add note to cryptomount that UUIDs should be specified without dashes
279
274
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
280
275
281
276
2021-04-12  Aru Sahni  <aru@arusahni.net>
282
277
283
278
	templates: Fix user-facing typo with an incorrect use of "it's"
284
279
	Since the possessive form of "it" is being used, the apostrophe must be omitted.
285
280
286
281
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
287
282
288
283
2021-04-12  Colin Watson  <cjwatson@debian.org>
289
284
290
285
	buffer: Sync up out-of-range error message
291
286
	The messages associated with other similar GRUB_ERR_OUT_OF_RANGE errors
292
287
	were lacking the trailing full stop. Syncing up the strings saves a small
293
288
	amount of precious core image space on i386-pc.
294
289
295
290
	  DOWN: obj/i386-pc/grub-core/kernel.img (31740 > 31708) - change: -32
296
291
	  DOWN: i386-pc core image (biosdisk ext2 part_msdos) (27453 > 27452) - change: -1
297
292
	  DOWN: i386-pc core image (biosdisk ext2 part_msdos diskfilter mdraid09) (32367 > 32359) - change: -8
298
293
299
294
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
300
295
301
296
2021-04-12  Glenn Washburn  <development@efficientek.com>
302
297
303
298
	usb/usbhub: Use GRUB_USB_MAX_CONF macro instead of literal in hub for maximum configs
304
299
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
305
300
306
301
2021-04-12  Daniel Drake  <drake@endlessm.com>
307
302
308
303
	fs/minix: Avoid mistakenly probing ext2 filesystems
309
304
	The ext2 (and ext3, ext4) filesystems write the number of free inodes to
310
305
	location 0x410.
311
306
312
307
	On a MINIX filesystem, that same location is used for the MINIX superblock
313
308
	magic number.
314
309
315
310
	If the number of free inodes on an ext2 filesystem is equal to any
316
311
	of the four MINIX superblock magic values plus any multiple of 65536,
317
312
	GRUB's MINIX filesystem code will probe it as a MINIX filesystem.
318
313
319
314
	In the case of an OS using ext2 as the root filesystem, since there will
320
315
	ordinarily be some amount of file creation and deletion on every bootup,
321
316
	it effectively means that this situation has a 1:16384 chance of being hit
322
317
	on every reboot.
323
318
324
319
	This will cause GRUB's filesystem probing code to mistakenly identify an
325
320
	ext2 filesystem as MINIX. This can be seen by e.g. "search --label"
326
321
	incorrectly indicating that no such ext2 partition with matching label
327
322
	exists, whereas in fact it does.
328
323
329
324
	After spotting the rough cause of the issue I was facing here, I borrowed
330
325
	much of the diagnosis/explanation from meierfra who found and investigated
331
326
	the same issue in util-linux in 2010:
332
327
333
328
	  https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/518582
334
329
335
330
	This was fixed in util-linux by having the MINIX code check for the
336
331
	ext2 magic. Do the same here.
337
332
338
333
	Reviewed-by: Derek Foreman <derek@endlessos.org>
339
334
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
340
335
341
336
2021-03-12  Daniel Kiper  <daniel.kiper@oracle.com>
342
337
343
338
	Release 2.06~rc1
344
339
345
340
2021-03-11  Ard Biesheuvel  <ard.biesheuvel@arm.com>
346
341
347
342
	arm/linux: Fix ARM Linux header layout
348
343
	The hdr_offset member of the ARM Linux image header appears at
349
344
	offset 0x3c, matching the PE/COFF spec's placement of the COFF
350
345
	header offset in the MS-DOS header. We're currently off by four,
351
346
	so fix that.
352
347
353
348
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
354
349
355
350
2021-03-10  Glenn Washburn  <development@efficientek.com>
356
351
357
352
	style: Format string macro should have a space between quotes
358
353
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
359
354
360
355
2021-03-10  Glenn Washburn  <development@efficientek.com>
361
356
362
357
	grub/err: Do compile-time format string checking on grub_error()
363
358
	This should help prevent format string errors and thus improve the quality
364
359
	of error reporting.
365
360
366
361
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
367
362
368
363
2021-03-10  Glenn Washburn  <development@efficientek.com>
369
364
370
365
	fs/zfs/zfs: Use format code "%llu" for 64-bit uint bp->blk_prop in grub_error()
371
366
	This is a temporary, less-intrusive change to get the build to success with
372
367
	compiler format string checking turned on. There is a better fix which
373
368
	addresses this issue, but it needs more testing. Use this change so that
374
369
	format string checking on grub_error() can be turned on until the better
375
370
	change is fully tested.
376
371
377
372
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
378
373
379
374
2021-03-10  Glenn Washburn  <development@efficientek.com>
380
375
381
376
	fs/hfsplus: Use format code PRIuGRUB_UINT64_T for 64-bit typed fileblock in grub_error()
382
377
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
383
378
384
379
2021-03-10  Glenn Washburn  <development@efficientek.com>
385
380
386
381
	dl/elf: Use format code PRIxGRUB_UINT64_T for 64-bit arg in grub_error()
387
382
	The macro ELF_R_TYPE does not change the underlying type. Here its argument
388
383
	is a 64-bit Elf64_Xword. Make sure the format code matches.
389
384
390
385
	For the RISC-V architecture, rel->r_info could be either Elf32_Xword or
391
386
	Elf64_Xword depending on if 32 or 64-bit RISC-V is being built. So cast
392
387
	to 64-bit value regardless.
393
388
394
389
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
395
390
396
391
2021-03-10  Glenn Washburn  <development@efficientek.com>
397
392
398
393
	disk/ata: Use format code PRIxGRUB_UINT64_T for 64-bit uint argument in grub_error()
399
394
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
400
395
401
396
2021-03-10  Glenn Washburn  <development@efficientek.com>
402
397
403
398
	loader/i386/pc/linux: Use PRI* macros to get correct format string code across architectures
404
399
	Also remove casting of format string args so that the architecture dependent
405
400
	type is preserved.
406
401
407
402
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
408
403
409
404
2021-03-10  Glenn Washburn  <development@efficientek.com>
410
405
411
406
	kern/efi/mm: Format string error in grub_error()
412
407
	The second format string argument, GRUB_EFI_MAX_USABLE_ADDRESS, is a macro
413
408
	to a number literal. However, depending on what the target architecture, the
414
409
	type can be 32 or 64 bits. Cast to a 64-bit integer. Also, change the
415
410
	format string literals "%llx" to use PRIxGRUB_UINT64_T.
416
411
417
412
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
418
413
419
414
2021-03-10  Glenn Washburn  <development@efficientek.com>
420
415
421
416
	commands/pgp: Format code for grub_error() is incorrect
422
417
	The format code is for a 32-bit int, but the argument, keyid, is declared as
423
418
	a 64 bit int. The comment above says keyid is 32-bit. I'm not sure if the
424
419
	comment or declaration is wrong, so force the display of a 64-bit int for now.
425
420
426
421
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
427
422
428
423
2021-03-10  Glenn Washburn  <development@efficientek.com>
429
424
430
425
	grub_error: Use format code PRIuGRUB_SIZE for variables of type grub_size_t
431
426
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
432
427
433
428
2021-03-10  Glenn Washburn  <development@efficientek.com>
434
429
435
430
	disk/dmraid_nvidia: Format string error in grub_error()
436
431
	The grub_error() has a format string expecting two arguments, but only one
437
432
	provided. According to the comments in the struct grub_nv_super definition,
438
433
	the version field looks like a version number where major.minor is encoded
439
434
	as each a byte in the two-byte short.
440
435
441
436
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
442
437
443
438
2021-03-10  Glenn Washburn  <development@efficientek.com>
444
439
445
440
	video/bochs: grub_error() format string add missing format code
446
441
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
447
442
448
443
2021-03-10  Glenn Washburn  <development@efficientek.com>
449
444
450
445
	parttool/msdospart: grub_error() missing format string argument
451
446
	Its obvious from the error message that the variable named "type" was
452
447
	accidentally omitted.
453
448
454
449
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
455
450
456
451
2021-03-10  Glenn Washburn  <development@efficientek.com>
457
452
458
453
	misc: Format string for grub_error() should be a literal
459
454
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
460
455
461
456
2021-03-10  Philip Müller  <philm@manjaro.org>
462
457
463
458
	templates: Properly disable the os-prober by default
464
459
	This patch does the following:
465
460
	 - really disables os-prober by default in the util/grub-mkconfig.in
466
461
	   by setting GRUB_DISABLE_OS_PROBER to true,
467
462
	 - fixes the logic in the util/grub.d/30_os-prober.in,
468
463
	 - updates the grub_warn() lines.
469
464
470
465
	Reason for the code shuffling in the util/grub-mkconfig.in:
471
466
472
467
	  The default was GRUB_DISABLE_OS_PROBER=false if you don't set
473
468
	  GRUB_DISABLE_OS_PROBER at all. To prevent os-prober from starting we
474
469
	  have to set it by default to true and shuffle GRUB_DISABLE_OS_PROBER to
475
470
	  code section, which is executed by the script. However we still give an
476
471
	  option to the user to overwrite it with false, if he wants to execute
477
472
	  os-prober after all.
478
473
479
474
	Fixes: e3464147 (templates: Disable the os-prober by default)
480
475
481
476
	Reported-by: Didier Spaier <didier@slint.fr>
482
477
	Reported-by: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
483
478
	Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
484
479
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
485
480
486
481
2021-03-10  Michael Chang  <mchang@suse.com>
487
482
488
483
	kern/efi/sb: Add chainloaded image as shim's verifiable object
489
484
	While attempting to dual boot Microsoft Windows with UEFI chainloader,
490
485
	it failed with below error when UEFI Secure Boot was enabled:
491
486
492
487
	  error ../../grub-core/kern/verifiers.c:119:verification requested but
493
488
	  nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
494
489
495
490
	It is a regression, as previously it worked without any problem.
496
491
497
492
	It turns out chainloading PE image has been locked down by commit
498
493
	578c95298 (kern: Add lockdown support). However, we should consider it
499
494
	as verifiable object by shim to allow booting in UEFI Secure Boot mode.
500
495
	The chainloaded PE image could also have trusted signature created by
501
496
	vendor with their pubkey cert in db. For that matters it's usage should
502
497
	not be locked down under UEFI Secure Boot, and instead shim should be
503
498
	allowed to validate a PE binary signature before running it.
504
499
505
500
	Fixes: 578c95298 (kern: Add lockdown support)
506
501
507
502
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
508
503
509
504
2021-03-10  Glenn Washburn  <development@efficientek.com>
510
505
511
506
	disk/pata: Suppress error message "no device connected"
512
507
	This error message comes from the grub_print_error() in
513
508
	grub_pata_device_initialize(), which does not pass on the error, and is
514
509
	raised in check_device(). The function check_device() needs to return this
515
510
	as an error because check_device() is also used in grub_pata_open(), which
516
511
	does pass on this error to indicate that the device can not be used.
517
512
518
513
	This is actually not an error when displayed by grub_pata_device_initialize()
519
514
	because it just indicates that there are no pata devices seen. This may be
520
515
	confusing to end users who do not have pata devices yet are loading the
521
516
	pata module (perhaps implicitly via nativedisk). This also causes unnecessary
522
517
	output which may need to be accounted for in functional testing.
523
518
524
519
	Instead print to the debug log when check_device() raises this "error" and
525
520
	pop the error from the error stack. If there is another error on the stack
526
521
	then print the error stack as those should be real errors.
527
522
528
523
	Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
529
524
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
530
525
531
526
2021-03-10  Yi Zhao  <yi.zhao@windriver.com>
532
527
533
528
	fs/ext2: Fix a file not found error when a symlink filesize is equal to 60
534
529
	We encountered a file not found error when the symlink filesize is
535
530
	equal to 60:
536
531
537
532
	  $ ls -l initrd
538
533
	  lrwxrwxrwx 1 root root 60 Jan  6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz
539
534
540
535
	When booting, we got the following error in the GRUB:
541
536
542
537
	  error: file `/initrd' not found
543
538
544
539
	The root cause is that the size of diro->inode.symlink is equal to 60
545
540
	and a symlink name has to be terminated with NUL there. So, if the
546
541
	symlink filesize is exactly 60 then it is also stored in a separate
547
542
	block rather than in the inode itself.
548
543
549
544
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
550
545
551
546
2021-03-02  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
552
547
553
548
	loader/i386/linux: Do not use grub_le_to_cpu32() for relocatable variable
554
549
	The relocatable variable is defined as grub_uint8_t. Relevant
555
550
	member in setup_header structure is also defined as one byte
556
551
	in Linux boot protocol. By semantic definition it is a bool type.
557
552
	It is not appropriate to treat it as a four bytes. This patch
558
553
	fixes the issue.
559
554
560
555
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
561
556
562
557
2021-03-02  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
563
558
564
559
	loader/i386/linux: Remove redundant code from in grub_cmd_linux()
565
560
	The preferred_address has been assigned to GRUB_LINUX_BZIMAGE_ADDR
566
561
	during initialization in grub_cmd_linux(). The assignment here
567
562
	is redundant and should be removed.
568
563
569
564
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
570
565
571
566
2021-03-02  Heinrich Schuchardt  <xypron.glpk@gmx.de>
572
567
573
568
	efi: The device-tree must be in EfiACPIReclaimMemory
574
569
	According to the Embedded Base Boot Requirements (EBBR) specification the
575
570
	device-tree passed to Linux as a configuration table must reside in
576
571
	EfiACPIReclaimMemory.
577
572
578
573
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
579
574
580
575
2021-03-02  Heinrich Schuchardt  <xypron.glpk@gmx.de>
581
576
582
577
	commands/efi/lsefisystab: Add short text for EFI_RT_PROPERTIES_TABLE_GUID
583
578
	UEFI specification 2.8 errata B introduced the EFI_RT_PROPERTIES_TABLE
584
579
	describing the services available at runtime.
585
580
586
581
	The lsefisystab command is used to display installed EFI configuration
587
582
	tables. Currently it only shows the GUID but not a short text for the
588
583
	new table.
589
584
590
585
	Provide a short text for the EFI_RT_PROPERTIES_TABLE_GUID.
591
586
592
587
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
593
588
594
589
2021-03-02  Petr Vorel  <pvorel@suse.cz>
595
590
596
591
	docs/luks2: Mention key derivation function support
597
592
	To give users hint why Argon2, the default in cryptsetup for LUKS2, does
598
593
	not work.
599
594
600
595
	Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
601
596
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
602
597
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
603
598
604
599
2021-03-02  Derek Foreman  <derek@endlessos.org>
605
600
606
601
	commands/file: Fix array/enum desync
607
602
	The commit f1957dc8a (RISC-V: Add to build system) added two entries to
608
603
	the options array, but only 1 entry to the enum. This resulted in
609
604
	everything after the insertion point being off by one.
610
605
611
606
	This broke at least the "file --is-hibernated-hiberfil" command.
612
607
613
608
	Bring the two back in sync by splitting the IS_RISCV_EFI enum entry into
614
609
	two, as is done for other architectures.
615
610
616
611
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
617
612
618
613
2021-03-02  Marco A Benatto  <mbenatto@redhat.com>
619
614
620
615
	kern/mm: Fix grub_debug_calloc() compilation error
621
616
	Fix compilation error due to missing parameter to
622
617
	grub_printf() when MM_DEBUG is defined.
623
618
624
619
	Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available)
625
620
626
621
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
627
622
628
623
2021-03-02  Alex Burmashev  <alexander.burmashev@oracle.com>
629
624
630
625
	templates: Disable the os-prober by default
631
626
	The os-prober is enabled by default what may lead to potentially
632
627
	dangerous use cases and borderline opening attack vectors. This
633
628
	patch disables the os-prober, adds warning messages and updates
634
629
	GRUB_DISABLE_OS_PROBER configuration option documentation. This
635
630
	way we make it clear that the os-prober usage is not recommended.
636
631
637
632
	Simplistic nature of this change allows downstream vendors, who
638
633
	really want os-prober to be enabled out of the box in their
639
634
	relevant products, easily revert to it's old behavior.
640
635
641
636
	Reported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec),
642
637
	             working with SSD Secure Disclosure
643
638
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
644
639
645
640
2021-03-02  Thomas Frauendorfer | Miray Software  <tf@miray.de>
646
641
647
642
	gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label
648
643
	The gui_progress_bar and gui_label components can display the timeout
649
644
	value. The format string can be set through a theme file. This patch
650
645
	adds a validation step to the format string.
651
646
652
647
	If a user loads a theme file into the GRUB without this patch then
653
648
	a GUI label with the following settings
654
649
655
650
	  + label {
656
651
	  ...
657
652
	  id = "__timeout__"
658
653
	  text = "%s"
659
654
	  }
660
655
661
656
	will interpret the current timeout value as string pointer and print the
662
657
	memory at that position on the screen. It is not desired behavior.
663
658
664
659
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
665
660
666
661
2021-03-02  Thomas Frauendorfer | Miray Software  <tf@miray.de>
667
662
668
663
	kern/misc: Add function to check printf() format against expected format
669
664
	The grub_printf_fmt_check() function parses the arguments of an untrusted
670
665
	printf() format and an expected printf() format and then compares the
671
666
	arguments counts and arguments types. The arguments count in the untrusted
672
667
	format string must be less or equal to the arguments count in the expected
673
668
	format string and both arguments types must match.
674
669
675
670
	To do this the parse_printf_arg_fmt() helper function is extended in the
676
671
	following way:
677
672
678
673
	  1. Add a return value to report errors to the grub_printf_fmt_check().
679
674
680
675
	  2. Add the fmt_check argument to enable stricter format verification:
681
676
	     - the function expects that arguments definitions are always
682
677
	       terminated by a supported conversion specifier.
683
678
	     - positional parameters, "$", are not allowed, as they cannot be
684
679
	       validated correctly with the current implementation. For example
685
680
	       "%s%1$d" would assign the first args entry twice while leaving the
686
681
	       second one unchanged.
687
682
	     - Return an error if preallocated space in args is too small and
688
683
	       allocation fails for the needed size. The grub_printf_fmt_check()
689
684
	       should verify all arguments. So, if validation is not possible for
690
685
	       any reason it should return an error.
691
686
	     This also adds a case entry to handle "%%", which is the escape
692
687
	     sequence to print "%" character.
693
688
694
689
	  3. Add the max_args argument to check for the maximum allowed arguments
695
690
	     count in a printf() string. This should be set to the arguments count
696
691
	     of the expected format. Then the parse_printf_arg_fmt() function will
697
692
	     return an error if the arguments count is exceeded.
698
693
699
694
	The two additional arguments allow us to use parse_printf_arg_fmt() in
700
695
	printf() and grub_printf_fmt_check() calls.
701
696
702
697
	When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the
703
698
	function parse user provided untrusted format string too. So, in
704
699
	that case it is better to be too strict than too lenient.
705
700
706
701
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
707
702
708
703
2021-03-02  Thomas Frauendorfer | Miray Software  <tf@miray.de>
709
704
710
705
	kern/misc: Add STRING type for internal printf() format handling
711
706
	Set printf() argument type for "%s" to new type STRING. This is in
712
707
	preparation for a follow up patch to compare a printf() format string
713
708
	against an expected printf() format string.
714
709
715
710
	For "%s" the corresponding printf() argument is dereferenced as pointer
716
711
	while all other argument types are defined as integer value. However,
717
712
	when validating a printf() format it is necessary to differentiate "%s"
718
713
	from "%p" and other integers. So, let's do that.
719
714
720
715
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
721
716
722
717
2021-03-02  Thomas Frauendorfer | Miray Software  <tf@miray.de>
723
718
724
719
	kern/misc: Split parse_printf_args() into format parsing and va_list handling
725
720
	This patch is preparing for a follow up patch which will use
726
721
	the format parsing part to compare the arguments in a printf()
727
722
	format from an external source against a printf() format with
728
723
	expected arguments.
729
724
730
725
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
731
726
732
727
2021-03-02  Dimitri John Ledkov  <xnox@ubuntu.com>
733
728
734
729
	shim_lock: Only skip loading shim_lock verifier with explicit consent
735
730
	Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock
736
731
	protocol is found and SB enabled) reintroduced CVE-2020-15705 which
737
732
	previously only existed in the out-of-tree linuxefi patches and was
738
733
	fixed as part of the BootHole patch series.
739
734
740
735
	Under Secure Boot enforce loading shim_lock verifier. Allow skipping
741
736
	shim_lock verifier if SecureBoot/MokSBState EFI variables indicate
742
737
	skipping validations, or if GRUB image is built with --disable-shim-lock.
743
738
744
739
	Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock
745
740
	       protocol is found and SB enabled)
746
741
	Fixes: CVE-2020-15705
747
742
	Fixes: CVE-2021-3418
748
743
749
744
	Reported-by: Dimitri John Ledkov <xnox@ubuntu.com>
750
745
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
751
746
752
747
2021-03-02  Dimitri John Ledkov  <xnox@ubuntu.com>
753
748
754
749
	grub-install-common: Add --sbat option
755
750
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
756
751
757
752
2021-03-02  Peter Jones  <pjones@redhat.com>
758
753
759
754
	util/mkimage: Add an option to import SBAT metadata into a .sbat section
760
755
	Add a --sbat option to the grub-mkimage tool which allows us to import
761
756
	an SBAT metadata formatted as a CSV file into a .sbat section of the
762
757
	EFI binary.
763
758
764
759
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
765
760
766
761
2021-03-02  Peter Jones  <pjones@redhat.com>
767
762
768
763
	util/mkimage: Refactor section setup to use a helper
769
764
	Add a init_pe_section() helper function to setup PE sections. This makes
770
765
	the code simpler and easier to read.
771
766
772
767
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
773
768
774
769
2021-03-02  Peter Jones  <pjones@redhat.com>
775
770
776
771
	util/mkimage: Improve data_size value calculation
777
772
	According to "Microsoft Portable Executable and Common Object File Format
778
773
	Specification", the Optional Header SizeOfInitializedData field contains:
779
774
780
775
	  Size of the initialized data section, or the sum of all such sections if
781
776
	  there are multiple data sections.
782
777
783
778
	Make this explicit by adding the GRUB kernel data size to the sum of all
784
779
	the modules sizes. The ALIGN_UP() is not required by the PE spec but do
785
780
	it to avoid alignment issues.
786
781
787
782
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
788
783
789
784
2021-03-02  Peter Jones  <pjones@redhat.com>
790
785
791
786
	util/mkimage: Reorder PE optional header fields set-up
792
787
	This makes the PE32 and PE32+ header fields set-up easier to follow by
793
788
	setting them closer to the initialization of their related sections.
794
789
795
790
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
796
791
797
792
2021-03-02  Peter Jones  <pjones@redhat.com>
798
793
799
794
	util/mkimage: Unify more of the PE32 and PE32+ header set-up
800
795
	There's quite a bit of code duplication in the code that sets the optional
801
796
	header for PE32 and PE32+. The two are very similar with the exception of
802
797
	a few fields that have type grub_uint64_t instead of grub_uint32_t.
803
798
804
799
	Factor out the common code and add a PE_OHDR() macro that simplifies the
805
800
	set-up and make the code more readable.
806
801
807
802
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
808
803
809
804
2021-03-02  Peter Jones  <pjones@redhat.com>
810
805
811
806
	util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff
812
807
	This change does not impact final result of initialization itself.
813
808
	However, it eases PE code unification in subsequent patches.
814
809
815
810
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
816
811
817
812
2021-03-02  Peter Jones  <pjones@redhat.com>
818
813
819
814
	util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()
820
815
	The latter doesn't take into account the target image endianness. There is
821
816
	a grub_cpu_to_le32_compile_time() but no compile time variant for function
822
817
	grub_host_to_target32(). So, let's keep using the other one for this case.
823
818
824
819
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
825
820
826
821
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
827
822
828
823
	util/mkimage: Remove unused code to add BSS section
829
824
	The code is compiled out so there is no reason to keep it.
830
825
831
826
	Additionally, don't set bss_size field since we do not add a BSS section.
832
827
833
828
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
834
829
835
830
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
836
831
837
832
	kern/efi: Add initial stack protector implementation
838
833
	It works only on UEFI platforms but can be quite easily extended to
839
834
	others architectures and platforms if needed.
840
835
841
836
	Reviewed-by: Marco A Benatto <mbenatto@redhat.com>
842
837
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
843
838
844
839
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
845
840
846
841
	kern/parser: Fix a stack buffer overflow
847
842
	grub_parser_split_cmdline() expands variable names present in the supplied
848
843
	command line in to their corresponding variable contents and uses a 1 kiB
849
844
	stack buffer for temporary storage without sufficient bounds checking. If
850
845
	the function is called with a command line that references a variable with
851
846
	a sufficiently large payload, it is possible to overflow the stack
852
847
	buffer via tab completion, corrupt the stack frame and potentially
853
848
	control execution.
854
849
855
850
	Fixes: CVE-2020-27749
856
851
857
852
	Reported-by: Chris Coulson <chris.coulson@canonical.com>
858
853
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
859
854
860
855
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
861
856
862
857
	kern/buffer: Add variable sized heap buffer
863
858
	Add a new variable sized heap buffer type (grub_buffer_t) with simple
864
859
	operations for appending data, accessing the data and maintaining
865
860
	a read cursor.
866
861
867
862
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
868
863
869
864
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
870
865
871
866
	kern/parser: Refactor grub_parser_split_cmdline() cleanup
872
867
	Introduce a common function epilogue used for cleaning up on all
873
868
	return paths, which will simplify additional error handling to be
874
869
	introduced in a subsequent commit.
875
870
876
871
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
877
872
878
873
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
879
874
880
875
	kern/parser: Introduce terminate_arg() helper
881
876
	process_char() and grub_parser_split_cmdline() use similar code for
882
877
	terminating the most recent argument. Add a helper function for this.
883
878
884
879
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
885
880
886
881
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
887
882
888
883
	kern/parser: Introduce process_char() helper
889
884
	grub_parser_split_cmdline() iterates over each command line character.
890
885
	In order to add error checking and to simplify the subsequent error
891
886
	handling, split the character processing in to a separate function.
892
887
893
888
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
894
889
895
890
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
896
891
897
892
	kern/parser: Fix a memory leak
898
893
	The getline() function supplied to grub_parser_split_cmdline() returns
899
894
	a newly allocated buffer and can be called multiple times, but the
900
895
	returned buffer is never freed.
901
896
902
897
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
903
898
904
899
2021-03-02  Daniel Axtens  <dja@axtens.net>
905
900
906
901
	fs/btrfs: Squash some uninitialized reads
907
902
	We need to check errors before calling into a function that uses the result.
908
903
909
904
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
910
905
911
906
2021-03-02  Daniel Axtens  <dja@axtens.net>
912
907
913
908
	fs/btrfs: Validate the number of stripes/parities in RAID5/6
914
909
	This prevents a divide by zero if nstripes == nparities, and
915
910
	also prevents propagation of invalid values if nstripes ends up
916
911
	less than nparities.
917
912
918
913
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
919
914
920
915
2021-03-02  Daniel Axtens  <dja@axtens.net>
921
916
922
917
	disk/lvm: Do not allow a LV to be it's own segment's node's LV
923
918
	This prevents infinite recursion in the diskfilter verification code.
924
919
925
920
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
926
921
927
922
2021-03-02  Daniel Axtens  <dja@axtens.net>
928
923
929
924
	disk/lvm: Sanitize rlocn->offset to prevent wild read
930
925
	rlocn->offset is read directly from disk and added to the metadatabuf
931
926
	pointer to create a pointer to a block of metadata. It's a 64-bit
932
927
	quantity so as long as you don't overflow you can set subsequent
933
928
	pointers to point anywhere in memory.
934
929
935
930
	Require that rlocn->offset fits within the metadata buffer size.
936
931
937
932
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
938
933
939
934
2021-03-02  Daniel Axtens  <dja@axtens.net>
940
935
941
936
	disk/lvm: Do not overread metadata
942
937
	We could reach the end of valid metadata and not realize, leading to
943
938
	some buffer overreads. Check if we have reached the end and bail.
944
939
945
940
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
946
941
947
942
2021-03-02  Daniel Axtens  <dja@axtens.net>
948
943
949
944
	disk/lvm: Do not crash if an expected string is not found
950
945
	Clean up a bunch of cases where we could have strstr() fail and lead to
951
946
	us dereferencing NULL.
952
947
953
948
	We'll still leak memory in some cases (loops don't clean up allocations
954
949
	from earlier iterations if a later iteration fails) but at least we're
955
950
	not crashing.
956
951
957
952
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
958
953
959
954
2021-03-02  Daniel Axtens  <dja@axtens.net>
960
955
961
956
	disk/lvm: Bail on missing PV list
962
957
	There's an if block for the presence of "physical_volumes {", but if
963
958
	that block is absent, then p remains NULL and a NULL-deref will result
964
959
	when looking for logical volumes.
965
960
966
961
	It doesn't seem like LVM makes sense without physical volumes, so error
967
962
	out rather than crashing.
968
963
969
964
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
970
965
971
966
2021-03-02  Daniel Axtens  <dja@axtens.net>
972
967
973
968
	disk/lvm: Don't blast past the end of the circular metadata buffer
974
969
	This catches at least some OOB reads, and it's possible I suppose that
975
970
	if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some
976
971
	OOB writes too (although that hasn't showed up as a crash in fuzzing yet).
977
972
978
973
	It's a bit ugly and I'd appreciate better suggestions.
979
974
980
975
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
981
976
982
977
2021-03-02  Daniel Axtens  <dja@axtens.net>
983
978
984
979
	disk/lvm: Don't go beyond the end of the data we read from disk
985
980
	We unconditionally trusted offset_xl from the LVM label header, even if
986
981
	it told us that the PV header/disk locations were way off past the end
987
982
	of the data we read from disk.
988
983
989
984
	Require that the offset be sane, fixing an OOB read and crash.
990
985
991
986
	Fixes: CID 314367, CID 314371
992
987
993
988
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
994
989
995
990
2021-03-02  Daniel Axtens  <dja@axtens.net>
996
991
997
992
	io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails
998
993
	If huft_build() fails, gzio->tl or gzio->td could contain pointers that
999
994
	are no longer valid. Zero them out.
1000
995
1001
996
	This prevents a double free when grub_gzio_close() comes through and
1002
997
	attempts to free them again.
1003
998
1004
999
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1005
1000
1006
1001
2021-03-02  Daniel Axtens  <dja@axtens.net>
1007
1002
1008
1003
	io/gzio: Catch missing values in huft_build() and bail
1009
1004
	In huft_build(), "v" is a table of values in order of bit length.
1010
1005
	The code later (when setting up table entries in "r") assumes that all
1011
1006
	elements of this array corresponding to a code are initialized and less
1012
1007
	than N_MAX. However, it doesn't enforce this.
1013
1008
1014
1009
	With sufficiently manipulated inputs (e.g. from fuzzing), there can be
1015
1010
	elements of "v" that are not filled. Therefore a lookup into "e" or "d"
1016
1011
	will use an uninitialized value. This can lead to an invalid/OOB read on
1017
1012
	those values, often leading to a crash.
1018
1013
1019
1014
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1020
1015
1021
1016
2021-03-02  Daniel Axtens  <dja@axtens.net>
1022
1017
1023
1018
	io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
1024
1019
	init_dynamic_block() didn't clean up gzio->tl and td in some error
1025
1020
	paths. This left td pointing to part of tl. Then in grub_gzio_close(),
1026
1021
	when tl was freed the storage for td would also be freed. The code then
1027
1022
	attempts to free td explicitly, performing a UAF and then a double free.
1028
1023
1029
1024
	Explicitly clean up tl and td in the error paths.
1030
1025
1031
1026
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1032
1027
1033
1028
2021-03-02  Daniel Axtens  <dja@axtens.net>
1034
1029
1035
1030
	io/gzio: Bail if gzio->tl/td is NULL
1036
1031
	This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
1037
1032
	However, it seems to be sufficient to patch up a bunch of NULL derefs.
1038
1033
1039
1034
	It would be good to revisit this in future and see if we can have
1040
1035
	a cleaner solution that addresses some of the causes of the unexpected
1041
1036
	NULL pointers.
1042
1037
1043
1038
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1044
1039
1045
1040
2021-03-02  Daniel Axtens  <dja@axtens.net>
1046
1041
1047
1042
	fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
1048
1043
	We just introduced an error return in grub_nilfs2_btree_node_lookup().
1049
1044
	Make sure the callers catch it.
1050
1045
1051
1046
	At the same time, make sure that grub_nilfs2_btree_node_lookup() always
1052
1047
	inits the index pointer passed to it.
1053
1048
1054
1049
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1055
1050
1056
1051
2021-03-02  Daniel Axtens  <dja@axtens.net>
1057
1052
1058
1053
	fs/nilfs2: Don't search children if provided number is too large
1059
1054
	NILFS2 reads the number of children a node has from the node. Unfortunately,
1060
1055
	that's not trustworthy. Check if it's beyond what the filesystem permits and
1061
1056
	reject it if so.
1062
1057
1063
1058
	This blocks some OOB reads. I'm not sure how controllable the read is and what
1064
1059
	could be done with invalidly read data later on.
1065
1060
1066
1061
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1067
1062
1068
1063
2021-03-02  Daniel Axtens  <dja@axtens.net>
1069
1064
1070
1065
	fs/nilfs2: Reject too-large keys
1071
1066
	NILFS2 has up to 7 keys, per the data structure. Do not permit array
1072
1067
	indices in excess of that.
1073
1068
1074
1069
	This catches some OOB reads. I don't know how controllable the invalidly
1075
1070
	read data is or if that could be used later in the program.
1076
1071
1077
1072
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1078
1073
1079
1074
2021-03-02  Daniel Axtens  <dja@axtens.net>
1080
1075
1081
1076
	fs/jfs: Catch infinite recursion
1082
1077
	It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
1083
1078
	the same data over and over again, leading to stack exhaustion.
1084
1079
1085
1080
	Check if we'd be calling the function with exactly the same data as
1086
1081
	was passed in, and if so abort.
1087
1082
1088
1083
	I'm not sure what the performance impact of this is and am open to
1089
1084
	better ideas.
1090
1085
1091
1086
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1092
1087
1093
1088
2021-03-02  Daniel Axtens  <dja@axtens.net>
1094
1089
1095
1090
	fs/jfs: Limit the extents that getblk() can consider
1096
1091
	getblk() implicitly trusts that treehead->count is an accurate count of
1097
1092
	the number of extents. However, that value is read from disk and is not
1098
1093
	trustworthy, leading to OOB reads and crashes. I am not sure to what
1099
1094
	extent the data read from OOB can influence subsequent program execution.
1100
1095
1101
1096
	Require callers to pass in the maximum number of extents for which
1102
1097
	they have storage.
1103
1098
1104
1099
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1105
1100
1106
1101
2021-03-02  Daniel Axtens  <dja@axtens.net>
1107
1102
1108
1103
	fs/jfs: Do not move to leaf level if name length is negative
1109
1104
	Fuzzing JFS revealed crashes where a negative number would be passed
1110
1105
	to le_to_cpu16_copy(). There it would be cast to a large positive number
1111
1106
	and the copy would read and write off the end of the respective buffers.
1112
1107
1113
1108
	Catch this at the top as well as the bottom of the loop.
1114
1109
1115
1110
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1116
1111
1117
1112
2021-03-02  Daniel Axtens  <dja@axtens.net>
1118
1113
1119
1114
	fs/sfs: Fix over-read of root object name
1120
1115
	There's a read of the name of the root object that assumes that the name
1121
1116
	is nul-terminated within the root block. This isn't guaranteed - it seems
1122
1117
	SFS would require you to read multiple blocks to get a full name in general,
1123
1118
	but maybe that doesn't apply to the root object.
1124
1119
1125
1120
	Either way, figure out how much space is left in the root block and don't
1126
1121
	over-read it. This fixes some OOB reads.
1127
1122
1128
1123
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1129
1124
1130
1125
2021-03-02  Daniel Axtens  <dja@axtens.net>
1131
1126
1132
1127
	fs/hfs: Disable under lockdown
1133
1128
	HFS has issues such as infinite mutual recursion that are simply too
1134
1129
	complex to fix for such a legacy format. So simply do not permit
1135
1130
	it to be loaded under lockdown.
1136
1131
1137
1132
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1138
1133
1139
1134
2021-03-02  Daniel Axtens  <dja@axtens.net>
1140
1135
1141
1136
	fs/hfsplus: Don't use uninitialized data on corrupt filesystems
1142
1137
	Valgrind identified the following use of uninitialized data:
1143
1138
1144
1139
	  ==2782220== Conditional jump or move depends on uninitialised value(s)
1145
1140
	  ==2782220==    at 0x42B364: grub_hfsplus_btree_search (hfsplus.c:566)
1146
1141
	  ==2782220==    by 0x42B21D: grub_hfsplus_read_block (hfsplus.c:185)
1147
1142
	  ==2782220==    by 0x42A693: grub_fshelp_read_file (fshelp.c:386)
1148
1143
	  ==2782220==    by 0x42C598: grub_hfsplus_read_file (hfsplus.c:219)
1149
1144
	  ==2782220==    by 0x42C598: grub_hfsplus_mount (hfsplus.c:330)
1150
1145
	  ==2782220==    by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958)
1151
1146
	  ==2782220==    by 0x4C1AE6: grub_fs_probe (fs.c:73)
1152
1147
	  ==2782220==    by 0x407C94: grub_ls_list_files (ls.c:186)
1153
1148
	  ==2782220==    by 0x407C94: grub_cmd_ls (ls.c:284)
1154
1149
	  ==2782220==    by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55)
1155
1150
	  ==2782220==    by 0x4045A6: execute_command (grub-fstest.c:59)
1156
1151
	  ==2782220==    by 0x4045A6: fstest (grub-fstest.c:433)
1157
1152
	  ==2782220==    by 0x4045A6: main (grub-fstest.c:772)
1158
1153
	  ==2782220==  Uninitialised value was created by a heap allocation
1159
1154
	  ==2782220==    at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
1160
1155
	  ==2782220==    by 0x4C0305: grub_malloc (mm.c:42)
1161
1156
	  ==2782220==    by 0x42C21D: grub_hfsplus_mount (hfsplus.c:239)
1162
1157
	  ==2782220==    by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958)
1163
1158
	  ==2782220==    by 0x4C1AE6: grub_fs_probe (fs.c:73)
1164
1159
	  ==2782220==    by 0x407C94: grub_ls_list_files (ls.c:186)
1165
1160
	  ==2782220==    by 0x407C94: grub_cmd_ls (ls.c:284)
1166
1161
	  ==2782220==    by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55)
1167
1162
	  ==2782220==    by 0x4045A6: execute_command (grub-fstest.c:59)
1168
1163
	  ==2782220==    by 0x4045A6: fstest (grub-fstest.c:433)
1169
1164
	  ==2782220==    by 0x4045A6: main (grub-fstest.c:772)
1170
1165
1171
1166
	This happens when the process of reading the catalog file goes sufficiently
1172
1167
	wrong that there's an attempt to read the extent overflow file, which has
1173
1168
	not yet been loaded. Keep track of when the extent overflow file is
1174
1169
	fully loaded and refuse to use it before then.
1175
1170
1176
1171
	The load valgrind doesn't like is btree->nodesize, and that's then used
1177
1172
	to allocate a data structure. It looks like there are subsequently a lot
1178
1173
	of reads based on that pointer so OOB reads are likely, and indeed crashes
1179
1174
	(albeit difficult-to-replicate ones) have been observed in fuzzing.
1180
1175
1181
1176
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1182
1177
1183
1178
2021-03-02  Daniel Axtens  <dja@axtens.net>
1184
1179
1185
1180
	fs/hfsplus: Don't fetch a key beyond the end of the node
1186
1181
	Otherwise you get a wild pointer, leading to a bunch of invalid reads.
1187
1182
	Check it falls inside the given node.
1188
1183
1189
1184
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1190
1185
1191
1186
2021-03-02  Daniel Axtens  <dja@axtens.net>
1192
1187
1193
1188
	fs/fshelp: Catch impermissibly large block sizes in read helper
1194
1189
	A fuzzed HFS+ filesystem had log2blocksize = 22. This gave
1195
1190
	log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000,
1196
1191
	which is -1 as an int. This caused some wacky behavior later on in
1197
1192
	the function, leading to out-of-bounds writes on the destination buffer.
1198
1193
1199
1194
	Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter,
1200
1195
	but this is the minimum that will prevent integer size weirdness.
1201
1196
1202
1197
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1203
1198
1204
1199
2021-03-02  Daniel Axtens  <dja@axtens.net>
1205
1200
1206
1201
	term/gfxterm: Don't set up a font with glyphs that are too big
1207
1202
	Catch the case where we have a font so big that it causes the number of
1208
1203
	rows or columns to be 0. Currently we continue and allocate a
1209
1204
	virtual_screen.text_buffer of size 0. We then try to use that for glpyhs
1210
1205
	and things go badly.
1211
1206
1212
1207
	On the emu platform, malloc() may give us a valid pointer, in which case
1213
1208
	we'll access heap memory which we shouldn't. Alternatively, it may give us
1214
1209
	NULL, in which case we'll crash. For other platforms, if I understand
1215
1210
	grub_memalign() correctly, we will receive a valid but small allocation
1216
1211
	that we will very likely later overrun.
1217
1212
1218
1213
	Prevent the creation of a virtual screen that isn't at least 40 cols
1219
1214
	by 12 rows. This is arbitrary, but it seems that if your width or height
1220
1215
	is half a standard 80x24 terminal, you're probably going to struggle to
1221
1216
	read anything anyway.
1222
1217
1223
1218
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1224
1219
1225
1220
2021-03-02  Daniel Axtens  <dja@axtens.net>
1226
1221
1227
1222
	video/readers/jpeg: Don't decode data before start of stream
1228
1223
	When a start of stream marker is encountered, we call grub_jpeg_decode_sos()
1229
1224
	which allocates space for a bitmap.
1230
1225
1231
1226
	When a restart marker is encountered, we call grub_jpeg_decode_data() which
1232
1227
	then fills in that bitmap.
1233
1228
1234
1229
	If we get a restart marker before the start of stream marker, we will
1235
1230
	attempt to write to a bitmap_ptr that hasn't been allocated. Catch this
1236
1231
	and bail out. This fixes an attempt to write to NULL.
1237
1232
1238
1233
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1239
1234
1240
1235
2021-03-02  Daniel Axtens  <dja@axtens.net>
1241
1236
1242
1237
	video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
1243
1238
	The key line is:
1244
1239
1245
1240
	  du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
1246
1241
1247
1242
	jpeg_zigzag_order is grub_uint8_t[64].
1248
1243
1249
1244
	I don't understand JPEG decoders quite well enough to explain what's
1250
1245
	going on here. However, I observe sometimes pos=64, which leads to an
1251
1246
	OOB read of the jpeg_zigzag_order global then an OOB write to du.
1252
1247
	That leads to various unpleasant memory corruption conditions.
1253
1248
1254
1249
	Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.
1255
1250
1256
1251
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1257
1252
1258
1253
2021-03-02  Daniel Axtens  <dja@axtens.net>
1259
1254
1260
1255
	video/readers/jpeg: Catch files with unsupported quantization or Huffman tables
1261
1256
	Our decoder only supports 2 quantization tables. If a file asks for
1262
1257
	a quantization table with index > 1, reject it.
1263
1258
1264
1259
	Similarly, our decoder only supports 4 Huffman tables. If a file asks
1265
1260
	for a Huffman table with index > 3, reject it.
1266
1261
1267
1262
	This fixes some out of bounds reads. It's not clear what degree of control
1268
1263
	over subsequent execution could be gained by someone who can carefully
1269
1264
	set up the contents of memory before loading an invalid JPEG file.
1270
1265
1271
1266
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1272
1267
1273
1268
2021-03-02  Daniel Axtens  <dja@axtens.net>
1274
1269
1275
1270
	kern/misc: Always set *end in grub_strtoull()
1276
1271
	Currently, if there is an error in grub_strtoull(), *end is not set.
1277
1272
	This differs from the usual behavior of strtoull(), and also means that
1278
1273
	some callers may use an uninitialized value for *end.
1279
1274
1280
1275
	Set *end unconditionally.
1281
1276
1282
1277
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1283
1278
1284
1279
2021-03-02  Daniel Axtens  <dja@axtens.net>
1285
1280
1286
1281
	commands/menuentry: Fix quoting in setparams_prefix()
1287
1282
	Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
1288
1283
	says that expressing a quoted single quote will require 3 characters. It
1289
1284
	actually requires (and always did require!) 4 characters:
1290
1285
1291
1286
	  str: a'b => a'\''b
1292
1287
	  len:  3  => 6 (2 for the letters + 4 for the quote)
1293
1288
1294
1289
	This leads to not allocating enough memory and thus out of bounds writes
1295
1290
	that have been observed to cause heap corruption.
1296
1291
1297
1292
	Allocate 4 bytes for each single quote.
1298
1293
1299
1294
	Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
1300
1295
	quoting, but it adds 3 as extra overhead on top of the single byte that
1301
1296
	the quote already needs. So it's correct.
1302
1297
1303
1298
	Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
1304
1299
	Fixes: CVE-2021-20233
1305
1300
1306
1301
	Reported-by: Daniel Axtens <dja@axtens.net>
1307
1302
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1308
1303
1309
1304
2021-03-02  Daniel Axtens  <dja@axtens.net>
1310
1305
1311
1306
	script/execute: Don't crash on a "for" loop with no items
1312
1307
	The following crashes the parser:
1313
1308
1314
1309
	  for x in; do
1315
1310
	  0
1316
1311
	  done
1317
1312
1318
1313
	This is because grub_script_arglist_to_argv() doesn't consider the
1319
1314
	possibility that arglist is NULL. Catch that explicitly.
1320
1315
1321
1316
	This avoids a NULL pointer dereference.
1322
1317
1323
1318
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1324
1319
1325
1320
2021-03-02  Daniel Axtens  <dja@axtens.net>
1326
1321
1327
1322
	lib/arg: Block repeated short options that require an argument
1328
1323
	Fuzzing found the following crash:
1329
1324
1330
1325
	  search -hhhhhhhhhhhhhf
1331
1326
1332
1327
	We didn't allocate enough option space for 13 hints because the
1333
1328
	allocation code counts the number of discrete arguments (i.e. argc).
1334
1329
	However, the shortopt parsing code will happily keep processing
1335
1330
	a combination of short options without checking if those short
1336
1331
	options require an argument. This means you can easily end writing
1337
1332
	past the allocated option space.
1338
1333
1339
1334
	This fixes a OOB write which can cause heap corruption.
1340
1335
1341
1336
	Fixes: CVE-2021-20225
1342
1337
1343
1338
	Reported-by: Daniel Axtens <dja@axtens.net>
1344
1339
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1345
1340
1346
1341
2021-03-02  Daniel Axtens  <dja@axtens.net>
1347
1342
1348
1343
	script/execute: Avoid crash when using "$#" outside a function scope
1349
1344
	"$#" represents the number of arguments to a function. It is only
1350
1345
	defined in a function scope, where "scope" is non-NULL. Currently,
1351
1346
	if we attempt to evaluate "$#" outside a function scope, "scope" will
1352
1347
	be NULL and we will crash with a NULL pointer dereference.
1353
1348
1354
1349
	Do not attempt to count arguments for "$#" if "scope" is NULL. This
1355
1350
	will result in "$#" being interpreted as an empty string if evaluated
1356
1351
	outside a function scope.
1357
1352
1358
1353
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1359
1354
1360
1355
2021-03-02  Daniel Axtens  <dja@axtens.net>
1361
1356
1362
1357
	commands/ls: Require device_name is not NULL before printing
1363
1358
	This can be triggered with:
1364
1359
	  ls -l (0 0*)
1365
1360
	and causes a NULL deref in grub_normal_print_device_info().
1366
1361
1367
1362
	I'm not sure if there's any implication with the IEEE 1275 platform.
1368
1363
1369
1364
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1370
1365
1371
1366
2021-03-02  Daniel Axtens  <dja@axtens.net>
1372
1367
1373
1368
	script/execute: Fix NULL dereference in grub_script_execute_cmdline()
1374
1369
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1375
1370
1376
1371
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1377
1372
1378
1373
	util/glue-efi: Fix incorrect use of a possibly negative value
1379
1374
	It is possible for the ftell() function to return a negative value,
1380
1375
	although it is fairly unlikely here, we should be checking for
1381
1376
	a negative value before we assign it to an unsigned value.
1382
1377
1383
1378
	Fixes: CID 73744
1384
1379
1385
1380
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1386
1381
1387
1382
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1388
1383
1389
1384
	util/grub-editenv: Fix incorrect casting of a signed value
1390
1385
	The return value of ftell() may be negative (-1) on error. While it is
1391
1386
	probably unlikely to occur, we should not blindly cast to an unsigned
1392
1387
	value without first testing that it is not negative.
1393
1388
1394
1389
	Fixes: CID 73856
1395
1390
1396
1391
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1397
1392
1398
1393
2021-03-02  Daniel Kiper  <daniel.kiper@oracle.com>
1399
1394
1400
1395
	util/grub-install: Fix NULL pointer dereferences
1401
1396
	Two grub_device_open() calls does not have associated NULL checks
1402
1397
	for returned values. Fix that and appease the Coverity.
1403
1398
1404
1399
	Fixes: CID 314583
1405
1400
1406
1401
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
1407
1402
1408
1403
2021-03-02  Paulo Flabiano Smorigo  <pfsmorigo@canonical.com>
1409
1404
1410
1405
	loader/xnu: Check if pointer is NULL before using it
1411
1406
	Fixes: CID 73654
1412
1407
1413
1408
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1414
1409
1415
1410
2021-03-02  Marco A Benatto  <mbenatto@redhat.com>
1416
1411
1417
1412
	loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap()
1418
1413
	... to avoid memory leaks.
1419
1414
1420
1415
	Fixes: CID 96640
1421
1416
1422
1417
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1423
1418
1424
1419
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1425
1420
1426
1421
	loader/xnu: Fix memory leak
1427
1422
	The code here is finished with the memory stored in name, but it only
1428
1423
	frees it if there curvalue is valid, while it could actually free it
1429
1424
	regardless.
1430
1425
1431
1426
	The fix is a simple relocation of the grub_free() to before the test
1432
1427
	of curvalue.
1433
1428
1434
1429
	Fixes: CID 96646
1435
1430
1436
1431
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1437
1432
1438
1433
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1439
1434
1440
1435
	loader/bsd: Check for NULL arg up-front
1441
1436
	The code in the next block suggests that it is possible for .set to be
1442
1437
	true but .arg may still be NULL.
1443
1438
1444
1439
	This code assumes that it is never NULL, yet later is testing if it is
1445
1440
	NULL - that is inconsistent.
1446
1441
1447
1442
	So we should check first if .arg is not NULL, and remove this check that
1448
1443
	is being flagged by Coverity since it is no longer required.
1449
1444
1450
1445
	Fixes: CID 292471
1451
1446
1452
1447
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1453
1448
1454
1449
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1455
1450
1456
1451
	gfxmenu/gui_list: Remove code that coverity is flagging as dead
1457
1452
	The test of value for NULL before calling grub_strdup() is not required,
1458
1453
	since the if condition prior to this has already tested for value being
1459
1454
	NULL and cannot reach this code if it is.
1460
1455
1461
1456
	Fixes: CID 73659
1462
1457
1463
1458
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1464
1459
1465
1460
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1466
1461
1467
1462
	video/readers/jpeg: Test for an invalid next marker reference from a jpeg file
1468
1463
	While it may never happen, and potentially could be caught at the end of
1469
1464
	the function, it is worth checking up front for a bad reference to the
1470
1465
	next marker just in case of a maliciously crafted file being provided.
1471
1466
1472
1467
	Fixes: CID 73694
1473
1468
1474
1469
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1475
1470
1476
1471
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1477
1472
1478
1473
	video/fb/video_fb: Fix possible integer overflow
1479
1474
	It is minimal possibility that the values being used here will overflow.
1480
1475
	So, change the code to use the safemath function grub_mul() to ensure
1481
1476
	that doesn't happen.
1482
1477
1483
1478
	Fixes: CID 73761
1484
1479
1485
1480
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1486
1481
1487
1482
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1488
1483
1489
1484
	video/fb/video_fb: Fix multiple integer overflows
1490
1485
	The calculation of the unsigned 64-bit value is being generated by
1491
1486
	multiplying 2, signed or unsigned, 32-bit integers which may overflow
1492
1487
	before promotion to unsigned 64-bit. Fix all of them.
1493
1488
1494
1489
	Fixes: CID 73703, CID 73767, CID 73833
1495
1490
1496
1491
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1497
1492
1498
1493
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1499
1494
1500
1495
	video/fb/fbfill: Fix potential integer overflow
1501
1496
	The multiplication of 2 unsigned 32-bit integers may overflow before
1502
1497
	promotion to unsigned 64-bit. We should ensure that the multiplication
1503
1498
	is done with overflow detection. Additionally, use grub_sub() for
1504
1499
	subtraction.
1505
1500
1506
1501
	Fixes: CID 73640, CID 73697, CID 73702, CID 73823
1507
1502
1508
1503
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1509
1504
1510
1505
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1511
1506
1512
1507
	video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info()
1513
1508
	The return value of grub_video_gop_fill_mode_info() is never able to be
1514
1509
	anything other than GRUB_ERR_NONE. So, rather than continue to return
1515
1510
	a value and checking it each time, it is more correct to redefine the
1516
1511
	function to not return anything and remove checks of its return value
1517
1512
	altogether.
1518
1513
1519
1514
	Fixes: CID 96701
1520
1515
1521
1516
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1522
1517
1523
1518
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1524
1519
1525
1520
	commands/probe: Fix a resource leak when probing disks
1526
1521
	Every other return statement in this code is calling grub_device_close()
1527
1522
	to clean up dev before returning. This one should do that too.
1528
1523
1529
1524
	Fixes: CID 292443
1530
1525
1531
1526
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1532
1527
1533
1528
2021-03-02  Chris Coulson  <chris.coulson@canonical.com>
1534
1529
1535
1530
	commands/hashsum: Fix a memory leak
1536
1531
	check_list() uses grub_file_getline(), which allocates a buffer.
1537
1532
	If the hash list file contains invalid lines, the function leaks
1538
1533
	this buffer when it returns an error.
1539
1534
1540
1535
	Fixes: CID 176635
1541
1536
1542
1537
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1543
1538
1544
1539
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1545
1540
1546
1541
	normal/completion: Fix leaking of memory when processing a completion
1547
1542
	It is possible for the code to reach the end of the function without
1548
1543
	freeing the memory allocated to argv and argc still to be 0.
1549
1544
1550
1545
	We should always call grub_free(argv). The grub_free() will handle
1551
1546
	a NULL argument correctly if it reaches that code without the memory
1552
1547
	being allocated.
1553
1548
1554
1549
	Fixes: CID 96672
1555
1550
1556
1551
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1557
1552
1558
1553
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1559
1554
1560
1555
	syslinux: Fix memory leak while parsing
1561
1556
	In syslinux_parse_real() the 2 points where return is being called
1562
1557
	didn't release the memory stored in buf which is no longer required.
1563
1558
1564
1559
	Fixes: CID 176634
1565
1560
1566
1561
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1567
1562
1568
1563
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1569
1564
1570
1565
	libgcrypt/mpi: Fix possible NULL dereference
1571
1566
	The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
1572
1567
	is no explicit check for that, so we add one.
1573
1568
1574
1569
	Fixes: CID 73757
1575
1570
1576
1571
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1577
1572
1578
1573
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1579
1574
1580
1575
	libgcrypt/mpi: Fix possible unintended sign extension
1581
1576
	The array of unsigned char gets promoted to a signed 32-bit int before
1582
1577
	it is finally promoted to a size_t. There is the possibility that this
1583
1578
	may result in the signed-bit being set for the intermediate signed
1584
1579
	32-bit int. We should ensure that the promotion is to the correct type
1585
1580
	before we bitwise-OR the values.
1586
1581
1587
1582
	Fixes: CID 96697
1588
1583
1589
1584
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1590
1585
1591
1586
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1592
1587
1593
1588
	affs: Fix memory leaks
1594
1589
	The node structure reference is being allocated but not freed if it
1595
1590
	reaches the end of the function. If any of the hooks had returned
1596
1591
	a non-zero value, then node would have been copied in to the context
1597
1592
	reference, but otherwise node is not stored and should be freed.
1598
1593
1599
1594
	Similarly, the call to grub_affs_create_node() replaces the allocated
1600
1595
	memory in node with a newly allocated structure, leaking the existing
1601
1596
	memory pointed by node.
1602
1597
1603
1598
	Finally, when dir->parent is set, then we again replace node with newly
1604
1599
	allocated memory, which seems unnecessary when we copy in the values
1605
1600
	from dir->parent immediately after.
1606
1601
1607
1602
	Fixes: CID 73759
1608
1603
1609
1604
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1610
1605
1611
1606
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1612
1607
1613
1608
	zfsinfo: Correct a check for error allocating memory
1614
1609
	While arguably the check for grub_errno is correct, we should really be
1615
1610
	checking the return value from the function since it is always possible
1616
1611
	that grub_errno was set elsewhere, making this code behave incorrectly.
1617
1612
1618
1613
	Fixes: CID 73668
1619
1614
1620
1615
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1621
1616
1622
1617
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1623
1618
1624
1619
	zfs: Fix possible integer overflows
1625
1620
	In all cases the problem is that the value being acted upon by
1626
1621
	a left-shift is a 32-bit number which is then being used in the
1627
1622
	context of a 64-bit number.
1628
1623
1629
1624
	To avoid overflow we ensure that the number being shifted is 64-bit
1630
1625
	before the shift is done.
1631
1626
1632
1627
	Fixes: CID 73684, CID 73695, CID 73764
1633
1628
1634
1629
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1635
1630
1636
1631
2021-03-02  Paulo Flabiano Smorigo  <pfsmorigo@canonical.com>
1637
1632
1638
1633
	zfs: Fix resource leaks while constructing path
1639
1634
	There are several exit points in dnode_get_path() that are causing possible
1640
1635
	memory leaks.
1641
1636
1642
1637
	In the while(1) the correct exit mechanism should not be to do a direct return,
1643
1638
	but to instead break out of the loop, setting err first if it is not already set.
1644
1639
1645
1640
	The reason behind this is that the dnode_path is a linked list, and while doing
1646
1641
	through this loop, it is being allocated and built up - the only way to
1647
1642
	correctly unravel it is to traverse it, which is what is being done at the end
1648
1643
	of the function outside of the loop.
1649
1644
1650
1645
	Several of the existing exit points correctly did a break, but not all so this
1651
1646
	change makes that more consistent and should resolve the leaking of memory as
1652
1647
	found by Coverity.
1653
1648
1654
1649
	Fixes: CID 73741
1655
1650
1656
1651
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1657
1652
1658
1653
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1659
1654
1660
1655
	zfs: Fix possible negative shift operation
1661
1656
	While it is possible for the return value from zfs_log2() to be zero
1662
1657
	(0), it is quite unlikely, given that the previous assignment to blksz
1663
1658
	is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
1664
1659
	assignment to epbs.
1665
1660
1666
1661
	But, while unlikely during a normal operation, it may be that a carefully
1667
1662
	crafted ZFS filesystem could result in a zero (0) value to the
1668
1663
	dn_datalbkszsec field, which means that the shift left does nothing
1669
1664
	and assigns zero (0) to blksz, resulting in a negative epbs value.
1670
1665
1671
1666
	Fixes: CID 73608
1672
1667
1673
1668
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1674
1669
1675
1670
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1676
1671
1677
1672
	hfsplus: Check that the volume name length is valid
1678
1673
	HFS+ documentation suggests that the maximum filename and volume name is
1679
1674
	255 Unicode characters in length.
1680
1675
1681
1676
	So, when converting from big-endian to little-endian, we should ensure
1682
1677
	that the name of the volume has a length that is between 0 and 255,
1683
1678
	inclusive.
1684
1679
1685
1680
	Fixes: CID 73641
1686
1681
1687
1682
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1688
1683
1689
1684
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1690
1685
1691
1686
	disk/cryptodisk: Fix potential integer overflow
1692
1687
	The encrypt and decrypt functions expect a grub_size_t. So, we need to
1693
1688
	ensure that the constant bit shift is using grub_size_t rather than
1694
1689
	unsigned int when it is performing the shift.
1695
1690
1696
1691
	Fixes: CID 307788
1697
1692
1698
1693
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1699
1694
1700
1695
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1701
1696
1702
1697
	disk/ldm: Fix memory leak on uninserted lv references
1703
1698
	The problem here is that the memory allocated to the variable lv is not
1704
1699
	yet inserted into the list that is being processed at the label fail2.
1705
1700
1706
1701
	As we can already see at line 342, which correctly frees lv before going
1707
1702
	to fail2, we should also be doing that at these earlier jumps to fail2.
1708
1703
1709
1704
	Fixes: CID 73824
1710
1705
1711
1706
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1712
1707
1713
1708
2021-03-02  Paulo Flabiano Smorigo  <pfsmorigo@canonical.com>
1714
1709
1715
1710
	disk/ldm: If failed then free vg variable too
1716
1711
	Fixes: CID 73809
1717
1712
1718
1713
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1719
1714
1720
1715
2021-03-02  Marco A Benatto  <mbenatto@redhat.com>
1721
1716
1722
1717
	disk/ldm: Make sure comp data is freed before exiting from make_vg()
1723
1718
	Several error handling paths in make_vg() do not free comp data before
1724
1719
	jumping to fail2 label and returning from the function. This will leak
1725
1720
	memory. So, let's fix all issues of that kind.
1726
1721
1727
1722
	Fixes: CID 73804
1728
1723
1729
1724
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1730
1725
1731
1726
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1732
1727
1733
1728
	kern/partition: Check for NULL before dereferencing input string
1734
1729
	There is the possibility that the value of str comes from an external
1735
1730
	source and continuing to use it before ever checking its validity is
1736
1731
	wrong. So, needs fixing.
1737
1732
1738
1733
	Additionally, drop unneeded part initialization.
1739
1734
1740
1735
	Fixes: CID 292444
1741
1736
1742
1737
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1743
1738
1744
1739
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1745
1740
1746
1741
	zstd: Initialize seq_t structure fully
1747
1742
	While many compilers will initialize this to zero, not all will, so it
1748
1743
	is better to be sure that fields not being explicitly set are at known
1749
1744
	values, and there is code that checks this fields value elsewhere in the
1750
1745
	code.
1751
1746
1752
1747
	Fixes: CID 292440
1753
1748
1754
1749
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1755
1750
1756
1751
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1757
1752
1758
1753
	io/lzopio: Resolve unnecessary self-assignment errors
1759
1754
	These 2 assignments are unnecessary since they are just assigning
1760
1755
	to themselves.
1761
1756
1762
1757
	Fixes: CID 73643
1763
1758
1764
1759
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1765
1760
1766
1761
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1767
1762
1768
1763
	gnulib/regcomp: Fix uninitialized re_token
1769
1764
	This issue has been fixed in the latest version of gnulib, so to
1770
1765
	maintain consistency, I've backported that change rather than doing
1771
1766
	something different.
1772
1767
1773
1768
	Fixes: CID 73828
1774
1769
1775
1770
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1776
1771
1777
1772
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1778
1773
1779
1774
	gnulib/regexec: Fix possible null-dereference
1780
1775
	It appears to be possible that the mctx->state_log field may be NULL,
1781
1776
	and the name of this function, clean_state_log_if_needed(), suggests
1782
1777
	that it should be checking that it is valid to be cleaned before
1783
1778
	assuming that it does.
1784
1779
1785
1780
	Fixes: CID 86720
1786
1781
1787
1782
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1788
1783
1789
1784
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1790
1785
1791
1786
	gnulib/argp-help: Fix dereference of a possibly NULL state
1792
1787
	All other instances of call to __argp_failure() where there is
1793
1788
	a dgettext() call is first checking whether state is NULL before
1794
1789
	attempting to dereference it to get the root_argp->argp_domain.
1795
1790
1796
1791
	Fixes: CID 292436
1797
1792
1798
1793
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1799
1794
1800
1795
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1801
1796
1802
1797
	gnulib/regcomp: Fix uninitialized token structure
1803
1798
	The code is assuming that the value of br_token.constraint was
1804
1799
	initialized to zero when it wasn't.
1805
1800
1806
1801
	While some compilers will ensure that, not all do, so it is better to
1807
1802
	fix this explicitly than leave it to chance.
1808
1803
1809
1804
	Fixes: CID 73749
1810
1805
1811
1806
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1812
1807
1813
1808
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1814
1809
1815
1810
	gnulib/regexec: Resolve unused variable
1816
1811
	This is a really minor issue where a variable is being assigned to but
1817
1812
	not checked before it is overwritten again.
1818
1813
1819
1814
	The reason for this issue is that we are not building with DEBUG set and
1820
1815
	this in turn means that the assert() that reads the value of the
1821
1816
	variable match_last is being processed out.
1822
1817
1823
1818
	The solution, move the assignment to match_last in to an ifdef DEBUG too.
1824
1819
1825
1820
	Fixes: CID 292459
1826
1821
1827
1822
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1828
1823
1829
1824
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1830
1825
1831
1826
	kern/efi/mm: Fix possible NULL pointer dereference
1832
1827
	The model of grub_efi_get_memory_map() is that if memory_map is NULL,
1833
1828
	then the purpose is to discover how much memory should be allocated to
1834
1829
	it for the subsequent call.
1835
1830
1836
1831
	The problem here is that with grub_efi_is_finished set to 1, there is no
1837
1832
	check at all that the function is being called with a non-NULL memory_map.
1838
1833
1839
1834
	While this MAY be true, we shouldn't assume it.
1840
1835
1841
1836
	The solution to this is to behave as expected, and if memory_map is NULL,
1842
1837
	then don't try to use it and allow memory_map_size to be filled in, and
1843
1838
	return 0 as is done later in the code if the buffer is too small (or NULL).
1844
1839
1845
1840
	Additionally, drop unneeded ret = 1.
1846
1841
1847
1842
	Fixes: CID 96632
1848
1843
1849
1844
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1850
1845
1851
1846
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1852
1847
1853
1848
	kern/efi: Fix memory leak on failure
1854
1849
	Free the memory allocated to name before returning on failure.
1855
1850
1856
1851
	Fixes: CID 296222
1857
1852
1858
1853
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1859
1854
1860
1855
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1861
1856
1862
1857
	kern/parser: Fix resource leak if argc == 0
1863
1858
	After processing the command-line yet arriving at the point where we are
1864
1859
	setting argv, we are allocating memory, even if argc == 0, which makes
1865
1860
	no sense since we never put anything into the allocated argv.
1866
1861
1867
1862
	The solution is to simply return that we've successfully processed the
1868
1863
	arguments but that argc == 0, and also ensure that argv is NULL when
1869
1864
	we're not allocating anything in it.
1870
1865
1871
1866
	There are only 2 callers of this function, and both are handling a zero
1872
1867
	value in argc assuming nothing is allocated in argv.
1873
1868
1874
1869
	Fixes: CID 96680
1875
1870
1876
1871
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1877
1872
1878
1873
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1879
1874
1880
1875
	net/tftp: Fix dangling memory pointer
1881
1876
	The static code analysis tool, Parfait, reported that the valid of
1882
1877
	file->data was left referencing memory that was freed by the call to
1883
1878
	grub_free(data) where data was initialized from file->data.
1884
1879
1885
1880
	To ensure that there is no unintentional access to this memory
1886
1881
	referenced by file->data we should set the pointer to NULL.
1887
1882
1888
1883
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1889
1884
1890
1885
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1891
1886
1892
1887
	net/net: Fix possible dereference to of a NULL pointer
1893
1888
	It is always possible that grub_zalloc() could fail, so we should check for
1894
1889
	a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
1895
1890
1896
1891
	Fixes: CID 296221
1897
1892
1898
1893
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1899
1894
1900
1895
2021-03-02  Darren Kenny  <darren.kenny@oracle.com>
1901
1896
1902
1897
	mmap: Fix memory leak when iterating over mapped memory
1903
1898
	When returning from grub_mmap_iterate() the memory allocated to present
1904
1899
	is not being released causing it to leak.
1905
1900
1906
1901
	Fixes: CID 96655
1907
1902
1908
1903
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1909
1904
1910
1905
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1911
1906
1912
1907
	usb: Avoid possible out-of-bound accesses caused by malicious devices
1913
1908
	The maximum number of configurations and interfaces are fixed but there is
1914
1909
	no out-of-bound checking to prevent a malicious USB device to report large
1915
1910
	values for these and cause accesses outside the arrays' memory.
1916
1911
1917
1912
	Fixes: CVE-2020-25647
1918
1913
1919
1914
	Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
1920
1915
	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1921
1916
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1922
1917
1923
1918
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1924
1919
1925
1920
	dl: Only allow unloading modules that are not dependencies
1926
1921
	When a module is attempted to be removed its reference counter is always
1927
1922
	decremented. This means that repeated rmmod invocations will cause the
1928
1923
	module to be unloaded even if another module depends on it.
1929
1924
1930
1925
	This may lead to a use-after-free scenario allowing an attacker to execute
1931
1926
	arbitrary code and by-pass the UEFI Secure Boot protection.
1932
1927
1933
1928
	While being there, add the extern keyword to some function declarations in
1934
1929
	that header file.
1935
1930
1936
1931
	Fixes: CVE-2020-25632
1937
1932
1938
1933
	Reported-by: Chris Coulson <chris.coulson@canonical.com>
1939
1934
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1940
1935
1941
1936
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1942
1937
1943
1938
	docs: Document the cutmem command
1944
1939
	The command is not present in the docs/grub.texi user documentation.
1945
1940
1946
1941
	Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
1947
1942
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
1948
1943
1949
1944
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1950
1945
1951
1946
	loader/xnu: Don't allow loading extension and packages when locked down
1952
1947
	The shim_lock verifier validates the XNU kernels but no its extensions
1953
1948
	and packages. Prevent these to be loaded when the GRUB is locked down.
1954
1949
1955
1950
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1956
1951
1957
1952
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1958
1953
1959
1954
	gdb: Restrict GDB access when locked down
1960
1955
	The gdbstub* commands allow to start and control a GDB stub running on
1961
1956
	local host that can be used to connect from a remote debugger. Restrict
1962
1957
	this functionality when the GRUB is locked down.
1963
1958
1964
1959
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1965
1960
1966
1961
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1967
1962
1968
1963
	commands/hdparm: Restrict hdparm command when locked down
1969
1964
	The command can be used to get/set ATA disk parameters. Some of these can
1970
1965
	be dangerous since change the disk behavior. Restrict it when locked down.
1971
1966
1972
1967
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1973
1968
1974
1969
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1975
1970
1976
1971
	commands/setpci: Restrict setpci command when locked down
1977
1972
	This command can set PCI devices register values, which makes it dangerous
1978
1973
	in a locked down configuration. Restrict it so can't be used on this setup.
1979
1974
1980
1975
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1981
1976
1982
1977
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
1983
1978
1984
1979
	commands: Restrict commands that can load BIOS or DT blobs when locked down
1985
1980
	There are some more commands that should be restricted when the GRUB is
1986
1981
	locked down. Following is the list of commands and reasons to restrict:
1987
1982
1988
1983
	  * fakebios:   creates BIOS-like structures for backward compatibility with
1989
1984
	                existing OSes. This should not be allowed when locked down.
1990
1985
1991
1986
	  * loadbios:   reads a BIOS dump from storage and loads it. This action
1992
1987
	                should not be allowed when locked down.
1993
1988
1994
1989
	  * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
1995
1990
	                any Device Tree provided by the firmware. This also should
1996
1991
	                not be allowed when locked down.
1997
1992
1998
1993
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1999
1994
2000
1995
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
2001
1996
2002
1997
	mmap: Don't register cutmem and badram commands when lockdown is enforced
2003
1998
	The cutmem and badram commands can be used to remove EFI memory regions
2004
1999
	and potentially disable the UEFI Secure Boot. Prevent the commands to be
2005
2000
	registered if the GRUB is locked down.
2006
2001
2007
2002
	Fixes: CVE-2020-27779
2008
2003
2009
2004
	Reported-by: Teddy Reed <teddy.reed@gmail.com>
2010
2005
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2011
2006
2012
2007
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
2013
2008
2014
2009
	acpi: Don't register the acpi command when locked down
2015
2010
	The command is not allowed when lockdown is enforced. Otherwise an
2016
2011
	attacker can instruct the GRUB to load an SSDT table to overwrite
2017
2012
	the kernel lockdown configuration and later load and execute
2018
2013
	unsigned code.
2019
2014
2020
2015
	Fixes: CVE-2020-14372
2021
2016
2022
2017
	Reported-by: Máté Kukri <km@mkukri.xyz>
2023
2018
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2024
2019
2025
2020
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
2026
2021
2027
2022
	efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list
2028
2023
	Now the GRUB can check if it has been locked down and this can be used to
2029
2024
	prevent executing commands that can be utilized to circumvent the UEFI
2030
2025
	Secure Boot mechanisms. So, instead of hardcoding a list of modules that
2031
2026
	have to be disabled, prevent the usage of commands that can be dangerous.
2032
2027
2033
2028
	This not only allows the commands to be disabled on other platforms, but
2034
2029
	also properly separate the concerns. Since the shim_lock verifier logic
2035
2030
	should be only about preventing to run untrusted binaries and not about
2036
2031
	defining these kind of policies.
2037
2032
2038
2033
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2039
2034
2040
2035
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
2041
2036
2042
2037
	efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
2043
2038
	If the UEFI Secure Boot is enabled then the GRUB must be locked down
2044
2039
	to prevent executing code that can potentially be used to subvert its
2045
2040
	verification mechanisms.
2046
2041
2047
2042
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2048
2043
2049
2044
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
2050
2045
2051
2046
	kern/lockdown: Set a variable if the GRUB is locked down
2052
2047
	It may be useful for scripts to determine whether the GRUB is locked
2053
2048
	down or not. Add the lockdown variable which is set to "y" when the GRUB
2054
2049
	is locked down.
2055
2050
2056
2051
	Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
2057
2052
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2058
2053
2059
2054
2021-03-02  Javier Martinez Canillas  <javierm@redhat.com>
2060
2055
2061
2056
	kern: Add lockdown support
2062
2057
	When the GRUB starts on a secure boot platform, some commands can be
2063
2058
	used to subvert the protections provided by the verification mechanism and
2064
2059
	could lead to booting untrusted system.
2065
2060
2066
2061
	To prevent that situation, allow GRUB to be locked down. That way the code
2067
2062
	may check if GRUB has been locked down and further restrict the commands
2068
2063
	that are registered or what subset of their functionality could be used.
2069
2064
2070
2065
	The lockdown support adds the following components:
2071
2066
2072
2067
	* The grub_lockdown() function which can be used to lockdown GRUB if,
2073
2068
	  e.g., UEFI Secure Boot is enabled.
2074
2069
2075
2070
	* The grub_is_lockdown() function which can be used to check if the GRUB
2076
2071
	  was locked down.
2077
2072
2078
2073
	* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
2079
2074
	  tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
2080
2075
	  verifiers. These files are only successfully verified if another registered
2081
2076
	  verifier returns success. Otherwise, the whole verification process fails.
2082
2077
2083
2078
	  For example, PE/COFF binaries verification can be done by the shim_lock
2084
2079
	  verifier which validates the signatures using the shim_lock protocol.
2085
2080
	  However, the verification is not deferred directly to the shim_lock verifier.
2086
2081
	  The shim_lock verifier is hooked into the verification process instead.
2087
2082
2088
2083
	* A set of grub_{command,extcmd}_lockdown functions that can be used by
2089
2084
	  code registering command handlers, to only register unsafe commands if
2090
2085
	  the GRUB has not been locked down.
2091
2086
2092
2087
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2093
2088
2094
2089
2021-03-02  Marco A Benatto  <mbenatto@redhat.com>
2095
2090
2096
2091
	efi: Move the shim_lock verifier to the GRUB core
2097
2092
	Move the shim_lock verifier from its own module into the core image. The
2098
2093
	Secure Boot lockdown mechanism has the intent to prevent the load of any
2099
2094
	unsigned code or binary when Secure Boot is enabled.
2100
2095
2101
2096
	The reason is that GRUB must be able to prevent executing untrusted code
2102
2097
	if UEFI Secure Boot is enabled, without depending on external modules.
2103
2098
2104
2099
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2105
2100
2106
2101
2021-03-02  Marco A Benatto  <mbenatto@redhat.com>
2107
2102
2108
2103
	verifiers: Move verifiers API to kernel image
2109
2104
	Move verifiers API from a module to the kernel image, so it can be
2110
2105
	used there as well. There are no functional changes in this patch.
2111
2106
2112
2107
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2113
2108
2114
2109
2020-12-18  Glenn Washburn  <development@efficientek.com>
2115
2110
2116
2111
	docs: Add documentation of disk size limitations
2117
2112
	Document the artificially imposed 1 EiB disk size limit and size limitations
2118
2113
	with LUKS volumes.
2119
2114
2120
2115
	Fix a few punctuation issues.
2121
2116
2122
2117
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2123
2118
2124
2119
2020-12-18  Glenn Washburn  <development@efficientek.com>
2125
2120
2126
2121
	luks2: Use grub_log2ull() to calculate log_sector_size and improve readability
2127
2122
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2128
2123
2129
2124
	misc: Add grub_log2ull() macro for calculating log base 2 of 64-bit integers
2130
2125
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2131
2126
2132
2127
2020-12-18  Glenn Washburn  <development@efficientek.com>
2133
2128
2134
2129
	mips: Enable __clzdi2()
2135
2130
	This patch is similar to commit 9dab2f51e (sparc: Enable __clzsi2() and
2136
2131
	__clzdi2()) but for MIPS target and __clzdi2() only, __clzsi2() was
2137
2132
	already enabled.
2138
2133
2139
2134
	Suggested-by: Daniel Kiper <dkiper@net-space.pl>
2140
2135
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2141
2136
2142
2137
2020-12-18  Glenn Washburn  <development@efficientek.com>
2143
2138
2144
2139
	luks2: Better error handling when setting up the cryptodisk
2145
2140
	Do some sanity checking on data coming from the LUKS2 header. If segment.size
2146
2141
	is "dynamic", verify that the offset is not past the end of disk. Otherwise,
2147
2142
	check for errors from grub_strtoull() when converting segment size from
2148
2143
	string. If a GRUB_ERR_BAD_NUMBER error was returned, then the string was
2149
2144
	not a valid parsable number, so skip the key. If GRUB_ERR_OUT_OF_RANGE was
2150
2145
	returned, then there was an overflow in converting to a 64-bit unsigned
2151
2146
	integer. So this could be a very large disk (perhaps large RAID array).
2152
2147
	In this case skip the key too. Additionally, enforce some other limits
2153
2148
	and fail if needed.
2154
2149
2155
2150
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2156
2151
2157
2152
2020-12-18  Glenn Washburn  <development@efficientek.com>
2158
2153
2159
2154
	luks2: Do not handle disks of size GRUB_DISK_SIZE_UNKNOWN for now
2160
2155
	Check to make sure that source disk has a known size. If not, print
2161
2156
	a message and return error. There are 4 cases where GRUB_DISK_SIZE_UNKNOWN
2162
2157
	is set (biosdisk, obdisk, ofdisk, and uboot), and in all those cases
2163
2158
	processing continues. So this is probably a bit conservative. However,
2164
2159
	3 of the cases seem pathological, and the other, biosdisk, happens when
2165
2160
	booting from a CD-ROM. Since I doubt booting from a LUKS2 volume on
2166
2161
	a CD-ROM is a big use case, we'll error until someone complains.
2167
2162
2168
2163
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2169
2164
2170
2165
2020-12-18  Glenn Washburn  <development@efficientek.com>
2171
2166
2172
2167
	luks2: Convert to crypt sectors from GRUB native sectors
2173
2168
	The function grub_disk_native_sectors(source) returns the number of sectors
2174
2169
	of source in GRUB native (512-byte) sectors, not source sized sectors. So
2175
2170
	the conversion needs to use GRUB_DISK_SECTOR_BITS, the GRUB native sector
2176
2171
	size.
2177
2172
2178
2173
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2179
2174
2180
2175
2020-12-12  Glenn Washburn  <development@efficientek.com>
2181
2176
2182
2177
	luks2: Error check segment.sector_size
2183
2178
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2184
2179
2185
2180
2020-12-12  Glenn Washburn  <development@efficientek.com>
2186
2181
2187
2182
	cryptodisk: Properly handle non-512 byte sized sectors
2188
2183
	By default, dm-crypt internally uses an IV that corresponds to 512-byte
2189
2184
	sectors, even when a larger sector size is specified. What this means is
2190
2185
	that when using a larger sector size, the IV is incremented every sector.
2191
2186
	However, the amount the IV is incremented is the number of 512 byte blocks
2192
2187
	in a sector (i.e. 8 for 4K sectors). Confusingly the IV does not correspond
2193
2188
	to the number of, for example, 4K sectors. So each 512 byte cipher block in
2194
2189
	a sector will be encrypted with the same IV and the IV will be incremented
2195
2190
	afterwards by the number of 512 byte cipher blocks in the sector.
2196
2191
2197
2192
	There are some encryption utilities which do it the intuitive way and have
2198
2193
	the IV equal to the sector number regardless of sector size (ie. the fifth
2199
2194
	sector would have an IV of 4 for each cipher block). And this is supported
2200
2195
	by dm-crypt with the iv_large_sectors option and also cryptsetup as of 2.3.3
2201
2196
	with the --iv-large-sectors, though not with LUKS headers (only with --type
2202
2197
	plain). However, support for this has not been included as grub does not
2203
2198
	support plain devices right now.
2204
2199
2205
2200
	One gotcha here is that the encrypted split keys are encrypted with a hard-
2206
2201
	coded 512-byte sector size. So even if your data is encrypted with 4K sector
2207
2202
	sizes, the split key encrypted area must be decrypted with a block size of
2208
2203
	512 (ie the IV increments every 512 bytes). This made these changes less
2209
2204
	aesthetically pleasing than desired.
2210
2205
2211
2206
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2212
2207
2213
2208
2020-12-12  Glenn Washburn  <development@efficientek.com>
2214
2209
2215
2210
	luks2: grub_cryptodisk_t->total_sectors is the max number of device native sectors
2216
2211
	We need to convert the sectors from the size of the underlying device to the
2217
2212
	cryptodisk sector size; segment.size is in bytes which need to be converted
2218
2213
	to cryptodisk sectors as well.
2219
2214
2220
2215
	Also, removed an empty statement.
2221
2216
2222
2217
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2223
2218
2224
2219
2020-12-12  Glenn Washburn  <development@efficientek.com>
2225
2220
2226
2221
	cryptodisk: Add macros GRUB_TYPE_U_MAX/MIN(type) to replace literals
2227
2222
	Add GRUB_TYPE_U_MAX/MIN(type) macros to get the max/min values for an
2228
2223
	unsigned number with size of type.
2229
2224
2230
2225
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2231
2226
2232
2227
2020-12-12  Glenn Washburn  <development@efficientek.com>
2233
2228
2234
2229
	cryptodisk: Add macro GRUB_TYPE_BITS() to replace some literals
2235
2230
	The new macro GRUB_TYPE_BITS(type) returns the number of bits
2236
2231
	allocated for type.
2237
2232
2238
2233
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2239
2234
2240
2235
2020-12-12  Glenn Washburn  <development@efficientek.com>
2241
2236
2242
2237
	luks2: Add string "index" to user strings using a json index
2243
2238
	This allows error messages to be more easily distinguishable between indexes
2244
2239
	and slot keys. The former include the string "index" in the error/debug
2245
2240
	string, and the later are surrounded in quotes.
2246
2241
2247
2242
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2248
2243
2249
2244
2020-12-12  Glenn Washburn  <development@efficientek.com>
2250
2245
2251
2246
	luks2: Rename json index variables to names that they are obviously json indexes
2252
2247
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2253
2248
2254
2249
2020-12-12  Glenn Washburn  <development@efficientek.com>
2255
2250
2256
2251
	luks2: Use more intuitive object name instead of json index in user messages
2257
2252
	Use the object name in the json array rather than the 0 based index in the
2258
2253
	json array for keyslots, segments, and digests. This is less confusing for
2259
2254
	the end user. For example, say you have a LUKS2 device with a key in slot 1
2260
2255
	and slot 4. When using the password for slot 4 to unlock the device, the
2261
2256
	messages using the index of the keyslot will mention keyslot 1 (its a
2262
2257
	zero-based index). Furthermore, with this change the keyslot number will
2263
2258
	align with the number used to reference the keyslot when using the
2264
2259
	--key-slot argument to cryptsetup.
2265
2260
2266
2261
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2267
2262
2268
2263
2020-12-12  Glenn Washburn  <development@efficientek.com>
2269
2264
2270
2265
	luks2: Add idx member to struct grub_luks2_keyslot/segment/digest
2271
2266
	This allows code using these structs to know the named key associated with
2272
2267
	these json data structures. In the future we can use these to provide better
2273
2268
	error messages to the user.
2274
2269
2275
2270
	Get rid of idx local variable in luks2_get_keyslot() which was overloaded to
2276
2271
	be used for both keyslot and segment slot keys.
2277
2272
2278
2273
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2279
2274
2280
2275
2020-12-12  Glenn Washburn  <development@efficientek.com>
2281
2276
2282
2277
	luks2: Make sure all fields of output argument in luks2_parse_digest() are written to
2283
2278
	We should assume that the output argument "out" is uninitialized and could
2284
2279
	have random data. So, make sure to initialize the segments and keyslots bit
2285
2280
	fields because potentially not all bits of those fields are written to.
2286
2281
	Otherwise, the digest could say it belongs to keyslots and segments that it
2287
2282
	does not.
2288
2283
2289
2284
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2290
2285
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2291
2286
2292
2287
2020-12-12  Glenn Washburn  <development@efficientek.com>
2293
2288
2294
2289
	luks2: Remove unused argument in grub_error() call
2295
2290
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2296
2291
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2297
2292
2298
2293
	luks2: Convert 8 spaces to tabs
2299
2294
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2300
2295
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2301
2296
2302
2297
2020-12-12  Glenn Washburn  <development@efficientek.com>
2303
2298
2304
2299
	misc: Add parentheses around ALIGN_UP() and ALIGN_DOWN() arguments
2305
2300
	This ensures that expected order of operations is preserved when arguments
2306
2301
	are expressions.
2307
2302
2308
2303
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2309
2304
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2310
2305
2311
2306
2020-12-12  Glenn Washburn  <development@efficientek.com>
2312
2307
2313
2308
	disk: Rename grub_disk_get_size() to grub_disk_native_sectors()
2314
2309
	The function grub_disk_get_size() is confusingly named because it actually
2315
2310
	returns a sector count where the sectors are sized in the GRUB native sector
2316
2311
	size. Rename to something more appropriate.
2317
2312
2318
2313
	Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
2319
2314
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2320
2315
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2321
2316
2322
2317
2020-12-12  Glenn Washburn  <development@efficientek.com>
2323
2318
2324
2319
	loopback: Do not automaticaly replace existing loopback dev, error instead
2325
2320
	If there is a loopback device with the same name as the one to be created,
2326
2321
	instead of closing the old one and replacing it with the new one, return an
2327
2322
	error instead. If the loopback device was created, its probably being used
2328
2323
	by something and just replacing it may cause GRUB to crash unexpectedly.
2329
2324
	This fixes obvious problems like "loopback d (d)/somefile". Its not too
2330
2325
	onerous to force the user to delete the loopback first with the "-d" switch.
2331
2326
2332
2327
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2333
2328
2334
2329
2020-12-12  Glenn Washburn  <development@efficientek.com>
2335
2330
2336
2331
	disk: Move hardcoded max disk size literal to a GRUB_DISK_MAX_SECTORS in disk.h
2337
2332
	There is a hardcoded maximum disk size that can be read or written from,
2338
2333
	currently set at 1 EiB in grub_disk_adjust_range(). Move the literal into a
2339
2334
	macro in disk.h, so our assumptions are more visible. This hard coded limit
2340
2335
	does not prevent using larger disks, just GRUB won't read/write past the
2341
2336
	limit. The comment accompanying this restriction didn't quite make sense to
2342
2337
	me, so its been modified too.
2343
2338
2344
2339
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2345
2340
2346
2341
2020-12-12  Glenn Washburn  <development@efficientek.com>
2347
2342
2348
2343
	fs: Fix block lists not being able to address to end of disk sometimes
2349
2344
	When checking if a block list goes past the end of the disk, make sure
2350
2345
	the total size of the disk is in GRUB native sector sizes, otherwise there
2351
2346
	will be blocks at the end of the disk inaccessible by block lists.
2352
2347
2353
2348
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2354
2349
2355
2350
2020-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
2356
2351
2357
2352
	mbr: Document new limitations on MBR gap support
2358
2353
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2359
2354
2360
2355
2020-12-12  Vladimir Serbinenko  <phcoder@google.com>
2361
2356
2362
2357
	mbr: Warn if MBR gap is small and user uses advanced modules
2363
2358
	We don't want to support small MBR gap in pair with anything but the
2364
2359
	simplest config of biosdisk + part_msdos + simple filesystem. In this
2365
2360
	path "simple filesystems" are all current filesystems except ZFS and
2366
2361
	Btrfs.
2367
2362
2368
2363
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2369
2364
2370
2365
2020-12-12  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
2371
2366
2372
2367
	efi/tpm: Extract duplicate code into independent functions
2373
2368
	Part of the code logic for processing the return value of efi
2374
2369
	log_extend_event is repetitive and complicated. Extract the
2375
2370
	repetitive code into an independent function.
2376
2371
2377
2372
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2378
2373
2379
2374
2020-12-12  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
2380
2375
2381
2376
	efi/tpm: Add debug information for device protocol and eventlog
2382
2377
	Add a number of debug logs to the tpm module. The condition tag
2383
2378
	for opening debugging is "tpm". On TPM machines, this will bring
2384
2379
	great convenience to diagnosis and debugging.
2385
2380
2386
2381
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2387
2382
2388
2383
2020-12-12  Daniel Kiper  <daniel.kiper@oracle.com>
2389
2384
2390
2385
	loader/linux: Report the UEFI Secure Boot status to the Linux kernel
2391
2386
	Now that the GRUB has a grub_efi_get_secureboot() function to check the
2392
2387
	UEFI Secure Boot status, use it to report that to the Linux kernel.
2393
2388
2394
2389
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2395
2390
2396
2391
2020-12-12  Javier Martinez Canillas  <javierm@redhat.com>
2397
2392
2398
2393
	efi: Only register shim_lock verifier if shim_lock protocol is found and SB enabled
2399
2394
	The shim_lock module registers a verifier to call shim's verify, but the
2400
2395
	handler is registered even when the shim_lock protocol was not installed.
2401
2396
2402
2397
	This doesn't cause a NULL pointer dereference in shim_lock_write() because
2403
2398
	the shim_lock_init() function just returns GRUB_ERR_NONE if sl isn't set.
2404
2399
2405
2400
	But in that case there's no point to even register the shim_lock verifier
2406
2401
	since won't do anything. Additionally, it is only useful when Secure Boot
2407
2402
	is enabled.
2408
2403
2409
2404
	Finally, don't assume that the shim_lock protocol will always be present
2410
2405
	when the shim_lock_write() function is called, and check for it on every
2411
2406
	call to this function.
2412
2407
2413
2408
	Reported-by: Michael Chang <mchang@suse.com>
2414
2409
	Reported-by: Peter Jones <pjones@redhat.com>
2415
2410
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2416
2411
2417
2412
2020-12-11  Daniel Kiper  <daniel.kiper@oracle.com>
2418
2413
2419
2414
	efi: Add secure boot detection
2420
2415
	Introduce grub_efi_get_secureboot() function which returns whether
2421
2416
	UEFI Secure Boot is enabled or not on UEFI systems.
2422
2417
2423
2418
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2424
2419
2425
2420
2020-12-11  Daniel Kiper  <daniel.kiper@oracle.com>
2426
2421
2427
2422
	efi: Add a function to read EFI variables with attributes
2428
2423
	It will be used to properly detect and report UEFI Secure Boot status to
2429
2424
	the x86 Linux kernel. The functionality will be added by subsequent patches.
2430
2425
2431
2426
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2432
2427
2433
2428
2020-12-11  Daniel Kiper  <daniel.kiper@oracle.com>
2434
2429
2435
2430
	efi: Return grub_efi_status_t from grub_efi_get_variable()
2436
2431
	This is needed to properly detect and report UEFI Secure Boot status
2437
2432
	to the x86 Linux kernel. The functionality will be added by subsequent
2438
2433
	patches.
2439
2434
2440
2435
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2441
2436
2442
2437
2020-12-11  Daniel Kiper  <daniel.kiper@oracle.com>
2443
2438
2444
2439
	efi: Make shim_lock GUID and protocol type public
2445
2440
	The GUID will be used to properly detect and report UEFI Secure Boot
2446
2441
	status to the x86 Linux kernel. The functionality will be added by
2447
2442
	subsequent patches. The shim_lock protocol type is made public for
2448
2443
	completeness.
2449
2444
2450
2445
	Additionally, fix formatting of four preceding GUIDs.
2451
2446
2452
2447
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2453
2448
2454
2449
2020-12-11  Javier Martinez Canillas  <javierm@redhat.com>
2455
2450
2456
2451
	arm/term: Fix linking error due multiple ps2_state definitions
2457
2452
	When building with --target=arm-linux-gnu --with-platform=coreboot
2458
2453
	a linking error occurs caused by multiple definitions of the
2459
2454
	ps2_state variable.
2460
2455
2461
2456
	Mark them as static since they aren't used outside their compilation unit.
2462
2457
2463
2458
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2464
2459
2465
2460
2020-12-11  Javier Martinez Canillas  <javierm@redhat.com>
2466
2461
2467
2462
	include/grub/i386/linux.h: Include missing <grub/types.h> header
2468
2463
	This header uses types defined in <grub/types.h> but does not include it,
2469
2464
	which leads to compile errors like the following:
2470
2465
2471
2466
	In file included from ../include/grub/cpu/linux.h:19,
2472
2467
	                 from kern/efi/sb.c:21:
2473
2468
	../include/grub/i386/linux.h:80:3: error: unknown type name ‘grub_uint64_t’
2474
2469
	   80 |   grub_uint64_t addr;
2475
2470
2476
2471
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2477
2472
2478
2473
2020-12-11  Javier Martinez Canillas  <javierm@redhat.com>
2479
2474
2480
2475
	i386: Don't include <grub/cpu/linux.h> in coreboot and ieee1275 startup.S
2481
2476
	Nothing defined in the header file is used in the assembly code but it
2482
2477
	may lead to build errors if some headers are included through this and
2483
2478
	contains definitions that are not recognized by the assembler, e.g.:
2484
2479
2485
2480
	../include/grub/types.h: Assembler messages:
2486
2481
	../include/grub/types.h:76: Error: no such instruction: `typedef signed char grub_int8_t'
2487
2482
	../include/grub/types.h:77: Error: no such instruction: `typedef short grub_int16_t'
2488
2483
	../include/grub/types.h:78: Error: no such instruction: `typedef int grub_int32_t'
2489
2484
2490
2485
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2491
2486
2492
2487
2020-11-20  Glenn Washburn  <development@efficientek.com>
2493
2488
2494
2489
	luks2: Rename index variable "j" to "i" in luks2_get_keyslot()
2495
2490
	Looping variable "j" was named such because the variable name "i" was taken.
2496
2491
	Since "i" has been renamed in the previous patch, we can rename "j" to "i".
2497
2492
2498
2493
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2499
2494
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2500
2495
2501
2496
2020-11-20  Glenn Washburn  <development@efficientek.com>
2502
2497
2503
2498
	luks2: Rename variable "i" to "keyslot_idx" in luks2_get_keyslot()
2504
2499
	Variables named "i" are usually looping variables. So, rename it to
2505
2500
	"keyslot_idx" to ease luks2_get_keyslot() reading.
2506
2501
2507
2502
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2508
2503
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2509
2504
2510
2505
2020-11-20  Glenn Washburn  <development@efficientek.com>
2511
2506
2512
2507
	luks2: Use correct index variable when looping in luks2_get_keyslot()
2513
2508
	The loop variable "j" should be used to index the digests and segments json
2514
2509
	array, instead of the variable "i", which is the keyslot index.
2515
2510
2516
2511
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2517
2512
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2518
2513
2519
2514
2020-11-20  Glenn Washburn  <development@efficientek.com>
2520
2515
2521
2516
	luks2: Rename source disk variable named "disk" to "source" as in luks.c
2522
2517
	This makes it more obvious to the reader that the disk referred to is the
2523
2518
	source disk, as opposed to say the disk holding the cryptodisk.
2524
2519
2525
2520
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2526
2521
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2527
2522
2528
2523
2020-11-20  Glenn Washburn  <development@efficientek.com>
2529
2524
2530
2525
	cryptodisk: Rename "offset" in grub_cryptodisk_t to "offset_sectors"
2531
2526
	This makes it clear that the offset represents sectors, not bytes, in
2532
2527
	order to improve readability.
2533
2528
2534
2529
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2535
2530
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2536
2531
2537
2532
2020-11-20  Glenn Washburn  <development@efficientek.com>
2538
2533
2539
2534
	cryptodisk: Rename "total_length" field in grub_cryptodisk_t to "total_sectors"
2540
2535
	This creates an alignment with grub_disk_t naming of the same field and is
2541
2536
	more intuitive as to how it should be used.
2542
2537
2543
2538
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2544
2539
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2545
2540
2546
2541
2020-11-20  Glenn Washburn  <development@efficientek.com>
2547
2542
2548
2543
	types: Define GRUB_CHAR_BIT based on compiler macro instead of using literal
2549
2544
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2550
2545
2551
2546
2020-11-20  Javier Martinez Canillas  <javierm@redhat.com>
2552
2547
2553
2548
	include/grub/arm64/linux.h: Include missing <grub/types.h> header
2554
2549
	This header uses types defined in <grub/types.h> but does not include it,
2555
2550
	which leads to compile errors like the following:
2556
2551
2557
2552
	../include/grub/cpu/linux.h:27:3: error: unknown type name ‘grub_uint32_t’
2558
2553
	   27 |   grub_uint32_t code0;  /* Executable code */
2559
2554
	      |   ^~~~~~~~~~~~~
2560
2555
2561
2556
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2562
2557
2563
2558
2020-11-20  Javier Martinez Canillas  <javierm@redhat.com>
2564
2559
2565
2560
	include/grub/arm/system.h: Include missing <grub/symbol.h> header
2566
2561
	The header uses the EXPORT_FUNC() macro defined in <grub/types.h> but
2567
2562
	doesn't include it, which leads to the following compile error on arm:
2568
2563
2569
2564
	../include/grub/cpu/system.h:12:13: error: ‘EXPORT_FUNC’ declared as function returning a function
2570
2565
	   12 | extern void EXPORT_FUNC(grub_arm_disable_caches_mmu) (void);
2571
2566
	      |             ^~~~~~~~~~~
2572
2567
	../include/grub/cpu/system.h:12:1: warning: parameter names (without types) in function declaration
2573
2568
	   12 | extern void EXPORT_FUNC(grub_arm_disable_caches_mmu) (void);
2574
2569
	      | ^~~~~~
2575
2570
	make[3]: *** [Makefile:36581: kern/efi/kernel_exec-sb.o] Error 1
2576
2571
2577
2572
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2578
2573
2579
2574
2020-11-20  Daniel Axtens  <dja@axtens.net>
2580
2575
2581
2576
	docs: grub-install --pubkey has been supported for some time
2582
2577
	grub-install --pubkey is supported, so we can now document it.
2583
2578
2584
2579
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2585
2580
2586
2581
2020-11-20  Daniel Axtens  <dja@axtens.net>
2587
2582
2588
2583
	docs: grub-install is no longer a shell script
2589
2584
	Since commit cd46aa6cefab in 2013, grub-install hasn't been a shell
2590
2585
	script. The para doesn't really add that much, especially since it's
2591
2586
	the user manual, so just drop it.
2592
2587
2593
2588
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2594
2589
2595
2590
2020-10-30  Jacob Kroon  <jacob.kroon@gmail.com>
2596
2591
2597
2592
	Makefile: Remove unused GRUB_PKGLIBDIR definition
2598
2593
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2599
2594
2600
2595
2020-10-30  Daniel Axtens  <dja@axtens.net>
2601
2596
2602
2597
	lzma: Fix compilation error under clang 10
2603
2598
	Compiling under clang 10 gives:
2604
2599
2605
2600
	grub-core/lib/LzmaEnc.c:1362:9: error: misleading indentation; statement is not part of the previous 'if' [-Werror,-Wmisleading-indentation]
2606
2601
	        {
2607
2602
	        ^
2608
2603
	grub-core/lib/LzmaEnc.c:1358:7: note: previous statement is here
2609
2604
	      if (repIndex == 0)
2610
2605
	      ^
2611
2606
	1 error generated.
2612
2607
2613
2608
	It's not really that unclear in context: there's a commented-out
2614
2609
	if-statement. But tweak the alignment anyway so that clang is happy.
2615
2610
2616
2611
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2617
2612
2618
2613
2020-10-30  Cao jin  <caoj.fnst@cn.fujitsu.com>
2619
2614
2620
2615
	kern/i386/realmode: Update comment
2621
2616
	Commit b81d609e4c did not update it.
2622
2617
2623
2618
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2624
2619
2625
2620
2020-10-30  Glenn Washburn  <development@efficientek.com>
2626
2621
2627
2622
	cryptodisk: Fix cipher IV mode "plain64" always being set as "plain"
2628
2623
	When setting cipher IV mode, detection is done by prefix matching the
2629
2624
	cipher IV mode part of the cipher mode string. Since "plain" matches
2630
2625
	"plain64", we must check for "plain64" first. Otherwise, "plain64" will
2631
2626
	be detected as "plain".
2632
2627
2633
2628
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2634
2629
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2635
2630
2636
2631
2020-09-18  Glenn Washburn  <development@efficientek.com>
2637
2632
2638
2633
	crypto: Remove GPG_ERROR_CFLAGS from gpg_err_code_t enum
2639
2634
	This was probably added by accident when originally creating the file.
2640
2635
2641
2636
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2642
2637
2643
2638
2020-09-18  Glenn Washburn  <development@efficientek.com>
2644
2639
2645
2640
	script: Do not allow a delimiter between function name and block start
2646
2641
	Currently the following is valid syntax but should be a syntax error:
2647
2642
2648
2643
	  grub> function f; { echo HERE; }
2649
2644
	  grub> f
2650
2645
	  HERE
2651
2646
2652
2647
	This fix is not backward compatible, but current syntax is not documented
2653
2648
	either and has no functional value. So any scripts with this unintended
2654
2649
	syntax are technically syntactically incorrect and should not be relying
2655
2650
	on this behavior.
2656
2651
2657
2652
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2658
2653
2659
2654
2020-09-18  Glenn Washburn  <development@efficientek.com>
2660
2655
2661
2656
	docs: Support for loading and concatenating multiple initrds
2662
2657
	This has been available since January of 2012 but has not been documented.
2663
2658
2664
2659
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2665
2660
2666
2661
2020-09-18  Glenn Washburn  <development@efficientek.com>
2667
2662
2668
2663
	lexer: char const * should be const char *
2669
2664
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2670
2665
2671
2666
	cryptodisk: Use cipher name instead of object in error message
2672
2667
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2673
2668
2674
2669
2020-09-18  Glenn Washburn  <development@efficientek.com>
2675
2670
2676
2671
	tests: F2FS test should use MOUNTDEVICE like other tests
2677
2672
	LODEVICES is not an array variable and should not be accessed as such.
2678
2673
	This allows the f2fs test to pass as it was failing because a device
2679
2674
	name had a space prepended to the path.
2680
2675
2681
2676
	Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
2682
2677
	Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
2683
2678
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2684
2679
2685
2680
2020-09-18  Florian La Roche  <Florian.LaRoche@gmail.com>
2686
2681
2687
2682
	grub-mkconfig: If $hints is not set reduce the output into grub.cfg to just 1 line
2688
2683
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2689
2684
2690
2685
2020-09-18  Petr Vorel  <pvorel@suse.cz>
2691
2686
2692
2687
	travis: Run bootstrap to fix build
2693
2688
	autogen.sh isn't enough:
2694
2689
2695
2690
	  $ ./autogen.sh
2696
2691
	  Gnulib not yet bootstrapped; run ./bootstrap instead.
2697
2692
	  The command "./autogen.sh" exited with 1.
2698
2693
2699
2694
	Additionally, using bootstrap requires to install autopoint package.
2700
2695
2701
2696
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2702
2697
2703
2698
2020-09-18  Patrick Steinhardt  <ps@pks.im>
2704
2699
2705
2700
	luks2: Strip dashes off of the UUID
2706
2701
	The UUID header for LUKS2 uses a format with dashes, same as for
2707
2702
	LUKS(1). But while we strip these dashes for the latter, we don't for
2708
2703
	the former. This isn't wrong per se, but it's definitely inconsistent
2709
2704
	for users as they need to use the dashed format for LUKS2 and the
2710
2705
	non-dashed format for LUKS when e.g. calling "cryptomount -u $UUID".
2711
2706
2712
2707
	Fix this inconsistency by stripping dashes off of the LUKS2 UUID.
2713
2708
2714
2709
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2715
2710
2716
2711
2020-09-18  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
2717
2712
2718
2713
	efi/tpm: Remove unused functions and structures
2719
2714
	Although the tpm_execute() series of functions are defined they are not
2720
2715
	used anywhere. Several structures in the include/grub/efi/tpm.h header
2721
2716
	file are not used too. There is even nonexistent grub_tpm_init()
2722
2717
	declaration in this header. Delete all that unneeded stuff.
2723
2718
2724
2719
	If somebody needs the functionality implemented in the dropped code then
2725
2720
	he/she can re-add it later. Now it needlessly increases the GRUB
2726
2721
	code/image size.
2727
2722
2728
2723
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2729
2724
2730
2725
2020-09-18  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
2731
2726
2732
2727
	shim_lock: Enable module for all EFI architectures
2733
2728
	Like the tpm the shim_lock module is only enabled for x86_64 target.
2734
2729
	However, there's nothing specific to x86_64 in the implementation and
2735
2730
	it can be enabled for all EFI architectures.
2736
2731
2737
2732
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2738
2733
2739
2734
2020-09-18  Daniel Kiper  <daniel.kiper@oracle.com>
2740
2735
2741
2736
	efi/tpm: Fix typo in grub_efi_tpm2_protocol struct
2742
2737
	Rename get_active_pcr_blanks() to get_active_pcr_banks().
2743
2738
2744
2739
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
2745
2740
2746
2741
2020-09-18  Daniel Kiper  <daniel.kiper@oracle.com>
2747
2742
2748
2743
	i386/efi/init: Drop bogus include
2749
2744
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
2750
2745
2751
2746
2020-09-18  Daniel Kiper  <daniel.kiper@oracle.com>
2752
2747
2753
2748
	docs: Fix devicetree command description
2754
2749
	Specifically fix the subsection and drop bogus reference to the GNU/Linux.
2755
2750
2756
2751
	Reported-by: Patrick Higgins <higgi1pt@gmail.com>
2757
2752
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
2758
2753
2759
2754
2020-09-18  Martin Whitaker  <fsf@martin-whitaker.me.uk>
2760
2755
2761
2756
	grub-install: Fix inverted test for NLS enabled when copying locales
2762
2757
	Commit 3d8439da8 (grub-install: Locale depends on nls) attempted to avoid
2763
2758
	copying locale files to the target directory when NLS was disabled.
2764
2759
	However the test is inverted, and it does the opposite.
2765
2760
2766
2761
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
2767
2762
2768
2763
2020-09-11  Javier Martinez Canillas  <javierm@redhat.com>
2769
2764
2770
2765
	tftp: Roll-over block counter to prevent data packets timeouts
2771
2766
	Commit 781b3e5efc3 (tftp: Do not use priority queue) caused a regression
2772
2767
	when fetching files over TFTP whose size is bigger than 65535 * block size.
2773
2768
2774
2769
	  grub> linux /images/pxeboot/vmlinuz
2775
2770
	  grub> echo $?
2776
2771
	  0
2777
2772
	  grub> initrd /images/pxeboot/initrd.img
2778
2773
	  error: timeout reading '/images/pxeboot/initrd.img'.
2779
2774
	  grub> echo $?
2780
2775
	  28
2781
2776
2782
2777
	It is caused by the block number counter being a 16-bit field, which leads
2783
2778
	to a maximum file size of ((1 << 16) - 1) * block size. Because GRUB sets
2784
2779
	the block size to 1024 octets (by using the TFTP Blocksize Option from RFC
2785
2780
	2348 [0]), the maximum file size that can be transferred is 67107840 bytes.
2786
2781
2787
2782
	The TFTP PROTOCOL (REVISION 2) RFC 1350 [1] does not mention what a client
2788
2783
	should do when a file size is bigger than the maximum, but most TFTP hosts
2789
2784
	support the block number counter to be rolled over. That is, acking a data
2790
2785
	packet with a block number of 0 is taken as if the 65356th block was acked.
2791
2786
2792
2787
	It was working before because the block counter roll-over was happening due
2793
2788
	an overflow. But that got fixed by the mentioned commit, which led to the
2794
2789
	regression when attempting to fetch files larger than the maximum size.
2795
2790
2796
2791
	To allow TFTP file transfers of unlimited size again, re-introduce a block
2797
2792
	counter roll-over so the data packets are acked preventing the timeouts.
2798
2793
2799
2794
	[0]: https://tools.ietf.org/html/rfc2348
2800
2795
	[1]: https://tools.ietf.org/html/rfc1350
2801
2796
2802
2797
	Fixes: 781b3e5efc3 (tftp: Do not use priority queue)
2803
2798
2804
2799
	Suggested-by: Peter Jones <pjones@redhat.com>
2805
2800
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2806
2801
2807
2802
2020-09-11  Florian La Roche  <Florian.LaRoche@gmail.com>
2808
2803
2809
2804
	templates: Remove unnecessary trailing semicolon
2810
2805
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2811
2806
2812
2807
2020-09-11  Glenn Washburn  <development@efficientek.com>
2813
2808
2814
2809
	cryptodisk: Fix incorrect calculation of start sector
2815
2810
	Here dev is a grub_cryptodisk_t and dev->offset is offset in sectors of size
2816
2811
	native to the cryptodisk device. The sector is correctly transformed into
2817
2812
	native grub sector size, but then added to dev->offset which is not
2818
2813
	transformed. It would be nice if the type system would help us with this.
2819
2814
2820
2815
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2821
2816
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2822
2817
2823
2818
2020-09-11  Glenn Washburn  <development@efficientek.com>
2824
2819
2825
2820
	cryptodisk: Unregister cryptomount command when removing module
2826
2821
	Reviewed-by: Patrick Steinhardt <ps@pks.im>
2827
2822
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2828
2823
2829
2824
2020-09-11  Patrick Steinhardt  <ps@pks.im>
2830
2825
2831
2826
	luks2: Improve error reporting when decrypting/verifying key
2832
2827
	While we already set up error messages in both luks2_verify_key() and
2833
2828
	luks2_decrypt_key(), we do not ever print them. This makes it really
2834
2829
	hard to discover why a given key actually failed to decrypt a disk.
2835
2830
2836
2831
	Improve this by including the error message in the user-visible output.
2837
2832
2838
2833
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2839
2834
2840
2835
2020-09-11  Patrick Steinhardt  <ps@pks.im>
2841
2836
2842
2837
	luks: Fix out-of-bounds copy of UUID
2843
2838
	When configuring a LUKS disk, we copy over the UUID from the LUKS header
2844
2839
	into the new grub_cryptodisk_t structure via grub_memcpy(). As size
2845
2840
	we mistakenly use the size of the grub_cryptodisk_t UUID field, which
2846
2841
	is guaranteed to be strictly bigger than the LUKS UUID field we're
2847
2842
	copying. As a result, the copy always goes out-of-bounds and copies some
2848
2843
	garbage from other surrounding fields. During runtime, this isn't
2849
2844
	noticed due to the fact that we always NUL-terminate the UUID and thus
2850
2845
	never hit the trailing garbage.
2851
2846
2852
2847
	Fix the issue by using the size of the local stripped UUID field.
2853
2848
2854
2849
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2855
2850
2856
2851
2020-09-11  Patrick Steinhardt  <ps@pks.im>
2857
2852
2858
2853
	json: Remove invalid typedef redefinition
2859
2854
	The C standard does not allow for typedef redefinitions, even if they
2860
2855
	map to the same underlying type. In order to avoid including the
2861
2856
	jsmn.h in json.h and thus exposing jsmn's internals, we have exactly
2862
2857
	such a forward-declaring typedef in json.h. If enforcing the GNU99 C
2863
2858
	standard, clang may generate a warning about this non-standard
2864
2859
	construct.
2865
2860
2866
2861
	Fix the issue by using a simple "struct jsmntok" forward declaration
2867
2862
	instead of using a typedef.
2868
2863
2869
2864
	Tested-by: Chuck Tuffli <chuck@freebsd.org>
2870
2865
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2871
2866
2872
2867
2020-09-11  Cao jin  <caoj.fnst@cn.fujitsu.com>
2873
2868
2874
2869
	i386/relocator_common: Drop empty #ifdef
2875
2870
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2876
2871
2877
2872
2020-09-11  Ave Milia  <avemilia@protonmail.com>
2878
2873
2879
2874
	video/bochs: Fix typo
2880
2875
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2881
2876
2882
2877
2020-07-29  Colin Watson  <cjwatson@debian.org>
2883
2878
2884
2879
	linux: Fix integer overflows in initrd size handling
2885
2880
	These could be triggered by a crafted filesystem with very large files.
2886
2881
2887
2882
	Fixes: CVE-2020-15707
2888
2883
2889
2884
	Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
2890
2885
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2891
2886
2892
2887
2020-07-29  Peter Jones  <pjones@redhat.com>
2893
2888
2894
2889
	loader/linux: Avoid overflow on initrd size calculation
2895
2890
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2896
2891
2897
2892
2020-07-29  Alexey Makhalov  <amakhalov@vmware.com>
2898
2893
2899
2894
	efi: Fix use-after-free in halt/reboot path
2900
2895
	commit 92bfc33db984 ("efi: Free malloc regions on exit")
2901
2896
	introduced memory freeing in grub_efi_fini(), which is
2902
2897
	used not only by exit path but by halt/reboot one as well.
2903
2898
	As result of memory freeing, code and data regions used by
2904
2899
	modules, such as halt, reboot, acpi (used by halt) also got
2905
2900
	freed. After return to module code, CPU executes, filled
2906
2901
	by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as
2907
2902
	a code. Which leads to #UD exception later.
2908
2903
2909
2904
	grub> halt
2910
2905
	!!!! X64 Exception Type - 06(#UD - Invalid Opcode)  CPU Apic ID - 00000000 !!!!
2911
2906
	RIP  - 0000000003F4EC28, CS  - 0000000000000038, RFLAGS - 0000000000200246
2912
2907
	RAX  - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41
2913
2908
	RBX  - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000
2914
2909
	RSI  - 00000000064DB768, RDI - 000000000832C5C3
2915
2910
	R8   - 0000000000000002, R9  - 0000000000000000, R10 - 00000000061E2E52
2916
2911
	R11  - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4
2917
2912
	R14  - 0000000003E10D80, R15 - 00000000061E2F60
2918
2913
	DS   - 0000000000000030, ES  - 0000000000000030, FS  - 0000000000000030
2919
2914
	GS   - 0000000000000030, SS  - 0000000000000030
2920
2915
	CR0  - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000
2921
2916
	CR4  - 0000000000000668, CR8 - 0000000000000000
2922
2917
	DR0  - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
2923
2918
	DR3  - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
2924
2919
	GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000
2925
2920
	IDTR - 0000000007598018 0000000000000FFF,   TR - 0000000000000000
2926
2921
	FXSAVE_STATE - 0000000007F0F4C0
2927
2922
2928
2923
	Proposal here is to continue to free allocated memory for
2929
2924
	exit boot services path but keep it for halt/reboot path
2930
2925
	as it won't be much security concern here.
2931
2926
	Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY
2932
2927
	loader flag to be used by efi halt/reboot path.
2933
2928
2934
2929
	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2935
2930
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2936
2931
2937
2932
2020-07-29  Daniel Kiper  <daniel.kiper@oracle.com>
2938
2933
2939
2934
	efi/chainloader: Propagate errors from copy_file_path()
2940
2935
	Without any error propagated to the caller, make_file_path()
2941
2936
	would then try to advance the invalid device path node with
2942
2937
	GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL
2943
2938
	pointer that would subsequently be dereferenced. Hence, propagate
2944
2939
	errors from copy_file_path().
2945
2940
2946
2941
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2947
2942
2948
2943
2020-07-29  Peter Jones  <pjones@redhat.com>
2949
2944
2950
2945
	efi: Fix some malformed device path arithmetic errors
2951
2946
	Several places we take the length of a device path and subtract 4 from
2952
2947
	it, without ever checking that it's >= 4. There are also cases where
2953
2948
	this kind of malformation will result in unpredictable iteration,
2954
2949
	including treating the length from one dp node as the type in the next
2955
2950
	node. These are all errors, no matter where the data comes from.
2956
2951
2957
2952
	This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
2958
2953
	can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
2959
2954
	return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
2960
2955
	the length is too small. Additionally, it makes several places in the
2961
2956
	code check for and return errors in these cases.
2962
2957
2963
2958
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2964
2959
2965
2960
2020-07-29  Peter Jones  <pjones@redhat.com>
2966
2961
2967
2962
	emu: Make grub_free(NULL) safe
2968
2963
	The grub_free() implementation in grub-core/kern/mm.c safely handles
2969
2964
	NULL pointers, and code at many places depends on this. We don't know
2970
2965
	that the same is true on all host OSes, so we need to handle the same
2971
2966
	behavior in grub-emu's implementation.
2972
2967
2973
2968
	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2974
2969
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2975
2970
2976
2971
2020-07-29  Peter Jones  <pjones@redhat.com>
2977
2972
2978
2973
	lvm: Fix two more potential data-dependent alloc overflows
2979
2974
	It appears to be possible to make a (possibly invalid) lvm PV with
2980
2975
	a metadata size field that overflows our type when adding it to the
2981
2976
	address we've allocated. Even if it doesn't, it may be possible to do so
2982
2977
	with the math using the outcome of that as an operand. Check them both.
2983
2978
2984
2979
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2985
2980
2986
2981
2020-07-29  Peter Jones  <pjones@redhat.com>
2987
2982
2988
2983
	hfsplus: Fix two more overflows
2989
2984
	Both node->size and node->namelen come from the supplied filesystem,
2990
2985
	which may be user-supplied. We can't trust them for the math unless we
2991
2986
	know they don't overflow. Making sure they go through grub_add() or
2992
2987
	grub_calloc() first will give us that.
2993
2988
2994
2989
	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2995
2990
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2996
2991
2997
2992
2020-07-29  Alexey Makhalov  <amakhalov@vmware.com>
2998
2993
2999
2994
	relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation
3000
2995
	Current implementation of grub_relocator_alloc_chunk_align()
3001
2996
	does not allow allocation of the top byte.
3002
2997
3003
2998
	Assuming input args are:
3004
2999
	  max_addr = 0xfffff000;
3005
3000
	  size = 0x1000;
3006
3001
3007
3002
	And this is valid. But following overflow protection will
3008
3003
	unnecessarily move max_addr one byte down (to 0xffffefff):
3009
3004
	  if (max_addr > ~size)
3010
3005
	    max_addr = ~size;
3011
3006
3012
3007
	~size + 1 will fix the situation. In addition, check size
3013
3008
	for non zero to do not zero max_addr.
3014
3009
3015
3010
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3016
3011
3017
3012
2020-07-29  Chris Coulson  <chris.coulson@canonical.com>
3018
3013
3019
3014
	script: Avoid a use-after-free when redefining a function during execution
3020
3015
	Defining a new function with the same name as a previously defined
3021
3016
	function causes the grub_script and associated resources for the
3022
3017
	previous function to be freed. If the previous function is currently
3023
3018
	executing when a function with the same name is defined, this results
3024
3019
	in use-after-frees when processing subsequent commands in the original
3025
3020
	function.
3026
3021
3027
3022
	Instead, reject a new function definition if it has the same name as
3028
3023
	a previously defined function, and that function is currently being
3029
3024
	executed. Although a behavioural change, this should be backwards
3030
3025
	compatible with existing configurations because they can't be
3031
3026
	dependent on the current behaviour without being broken.
3032
3027
3033
3028
	Fixes: CVE-2020-15706
3034
3029
3035
3030
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3036
3031
3037
3032
2020-07-29  Chris Coulson  <chris.coulson@canonical.com>
3038
3033
3039
3034
	script: Remove unused fields from grub_script_function struct
3040
3035
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3041
3036
3042
3037
2020-07-29  Alexey Makhalov  <amakhalov@vmware.com>
3043
3038
3044
3039
	relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow
3045
3040
	This commit introduces integer underflow mitigation in max_addr calculation
3046
3041
	in grub_relocator_alloc_chunk_align() invocation.
3047
3042
3048
3043
	It consists of 2 fixes:
3049
3044
	  1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to perform
3050
3045
	     sanity check for min/max and size values, and to make safe invocation of
3051
3046
	     grub_relocator_alloc_chunk_align() with validated max_addr value. Replace all
3052
3047
	     invocations such as grub_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...)
3053
3048
	     by grub_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...).
3054
3049
	  2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top
3055
3050
	     address (0xffffffff - size + 1) or similar.
3056
3051
3057
3052
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3058
3053
3059
3054
2020-07-29  Alexey Makhalov  <amakhalov@vmware.com>
3060
3055
3061
3056
	relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow
3062
3057
	Use arithmetic macros from safemath.h to accomplish it. In this commit,
3063
3058
	I didn't want to be too paranoid to check every possible math equation
3064
3059
	for overflow/underflow. Only obvious places (with non zero chance of
3065
3060
	overflow/underflow) were refactored.
3066
3061
3067
3062
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3068
3063
3069
3064
2020-07-29  Alexey Makhalov  <amakhalov@vmware.com>
3070
3065
3071
3066
	tftp: Do not use priority queue
3072
3067
	There is not need to reassemble the order of blocks. Per RFC 1350,
3073
3068
	server must wait for the ACK, before sending next block. Data packets
3074
3069
	can be served immediately without putting them to priority queue.
3075
3070
3076
3071
	Logic to handle incoming packet is this:
3077
3072
	  - if packet block id equal to expected block id, then
3078
3073
	    process the packet,
3079
3074
	  - if packet block id is less than expected - this is retransmit
3080
3075
	    of old packet, then ACK it and drop the packet,
3081
3076
	  - if packet block id is more than expected - that shouldn't
3082
3077
	    happen, just drop the packet.
3083
3078
3084
3079
	It makes the tftp receive path code simpler, smaller and faster.
3085
3080
	As a benefit, this change fixes CID# 73624 and CID# 96690, caused
3086
3081
	by following while loop:
3087
3082
3088
3083
	  while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0)
3089
3084
3090
3085
	where tftph pointer is not moving from one iteration to another, causing
3091
3086
	to serve same packet again. Luckily, double serving didn't happen due to
3092
3087
	data->block++ during the first iteration.
3093
3088
3094
3089
	Fixes: CID 73624, CID 96690
3095
3090
3096
3091
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3097
3092
3098
3093
2020-07-29  Konrad Rzeszutek Wilk  <konrad.wilk@oracle.com>
3099
3094
3100
3095
	multiboot2: Fix memory leak if grub_create_loader_cmdline() fails
3101
3096
	Fixes: CID 292468
3102
3097
3103
3098
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3104
3099
3105
3100
2020-07-29  Konrad Rzeszutek Wilk  <konrad.wilk@oracle.com>
3106
3101
3107
3102
	udf: Fix memory leak
3108
3103
	Fixes: CID 73796
3109
3104
3110
3105
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3111
3106
	Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
3112
3107
3113
3108
2020-07-29  Konrad Rzeszutek Wilk  <konrad.wilk@oracle.com>
3114
3109
3115
3110
	term: Fix overflow on user inputs
3116
3111
	This requires a very weird input from the serial interface but can cause
3117
3112
	an overflow in input_buf (keys) overwriting the next variable (npending)
3118
3113
	with the user choice:
3119
3114
3120
3115
	(pahole output)
3121
3116
3122
3117
	struct grub_terminfo_input_state {
3123
3118
	        int                        input_buf[6];         /*     0    24 */
3124
3119
	        int                        npending;             /*    24     4 */ <- CORRUPT
3125
3120
	        ...snip...
3126
3121
3127
3122
	The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow
3128
3123
	npending with "q" (aka increase npending to 161). The simplest fix is to
3129
3124
	just to disallow overwrites input_buf, which exactly what this patch does.
3130
3125
3131
3126
	Fixes: CID 292449
3132
3127
3133
3128
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3134
3129
3135
3130
2020-07-29  Konrad Rzeszutek Wilk  <konrad.wilk@oracle.com>
3136
3131
3137
3132
	lzma: Make sure we don't dereference past array
3138
3133
	The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
3139
3134
	using the GetLenToPosState() macro which checks if len is less than 5,
3140
3135
	and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
3141
3136
	Obviously we don't want to dereference that far out so we check if the
3142
3137
	position found is greater or equal kNumLenToPosStates (4) and bail out.
3143
3138
3144
3139
	N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
3145
3140
	without any history.
3146
3141
3147
3142
	Fixes: CID 51526
3148
3143
3149
3144
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3150
3145
3151
3146
2020-07-29  Chris Coulson  <chris.coulson@canonical.com>
3152
3147
3153
3148
	json: Avoid a double-free when parsing fails.
3154
3149
	When grub_json_parse() succeeds, it returns the root object which
3155
3150
	contains a pointer to the provided JSON string. Callers are
3156
3151
	responsible for ensuring that this string outlives the root
3157
3152
	object and for freeing its memory when it's no longer needed.
3158
3153
3159
3154
	If grub_json_parse() fails to parse the provided JSON string,
3160
3155
	it frees the string before returning an error. This results
3161
3156
	in a double free in luks2_recover_key(), which also frees the
3162
3157
	same string after grub_json_parse() returns an error.
3163
3158
3164
3159
	This changes grub_json_parse() to never free the JSON string
3165
3160
	passed to it, and updates the documentation for it to make it
3166
3161
	clear that callers are responsible for ensuring that the string
3167
3162
	outlives the root JSON object.
3168
3163
3169
3164
	Fixes: CID 292465
3170
3165
3171
3166
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3172
3167
3173
3168
2020-07-29  Alexey Makhalov  <amakhalov@vmware.com>
3174
3169
3175
3170
	xnu: Fix double free in grub_xnu_devprop_add_property()
3176
3171
	grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get
3177
3172
	allocated and freed in the caller.
3178
3173
3179
3174
	Minor improvement: do prop fields initialization after memory allocations.
3180
3175
3181
3176
	Fixes: CID 292442, CID 292457, CID 292460, CID 292466
3182
3177
3183
3178
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3184
3179
3185
3180
2020-07-29  Alexey Makhalov  <amakhalov@vmware.com>
3186
3181
3187
3182
	gfxmenu: Fix double free in load_image()
3188
3183
	self->bitmap should be zeroed after free. Otherwise, there is a chance
3189
3184
	to double free (USE_AFTER_FREE) it later in rescale_image().
3190
3185
3191
3186
	Fixes: CID 292472
3192
3187
3193
3188
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3194
3189
3195
3190
2020-07-29  Daniel Kiper  <daniel.kiper@oracle.com>
3196
3191
3197
3192
	font: Do not load more than one NAME section
3198
3193
	The GRUB font file can have one NAME section only. Though if somebody
3199
3194
	crafts a broken font file with many NAME sections and loads it then the
3200
3195
	GRUB leaks memory. So, prevent against that by loading first NAME
3201
3196
	section and failing in controlled way on following one.
3202
3197
3203
3198
	Reported-by: Chris Coulson <chris.coulson@canonical.com>
3204
3199
	Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
3205
3200
3206
3201
2020-07-29  Peter Jones  <pjones@redhat.com>
3207
3202
3208
3203
	iso9660: Don't leak memory on realloc() failures
3209
3204
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3210
3205
3211
3206
2020-07-29  Peter Jones  <pjones@redhat.com>
3212
3207
3213
3208
	malloc: Use overflow checking primitives where we do complex allocations
3214
3209
	This attempts to fix the places where we do the following where
3215
3210
	arithmetic_expr may include unvalidated data:
3216
3211
3217
3212
	  X = grub_malloc(arithmetic_expr);
3218
3213
3219
3214
	It accomplishes this by doing the arithmetic ahead of time using grub_add(),
3220
3215
	grub_sub(), grub_mul() and testing for overflow before proceeding.
3221
3216
3222
3217
	Among other issues, this fixes:
3223
3218
	  - allocation of integer overflow in grub_video_bitmap_create()
3224
3219
	    reported by Chris Coulson,
3225
3220
	  - allocation of integer overflow in grub_png_decode_image_header()
3226
3221
	    reported by Chris Coulson,
3227
3222
	  - allocation of integer overflow in grub_squash_read_symlink()
3228
3223
	    reported by Chris Coulson,
3229
3224
	  - allocation of integer overflow in grub_ext2_read_symlink()
3230
3225
	    reported by Chris Coulson,
3231
3226
	  - allocation of integer overflow in read_section_as_string()
3232
3227
	    reported by Chris Coulson.
3233
3228
3234
3229
	Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
3235
3230
3236
3231
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3237
3232
3238
3233
2020-07-29  Peter Jones  <pjones@redhat.com>
3239
3234
3240
3235
	calloc: Use calloc() at most places
3241
3236
	This modifies most of the places we do some form of:
3242
3237
3243
3238
	  X = malloc(Y * Z);
3244
3239
3245
3240
	to use calloc(Y, Z) instead.
3246
3241
3247
3242
	Among other issues, this fixes:
3248
3243
	  - allocation of integer overflow in grub_png_decode_image_header()
3249
3244
	    reported by Chris Coulson,
3250
3245
	  - allocation of integer overflow in luks_recover_key()
3251
3246
	    reported by Chris Coulson,
3252
3247
	  - allocation of integer overflow in grub_lvm_detect()
3253
3248
	    reported by Chris Coulson.
3254
3249
3255
3250
	Fixes: CVE-2020-14308
3256
3251
3257
3252
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3258
3253
3259
3254
2020-07-29  Peter Jones  <pjones@redhat.com>
3260
3255
3261
3256
	calloc: Make sure we always have an overflow-checking calloc() available
3262
3257
	This tries to make sure that everywhere in this source tree, we always have
3263
3258
	an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
3264
3259
	available, and that they all safely check for overflow and return NULL when
3265
3260
	it would occur.
3266
3261
3267
3262
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3268
3263
3269
3264
2020-07-29  Peter Jones  <pjones@redhat.com>
3270
3265
3271
3266
	safemath: Add some arithmetic primitives that check for overflow
3272
3267
	This adds a new header, include/grub/safemath.h, that includes easy to
3273
3268
	use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
3274
3269
3275
3270
	  bool OP(a, b, res)
3276
3271
3277
3272
	where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
3278
3273
	case where the operation would overflow and res is not modified.
3279
3274
	Otherwise, false is returned and the operation is executed.
3280
3275
3281
3276
	These arithmetic primitives require newer compiler versions. So, bump
3282
3277
	these requirements in the INSTALL file too.
3283
3278
3284
3279
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3285
3280
3286
3281
2020-07-29  Peter Jones  <pjones@redhat.com>
3287
3282
3288
3283
	yylex: Make lexer fatal errors actually be fatal
3289
3284
	When presented with a command that can't be tokenized to anything
3290
3285
	smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
3291
3286
	expecting that will stop further processing, as such:
3292
3287
3293
3288
	  #define YY_DO_BEFORE_ACTION \
3294
3289
	        yyg->yytext_ptr = yy_bp; \
3295
3290
	        yyleng = (int) (yy_cp - yy_bp); \
3296
3291
	        yyg->yy_hold_char = *yy_cp; \
3297
3292
	        *yy_cp = '\0'; \
3298
3293
	        if ( yyleng >= YYLMAX ) \
3299
3294
	                YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
3300
3295
	        yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
3301
3296
	        yyg->yy_c_buf_p = yy_cp;
3302
3297
3303
3298
	The code flex generates expects that YY_FATAL_ERROR() will either return
3304
3299
	for it or do some form of longjmp(), or handle the error in some way at
3305
3300
	least, and so the strncpy() call isn't in an "else" clause, and thus if
3306
3301
	YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
3307
3302
	questionable limit, and predictable results ensue.
3308
3303
3309
3304
	Unfortunately, our implementation of YY_FATAL_ERROR() is:
3310
3305
3311
3306
	   #define YY_FATAL_ERROR(msg)                     \
3312
3307
	     do {                                          \
3313
3308
	       grub_printf (_("fatal error: %s\n"), _(msg));     \
3314
3309
	     } while (0)
3315
3310
3316
3311
	The same pattern exists in yyless(), and similar problems exist in users
3317
3312
	of YY_INPUT(), several places in the main parsing loop,
3318
3313
	yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
3319
3314
	yy_scan_buffer(), etc.
3320
3315
3321
3316
	All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
3322
3317
	the things they do if it returns after calling it are wildly unsafe.
3323
3318
3324
3319
	Fixes: CVE-2020-10713
3325
3320
3326
3321
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3327
3322
3328
3323
2020-05-25  Marc Zyngier  <maz@kernel.org>
3329
3324
3330
3325
	arm: Fix 32-bit ARM handling of the CTR register
3331
3326
	When booting on an ARMv8 core that implements either CTR.IDC or CTR.DIC
3332
3327
	(indicating that some of the cache maintenance operations can be
3333
3328
	removed when dealing with I/D-cache coherency, GRUB dies with a
3334
3329
	"Unsupported cache type 0x........" message.
3335
3330
3336
3331
	This is pretty likely to happen when running in a virtual machine
3337
3332
	hosted on an arm64 machine (I've triggered it on a system built around
3338
3333
	a bunch of Cortex-A55 cores, which implements CTR.IDC).
3339
3334
3340
3335
	It turns out that the way GRUB deals with the CTR register is a bit
3341
3336
	harsh for anything from ARMv7 onwards. The layout of the register is
3342
3337
	backward compatible, meaning that nothing that gets added is allowed to
3343
3338
	break earlier behaviour. In this case, ignoring IDC is completely fine,
3344
3339
	and only results in unnecessary cache maintenance.
3345
3340
3346
3341
	We can thus avoid being paranoid, and align the 32bit behaviour with
3347
3342
	its 64bit equivalent.
3348
3343
3349
3344
	This patch has the added benefit that it gets rid of a (gnu-specific)
3350
3345
	case range too.
3351
3346
3352
3347
	Reviewed-by: Leif Lindholm <leif@nuviainc.com>
3353
3348
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3354
3349
3355
3350
2020-05-25  Ian Jackson  <ian.jackson@eu.citrix.com>
3356
3351
3357
3352
	templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK)
3358
3353
	XSM is enabled by adding "flask=enforcing" as a Xen command line
3359
3354
	argument, and providing the policy file as a grub module.
3360
3355
3361
3356
	We make entries for both with and without XSM. If XSM is not compiled
3362
3357
	into Xen, then there are no policy files, so no change to the boot
3363
3358
	options.
3364
3359
3365
3360
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3366
3361
3367
3362
2020-05-25  Ian Jackson  <ian.jackson@eu.citrix.com>
3368
3363
3369
3364
	templates/20_linux_xen: Ignore xenpolicy and config files too
3370
3365
	file_is_not_sym() currently only checks for xen-syms. Extend it to
3371
3366
	disregard xenpolicy (XSM policy files) and files ending .config (which
3372
3367
	are built by the Xen upstream build system in some configurations and
3373
3368
	can therefore end up in /boot).
3374
3369
3375
3370
	Rename the function accordingly, to file_is_not_xen_garbage().
3376
3371
3377
3372
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3378
3373
3379
3374
2020-05-25  Javier Martinez Canillas  <javierm@redhat.com>
3380
3375
3381
3376
	net: Break out nested function
3382
3377
	Nested functions are not supported in C, but are permitted as an extension
3383
3378
	in the GNU C dialect. Commit cb2f15c5448 ("normal/main: Search for specific
3384
3379
	config files for netboot") added a nested function which caused the build
3385
3380
	to break when compiling with clang.
3386
3381
3387
3382
	Break that out into a static helper function to make the code portable again.
3388
3383
3389
3384
	Reported-by: Daniel Axtens <dja@axtens.net>
3390
3385
	Tested-by: Daniel Axtens <dja@axtens.net>
3391
3386
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3392
3387
3393
3388
2020-05-25  Javier Martinez Canillas  <javierm@redhat.com>
3394
3389
3395
3390
	tpm: Enable module for all EFI platforms
3396
3391
	The module is only enabled for x86_64, but there's nothing specific to
3397
3392
	x86_64 in the implementation and can be enabled for all EFI platforms.
3398
3393
3399
3394
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3400
3395
3401
3396
2020-05-25  Daniel Kiper  <daniel.kiper@oracle.com>
3402
3397
3403
3398
	INSTALL/configure: Update install doc and configure comment
3404
3399
	..to reflect the GRUB build reality in them.
3405
3400
3406
3401
	Additionally, fix text formatting a bit.
3407
3402
3408
3403
	Reviewed-by: Leif Lindholm <leif@nuviainc.com>
3409
3404
3410
3405
2020-05-25  Daniel Kiper  <daniel.kiper@oracle.com>
3411
3406
3412
3407
	configure: Set gnu99 C language standard by default
3413
3408
	Commit d5a32255d (misc: Make grub_strtol() "end" pointers have safer
3414
3409
	const qualifiers) introduced "restrict" keyword into some functions
3415
3410
	definitions. This keyword was introduced in C99 standard. However, some
3416
3411
	compilers by default may use C89 or something different. This behavior
3417
3412
	leads to the breakage during builds when c89 or gnu89 is in force. So,
3418
3413
	let's set gnu99 C language standard for all compilers by default. This
3419
3414
	way a bit random build issue will be fixed and the GRUB source will be
3420
3415
	build consistently regardless of type and version of the compiler.
3421
3416
3422
3417
	It was decided to use gnu99 C language standard because it fixes the
3423
3418
	issue mentioned above and also provides some useful extensions which are
3424
3419
	used here and there in the GRUB source. Potentially we can use gnu11
3425
3420
	too. However, this may reduce pool of older compilers which can be used
3426
3421
	to build the GRUB. So, let's live with gnu99 until we discover that we
3427
3422
	strongly require a feature from newer C standard.
3428
3423
3429
3424
	The user is still able to override C language standard using relevant
3430
3425
	*_CFLAGS variables.
3431
3426
3432
3427
	Reviewed-by: Leif Lindholm <leif@nuviainc.com>
3433
3428
3434
3429
2020-05-15  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
3435
3430
3436
3431
	tpm: Rename function grub_tpm_log_event() to grub_tpm_measure()
3437
3432
	grub_tpm_log_event() and grub_tpm_measure() are two functions that
3438
3433
	have the same effect. So, keep grub_tpm_log_event() and rename it
3439
3434
	to grub_tpm_measure(). This way we get also a more clear semantics.
3440
3435
3441
3436
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3442
3437
3443
3438
2020-05-15  Daniel Kiper  <daniel.kiper@oracle.com>
3444
3439
3445
3440
	autogen: Replace -iname with -ipath in find command
3446
3441
	..because -iname cannot be used to match paths.
3447
3442
3448
3443
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
3449
3444
	Reviewed-by: Leif Lindholm <leif@nuviainc.com>
3450
3445
	Reviewed-by: Daniel Axtens <dja@axtens.net>
3451
3446
3452
3447
2020-05-15  Daniel Kiper  <daniel.kiper@oracle.com>
3453
3448
3454
3449
	INSTALL: Update configure example
3455
3450
	..to make it more relevant.
3456
3451
3457
3452
	Reviewed-by: Leif Lindholm <leif@nuviainc.com>
3458
3453
3459
3454
2020-05-15  Daniel Kiper  <daniel.kiper@oracle.com>
3460
3455
3461
3456
	configure: Drop unneeded TARGET_CFLAGS expansion
3462
3457
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
3463
3458
	Reviewed-by: Leif Lindholm <leif@nuviainc.com>
3464
3459
3465
3460
2020-05-15  Jacob Kroon  <jacob.kroon@gmail.com>
3466
3461
3467
3462
	docs/grub: Support for probing partition UUID on MSDOS disks
3468
3463
	Support was implemented in commit c7cb11b21 (probe: Support probing for
3469
3464
	msdos PARTUUID).
3470
3465
3471
3466
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3472
3467
3473
3468
2020-05-15  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
3474
3469
3475
3470
	verifiers: Add verify string debug message
3476
3471
	Like grub_verifiers_open(), the grub_verify_string() should also
3477
3472
	display this debug message, which is very helpful for debugging.
3478
3473
3479
3474
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3480
3475
3481
3476
2020-05-15  Javier Martinez Canillas  <javierm@redhat.com>
3482
3477
3483
3478
	envblk: Fix buffer overrun when attempting to shrink a variable value
3484
3479
	If an existing variable is set with a value whose length is smaller than
3485
3480
	the current value, a memory corruption can happen due copying padding '#'
3486
3481
	characters outside of the environment block buffer.
3487
3482
3488
3483
	This is caused by a wrong calculation of the previous free space position
3489
3484
	after moving backward the characters that followed the old variable value.
3490
3485
3491
3486
	That position is calculated to fill the remaining of the buffer with the
3492
3487
	padding '#' characters. But since isn't calculated correctly, it can lead
3493
3488
	to copies outside of the buffer.
3494
3489
3495
3490
	The issue can be reproduced by creating a variable with a large value and
3496
3491
	then try to set a new value that is much smaller:
3497
3492
3498
3493
	$ grub2-editenv --version
3499
3494
	grub2-editenv (GRUB) 2.04
3500
3495
3501
3496
	$ grub2-editenv env create
3502
3497
3503
3498
	$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
3504
3499
3505
3500
	$ wc -c env
3506
3501
	1024 grubenv
3507
3502
3508
3503
	$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
3509
3504
	malloc(): corrupted top size
3510
3505
	Aborted (core dumped)
3511
3506
3512
3507
	$ wc -c env
3513
3508
	0 grubenv
3514
3509
3515
3510
	Reported-by: Renaud Métrich <rmetrich@redhat.com>
3516
3511
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3517
3512
3518
3513
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3519
3514
3520
3515
	docs: Remove docs for non-existing uppermem command
3521
3516
	Remove all documentation of and mentions of the uppermem
3522
3517
	command from the docs/grub.texi file.
3523
3518
3524
3519
	The uppermem command is not implemented in the GRUB source
3525
3520
	at all and appears to never have been implemented despite
3526
3521
	former plans to add an uppermem command.
3527
3522
3528
3523
	To reduce user confusion, this even removes the paragraph
3529
3524
	describing how GRUB's uppermem command was supposed to
3530
3525
	complement the Linux kernel's mem= parameter.
3531
3526
3532
3527
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3533
3528
3534
3529
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3535
3530
3536
3531
	docs: Remove docs for non-existing pxe_unload command
3537
3532
	Remove the documentation of the pxe_unload command from the
3538
3533
	docs/grub.texi file.
3539
3534
3540
3535
	The pxe_unload command is not implemented in the grub source
3541
3536
	at this time at all. It appears to have been removed in commit
3542
3537
	671a78acb (cleanup pxe and efi network release).
3543
3538
3544
3539
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3545
3540
3546
3541
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3547
3542
3548
3543
	gitignore: Add a few forgotten file patterns
3549
3544
	Add a few patterns to .gitignore to cover files which are generated
3550
3545
	by building grub ("make", "make check", "make dist") but which have
3551
3546
	been forgotten to add to .gitignore in the past.
3552
3547
3553
3548
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3554
3549
3555
3550
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3556
3551
3557
3552
	gitignore: Add leading slashes where appropriate
3558
3553
	Going through the list of gitignore patterns without a leading slash,
3559
3554
	this adds a leading slash where it appears to have been forgotten.
3560
3555
3561
3556
	Some gitignore patterns like ".deps/" or "Makefile" clearly should
3562
3557
	match everywhere, so those definitively need no leading slash.
3563
3558
3564
3559
	For some patterns like "ascii.bitmaps", it is unclear where in the
3565
3560
	source tree they should match. Those patterns are kept as they are,
3566
3561
	matching the patterns in the whole tree of subdirectories.
3567
3562
3568
3563
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3569
3564
3570
3565
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3571
3566
3572
3567
	gitignore: Add trailing slashes for directories
3573
3568
	Add trailing slashes for all patterns matching directories.
3574
3569
3575
3570
	Note that we do *not* add trailing slashes for *symlinks*
3576
3571
	to directories.
3577
3572
3578
3573
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3579
3574
3580
3575
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3581
3576
3582
3577
	gitignore: Sort both pattern groups alphabetically
3583
3578
	Alphabetically sort the two groups of gitignore patterns:
3584
3579
3585
3580
	  * The group of patterns without slashes, matching anywhere
3586
3581
	    in the directory subtree.
3587
3582
3588
3583
	  * The group of patterns with slashes, matching relative to the
3589
3584
	    .gitignore file's directory
3590
3585
3591
3586
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3592
3587
3593
3588
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3594
3589
3595
3590
	gitignore: Group patterns with and without slash
3596
3591
	Group the .gitignore patterns into two groups:
3597
3592
3598
3593
	  * Pattern not including a slash, i.e. matching files anywhere in
3599
3594
	    the .gitignore file's directory and all of its subdirectories.
3600
3595
3601
3596
	  * Patterns including a slash, i.e. matching only relative to the
3602
3597
	    .gitignore file's directory.
3603
3598
3604
3599
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3605
3600
3606
3601
2020-05-15  Hans Ulrich Niedermann  <hun@n-dimensional.de>
3607
3602
3608
3603
	gitignore: Consistent leading slash is easier to read
3609
3604
	As all gitignore patterns containing a left or middle slash match
3610
3605
	only relative to the .gitignore file's directory, we write them
3611
3606
	all in the same manner with a leading slash.
3612
3607
3613
3608
	This makes the file significantly easier to read.
3614
3609
3615
3610
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3616
3611
3617
3612
2020-05-15  Daniel Kiper  <daniel.kiper@oracle.com>
3618
3613
3619
3614
	mips/cache: Add missing nop's in delay slots
3620
3615
	Lack of them causes random instructions to be executed before the
3621
3616
	jump really happens.
3622
3617
3623
3618
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3624
3619
3625
3620
2020-04-21  Patrick Steinhardt  <ps@pks.im>
3626
3621
3627
3622
	luks2: Propagate error when reading area key fails
3628
3623
	When decrypting a given keyslot, all error cases except for one set up
3629
3624
	an error and return the error code. The only exception is when we try to
3630
3625
	read the area key: instead of setting up an error message, we directly
3631
3626
	print it via grub_dprintf().
3632
3627
3633
3628
	Convert the outlier to use grub_error() to allow more uniform handling
3634
3629
	of errors.
3635
3630
3636
3631
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3637
3632
3638
3633
2020-04-21  Patrick Steinhardt  <ps@pks.im>
3639
3634
3640
3635
	json: Get rid of casts for "jsmntok_t"
3641
3636
	With the upstream change having landed that adds a name to the
3642
3637
	previously anonymous "jsmntok" typedef, we can now add a forward
3643
3638
	declaration for that struct in our code. As a result, we no longer have
3644
3639
	to store the "tokens" member of "struct grub_json" as a void pointer but
3645
3640
	can instead use the forward declaration, allowing us to get rid of casts
3646
3641
	of that field.
3647
3642
3648
3643
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3649
3644
3650
3645
2020-04-21  Patrick Steinhardt  <ps@pks.im>
3651
3646
3652
3647
	json: Update jsmn library to upstream commit 053d3cd
3653
3648
	Update our embedded version of the jsmn library to upstream commit
3654
3649
	053d3cd (Merge pull request #175 from pks-t/pks/struct-type,
3655
3650
	2020-04-02).
3656
3651
3657
3652
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3658
3653
3659
3654
2020-04-21  Steve Langasek  <steve.langasek@ubuntu.com>
3660
3655
3661
3656
	templates: Output a menu entry for firmware setup on UEFI FastBoot systems
3662
3657
	The fwsetup command allows to reboot into the EFI firmware setup menu, add
3663
3658
	a template to include a menu entry on EFI systems that makes use of that
3664
3659
	command to reboot into the EFI firmware settings.
3665
3660
3666
3661
	This is useful for users since the hotkey to enter into the EFI setup menu
3667
3662
	may not be the same on all systems so users can use the menu entry without
3668
3663
	needing to figure out what key needs to be pressed.
3669
3664
3670
3665
	Also, if fastboot is enabled in the BIOS then often it is not possible to
3671
3666
	enter the firmware setup menu. So the entry is again useful for this case.
3672
3667
3673
3668
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3674
3669
3675
3670
2020-04-21  Hans de Goede  <hdegoede@redhat.com>
3676
3671
3677
3672
	kern/term: Accept ESC, F4 and holding SHIFT as user interrupt keys
3678
3673
	On some devices the ESC key is the hotkey to enter the BIOS/EFI setup
3679
3674
	screen, making it really hard to time pressing it right. Besides that
3680
3675
	ESC is also pretty hard to discover for a user who does not know it
3681
3676
	will unhide the menu.
3682
3677
3683
3678
	This commit makes F4, which was chosen because is not used as a hotkey
3684
3679
	to enter the BIOS setup by any vendor, also interrupt sleeps / stop the
3685
3680
	menu countdown.
3686
3681
3687
3682
	This solves the ESC gets into the BIOS setup and also somewhat solves
3688
3683
	the discoverability issue, but leaves the timing issue unresolved.
3689
3684
3690
3685
	This commit fixes the timing issue by also adding support for keeping
3691
3686
	SHIFT pressed during boot to stop the menu countdown. This matches
3692
3687
	what Ubuntu is doing, which should also help with discoverability.
3693
3688
3694
3689
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3695
3690
3696
3691
2020-04-21  Hans de Goede  <hdegoede@redhat.com>
3697
3692
3698
3693
	efi/console: Do not set text-mode until we actually need it
3699
3694
	If we're running with a hidden menu we may never need text mode, so do not
3700
3695
	change the video-mode to text until we actually need it.
3701
3696
3702
3697
	This allows to boot a machine without unnecessary graphical transitions and
3703
3698
	provide a seamless boot experience to users.
3704
3699
3705
3700
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3706
3701
3707
3702
2020-04-21  Hans de Goede  <hdegoede@redhat.com>
3708
3703
3709
3704
	efi/console: Implement getkeystatus() support
3710
3705
	Implement getkeystatus() support in the EFI console driver.
3711
3706
3712
3707
	This is needed because the logic to determine if a key was pressed to make
3713
3708
	the menu countdown stop will be changed by a later patch to also take into
3714
3709
	account the SHIFT key being held down.
3715
3710
3716
3711
	For this reason the EFI console driver has to support getkeystatus() to
3717
3712
	allow detecting that event.
3718
3713
3719
3714
	Note that if a non-modifier key gets pressed and repeated calls to
3720
3715
	getkeystatus() are made then it will return the modifier status at the
3721
3716
	time of the non-modifier key, until that key-press gets consumed by a
3722
3717
	getkey() call.
3723
3718
3724
3719
	This is a side-effect of how the EFI simple-text-input protocol works
3725
3720
	and cannot be avoided.
3726
3721
3727
3722
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3728
3723
3729
3724
2020-04-21  Hans de Goede  <hdegoede@redhat.com>
3730
3725
3731
3726
	efi/console: Add grub_console_read_key_stroke() helper function
3732
3727
	This is a preparatory patch for adding getkeystatus() support to the
3733
3728
	EFI console driver.
3734
3729
3735
3730
	We can get modifier status through the simple_text_input read_key_stroke()
3736
3731
	method, but if a non-modifier key is (also) pressed the read_key_stroke()
3737
3732
	call will consume that key from the firmware's queue.
3738
3733
3739
3734
	The new grub_console_read_key_stroke() helper buffers upto 1 key-stroke.
3740
3735
	If it has a non-modifier key buffered, it will return that one, if its
3741
3736
	buffer is empty, it will fills its buffer by getting a new key-stroke.
3742
3737
3743
3738
	If called with consume=1 it will empty its buffer after copying the
3744
3739
	key-data to the callers buffer, this is how getkey() will use it.
3745
3740
3746
3741
	If called with consume=0 it will keep the last key-stroke buffered, this
3747
3742
	is how getkeystatus() will call it. This means that if a non-modifier
3748
3743
	key gets pressed, repeated getkeystatus() calls will return the modifiers
3749
3744
	of that key-press until it is consumed by a getkey() call.
3750
3745
3751
3746
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3752
3747
3753
3748
2020-04-21  Hans de Goede  <hdegoede@redhat.com>
3754
3749
3755
3750
	kern/term: Make grub_getkeystatus() helper function available everywhere
3756
3751
	Move grub_getkeystatushelper() function from grub-core/commands/keystatus.c
3757
3752
	to grub-core/kern/term.c and export it so that it can be used outside of
3758
3753
	the keystatus command code too.
3759
3754
3760
3755
	There's no logic change in this patch. The function definition is moved so
3761
3756
	it can be called from grub-core/kern/term.c in a subsequent patch. It will
3762
3757
	be used to determine if a SHIFT key has was held down and use that also to
3763
3758
	interrupt the countdown, without the need to press a key at the right time.
3764
3759
3765
3760
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3766
3761
3767
3762
2020-04-21  Javier Martinez Canillas  <javierm@redhat.com>
3768
3763
3769
3764
	efi/console: Move grub_console_set{colorstate,cursor} higher in the file
3770
3765
	This is just a preparatory patch to move the functions higher in the file,
3771
3766
	since these will be called by the grub_prepare_for_text_output() function
3772
3767
	that will be introduced in a later patch.
3773
3768
3774
3769
	The logic is unchanged by this patch. Functions definitions are just moved
3775
3770
	to avoid a forward declaration in a later patch, keeping the code clean.
3776
3771
3777
3772
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3778
3773
3779
3774
2020-04-21  Paul Menzel  <pmenzel@molgen.mpg.de>
3780
3775
3781
3776
	docs/grub: Fix typo in *preferred*
3782
3777
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3783
3778
3784
3779
2020-04-21  Daniel Axtens  <dja@axtens.net>
3785
3780
3786
3781
	powerpc/mkimage: Fix CHRP note descsz
3787
3782
	Currently, an image generated with 'grub-mkimage -n' causes an error when
3788
3783
	read with 'readelf -a':
3789
3784
3790
3785
	Displaying notes found at file offset 0x000106f0 with length 0x0000002c:
3791
3786
	  Owner                Data size        Description
3792
3787
	readelf: Warning: note with invalid namesz and/or descsz found at offset 0x0
3793
3788
	readelf: Warning:  type: 0x1275, namesize: 0x00000008, descsize: 0x0000002c, alignment: 4
3794
3789
3795
3790
	This is because the descsz of the CHRP note is set to
3796
3791
	 sizeof (struct grub_ieee1275_note)
3797
3792
	which is the size of the entire note, including name and elf header. The
3798
3793
	desczs should contain only the contents, not the name and header sizes.
3799
3794
3800
3795
	Set the descsz instead to 'sizeof (struct grub_ieee1275_note_desc)'
3801
3796
3802
3797
	Resultant readelf output:
3803
3798
3804
3799
	Displaying notes found at file offset 0x00010710 with length 0x0000002c:
3805
3800
	  Owner                Data size        Description
3806
3801
	  PowerPC              0x00000018       Unknown note type: (0x00001275)
3807
3802
	   description data: ff ff ff ff 00 c0 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 40 00
3808
3803
3809
3804
	So far as I can tell this issue has existed for as long as the note
3810
3805
	generation code has existed, but I guess nothing really checks descsz.
3811
3806
3812
3807
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3813
3808
3814
3809
2020-03-31  Flavio Suligoi  <f.suligoi@asem.it>
3815
3810
3816
3811
	efi: Add missed space in GRUB_EFI_GLOBAL_VARIABLE_GUID
3817
3812
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3818
3813
3819
3814
2020-03-31  Michael Chang  <mchang@suse.com>
3820
3815
3821
3816
	zfs: Fix gcc10 error -Werror=zero-length-bounds
3822
3817
	We bumped into the build error while testing gcc-10 pre-release.
3823
3818
3824
3819
	In file included from ../../include/grub/file.h:22,
3825
3820
			from ../../grub-core/fs/zfs/zfs.c:34:
3826
3821
	../../grub-core/fs/zfs/zfs.c: In function 'zap_leaf_lookup':
3827
3822
	../../grub-core/fs/zfs/zfs.c:2263:44: error: array subscript '<unknown>' is outside the bounds of an interior zero-length array 'grub_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=zero-length-bounds]
3828
3823
	2263 |   for (chunk = grub_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian);
3829
3824
	../../include/grub/types.h:241:48: note: in definition of macro 'grub_le_to_cpu16'
3830
3825
	 241 | # define grub_le_to_cpu16(x) ((grub_uint16_t) (x))
3831
3826
	     |                                                ^
3832
3827
	../../grub-core/fs/zfs/zfs.c:2263:16: note: in expansion of macro 'grub_zfs_to_cpu16'
3833
3828
	2263 |   for (chunk = grub_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian);
3834
3829
	     |                ^~~~~~~~~~~~~~~~~
3835
3830
	In file included from ../../grub-core/fs/zfs/zfs.c:48:
3836
3831
	../../include/grub/zfs/zap_leaf.h:72:16: note: while referencing 'l_hash'
3837
3832
	  72 |  grub_uint16_t l_hash[0];
3838
3833
	     |                ^~~~~~
3839
3834
3840
3835
	Here I'd like to quote from the gcc document [1] which seems best to
3841
3836
	explain what is going on here.
3842
3837
3843
3838
	"Although the size of a zero-length array is zero, an array member of
3844
3839
	this kind may increase the size of the enclosing type as a result of
3845
3840
	tail padding. The offset of a zero-length array member from the
3846
3841
	beginning of the enclosing structure is the same as the offset of an
3847
3842
	array with one or more elements of the same type. The alignment of a
3848
3843
	zero-length array is the same as the alignment of its elements.
3849
3844
3850
3845
	Declaring zero-length arrays in other contexts, including as interior
3851
3846
	members of structure objects or as non-member objects, is discouraged.
3852
3847
	Accessing elements of zero-length arrays declared in such contexts is
3853
3848
	undefined and may be diagnosed."
3854
3849
3855
3850
	The l_hash[0] is apparnetly an interior member to the enclosed structure
3856
3851
	while l_entries[0] is the trailing member. And the offending code tries
3857
3852
	to access members in l_hash[0] array that triggers the diagnose.
3858
3853
3859
3854
	Given that the l_entries[0] is used to get proper alignment to access
3860
3855
	leaf chunks, we can accomplish the same thing through the ALIGN_UP macro
3861
3856
	thus eliminating l_entries[0] from the structure. In this way we can
3862
3857
	pacify the warning as l_hash[0] now becomes the last member to the
3863
3858
	enclosed structure.
3864
3859
3865
3860
	[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
3866
3861
3867
3862
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3868
3863
3869
3864
2020-03-31  Michael Chang  <mchang@suse.com>
3870
3865
3871
3866
	mdraid1x_linux: Fix gcc10 error -Werror=array-bounds
3872
3867
	We bumped into the build error while testing gcc-10 pre-release.
3873
3868
3874
3869
	../../grub-core/disk/mdraid1x_linux.c: In function 'grub_mdraid_detect':
3875
3870
	../../grub-core/disk/mdraid1x_linux.c:181:15: error: array subscript <unknown> is outside array bounds of 'grub_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=array-bounds]
3876
3871
	  181 |      (char *) &sb.dev_roles[grub_le_to_cpu32 (sb.dev_number)]
3877
3872
	      |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3878
3873
	../../grub-core/disk/mdraid1x_linux.c:98:17: note: while referencing 'dev_roles'
3879
3874
	   98 |   grub_uint16_t dev_roles[0]; /* Role in array, or 0xffff for a spare, or 0xfffe for faulty.  */
3880
3875
	      |                 ^~~~~~~~~
3881
3876
	../../grub-core/disk/mdraid1x_linux.c:127:33: note: defined here 'sb'
3882
3877
	  127 |       struct grub_raid_super_1x sb;
3883
3878
	      |                                 ^~
3884
3879
	cc1: all warnings being treated as errors
3885
3880
3886
3881
	Apparently gcc issues the warning when trying to access sb.dev_roles
3887
3882
	array's member, since it is a zero length array as the last element of
3888
3883
	struct grub_raid_super_1x that is allocated sparsely without extra
3889
3884
	chunks for the trailing bits, so the warning looks legitimate in this
3890
3885
	regard.
3891
3886
3892
3887
	As the whole thing here is doing offset computation, it is undue to use
3893
3888
	syntax that would imply array member access then take address from it
3894
3889
	later. Instead we could accomplish the same thing through basic array
3895
3890
	pointer arithmetic to pacify the warning.
3896
3891
3897
3892
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3898
3893
3899
3894
2020-03-31  Simon Hardy  <simon.hardy@itdev.co.uk>
3900
3895
3901
3896
	build: Fix GRUB i386-pc build with Ubuntu gcc
3902
3897
	With recent versions of gcc on Ubuntu a very large lzma_decompress.img file is
3903
3898
	output. (e.g. 134479600 bytes instead of 2864.) This causes grub-mkimage to
3904
3899
	fail with: "error: Decompressor is too big."
3905
3900
3906
3901
	This seems to be caused by a section .note.gnu.property that is placed at an
3907
3902
	offset such that objcopy needs to pad the img file with zeros.
3908
3903
3909
3904
	This issue is present on:
3910
3905
	Ubuntu 19.10 with gcc (Ubuntu 8.3.0-26ubuntu1~19.10) 8.3.0
3911
3906
	Ubuntu 19.10 with gcc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008
3912
3907
3913
3908
	This issue is not present on:
3914
3909
	Ubuntu 19.10 with gcc (Ubuntu 7.5.0-3ubuntu1~19.10) 7.5.0
3915
3910
	RHEL 8.0 with gcc 8.3.1 20190507 (Red Hat 8.3.1-4)
3916
3911
3917
3912
	The issue can be fixed by removing the section using objcopy as shown in
3918
3913
	this patch.
3919
3914
3920
3915
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3921
3916
3922
3917
2020-03-31  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>
3923
3918
3924
3919
	efi/tpm: Fix memory leak in grub_tpm1/2_log_event()
3925
3920
	The memory requested for the event is not released here,
3926
3921
	causing memory leaks. This patch fixes this problem.
3927
3922
3928
3923
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
3929
3924
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3930
3925
3931
3926
2020-03-31  Michael Chang  <mchang@suse.com>
3932
3927
3933
3928
	docs: Document notes on LVM cache booting
3934
3929
	Add notes on LVM cache booting to the GRUB manual to help user understanding
3935
3930
	the outstanding issue and status.
3936
3931
3937
3932
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3938
3933
3939
3934
2020-03-31  Michael Chang  <mchang@suse.com>
3940
3935
3941
3936
	lvm: Add LVM cache logical volume handling
3942
3937
	The LVM cache logical volume is the logical volume consisting of the original
3943
3938
	and the cache pool logical volume. The original is usually on a larger and
3944
3939
	slower storage device while the cache pool is on a smaller and faster one. The
3945
3940
	performance of the original volume can be improved by storing the frequently
3946
3941
	used data on the cache pool to utilize the greater performance of faster
3947
3942
	device.
3948
3943
3949
3944
	The default cache mode "writethrough" ensures that any data written will be
3950
3945
	stored both in the cache and on the origin LV, therefore grub can be straight
3951
3946
	to read the original lv as no data loss is guarenteed.
3952
3947
3953
3948
	The second cache mode is "writeback", which delays writing from the cache pool
3954
3949
	back to the origin LV to have increased performance. The drawback is potential
3955
3950
	data loss if losing the associated cache device.
3956
3951
3957
3952
	During the boot time grub reads the LVM offline i.e. LVM volumes are not
3958
3953
	activated and mounted, hence it should be fine to read directly from original
3959
3954
	lv since all cached data should have been flushed back in the process of taking
3960
3955
	it offline.
3961
3956
3962
3957
	It is also not much helpful to the situation by adding fsync calls to the
3963
3958
	install code. The fsync did not force to write back dirty cache to the original
3964
3959
	device and rather it would update associated cache metadata to complete the
3965
3960
	write transaction with the cache device. IOW the writes to cached blocks still
3966
3961
	go only to the cache device.
3967
3962
3968
3963
	To write back dirty cache, as LVM cache did not support dirty cache flush per
3969
3964
	block range, there'no way to do it for file. On the other hand the "cleaner"
3970
3965
	policy is implemented and can be used to write back "all" dirty blocks in a
3971
3966
	cache, which effectively drain all dirty cache gradually to attain and last in
3972
3967
	the "clean" state, which can be useful for shrinking or decommissioning a
3973
3968
	cache. The result and effect is not what we are looking for here.
3974
3969
3975
3970
	In conclusion, as it seems no way to enforce file writes to the original
3976
3971
	device, grub may suffer from power failure as it cannot assemble the cache
3977
3972
	device and read the dirty data from it. However since the case is only
3978
3973
	applicable to writeback mode which is sensitive to data lost in nature, I'd
3979
3974
	still like to propose my (relatively simple) patch and treat reading dirty
3980
3975
	cache as improvement.
3981
3976
3982
3977
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
3983
3978
3984
3979
2020-03-10  Patrick Steinhardt  <ps@pks.im>
3985
3980
3986
3981
	gnulib: Fix build of base64 when compiling with memory debugging
3987
3982
	When building GRUB with memory management debugging enabled, then the
3988
3983
	build fails because of `grub_debug_malloc()` and `grub_debug_free()`
3989
3984
	being undefined in the luks2 module. The cause is that we patch
3990
3985
	"base64.h" to unconditionaly include "config-util.h", which shouldn't be
3991
3986
	included for modules at all. As a result, `MM_DEBUG` is defined when
3992
3987
	building the module, causing it to use the debug memory allocation
3993
3988
	functions. As these are not built into modules, we end up with a linker
3994
3989
	error.
3995
3990
3996
3991
	Fix the issue by removing the <config-util.h> include altogether. The
3997
3992
	sole reason it was included was for the `_GL_ATTRIBUTE_CONST` macro,
3998
3993
	which we can simply define as empty in case it's not set.
3999
3994
4000
3995
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4001
3996
4002
3997
2020-03-10  Patrick Steinhardt  <ps@pks.im>
4003
3998
4004
3999
	build: Fix option to explicitly disable memory debugging
4005
4000
	The memory management system supports a debug mode that can be enabled
4006
4001
	at build time by passing "--enable-mm-debug" to the configure script.
4007
4002
	Passing the option will cause us define MM_DEBUG as expected, but in
4008
4003
	fact the reverse option "--disable-mm-debug" will do the exact same
4009
4004
	thing and also set up the define. This currently causes the build of
4010
4005
	"lib/gnulib/base64.c" to fail as it tries to use `grub_debug_malloc()`
4011
4006
	and `grub_debug_free()` even though both symbols aren't defined.
4012
4007
4013
4008
	Seemingly, `AC_ARG_ENABLE()` will always execute the third argument if
4014
4009
	either the positive or negative option was passed. Let's thus fix the
4015
4010
	issue by moving the call to`AC_DEFINE()` into an explicit `if test
4016
4011
	$xenable_mm_debug` block, similar to how other defines work.
4017
4012
4018
4013
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4019
4014
	Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
4020
4015
4021
4016
2020-03-10  David Michael  <fedora.dm0@gmail.com>
4022
4017
4023
4018
	fat: Support file modification times
4024
4019
	This allows comparing file ages on EFI system partitions.
4025
4020
4026
4021
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4027
4022
4028
4023
2020-03-10  David Michael  <fedora.dm0@gmail.com>
4029
4024
4030
4025
	exfat: Save the matching directory entry struct when searching
4031
4026
	This provides the node's attributes outside the iterator function
4032
4027
	so the file modification time can be accessed and reported.
4033
4028
4034
4029
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4035
4030
4036
4031
2020-03-10  Mike Gilbert  <floppym@gentoo.org>
4037
4032
4038
4033
	datetime: Enable the datetime module for the emu platform
4039
4034
	Fixes a build failure:
4040
4035
4041
4036
	  grub-core/commands/date.c:49: undefined reference to `grub_get_weekday_name'
4042
4037
	  grub-core/commands/ls.c:155: undefined reference to `grub_unixtime2datetime'
4043
4038
4044
4039
	Bug: https://bugs.gentoo.org/711512
4045
4040
4046
4041
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4047
4042
	Tested-by: Javier Martinez Canillas <javierm@redhat.com>
4048
4043
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4049
4044
4050
4045
2020-03-10  John Paul Adrian Glaubitz  <glaubitz@physik.fu-berlin.de>
4051
4046
4052
4047
	build: Add soft-float handling for SuperH (sh4)
4053
4048
	While GRUB has no platform support for SuperH (sh4) yet, this change
4054
4049
	adds the target-specific handling of soft-floats such that the GRUB
4055
4050
	utilities can be built on this target.
4056
4051
4057
4052
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4058
4053
4059
4054
2020-03-10  Peter Jones  <pjones@redhat.com>
4060
4055
4061
4056
	efi: Fix the type of grub_efi_status_t
4062
4057
	Currently, in some builds with some checkers, we see:
4063
4058
4064
4059
	1. grub-core/disk/efi/efidisk.c:601: error[shiftTooManyBitsSigned]: Shifting signed 64-bit value by 63 bits is undefined behaviour
4065
4060
4066
4061
	This is because grub_efi_status_t is defined as grub_efi_intn_t, which is
4067
4062
	signed, and shifting into the sign bit is not defined behavior.  UEFI fixed
4068
4063
	this in the spec in 2.3:
4069
4064
4070
4065
	2.3 | Change the defined type of EFI_STATUS from INTN to UINTN | May 7, 2009
4071
4066
4072
4067
	And the current EDK2 code has:
4073
4068
	MdePkg/Include/Base.h-//
4074
4069
	MdePkg/Include/Base.h-// Status codes common to all execution phases
4075
4070
	MdePkg/Include/Base.h-//
4076
4071
	MdePkg/Include/Base.h:typedef UINTN RETURN_STATUS;
4077
4072
	MdePkg/Include/Base.h-
4078
4073
	MdePkg/Include/Base.h-/**
4079
4074
	MdePkg/Include/Base.h-  Produces a RETURN_STATUS code with the highest bit set.
4080
4075
	MdePkg/Include/Base.h-
4081
4076
	MdePkg/Include/Base.h-  @param  StatusCode    The status code value to convert into a warning code.
4082
4077
	MdePkg/Include/Base.h-                        StatusCode must be in the range 0x00000000..0x7FFFFFFF.
4083
4078
	MdePkg/Include/Base.h-
4084
4079
	MdePkg/Include/Base.h-  @return The value specified by StatusCode with the highest bit set.
4085
4080
	MdePkg/Include/Base.h-
4086
4081
	MdePkg/Include/Base.h-**/
4087
4082
	MdePkg/Include/Base.h-#define ENCODE_ERROR(StatusCode)     ((RETURN_STATUS)(MAX_BIT | (StatusCode)))
4088
4083
	MdePkg/Include/Base.h-
4089
4084
	MdePkg/Include/Base.h-/**
4090
4085
	MdePkg/Include/Base.h-  Produces a RETURN_STATUS code with the highest bit clear.
4091
4086
	MdePkg/Include/Base.h-
4092
4087
	MdePkg/Include/Base.h-  @param  StatusCode    The status code value to convert into a warning code.
4093
4088
	MdePkg/Include/Base.h-                        StatusCode must be in the range 0x00000000..0x7FFFFFFF.
4094
4089
	MdePkg/Include/Base.h-
4095
4090
	MdePkg/Include/Base.h-  @return The value specified by StatusCode with the highest bit clear.
4096
4091
	MdePkg/Include/Base.h-
4097
4092
	MdePkg/Include/Base.h-**/
4098
4093
	MdePkg/Include/Base.h-#define ENCODE_WARNING(StatusCode)   ((RETURN_STATUS)(StatusCode))
4099
4094
	MdePkg/Include/Base.h-
4100
4095
	MdePkg/Include/Base.h-/**
4101
4096
	MdePkg/Include/Base.h-  Returns TRUE if a specified RETURN_STATUS code is an error code.
4102
4097
	MdePkg/Include/Base.h-
4103
4098
	MdePkg/Include/Base.h-  This function returns TRUE if StatusCode has the high bit set.  Otherwise, FALSE is returned.
4104
4099
	MdePkg/Include/Base.h-
4105
4100
	MdePkg/Include/Base.h-  @param  StatusCode    The status code value to evaluate.
4106
4101
	MdePkg/Include/Base.h-
4107
4102
	MdePkg/Include/Base.h-  @retval TRUE          The high bit of StatusCode is set.
4108
4103
	MdePkg/Include/Base.h-  @retval FALSE         The high bit of StatusCode is clear.
4109
4104
	MdePkg/Include/Base.h-
4110
4105
	MdePkg/Include/Base.h-**/
4111
4106
	MdePkg/Include/Base.h-#define RETURN_ERROR(StatusCode)     (((INTN)(RETURN_STATUS)(StatusCode)) < 0)
4112
4107
	...
4113
4108
	Uefi/UefiBaseType.h:typedef RETURN_STATUS             EFI_STATUS;
4114
4109
4115
4110
	This patch makes grub's implementation match the Edk2 declaration with regards
4116
4111
	to the signedness of the type.
4117
4112
4118
4113
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4119
4114
4120
4115
2020-03-10  Peter Jones  <pjones@redhat.com>
4121
4116
4122
4117
	efi/gop: Add debug output on GOP probing
4123
4118
	Add debug information to EFI GOP video driver probing function.
4124
4119
4125
4120
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4126
4121
4127
4122
2020-03-10  Peter Jones  <pjones@redhat.com>
4128
4123
4129
4124
	efi/uga: Use video instead of fb as debug condition
4130
4125
	All other video drivers use "video" as the debug condition instead of "fb"
4131
4126
	so change this in the efi/uga driver to make it consistent with the others.
4132
4127
4133
4128
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4134
4129
4135
4130
2020-03-10  Peter Jones  <pjones@redhat.com>
4136
4131
4137
4132
	efi: Print error messages to grub_efi_allocate_pages_real()
4138
4133
	No messages were printed in this function, add some to ease debugging.
4139
4134
4140
4135
	Also, the function returns a void * pointer so return NULL instead of
4141
4136
	0 to make the code more readable.
4142
4137
4143
4138
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4144
4139
4145
4140
2020-03-10  Andrei Borzenkov  <arvidjaar@gmail.com>
4146
4141
4147
4142
	efi/uga: Use 64 bit for fb_base
4148
4143
	We get 64 bit from PCI BAR but then truncate by assigning to 32 bit.
4149
4144
	Make sure to check that pointer does not overflow on 32 bit platform.
4150
4145
4151
4146
	Closes: 50931
4152
4147
4153
4148
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4154
4149
4155
4150
2020-03-10  Alexander Graf  <agraf@suse.de>
4156
4151
4157
4152
	efi/gop: Add support for BLT_ONLY adapters
4158
4153
	EFI GOP has support for multiple different bitness types of frame buffers
4159
4154
	and for a special "BLT only" type which is always defined to be RGBx.
4160
4155
4161
4156
	Because grub2 doesn't ever directly access the frame buffer but instead
4162
4157
	only renders graphics via the BLT interface anyway, we can easily support
4163
4158
	these adapters.
4164
4159
4165
4160
	The reason this has come up now is the emerging support for virtio-gpu
4166
4161
	in OVMF. That adapter does not have the notion of a memory mapped frame
4167
4162
	buffer and thus is BLT only.
4168
4163
4169
4164
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4170
4165
4171
4166
2020-03-10  Peter Jones  <pjones@redhat.com>
4172
4167
4173
4168
	normal/completion: Fix possible NULL pointer dereference
4174
4169
	Coverity Scan reports that the grub_strrchr() function can return NULL if
4175
4170
	the character is not found. Check if that's the case for dirfile pointer.
4176
4171
4177
4172
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4178
4173
4179
4174
2020-03-10  Peter Jones  <pjones@redhat.com>
4180
4175
4181
4176
	kern: Add grub_debug_enabled()
4182
4177
	Add a grub_debug_enabled() helper function instead of open coding it.
4183
4178
4184
4179
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4185
4180
4186
4181
2020-03-10  Peter Jones  <pjones@redhat.com>
4187
4182
4188
4183
	Makefile: Make libgrub.pp depend on config-util.h
4189
4184
	If you build with "make -j48" a lot, sometimes you see:
4190
4185
4191
4186
	gcc -E -DHAVE_CONFIG_H -I. -I..  -Wall -W -DGRUB_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DGRUB_FILE=\"grub_script.tab.h\" -I. -I.. -I. -I.. -I../include -I./include -I../grub-core/lib/libgcrypt-grub/src/  -I../grub-core/lib/minilzo -I../grub-core/lib/xzembed -DMINILZO_HAVE_CONFIG_H -Wall -W -DGRUB_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DGRUB_FILE=\"grub_script.tab.h\" -I. -I.. -I. -I.. -I../include -I./include -I../grub-core/lib/libgcrypt-grub/src/  -I./grub-core/gnulib -I../grub-core/gnulib -I/builddir/build/BUILD/grub-2.02/grub-aarch64-efi-2.02 -D_FILE_OFFSET_BITS=64 \
4192
4187
	  -D'GRUB_MOD_INIT(x)=@MARKER@x@' grub_script.tab.h grub_script.yy.h ../grub-core/commands/blocklist.c ../grub-core/commands/macbless.c ../grub-core/commands/xnu_uuid.c ../grub-core/commands/testload.c ../grub-core/commands/ls.c ../grub-core/disk/dmraid_nvidia.c ../grub-core/disk/loopback.c ../grub-core/disk/lvm.c ../grub-core/disk/mdraid_linux.c ../grub-core/disk/mdraid_linux_be.c ../grub-core/disk/mdraid1x_linux.c ../grub-core/disk/raid5_recover.c ../grub-core/disk/raid6_recover.c ../grub-core/font/font.c ../grub-core/gfxmenu/font.c ../grub-core/normal/charset.c ../grub-core/video/fb/fbblit.c ../grub-core/video/fb/fbutil.c ../grub-core/video/fb/fbfill.c ../grub-core/video/fb/video_fb.c ../grub-core/video/video.c ../grub-core/video/capture.c ../grub-core/video/colors.c ../grub-core/unidata.c ../grub-core/io/bufio.c ../grub-core/fs/affs.c ../grub-core/fs/afs.c ../grub-core/fs/bfs.c ../grub-core/fs/btrfs.c ../grub-core/fs/cbfs.c ../grub-core/fs/cpio.c ../grub-core/fs/cpio_be.c ../grub-core/fs/odc.c ../grub-core/fs/newc.c ../grub-core/fs/ext2.c ../grub-core/fs/fat.c ../grub-core/fs/exfat.c ../grub-core/fs/fshelp.c ../grub-core/fs/hfs.c ../grub-core/fs/hfsplus.c ../grub-core/fs/hfspluscomp.c ../grub-core/fs/iso9660.c ../grub-core/fs/jfs.c ../grub-core/fs/minix.c ../grub-core/fs/minix2.c ../grub-core/fs/minix3.c ../grub-core/fs/minix_be.c ../grub-core/fs/minix2_be.c ../grub-core/fs/minix3_be.c ../grub-core/fs/nilfs2.c ../grub-core/fs/ntfs.c ../grub-core/fs/ntfscomp.c ../grub-core/fs/reiserfs.c ../grub-core/fs/romfs.c ../grub-core/fs/sfs.c ../grub-core/fs/squash4.c ../grub-core/fs/tar.c ../grub-core/fs/udf.c ../grub-core/fs/ufs2.c ../grub-core/fs/ufs.c ../grub-core/fs/ufs_be.c ../grub-core/fs/xfs.c ../grub-core/fs/zfs/zfscrypt.c ../grub-core/fs/zfs/zfs.c ../grub-core/fs/zfs/zfsinfo.c ../grub-core/fs/zfs/zfs_lzjb.c ../grub-core/fs/zfs/zfs_lz4.c ../grub-core/fs/zfs/zfs_sha256.c ../grub-core/fs/zfs/zfs_fletcher.c ../grub-core/lib/envblk.c ../grub-core/lib/hexdump.c ../grub-core/lib/LzFind.c ../grub-core/lib/LzmaEnc.c ../grub-core/lib/crc.c ../grub-core/lib/adler32.c ../grub-core/lib/crc64.c ../grub-core/normal/datetime.c ../grub-core/normal/misc.c ../grub-core/partmap/acorn.c ../grub-core/partmap/amiga.c ../grub-core/partmap/apple.c ../grub-core/partmap/sun.c ../grub-core/partmap/plan.c ../grub-core/partmap/dvh.c ../grub-core/partmap/sunpc.c ../grub-core/partmap/bsdlabel.c ../grub-core/partmap/dfly.c ../grub-core/script/function.c ../grub-core/script/lexer.c ../grub-core/script/main.c ../grub-core/script/script.c ../grub-core/script/argv.c ../grub-core/io/gzio.c ../grub-core/io/xzio.c ../grub-core/io/lzopio.c ../grub-core/kern/ia64/dl_helper.c ../grub-core/kern/arm/dl_helper.c ../grub-core/kern/arm64/dl_helper.c ../grub-core/lib/minilzo/minilzo.c ../grub-core/lib/xzembed/xz_dec_bcj.c ../grub-core/lib/xzembed/xz_dec_lzma2.c ../grub-core/lib/xzembed/xz_dec_stream.c ../util/misc.c ../grub-core/kern/command.c ../grub-core/kern/device.c ../grub-core/kern/disk.c ../grub-core/lib/disk.c ../util/getroot.c ../grub-core/osdep/unix/getroot.c ../grub-core/osdep/getroot.c ../grub-core/osdep/devmapper/getroot.c ../grub-core/osdep/relpath.c ../grub-core/kern/emu/hostdisk.c ../grub-core/osdep/devmapper/hostdisk.c ../grub-core/osdep/hostdisk.c ../grub-core/osdep/unix/hostdisk.c ../grub-core/osdep/exec.c ../grub-core/osdep/sleep.c ../grub-core/osdep/password.c ../grub-core/kern/emu/misc.c ../grub-core/kern/emu/mm.c ../grub-core/kern/env.c ../grub-core/kern/err.c ../grub-core/kern/file.c ../grub-core/kern/fs.c ../grub-core/kern/list.c ../grub-core/kern/misc.c ../grub-core/kern/partition.c ../grub-core/lib/crypto.c ../grub-core/disk/luks.c ../grub-core/disk/geli.c ../grub-core/disk/cryptodisk.c ../grub-core/disk/AFSplitter.c ../grub-core/lib/pbkdf2.c ../grub-core/commands/extcmd.c ../grub-core/lib/arg.c ../grub-core/disk/ldm.c ../grub-core/disk/diskfilter.c ../grub-core/partmap/gpt.c ../grub-core/partmap/msdos.c ../grub-core/fs/proc.c ../grub-core/fs/archelp.c > libgrub.pp || (rm -f libgrub.pp; exit 1)
4193
4188
	rm -f stamp-h1
4194
4189
	touch ../config-util.h.in
4195
4190
	cd . && /bin/sh ./config.status config-util.h
4196
4191
	config.status: creating config-util.h
4197
4192
	In file included from ../include/grub/mm.h:25:0,
4198
4193
	                 from ../include/grub/disk.h:29,
4199
4194
	                 from ../include/grub/file.h:26,
4200
4195
	                 from ../grub-core/fs/btrfs.c:21:
4201
4196
	./config.h:38:10: fatal error: ./config-util.h: No such file or directory
4202
4197
	 #include <config-util.h>
4203
4198
	          ^~~~~~~~~~~~~~~
4204
4199
	compilation terminated.
4205
4200
	make: *** [Makefile:13098: libgrub.pp] Error 1
4206
4201
4207
4202
	This is because libgrub.pp is built with -DGRUB_UTIL=1, which means
4208
4203
	it'll try to include config-util.h, but a parallel make is actually
4209
4204
	building that file.  I think.
4210
4205
4211
4206
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4212
4207
4213
4208
2020-03-10  Peter Jones  <pjones@redhat.com>
4214
4209
4215
4210
	efi: Print more debug info in our module loader
4216
4211
	The function that searches the mods section base address does not have
4217
4212
	any debug information. Add some debugging outputs that could be useful.
4218
4213
4219
4214
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4220
4215
4221
4216
2020-03-10  Peter Jones  <pjones@redhat.com>
4222
4217
4223
4218
	linux/getroot: Handle rssd storage device names
4224
4219
	The Micron PCIe SSDs Linux driver (mtip32xx) exposes block devices
4225
4220
	as /dev/rssd[a-z]+[0-9]*. Add support for these rssd device names.
4226
4221
4227
4222
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4228
4223
4229
4224
2020-03-10  Julian Andres Klode  <julian.klode@canonical.com>
4230
4225
4231
4226
	smbios: Add a --linux argument to apply linux modalias-like filtering
4232
4227
	Linux creates modalias strings by filtering out non-ASCII, space,
4233
4228
	and colon characters. Provide an option that does the same filtering
4234
4229
	so people can create a modalias string in GRUB, and then match their
4235
4230
	modalias patterns against it.
4236
4231
4237
4232
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4238
4233
4239
4234
2020-03-10  Mike Gilbert  <floppym@gentoo.org>
4240
4235
4241
4236
	po: Fix replacement of %m in sed programs
4242
4237
	When running make dist, I hit this error:
4243
4238
4244
4239
	  rm -f en@arabic.gmo && /usr/bin/gmsgfmt -c --statistics --verbose -o en@arabic.gmo en@arabic.po
4245
4240
	  en@arabic.po:5312: 'msgstr' is not a valid C format string, unlike 'msgid'.
4246
4241
	  Reason: The character that terminates the directive number 3 is not a valid conversion specifier.
4247
4242
	  /usr/bin/gmsgfmt: found 1 fatal error
4248
4243
4249
4244
	This was caused by "%m" being replaced with foreign Unicode characters.
4250
4245
	For example:
4251
4246
4252
4247
	  msgid "cannot rename the file %s to %s: %m"
4253
4248
	  msgstr "ﺹﺎﻨﻧﻮﺗ ﺮﻌﻧﺎﻤﻋ ﺖﻬﻋ ﻒִﻴﻠﻋ %s ﺕﻭ %s: %ﻡ"
4254
4249
4255
4250
	Mimic the workaround used for "%s" by reversing the replacement of "%m" at
4256
4251
	the end of the sed programs.
4257
4252
4258
4253
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4259
4254
4260
4255
2020-03-10  Colin Watson  <cjwatson@ubuntu.com>
4261
4256
4262
4257
	gettext: Restore patches to po/Makefile.in.in
4263
4258
	These were inadvertently lost during the conversion to Gnulib (gnulib:
4264
4259
	Upgrade Gnulib and switch to bootstrap tool; commit 35b909062). The
4265
4260
	files in po/gettext-patches/ can be imported using "git am" on top of
4266
4261
	the gettext tag corresponding to AM_GNU_GETTEXT_VERSION in configure.ac
4267
4262
	(currently 0.18.3). They handle translation of messages in shell files,
4268
4263
	make msgfmt output in little-endian format, and arrange to use @SHELL@
4269
4264
	rather than /bin/sh.
4270
4265
4271
4266
	There were some changes solely for the purpose of distributing extra
4272
4267
	files; for ease of maintenance, I've added these to
4273
4268
	conf/Makefile.extra-dist instead.
4274
4269
4275
4270
	Fixes: https://savannah.gnu.org/bugs/?57298
4276
4271
4277
4272
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4278
4273
4279
4274
2020-02-28  Peter Jones  <pjones@redhat.com>
4280
4275
4281
4276
	misc: Make grub_strtol() "end" pointers have safer const qualifiers
4282
4277
	Currently the string functions grub_strtol(), grub_strtoul(), and
4283
4278
	grub_strtoull() don't declare the "end" pointer in such a way as to
4284
4279
	require the pointer itself or the character array to be immutable to the
4285
4280
	implementation, nor does the C standard do so in its similar functions,
4286
4281
	though it does require us not to change any of it.
4287
4282
4288
4283
	The typical declarations of these functions follow this pattern:
4289
4284
4290
4285
	long
4291
4286
	strtol(const char * restrict nptr, char ** restrict endptr, int base);
4292
4287
4293
4288
	Much of the reason for this is historic, and a discussion of that
4294
4289
	follows below, after the explanation of this change.  (GRUB currently
4295
4290
	does not include the "restrict" qualifiers, and we name the arguments a
4296
4291
	bit differently.)
4297
4292
4298
4293
	The implementation is semantically required to treat the character array
4299
4294
	as immutable, but such accidental modifications aren't stopped by the
4300
4295
	compiler, and the semantics for both the callers and the implementation
4301
4296
	of these functions are sometimes also helped by adding that requirement.
4302
4297
4303
4298
	This patch changes these declarations to follow this pattern instead:
4304
4299
4305
4300
	long
4306
4301
	strtol(const char * restrict nptr,
4307
4302
	       const char ** const restrict endptr,
4308
4303
	       int base);
4309
4304
4310
4305
	This means that if any modification to these functions accidentally
4311
4306
	introduces either an errant modification to the underlying character
4312
4307
	array, or an accidental assignment to endptr rather than *endptr, the
4313
4308
	compiler should generate an error.  (The two uses of "restrict" in this
4314
4309
	case basically mean strtol() isn't allowed to modify the character array
4315
4310
	by going through *endptr, and endptr isn't allowed to point inside the
4316
4311
	array.)
4317
4312
4318
4313
	It also means the typical use case changes to:
4319
4314
4320
4315
	  char *s = ...;
4321
4316
	  const char *end;
4322
4317
	  long l;
4323
4318
4324
4319
	  l = strtol(s, &end, 10);
4325
4320
4326
4321
	Or even:
4327
4322
4328
4323
	  const char *p = str;
4329
4324
	  while (p && *p) {
4330
4325
		  long l = strtol(p, &p, 10);
4331
4326
		  ...
4332
4327
	  }
4333
4328
4334
4329
	This fixes 26 places where we discard our attempts at treating the data
4335
4330
	safely by doing:
4336
4331
4337
4332
	  const char *p = str;
4338
4333
	  long l;
4339
4334
4340
4335
	  l = strtol(p, (char **)&ptr, 10);
4341
4336
4342
4337
	It also adds 5 places where we do:
4343
4338
4344
4339
	  char *p = str;
4345
4340
	  while (p && *p) {
4346
4341
		  long l = strtol(p, (const char ** const)&p, 10);
4347
4342
		  ...
4348
4343
		  /* more calls that need p not to be pointer-to-const */
4349
4344
	  }
4350
4345
4351
4346
	While moderately distasteful, this is a better problem to have.
4352
4347
4353
4348
	With one minor exception, I have tested that all of this compiles
4354
4349
	without relevant warnings or errors, and that /much/ of it behaves
4355
4350
	correctly, with gcc 9 using 'gcc -W -Wall -Wextra'.  The one exception
4356
4351
	is the changes in grub-core/osdep/aros/hostdisk.c , which I have no idea
4357
4352
	how to build.
4358
4353
4359
4354
	Because the C standard defined type-qualifiers in a way that can be
4360
4355
	confusing, in the past there's been a slow but fairly regular stream of
4361
4356
	churn within our patches, which add and remove the const qualifier in many
4362
4357
	of the users of these functions.  This change should help avoid that in
4363
4358
	the future, and in order to help ensure this, I've added an explanation
4364
4359
	in misc.h so that when someone does get a compiler warning about a type
4365
4360
	error, they have the fix at hand.
4366
4361
4367
4362
	The reason we don't have "const" in these calls in the standard is
4368
4363
	purely anachronistic: C78 (de facto) did not have type qualifiers in the
4369
4364
	syntax, and the "const" type qualifier was added for C89 (I think; it
4370
4365
	may have been later).  strtol() appears to date from 4.3BSD in 1986,
4371
4366
	which means it could not be added to those functions in the standard
4372
4367
	without breaking compatibility, which is usually avoided.
4373
4368
4374
4369
	The syntax chosen for type qualifiers is what has led to the churn
4375
4370
	regarding usage of const, and is especially confusing on string
4376
4371
	functions due to the lack of a string type.  Quoting from C99, the
4377
4372
	syntax is:
4378
4373
4379
4374
	 declarator:
4380
4375
	  pointer[opt] direct-declarator
4381
4376
	 direct-declarator:
4382
4377
	  identifier
4383
4378
	  ( declarator )
4384
4379
	  direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ]
4385
4380
	  ...
4386
4381
	  direct-declarator [ type-qualifier-list[opt] * ]
4387
4382
	  ...
4388
4383
	 pointer:
4389
4384
	  * type-qualifier-list[opt]
4390
4385
	  * type-qualifier-list[opt] pointer
4391
4386
	 type-qualifier-list:
4392
4387
	  type-qualifier
4393
4388
	  type-qualifier-list type-qualifier
4394
4389
	 ...
4395
4390
	 type-qualifier:
4396
4391
	  const
4397
4392
	  restrict
4398
4393
	  volatile
4399
4394
4400
4395
	So the examples go like:
4401
4396
4402
4397
	const char foo;			// immutable object
4403
4398
	const char *foo;		// mutable pointer to object
4404
4399
	char * const foo;		// immutable pointer to mutable object
4405
4400
	const char * const foo;		// immutable pointer to immutable object
4406
4401
	const char const * const foo; 	// XXX extra const keyword in the middle
4407
4402
	const char * const * const foo; // immutable pointer to immutable
4408
4403
					//   pointer to immutable object
4409
4404
	const char ** const foo;	// immutable pointer to mutable pointer
4410
4405
					//   to immutable object
4411
4406
4412
4407
	Making const left-associative for * and right-associative for everything
4413
4408
	else may not have been the best choice ever, but here we are, and the
4414
4409
	inevitable result is people using trying to use const (as they should!),
4415
4410
	putting it at the wrong place, fighting with the compiler for a bit, and
4416
4411
	then either removing it or typecasting something in a bad way.  I won't
4417
4412
	go into describing restrict, but its syntax has exactly the same issue
4418
4413
	as with const.
4419
4414
4420
4415
	Anyway, the last example above actually represents the *behavior* that's
4421
4416
	required of strtol()-like functions, so that's our choice for the "end"
4422
4417
	pointer.
4423
4418
4424
4419
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4425
4420
4426
4421
2020-02-28  Mike Gilbert  <floppym@gentoo.org>
4427
4422
4428
4423
	build: Disable PIE in TARGET_CCASFLAGS if needed
4429
4424
	PIE should be disabled in assembly sources as well, or else GRUB will
4430
4425
	fail to boot.
4431
4426
4432
4427
	Bug: https://bugs.gentoo.org/667852
4433
4428
4434
4429
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4435
4430
	Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
4436
4431
4437
4432
2020-02-28  Mike Gilbert  <floppym@gentoo.org>
4438
4433
4439
4434
	build: Move TARGET_* assignments earlier
4440
4435
	On a 32-bit SPARC userland, configure fails to compile assembly and the
4441
4436
	build fails:
4442
4437
4443
4438
	    checking for options to compile assembly... configure: error: could not compile assembly
4444
4439
4445
4440
	config.log shows:
4446
4441
4447
4442
	    asm-tests/sparc64.S: Assembler messages:
4448
4443
	    asm-tests/sparc64.S:5: Error: Architecture mismatch on "lduw [%o4+4],%o4".
4449
4444
	    asm-tests/sparc64.S:5: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.)
4450
4445
	    asm-tests/sparc64.S:7: Error: Architecture mismatch on "stw %o5,[%o3]".
4451
4446
	    asm-tests/sparc64.S:7: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.)
4452
4447
	    asm-tests/sparc64.S:8: Error: Architecture mismatch on "bne,pt %icc,1b ,pt %icc,1b".
4453
4448
	    asm-tests/sparc64.S:8: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.)
4454
4449
4455
4450
	Simply moving these blocks earlier in configure.ac is sufficient to
4456
4451
	ensure that the tests are executed with the appropriate flags
4457
4452
	(specifically -m64 in this case).
4458
4453
4459
4454
	Bug: https://bugs.gentoo.org/667850
4460
4455
4461
4456
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4462
4457
	Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
4463
4458
4464
4459
2020-02-28  Patrick Steinhardt  <ps@pks.im>
4465
4460
4466
4461
	luks2: Add missing newline to debug message
4467
4462
	The debug message printed when decryption with a keyslot fails is
4468
4463
	missing its trailing newline. Add it to avoid mangling it with
4469
4464
	subsequent output.
4470
4465
4471
4466
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4472
4467
4473
4468
2020-02-18  Michael Chang  <mchang@suse.com>
4474
4469
4475
4470
	verifiers: Fix calling uninitialized function pointer
4476
4471
	The necessary check for NULL before use of function ver->close is not
4477
4472
	taking place in the failure path. This patch simply adds the missing
4478
4473
	check and fixes the problem that GRUB hangs indefinitely after booting
4479
4474
	rogue image without valid signature if secure boot is turned on.
4480
4475
4481
4476
	Now it displays like this for booting rogue UEFI image:
4482
4477
4483
4478
	  error: bad shim signature
4484
4479
	  error: you need to load the kernel first
4485
4480
4486
4481
	  Press any key to continue...
4487
4482
4488
4483
	and then you can go back to boot menu by pressing any key or after a few
4489
4484
	seconds expired.
4490
4485
4491
4486
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4492
4487
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4493
4488
4494
4489
2020-02-18  Peter Jones  <pjones@redhat.com>
4495
4490
4496
4491
	grub-editenv: Make grub-editenv chase symlinks including those across devices
4497
4492
	The grub-editenv create command will wrongly overwrite /boot/grub2/grubenv
4498
4493
	with a regular file if grubenv is a symbolic link. But instead, it should
4499
4494
	create a new file in the path the symlink points to.
4500
4495
4501
4496
	This lets /boot/grub2/grubenv be a symlink to /boot/efi/EFI/fedora/grubenv
4502
4497
	even when they're different mount points, which allows grub2-editenv to be
4503
4498
	the same across platforms (i.e. UEFI vs BIOS).
4504
4499
4505
4500
	For example, in Fedora the GRUB EFI builds have prefix set to /EFI/fedora
4506
4501
	(on the EFI System Partition), but for BIOS machine it'll be /boot/grub2
4507
4502
	(which may or may not be its own mountpoint).
4508
4503
4509
4504
	With this patch, on EFI machines we can make /boot/grub2/grubenv a symlink
4510
4505
	to /boot/efi/EFI/fedora/grubenv, and the same copy of grub-set-default will
4511
4506
	work on both kinds of systems.
4512
4507
4513
4508
	Windows doesn't implement a readlink primitive, so the current behaviour is
4514
4509
	maintained for this operating system.
4515
4510
4516
4511
	Reviewed-by: Adam Jackson <ajax@redhat.com>
4517
4512
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4518
4513
4519
4514
2020-02-18  Peter Jones  <pjones@redhat.com>
4520
4515
4521
4516
	grub-editenv: Add grub_util_readlink()
4522
4517
	Currently grub-editenv and related tools are not able to follow symbolic
4523
4518
	links when finding their config file. For example the grub-editenv create
4524
4519
	command will wrongly overwrite a symlink in /boot/grub2/grubenv with a new
4525
4520
	regular file, instead of creating a file in the path the symlink points to.
4526
4521
4527
4522
	A following patch will change that and add support in grub-editenv to
4528
4523
	follow symbolic links when finding the grub environment variables file.
4529
4524
4530
4525
	Add a grub_util_readlink() helper function that is just a wrapper around
4531
4526
	the platform specific function to read the value of a symbolic link. This
4532
4527
	helper function will be used by the following patch for grub-editenv.
4533
4528
4534
4529
	The helper function is not added for Windows, since this operating system
4535
4530
	doesn't have a primitive to read the contents of a symbolic link.
4536
4531
4537
4532
	Reviewed-by: Adam Jackson <ajax@redhat.com>
4538
4533
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4539
4534
4540
4535
2020-02-18  Robert Marshall  <rmarshall@redhat.com>
4541
4536
4542
4537
	docs: Update info with grub.cfg netboot selection order
4543
4538
	Add documentation to the GRUB manual that specifies the order netboot
4544
4539
	clients use to select a GRUB configuration file.
4545
4540
4546
4541
	Also explain that the feature is enabled by default but can be disabled
4547
4542
	by setting the "feature_net_search_cfg" environment variable to "n" in
4548
4543
	an embedded configuration file.
4549
4544
4550
4545
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4551
4546
4552
4547
2020-02-18  Paulo Flabiano Smorigo  <pfsmorigo@br.ibm.com>
4553
4548
4554
4549
	normal/main: Search for specific config files for netboot
4555
4550
	This patch implements a search for a specific configuration when the config
4556
4551
	file is on a remoteserver. It uses the following order:
4557
4552
	   1) DHCP client UUID option.
4558
4553
	   2) MAC address (in lower case hexadecimal with dash separators);
4559
4554
	   3) IP (in upper case hexadecimal) or IPv6;
4560
4555
	   4) The original grub.cfg file.
4561
4556
4562
4557
	This procedure is similar to what is used by pxelinux and yaboot:
4563
4558
	http://www.syslinux.org/wiki/index.php/PXELINUX#config
4564
4559
4565
4560
	It is enabled by default but can be disabled by setting the environment
4566
4561
	variable "feature_net_search_cfg" to "n" in an embedded configuration.
4567
4562
4568
4563
	Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=873406
4569
4564
4570
4565
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4571
4566
4572
4567
2020-02-18  Paulo Flabiano Smorigo  <pfsmorigo@br.ibm.com>
4573
4568
4574
4569
	net/dhcp: Set net_<interface>_client{id, uuid} variables from DHCP options
4575
4570
	This patch sets a net_<interface>_clientid and net_<interface>_clientuuid
4576
4571
	GRUB environment variables, using the DHCP client ID and UUID options if
4577
4572
	these are found.
4578
4573
4579
4574
	In the same way than net_<interface>_<option> variables are set for other
4580
4575
	options such domain name, boot file, next server, etc.
4581
4576
4582
4577
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4583
4578
4584
4579
2020-02-18  Javier Martinez Canillas  <javierm@redhat.com>
4585
4580
4586
4581
	net/dhcp: Consistently use decimal numbers for DHCP/BOOTP options enum
4587
4582
	The DHCP Options and BOOTP Vendor Extensions enum values are a mixture of
4588
4583
	decimal and hexadecimal numbers. Change this to consistently use decimal
4589
4584
	numbers for all since that is how these values are defined by RFC 2132.
4590
4585
4591
4586
	Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
4592
4587
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4593
4588
4594
4589
2020-02-18  Paulo Flabiano Smorigo  <pfsmorigo@br.ibm.com>
4595
4590
4596
4591
	kern: Add %X option to printf functions
4597
4592
	The printf(3) function has support for the %X format specifier, to output
4598
4593
	an unsigned hexadecimal integer in uppercase.
4599
4594
4600
4595
	This can be achived in GRUB using the %x format specifier in grub_printf()
4601
4596
	and calling grub_toupper(), but it is more convenient if there is support
4602
4597
	for %X in grub_printf().
4603
4598
4604
4599
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4605
4600
4606
4601
2020-02-18  Javier Martinez Canillas  <javierm@redhat.com>
4607
4602
4608
4603
	normal: Move common datetime functions out of the normal module
4609
4604
	The common datetime helper functions are currently included in the normal
4610
4605
	module, but this makes any other module that calls these functions to have
4611
4606
	a dependency with the normal module only for this reason.
4612
4607
4613
4608
	Since the normal module does a lot of stuff, it calls functions from other
4614
4609
	modules. But since other modules may depend on it for calling the datetime
4615
4610
	helpers, this could lead to circular dependencies between modules.
4616
4611
4617
4612
	As an example, when platform == xen the grub_get_datetime() function from
4618
4613
	the datetime module calls to the grub_unixtime2datetime() helper function
4619
4614
	from the normal module. Which leads to the following module dependency:
4620
4615
4621
4616
	    datetime -> normal
4622
4617
4623
4618
	and send_dhcp_packet() from the net module calls the grub_get_datetime()
4624
4619
	function, which leads to the following module dependency:
4625
4620
4626
4621
	    net -> datetime -> normal
4627
4622
4628
4623
	but that means that the normal module is not allowed to depend on net or
4629
4624
	any other module that depends on it due the transitive dependency caused
4630
4625
	by datetime. A recent patch attempted to add support to fetch the config
4631
4626
	file over the network, which leads to the following circular dependency:
4632
4627
4633
4628
	    normal -> net -> datetime -> normal
4634
4629
4635
4630
	So having the datetime helpers in the normal module makes it quite fragile
4636
4631
	and easy to add circular dependencies like these, that break the build due
4637
4632
	the genmoddep.awk script catching the issues.
4638
4633
4639
4634
	Fix this by taking the datetime helper functions out of the normal module
4640
4635
	and instead add them to the datetime module itself. Besides fixing these
4641
4636
	issues, it makes more sense to have these helper functions there anyways.
4642
4637
4643
4638
	Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
4644
4639
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4645
4640
4646
4641
2020-02-11  Peter Jones  <pjones@redhat.com>
4647
4642
4648
4643
	minilzo: Update to minilzo-2.08
4649
4644
	This patch updates the miniLZO library to a newer version, which among other
4650
4645
	things fixes "CVE-2014-4607 - lzo: lzo1x_decompress_safe() integer overflow"
4651
4646
	that is present in the current used in GRUB.
4652
4647
4653
4648
	It also updates the "GRUB Developers Manual", to mention that the library is
4654
4649
	used and describes the process to update it to a newer release when needed.
4655
4650
4656
4651
	Resolves: http://savannah.gnu.org/bugs/?42635
4657
4652
4658
4653
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4659
4654
4660
4655
2020-01-28  Peter Jones  <pjones@redhat.com>
4661
4656
4662
4657
	squash4: Fix an uninitialized variable
4663
4658
	gcc says:
4664
4659
4665
4660
	grub-core/fs/squash4.c: In function ‘direct_read’:
4666
4661
	grub-core/fs/squash4.c:868:10: error: ‘err’ may be used uninitialized in
4667
4662
	this function [-Werror=maybe-uninitialized]
4668
4663
	  868 |       if (err)
4669
4664
	      |          ^
4670
4665
	cc1: all warnings being treated as errors
4671
4666
4672
4667
	This patch initializes it to GRUB_ERR_NONE.
4673
4668
4674
4669
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4675
4670
4676
4671
2020-01-28  C. Masloch  <pushbx@ulukai.org>
4677
4672
4678
4673
	freedos: Fix FreeDOS command booting large files (near or above 64 KiB)
4679
4674
	While testing the 86-DOS lDebug [1] booting from GRUB2, newer versions of the
4680
4675
	debugger would fail to load when booted using GRUB's freedos command. The
4681
4676
	behaviour observed in a qemu i386 machine was that the ROM-BIOS's boot load
4682
4677
	would start anew, instead of loading the selected debugger as kernel.
4683
4678
4684
4679
	It came to light that there was a size limit: Kernel files that were 58880
4685
4680
	bytes (E600h) long or shorter succeeded to boot, while files that were 64000
4686
4681
	bytes or longer failed in the manner described.
4687
4682
4688
4683
	Eventually it turned out that the relocator16 stub succeeded whenever it was
4689
4684
	placed completely within the first 64 KiB of the Low Memory Area. The chunk
4690
4685
	for the relocator is allocated with a minimum address of 0x8010 and a maximum
4691
4686
	address just below 0xA0000 [2]. That means if the kernel is, for instance,
4692
4687
	E600h bytes long, then the kernel will be allocated memory starting at 00600h
4693
4688
	(the fixed FreeDOS kernel load address) up to E600h + 00600h = 0EC00h, which
4694
4689
	leaves 1400h (5120) bytes for the relocator to stay in the first 64 KiB.
4695
4690
	If the kernel is 64000 bytes (FA00h) long, then the relocator must go to
4696
4691
	FA00h + 00600h = 10000h at least which is outside the first 64 KiB.
4697
4692
4698
4693
	The problem is that the relocator16 initialises the DS register with a
4699
4694
	"pseudo real mode" descriptor, which is defined with a segment limit of
4700
4695
	64 KiB and a segment base of zero. After that, the relocator addressed
4701
4696
	parts of itself (implicitly) using the DS register, with an offset from
4702
4697
	ESI, which holds the linear address of the relocator's base [3]. With the
4703
4698
	larger kernel files this would lead to accessing data beyond the 64 KiB
4704
4699
	segment limit, presumably leading to a fault and perhaps a subsequent
4705
4700
	triple-fault or such.
4706
4701
4707
4702
	This patch fixes the relocator to set the segment base of the descriptors
4708
4703
	to the base address of the relocator; then, the subsequent accesses to
4709
4704
	the relocator's variables are done without the ESI register as an index.
4710
4705
	This does not interfere with the relocator's or its target's normal
4711
4706
	operation; the segment limits are still loaded with 64 KiB and all the
4712
4707
	segment bases are subsequently reset by the relocator anyway.
4713
4708
4714
4709
	Current versions of the debugger to test are uploaded to [4]. The file
4715
4710
	ldebugnh.com (LZ4-compressed and built with -D_EXTHELP=0) at 58368 bytes
4716
4711
	loads successfully, whereas ldebug.com at 64000 bytes fails. Loading one
4717
4712
	of these files requires setting root to a FAT FS partition and using the
4718
4713
	freedos command to specify the file as kernel:
4719
4714
4720
4715
	set root='(hd0,msdos1)'
4721
4716
	freedos /ldebug.com
4722
4717
	boot
4723
4718
4724
4719
	Booting the file using the multiboot command (which uses a WIP entrypoint
4725
4720
	of the debugger) works, as it does not use GRUB's relocator16 but instead
4726
4721
	includes a loader in the kernel itself, which drops it back to 86 Mode.
4727
4722
4728
4723
	[1]: https://hg.ulukai.org/ecm/ldebug
4729
4724
	[2]: http://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/lib/i386/relocator.c?id=495781f5ed1b48bf27f16c53940d6700c181c74c#n127
4730
4725
	[3]: http://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/lib/i386/relocator16.S?id=495781f5ed1b48bf27f16c53940d6700c181c74c#n97
4731
4726
	[4]: https://ulukai.org/ecm/lDebug-5479a7988d21-nohelp.zip
4732
4727
4733
4728
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4734
4729
4735
4730
2020-01-10  Patrick Steinhardt  <ps@pks.im>
4736
4731
4737
4732
	disk: Implement support for LUKS2
4738
4733
	With cryptsetup 2.0, a new version of LUKS was introduced that breaks
4739
4734
	compatibility with the previous version due to various reasons. GRUB
4740
4735
	currently lacks any support for LUKS2, making it impossible to decrypt
4741
4736
	disks encrypted with that version. This commit implements support for
4742
4737
	this new format.
4743
4738
4744
4739
	Note that LUKS1 and LUKS2 are quite different data formats. While they
4745
4740
	do share the same disk signature in the first few bytes, representation
4746
4741
	of encryption parameters is completely different between both versions.
4747
4742
	While the former version one relied on a single binary header, only,
4748
4743
	LUKS2 uses the binary header only in order to locate the actual metadata
4749
4744
	which is encoded in JSON. Furthermore, the new data format is a lot more
4750
4745
	complex to allow for more flexible setups, like e.g. having multiple
4751
4746
	encrypted segments and other features that weren't previously possible.
4752
4747
	Because of this, it was decided that it doesn't make sense to keep both
4753
4748
	LUKS1 and LUKS2 support in the same module and instead to implement it
4754
4749
	in two different modules luks and luks2.
4755
4750
4756
4751
	The proposed support for LUKS2 is able to make use of the metadata to
4757
4752
	decrypt such disks. Note though that in the current version, only the
4758
4753
	PBKDF2 key derival function is supported. This can mostly attributed to
4759
4754
	the fact that the libgcrypt library currently has no support for either
4760
4755
	Argon2i or Argon2id, which are the remaining KDFs supported by LUKS2. It
4761
4756
	wouldn't have been much of a problem to bundle those algorithms with
4762
4757
	GRUB itself, but it was decided against that in order to keep down the
4763
4758
	number of patches required for initial LUKS2 support. Adding it in the
4764
4759
	future would be trivial, given that the code structure is already in
4765
4760
	place.
4766
4761
4767
4762
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4768
4763
4769
4764
2020-01-10  Patrick Steinhardt  <ps@pks.im>
4770
4765
4771
4766
	luks: Move configuration of ciphers into cryptodisk
4772
4767
	The luks module contains quite a lot of logic to parse cipher and
4773
4768
	cipher-mode strings like aes-xts-plain64 into constants to apply them
4774
4769
	to the grub_cryptodisk_t structure. This code will be required by the
4775
4770
	upcoming luks2 module, as well, which is why this commit moves it into
4776
4771
	its own function grub_cryptodisk_setcipher in the cryptodisk module.
4777
4772
	While the strings are probably rather specific to the LUKS modules, it
4778
4773
	certainly does make sense that the cryptodisk module houses code to set
4779
4774
	up its own internal ciphers instead of hosting that code in the luks
4780
4775
	module.
4781
4776
4782
4777
	Except for necessary adjustments around error handling, this commit does
4783
4778
	an exact move of the cipher configuration logic from luks.c to
4784
4779
	cryptodisk.c. Any behavior changes are unintentional.
4785
4780
4786
4781
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4787
4782
4788
4783
2020-01-10  Patrick Steinhardt  <ps@pks.im>
4789
4784
4790
4785
	afsplitter: Move into its own module
4791
4786
	While the AFSplitter code is currently used only by the luks module,
4792
4787
	upcoming support for luks2 will add a second module that depends on it.
4793
4788
	To avoid any linker errors when adding the code to both modules because
4794
4789
	of duplicated symbols, this commit moves it into its own standalone
4795
4790
	module afsplitter as a preparatory step.
4796
4791
4797
4792
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4798
4793
4799
4794
2020-01-10  Patrick Steinhardt  <ps@pks.im>
4800
4795
4801
4796
	bootstrap: Add gnulib's base64 module
4802
4797
	The upcoming support for LUKS2 disc encryption requires us to include a
4803
4798
	parser for base64-encoded data, as it is used to represent salts and
4804
4799
	digests. As gnulib already has code to decode such data, we can just
4805
4800
	add it to the boostrapping configuration in order to make it available
4806
4801
	in GRUB.
4807
4802
4808
4803
	The gnulib module makes use of booleans via the <stdbool.h> header. As
4809
4804
	GRUB does not provide any POSIX wrapper header for this, but instead
4810
4805
	implements support for bool in <sys/types.h>, we need to patch
4811
4806
	base64.h to not use <stdbool.h> anymore. We unfortunately cannot include
4812
4807
	<sys/types.h> instead, as it would then use gnulib's internal header
4813
4808
	while compiling the gnulib object but our own <sys/types.h> when
4814
4809
	including it in a GRUB module. Because of this, the patch replaces the
4815
4810
	include with a direct typedef.
4816
4811
4817
4812
	A second fix is required to make available _GL_ATTRIBUTE_CONST, which
4818
4813
	is provided by the configure script. As base64.h does not include
4819
4814
	<config.h>, it is thus not available and results in a compile error.
4820
4815
	This is fixed by adding an include of <config-util.h>.
4821
4816
4822
4817
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4823
4818
4824
4819
2020-01-10  Patrick Steinhardt  <ps@pks.im>
4825
4820
4826
4821
	json: Implement wrapping interface
4827
4822
	While the newly added jsmn library provides the parsing interface, it
4828
4823
	does not provide any kind of interface to act on parsed tokens. Instead,
4829
4824
	the caller is expected to handle pointer arithmetics inside of the token
4830
4825
	array in order to extract required information. While simple, this
4831
4826
	requires users to know some of the inner workings of the library and is
4832
4827
	thus quite an unintuitive interface.
4833
4828
4834
4829
	This commit adds a new interface on top of the jsmn parser that provides
4835
4830
	convenience functions to retrieve values from the parsed json type, grub_json_t.
4836
4831
4837
4832
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4838
4833
4839
4834
2020-01-10  Patrick Steinhardt  <ps@pks.im>
4840
4835
4841
4836
	json: Import upstream jsmn-1.1.0
4842
4837
	The upcoming support for LUKS2 encryption will require a JSON parser to
4843
4838
	decode all parameters required for decryption of a drive. As there is
4844
4839
	currently no other tool that requires JSON, and as gnulib does not
4845
4840
	provide a parser, we need to introduce a new one into the code base. The
4846
4841
	backend for the JSON implementation is going to be the jsmn library [1].
4847
4842
	It has several benefits that make it a very good fit for inclusion in
4848
4843
	GRUB:
4849
4844
4850
4845
	    - It is licensed under MIT.
4851
4846
	    - It is written in C89.
4852
4847
	    - It has no dependencies, not even libc.
4853
4848
	    - It is small with only about 500 lines of code.
4854
4849
	    - It doesn't do any dynamic memory allocation.
4855
4850
	    - It is testen on x86, amd64, ARM and AVR.
4856
4851
4857
4852
	The library itself comes as a single header, only, that contains both
4858
4853
	declarations and definitions. The exposed interface is kind of
4859
4854
	simplistic, though, and does not provide any convenience features
4860
4855
	whatsoever. Thus there will be a separate interface provided by GRUB
4861
4856
	around this parser that is going to be implemented in the following
4862
4857
	commit. This change only imports jsmn.h from tag v1.1.0 and adds it
4863
4858
	unmodified to a new json module with the following command:
4864
4859
4865
4860
	curl -L https://raw.githubusercontent.com/zserge/jsmn/v1.1.0/jsmn.h \
4866
4861
	    -o grub-core/lib/json/jsmn.h
4867
4862
4868
4863
	Upstream jsmn commit hash: fdcef3ebf886fa210d14956d3c068a653e76a24e
4869
4864
	Upstream jsmn commit name: Modernize (#149), 2019-04-20
4870
4865
4871
4866
	[1]: https://github.com/zserge/jsmn
4872
4867
4873
4868
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4874
4869
4875
4870
2019-12-20  Lukasz Hawrylko  <lukasz.hawrylko@linux.intel.com>
4876
4871
4877
4872
	multiboot2: Set min address for mbi allocation to 0x1000
4878
4873
	In some cases GRUB2 allocates multiboot2 structure at 0 address, that is
4879
4874
	a confusing behavior. Consumers of that structure can have internal NULL-checks
4880
4875
	that will throw an error when get a pointer to data allocated at address 0.
4881
4876
	To prevent that, define min address for mbi allocation on x86 and x86_64
4882
4877
	platforms.
4883
4878
4884
4879
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4885
4880
4886
4881
2019-12-20  Paul Menzel  <pmenzel@molgen.mpg.de>
4887
4882
4888
4883
	docs: Export "superusers" variable to apply to submenus
4889
4884
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4890
4885
4891
4886
2019-12-20  Daniel Kiper  <daniel.kiper@oracle.com>
4892
4887
4893
4888
	loader/i386/linux: Fix an underflow in the setup_header length calculation
4894
4889
	Recent work around x86 Linux kernel loader revealed an underflow in the
4895
4890
	setup_header length calculation and another related issue. Both lead to
4896
4891
	the memory overwrite and later machine crash.
4897
4892
4898
4893
	Currently when the GRUB copies the setup_header into the linux_params
4899
4894
	(struct boot_params, traditionally known as "zero page") it assumes the
4900
4895
	setup_header size as sizeof(linux_i386_kernel_header/lh). This is
4901
4896
	incorrect. It should use the value calculated accordingly to the Linux
4902
4897
	kernel boot protocol. Otherwise in case of pretty old kernel, to be
4903
4898
	exact Linux kernel boot protocol, the GRUB may write more into
4904
4899
	linux_params than it was expected to. Fortunately this is not very big
4905
4900
	issue. Though it has to be fixed. However, there is also an underflow
4906
4901
	which is grave. It happens when
4907
4902
4908
4903
	  sizeof(linux_i386_kernel_header/lh) > "real size of the setup_header".
4909
4904
4910
4905
	Then len value wraps around and grub_file_read() reads whole kernel into
4911
4906
	the linux_params overwriting memory past it. This leads to the GRUB
4912
4907
	memory allocator breakage and finally to its crash during boot.
4913
4908
4914
4909
	The patch fixes both issues. Additionally, it moves the code not related to
4915
4910
	grub_memset(linux_params)/grub_memcpy(linux_params)/grub_file_read(linux_params)
4916
4911
	section outside of it to not confuse the reader.
4917
4912
4918
4913
	Fixes: e683cfb0cf5 (loader/i386/linux: Calculate the setup_header length)
4919
4914
4920
4915
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4921
4916
	Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
4922
4917
	Reviewed-by: Krystian Hebel <krystian.hebel@3mdeb.com>
4923
4918
4924
4919
2019-12-06  David Sterba  <dave@jikos.cz>
4925
4920
4926
4921
	btrfs: Add support for new RAID1C34 profiles
4927
4922
	New 3- and 4-copy variants of RAID1 were merged into Linux kernel 5.5.
4928
4923
	Add the two new profiles to the list of recognized ones. As this builds
4929
4924
	on the same code as RAID1, only the redundancy level needs to be
4930
4925
	adjusted, the rest is done by the existing code.
4931
4926
4932
4927
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4933
4928
4934
4929
2019-12-06  Lenny Szubowicz  <lszubowi@redhat.com>
4935
4930
4936
4931
	tftp: Normalize slashes in TFTP paths
4937
4932
	Some TFTP servers do not handle multiple consecutive slashes correctly.
4938
4933
	This patch avoids sending TFTP requests with non-normalized paths.
4939
4934
4940
4935
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4941
4936
4942
4937
2019-11-18  Michael Chang  <MChang@suse.com>
4943
4938
4944
4939
	grub-editenv: Warn a user against editing environment block
4945
4940
	The environment block is a preallocated 1024-byte file which serves as
4946
4941
	persistent storage for environment variables. It has its own format
4947
4942
	which is sensitive to corruption if an editor does not know how to
4948
4943
	process it. Besides that the editor may inadvertently change grubenv
4949
4944
	file size and/or make it sparse which can lead to unexpected results.
4950
4945
4951
4946
	This patch adds a message to the grubenv file to warn a user against
4952
4947
	editing it by tools other than grub-editenv.
4953
4948
4954
4949
	Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4955
4950
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4956
4951
4957
4952
2019-11-18  Michael Chang  <MChang@suse.com>
4958
4953
4959
4954
	hostdisk: Set linux file descriptor to O_CLOEXEC as default
4960
4955
	We are often bothered by this sort of lvm warning while running grub-install
4961
4956
	every now and then:
4962
4957
4963
4958
	  File descriptor 4 (/dev/vda1) leaked on vgs invocation. Parent PID 1991: /usr/sbin/grub2-install
4964
4959
4965
4960
	The requirement related to the warning is dictated in the lvm man page:
4966
4961
4967
4962
	  "On invocation, lvm requires that only the standard file descriptors stdin,
4968
4963
	  stdout and stderr are available.  If others are found, they get closed and
4969
4964
	  messages are issued warning about the leak.  This warning can be suppressed by
4970
4965
	  setting the environment variable LVM_SUPPRESS_FD_WARNINGS."
4971
4966
4972
4967
	While it could be disabled through settings, most Linux distributions seem to
4973
4968
	enable it by default and the justification provided by the developer looks to
4974
4969
	be valid to me: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466138#15
4975
4970
4976
4971
	Rather than trying to close and reopen the file descriptor to the same file
4977
4972
	multiple times, which is rather cumbersome, for the sake of no vgs invocation
4978
4973
	could happen in between. This patch enables the close-on-exec flag (O_CLOEXEC)
4979
4974
	for new file descriptor returned by the open() system call, making it closed
4980
4975
	thus not inherited by the child process forked and executed by the exec()
4981
4976
	family of functions.
4982
4977
4983
4978
	Fixes Debian bug #466138.
4984
4979
4985
4980
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4986
4981
4987
4982
2019-10-28  Eli Schwartz  <eschwartz@archlinux.org>
4988
4983
4989
4984
	grub-mkconfig: Use portable "command -v" to detect installed programs
4990
4985
	The "which" utility is not guaranteed to be installed either, and if it
4991
4986
	is, its behavior is not portable either.
4992
4987
4993
4988
	Conversely, the "command -v" shell builtin is required to exist in all
4994
4989
	POSIX 2008 compliant shells, and is thus guaranteed to work everywhere.
4995
4990
4996
4991
	Examples of open-source shells likely to be installed as /bin/sh on
4997
4992
	Linux, which implement the 11-year-old standard: ash, bash, busybox,
4998
4993
	dash, ksh, mksh and zsh.
4999
4994
5000
4995
	A side benefit of using the POSIX portable option is that it requires
Reviewer	Review Type	Date Requested	Status
Ubuntu Core Development Team		2022-10-12	Pending
Review via email: mp+431421@code.launchpad.net