Merge ~juliank/grub/+git/ubuntu:boot-complete into ~ubuntu-core-dev/grub/+git/ubuntu:master
- Git
- lp:~juliank/grub/+git/ubuntu
- boot-complete
- Merge into master
Status: | Superseded | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Proposed branch: | ~juliank/grub/+git/ubuntu:boot-complete | ||||||||||||||||||||||||
Merge into: | ~ubuntu-core-dev/grub/+git/ubuntu:master | ||||||||||||||||||||||||
Diff against target: |
33477 lines (+26270/-719) (has conflicts) 219 files modified
ChangeLog (+5278/-0) INSTALL (+31/-21) Makefile.am (+1/-1) Makefile.in (+270/-54) Makefile.util.am (+16/-7) Makefile.util.def (+15/-40) NEWS (+14/-0) README (+6/-0) acinclude.m4 (+36/-2) aclocal.m4 (+1/-0) autogen.sh (+1/-1) conf/Makefile.common (+2/-0) conf/Makefile.extra-dist (+21/-0) config-util.h.in (+6/-0) config.h.in (+0/-2) configure (+192/-39) configure.ac (+99/-104) debian/.git-dpm (+3/-0) debian/NEWS (+8/-0) debian/README.source (+3/-0) debian/apport/source_grub2.py (+14/-5) debian/build-efi-images (+27/-11) debian/changelog (+1421/-1) debian/control (+92/-26) debian/dirs.in (+1/-0) debian/grub-check-signatures (+21/-0) debian/grub-common.service (+13/-0) debian/grub-efi-amd64-bin.maintscript.in (+1/-0) debian/grub-efi-arm64-bin.maintscript.in (+1/-0) debian/grub-extras/915resolution/.gitignore (+3/-0) debian/grub-extras/915resolution/915resolution.c (+29/-8) debian/grub-extras/disabled/gpxe/.gitignore (+3/-0) debian/grub-extras/disabled/zfs/.gitignore (+5/-0) debian/grub-extras/lua/.gitignore (+3/-0) debian/grub-extras/ntldr-img/.gitignore (+3/-0) debian/grub.d/05_debian_theme (+2/-2) debian/legacy/upgrade-from-grub-legacy (+3/-1) debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch (+37/-0) debian/patches/0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch (+7/-0) debian/patches/0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch (+52/-0) debian/patches/0099-chainloader-Avoid-a-double-free-when-validation-fail.patch (+7/-0) debian/patches/0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch (+7/-0) debian/patches/0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch (+68/-0) debian/patches/0130-loader-efi-chainloader-simplify-the-loader-state.patch (+334/-0) debian/patches/0131-commands-boot-Add-API-to-pass-context-to-loader.patch (+157/-0) debian/patches/0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch (+144/-0) debian/patches/0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch (+306/-0) debian/patches/0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch (+72/-0) debian/patches/0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch (+98/-0) debian/patches/0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch (+36/-0) debian/patches/0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch (+196/-0) debian/patches/0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch (+26/-0) debian/patches/0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch (+167/-0) debian/patches/0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch (+37/-0) debian/patches/0141-video-readers-png-Sanity-check-some-huffman-codes.patch (+38/-0) debian/patches/0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch (+253/-0) debian/patches/0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch (+27/-0) debian/patches/0144-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch (+41/-0) debian/patches/0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch (+72/-0) debian/patches/0146-normal-charset-Fix-array-out-of-bounds-formatting-un.patch (+32/-0) debian/patches/0147-net-netbuff-Block-overly-large-netbuff-allocs.patch (+44/-0) debian/patches/0148-net-ip-Do-IP-fragment-maths-safely.patch (+42/-0) debian/patches/0149-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch (+54/-0) debian/patches/0150-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch (+69/-0) debian/patches/0151-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch (+110/-0) debian/patches/0152-net-tftp-Avoid-a-trivial-UAF.patch (+33/-0) debian/patches/0153-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch (+39/-0) debian/patches/0154-net-http-Fix-OOB-write-for-split-http-headers.patch (+44/-0) debian/patches/0155-net-http-Error-out-on-headers-with-LF-without-CR.patch (+46/-0) debian/patches/0156-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch (+70/-0) debian/patches/0157-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch (+130/-0) debian/patches/0158-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch (+36/-0) debian/patches/0159-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch (+74/-0) debian/patches/0160-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch (+132/-0) debian/patches/0161-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch (+74/-0) debian/patches/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch (+47/-0) debian/patches/RISC-V-Update-image-header.patch (+84/-0) debian/patches/RISC-V-Use-common-linux-loader.patch (+120/-0) debian/patches/at_keyboard-module-init.patch (+4/-1) debian/patches/bash-completion-drop-have-checks.patch (+5/-2) debian/patches/blacklist-1440x900x32.patch (+4/-1) debian/patches/bootp-new-net_bootp6-command.patch (+22/-17) debian/patches/bootp-process-dhcpack-http-boot.patch (+20/-15) debian/patches/cherrypick-efi-grub_efi_close_protocol.patch (+79/-0) debian/patches/cherrypick-efinet-correct-closing-snp-protocol.patch (+106/-0) debian/patches/core-in-fs.patch (+3/-4) debian/patches/debug_verifiers.patch (+27/-0) debian/patches/default-grub-d.patch (+34/-17) debian/patches/dejavu-font-path.patch (+22/-0) debian/patches/disable-floppies.patch (+1/-2) debian/patches/dpkg-version-comparison.patch (+3/-4) debian/patches/efi-EFI-Device-Tree-Fixup-Protocol.patch (+140/-0) debian/patches/efi-add-definition-of-LoadFile2-protocol.patch (+61/-0) debian/patches/efi-correct-struct-grub_efi_boot_services.patch (+28/-0) debian/patches/efi-implement-grub_efi_run_image.patch (+900/-0) debian/patches/efi-implemented-LoadFile2-initrd-loading-protocol-fo.patch (+183/-0) debian/patches/efi-variable-storage-minimise-writes.patch (+60/-11) debian/patches/efinet-set-dns-from-uefi-proto.patch (+13/-8) debian/patches/efinet-set-network-from-uefi-devpath.patch (+8/-5) debian/patches/efinet-uefi-ipv6-pxe-support.patch (+8/-5) debian/patches/efivar-check-that-efivarfs-is-writeable.patch (+74/-0) debian/patches/fat-fix-listing-the-root-directory.patch (+46/-0) debian/patches/fdt-add-debug-output-to-devicetree-command.patch (+31/-0) debian/patches/gettext-quiet.patch (+4/-1) debian/patches/gfxpayload-dynamic.patch (+23/-7) debian/patches/gfxpayload-keep-default.patch (+9/-0) debian/patches/grub-install-pvxen-paths.patch (+14/-3) debian/patches/grub-legacy-0-based-partitions.patch (+1/-2) debian/patches/grub.cfg-400.patch (+2/-3) debian/patches/ieee1275-clear-reset.patch (+4/-1) debian/patches/ignore-grub_func_test-failures.patch (+4/-1) debian/patches/insmod-xzio-and-lzopio-on-xen.patch (+7/-0) debian/patches/install-efi-adjust-distributor.patch (+33/-0) debian/patches/install-efi-fallback.patch (+5/-2) debian/patches/install-efi-ubuntu-flavours.patch (+3/-0) debian/patches/install-locale-langpack.patch (+10/-7) debian/patches/install-powerpc-machtypes.patch (+18/-11) debian/patches/install-stage2-confusion.patch (+9/-6) debian/patches/linux-ignore-FDT-unless-we-need-to-modify-it.patch (+80/-0) debian/patches/linux_xen-Properly-load-multiple-initrd-files.patch (+123/-0) debian/patches/linux_xen-Properly-order-multiple-initrd-files.patch (+79/-0) debian/patches/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch (+111/-0) debian/patches/linuxefi-do-not-validate-kernels-twice.patch (+227/-0) debian/patches/loader-Move-arm64-linux-loader-to-common-code.patch (+1091/-0) debian/patches/loader-drop-argv-argument-in-grub_initrd_load.patch (+178/-0) debian/patches/maybe-quiet.patch (+30/-21) debian/patches/minilzo-2.10.patch (+2538/-0) debian/patches/mkconfig-loopback.patch (+11/-4) debian/patches/mkconfig-mid-upgrade.patch (+3/-0) debian/patches/mkconfig-nonexistent-loopback.patch (+11/-8) debian/patches/mkconfig-other-inits.patch (+14/-3) debian/patches/mkconfig-recovery-title.patch (+17/-10) debian/patches/mkconfig-signed-kernel.patch (+9/-0) debian/patches/mkconfig-ubuntu-distributor.patch (+7/-0) debian/patches/mkconfig-ubuntu-recovery.patch (+18/-5) debian/patches/mkimage-fix-section-sizes.patch (+108/-0) debian/patches/mkrescue-efi-modules.patch (+6/-3) debian/patches/net-read-bracketed-ipv6-addr.patch (+20/-16) debian/patches/no-devicetree-if-secure-boot.patch (+8/-5) debian/patches/no-insmod-on-sb.patch (+8/-58) debian/patches/olpc-prefix-hack.patch (+1/-2) debian/patches/pc-verifiers-module.patch (+166/-0) debian/patches/ppc64el-disable-vsx.patch (+4/-1) debian/patches/probe-fusionio.patch (+8/-5) debian/patches/quick-boot-lvm.patch (+6/-3) debian/patches/quick-boot.patch (+34/-20) debian/patches/restore-mkdevicemap.patch (+26/-13) debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch (+7/-0) debian/patches/rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch (+26/-0) debian/patches/rhboot-f34-make-exit-take-a-return-code.patch (+68/-0) debian/patches/rhboot-f34-make-pmtimer-tsc-calibration-fast.patch (+11/-0) debian/patches/rhboot-try-to-pick-better-locations-for-kernel-and-initrd.patch (+215/-0) debian/patches/riscv-adjust-march-flags-for-binutils-2.38.patch (+43/-0) debian/patches/series (+122/-4) debian/patches/skip-grub_cmd_set_date.patch (+4/-1) debian/patches/sleep-shift.patch (+3/-0) debian/patches/suse-AUDIT-0-http-boot-tracker-bug.patch (+68/-0) debian/patches/suse-add-support-for-UEFI-network-protocols.patch (+4941/-0) debian/patches/suse-grub.texi-add-net_bootp6-document.patch (+49/-0) debian/patches/tests-ahci-update-qemu-device-name.patch (+33/-0) debian/patches/tpm-unknown-error-non-fatal.patch (+30/-0) debian/patches/ubuntu-add-devicetree-command-support.patch (+7/-0) debian/patches/ubuntu-add-initrd-less-boot-fallback.patch (+44/-0) debian/patches/ubuntu-add-initrd-less-boot-messages.patch (+24/-0) debian/patches/ubuntu-boot-from-multipath-dependent-symlink.patch (+7/-0) debian/patches/ubuntu-disable-LOAD-FILE2-protocol-for-initrd-on-ARM.patch (+63/-0) debian/patches/ubuntu-dont-verify-loopback-images.patch (+11/-0) debian/patches/ubuntu-efi-allow-loopmount-chainload.patch (+27/-0) debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch (+10/-0) debian/patches/ubuntu-fix-reproducible-squashfs-test.patch (+7/-0) debian/patches/ubuntu-flavour-order.patch (+17/-0) debian/patches/ubuntu-fuse3.patch (+108/-0) debian/patches/ubuntu-grub-install-extra-removable.patch (+37/-0) debian/patches/ubuntu-install-signed.patch (+41/-0) debian/patches/ubuntu-linuxefi-arm64-set-base-addr.patch (+22/-0) debian/patches/ubuntu-linuxefi-arm64.patch (+90/-0) debian/patches/ubuntu-linuxefi.patch (+510/-0) debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch (+10/-0) debian/patches/ubuntu-os-prober-auto.patch (+51/-0) debian/patches/ubuntu-recovery-dis_ucode_ldr.patch (+15/-0) debian/patches/ubuntu-resilient-boot-boot-order.patch (+45/-0) debian/patches/ubuntu-resilient-boot-ignore-alternative-esps.patch (+11/-0) debian/patches/ubuntu-shorter-version-info.patch (+18/-0) debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch (+10/-0) debian/patches/ubuntu-speed-zsys-history.patch (+34/-0) debian/patches/ubuntu-support-initrd-less-boot.patch (+27/-0) debian/patches/ubuntu-temp-keep-auto-nvram.patch (+7/-0) debian/patches/ubuntu-verifiers-last.patch (+59/-0) debian/patches/ubuntu-zfs-enhance-support.patch (+46/-0) debian/patches/ubuntu-zfs-gfxpayload-dynamic.patch (+95/-0) debian/patches/ubuntu-zfs-gfxpayload-keep-default.patch (+38/-0) debian/patches/ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch (+32/-0) debian/patches/ubuntu-zfs-maybe-quiet.patch (+72/-0) debian/patches/ubuntu-zfs-mkconfig-recovery-title.patch (+49/-0) debian/patches/ubuntu-zfs-mkconfig-signed-kernel.patch (+51/-0) debian/patches/ubuntu-zfs-mkconfig-ubuntu-distributor.patch (+36/-0) debian/patches/ubuntu-zfs-mkconfig-ubuntu-recovery.patch (+66/-0) debian/patches/ubuntu-zfs-quick-boot.patch (+50/-0) debian/patches/ubuntu-zfs-vt-handoff.patch (+77/-0) debian/patches/uefi-firmware-setup.patch (+3/-0) debian/patches/uefi-secure-boot-cryptomount.patch (+11/-0) debian/patches/vsnprintf-upper-case-hex.patch (+3/-0) debian/patches/vt-handoff.patch (+9/-2) debian/patches/wubi-no-windows.patch (+6/-3) debian/patches/xen-no-xsm-policy-in-non-xsm-options.patch (+34/-0) debian/patches/xfs-fix-v4-superblock.patch (+121/-0) debian/patches/zpool-full-device-name.patch (+4/-1) debian/patches/zstd-require-8-byte-buffer.patch (+63/-0) debian/postinst.in (+91/-7) debian/postrm.in (+2/-2) debian/rules (+113/-10) debian/sbat.debian.csv.in (+3/-0) debian/sbat.ubuntu.csv.in (+3/-0) debian/signing-template/control.in (+1/-1) dev/null (+0/-1) docs/Makefile.in (+2/-2) docs/grub-dev.info (+113/-45) docs/grub-dev.texi (+65/-1) docs/grub.info (+2/-1) Conflict in configure.ac Conflict in debian/.git-dpm Conflict in debian/build-efi-images Conflict in debian/changelog Conflict in debian/control Conflict in debian/grub-check-signatures Conflict in debian/grub-common.service Conflict in debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch Conflict in debian/patches/0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch Conflict in debian/patches/0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch Conflict in debian/patches/0099-chainloader-Avoid-a-double-free-when-validation-fail.patch Conflict in debian/patches/0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch Conflict in debian/patches/at_keyboard-module-init.patch Conflict in debian/patches/bash-completion-drop-have-checks.patch Conflict in debian/patches/blacklist-1440x900x32.patch Conflict in debian/patches/bootp-new-net_bootp6-command.patch Conflict in debian/patches/bootp-process-dhcpack-http-boot.patch Conflict in debian/patches/default-grub-d.patch Conflict in debian/patches/efi-variable-storage-minimise-writes.patch Conflict in debian/patches/efinet-set-dns-from-uefi-proto.patch Conflict in debian/patches/efinet-set-network-from-uefi-devpath.patch Conflict in debian/patches/efinet-uefi-ipv6-pxe-support.patch Conflict in debian/patches/gettext-quiet.patch Conflict in debian/patches/gfxpayload-dynamic.patch Conflict in debian/patches/gfxpayload-keep-default.patch Conflict in debian/patches/grub-install-extra-removable.patch Conflict in debian/patches/grub-install-pvxen-paths.patch Conflict in debian/patches/ieee1275-clear-reset.patch Conflict in debian/patches/ignore-grub_func_test-failures.patch Conflict in debian/patches/insmod-xzio-and-lzopio-on-xen.patch Conflict in debian/patches/install-efi-adjust-distributor.patch Conflict in debian/patches/install-efi-fallback.patch Conflict in debian/patches/install-efi-ubuntu-flavours.patch Conflict in debian/patches/install-locale-langpack.patch Conflict in debian/patches/install-powerpc-machtypes.patch Conflict in debian/patches/install-signed.patch Conflict in debian/patches/install-stage2-confusion.patch Conflict in debian/patches/maybe-quiet.patch Conflict in debian/patches/mkconfig-loopback.patch Conflict in debian/patches/mkconfig-mid-upgrade.patch Conflict in debian/patches/mkconfig-nonexistent-loopback.patch Conflict in debian/patches/mkconfig-other-inits.patch Conflict in debian/patches/mkconfig-recovery-title.patch Conflict in debian/patches/mkconfig-signed-kernel.patch Conflict in debian/patches/mkconfig-ubuntu-distributor.patch Conflict in debian/patches/mkconfig-ubuntu-recovery.patch Conflict in debian/patches/mkrescue-efi-modules.patch Conflict in debian/patches/net-read-bracketed-ipv6-addr.patch Conflict in debian/patches/no-devicetree-if-secure-boot.patch Conflict in debian/patches/no-insmod-on-sb.patch Conflict in debian/patches/ppc64el-disable-vsx.patch Conflict in debian/patches/probe-fusionio.patch Conflict in debian/patches/quick-boot-lvm.patch Conflict in debian/patches/quick-boot.patch Conflict in debian/patches/restore-mkdevicemap.patch Conflict in debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch Conflict in debian/patches/rhboot-f34-make-exit-take-a-return-code.patch Conflict in debian/patches/rhboot-f34-make-pmtimer-tsc-calibration-fast.patch Conflict in debian/patches/series Conflict in debian/patches/skip-grub_cmd_set_date.patch Conflict in debian/patches/sleep-shift.patch Conflict in debian/patches/ubuntu-add-devicetree-command-support.patch Conflict in debian/patches/ubuntu-add-initrd-less-boot-fallback.patch Conflict in debian/patches/ubuntu-add-initrd-less-boot-messages.patch Conflict in debian/patches/ubuntu-boot-from-multipath-dependent-symlink.patch Conflict in debian/patches/ubuntu-dont-verify-loopback-images.patch Conflict in debian/patches/ubuntu-efi-allow-loopmount-chainload.patch Conflict in debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch Conflict in debian/patches/ubuntu-fix-reproducible-squashfs-test.patch Conflict in debian/patches/ubuntu-flavour-order.patch Conflict in debian/patches/ubuntu-grub-install-extra-removable.patch Conflict in debian/patches/ubuntu-install-signed.patch Conflict in debian/patches/ubuntu-linuxefi-arm64-set-base-addr.patch Conflict in debian/patches/ubuntu-linuxefi-arm64.patch Conflict in debian/patches/ubuntu-linuxefi.patch Conflict in debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch Conflict in debian/patches/ubuntu-recovery-dis_ucode_ldr.patch Conflict in debian/patches/ubuntu-resilient-boot-boot-order.patch Conflict in debian/patches/ubuntu-resilient-boot-ignore-alternative-esps.patch Conflict in debian/patches/ubuntu-shorter-version-info.patch Conflict in debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch Conflict in debian/patches/ubuntu-speed-zsys-history.patch Conflict in debian/patches/ubuntu-support-initrd-less-boot.patch Conflict in debian/patches/ubuntu-temp-keep-auto-nvram.patch Conflict in debian/patches/ubuntu-zfs-enhance-support.patch Conflict in debian/patches/uefi-firmware-setup.patch Conflict in debian/patches/uefi-secure-boot-cryptomount.patch Conflict in debian/patches/vsnprintf-upper-case-hex.patch Conflict in debian/patches/vt-handoff.patch Conflict in debian/patches/wubi-no-windows.patch Conflict in debian/patches/zpool-full-device-name.patch Conflict in debian/postinst.in Conflict in debian/rules Conflict in docs/grub.info Conflict in docs/grub.texi Conflict in grub-core/Makefile.core.def Conflict in grub-core/commands/efi/tpm.c Conflict in grub-core/commands/iorw.c Conflict in grub-core/commands/memrw.c Conflict in grub-core/disk/ldm.c Conflict in grub-core/disk/lvm.c Conflict in grub-core/fs/hfsplus.c Conflict in grub-core/fs/xfs.c Conflict in grub-core/kern/efi/efi.c Conflict in grub-core/kern/efi/sb.c Conflict in grub-core/kern/mm.c Conflict in grub-core/kern/parser.c Conflict in grub-core/loader/efi/chainloader.c Conflict in grub-core/loader/efi/fdt.c Conflict in grub-core/loader/i386/efi/linux.c Conflict in grub-core/loader/i386/linux.c Conflict in grub-core/loader/i386/pc/linux.c Conflict in grub-core/loader/linux.c Conflict in grub-core/loader/multiboot_mbi2.c Conflict in grub-core/loader/xnu.c Conflict in grub-core/net/tftp.c Conflict in grub-core/osdep/unix/config.c Conflict in grub-core/osdep/unix/efivar.c Conflict in grub-core/osdep/unix/platform.c Conflict in grub-core/term/efi/console.c Conflict in include/grub/efi/sb.h Conflict in include/grub/util/install.h Conflict in util/deviceiter.c Conflict in util/grub-install-common.c Conflict in util/grub-install.c Conflict in util/grub-mkconfig.in Conflict in util/grub.d/00_header.in Conflict in util/grub.d/10_linux.in Conflict in util/grub.d/30_uefi-firmware.in |
||||||||||||||||||||||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ubuntu Core Development Team | Pending | ||
Review via email: mp+431421@code.launchpad.net |
This proposal has been superseded by a proposal from 2022-10-12.
Commit message
Description of the change
Unmerged commits
- ab03c1e... by Julian Andres Klode
-
grub-common.
service: Add After=boot- complete. target LP: #1992643
- a093515... by Julian Andres Klode
-
Try to pick better locations for kernel and initrd
LP: #1989446
- 5e9731a... by Julian Andres Klode
-
releasing package grub2 version 2.06-2ubuntu12
- 1c0c8a3... by Julian Andres Klode
-
ubuntu-
zfs-enhance- support. patch: Fix missing lines The line count of the file was too short for unknown reasons,
fix this manually and then reimport and export the patch series
to clean up all the hunk locations.LP: #1990143
- 2fa139e... by dann frazier
-
releasing package grub2 version 2.06-2ubuntu11
- 64478a9... by Julian Andres Klode
-
Cleanup patch series
- d5f693b... by dann frazier
-
linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
- d/p/linuxefi-
Invalidate- i-cache- before- starting- the-kern. patch Gbp-Dch: Full
- 196b45a... by Mauricio Faria de Oliveira
-
Fix for ZFS snapshots without etc directory
In the situation where ZFS snapshots do not contain a .../etc directory,
the generation of /b/g/grub.cfg silently fails, providing no "linux"
kernel lines in the /b/g/grub.cfg file.This patch prevents this type of failure from occurring.
This issue is especially apparent on systems running in FIPS mode
with ZFS boot+root pools.Source: https:/
/code.launchpad .net/~arbell/ grub/+git/ grub/+merge/ 417575 LP: #1965983
Thanks: Adam R Bell <email address hidden>Signed-off-by: Mauricio Faria de Oliveira <email address hidden>
- 83bcaf1... by Heinrich Schuchardt
-
efi/peimage: fix typos in code comments
Signed-off-by: Heinrich Schuchardt <email address hidden>
- 47a3d1d... by Mauricio Faria de Oliveira
-
linux_xen: Properly handle multiple initrd files (LP: #1987567)
- d/p/linux_
xen-Properly- load-multiple- initrd- files.patch
- d/p/linux_xen-Properly- order-multiple- initrd- files.patch Gbp-Dch: Full
Preview Diff
1 | diff --git a/ChangeLog b/ChangeLog |
2 | index ba90478..434754f 100644 |
3 | --- a/ChangeLog |
4 | +++ b/ChangeLog |
5 | @@ -1,3 +1,5281 @@ |
6 | +2021-06-08 Daniel Kiper <daniel.kiper@oracle.com> |
7 | + |
8 | + Release 2.06 |
9 | + |
10 | +2021-06-08 Daniel Kiper <daniel.kiper@oracle.com> |
11 | + |
12 | + SECURITY: Add SECURITY file |
13 | + The SECURITY file describes the GRUB project security policy. |
14 | + |
15 | + It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md |
16 | + |
17 | +2021-06-08 Daniel Kiper <daniel.kiper@oracle.com> |
18 | + |
19 | + MAINTAINERS: Add MAINTAINERS file |
20 | + The MAINTAINERS file provides basic information about the GRUB project |
21 | + and its maintainers. |
22 | + |
23 | +2021-06-01 Dimitri John Ledkov <xnox@ubuntu.com> |
24 | + |
25 | + grub-install: Add backup and restore |
26 | + Refactor clean_grub_dir() to create a backup of all the files, instead |
27 | + of just irrevocably removing them as the first action. If available, |
28 | + register atexit() handler to restore the backup if errors occur before |
29 | + point of no return, or remove the backup if everything was successful. |
30 | + If atexit() is not available, the backup remains on disk for manual |
31 | + recovery. |
32 | + |
33 | + Some platforms defined a point of no return, i.e. after modules & core |
34 | + images were updated. Failures from any commands after that stage are |
35 | + ignored, and backup is cleaned up. For example, on EFI platforms update |
36 | + is not reverted when efibootmgr fails. |
37 | + |
38 | + Extra care is taken to ensure atexit() handler is only invoked by the |
39 | + parent process and not any children forks. Some older GRUB codebases |
40 | + can invoke parent atexit() hooks from forks, which can mess up the |
41 | + backup. |
42 | + |
43 | + This allows safer upgrades of MBR & modules, such that |
44 | + modules/images/fonts/translations are consistent with MBR in case of |
45 | + errors. For example accidental grub-install /dev/non-existent-disk |
46 | + currently clobbers and upgrades modules in /boot/grub, despite not |
47 | + actually updating any MBR. |
48 | + |
49 | + This patch only handles backup and restore of files copied to /boot/grub. |
50 | + This patch does not perform backup (or restoration) of MBR itself or |
51 | + blocklists. Thus when installing i386-pc platform, corruption may still |
52 | + occur with MBR and blocklists which will not be attempted to be |
53 | + automatically recovered. |
54 | + |
55 | + Also add modinfo.sh and *.efi to the cleanup/backup/restore code path, |
56 | + to ensure it is also cleaned, backed up and restored. |
57 | + |
58 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
59 | + |
60 | +2021-06-01 Dimitri John Ledkov <xnox@ubuntu.com> |
61 | + |
62 | + osdep/unix/exec: Avoid atexit() handlers when child execvp() fails |
63 | + The functions grub_util_exec_pipe() and grub_util_exec_pipe_stderr() |
64 | + currently call execvp(). If the call fails for any reason, the child |
65 | + currently calls exit(127). This in turn executes the parents |
66 | + atexit() handlers from the forked child, and then the same handlers |
67 | + are called again from parent. This is usually not desired, and can |
68 | + lead to deadlocks, and undesired behavior. So, change the exit() calls |
69 | + to _exit() calls to avoid calling atexit() handlers from child. |
70 | + |
71 | + Fixes: e75cf4a58 (unix exec: avoid atexit handlers when child exits) |
72 | + |
73 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
74 | + |
75 | +2021-06-01 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> |
76 | + |
77 | + lib/i386/relocator64: Build fixes for i386 |
78 | + This fixes cross-compiling to x86 (e.g., the Hurd) from x86-linux of |
79 | + |
80 | + grub-core/lib/i386/relocator64.S |
81 | + |
82 | + This file has six sections that only build with a 64-bit assembler, |
83 | + yet only the first two sections had support for a 32-bit assembler. |
84 | + This patch completes this for the remaining sections. |
85 | + |
86 | + To reproduce, update the GRUB source description in your local Guix |
87 | + archive and run |
88 | + |
89 | + ./pre-inst-env guix build --system=i686-linux --target=i586-pc-gnu grub |
90 | + |
91 | + or install an x86 cross-build environment on x86-linux (32-bit!) and |
92 | + configure to cross build and make, e.g., do something like |
93 | + |
94 | + ./configure \ |
95 | + CC_FOR_BUILD=gcc \ |
96 | + --build=i686-unknown-linux-gnu \ |
97 | + --host=i586-pc-gnu |
98 | + make |
99 | + |
100 | + Additionally, remove a line with redundant spaces. |
101 | + |
102 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
103 | + |
104 | +2021-06-01 Javier Martinez Canillas <javierm@redhat.com> |
105 | + |
106 | + fs/xfs: Add needsrepair incompat feature support |
107 | + The XFS now has an incompat feature flag to indicate that a filesystem |
108 | + needs to be repaired. The Linux kernel refuses to mount the filesystem |
109 | + that has it set and only the xfs_repair tool is able to clear that flag. |
110 | + |
111 | + The GRUB doesn't have the concept of mounting filesystems and just |
112 | + attempts to read the files. But it does some sanity checking before |
113 | + attempting to read from the filesystem. Among the things which are tested, |
114 | + is if the super block only has set of incompatible features flags that |
115 | + are supported by GRUB. If it contains any flags that are not listed as |
116 | + supported, reading the XFS filesystem fails. |
117 | + |
118 | + Since the GRUB doesn't attempt to detect if the filesystem is inconsistent |
119 | + nor replays the journal, the filesystem access is a best effort. For this |
120 | + reason, ignore if the filesystem needs to be repaired and just print a debug |
121 | + message. That way, if reading or booting fails later, the user is able to |
122 | + figure out that the failures can be related to broken XFS filesystem. |
123 | + |
124 | + Suggested-by: Eric Sandeen <esandeen@redhat.com> |
125 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
126 | + |
127 | +2021-06-01 Carlos Maiolino <cmaiolino@redhat.com> |
128 | + |
129 | + fs/xfs: Add bigtime incompat feature support |
130 | + The XFS filesystem supports a bigtime feature to overcome y2038 problem. |
131 | + This patch makes the GRUB able to support the XFS filesystems with this |
132 | + feature enabled. |
133 | + |
134 | + The XFS counter for the bigtime enabled timestamps starts at 0, which |
135 | + translates to GRUB_INT32_MIN (Dec 31 20:45:52 UTC 1901) in the legacy |
136 | + timestamps. The conversion to Unix timestamps is made before passing the |
137 | + value to other GRUB functions. |
138 | + |
139 | + For this to work properly, GRUB requires an access to flags2 field in the |
140 | + XFS ondisk inode. So, the grub_xfs_inode structure has been updated to |
141 | + cover full ondisk inode. |
142 | + |
143 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
144 | + |
145 | +2021-06-01 Carlos Maiolino <cmaiolino@redhat.com> |
146 | + |
147 | + fs: Use 64-bit type for filesystem timestamp |
148 | + Some filesystems nowadays use 64-bit types for timestamps. So, update |
149 | + grub_dirhook_info struct to use an grub_int64_t type to store mtime. |
150 | + This also updates the grub_unixtime2datetime() function to receive |
151 | + a 64-bit timestamp argument and do 64-bit-safe divisions. |
152 | + |
153 | + All the remaining conversion from 32-bit to 64-bit should be safe, as |
154 | + 32-bit to 64-bit attributions will be implicitly casted. The most |
155 | + critical part in the 32-bit to 64-bit conversion is in the function |
156 | + grub_unixtime2datetime() where it needs to deal with the 64-bit type. |
157 | + So, for that, the grub_divmod64() helper has been used. |
158 | + |
159 | + These changes enables the GRUB to support dates beyond y2038. |
160 | + |
161 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
162 | + |
163 | +2021-05-28 Javier Martinez Canillas <javierm@redhat.com> |
164 | + |
165 | + types: Define PRI{x,d}GRUB_INT{32,64}_T format specifiers |
166 | + There are already PRI*_T constants defined for unsigned integers but not |
167 | + for signed integers. Add format specifiers for the latter. |
168 | + |
169 | + Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> |
170 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
171 | + |
172 | +2021-05-28 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
173 | + |
174 | + kern/efi/sb: Remove duplicate efi_shim_lock_guid variable |
175 | + The efi_shim_lock_guid local variable and shim_lock_guid global variable |
176 | + have the same GUID value. Only the latter is retained. |
177 | + |
178 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
179 | + |
180 | +2021-05-10 Javier Martinez Canillas <javierm@redhat.com> |
181 | + |
182 | + util/mkimage: Fix wrong PE32+ section sizes for some arches |
183 | + The commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper) |
184 | + added a helper function to setup PE sections. But it also changed how the |
185 | + raw data offsets were calculated since all the section sizes are aligned. |
186 | + However, for some platforms, i.e ia64-efi and arm64-efi, the kernel image |
187 | + size is not aligned using the section alignment. This leads to the situation |
188 | + in which the mods section offset in its PE section header does not match its |
189 | + real placement in the PE file. So, finally the GRUB is not able to locate |
190 | + and load built-in modules. |
191 | + |
192 | + The problem surfaces on ia64-efi and arm64-efi because both platforms |
193 | + require additional relocation data which is added behind .bss section. |
194 | + So, we have to add some padding behind this extra data to make the |
195 | + beginning of mods section properly aligned in the PE file. Fix it by |
196 | + aligning the kernel_size to the section alignment. That makes the sizes |
197 | + and offsets in the PE section headers to match relevant sections in the |
198 | + PE32+ binary file. |
199 | + |
200 | + Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> |
201 | + Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> |
202 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
203 | + |
204 | +2021-05-10 Daniel Kiper <daniel.kiper@oracle.com> |
205 | + |
206 | + term/terminfo: Fix the terminfo command help and documentation |
207 | + Additionally, fix the terminfo spelling mistake in |
208 | + the GRUB development documentation. |
209 | + |
210 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
211 | + |
212 | +2021-05-10 Daniel Kiper <daniel.kiper@oracle.com> |
213 | + |
214 | + i18n: Align N_() formatting with the rest of GRUB code |
215 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
216 | + |
217 | +2021-05-10 Daniel Kiper <daniel.kiper@oracle.com> |
218 | + |
219 | + i18n: Format large integers before the translation message - take 2 |
220 | + This is an additional fix which has been missing from the commit 837fe48de |
221 | + (i18n: Format large integers before the translation message). |
222 | + |
223 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
224 | + |
225 | +2021-04-13 Miguel Ángel Arruga Vivas <rosen644835@gmail.com> |
226 | + |
227 | + i18n: Format large integers before the translation message |
228 | + The GNU gettext only supports the ISO C99 macros for integral |
229 | + types. If there is a need to use unsupported formatting macros, |
230 | + e.g. PRIuGRUB_UINT64_T, according to [1] the number to a string |
231 | + conversion should be separated from the code printing message |
232 | + requiring the internationalization. So, the function grub_snprintf() |
233 | + is used to print the numeric values to an intermediate buffer and |
234 | + the internationalized message contains a string format directive. |
235 | + |
236 | + [1] https://www.gnu.org/software/gettext/manual/html_node/Preparing-Strings.html#No-string-concatenation |
237 | + |
238 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
239 | + |
240 | +2021-04-12 Daniel Axtens <dja@axtens.net> |
241 | + |
242 | + video/fb/fbfill: Use unsigned integers for width/height |
243 | + Since commit 7ce3259f67ac (video/fb/fbfill: Fix potential integer |
244 | + overflow), clang builds of grub-emu have failed with messages like: |
245 | + |
246 | + /usr/bin/ld: libgrubmods.a(libgrubmods_a-fbfill.o): in function `grub_video_fbfill_direct24': |
247 | + fbfill.c:(.text+0x28e): undefined reference to `__muloti4' |
248 | + |
249 | + This appears to be due to a weird quirk in how clang compiles |
250 | + |
251 | + grub_mul(dst->mode_info->bytes_per_pixel, width, &rowskip) |
252 | + |
253 | + which is grub_mul(unsigned int, int, &grub_size_t). |
254 | + |
255 | + It looks like clang somewhere promotes everything to 128-bit maths |
256 | + before ultimately reducing down to 64 bit for grub_size_t. I think |
257 | + this is because width is signed, and indeed converting width to an |
258 | + unsigned int makes the problem go away. |
259 | + |
260 | + This conversion also makes more sense generally: |
261 | + - the caller of all the fbfill_directN functions is |
262 | + grub_video_fb_fill_dispatch() and it takes width and height as |
263 | + unsigned ints already, |
264 | + - it doesn't make sense to fill a negative width or height. |
265 | + |
266 | + Convert the width and height arguments and associated loop counters |
267 | + to unsigned ints. |
268 | + |
269 | + Fixes: 7ce3259f67ac (video/fb/fbfill: Fix potential integer overflow) |
270 | + |
271 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
272 | + |
273 | +2021-04-12 Glenn Washburn <development@efficientek.com> |
274 | + |
275 | + docs: Conform badmem and cutmem description indentations with other commands |
276 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
277 | + |
278 | + docs: Add note to cryptomount that UUIDs should be specified without dashes |
279 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
280 | + |
281 | +2021-04-12 Aru Sahni <aru@arusahni.net> |
282 | + |
283 | + templates: Fix user-facing typo with an incorrect use of "it's" |
284 | + Since the possessive form of "it" is being used, the apostrophe must be omitted. |
285 | + |
286 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
287 | + |
288 | +2021-04-12 Colin Watson <cjwatson@debian.org> |
289 | + |
290 | + buffer: Sync up out-of-range error message |
291 | + The messages associated with other similar GRUB_ERR_OUT_OF_RANGE errors |
292 | + were lacking the trailing full stop. Syncing up the strings saves a small |
293 | + amount of precious core image space on i386-pc. |
294 | + |
295 | + DOWN: obj/i386-pc/grub-core/kernel.img (31740 > 31708) - change: -32 |
296 | + DOWN: i386-pc core image (biosdisk ext2 part_msdos) (27453 > 27452) - change: -1 |
297 | + DOWN: i386-pc core image (biosdisk ext2 part_msdos diskfilter mdraid09) (32367 > 32359) - change: -8 |
298 | + |
299 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
300 | + |
301 | +2021-04-12 Glenn Washburn <development@efficientek.com> |
302 | + |
303 | + usb/usbhub: Use GRUB_USB_MAX_CONF macro instead of literal in hub for maximum configs |
304 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
305 | + |
306 | +2021-04-12 Daniel Drake <drake@endlessm.com> |
307 | + |
308 | + fs/minix: Avoid mistakenly probing ext2 filesystems |
309 | + The ext2 (and ext3, ext4) filesystems write the number of free inodes to |
310 | + location 0x410. |
311 | + |
312 | + On a MINIX filesystem, that same location is used for the MINIX superblock |
313 | + magic number. |
314 | + |
315 | + If the number of free inodes on an ext2 filesystem is equal to any |
316 | + of the four MINIX superblock magic values plus any multiple of 65536, |
317 | + GRUB's MINIX filesystem code will probe it as a MINIX filesystem. |
318 | + |
319 | + In the case of an OS using ext2 as the root filesystem, since there will |
320 | + ordinarily be some amount of file creation and deletion on every bootup, |
321 | + it effectively means that this situation has a 1:16384 chance of being hit |
322 | + on every reboot. |
323 | + |
324 | + This will cause GRUB's filesystem probing code to mistakenly identify an |
325 | + ext2 filesystem as MINIX. This can be seen by e.g. "search --label" |
326 | + incorrectly indicating that no such ext2 partition with matching label |
327 | + exists, whereas in fact it does. |
328 | + |
329 | + After spotting the rough cause of the issue I was facing here, I borrowed |
330 | + much of the diagnosis/explanation from meierfra who found and investigated |
331 | + the same issue in util-linux in 2010: |
332 | + |
333 | + https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/518582 |
334 | + |
335 | + This was fixed in util-linux by having the MINIX code check for the |
336 | + ext2 magic. Do the same here. |
337 | + |
338 | + Reviewed-by: Derek Foreman <derek@endlessos.org> |
339 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
340 | + |
341 | +2021-03-12 Daniel Kiper <daniel.kiper@oracle.com> |
342 | + |
343 | + Release 2.06~rc1 |
344 | + |
345 | +2021-03-11 Ard Biesheuvel <ard.biesheuvel@arm.com> |
346 | + |
347 | + arm/linux: Fix ARM Linux header layout |
348 | + The hdr_offset member of the ARM Linux image header appears at |
349 | + offset 0x3c, matching the PE/COFF spec's placement of the COFF |
350 | + header offset in the MS-DOS header. We're currently off by four, |
351 | + so fix that. |
352 | + |
353 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
354 | + |
355 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
356 | + |
357 | + style: Format string macro should have a space between quotes |
358 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
359 | + |
360 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
361 | + |
362 | + grub/err: Do compile-time format string checking on grub_error() |
363 | + This should help prevent format string errors and thus improve the quality |
364 | + of error reporting. |
365 | + |
366 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
367 | + |
368 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
369 | + |
370 | + fs/zfs/zfs: Use format code "%llu" for 64-bit uint bp->blk_prop in grub_error() |
371 | + This is a temporary, less-intrusive change to get the build to success with |
372 | + compiler format string checking turned on. There is a better fix which |
373 | + addresses this issue, but it needs more testing. Use this change so that |
374 | + format string checking on grub_error() can be turned on until the better |
375 | + change is fully tested. |
376 | + |
377 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
378 | + |
379 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
380 | + |
381 | + fs/hfsplus: Use format code PRIuGRUB_UINT64_T for 64-bit typed fileblock in grub_error() |
382 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
383 | + |
384 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
385 | + |
386 | + dl/elf: Use format code PRIxGRUB_UINT64_T for 64-bit arg in grub_error() |
387 | + The macro ELF_R_TYPE does not change the underlying type. Here its argument |
388 | + is a 64-bit Elf64_Xword. Make sure the format code matches. |
389 | + |
390 | + For the RISC-V architecture, rel->r_info could be either Elf32_Xword or |
391 | + Elf64_Xword depending on if 32 or 64-bit RISC-V is being built. So cast |
392 | + to 64-bit value regardless. |
393 | + |
394 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
395 | + |
396 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
397 | + |
398 | + disk/ata: Use format code PRIxGRUB_UINT64_T for 64-bit uint argument in grub_error() |
399 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
400 | + |
401 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
402 | + |
403 | + loader/i386/pc/linux: Use PRI* macros to get correct format string code across architectures |
404 | + Also remove casting of format string args so that the architecture dependent |
405 | + type is preserved. |
406 | + |
407 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
408 | + |
409 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
410 | + |
411 | + kern/efi/mm: Format string error in grub_error() |
412 | + The second format string argument, GRUB_EFI_MAX_USABLE_ADDRESS, is a macro |
413 | + to a number literal. However, depending on what the target architecture, the |
414 | + type can be 32 or 64 bits. Cast to a 64-bit integer. Also, change the |
415 | + format string literals "%llx" to use PRIxGRUB_UINT64_T. |
416 | + |
417 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
418 | + |
419 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
420 | + |
421 | + commands/pgp: Format code for grub_error() is incorrect |
422 | + The format code is for a 32-bit int, but the argument, keyid, is declared as |
423 | + a 64 bit int. The comment above says keyid is 32-bit. I'm not sure if the |
424 | + comment or declaration is wrong, so force the display of a 64-bit int for now. |
425 | + |
426 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
427 | + |
428 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
429 | + |
430 | + grub_error: Use format code PRIuGRUB_SIZE for variables of type grub_size_t |
431 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
432 | + |
433 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
434 | + |
435 | + disk/dmraid_nvidia: Format string error in grub_error() |
436 | + The grub_error() has a format string expecting two arguments, but only one |
437 | + provided. According to the comments in the struct grub_nv_super definition, |
438 | + the version field looks like a version number where major.minor is encoded |
439 | + as each a byte in the two-byte short. |
440 | + |
441 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
442 | + |
443 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
444 | + |
445 | + video/bochs: grub_error() format string add missing format code |
446 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
447 | + |
448 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
449 | + |
450 | + parttool/msdospart: grub_error() missing format string argument |
451 | + Its obvious from the error message that the variable named "type" was |
452 | + accidentally omitted. |
453 | + |
454 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
455 | + |
456 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
457 | + |
458 | + misc: Format string for grub_error() should be a literal |
459 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
460 | + |
461 | +2021-03-10 Philip Müller <philm@manjaro.org> |
462 | + |
463 | + templates: Properly disable the os-prober by default |
464 | + This patch does the following: |
465 | + - really disables os-prober by default in the util/grub-mkconfig.in |
466 | + by setting GRUB_DISABLE_OS_PROBER to true, |
467 | + - fixes the logic in the util/grub.d/30_os-prober.in, |
468 | + - updates the grub_warn() lines. |
469 | + |
470 | + Reason for the code shuffling in the util/grub-mkconfig.in: |
471 | + |
472 | + The default was GRUB_DISABLE_OS_PROBER=false if you don't set |
473 | + GRUB_DISABLE_OS_PROBER at all. To prevent os-prober from starting we |
474 | + have to set it by default to true and shuffle GRUB_DISABLE_OS_PROBER to |
475 | + code section, which is executed by the script. However we still give an |
476 | + option to the user to overwrite it with false, if he wants to execute |
477 | + os-prober after all. |
478 | + |
479 | + Fixes: e3464147 (templates: Disable the os-prober by default) |
480 | + |
481 | + Reported-by: Didier Spaier <didier@slint.fr> |
482 | + Reported-by: Lennart Sorensen <lsorense@csclub.uwaterloo.ca> |
483 | + Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> |
484 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
485 | + |
486 | +2021-03-10 Michael Chang <mchang@suse.com> |
487 | + |
488 | + kern/efi/sb: Add chainloaded image as shim's verifiable object |
489 | + While attempting to dual boot Microsoft Windows with UEFI chainloader, |
490 | + it failed with below error when UEFI Secure Boot was enabled: |
491 | + |
492 | + error ../../grub-core/kern/verifiers.c:119:verification requested but |
493 | + nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi. |
494 | + |
495 | + It is a regression, as previously it worked without any problem. |
496 | + |
497 | + It turns out chainloading PE image has been locked down by commit |
498 | + 578c95298 (kern: Add lockdown support). However, we should consider it |
499 | + as verifiable object by shim to allow booting in UEFI Secure Boot mode. |
500 | + The chainloaded PE image could also have trusted signature created by |
501 | + vendor with their pubkey cert in db. For that matters it's usage should |
502 | + not be locked down under UEFI Secure Boot, and instead shim should be |
503 | + allowed to validate a PE binary signature before running it. |
504 | + |
505 | + Fixes: 578c95298 (kern: Add lockdown support) |
506 | + |
507 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
508 | + |
509 | +2021-03-10 Glenn Washburn <development@efficientek.com> |
510 | + |
511 | + disk/pata: Suppress error message "no device connected" |
512 | + This error message comes from the grub_print_error() in |
513 | + grub_pata_device_initialize(), which does not pass on the error, and is |
514 | + raised in check_device(). The function check_device() needs to return this |
515 | + as an error because check_device() is also used in grub_pata_open(), which |
516 | + does pass on this error to indicate that the device can not be used. |
517 | + |
518 | + This is actually not an error when displayed by grub_pata_device_initialize() |
519 | + because it just indicates that there are no pata devices seen. This may be |
520 | + confusing to end users who do not have pata devices yet are loading the |
521 | + pata module (perhaps implicitly via nativedisk). This also causes unnecessary |
522 | + output which may need to be accounted for in functional testing. |
523 | + |
524 | + Instead print to the debug log when check_device() raises this "error" and |
525 | + pop the error from the error stack. If there is another error on the stack |
526 | + then print the error stack as those should be real errors. |
527 | + |
528 | + Acked-by: Paul Menzel <pmenzel@molgen.mpg.de> |
529 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
530 | + |
531 | +2021-03-10 Yi Zhao <yi.zhao@windriver.com> |
532 | + |
533 | + fs/ext2: Fix a file not found error when a symlink filesize is equal to 60 |
534 | + We encountered a file not found error when the symlink filesize is |
535 | + equal to 60: |
536 | + |
537 | + $ ls -l initrd |
538 | + lrwxrwxrwx 1 root root 60 Jan 6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz |
539 | + |
540 | + When booting, we got the following error in the GRUB: |
541 | + |
542 | + error: file `/initrd' not found |
543 | + |
544 | + The root cause is that the size of diro->inode.symlink is equal to 60 |
545 | + and a symlink name has to be terminated with NUL there. So, if the |
546 | + symlink filesize is exactly 60 then it is also stored in a separate |
547 | + block rather than in the inode itself. |
548 | + |
549 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
550 | + |
551 | +2021-03-02 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
552 | + |
553 | + loader/i386/linux: Do not use grub_le_to_cpu32() for relocatable variable |
554 | + The relocatable variable is defined as grub_uint8_t. Relevant |
555 | + member in setup_header structure is also defined as one byte |
556 | + in Linux boot protocol. By semantic definition it is a bool type. |
557 | + It is not appropriate to treat it as a four bytes. This patch |
558 | + fixes the issue. |
559 | + |
560 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
561 | + |
562 | +2021-03-02 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
563 | + |
564 | + loader/i386/linux: Remove redundant code from in grub_cmd_linux() |
565 | + The preferred_address has been assigned to GRUB_LINUX_BZIMAGE_ADDR |
566 | + during initialization in grub_cmd_linux(). The assignment here |
567 | + is redundant and should be removed. |
568 | + |
569 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
570 | + |
571 | +2021-03-02 Heinrich Schuchardt <xypron.glpk@gmx.de> |
572 | + |
573 | + efi: The device-tree must be in EfiACPIReclaimMemory |
574 | + According to the Embedded Base Boot Requirements (EBBR) specification the |
575 | + device-tree passed to Linux as a configuration table must reside in |
576 | + EfiACPIReclaimMemory. |
577 | + |
578 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
579 | + |
580 | +2021-03-02 Heinrich Schuchardt <xypron.glpk@gmx.de> |
581 | + |
582 | + commands/efi/lsefisystab: Add short text for EFI_RT_PROPERTIES_TABLE_GUID |
583 | + UEFI specification 2.8 errata B introduced the EFI_RT_PROPERTIES_TABLE |
584 | + describing the services available at runtime. |
585 | + |
586 | + The lsefisystab command is used to display installed EFI configuration |
587 | + tables. Currently it only shows the GUID but not a short text for the |
588 | + new table. |
589 | + |
590 | + Provide a short text for the EFI_RT_PROPERTIES_TABLE_GUID. |
591 | + |
592 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
593 | + |
594 | +2021-03-02 Petr Vorel <pvorel@suse.cz> |
595 | + |
596 | + docs/luks2: Mention key derivation function support |
597 | + To give users hint why Argon2, the default in cryptsetup for LUKS2, does |
598 | + not work. |
599 | + |
600 | + Acked-by: Paul Menzel <pmenzel@molgen.mpg.de> |
601 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
602 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
603 | + |
604 | +2021-03-02 Derek Foreman <derek@endlessos.org> |
605 | + |
606 | + commands/file: Fix array/enum desync |
607 | + The commit f1957dc8a (RISC-V: Add to build system) added two entries to |
608 | + the options array, but only 1 entry to the enum. This resulted in |
609 | + everything after the insertion point being off by one. |
610 | + |
611 | + This broke at least the "file --is-hibernated-hiberfil" command. |
612 | + |
613 | + Bring the two back in sync by splitting the IS_RISCV_EFI enum entry into |
614 | + two, as is done for other architectures. |
615 | + |
616 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
617 | + |
618 | +2021-03-02 Marco A Benatto <mbenatto@redhat.com> |
619 | + |
620 | + kern/mm: Fix grub_debug_calloc() compilation error |
621 | + Fix compilation error due to missing parameter to |
622 | + grub_printf() when MM_DEBUG is defined. |
623 | + |
624 | + Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available) |
625 | + |
626 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
627 | + |
628 | +2021-03-02 Alex Burmashev <alexander.burmashev@oracle.com> |
629 | + |
630 | + templates: Disable the os-prober by default |
631 | + The os-prober is enabled by default what may lead to potentially |
632 | + dangerous use cases and borderline opening attack vectors. This |
633 | + patch disables the os-prober, adds warning messages and updates |
634 | + GRUB_DISABLE_OS_PROBER configuration option documentation. This |
635 | + way we make it clear that the os-prober usage is not recommended. |
636 | + |
637 | + Simplistic nature of this change allows downstream vendors, who |
638 | + really want os-prober to be enabled out of the box in their |
639 | + relevant products, easily revert to it's old behavior. |
640 | + |
641 | + Reported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec), |
642 | + working with SSD Secure Disclosure |
643 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
644 | + |
645 | +2021-03-02 Thomas Frauendorfer | Miray Software <tf@miray.de> |
646 | + |
647 | + gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label |
648 | + The gui_progress_bar and gui_label components can display the timeout |
649 | + value. The format string can be set through a theme file. This patch |
650 | + adds a validation step to the format string. |
651 | + |
652 | + If a user loads a theme file into the GRUB without this patch then |
653 | + a GUI label with the following settings |
654 | + |
655 | + + label { |
656 | + ... |
657 | + id = "__timeout__" |
658 | + text = "%s" |
659 | + } |
660 | + |
661 | + will interpret the current timeout value as string pointer and print the |
662 | + memory at that position on the screen. It is not desired behavior. |
663 | + |
664 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
665 | + |
666 | +2021-03-02 Thomas Frauendorfer | Miray Software <tf@miray.de> |
667 | + |
668 | + kern/misc: Add function to check printf() format against expected format |
669 | + The grub_printf_fmt_check() function parses the arguments of an untrusted |
670 | + printf() format and an expected printf() format and then compares the |
671 | + arguments counts and arguments types. The arguments count in the untrusted |
672 | + format string must be less or equal to the arguments count in the expected |
673 | + format string and both arguments types must match. |
674 | + |
675 | + To do this the parse_printf_arg_fmt() helper function is extended in the |
676 | + following way: |
677 | + |
678 | + 1. Add a return value to report errors to the grub_printf_fmt_check(). |
679 | + |
680 | + 2. Add the fmt_check argument to enable stricter format verification: |
681 | + - the function expects that arguments definitions are always |
682 | + terminated by a supported conversion specifier. |
683 | + - positional parameters, "$", are not allowed, as they cannot be |
684 | + validated correctly with the current implementation. For example |
685 | + "%s%1$d" would assign the first args entry twice while leaving the |
686 | + second one unchanged. |
687 | + - Return an error if preallocated space in args is too small and |
688 | + allocation fails for the needed size. The grub_printf_fmt_check() |
689 | + should verify all arguments. So, if validation is not possible for |
690 | + any reason it should return an error. |
691 | + This also adds a case entry to handle "%%", which is the escape |
692 | + sequence to print "%" character. |
693 | + |
694 | + 3. Add the max_args argument to check for the maximum allowed arguments |
695 | + count in a printf() string. This should be set to the arguments count |
696 | + of the expected format. Then the parse_printf_arg_fmt() function will |
697 | + return an error if the arguments count is exceeded. |
698 | + |
699 | + The two additional arguments allow us to use parse_printf_arg_fmt() in |
700 | + printf() and grub_printf_fmt_check() calls. |
701 | + |
702 | + When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the |
703 | + function parse user provided untrusted format string too. So, in |
704 | + that case it is better to be too strict than too lenient. |
705 | + |
706 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
707 | + |
708 | +2021-03-02 Thomas Frauendorfer | Miray Software <tf@miray.de> |
709 | + |
710 | + kern/misc: Add STRING type for internal printf() format handling |
711 | + Set printf() argument type for "%s" to new type STRING. This is in |
712 | + preparation for a follow up patch to compare a printf() format string |
713 | + against an expected printf() format string. |
714 | + |
715 | + For "%s" the corresponding printf() argument is dereferenced as pointer |
716 | + while all other argument types are defined as integer value. However, |
717 | + when validating a printf() format it is necessary to differentiate "%s" |
718 | + from "%p" and other integers. So, let's do that. |
719 | + |
720 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
721 | + |
722 | +2021-03-02 Thomas Frauendorfer | Miray Software <tf@miray.de> |
723 | + |
724 | + kern/misc: Split parse_printf_args() into format parsing and va_list handling |
725 | + This patch is preparing for a follow up patch which will use |
726 | + the format parsing part to compare the arguments in a printf() |
727 | + format from an external source against a printf() format with |
728 | + expected arguments. |
729 | + |
730 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
731 | + |
732 | +2021-03-02 Dimitri John Ledkov <xnox@ubuntu.com> |
733 | + |
734 | + shim_lock: Only skip loading shim_lock verifier with explicit consent |
735 | + Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock |
736 | + protocol is found and SB enabled) reintroduced CVE-2020-15705 which |
737 | + previously only existed in the out-of-tree linuxefi patches and was |
738 | + fixed as part of the BootHole patch series. |
739 | + |
740 | + Under Secure Boot enforce loading shim_lock verifier. Allow skipping |
741 | + shim_lock verifier if SecureBoot/MokSBState EFI variables indicate |
742 | + skipping validations, or if GRUB image is built with --disable-shim-lock. |
743 | + |
744 | + Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock |
745 | + protocol is found and SB enabled) |
746 | + Fixes: CVE-2020-15705 |
747 | + Fixes: CVE-2021-3418 |
748 | + |
749 | + Reported-by: Dimitri John Ledkov <xnox@ubuntu.com> |
750 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
751 | + |
752 | +2021-03-02 Dimitri John Ledkov <xnox@ubuntu.com> |
753 | + |
754 | + grub-install-common: Add --sbat option |
755 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
756 | + |
757 | +2021-03-02 Peter Jones <pjones@redhat.com> |
758 | + |
759 | + util/mkimage: Add an option to import SBAT metadata into a .sbat section |
760 | + Add a --sbat option to the grub-mkimage tool which allows us to import |
761 | + an SBAT metadata formatted as a CSV file into a .sbat section of the |
762 | + EFI binary. |
763 | + |
764 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
765 | + |
766 | +2021-03-02 Peter Jones <pjones@redhat.com> |
767 | + |
768 | + util/mkimage: Refactor section setup to use a helper |
769 | + Add a init_pe_section() helper function to setup PE sections. This makes |
770 | + the code simpler and easier to read. |
771 | + |
772 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
773 | + |
774 | +2021-03-02 Peter Jones <pjones@redhat.com> |
775 | + |
776 | + util/mkimage: Improve data_size value calculation |
777 | + According to "Microsoft Portable Executable and Common Object File Format |
778 | + Specification", the Optional Header SizeOfInitializedData field contains: |
779 | + |
780 | + Size of the initialized data section, or the sum of all such sections if |
781 | + there are multiple data sections. |
782 | + |
783 | + Make this explicit by adding the GRUB kernel data size to the sum of all |
784 | + the modules sizes. The ALIGN_UP() is not required by the PE spec but do |
785 | + it to avoid alignment issues. |
786 | + |
787 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
788 | + |
789 | +2021-03-02 Peter Jones <pjones@redhat.com> |
790 | + |
791 | + util/mkimage: Reorder PE optional header fields set-up |
792 | + This makes the PE32 and PE32+ header fields set-up easier to follow by |
793 | + setting them closer to the initialization of their related sections. |
794 | + |
795 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
796 | + |
797 | +2021-03-02 Peter Jones <pjones@redhat.com> |
798 | + |
799 | + util/mkimage: Unify more of the PE32 and PE32+ header set-up |
800 | + There's quite a bit of code duplication in the code that sets the optional |
801 | + header for PE32 and PE32+. The two are very similar with the exception of |
802 | + a few fields that have type grub_uint64_t instead of grub_uint32_t. |
803 | + |
804 | + Factor out the common code and add a PE_OHDR() macro that simplifies the |
805 | + set-up and make the code more readable. |
806 | + |
807 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
808 | + |
809 | +2021-03-02 Peter Jones <pjones@redhat.com> |
810 | + |
811 | + util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff |
812 | + This change does not impact final result of initialization itself. |
813 | + However, it eases PE code unification in subsequent patches. |
814 | + |
815 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
816 | + |
817 | +2021-03-02 Peter Jones <pjones@redhat.com> |
818 | + |
819 | + util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32() |
820 | + The latter doesn't take into account the target image endianness. There is |
821 | + a grub_cpu_to_le32_compile_time() but no compile time variant for function |
822 | + grub_host_to_target32(). So, let's keep using the other one for this case. |
823 | + |
824 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
825 | + |
826 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
827 | + |
828 | + util/mkimage: Remove unused code to add BSS section |
829 | + The code is compiled out so there is no reason to keep it. |
830 | + |
831 | + Additionally, don't set bss_size field since we do not add a BSS section. |
832 | + |
833 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
834 | + |
835 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
836 | + |
837 | + kern/efi: Add initial stack protector implementation |
838 | + It works only on UEFI platforms but can be quite easily extended to |
839 | + others architectures and platforms if needed. |
840 | + |
841 | + Reviewed-by: Marco A Benatto <mbenatto@redhat.com> |
842 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
843 | + |
844 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
845 | + |
846 | + kern/parser: Fix a stack buffer overflow |
847 | + grub_parser_split_cmdline() expands variable names present in the supplied |
848 | + command line in to their corresponding variable contents and uses a 1 kiB |
849 | + stack buffer for temporary storage without sufficient bounds checking. If |
850 | + the function is called with a command line that references a variable with |
851 | + a sufficiently large payload, it is possible to overflow the stack |
852 | + buffer via tab completion, corrupt the stack frame and potentially |
853 | + control execution. |
854 | + |
855 | + Fixes: CVE-2020-27749 |
856 | + |
857 | + Reported-by: Chris Coulson <chris.coulson@canonical.com> |
858 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
859 | + |
860 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
861 | + |
862 | + kern/buffer: Add variable sized heap buffer |
863 | + Add a new variable sized heap buffer type (grub_buffer_t) with simple |
864 | + operations for appending data, accessing the data and maintaining |
865 | + a read cursor. |
866 | + |
867 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
868 | + |
869 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
870 | + |
871 | + kern/parser: Refactor grub_parser_split_cmdline() cleanup |
872 | + Introduce a common function epilogue used for cleaning up on all |
873 | + return paths, which will simplify additional error handling to be |
874 | + introduced in a subsequent commit. |
875 | + |
876 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
877 | + |
878 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
879 | + |
880 | + kern/parser: Introduce terminate_arg() helper |
881 | + process_char() and grub_parser_split_cmdline() use similar code for |
882 | + terminating the most recent argument. Add a helper function for this. |
883 | + |
884 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
885 | + |
886 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
887 | + |
888 | + kern/parser: Introduce process_char() helper |
889 | + grub_parser_split_cmdline() iterates over each command line character. |
890 | + In order to add error checking and to simplify the subsequent error |
891 | + handling, split the character processing in to a separate function. |
892 | + |
893 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
894 | + |
895 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
896 | + |
897 | + kern/parser: Fix a memory leak |
898 | + The getline() function supplied to grub_parser_split_cmdline() returns |
899 | + a newly allocated buffer and can be called multiple times, but the |
900 | + returned buffer is never freed. |
901 | + |
902 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
903 | + |
904 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
905 | + |
906 | + fs/btrfs: Squash some uninitialized reads |
907 | + We need to check errors before calling into a function that uses the result. |
908 | + |
909 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
910 | + |
911 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
912 | + |
913 | + fs/btrfs: Validate the number of stripes/parities in RAID5/6 |
914 | + This prevents a divide by zero if nstripes == nparities, and |
915 | + also prevents propagation of invalid values if nstripes ends up |
916 | + less than nparities. |
917 | + |
918 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
919 | + |
920 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
921 | + |
922 | + disk/lvm: Do not allow a LV to be it's own segment's node's LV |
923 | + This prevents infinite recursion in the diskfilter verification code. |
924 | + |
925 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
926 | + |
927 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
928 | + |
929 | + disk/lvm: Sanitize rlocn->offset to prevent wild read |
930 | + rlocn->offset is read directly from disk and added to the metadatabuf |
931 | + pointer to create a pointer to a block of metadata. It's a 64-bit |
932 | + quantity so as long as you don't overflow you can set subsequent |
933 | + pointers to point anywhere in memory. |
934 | + |
935 | + Require that rlocn->offset fits within the metadata buffer size. |
936 | + |
937 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
938 | + |
939 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
940 | + |
941 | + disk/lvm: Do not overread metadata |
942 | + We could reach the end of valid metadata and not realize, leading to |
943 | + some buffer overreads. Check if we have reached the end and bail. |
944 | + |
945 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
946 | + |
947 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
948 | + |
949 | + disk/lvm: Do not crash if an expected string is not found |
950 | + Clean up a bunch of cases where we could have strstr() fail and lead to |
951 | + us dereferencing NULL. |
952 | + |
953 | + We'll still leak memory in some cases (loops don't clean up allocations |
954 | + from earlier iterations if a later iteration fails) but at least we're |
955 | + not crashing. |
956 | + |
957 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
958 | + |
959 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
960 | + |
961 | + disk/lvm: Bail on missing PV list |
962 | + There's an if block for the presence of "physical_volumes {", but if |
963 | + that block is absent, then p remains NULL and a NULL-deref will result |
964 | + when looking for logical volumes. |
965 | + |
966 | + It doesn't seem like LVM makes sense without physical volumes, so error |
967 | + out rather than crashing. |
968 | + |
969 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
970 | + |
971 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
972 | + |
973 | + disk/lvm: Don't blast past the end of the circular metadata buffer |
974 | + This catches at least some OOB reads, and it's possible I suppose that |
975 | + if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some |
976 | + OOB writes too (although that hasn't showed up as a crash in fuzzing yet). |
977 | + |
978 | + It's a bit ugly and I'd appreciate better suggestions. |
979 | + |
980 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
981 | + |
982 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
983 | + |
984 | + disk/lvm: Don't go beyond the end of the data we read from disk |
985 | + We unconditionally trusted offset_xl from the LVM label header, even if |
986 | + it told us that the PV header/disk locations were way off past the end |
987 | + of the data we read from disk. |
988 | + |
989 | + Require that the offset be sane, fixing an OOB read and crash. |
990 | + |
991 | + Fixes: CID 314367, CID 314371 |
992 | + |
993 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
994 | + |
995 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
996 | + |
997 | + io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails |
998 | + If huft_build() fails, gzio->tl or gzio->td could contain pointers that |
999 | + are no longer valid. Zero them out. |
1000 | + |
1001 | + This prevents a double free when grub_gzio_close() comes through and |
1002 | + attempts to free them again. |
1003 | + |
1004 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1005 | + |
1006 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1007 | + |
1008 | + io/gzio: Catch missing values in huft_build() and bail |
1009 | + In huft_build(), "v" is a table of values in order of bit length. |
1010 | + The code later (when setting up table entries in "r") assumes that all |
1011 | + elements of this array corresponding to a code are initialized and less |
1012 | + than N_MAX. However, it doesn't enforce this. |
1013 | + |
1014 | + With sufficiently manipulated inputs (e.g. from fuzzing), there can be |
1015 | + elements of "v" that are not filled. Therefore a lookup into "e" or "d" |
1016 | + will use an uninitialized value. This can lead to an invalid/OOB read on |
1017 | + those values, often leading to a crash. |
1018 | + |
1019 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1020 | + |
1021 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1022 | + |
1023 | + io/gzio: Add init_dynamic_block() clean up if unpacking codes fails |
1024 | + init_dynamic_block() didn't clean up gzio->tl and td in some error |
1025 | + paths. This left td pointing to part of tl. Then in grub_gzio_close(), |
1026 | + when tl was freed the storage for td would also be freed. The code then |
1027 | + attempts to free td explicitly, performing a UAF and then a double free. |
1028 | + |
1029 | + Explicitly clean up tl and td in the error paths. |
1030 | + |
1031 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1032 | + |
1033 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1034 | + |
1035 | + io/gzio: Bail if gzio->tl/td is NULL |
1036 | + This is an ugly fix that doesn't address why gzio->tl comes to be NULL. |
1037 | + However, it seems to be sufficient to patch up a bunch of NULL derefs. |
1038 | + |
1039 | + It would be good to revisit this in future and see if we can have |
1040 | + a cleaner solution that addresses some of the causes of the unexpected |
1041 | + NULL pointers. |
1042 | + |
1043 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1044 | + |
1045 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1046 | + |
1047 | + fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup() |
1048 | + We just introduced an error return in grub_nilfs2_btree_node_lookup(). |
1049 | + Make sure the callers catch it. |
1050 | + |
1051 | + At the same time, make sure that grub_nilfs2_btree_node_lookup() always |
1052 | + inits the index pointer passed to it. |
1053 | + |
1054 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1055 | + |
1056 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1057 | + |
1058 | + fs/nilfs2: Don't search children if provided number is too large |
1059 | + NILFS2 reads the number of children a node has from the node. Unfortunately, |
1060 | + that's not trustworthy. Check if it's beyond what the filesystem permits and |
1061 | + reject it if so. |
1062 | + |
1063 | + This blocks some OOB reads. I'm not sure how controllable the read is and what |
1064 | + could be done with invalidly read data later on. |
1065 | + |
1066 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1067 | + |
1068 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1069 | + |
1070 | + fs/nilfs2: Reject too-large keys |
1071 | + NILFS2 has up to 7 keys, per the data structure. Do not permit array |
1072 | + indices in excess of that. |
1073 | + |
1074 | + This catches some OOB reads. I don't know how controllable the invalidly |
1075 | + read data is or if that could be used later in the program. |
1076 | + |
1077 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1078 | + |
1079 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1080 | + |
1081 | + fs/jfs: Catch infinite recursion |
1082 | + It's possible with a fuzzed filesystem for JFS to keep getblk()-ing |
1083 | + the same data over and over again, leading to stack exhaustion. |
1084 | + |
1085 | + Check if we'd be calling the function with exactly the same data as |
1086 | + was passed in, and if so abort. |
1087 | + |
1088 | + I'm not sure what the performance impact of this is and am open to |
1089 | + better ideas. |
1090 | + |
1091 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1092 | + |
1093 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1094 | + |
1095 | + fs/jfs: Limit the extents that getblk() can consider |
1096 | + getblk() implicitly trusts that treehead->count is an accurate count of |
1097 | + the number of extents. However, that value is read from disk and is not |
1098 | + trustworthy, leading to OOB reads and crashes. I am not sure to what |
1099 | + extent the data read from OOB can influence subsequent program execution. |
1100 | + |
1101 | + Require callers to pass in the maximum number of extents for which |
1102 | + they have storage. |
1103 | + |
1104 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1105 | + |
1106 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1107 | + |
1108 | + fs/jfs: Do not move to leaf level if name length is negative |
1109 | + Fuzzing JFS revealed crashes where a negative number would be passed |
1110 | + to le_to_cpu16_copy(). There it would be cast to a large positive number |
1111 | + and the copy would read and write off the end of the respective buffers. |
1112 | + |
1113 | + Catch this at the top as well as the bottom of the loop. |
1114 | + |
1115 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1116 | + |
1117 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1118 | + |
1119 | + fs/sfs: Fix over-read of root object name |
1120 | + There's a read of the name of the root object that assumes that the name |
1121 | + is nul-terminated within the root block. This isn't guaranteed - it seems |
1122 | + SFS would require you to read multiple blocks to get a full name in general, |
1123 | + but maybe that doesn't apply to the root object. |
1124 | + |
1125 | + Either way, figure out how much space is left in the root block and don't |
1126 | + over-read it. This fixes some OOB reads. |
1127 | + |
1128 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1129 | + |
1130 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1131 | + |
1132 | + fs/hfs: Disable under lockdown |
1133 | + HFS has issues such as infinite mutual recursion that are simply too |
1134 | + complex to fix for such a legacy format. So simply do not permit |
1135 | + it to be loaded under lockdown. |
1136 | + |
1137 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1138 | + |
1139 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1140 | + |
1141 | + fs/hfsplus: Don't use uninitialized data on corrupt filesystems |
1142 | + Valgrind identified the following use of uninitialized data: |
1143 | + |
1144 | + ==2782220== Conditional jump or move depends on uninitialised value(s) |
1145 | + ==2782220== at 0x42B364: grub_hfsplus_btree_search (hfsplus.c:566) |
1146 | + ==2782220== by 0x42B21D: grub_hfsplus_read_block (hfsplus.c:185) |
1147 | + ==2782220== by 0x42A693: grub_fshelp_read_file (fshelp.c:386) |
1148 | + ==2782220== by 0x42C598: grub_hfsplus_read_file (hfsplus.c:219) |
1149 | + ==2782220== by 0x42C598: grub_hfsplus_mount (hfsplus.c:330) |
1150 | + ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958) |
1151 | + ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73) |
1152 | + ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186) |
1153 | + ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284) |
1154 | + ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55) |
1155 | + ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59) |
1156 | + ==2782220== by 0x4045A6: fstest (grub-fstest.c:433) |
1157 | + ==2782220== by 0x4045A6: main (grub-fstest.c:772) |
1158 | + ==2782220== Uninitialised value was created by a heap allocation |
1159 | + ==2782220== at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) |
1160 | + ==2782220== by 0x4C0305: grub_malloc (mm.c:42) |
1161 | + ==2782220== by 0x42C21D: grub_hfsplus_mount (hfsplus.c:239) |
1162 | + ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958) |
1163 | + ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73) |
1164 | + ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186) |
1165 | + ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284) |
1166 | + ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55) |
1167 | + ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59) |
1168 | + ==2782220== by 0x4045A6: fstest (grub-fstest.c:433) |
1169 | + ==2782220== by 0x4045A6: main (grub-fstest.c:772) |
1170 | + |
1171 | + This happens when the process of reading the catalog file goes sufficiently |
1172 | + wrong that there's an attempt to read the extent overflow file, which has |
1173 | + not yet been loaded. Keep track of when the extent overflow file is |
1174 | + fully loaded and refuse to use it before then. |
1175 | + |
1176 | + The load valgrind doesn't like is btree->nodesize, and that's then used |
1177 | + to allocate a data structure. It looks like there are subsequently a lot |
1178 | + of reads based on that pointer so OOB reads are likely, and indeed crashes |
1179 | + (albeit difficult-to-replicate ones) have been observed in fuzzing. |
1180 | + |
1181 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1182 | + |
1183 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1184 | + |
1185 | + fs/hfsplus: Don't fetch a key beyond the end of the node |
1186 | + Otherwise you get a wild pointer, leading to a bunch of invalid reads. |
1187 | + Check it falls inside the given node. |
1188 | + |
1189 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1190 | + |
1191 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1192 | + |
1193 | + fs/fshelp: Catch impermissibly large block sizes in read helper |
1194 | + A fuzzed HFS+ filesystem had log2blocksize = 22. This gave |
1195 | + log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000, |
1196 | + which is -1 as an int. This caused some wacky behavior later on in |
1197 | + the function, leading to out-of-bounds writes on the destination buffer. |
1198 | + |
1199 | + Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter, |
1200 | + but this is the minimum that will prevent integer size weirdness. |
1201 | + |
1202 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1203 | + |
1204 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1205 | + |
1206 | + term/gfxterm: Don't set up a font with glyphs that are too big |
1207 | + Catch the case where we have a font so big that it causes the number of |
1208 | + rows or columns to be 0. Currently we continue and allocate a |
1209 | + virtual_screen.text_buffer of size 0. We then try to use that for glpyhs |
1210 | + and things go badly. |
1211 | + |
1212 | + On the emu platform, malloc() may give us a valid pointer, in which case |
1213 | + we'll access heap memory which we shouldn't. Alternatively, it may give us |
1214 | + NULL, in which case we'll crash. For other platforms, if I understand |
1215 | + grub_memalign() correctly, we will receive a valid but small allocation |
1216 | + that we will very likely later overrun. |
1217 | + |
1218 | + Prevent the creation of a virtual screen that isn't at least 40 cols |
1219 | + by 12 rows. This is arbitrary, but it seems that if your width or height |
1220 | + is half a standard 80x24 terminal, you're probably going to struggle to |
1221 | + read anything anyway. |
1222 | + |
1223 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1224 | + |
1225 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1226 | + |
1227 | + video/readers/jpeg: Don't decode data before start of stream |
1228 | + When a start of stream marker is encountered, we call grub_jpeg_decode_sos() |
1229 | + which allocates space for a bitmap. |
1230 | + |
1231 | + When a restart marker is encountered, we call grub_jpeg_decode_data() which |
1232 | + then fills in that bitmap. |
1233 | + |
1234 | + If we get a restart marker before the start of stream marker, we will |
1235 | + attempt to write to a bitmap_ptr that hasn't been allocated. Catch this |
1236 | + and bail out. This fixes an attempt to write to NULL. |
1237 | + |
1238 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1239 | + |
1240 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1241 | + |
1242 | + video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du() |
1243 | + The key line is: |
1244 | + |
1245 | + du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; |
1246 | + |
1247 | + jpeg_zigzag_order is grub_uint8_t[64]. |
1248 | + |
1249 | + I don't understand JPEG decoders quite well enough to explain what's |
1250 | + going on here. However, I observe sometimes pos=64, which leads to an |
1251 | + OOB read of the jpeg_zigzag_order global then an OOB write to du. |
1252 | + That leads to various unpleasant memory corruption conditions. |
1253 | + |
1254 | + Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. |
1255 | + |
1256 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1257 | + |
1258 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1259 | + |
1260 | + video/readers/jpeg: Catch files with unsupported quantization or Huffman tables |
1261 | + Our decoder only supports 2 quantization tables. If a file asks for |
1262 | + a quantization table with index > 1, reject it. |
1263 | + |
1264 | + Similarly, our decoder only supports 4 Huffman tables. If a file asks |
1265 | + for a Huffman table with index > 3, reject it. |
1266 | + |
1267 | + This fixes some out of bounds reads. It's not clear what degree of control |
1268 | + over subsequent execution could be gained by someone who can carefully |
1269 | + set up the contents of memory before loading an invalid JPEG file. |
1270 | + |
1271 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1272 | + |
1273 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1274 | + |
1275 | + kern/misc: Always set *end in grub_strtoull() |
1276 | + Currently, if there is an error in grub_strtoull(), *end is not set. |
1277 | + This differs from the usual behavior of strtoull(), and also means that |
1278 | + some callers may use an uninitialized value for *end. |
1279 | + |
1280 | + Set *end unconditionally. |
1281 | + |
1282 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1283 | + |
1284 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1285 | + |
1286 | + commands/menuentry: Fix quoting in setparams_prefix() |
1287 | + Commit 9acdcbf32542 (use single quotes in menuentry setparams command) |
1288 | + says that expressing a quoted single quote will require 3 characters. It |
1289 | + actually requires (and always did require!) 4 characters: |
1290 | + |
1291 | + str: a'b => a'\''b |
1292 | + len: 3 => 6 (2 for the letters + 4 for the quote) |
1293 | + |
1294 | + This leads to not allocating enough memory and thus out of bounds writes |
1295 | + that have been observed to cause heap corruption. |
1296 | + |
1297 | + Allocate 4 bytes for each single quote. |
1298 | + |
1299 | + Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same |
1300 | + quoting, but it adds 3 as extra overhead on top of the single byte that |
1301 | + the quote already needs. So it's correct. |
1302 | + |
1303 | + Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command) |
1304 | + Fixes: CVE-2021-20233 |
1305 | + |
1306 | + Reported-by: Daniel Axtens <dja@axtens.net> |
1307 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1308 | + |
1309 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1310 | + |
1311 | + script/execute: Don't crash on a "for" loop with no items |
1312 | + The following crashes the parser: |
1313 | + |
1314 | + for x in; do |
1315 | + 0 |
1316 | + done |
1317 | + |
1318 | + This is because grub_script_arglist_to_argv() doesn't consider the |
1319 | + possibility that arglist is NULL. Catch that explicitly. |
1320 | + |
1321 | + This avoids a NULL pointer dereference. |
1322 | + |
1323 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1324 | + |
1325 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1326 | + |
1327 | + lib/arg: Block repeated short options that require an argument |
1328 | + Fuzzing found the following crash: |
1329 | + |
1330 | + search -hhhhhhhhhhhhhf |
1331 | + |
1332 | + We didn't allocate enough option space for 13 hints because the |
1333 | + allocation code counts the number of discrete arguments (i.e. argc). |
1334 | + However, the shortopt parsing code will happily keep processing |
1335 | + a combination of short options without checking if those short |
1336 | + options require an argument. This means you can easily end writing |
1337 | + past the allocated option space. |
1338 | + |
1339 | + This fixes a OOB write which can cause heap corruption. |
1340 | + |
1341 | + Fixes: CVE-2021-20225 |
1342 | + |
1343 | + Reported-by: Daniel Axtens <dja@axtens.net> |
1344 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1345 | + |
1346 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1347 | + |
1348 | + script/execute: Avoid crash when using "$#" outside a function scope |
1349 | + "$#" represents the number of arguments to a function. It is only |
1350 | + defined in a function scope, where "scope" is non-NULL. Currently, |
1351 | + if we attempt to evaluate "$#" outside a function scope, "scope" will |
1352 | + be NULL and we will crash with a NULL pointer dereference. |
1353 | + |
1354 | + Do not attempt to count arguments for "$#" if "scope" is NULL. This |
1355 | + will result in "$#" being interpreted as an empty string if evaluated |
1356 | + outside a function scope. |
1357 | + |
1358 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1359 | + |
1360 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1361 | + |
1362 | + commands/ls: Require device_name is not NULL before printing |
1363 | + This can be triggered with: |
1364 | + ls -l (0 0*) |
1365 | + and causes a NULL deref in grub_normal_print_device_info(). |
1366 | + |
1367 | + I'm not sure if there's any implication with the IEEE 1275 platform. |
1368 | + |
1369 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1370 | + |
1371 | +2021-03-02 Daniel Axtens <dja@axtens.net> |
1372 | + |
1373 | + script/execute: Fix NULL dereference in grub_script_execute_cmdline() |
1374 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1375 | + |
1376 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1377 | + |
1378 | + util/glue-efi: Fix incorrect use of a possibly negative value |
1379 | + It is possible for the ftell() function to return a negative value, |
1380 | + although it is fairly unlikely here, we should be checking for |
1381 | + a negative value before we assign it to an unsigned value. |
1382 | + |
1383 | + Fixes: CID 73744 |
1384 | + |
1385 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1386 | + |
1387 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1388 | + |
1389 | + util/grub-editenv: Fix incorrect casting of a signed value |
1390 | + The return value of ftell() may be negative (-1) on error. While it is |
1391 | + probably unlikely to occur, we should not blindly cast to an unsigned |
1392 | + value without first testing that it is not negative. |
1393 | + |
1394 | + Fixes: CID 73856 |
1395 | + |
1396 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1397 | + |
1398 | +2021-03-02 Daniel Kiper <daniel.kiper@oracle.com> |
1399 | + |
1400 | + util/grub-install: Fix NULL pointer dereferences |
1401 | + Two grub_device_open() calls does not have associated NULL checks |
1402 | + for returned values. Fix that and appease the Coverity. |
1403 | + |
1404 | + Fixes: CID 314583 |
1405 | + |
1406 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
1407 | + |
1408 | +2021-03-02 Paulo Flabiano Smorigo <pfsmorigo@canonical.com> |
1409 | + |
1410 | + loader/xnu: Check if pointer is NULL before using it |
1411 | + Fixes: CID 73654 |
1412 | + |
1413 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1414 | + |
1415 | +2021-03-02 Marco A Benatto <mbenatto@redhat.com> |
1416 | + |
1417 | + loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap() |
1418 | + ... to avoid memory leaks. |
1419 | + |
1420 | + Fixes: CID 96640 |
1421 | + |
1422 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1423 | + |
1424 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1425 | + |
1426 | + loader/xnu: Fix memory leak |
1427 | + The code here is finished with the memory stored in name, but it only |
1428 | + frees it if there curvalue is valid, while it could actually free it |
1429 | + regardless. |
1430 | + |
1431 | + The fix is a simple relocation of the grub_free() to before the test |
1432 | + of curvalue. |
1433 | + |
1434 | + Fixes: CID 96646 |
1435 | + |
1436 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1437 | + |
1438 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1439 | + |
1440 | + loader/bsd: Check for NULL arg up-front |
1441 | + The code in the next block suggests that it is possible for .set to be |
1442 | + true but .arg may still be NULL. |
1443 | + |
1444 | + This code assumes that it is never NULL, yet later is testing if it is |
1445 | + NULL - that is inconsistent. |
1446 | + |
1447 | + So we should check first if .arg is not NULL, and remove this check that |
1448 | + is being flagged by Coverity since it is no longer required. |
1449 | + |
1450 | + Fixes: CID 292471 |
1451 | + |
1452 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1453 | + |
1454 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1455 | + |
1456 | + gfxmenu/gui_list: Remove code that coverity is flagging as dead |
1457 | + The test of value for NULL before calling grub_strdup() is not required, |
1458 | + since the if condition prior to this has already tested for value being |
1459 | + NULL and cannot reach this code if it is. |
1460 | + |
1461 | + Fixes: CID 73659 |
1462 | + |
1463 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1464 | + |
1465 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1466 | + |
1467 | + video/readers/jpeg: Test for an invalid next marker reference from a jpeg file |
1468 | + While it may never happen, and potentially could be caught at the end of |
1469 | + the function, it is worth checking up front for a bad reference to the |
1470 | + next marker just in case of a maliciously crafted file being provided. |
1471 | + |
1472 | + Fixes: CID 73694 |
1473 | + |
1474 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1475 | + |
1476 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1477 | + |
1478 | + video/fb/video_fb: Fix possible integer overflow |
1479 | + It is minimal possibility that the values being used here will overflow. |
1480 | + So, change the code to use the safemath function grub_mul() to ensure |
1481 | + that doesn't happen. |
1482 | + |
1483 | + Fixes: CID 73761 |
1484 | + |
1485 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1486 | + |
1487 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1488 | + |
1489 | + video/fb/video_fb: Fix multiple integer overflows |
1490 | + The calculation of the unsigned 64-bit value is being generated by |
1491 | + multiplying 2, signed or unsigned, 32-bit integers which may overflow |
1492 | + before promotion to unsigned 64-bit. Fix all of them. |
1493 | + |
1494 | + Fixes: CID 73703, CID 73767, CID 73833 |
1495 | + |
1496 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1497 | + |
1498 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1499 | + |
1500 | + video/fb/fbfill: Fix potential integer overflow |
1501 | + The multiplication of 2 unsigned 32-bit integers may overflow before |
1502 | + promotion to unsigned 64-bit. We should ensure that the multiplication |
1503 | + is done with overflow detection. Additionally, use grub_sub() for |
1504 | + subtraction. |
1505 | + |
1506 | + Fixes: CID 73640, CID 73697, CID 73702, CID 73823 |
1507 | + |
1508 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1509 | + |
1510 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1511 | + |
1512 | + video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info() |
1513 | + The return value of grub_video_gop_fill_mode_info() is never able to be |
1514 | + anything other than GRUB_ERR_NONE. So, rather than continue to return |
1515 | + a value and checking it each time, it is more correct to redefine the |
1516 | + function to not return anything and remove checks of its return value |
1517 | + altogether. |
1518 | + |
1519 | + Fixes: CID 96701 |
1520 | + |
1521 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1522 | + |
1523 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1524 | + |
1525 | + commands/probe: Fix a resource leak when probing disks |
1526 | + Every other return statement in this code is calling grub_device_close() |
1527 | + to clean up dev before returning. This one should do that too. |
1528 | + |
1529 | + Fixes: CID 292443 |
1530 | + |
1531 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1532 | + |
1533 | +2021-03-02 Chris Coulson <chris.coulson@canonical.com> |
1534 | + |
1535 | + commands/hashsum: Fix a memory leak |
1536 | + check_list() uses grub_file_getline(), which allocates a buffer. |
1537 | + If the hash list file contains invalid lines, the function leaks |
1538 | + this buffer when it returns an error. |
1539 | + |
1540 | + Fixes: CID 176635 |
1541 | + |
1542 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1543 | + |
1544 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1545 | + |
1546 | + normal/completion: Fix leaking of memory when processing a completion |
1547 | + It is possible for the code to reach the end of the function without |
1548 | + freeing the memory allocated to argv and argc still to be 0. |
1549 | + |
1550 | + We should always call grub_free(argv). The grub_free() will handle |
1551 | + a NULL argument correctly if it reaches that code without the memory |
1552 | + being allocated. |
1553 | + |
1554 | + Fixes: CID 96672 |
1555 | + |
1556 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1557 | + |
1558 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1559 | + |
1560 | + syslinux: Fix memory leak while parsing |
1561 | + In syslinux_parse_real() the 2 points where return is being called |
1562 | + didn't release the memory stored in buf which is no longer required. |
1563 | + |
1564 | + Fixes: CID 176634 |
1565 | + |
1566 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1567 | + |
1568 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1569 | + |
1570 | + libgcrypt/mpi: Fix possible NULL dereference |
1571 | + The code in gcry_mpi_scan() assumes that buffer is not NULL, but there |
1572 | + is no explicit check for that, so we add one. |
1573 | + |
1574 | + Fixes: CID 73757 |
1575 | + |
1576 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1577 | + |
1578 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1579 | + |
1580 | + libgcrypt/mpi: Fix possible unintended sign extension |
1581 | + The array of unsigned char gets promoted to a signed 32-bit int before |
1582 | + it is finally promoted to a size_t. There is the possibility that this |
1583 | + may result in the signed-bit being set for the intermediate signed |
1584 | + 32-bit int. We should ensure that the promotion is to the correct type |
1585 | + before we bitwise-OR the values. |
1586 | + |
1587 | + Fixes: CID 96697 |
1588 | + |
1589 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1590 | + |
1591 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1592 | + |
1593 | + affs: Fix memory leaks |
1594 | + The node structure reference is being allocated but not freed if it |
1595 | + reaches the end of the function. If any of the hooks had returned |
1596 | + a non-zero value, then node would have been copied in to the context |
1597 | + reference, but otherwise node is not stored and should be freed. |
1598 | + |
1599 | + Similarly, the call to grub_affs_create_node() replaces the allocated |
1600 | + memory in node with a newly allocated structure, leaking the existing |
1601 | + memory pointed by node. |
1602 | + |
1603 | + Finally, when dir->parent is set, then we again replace node with newly |
1604 | + allocated memory, which seems unnecessary when we copy in the values |
1605 | + from dir->parent immediately after. |
1606 | + |
1607 | + Fixes: CID 73759 |
1608 | + |
1609 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1610 | + |
1611 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1612 | + |
1613 | + zfsinfo: Correct a check for error allocating memory |
1614 | + While arguably the check for grub_errno is correct, we should really be |
1615 | + checking the return value from the function since it is always possible |
1616 | + that grub_errno was set elsewhere, making this code behave incorrectly. |
1617 | + |
1618 | + Fixes: CID 73668 |
1619 | + |
1620 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1621 | + |
1622 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1623 | + |
1624 | + zfs: Fix possible integer overflows |
1625 | + In all cases the problem is that the value being acted upon by |
1626 | + a left-shift is a 32-bit number which is then being used in the |
1627 | + context of a 64-bit number. |
1628 | + |
1629 | + To avoid overflow we ensure that the number being shifted is 64-bit |
1630 | + before the shift is done. |
1631 | + |
1632 | + Fixes: CID 73684, CID 73695, CID 73764 |
1633 | + |
1634 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1635 | + |
1636 | +2021-03-02 Paulo Flabiano Smorigo <pfsmorigo@canonical.com> |
1637 | + |
1638 | + zfs: Fix resource leaks while constructing path |
1639 | + There are several exit points in dnode_get_path() that are causing possible |
1640 | + memory leaks. |
1641 | + |
1642 | + In the while(1) the correct exit mechanism should not be to do a direct return, |
1643 | + but to instead break out of the loop, setting err first if it is not already set. |
1644 | + |
1645 | + The reason behind this is that the dnode_path is a linked list, and while doing |
1646 | + through this loop, it is being allocated and built up - the only way to |
1647 | + correctly unravel it is to traverse it, which is what is being done at the end |
1648 | + of the function outside of the loop. |
1649 | + |
1650 | + Several of the existing exit points correctly did a break, but not all so this |
1651 | + change makes that more consistent and should resolve the leaking of memory as |
1652 | + found by Coverity. |
1653 | + |
1654 | + Fixes: CID 73741 |
1655 | + |
1656 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1657 | + |
1658 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1659 | + |
1660 | + zfs: Fix possible negative shift operation |
1661 | + While it is possible for the return value from zfs_log2() to be zero |
1662 | + (0), it is quite unlikely, given that the previous assignment to blksz |
1663 | + is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the |
1664 | + assignment to epbs. |
1665 | + |
1666 | + But, while unlikely during a normal operation, it may be that a carefully |
1667 | + crafted ZFS filesystem could result in a zero (0) value to the |
1668 | + dn_datalbkszsec field, which means that the shift left does nothing |
1669 | + and assigns zero (0) to blksz, resulting in a negative epbs value. |
1670 | + |
1671 | + Fixes: CID 73608 |
1672 | + |
1673 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1674 | + |
1675 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1676 | + |
1677 | + hfsplus: Check that the volume name length is valid |
1678 | + HFS+ documentation suggests that the maximum filename and volume name is |
1679 | + 255 Unicode characters in length. |
1680 | + |
1681 | + So, when converting from big-endian to little-endian, we should ensure |
1682 | + that the name of the volume has a length that is between 0 and 255, |
1683 | + inclusive. |
1684 | + |
1685 | + Fixes: CID 73641 |
1686 | + |
1687 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1688 | + |
1689 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1690 | + |
1691 | + disk/cryptodisk: Fix potential integer overflow |
1692 | + The encrypt and decrypt functions expect a grub_size_t. So, we need to |
1693 | + ensure that the constant bit shift is using grub_size_t rather than |
1694 | + unsigned int when it is performing the shift. |
1695 | + |
1696 | + Fixes: CID 307788 |
1697 | + |
1698 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1699 | + |
1700 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1701 | + |
1702 | + disk/ldm: Fix memory leak on uninserted lv references |
1703 | + The problem here is that the memory allocated to the variable lv is not |
1704 | + yet inserted into the list that is being processed at the label fail2. |
1705 | + |
1706 | + As we can already see at line 342, which correctly frees lv before going |
1707 | + to fail2, we should also be doing that at these earlier jumps to fail2. |
1708 | + |
1709 | + Fixes: CID 73824 |
1710 | + |
1711 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1712 | + |
1713 | +2021-03-02 Paulo Flabiano Smorigo <pfsmorigo@canonical.com> |
1714 | + |
1715 | + disk/ldm: If failed then free vg variable too |
1716 | + Fixes: CID 73809 |
1717 | + |
1718 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1719 | + |
1720 | +2021-03-02 Marco A Benatto <mbenatto@redhat.com> |
1721 | + |
1722 | + disk/ldm: Make sure comp data is freed before exiting from make_vg() |
1723 | + Several error handling paths in make_vg() do not free comp data before |
1724 | + jumping to fail2 label and returning from the function. This will leak |
1725 | + memory. So, let's fix all issues of that kind. |
1726 | + |
1727 | + Fixes: CID 73804 |
1728 | + |
1729 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1730 | + |
1731 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1732 | + |
1733 | + kern/partition: Check for NULL before dereferencing input string |
1734 | + There is the possibility that the value of str comes from an external |
1735 | + source and continuing to use it before ever checking its validity is |
1736 | + wrong. So, needs fixing. |
1737 | + |
1738 | + Additionally, drop unneeded part initialization. |
1739 | + |
1740 | + Fixes: CID 292444 |
1741 | + |
1742 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1743 | + |
1744 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1745 | + |
1746 | + zstd: Initialize seq_t structure fully |
1747 | + While many compilers will initialize this to zero, not all will, so it |
1748 | + is better to be sure that fields not being explicitly set are at known |
1749 | + values, and there is code that checks this fields value elsewhere in the |
1750 | + code. |
1751 | + |
1752 | + Fixes: CID 292440 |
1753 | + |
1754 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1755 | + |
1756 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1757 | + |
1758 | + io/lzopio: Resolve unnecessary self-assignment errors |
1759 | + These 2 assignments are unnecessary since they are just assigning |
1760 | + to themselves. |
1761 | + |
1762 | + Fixes: CID 73643 |
1763 | + |
1764 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1765 | + |
1766 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1767 | + |
1768 | + gnulib/regcomp: Fix uninitialized re_token |
1769 | + This issue has been fixed in the latest version of gnulib, so to |
1770 | + maintain consistency, I've backported that change rather than doing |
1771 | + something different. |
1772 | + |
1773 | + Fixes: CID 73828 |
1774 | + |
1775 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1776 | + |
1777 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1778 | + |
1779 | + gnulib/regexec: Fix possible null-dereference |
1780 | + It appears to be possible that the mctx->state_log field may be NULL, |
1781 | + and the name of this function, clean_state_log_if_needed(), suggests |
1782 | + that it should be checking that it is valid to be cleaned before |
1783 | + assuming that it does. |
1784 | + |
1785 | + Fixes: CID 86720 |
1786 | + |
1787 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1788 | + |
1789 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1790 | + |
1791 | + gnulib/argp-help: Fix dereference of a possibly NULL state |
1792 | + All other instances of call to __argp_failure() where there is |
1793 | + a dgettext() call is first checking whether state is NULL before |
1794 | + attempting to dereference it to get the root_argp->argp_domain. |
1795 | + |
1796 | + Fixes: CID 292436 |
1797 | + |
1798 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1799 | + |
1800 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1801 | + |
1802 | + gnulib/regcomp: Fix uninitialized token structure |
1803 | + The code is assuming that the value of br_token.constraint was |
1804 | + initialized to zero when it wasn't. |
1805 | + |
1806 | + While some compilers will ensure that, not all do, so it is better to |
1807 | + fix this explicitly than leave it to chance. |
1808 | + |
1809 | + Fixes: CID 73749 |
1810 | + |
1811 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1812 | + |
1813 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1814 | + |
1815 | + gnulib/regexec: Resolve unused variable |
1816 | + This is a really minor issue where a variable is being assigned to but |
1817 | + not checked before it is overwritten again. |
1818 | + |
1819 | + The reason for this issue is that we are not building with DEBUG set and |
1820 | + this in turn means that the assert() that reads the value of the |
1821 | + variable match_last is being processed out. |
1822 | + |
1823 | + The solution, move the assignment to match_last in to an ifdef DEBUG too. |
1824 | + |
1825 | + Fixes: CID 292459 |
1826 | + |
1827 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1828 | + |
1829 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1830 | + |
1831 | + kern/efi/mm: Fix possible NULL pointer dereference |
1832 | + The model of grub_efi_get_memory_map() is that if memory_map is NULL, |
1833 | + then the purpose is to discover how much memory should be allocated to |
1834 | + it for the subsequent call. |
1835 | + |
1836 | + The problem here is that with grub_efi_is_finished set to 1, there is no |
1837 | + check at all that the function is being called with a non-NULL memory_map. |
1838 | + |
1839 | + While this MAY be true, we shouldn't assume it. |
1840 | + |
1841 | + The solution to this is to behave as expected, and if memory_map is NULL, |
1842 | + then don't try to use it and allow memory_map_size to be filled in, and |
1843 | + return 0 as is done later in the code if the buffer is too small (or NULL). |
1844 | + |
1845 | + Additionally, drop unneeded ret = 1. |
1846 | + |
1847 | + Fixes: CID 96632 |
1848 | + |
1849 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1850 | + |
1851 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1852 | + |
1853 | + kern/efi: Fix memory leak on failure |
1854 | + Free the memory allocated to name before returning on failure. |
1855 | + |
1856 | + Fixes: CID 296222 |
1857 | + |
1858 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1859 | + |
1860 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1861 | + |
1862 | + kern/parser: Fix resource leak if argc == 0 |
1863 | + After processing the command-line yet arriving at the point where we are |
1864 | + setting argv, we are allocating memory, even if argc == 0, which makes |
1865 | + no sense since we never put anything into the allocated argv. |
1866 | + |
1867 | + The solution is to simply return that we've successfully processed the |
1868 | + arguments but that argc == 0, and also ensure that argv is NULL when |
1869 | + we're not allocating anything in it. |
1870 | + |
1871 | + There are only 2 callers of this function, and both are handling a zero |
1872 | + value in argc assuming nothing is allocated in argv. |
1873 | + |
1874 | + Fixes: CID 96680 |
1875 | + |
1876 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1877 | + |
1878 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1879 | + |
1880 | + net/tftp: Fix dangling memory pointer |
1881 | + The static code analysis tool, Parfait, reported that the valid of |
1882 | + file->data was left referencing memory that was freed by the call to |
1883 | + grub_free(data) where data was initialized from file->data. |
1884 | + |
1885 | + To ensure that there is no unintentional access to this memory |
1886 | + referenced by file->data we should set the pointer to NULL. |
1887 | + |
1888 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1889 | + |
1890 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1891 | + |
1892 | + net/net: Fix possible dereference to of a NULL pointer |
1893 | + It is always possible that grub_zalloc() could fail, so we should check for |
1894 | + a NULL return. Otherwise we run the risk of dereferencing a NULL pointer. |
1895 | + |
1896 | + Fixes: CID 296221 |
1897 | + |
1898 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1899 | + |
1900 | +2021-03-02 Darren Kenny <darren.kenny@oracle.com> |
1901 | + |
1902 | + mmap: Fix memory leak when iterating over mapped memory |
1903 | + When returning from grub_mmap_iterate() the memory allocated to present |
1904 | + is not being released causing it to leak. |
1905 | + |
1906 | + Fixes: CID 96655 |
1907 | + |
1908 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1909 | + |
1910 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1911 | + |
1912 | + usb: Avoid possible out-of-bound accesses caused by malicious devices |
1913 | + The maximum number of configurations and interfaces are fixed but there is |
1914 | + no out-of-bound checking to prevent a malicious USB device to report large |
1915 | + values for these and cause accesses outside the arrays' memory. |
1916 | + |
1917 | + Fixes: CVE-2020-25647 |
1918 | + |
1919 | + Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com> |
1920 | + Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> |
1921 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1922 | + |
1923 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1924 | + |
1925 | + dl: Only allow unloading modules that are not dependencies |
1926 | + When a module is attempted to be removed its reference counter is always |
1927 | + decremented. This means that repeated rmmod invocations will cause the |
1928 | + module to be unloaded even if another module depends on it. |
1929 | + |
1930 | + This may lead to a use-after-free scenario allowing an attacker to execute |
1931 | + arbitrary code and by-pass the UEFI Secure Boot protection. |
1932 | + |
1933 | + While being there, add the extern keyword to some function declarations in |
1934 | + that header file. |
1935 | + |
1936 | + Fixes: CVE-2020-25632 |
1937 | + |
1938 | + Reported-by: Chris Coulson <chris.coulson@canonical.com> |
1939 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1940 | + |
1941 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1942 | + |
1943 | + docs: Document the cutmem command |
1944 | + The command is not present in the docs/grub.texi user documentation. |
1945 | + |
1946 | + Reported-by: Daniel Kiper <daniel.kiper@oracle.com> |
1947 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
1948 | + |
1949 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1950 | + |
1951 | + loader/xnu: Don't allow loading extension and packages when locked down |
1952 | + The shim_lock verifier validates the XNU kernels but no its extensions |
1953 | + and packages. Prevent these to be loaded when the GRUB is locked down. |
1954 | + |
1955 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1956 | + |
1957 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1958 | + |
1959 | + gdb: Restrict GDB access when locked down |
1960 | + The gdbstub* commands allow to start and control a GDB stub running on |
1961 | + local host that can be used to connect from a remote debugger. Restrict |
1962 | + this functionality when the GRUB is locked down. |
1963 | + |
1964 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1965 | + |
1966 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1967 | + |
1968 | + commands/hdparm: Restrict hdparm command when locked down |
1969 | + The command can be used to get/set ATA disk parameters. Some of these can |
1970 | + be dangerous since change the disk behavior. Restrict it when locked down. |
1971 | + |
1972 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1973 | + |
1974 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1975 | + |
1976 | + commands/setpci: Restrict setpci command when locked down |
1977 | + This command can set PCI devices register values, which makes it dangerous |
1978 | + in a locked down configuration. Restrict it so can't be used on this setup. |
1979 | + |
1980 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1981 | + |
1982 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
1983 | + |
1984 | + commands: Restrict commands that can load BIOS or DT blobs when locked down |
1985 | + There are some more commands that should be restricted when the GRUB is |
1986 | + locked down. Following is the list of commands and reasons to restrict: |
1987 | + |
1988 | + * fakebios: creates BIOS-like structures for backward compatibility with |
1989 | + existing OSes. This should not be allowed when locked down. |
1990 | + |
1991 | + * loadbios: reads a BIOS dump from storage and loads it. This action |
1992 | + should not be allowed when locked down. |
1993 | + |
1994 | + * devicetree: loads a Device Tree blob and passes it to the OS. It replaces |
1995 | + any Device Tree provided by the firmware. This also should |
1996 | + not be allowed when locked down. |
1997 | + |
1998 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
1999 | + |
2000 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
2001 | + |
2002 | + mmap: Don't register cutmem and badram commands when lockdown is enforced |
2003 | + The cutmem and badram commands can be used to remove EFI memory regions |
2004 | + and potentially disable the UEFI Secure Boot. Prevent the commands to be |
2005 | + registered if the GRUB is locked down. |
2006 | + |
2007 | + Fixes: CVE-2020-27779 |
2008 | + |
2009 | + Reported-by: Teddy Reed <teddy.reed@gmail.com> |
2010 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2011 | + |
2012 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
2013 | + |
2014 | + acpi: Don't register the acpi command when locked down |
2015 | + The command is not allowed when lockdown is enforced. Otherwise an |
2016 | + attacker can instruct the GRUB to load an SSDT table to overwrite |
2017 | + the kernel lockdown configuration and later load and execute |
2018 | + unsigned code. |
2019 | + |
2020 | + Fixes: CVE-2020-14372 |
2021 | + |
2022 | + Reported-by: Máté Kukri <km@mkukri.xyz> |
2023 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2024 | + |
2025 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
2026 | + |
2027 | + efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list |
2028 | + Now the GRUB can check if it has been locked down and this can be used to |
2029 | + prevent executing commands that can be utilized to circumvent the UEFI |
2030 | + Secure Boot mechanisms. So, instead of hardcoding a list of modules that |
2031 | + have to be disabled, prevent the usage of commands that can be dangerous. |
2032 | + |
2033 | + This not only allows the commands to be disabled on other platforms, but |
2034 | + also properly separate the concerns. Since the shim_lock verifier logic |
2035 | + should be only about preventing to run untrusted binaries and not about |
2036 | + defining these kind of policies. |
2037 | + |
2038 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2039 | + |
2040 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
2041 | + |
2042 | + efi: Lockdown the GRUB when the UEFI Secure Boot is enabled |
2043 | + If the UEFI Secure Boot is enabled then the GRUB must be locked down |
2044 | + to prevent executing code that can potentially be used to subvert its |
2045 | + verification mechanisms. |
2046 | + |
2047 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2048 | + |
2049 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
2050 | + |
2051 | + kern/lockdown: Set a variable if the GRUB is locked down |
2052 | + It may be useful for scripts to determine whether the GRUB is locked |
2053 | + down or not. Add the lockdown variable which is set to "y" when the GRUB |
2054 | + is locked down. |
2055 | + |
2056 | + Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com> |
2057 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2058 | + |
2059 | +2021-03-02 Javier Martinez Canillas <javierm@redhat.com> |
2060 | + |
2061 | + kern: Add lockdown support |
2062 | + When the GRUB starts on a secure boot platform, some commands can be |
2063 | + used to subvert the protections provided by the verification mechanism and |
2064 | + could lead to booting untrusted system. |
2065 | + |
2066 | + To prevent that situation, allow GRUB to be locked down. That way the code |
2067 | + may check if GRUB has been locked down and further restrict the commands |
2068 | + that are registered or what subset of their functionality could be used. |
2069 | + |
2070 | + The lockdown support adds the following components: |
2071 | + |
2072 | + * The grub_lockdown() function which can be used to lockdown GRUB if, |
2073 | + e.g., UEFI Secure Boot is enabled. |
2074 | + |
2075 | + * The grub_is_lockdown() function which can be used to check if the GRUB |
2076 | + was locked down. |
2077 | + |
2078 | + * A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI |
2079 | + tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other |
2080 | + verifiers. These files are only successfully verified if another registered |
2081 | + verifier returns success. Otherwise, the whole verification process fails. |
2082 | + |
2083 | + For example, PE/COFF binaries verification can be done by the shim_lock |
2084 | + verifier which validates the signatures using the shim_lock protocol. |
2085 | + However, the verification is not deferred directly to the shim_lock verifier. |
2086 | + The shim_lock verifier is hooked into the verification process instead. |
2087 | + |
2088 | + * A set of grub_{command,extcmd}_lockdown functions that can be used by |
2089 | + code registering command handlers, to only register unsafe commands if |
2090 | + the GRUB has not been locked down. |
2091 | + |
2092 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2093 | + |
2094 | +2021-03-02 Marco A Benatto <mbenatto@redhat.com> |
2095 | + |
2096 | + efi: Move the shim_lock verifier to the GRUB core |
2097 | + Move the shim_lock verifier from its own module into the core image. The |
2098 | + Secure Boot lockdown mechanism has the intent to prevent the load of any |
2099 | + unsigned code or binary when Secure Boot is enabled. |
2100 | + |
2101 | + The reason is that GRUB must be able to prevent executing untrusted code |
2102 | + if UEFI Secure Boot is enabled, without depending on external modules. |
2103 | + |
2104 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2105 | + |
2106 | +2021-03-02 Marco A Benatto <mbenatto@redhat.com> |
2107 | + |
2108 | + verifiers: Move verifiers API to kernel image |
2109 | + Move verifiers API from a module to the kernel image, so it can be |
2110 | + used there as well. There are no functional changes in this patch. |
2111 | + |
2112 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2113 | + |
2114 | +2020-12-18 Glenn Washburn <development@efficientek.com> |
2115 | + |
2116 | + docs: Add documentation of disk size limitations |
2117 | + Document the artificially imposed 1 EiB disk size limit and size limitations |
2118 | + with LUKS volumes. |
2119 | + |
2120 | + Fix a few punctuation issues. |
2121 | + |
2122 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2123 | + |
2124 | +2020-12-18 Glenn Washburn <development@efficientek.com> |
2125 | + |
2126 | + luks2: Use grub_log2ull() to calculate log_sector_size and improve readability |
2127 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2128 | + |
2129 | + misc: Add grub_log2ull() macro for calculating log base 2 of 64-bit integers |
2130 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2131 | + |
2132 | +2020-12-18 Glenn Washburn <development@efficientek.com> |
2133 | + |
2134 | + mips: Enable __clzdi2() |
2135 | + This patch is similar to commit 9dab2f51e (sparc: Enable __clzsi2() and |
2136 | + __clzdi2()) but for MIPS target and __clzdi2() only, __clzsi2() was |
2137 | + already enabled. |
2138 | + |
2139 | + Suggested-by: Daniel Kiper <dkiper@net-space.pl> |
2140 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2141 | + |
2142 | +2020-12-18 Glenn Washburn <development@efficientek.com> |
2143 | + |
2144 | + luks2: Better error handling when setting up the cryptodisk |
2145 | + Do some sanity checking on data coming from the LUKS2 header. If segment.size |
2146 | + is "dynamic", verify that the offset is not past the end of disk. Otherwise, |
2147 | + check for errors from grub_strtoull() when converting segment size from |
2148 | + string. If a GRUB_ERR_BAD_NUMBER error was returned, then the string was |
2149 | + not a valid parsable number, so skip the key. If GRUB_ERR_OUT_OF_RANGE was |
2150 | + returned, then there was an overflow in converting to a 64-bit unsigned |
2151 | + integer. So this could be a very large disk (perhaps large RAID array). |
2152 | + In this case skip the key too. Additionally, enforce some other limits |
2153 | + and fail if needed. |
2154 | + |
2155 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2156 | + |
2157 | +2020-12-18 Glenn Washburn <development@efficientek.com> |
2158 | + |
2159 | + luks2: Do not handle disks of size GRUB_DISK_SIZE_UNKNOWN for now |
2160 | + Check to make sure that source disk has a known size. If not, print |
2161 | + a message and return error. There are 4 cases where GRUB_DISK_SIZE_UNKNOWN |
2162 | + is set (biosdisk, obdisk, ofdisk, and uboot), and in all those cases |
2163 | + processing continues. So this is probably a bit conservative. However, |
2164 | + 3 of the cases seem pathological, and the other, biosdisk, happens when |
2165 | + booting from a CD-ROM. Since I doubt booting from a LUKS2 volume on |
2166 | + a CD-ROM is a big use case, we'll error until someone complains. |
2167 | + |
2168 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2169 | + |
2170 | +2020-12-18 Glenn Washburn <development@efficientek.com> |
2171 | + |
2172 | + luks2: Convert to crypt sectors from GRUB native sectors |
2173 | + The function grub_disk_native_sectors(source) returns the number of sectors |
2174 | + of source in GRUB native (512-byte) sectors, not source sized sectors. So |
2175 | + the conversion needs to use GRUB_DISK_SECTOR_BITS, the GRUB native sector |
2176 | + size. |
2177 | + |
2178 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2179 | + |
2180 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2181 | + |
2182 | + luks2: Error check segment.sector_size |
2183 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2184 | + |
2185 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2186 | + |
2187 | + cryptodisk: Properly handle non-512 byte sized sectors |
2188 | + By default, dm-crypt internally uses an IV that corresponds to 512-byte |
2189 | + sectors, even when a larger sector size is specified. What this means is |
2190 | + that when using a larger sector size, the IV is incremented every sector. |
2191 | + However, the amount the IV is incremented is the number of 512 byte blocks |
2192 | + in a sector (i.e. 8 for 4K sectors). Confusingly the IV does not correspond |
2193 | + to the number of, for example, 4K sectors. So each 512 byte cipher block in |
2194 | + a sector will be encrypted with the same IV and the IV will be incremented |
2195 | + afterwards by the number of 512 byte cipher blocks in the sector. |
2196 | + |
2197 | + There are some encryption utilities which do it the intuitive way and have |
2198 | + the IV equal to the sector number regardless of sector size (ie. the fifth |
2199 | + sector would have an IV of 4 for each cipher block). And this is supported |
2200 | + by dm-crypt with the iv_large_sectors option and also cryptsetup as of 2.3.3 |
2201 | + with the --iv-large-sectors, though not with LUKS headers (only with --type |
2202 | + plain). However, support for this has not been included as grub does not |
2203 | + support plain devices right now. |
2204 | + |
2205 | + One gotcha here is that the encrypted split keys are encrypted with a hard- |
2206 | + coded 512-byte sector size. So even if your data is encrypted with 4K sector |
2207 | + sizes, the split key encrypted area must be decrypted with a block size of |
2208 | + 512 (ie the IV increments every 512 bytes). This made these changes less |
2209 | + aesthetically pleasing than desired. |
2210 | + |
2211 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2212 | + |
2213 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2214 | + |
2215 | + luks2: grub_cryptodisk_t->total_sectors is the max number of device native sectors |
2216 | + We need to convert the sectors from the size of the underlying device to the |
2217 | + cryptodisk sector size; segment.size is in bytes which need to be converted |
2218 | + to cryptodisk sectors as well. |
2219 | + |
2220 | + Also, removed an empty statement. |
2221 | + |
2222 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2223 | + |
2224 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2225 | + |
2226 | + cryptodisk: Add macros GRUB_TYPE_U_MAX/MIN(type) to replace literals |
2227 | + Add GRUB_TYPE_U_MAX/MIN(type) macros to get the max/min values for an |
2228 | + unsigned number with size of type. |
2229 | + |
2230 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2231 | + |
2232 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2233 | + |
2234 | + cryptodisk: Add macro GRUB_TYPE_BITS() to replace some literals |
2235 | + The new macro GRUB_TYPE_BITS(type) returns the number of bits |
2236 | + allocated for type. |
2237 | + |
2238 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2239 | + |
2240 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2241 | + |
2242 | + luks2: Add string "index" to user strings using a json index |
2243 | + This allows error messages to be more easily distinguishable between indexes |
2244 | + and slot keys. The former include the string "index" in the error/debug |
2245 | + string, and the later are surrounded in quotes. |
2246 | + |
2247 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2248 | + |
2249 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2250 | + |
2251 | + luks2: Rename json index variables to names that they are obviously json indexes |
2252 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2253 | + |
2254 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2255 | + |
2256 | + luks2: Use more intuitive object name instead of json index in user messages |
2257 | + Use the object name in the json array rather than the 0 based index in the |
2258 | + json array for keyslots, segments, and digests. This is less confusing for |
2259 | + the end user. For example, say you have a LUKS2 device with a key in slot 1 |
2260 | + and slot 4. When using the password for slot 4 to unlock the device, the |
2261 | + messages using the index of the keyslot will mention keyslot 1 (its a |
2262 | + zero-based index). Furthermore, with this change the keyslot number will |
2263 | + align with the number used to reference the keyslot when using the |
2264 | + --key-slot argument to cryptsetup. |
2265 | + |
2266 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2267 | + |
2268 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2269 | + |
2270 | + luks2: Add idx member to struct grub_luks2_keyslot/segment/digest |
2271 | + This allows code using these structs to know the named key associated with |
2272 | + these json data structures. In the future we can use these to provide better |
2273 | + error messages to the user. |
2274 | + |
2275 | + Get rid of idx local variable in luks2_get_keyslot() which was overloaded to |
2276 | + be used for both keyslot and segment slot keys. |
2277 | + |
2278 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2279 | + |
2280 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2281 | + |
2282 | + luks2: Make sure all fields of output argument in luks2_parse_digest() are written to |
2283 | + We should assume that the output argument "out" is uninitialized and could |
2284 | + have random data. So, make sure to initialize the segments and keyslots bit |
2285 | + fields because potentially not all bits of those fields are written to. |
2286 | + Otherwise, the digest could say it belongs to keyslots and segments that it |
2287 | + does not. |
2288 | + |
2289 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2290 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2291 | + |
2292 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2293 | + |
2294 | + luks2: Remove unused argument in grub_error() call |
2295 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2296 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2297 | + |
2298 | + luks2: Convert 8 spaces to tabs |
2299 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2300 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2301 | + |
2302 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2303 | + |
2304 | + misc: Add parentheses around ALIGN_UP() and ALIGN_DOWN() arguments |
2305 | + This ensures that expected order of operations is preserved when arguments |
2306 | + are expressions. |
2307 | + |
2308 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2309 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2310 | + |
2311 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2312 | + |
2313 | + disk: Rename grub_disk_get_size() to grub_disk_native_sectors() |
2314 | + The function grub_disk_get_size() is confusingly named because it actually |
2315 | + returns a sector count where the sectors are sized in the GRUB native sector |
2316 | + size. Rename to something more appropriate. |
2317 | + |
2318 | + Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> |
2319 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2320 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2321 | + |
2322 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2323 | + |
2324 | + loopback: Do not automaticaly replace existing loopback dev, error instead |
2325 | + If there is a loopback device with the same name as the one to be created, |
2326 | + instead of closing the old one and replacing it with the new one, return an |
2327 | + error instead. If the loopback device was created, its probably being used |
2328 | + by something and just replacing it may cause GRUB to crash unexpectedly. |
2329 | + This fixes obvious problems like "loopback d (d)/somefile". Its not too |
2330 | + onerous to force the user to delete the loopback first with the "-d" switch. |
2331 | + |
2332 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2333 | + |
2334 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2335 | + |
2336 | + disk: Move hardcoded max disk size literal to a GRUB_DISK_MAX_SECTORS in disk.h |
2337 | + There is a hardcoded maximum disk size that can be read or written from, |
2338 | + currently set at 1 EiB in grub_disk_adjust_range(). Move the literal into a |
2339 | + macro in disk.h, so our assumptions are more visible. This hard coded limit |
2340 | + does not prevent using larger disks, just GRUB won't read/write past the |
2341 | + limit. The comment accompanying this restriction didn't quite make sense to |
2342 | + me, so its been modified too. |
2343 | + |
2344 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2345 | + |
2346 | +2020-12-12 Glenn Washburn <development@efficientek.com> |
2347 | + |
2348 | + fs: Fix block lists not being able to address to end of disk sometimes |
2349 | + When checking if a block list goes past the end of the disk, make sure |
2350 | + the total size of the disk is in GRUB native sector sizes, otherwise there |
2351 | + will be blocks at the end of the disk inaccessible by block lists. |
2352 | + |
2353 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2354 | + |
2355 | +2020-12-12 Vladimir Serbinenko <phcoder@gmail.com> |
2356 | + |
2357 | + mbr: Document new limitations on MBR gap support |
2358 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2359 | + |
2360 | +2020-12-12 Vladimir Serbinenko <phcoder@google.com> |
2361 | + |
2362 | + mbr: Warn if MBR gap is small and user uses advanced modules |
2363 | + We don't want to support small MBR gap in pair with anything but the |
2364 | + simplest config of biosdisk + part_msdos + simple filesystem. In this |
2365 | + path "simple filesystems" are all current filesystems except ZFS and |
2366 | + Btrfs. |
2367 | + |
2368 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2369 | + |
2370 | +2020-12-12 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
2371 | + |
2372 | + efi/tpm: Extract duplicate code into independent functions |
2373 | + Part of the code logic for processing the return value of efi |
2374 | + log_extend_event is repetitive and complicated. Extract the |
2375 | + repetitive code into an independent function. |
2376 | + |
2377 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2378 | + |
2379 | +2020-12-12 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
2380 | + |
2381 | + efi/tpm: Add debug information for device protocol and eventlog |
2382 | + Add a number of debug logs to the tpm module. The condition tag |
2383 | + for opening debugging is "tpm". On TPM machines, this will bring |
2384 | + great convenience to diagnosis and debugging. |
2385 | + |
2386 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2387 | + |
2388 | +2020-12-12 Daniel Kiper <daniel.kiper@oracle.com> |
2389 | + |
2390 | + loader/linux: Report the UEFI Secure Boot status to the Linux kernel |
2391 | + Now that the GRUB has a grub_efi_get_secureboot() function to check the |
2392 | + UEFI Secure Boot status, use it to report that to the Linux kernel. |
2393 | + |
2394 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2395 | + |
2396 | +2020-12-12 Javier Martinez Canillas <javierm@redhat.com> |
2397 | + |
2398 | + efi: Only register shim_lock verifier if shim_lock protocol is found and SB enabled |
2399 | + The shim_lock module registers a verifier to call shim's verify, but the |
2400 | + handler is registered even when the shim_lock protocol was not installed. |
2401 | + |
2402 | + This doesn't cause a NULL pointer dereference in shim_lock_write() because |
2403 | + the shim_lock_init() function just returns GRUB_ERR_NONE if sl isn't set. |
2404 | + |
2405 | + But in that case there's no point to even register the shim_lock verifier |
2406 | + since won't do anything. Additionally, it is only useful when Secure Boot |
2407 | + is enabled. |
2408 | + |
2409 | + Finally, don't assume that the shim_lock protocol will always be present |
2410 | + when the shim_lock_write() function is called, and check for it on every |
2411 | + call to this function. |
2412 | + |
2413 | + Reported-by: Michael Chang <mchang@suse.com> |
2414 | + Reported-by: Peter Jones <pjones@redhat.com> |
2415 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2416 | + |
2417 | +2020-12-11 Daniel Kiper <daniel.kiper@oracle.com> |
2418 | + |
2419 | + efi: Add secure boot detection |
2420 | + Introduce grub_efi_get_secureboot() function which returns whether |
2421 | + UEFI Secure Boot is enabled or not on UEFI systems. |
2422 | + |
2423 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2424 | + |
2425 | +2020-12-11 Daniel Kiper <daniel.kiper@oracle.com> |
2426 | + |
2427 | + efi: Add a function to read EFI variables with attributes |
2428 | + It will be used to properly detect and report UEFI Secure Boot status to |
2429 | + the x86 Linux kernel. The functionality will be added by subsequent patches. |
2430 | + |
2431 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2432 | + |
2433 | +2020-12-11 Daniel Kiper <daniel.kiper@oracle.com> |
2434 | + |
2435 | + efi: Return grub_efi_status_t from grub_efi_get_variable() |
2436 | + This is needed to properly detect and report UEFI Secure Boot status |
2437 | + to the x86 Linux kernel. The functionality will be added by subsequent |
2438 | + patches. |
2439 | + |
2440 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2441 | + |
2442 | +2020-12-11 Daniel Kiper <daniel.kiper@oracle.com> |
2443 | + |
2444 | + efi: Make shim_lock GUID and protocol type public |
2445 | + The GUID will be used to properly detect and report UEFI Secure Boot |
2446 | + status to the x86 Linux kernel. The functionality will be added by |
2447 | + subsequent patches. The shim_lock protocol type is made public for |
2448 | + completeness. |
2449 | + |
2450 | + Additionally, fix formatting of four preceding GUIDs. |
2451 | + |
2452 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2453 | + |
2454 | +2020-12-11 Javier Martinez Canillas <javierm@redhat.com> |
2455 | + |
2456 | + arm/term: Fix linking error due multiple ps2_state definitions |
2457 | + When building with --target=arm-linux-gnu --with-platform=coreboot |
2458 | + a linking error occurs caused by multiple definitions of the |
2459 | + ps2_state variable. |
2460 | + |
2461 | + Mark them as static since they aren't used outside their compilation unit. |
2462 | + |
2463 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2464 | + |
2465 | +2020-12-11 Javier Martinez Canillas <javierm@redhat.com> |
2466 | + |
2467 | + include/grub/i386/linux.h: Include missing <grub/types.h> header |
2468 | + This header uses types defined in <grub/types.h> but does not include it, |
2469 | + which leads to compile errors like the following: |
2470 | + |
2471 | + In file included from ../include/grub/cpu/linux.h:19, |
2472 | + from kern/efi/sb.c:21: |
2473 | + ../include/grub/i386/linux.h:80:3: error: unknown type name ‘grub_uint64_t’ |
2474 | + 80 | grub_uint64_t addr; |
2475 | + |
2476 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2477 | + |
2478 | +2020-12-11 Javier Martinez Canillas <javierm@redhat.com> |
2479 | + |
2480 | + i386: Don't include <grub/cpu/linux.h> in coreboot and ieee1275 startup.S |
2481 | + Nothing defined in the header file is used in the assembly code but it |
2482 | + may lead to build errors if some headers are included through this and |
2483 | + contains definitions that are not recognized by the assembler, e.g.: |
2484 | + |
2485 | + ../include/grub/types.h: Assembler messages: |
2486 | + ../include/grub/types.h:76: Error: no such instruction: `typedef signed char grub_int8_t' |
2487 | + ../include/grub/types.h:77: Error: no such instruction: `typedef short grub_int16_t' |
2488 | + ../include/grub/types.h:78: Error: no such instruction: `typedef int grub_int32_t' |
2489 | + |
2490 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2491 | + |
2492 | +2020-11-20 Glenn Washburn <development@efficientek.com> |
2493 | + |
2494 | + luks2: Rename index variable "j" to "i" in luks2_get_keyslot() |
2495 | + Looping variable "j" was named such because the variable name "i" was taken. |
2496 | + Since "i" has been renamed in the previous patch, we can rename "j" to "i". |
2497 | + |
2498 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2499 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2500 | + |
2501 | +2020-11-20 Glenn Washburn <development@efficientek.com> |
2502 | + |
2503 | + luks2: Rename variable "i" to "keyslot_idx" in luks2_get_keyslot() |
2504 | + Variables named "i" are usually looping variables. So, rename it to |
2505 | + "keyslot_idx" to ease luks2_get_keyslot() reading. |
2506 | + |
2507 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2508 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2509 | + |
2510 | +2020-11-20 Glenn Washburn <development@efficientek.com> |
2511 | + |
2512 | + luks2: Use correct index variable when looping in luks2_get_keyslot() |
2513 | + The loop variable "j" should be used to index the digests and segments json |
2514 | + array, instead of the variable "i", which is the keyslot index. |
2515 | + |
2516 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2517 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2518 | + |
2519 | +2020-11-20 Glenn Washburn <development@efficientek.com> |
2520 | + |
2521 | + luks2: Rename source disk variable named "disk" to "source" as in luks.c |
2522 | + This makes it more obvious to the reader that the disk referred to is the |
2523 | + source disk, as opposed to say the disk holding the cryptodisk. |
2524 | + |
2525 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2526 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2527 | + |
2528 | +2020-11-20 Glenn Washburn <development@efficientek.com> |
2529 | + |
2530 | + cryptodisk: Rename "offset" in grub_cryptodisk_t to "offset_sectors" |
2531 | + This makes it clear that the offset represents sectors, not bytes, in |
2532 | + order to improve readability. |
2533 | + |
2534 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2535 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2536 | + |
2537 | +2020-11-20 Glenn Washburn <development@efficientek.com> |
2538 | + |
2539 | + cryptodisk: Rename "total_length" field in grub_cryptodisk_t to "total_sectors" |
2540 | + This creates an alignment with grub_disk_t naming of the same field and is |
2541 | + more intuitive as to how it should be used. |
2542 | + |
2543 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2544 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2545 | + |
2546 | +2020-11-20 Glenn Washburn <development@efficientek.com> |
2547 | + |
2548 | + types: Define GRUB_CHAR_BIT based on compiler macro instead of using literal |
2549 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2550 | + |
2551 | +2020-11-20 Javier Martinez Canillas <javierm@redhat.com> |
2552 | + |
2553 | + include/grub/arm64/linux.h: Include missing <grub/types.h> header |
2554 | + This header uses types defined in <grub/types.h> but does not include it, |
2555 | + which leads to compile errors like the following: |
2556 | + |
2557 | + ../include/grub/cpu/linux.h:27:3: error: unknown type name ‘grub_uint32_t’ |
2558 | + 27 | grub_uint32_t code0; /* Executable code */ |
2559 | + | ^~~~~~~~~~~~~ |
2560 | + |
2561 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2562 | + |
2563 | +2020-11-20 Javier Martinez Canillas <javierm@redhat.com> |
2564 | + |
2565 | + include/grub/arm/system.h: Include missing <grub/symbol.h> header |
2566 | + The header uses the EXPORT_FUNC() macro defined in <grub/types.h> but |
2567 | + doesn't include it, which leads to the following compile error on arm: |
2568 | + |
2569 | + ../include/grub/cpu/system.h:12:13: error: ‘EXPORT_FUNC’ declared as function returning a function |
2570 | + 12 | extern void EXPORT_FUNC(grub_arm_disable_caches_mmu) (void); |
2571 | + | ^~~~~~~~~~~ |
2572 | + ../include/grub/cpu/system.h:12:1: warning: parameter names (without types) in function declaration |
2573 | + 12 | extern void EXPORT_FUNC(grub_arm_disable_caches_mmu) (void); |
2574 | + | ^~~~~~ |
2575 | + make[3]: *** [Makefile:36581: kern/efi/kernel_exec-sb.o] Error 1 |
2576 | + |
2577 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2578 | + |
2579 | +2020-11-20 Daniel Axtens <dja@axtens.net> |
2580 | + |
2581 | + docs: grub-install --pubkey has been supported for some time |
2582 | + grub-install --pubkey is supported, so we can now document it. |
2583 | + |
2584 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2585 | + |
2586 | +2020-11-20 Daniel Axtens <dja@axtens.net> |
2587 | + |
2588 | + docs: grub-install is no longer a shell script |
2589 | + Since commit cd46aa6cefab in 2013, grub-install hasn't been a shell |
2590 | + script. The para doesn't really add that much, especially since it's |
2591 | + the user manual, so just drop it. |
2592 | + |
2593 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2594 | + |
2595 | +2020-10-30 Jacob Kroon <jacob.kroon@gmail.com> |
2596 | + |
2597 | + Makefile: Remove unused GRUB_PKGLIBDIR definition |
2598 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2599 | + |
2600 | +2020-10-30 Daniel Axtens <dja@axtens.net> |
2601 | + |
2602 | + lzma: Fix compilation error under clang 10 |
2603 | + Compiling under clang 10 gives: |
2604 | + |
2605 | + grub-core/lib/LzmaEnc.c:1362:9: error: misleading indentation; statement is not part of the previous 'if' [-Werror,-Wmisleading-indentation] |
2606 | + { |
2607 | + ^ |
2608 | + grub-core/lib/LzmaEnc.c:1358:7: note: previous statement is here |
2609 | + if (repIndex == 0) |
2610 | + ^ |
2611 | + 1 error generated. |
2612 | + |
2613 | + It's not really that unclear in context: there's a commented-out |
2614 | + if-statement. But tweak the alignment anyway so that clang is happy. |
2615 | + |
2616 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2617 | + |
2618 | +2020-10-30 Cao jin <caoj.fnst@cn.fujitsu.com> |
2619 | + |
2620 | + kern/i386/realmode: Update comment |
2621 | + Commit b81d609e4c did not update it. |
2622 | + |
2623 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2624 | + |
2625 | +2020-10-30 Glenn Washburn <development@efficientek.com> |
2626 | + |
2627 | + cryptodisk: Fix cipher IV mode "plain64" always being set as "plain" |
2628 | + When setting cipher IV mode, detection is done by prefix matching the |
2629 | + cipher IV mode part of the cipher mode string. Since "plain" matches |
2630 | + "plain64", we must check for "plain64" first. Otherwise, "plain64" will |
2631 | + be detected as "plain". |
2632 | + |
2633 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2634 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2635 | + |
2636 | +2020-09-18 Glenn Washburn <development@efficientek.com> |
2637 | + |
2638 | + crypto: Remove GPG_ERROR_CFLAGS from gpg_err_code_t enum |
2639 | + This was probably added by accident when originally creating the file. |
2640 | + |
2641 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2642 | + |
2643 | +2020-09-18 Glenn Washburn <development@efficientek.com> |
2644 | + |
2645 | + script: Do not allow a delimiter between function name and block start |
2646 | + Currently the following is valid syntax but should be a syntax error: |
2647 | + |
2648 | + grub> function f; { echo HERE; } |
2649 | + grub> f |
2650 | + HERE |
2651 | + |
2652 | + This fix is not backward compatible, but current syntax is not documented |
2653 | + either and has no functional value. So any scripts with this unintended |
2654 | + syntax are technically syntactically incorrect and should not be relying |
2655 | + on this behavior. |
2656 | + |
2657 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2658 | + |
2659 | +2020-09-18 Glenn Washburn <development@efficientek.com> |
2660 | + |
2661 | + docs: Support for loading and concatenating multiple initrds |
2662 | + This has been available since January of 2012 but has not been documented. |
2663 | + |
2664 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2665 | + |
2666 | +2020-09-18 Glenn Washburn <development@efficientek.com> |
2667 | + |
2668 | + lexer: char const * should be const char * |
2669 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2670 | + |
2671 | + cryptodisk: Use cipher name instead of object in error message |
2672 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2673 | + |
2674 | +2020-09-18 Glenn Washburn <development@efficientek.com> |
2675 | + |
2676 | + tests: F2FS test should use MOUNTDEVICE like other tests |
2677 | + LODEVICES is not an array variable and should not be accessed as such. |
2678 | + This allows the f2fs test to pass as it was failing because a device |
2679 | + name had a space prepended to the path. |
2680 | + |
2681 | + Acked-by: Jaegeuk Kim <jaegeuk@kernel.org> |
2682 | + Tested-by: Paul Menzel <pmenzel@molgen.mpg.de> |
2683 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2684 | + |
2685 | +2020-09-18 Florian La Roche <Florian.LaRoche@gmail.com> |
2686 | + |
2687 | + grub-mkconfig: If $hints is not set reduce the output into grub.cfg to just 1 line |
2688 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2689 | + |
2690 | +2020-09-18 Petr Vorel <pvorel@suse.cz> |
2691 | + |
2692 | + travis: Run bootstrap to fix build |
2693 | + autogen.sh isn't enough: |
2694 | + |
2695 | + $ ./autogen.sh |
2696 | + Gnulib not yet bootstrapped; run ./bootstrap instead. |
2697 | + The command "./autogen.sh" exited with 1. |
2698 | + |
2699 | + Additionally, using bootstrap requires to install autopoint package. |
2700 | + |
2701 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2702 | + |
2703 | +2020-09-18 Patrick Steinhardt <ps@pks.im> |
2704 | + |
2705 | + luks2: Strip dashes off of the UUID |
2706 | + The UUID header for LUKS2 uses a format with dashes, same as for |
2707 | + LUKS(1). But while we strip these dashes for the latter, we don't for |
2708 | + the former. This isn't wrong per se, but it's definitely inconsistent |
2709 | + for users as they need to use the dashed format for LUKS2 and the |
2710 | + non-dashed format for LUKS when e.g. calling "cryptomount -u $UUID". |
2711 | + |
2712 | + Fix this inconsistency by stripping dashes off of the LUKS2 UUID. |
2713 | + |
2714 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2715 | + |
2716 | +2020-09-18 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
2717 | + |
2718 | + efi/tpm: Remove unused functions and structures |
2719 | + Although the tpm_execute() series of functions are defined they are not |
2720 | + used anywhere. Several structures in the include/grub/efi/tpm.h header |
2721 | + file are not used too. There is even nonexistent grub_tpm_init() |
2722 | + declaration in this header. Delete all that unneeded stuff. |
2723 | + |
2724 | + If somebody needs the functionality implemented in the dropped code then |
2725 | + he/she can re-add it later. Now it needlessly increases the GRUB |
2726 | + code/image size. |
2727 | + |
2728 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2729 | + |
2730 | +2020-09-18 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
2731 | + |
2732 | + shim_lock: Enable module for all EFI architectures |
2733 | + Like the tpm the shim_lock module is only enabled for x86_64 target. |
2734 | + However, there's nothing specific to x86_64 in the implementation and |
2735 | + it can be enabled for all EFI architectures. |
2736 | + |
2737 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2738 | + |
2739 | +2020-09-18 Daniel Kiper <daniel.kiper@oracle.com> |
2740 | + |
2741 | + efi/tpm: Fix typo in grub_efi_tpm2_protocol struct |
2742 | + Rename get_active_pcr_blanks() to get_active_pcr_banks(). |
2743 | + |
2744 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
2745 | + |
2746 | +2020-09-18 Daniel Kiper <daniel.kiper@oracle.com> |
2747 | + |
2748 | + i386/efi/init: Drop bogus include |
2749 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
2750 | + |
2751 | +2020-09-18 Daniel Kiper <daniel.kiper@oracle.com> |
2752 | + |
2753 | + docs: Fix devicetree command description |
2754 | + Specifically fix the subsection and drop bogus reference to the GNU/Linux. |
2755 | + |
2756 | + Reported-by: Patrick Higgins <higgi1pt@gmail.com> |
2757 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
2758 | + |
2759 | +2020-09-18 Martin Whitaker <fsf@martin-whitaker.me.uk> |
2760 | + |
2761 | + grub-install: Fix inverted test for NLS enabled when copying locales |
2762 | + Commit 3d8439da8 (grub-install: Locale depends on nls) attempted to avoid |
2763 | + copying locale files to the target directory when NLS was disabled. |
2764 | + However the test is inverted, and it does the opposite. |
2765 | + |
2766 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
2767 | + |
2768 | +2020-09-11 Javier Martinez Canillas <javierm@redhat.com> |
2769 | + |
2770 | + tftp: Roll-over block counter to prevent data packets timeouts |
2771 | + Commit 781b3e5efc3 (tftp: Do not use priority queue) caused a regression |
2772 | + when fetching files over TFTP whose size is bigger than 65535 * block size. |
2773 | + |
2774 | + grub> linux /images/pxeboot/vmlinuz |
2775 | + grub> echo $? |
2776 | + 0 |
2777 | + grub> initrd /images/pxeboot/initrd.img |
2778 | + error: timeout reading '/images/pxeboot/initrd.img'. |
2779 | + grub> echo $? |
2780 | + 28 |
2781 | + |
2782 | + It is caused by the block number counter being a 16-bit field, which leads |
2783 | + to a maximum file size of ((1 << 16) - 1) * block size. Because GRUB sets |
2784 | + the block size to 1024 octets (by using the TFTP Blocksize Option from RFC |
2785 | + 2348 [0]), the maximum file size that can be transferred is 67107840 bytes. |
2786 | + |
2787 | + The TFTP PROTOCOL (REVISION 2) RFC 1350 [1] does not mention what a client |
2788 | + should do when a file size is bigger than the maximum, but most TFTP hosts |
2789 | + support the block number counter to be rolled over. That is, acking a data |
2790 | + packet with a block number of 0 is taken as if the 65356th block was acked. |
2791 | + |
2792 | + It was working before because the block counter roll-over was happening due |
2793 | + an overflow. But that got fixed by the mentioned commit, which led to the |
2794 | + regression when attempting to fetch files larger than the maximum size. |
2795 | + |
2796 | + To allow TFTP file transfers of unlimited size again, re-introduce a block |
2797 | + counter roll-over so the data packets are acked preventing the timeouts. |
2798 | + |
2799 | + [0]: https://tools.ietf.org/html/rfc2348 |
2800 | + [1]: https://tools.ietf.org/html/rfc1350 |
2801 | + |
2802 | + Fixes: 781b3e5efc3 (tftp: Do not use priority queue) |
2803 | + |
2804 | + Suggested-by: Peter Jones <pjones@redhat.com> |
2805 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2806 | + |
2807 | +2020-09-11 Florian La Roche <Florian.LaRoche@gmail.com> |
2808 | + |
2809 | + templates: Remove unnecessary trailing semicolon |
2810 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2811 | + |
2812 | +2020-09-11 Glenn Washburn <development@efficientek.com> |
2813 | + |
2814 | + cryptodisk: Fix incorrect calculation of start sector |
2815 | + Here dev is a grub_cryptodisk_t and dev->offset is offset in sectors of size |
2816 | + native to the cryptodisk device. The sector is correctly transformed into |
2817 | + native grub sector size, but then added to dev->offset which is not |
2818 | + transformed. It would be nice if the type system would help us with this. |
2819 | + |
2820 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2821 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2822 | + |
2823 | +2020-09-11 Glenn Washburn <development@efficientek.com> |
2824 | + |
2825 | + cryptodisk: Unregister cryptomount command when removing module |
2826 | + Reviewed-by: Patrick Steinhardt <ps@pks.im> |
2827 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2828 | + |
2829 | +2020-09-11 Patrick Steinhardt <ps@pks.im> |
2830 | + |
2831 | + luks2: Improve error reporting when decrypting/verifying key |
2832 | + While we already set up error messages in both luks2_verify_key() and |
2833 | + luks2_decrypt_key(), we do not ever print them. This makes it really |
2834 | + hard to discover why a given key actually failed to decrypt a disk. |
2835 | + |
2836 | + Improve this by including the error message in the user-visible output. |
2837 | + |
2838 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2839 | + |
2840 | +2020-09-11 Patrick Steinhardt <ps@pks.im> |
2841 | + |
2842 | + luks: Fix out-of-bounds copy of UUID |
2843 | + When configuring a LUKS disk, we copy over the UUID from the LUKS header |
2844 | + into the new grub_cryptodisk_t structure via grub_memcpy(). As size |
2845 | + we mistakenly use the size of the grub_cryptodisk_t UUID field, which |
2846 | + is guaranteed to be strictly bigger than the LUKS UUID field we're |
2847 | + copying. As a result, the copy always goes out-of-bounds and copies some |
2848 | + garbage from other surrounding fields. During runtime, this isn't |
2849 | + noticed due to the fact that we always NUL-terminate the UUID and thus |
2850 | + never hit the trailing garbage. |
2851 | + |
2852 | + Fix the issue by using the size of the local stripped UUID field. |
2853 | + |
2854 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2855 | + |
2856 | +2020-09-11 Patrick Steinhardt <ps@pks.im> |
2857 | + |
2858 | + json: Remove invalid typedef redefinition |
2859 | + The C standard does not allow for typedef redefinitions, even if they |
2860 | + map to the same underlying type. In order to avoid including the |
2861 | + jsmn.h in json.h and thus exposing jsmn's internals, we have exactly |
2862 | + such a forward-declaring typedef in json.h. If enforcing the GNU99 C |
2863 | + standard, clang may generate a warning about this non-standard |
2864 | + construct. |
2865 | + |
2866 | + Fix the issue by using a simple "struct jsmntok" forward declaration |
2867 | + instead of using a typedef. |
2868 | + |
2869 | + Tested-by: Chuck Tuffli <chuck@freebsd.org> |
2870 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2871 | + |
2872 | +2020-09-11 Cao jin <caoj.fnst@cn.fujitsu.com> |
2873 | + |
2874 | + i386/relocator_common: Drop empty #ifdef |
2875 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2876 | + |
2877 | +2020-09-11 Ave Milia <avemilia@protonmail.com> |
2878 | + |
2879 | + video/bochs: Fix typo |
2880 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2881 | + |
2882 | +2020-07-29 Colin Watson <cjwatson@debian.org> |
2883 | + |
2884 | + linux: Fix integer overflows in initrd size handling |
2885 | + These could be triggered by a crafted filesystem with very large files. |
2886 | + |
2887 | + Fixes: CVE-2020-15707 |
2888 | + |
2889 | + Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> |
2890 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2891 | + |
2892 | +2020-07-29 Peter Jones <pjones@redhat.com> |
2893 | + |
2894 | + loader/linux: Avoid overflow on initrd size calculation |
2895 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2896 | + |
2897 | +2020-07-29 Alexey Makhalov <amakhalov@vmware.com> |
2898 | + |
2899 | + efi: Fix use-after-free in halt/reboot path |
2900 | + commit 92bfc33db984 ("efi: Free malloc regions on exit") |
2901 | + introduced memory freeing in grub_efi_fini(), which is |
2902 | + used not only by exit path but by halt/reboot one as well. |
2903 | + As result of memory freeing, code and data regions used by |
2904 | + modules, such as halt, reboot, acpi (used by halt) also got |
2905 | + freed. After return to module code, CPU executes, filled |
2906 | + by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as |
2907 | + a code. Which leads to #UD exception later. |
2908 | + |
2909 | + grub> halt |
2910 | + !!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!! |
2911 | + RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246 |
2912 | + RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41 |
2913 | + RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000 |
2914 | + RSI - 00000000064DB768, RDI - 000000000832C5C3 |
2915 | + R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52 |
2916 | + R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4 |
2917 | + R14 - 0000000003E10D80, R15 - 00000000061E2F60 |
2918 | + DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030 |
2919 | + GS - 0000000000000030, SS - 0000000000000030 |
2920 | + CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000 |
2921 | + CR4 - 0000000000000668, CR8 - 0000000000000000 |
2922 | + DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000 |
2923 | + DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400 |
2924 | + GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000 |
2925 | + IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000 |
2926 | + FXSAVE_STATE - 0000000007F0F4C0 |
2927 | + |
2928 | + Proposal here is to continue to free allocated memory for |
2929 | + exit boot services path but keep it for halt/reboot path |
2930 | + as it won't be much security concern here. |
2931 | + Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY |
2932 | + loader flag to be used by efi halt/reboot path. |
2933 | + |
2934 | + Reviewed-by: Darren Kenny <darren.kenny@oracle.com> |
2935 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2936 | + |
2937 | +2020-07-29 Daniel Kiper <daniel.kiper@oracle.com> |
2938 | + |
2939 | + efi/chainloader: Propagate errors from copy_file_path() |
2940 | + Without any error propagated to the caller, make_file_path() |
2941 | + would then try to advance the invalid device path node with |
2942 | + GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL |
2943 | + pointer that would subsequently be dereferenced. Hence, propagate |
2944 | + errors from copy_file_path(). |
2945 | + |
2946 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2947 | + |
2948 | +2020-07-29 Peter Jones <pjones@redhat.com> |
2949 | + |
2950 | + efi: Fix some malformed device path arithmetic errors |
2951 | + Several places we take the length of a device path and subtract 4 from |
2952 | + it, without ever checking that it's >= 4. There are also cases where |
2953 | + this kind of malformation will result in unpredictable iteration, |
2954 | + including treating the length from one dp node as the type in the next |
2955 | + node. These are all errors, no matter where the data comes from. |
2956 | + |
2957 | + This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which |
2958 | + can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH() |
2959 | + return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when |
2960 | + the length is too small. Additionally, it makes several places in the |
2961 | + code check for and return errors in these cases. |
2962 | + |
2963 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2964 | + |
2965 | +2020-07-29 Peter Jones <pjones@redhat.com> |
2966 | + |
2967 | + emu: Make grub_free(NULL) safe |
2968 | + The grub_free() implementation in grub-core/kern/mm.c safely handles |
2969 | + NULL pointers, and code at many places depends on this. We don't know |
2970 | + that the same is true on all host OSes, so we need to handle the same |
2971 | + behavior in grub-emu's implementation. |
2972 | + |
2973 | + Reviewed-by: Darren Kenny <darren.kenny@oracle.com> |
2974 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2975 | + |
2976 | +2020-07-29 Peter Jones <pjones@redhat.com> |
2977 | + |
2978 | + lvm: Fix two more potential data-dependent alloc overflows |
2979 | + It appears to be possible to make a (possibly invalid) lvm PV with |
2980 | + a metadata size field that overflows our type when adding it to the |
2981 | + address we've allocated. Even if it doesn't, it may be possible to do so |
2982 | + with the math using the outcome of that as an operand. Check them both. |
2983 | + |
2984 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2985 | + |
2986 | +2020-07-29 Peter Jones <pjones@redhat.com> |
2987 | + |
2988 | + hfsplus: Fix two more overflows |
2989 | + Both node->size and node->namelen come from the supplied filesystem, |
2990 | + which may be user-supplied. We can't trust them for the math unless we |
2991 | + know they don't overflow. Making sure they go through grub_add() or |
2992 | + grub_calloc() first will give us that. |
2993 | + |
2994 | + Reviewed-by: Darren Kenny <darren.kenny@oracle.com> |
2995 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
2996 | + |
2997 | +2020-07-29 Alexey Makhalov <amakhalov@vmware.com> |
2998 | + |
2999 | + relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation |
3000 | + Current implementation of grub_relocator_alloc_chunk_align() |
3001 | + does not allow allocation of the top byte. |
3002 | + |
3003 | + Assuming input args are: |
3004 | + max_addr = 0xfffff000; |
3005 | + size = 0x1000; |
3006 | + |
3007 | + And this is valid. But following overflow protection will |
3008 | + unnecessarily move max_addr one byte down (to 0xffffefff): |
3009 | + if (max_addr > ~size) |
3010 | + max_addr = ~size; |
3011 | + |
3012 | + ~size + 1 will fix the situation. In addition, check size |
3013 | + for non zero to do not zero max_addr. |
3014 | + |
3015 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3016 | + |
3017 | +2020-07-29 Chris Coulson <chris.coulson@canonical.com> |
3018 | + |
3019 | + script: Avoid a use-after-free when redefining a function during execution |
3020 | + Defining a new function with the same name as a previously defined |
3021 | + function causes the grub_script and associated resources for the |
3022 | + previous function to be freed. If the previous function is currently |
3023 | + executing when a function with the same name is defined, this results |
3024 | + in use-after-frees when processing subsequent commands in the original |
3025 | + function. |
3026 | + |
3027 | + Instead, reject a new function definition if it has the same name as |
3028 | + a previously defined function, and that function is currently being |
3029 | + executed. Although a behavioural change, this should be backwards |
3030 | + compatible with existing configurations because they can't be |
3031 | + dependent on the current behaviour without being broken. |
3032 | + |
3033 | + Fixes: CVE-2020-15706 |
3034 | + |
3035 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3036 | + |
3037 | +2020-07-29 Chris Coulson <chris.coulson@canonical.com> |
3038 | + |
3039 | + script: Remove unused fields from grub_script_function struct |
3040 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3041 | + |
3042 | +2020-07-29 Alexey Makhalov <amakhalov@vmware.com> |
3043 | + |
3044 | + relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow |
3045 | + This commit introduces integer underflow mitigation in max_addr calculation |
3046 | + in grub_relocator_alloc_chunk_align() invocation. |
3047 | + |
3048 | + It consists of 2 fixes: |
3049 | + 1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to perform |
3050 | + sanity check for min/max and size values, and to make safe invocation of |
3051 | + grub_relocator_alloc_chunk_align() with validated max_addr value. Replace all |
3052 | + invocations such as grub_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...) |
3053 | + by grub_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...). |
3054 | + 2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top |
3055 | + address (0xffffffff - size + 1) or similar. |
3056 | + |
3057 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3058 | + |
3059 | +2020-07-29 Alexey Makhalov <amakhalov@vmware.com> |
3060 | + |
3061 | + relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow |
3062 | + Use arithmetic macros from safemath.h to accomplish it. In this commit, |
3063 | + I didn't want to be too paranoid to check every possible math equation |
3064 | + for overflow/underflow. Only obvious places (with non zero chance of |
3065 | + overflow/underflow) were refactored. |
3066 | + |
3067 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3068 | + |
3069 | +2020-07-29 Alexey Makhalov <amakhalov@vmware.com> |
3070 | + |
3071 | + tftp: Do not use priority queue |
3072 | + There is not need to reassemble the order of blocks. Per RFC 1350, |
3073 | + server must wait for the ACK, before sending next block. Data packets |
3074 | + can be served immediately without putting them to priority queue. |
3075 | + |
3076 | + Logic to handle incoming packet is this: |
3077 | + - if packet block id equal to expected block id, then |
3078 | + process the packet, |
3079 | + - if packet block id is less than expected - this is retransmit |
3080 | + of old packet, then ACK it and drop the packet, |
3081 | + - if packet block id is more than expected - that shouldn't |
3082 | + happen, just drop the packet. |
3083 | + |
3084 | + It makes the tftp receive path code simpler, smaller and faster. |
3085 | + As a benefit, this change fixes CID# 73624 and CID# 96690, caused |
3086 | + by following while loop: |
3087 | + |
3088 | + while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0) |
3089 | + |
3090 | + where tftph pointer is not moving from one iteration to another, causing |
3091 | + to serve same packet again. Luckily, double serving didn't happen due to |
3092 | + data->block++ during the first iteration. |
3093 | + |
3094 | + Fixes: CID 73624, CID 96690 |
3095 | + |
3096 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3097 | + |
3098 | +2020-07-29 Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
3099 | + |
3100 | + multiboot2: Fix memory leak if grub_create_loader_cmdline() fails |
3101 | + Fixes: CID 292468 |
3102 | + |
3103 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3104 | + |
3105 | +2020-07-29 Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
3106 | + |
3107 | + udf: Fix memory leak |
3108 | + Fixes: CID 73796 |
3109 | + |
3110 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3111 | + Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> |
3112 | + |
3113 | +2020-07-29 Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
3114 | + |
3115 | + term: Fix overflow on user inputs |
3116 | + This requires a very weird input from the serial interface but can cause |
3117 | + an overflow in input_buf (keys) overwriting the next variable (npending) |
3118 | + with the user choice: |
3119 | + |
3120 | + (pahole output) |
3121 | + |
3122 | + struct grub_terminfo_input_state { |
3123 | + int input_buf[6]; /* 0 24 */ |
3124 | + int npending; /* 24 4 */ <- CORRUPT |
3125 | + ...snip... |
3126 | + |
3127 | + The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow |
3128 | + npending with "q" (aka increase npending to 161). The simplest fix is to |
3129 | + just to disallow overwrites input_buf, which exactly what this patch does. |
3130 | + |
3131 | + Fixes: CID 292449 |
3132 | + |
3133 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3134 | + |
3135 | +2020-07-29 Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
3136 | + |
3137 | + lzma: Make sure we don't dereference past array |
3138 | + The two dimensional array p->posSlotEncoder[4][64] is being dereferenced |
3139 | + using the GetLenToPosState() macro which checks if len is less than 5, |
3140 | + and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. |
3141 | + Obviously we don't want to dereference that far out so we check if the |
3142 | + position found is greater or equal kNumLenToPosStates (4) and bail out. |
3143 | + |
3144 | + N.B.: Upstream LZMA 18.05 and later has this function completely rewritten |
3145 | + without any history. |
3146 | + |
3147 | + Fixes: CID 51526 |
3148 | + |
3149 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3150 | + |
3151 | +2020-07-29 Chris Coulson <chris.coulson@canonical.com> |
3152 | + |
3153 | + json: Avoid a double-free when parsing fails. |
3154 | + When grub_json_parse() succeeds, it returns the root object which |
3155 | + contains a pointer to the provided JSON string. Callers are |
3156 | + responsible for ensuring that this string outlives the root |
3157 | + object and for freeing its memory when it's no longer needed. |
3158 | + |
3159 | + If grub_json_parse() fails to parse the provided JSON string, |
3160 | + it frees the string before returning an error. This results |
3161 | + in a double free in luks2_recover_key(), which also frees the |
3162 | + same string after grub_json_parse() returns an error. |
3163 | + |
3164 | + This changes grub_json_parse() to never free the JSON string |
3165 | + passed to it, and updates the documentation for it to make it |
3166 | + clear that callers are responsible for ensuring that the string |
3167 | + outlives the root JSON object. |
3168 | + |
3169 | + Fixes: CID 292465 |
3170 | + |
3171 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3172 | + |
3173 | +2020-07-29 Alexey Makhalov <amakhalov@vmware.com> |
3174 | + |
3175 | + xnu: Fix double free in grub_xnu_devprop_add_property() |
3176 | + grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get |
3177 | + allocated and freed in the caller. |
3178 | + |
3179 | + Minor improvement: do prop fields initialization after memory allocations. |
3180 | + |
3181 | + Fixes: CID 292442, CID 292457, CID 292460, CID 292466 |
3182 | + |
3183 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3184 | + |
3185 | +2020-07-29 Alexey Makhalov <amakhalov@vmware.com> |
3186 | + |
3187 | + gfxmenu: Fix double free in load_image() |
3188 | + self->bitmap should be zeroed after free. Otherwise, there is a chance |
3189 | + to double free (USE_AFTER_FREE) it later in rescale_image(). |
3190 | + |
3191 | + Fixes: CID 292472 |
3192 | + |
3193 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3194 | + |
3195 | +2020-07-29 Daniel Kiper <daniel.kiper@oracle.com> |
3196 | + |
3197 | + font: Do not load more than one NAME section |
3198 | + The GRUB font file can have one NAME section only. Though if somebody |
3199 | + crafts a broken font file with many NAME sections and loads it then the |
3200 | + GRUB leaks memory. So, prevent against that by loading first NAME |
3201 | + section and failing in controlled way on following one. |
3202 | + |
3203 | + Reported-by: Chris Coulson <chris.coulson@canonical.com> |
3204 | + Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> |
3205 | + |
3206 | +2020-07-29 Peter Jones <pjones@redhat.com> |
3207 | + |
3208 | + iso9660: Don't leak memory on realloc() failures |
3209 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3210 | + |
3211 | +2020-07-29 Peter Jones <pjones@redhat.com> |
3212 | + |
3213 | + malloc: Use overflow checking primitives where we do complex allocations |
3214 | + This attempts to fix the places where we do the following where |
3215 | + arithmetic_expr may include unvalidated data: |
3216 | + |
3217 | + X = grub_malloc(arithmetic_expr); |
3218 | + |
3219 | + It accomplishes this by doing the arithmetic ahead of time using grub_add(), |
3220 | + grub_sub(), grub_mul() and testing for overflow before proceeding. |
3221 | + |
3222 | + Among other issues, this fixes: |
3223 | + - allocation of integer overflow in grub_video_bitmap_create() |
3224 | + reported by Chris Coulson, |
3225 | + - allocation of integer overflow in grub_png_decode_image_header() |
3226 | + reported by Chris Coulson, |
3227 | + - allocation of integer overflow in grub_squash_read_symlink() |
3228 | + reported by Chris Coulson, |
3229 | + - allocation of integer overflow in grub_ext2_read_symlink() |
3230 | + reported by Chris Coulson, |
3231 | + - allocation of integer overflow in read_section_as_string() |
3232 | + reported by Chris Coulson. |
3233 | + |
3234 | + Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 |
3235 | + |
3236 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3237 | + |
3238 | +2020-07-29 Peter Jones <pjones@redhat.com> |
3239 | + |
3240 | + calloc: Use calloc() at most places |
3241 | + This modifies most of the places we do some form of: |
3242 | + |
3243 | + X = malloc(Y * Z); |
3244 | + |
3245 | + to use calloc(Y, Z) instead. |
3246 | + |
3247 | + Among other issues, this fixes: |
3248 | + - allocation of integer overflow in grub_png_decode_image_header() |
3249 | + reported by Chris Coulson, |
3250 | + - allocation of integer overflow in luks_recover_key() |
3251 | + reported by Chris Coulson, |
3252 | + - allocation of integer overflow in grub_lvm_detect() |
3253 | + reported by Chris Coulson. |
3254 | + |
3255 | + Fixes: CVE-2020-14308 |
3256 | + |
3257 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3258 | + |
3259 | +2020-07-29 Peter Jones <pjones@redhat.com> |
3260 | + |
3261 | + calloc: Make sure we always have an overflow-checking calloc() available |
3262 | + This tries to make sure that everywhere in this source tree, we always have |
3263 | + an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.) |
3264 | + available, and that they all safely check for overflow and return NULL when |
3265 | + it would occur. |
3266 | + |
3267 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3268 | + |
3269 | +2020-07-29 Peter Jones <pjones@redhat.com> |
3270 | + |
3271 | + safemath: Add some arithmetic primitives that check for overflow |
3272 | + This adds a new header, include/grub/safemath.h, that includes easy to |
3273 | + use wrappers for __builtin_{add,sub,mul}_overflow() declared like: |
3274 | + |
3275 | + bool OP(a, b, res) |
3276 | + |
3277 | + where OP is grub_add, grub_sub or grub_mul. OP() returns true in the |
3278 | + case where the operation would overflow and res is not modified. |
3279 | + Otherwise, false is returned and the operation is executed. |
3280 | + |
3281 | + These arithmetic primitives require newer compiler versions. So, bump |
3282 | + these requirements in the INSTALL file too. |
3283 | + |
3284 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3285 | + |
3286 | +2020-07-29 Peter Jones <pjones@redhat.com> |
3287 | + |
3288 | + yylex: Make lexer fatal errors actually be fatal |
3289 | + When presented with a command that can't be tokenized to anything |
3290 | + smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), |
3291 | + expecting that will stop further processing, as such: |
3292 | + |
3293 | + #define YY_DO_BEFORE_ACTION \ |
3294 | + yyg->yytext_ptr = yy_bp; \ |
3295 | + yyleng = (int) (yy_cp - yy_bp); \ |
3296 | + yyg->yy_hold_char = *yy_cp; \ |
3297 | + *yy_cp = '\0'; \ |
3298 | + if ( yyleng >= YYLMAX ) \ |
3299 | + YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ |
3300 | + yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ |
3301 | + yyg->yy_c_buf_p = yy_cp; |
3302 | + |
3303 | + The code flex generates expects that YY_FATAL_ERROR() will either return |
3304 | + for it or do some form of longjmp(), or handle the error in some way at |
3305 | + least, and so the strncpy() call isn't in an "else" clause, and thus if |
3306 | + YY_FATAL_ERROR() is *not* actually fatal, it does the call with the |
3307 | + questionable limit, and predictable results ensue. |
3308 | + |
3309 | + Unfortunately, our implementation of YY_FATAL_ERROR() is: |
3310 | + |
3311 | + #define YY_FATAL_ERROR(msg) \ |
3312 | + do { \ |
3313 | + grub_printf (_("fatal error: %s\n"), _(msg)); \ |
3314 | + } while (0) |
3315 | + |
3316 | + The same pattern exists in yyless(), and similar problems exist in users |
3317 | + of YY_INPUT(), several places in the main parsing loop, |
3318 | + yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, |
3319 | + yy_scan_buffer(), etc. |
3320 | + |
3321 | + All of these callers expect YY_FATAL_ERROR() to actually be fatal, and |
3322 | + the things they do if it returns after calling it are wildly unsafe. |
3323 | + |
3324 | + Fixes: CVE-2020-10713 |
3325 | + |
3326 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3327 | + |
3328 | +2020-05-25 Marc Zyngier <maz@kernel.org> |
3329 | + |
3330 | + arm: Fix 32-bit ARM handling of the CTR register |
3331 | + When booting on an ARMv8 core that implements either CTR.IDC or CTR.DIC |
3332 | + (indicating that some of the cache maintenance operations can be |
3333 | + removed when dealing with I/D-cache coherency, GRUB dies with a |
3334 | + "Unsupported cache type 0x........" message. |
3335 | + |
3336 | + This is pretty likely to happen when running in a virtual machine |
3337 | + hosted on an arm64 machine (I've triggered it on a system built around |
3338 | + a bunch of Cortex-A55 cores, which implements CTR.IDC). |
3339 | + |
3340 | + It turns out that the way GRUB deals with the CTR register is a bit |
3341 | + harsh for anything from ARMv7 onwards. The layout of the register is |
3342 | + backward compatible, meaning that nothing that gets added is allowed to |
3343 | + break earlier behaviour. In this case, ignoring IDC is completely fine, |
3344 | + and only results in unnecessary cache maintenance. |
3345 | + |
3346 | + We can thus avoid being paranoid, and align the 32bit behaviour with |
3347 | + its 64bit equivalent. |
3348 | + |
3349 | + This patch has the added benefit that it gets rid of a (gnu-specific) |
3350 | + case range too. |
3351 | + |
3352 | + Reviewed-by: Leif Lindholm <leif@nuviainc.com> |
3353 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3354 | + |
3355 | +2020-05-25 Ian Jackson <ian.jackson@eu.citrix.com> |
3356 | + |
3357 | + templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK) |
3358 | + XSM is enabled by adding "flask=enforcing" as a Xen command line |
3359 | + argument, and providing the policy file as a grub module. |
3360 | + |
3361 | + We make entries for both with and without XSM. If XSM is not compiled |
3362 | + into Xen, then there are no policy files, so no change to the boot |
3363 | + options. |
3364 | + |
3365 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3366 | + |
3367 | +2020-05-25 Ian Jackson <ian.jackson@eu.citrix.com> |
3368 | + |
3369 | + templates/20_linux_xen: Ignore xenpolicy and config files too |
3370 | + file_is_not_sym() currently only checks for xen-syms. Extend it to |
3371 | + disregard xenpolicy (XSM policy files) and files ending .config (which |
3372 | + are built by the Xen upstream build system in some configurations and |
3373 | + can therefore end up in /boot). |
3374 | + |
3375 | + Rename the function accordingly, to file_is_not_xen_garbage(). |
3376 | + |
3377 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3378 | + |
3379 | +2020-05-25 Javier Martinez Canillas <javierm@redhat.com> |
3380 | + |
3381 | + net: Break out nested function |
3382 | + Nested functions are not supported in C, but are permitted as an extension |
3383 | + in the GNU C dialect. Commit cb2f15c5448 ("normal/main: Search for specific |
3384 | + config files for netboot") added a nested function which caused the build |
3385 | + to break when compiling with clang. |
3386 | + |
3387 | + Break that out into a static helper function to make the code portable again. |
3388 | + |
3389 | + Reported-by: Daniel Axtens <dja@axtens.net> |
3390 | + Tested-by: Daniel Axtens <dja@axtens.net> |
3391 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3392 | + |
3393 | +2020-05-25 Javier Martinez Canillas <javierm@redhat.com> |
3394 | + |
3395 | + tpm: Enable module for all EFI platforms |
3396 | + The module is only enabled for x86_64, but there's nothing specific to |
3397 | + x86_64 in the implementation and can be enabled for all EFI platforms. |
3398 | + |
3399 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3400 | + |
3401 | +2020-05-25 Daniel Kiper <daniel.kiper@oracle.com> |
3402 | + |
3403 | + INSTALL/configure: Update install doc and configure comment |
3404 | + ..to reflect the GRUB build reality in them. |
3405 | + |
3406 | + Additionally, fix text formatting a bit. |
3407 | + |
3408 | + Reviewed-by: Leif Lindholm <leif@nuviainc.com> |
3409 | + |
3410 | +2020-05-25 Daniel Kiper <daniel.kiper@oracle.com> |
3411 | + |
3412 | + configure: Set gnu99 C language standard by default |
3413 | + Commit d5a32255d (misc: Make grub_strtol() "end" pointers have safer |
3414 | + const qualifiers) introduced "restrict" keyword into some functions |
3415 | + definitions. This keyword was introduced in C99 standard. However, some |
3416 | + compilers by default may use C89 or something different. This behavior |
3417 | + leads to the breakage during builds when c89 or gnu89 is in force. So, |
3418 | + let's set gnu99 C language standard for all compilers by default. This |
3419 | + way a bit random build issue will be fixed and the GRUB source will be |
3420 | + build consistently regardless of type and version of the compiler. |
3421 | + |
3422 | + It was decided to use gnu99 C language standard because it fixes the |
3423 | + issue mentioned above and also provides some useful extensions which are |
3424 | + used here and there in the GRUB source. Potentially we can use gnu11 |
3425 | + too. However, this may reduce pool of older compilers which can be used |
3426 | + to build the GRUB. So, let's live with gnu99 until we discover that we |
3427 | + strongly require a feature from newer C standard. |
3428 | + |
3429 | + The user is still able to override C language standard using relevant |
3430 | + *_CFLAGS variables. |
3431 | + |
3432 | + Reviewed-by: Leif Lindholm <leif@nuviainc.com> |
3433 | + |
3434 | +2020-05-15 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
3435 | + |
3436 | + tpm: Rename function grub_tpm_log_event() to grub_tpm_measure() |
3437 | + grub_tpm_log_event() and grub_tpm_measure() are two functions that |
3438 | + have the same effect. So, keep grub_tpm_log_event() and rename it |
3439 | + to grub_tpm_measure(). This way we get also a more clear semantics. |
3440 | + |
3441 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3442 | + |
3443 | +2020-05-15 Daniel Kiper <daniel.kiper@oracle.com> |
3444 | + |
3445 | + autogen: Replace -iname with -ipath in find command |
3446 | + ..because -iname cannot be used to match paths. |
3447 | + |
3448 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
3449 | + Reviewed-by: Leif Lindholm <leif@nuviainc.com> |
3450 | + Reviewed-by: Daniel Axtens <dja@axtens.net> |
3451 | + |
3452 | +2020-05-15 Daniel Kiper <daniel.kiper@oracle.com> |
3453 | + |
3454 | + INSTALL: Update configure example |
3455 | + ..to make it more relevant. |
3456 | + |
3457 | + Reviewed-by: Leif Lindholm <leif@nuviainc.com> |
3458 | + |
3459 | +2020-05-15 Daniel Kiper <daniel.kiper@oracle.com> |
3460 | + |
3461 | + configure: Drop unneeded TARGET_CFLAGS expansion |
3462 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
3463 | + Reviewed-by: Leif Lindholm <leif@nuviainc.com> |
3464 | + |
3465 | +2020-05-15 Jacob Kroon <jacob.kroon@gmail.com> |
3466 | + |
3467 | + docs/grub: Support for probing partition UUID on MSDOS disks |
3468 | + Support was implemented in commit c7cb11b21 (probe: Support probing for |
3469 | + msdos PARTUUID). |
3470 | + |
3471 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3472 | + |
3473 | +2020-05-15 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
3474 | + |
3475 | + verifiers: Add verify string debug message |
3476 | + Like grub_verifiers_open(), the grub_verify_string() should also |
3477 | + display this debug message, which is very helpful for debugging. |
3478 | + |
3479 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3480 | + |
3481 | +2020-05-15 Javier Martinez Canillas <javierm@redhat.com> |
3482 | + |
3483 | + envblk: Fix buffer overrun when attempting to shrink a variable value |
3484 | + If an existing variable is set with a value whose length is smaller than |
3485 | + the current value, a memory corruption can happen due copying padding '#' |
3486 | + characters outside of the environment block buffer. |
3487 | + |
3488 | + This is caused by a wrong calculation of the previous free space position |
3489 | + after moving backward the characters that followed the old variable value. |
3490 | + |
3491 | + That position is calculated to fill the remaining of the buffer with the |
3492 | + padding '#' characters. But since isn't calculated correctly, it can lead |
3493 | + to copies outside of the buffer. |
3494 | + |
3495 | + The issue can be reproduced by creating a variable with a large value and |
3496 | + then try to set a new value that is much smaller: |
3497 | + |
3498 | + $ grub2-editenv --version |
3499 | + grub2-editenv (GRUB) 2.04 |
3500 | + |
3501 | + $ grub2-editenv env create |
3502 | + |
3503 | + $ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)" |
3504 | + |
3505 | + $ wc -c env |
3506 | + 1024 grubenv |
3507 | + |
3508 | + $ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)" |
3509 | + malloc(): corrupted top size |
3510 | + Aborted (core dumped) |
3511 | + |
3512 | + $ wc -c env |
3513 | + 0 grubenv |
3514 | + |
3515 | + Reported-by: Renaud Métrich <rmetrich@redhat.com> |
3516 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3517 | + |
3518 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3519 | + |
3520 | + docs: Remove docs for non-existing uppermem command |
3521 | + Remove all documentation of and mentions of the uppermem |
3522 | + command from the docs/grub.texi file. |
3523 | + |
3524 | + The uppermem command is not implemented in the GRUB source |
3525 | + at all and appears to never have been implemented despite |
3526 | + former plans to add an uppermem command. |
3527 | + |
3528 | + To reduce user confusion, this even removes the paragraph |
3529 | + describing how GRUB's uppermem command was supposed to |
3530 | + complement the Linux kernel's mem= parameter. |
3531 | + |
3532 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3533 | + |
3534 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3535 | + |
3536 | + docs: Remove docs for non-existing pxe_unload command |
3537 | + Remove the documentation of the pxe_unload command from the |
3538 | + docs/grub.texi file. |
3539 | + |
3540 | + The pxe_unload command is not implemented in the grub source |
3541 | + at this time at all. It appears to have been removed in commit |
3542 | + 671a78acb (cleanup pxe and efi network release). |
3543 | + |
3544 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3545 | + |
3546 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3547 | + |
3548 | + gitignore: Add a few forgotten file patterns |
3549 | + Add a few patterns to .gitignore to cover files which are generated |
3550 | + by building grub ("make", "make check", "make dist") but which have |
3551 | + been forgotten to add to .gitignore in the past. |
3552 | + |
3553 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3554 | + |
3555 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3556 | + |
3557 | + gitignore: Add leading slashes where appropriate |
3558 | + Going through the list of gitignore patterns without a leading slash, |
3559 | + this adds a leading slash where it appears to have been forgotten. |
3560 | + |
3561 | + Some gitignore patterns like ".deps/" or "Makefile" clearly should |
3562 | + match everywhere, so those definitively need no leading slash. |
3563 | + |
3564 | + For some patterns like "ascii.bitmaps", it is unclear where in the |
3565 | + source tree they should match. Those patterns are kept as they are, |
3566 | + matching the patterns in the whole tree of subdirectories. |
3567 | + |
3568 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3569 | + |
3570 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3571 | + |
3572 | + gitignore: Add trailing slashes for directories |
3573 | + Add trailing slashes for all patterns matching directories. |
3574 | + |
3575 | + Note that we do *not* add trailing slashes for *symlinks* |
3576 | + to directories. |
3577 | + |
3578 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3579 | + |
3580 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3581 | + |
3582 | + gitignore: Sort both pattern groups alphabetically |
3583 | + Alphabetically sort the two groups of gitignore patterns: |
3584 | + |
3585 | + * The group of patterns without slashes, matching anywhere |
3586 | + in the directory subtree. |
3587 | + |
3588 | + * The group of patterns with slashes, matching relative to the |
3589 | + .gitignore file's directory |
3590 | + |
3591 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3592 | + |
3593 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3594 | + |
3595 | + gitignore: Group patterns with and without slash |
3596 | + Group the .gitignore patterns into two groups: |
3597 | + |
3598 | + * Pattern not including a slash, i.e. matching files anywhere in |
3599 | + the .gitignore file's directory and all of its subdirectories. |
3600 | + |
3601 | + * Patterns including a slash, i.e. matching only relative to the |
3602 | + .gitignore file's directory. |
3603 | + |
3604 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3605 | + |
3606 | +2020-05-15 Hans Ulrich Niedermann <hun@n-dimensional.de> |
3607 | + |
3608 | + gitignore: Consistent leading slash is easier to read |
3609 | + As all gitignore patterns containing a left or middle slash match |
3610 | + only relative to the .gitignore file's directory, we write them |
3611 | + all in the same manner with a leading slash. |
3612 | + |
3613 | + This makes the file significantly easier to read. |
3614 | + |
3615 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3616 | + |
3617 | +2020-05-15 Daniel Kiper <daniel.kiper@oracle.com> |
3618 | + |
3619 | + mips/cache: Add missing nop's in delay slots |
3620 | + Lack of them causes random instructions to be executed before the |
3621 | + jump really happens. |
3622 | + |
3623 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3624 | + |
3625 | +2020-04-21 Patrick Steinhardt <ps@pks.im> |
3626 | + |
3627 | + luks2: Propagate error when reading area key fails |
3628 | + When decrypting a given keyslot, all error cases except for one set up |
3629 | + an error and return the error code. The only exception is when we try to |
3630 | + read the area key: instead of setting up an error message, we directly |
3631 | + print it via grub_dprintf(). |
3632 | + |
3633 | + Convert the outlier to use grub_error() to allow more uniform handling |
3634 | + of errors. |
3635 | + |
3636 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3637 | + |
3638 | +2020-04-21 Patrick Steinhardt <ps@pks.im> |
3639 | + |
3640 | + json: Get rid of casts for "jsmntok_t" |
3641 | + With the upstream change having landed that adds a name to the |
3642 | + previously anonymous "jsmntok" typedef, we can now add a forward |
3643 | + declaration for that struct in our code. As a result, we no longer have |
3644 | + to store the "tokens" member of "struct grub_json" as a void pointer but |
3645 | + can instead use the forward declaration, allowing us to get rid of casts |
3646 | + of that field. |
3647 | + |
3648 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3649 | + |
3650 | +2020-04-21 Patrick Steinhardt <ps@pks.im> |
3651 | + |
3652 | + json: Update jsmn library to upstream commit 053d3cd |
3653 | + Update our embedded version of the jsmn library to upstream commit |
3654 | + 053d3cd (Merge pull request #175 from pks-t/pks/struct-type, |
3655 | + 2020-04-02). |
3656 | + |
3657 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3658 | + |
3659 | +2020-04-21 Steve Langasek <steve.langasek@ubuntu.com> |
3660 | + |
3661 | + templates: Output a menu entry for firmware setup on UEFI FastBoot systems |
3662 | + The fwsetup command allows to reboot into the EFI firmware setup menu, add |
3663 | + a template to include a menu entry on EFI systems that makes use of that |
3664 | + command to reboot into the EFI firmware settings. |
3665 | + |
3666 | + This is useful for users since the hotkey to enter into the EFI setup menu |
3667 | + may not be the same on all systems so users can use the menu entry without |
3668 | + needing to figure out what key needs to be pressed. |
3669 | + |
3670 | + Also, if fastboot is enabled in the BIOS then often it is not possible to |
3671 | + enter the firmware setup menu. So the entry is again useful for this case. |
3672 | + |
3673 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3674 | + |
3675 | +2020-04-21 Hans de Goede <hdegoede@redhat.com> |
3676 | + |
3677 | + kern/term: Accept ESC, F4 and holding SHIFT as user interrupt keys |
3678 | + On some devices the ESC key is the hotkey to enter the BIOS/EFI setup |
3679 | + screen, making it really hard to time pressing it right. Besides that |
3680 | + ESC is also pretty hard to discover for a user who does not know it |
3681 | + will unhide the menu. |
3682 | + |
3683 | + This commit makes F4, which was chosen because is not used as a hotkey |
3684 | + to enter the BIOS setup by any vendor, also interrupt sleeps / stop the |
3685 | + menu countdown. |
3686 | + |
3687 | + This solves the ESC gets into the BIOS setup and also somewhat solves |
3688 | + the discoverability issue, but leaves the timing issue unresolved. |
3689 | + |
3690 | + This commit fixes the timing issue by also adding support for keeping |
3691 | + SHIFT pressed during boot to stop the menu countdown. This matches |
3692 | + what Ubuntu is doing, which should also help with discoverability. |
3693 | + |
3694 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3695 | + |
3696 | +2020-04-21 Hans de Goede <hdegoede@redhat.com> |
3697 | + |
3698 | + efi/console: Do not set text-mode until we actually need it |
3699 | + If we're running with a hidden menu we may never need text mode, so do not |
3700 | + change the video-mode to text until we actually need it. |
3701 | + |
3702 | + This allows to boot a machine without unnecessary graphical transitions and |
3703 | + provide a seamless boot experience to users. |
3704 | + |
3705 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3706 | + |
3707 | +2020-04-21 Hans de Goede <hdegoede@redhat.com> |
3708 | + |
3709 | + efi/console: Implement getkeystatus() support |
3710 | + Implement getkeystatus() support in the EFI console driver. |
3711 | + |
3712 | + This is needed because the logic to determine if a key was pressed to make |
3713 | + the menu countdown stop will be changed by a later patch to also take into |
3714 | + account the SHIFT key being held down. |
3715 | + |
3716 | + For this reason the EFI console driver has to support getkeystatus() to |
3717 | + allow detecting that event. |
3718 | + |
3719 | + Note that if a non-modifier key gets pressed and repeated calls to |
3720 | + getkeystatus() are made then it will return the modifier status at the |
3721 | + time of the non-modifier key, until that key-press gets consumed by a |
3722 | + getkey() call. |
3723 | + |
3724 | + This is a side-effect of how the EFI simple-text-input protocol works |
3725 | + and cannot be avoided. |
3726 | + |
3727 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3728 | + |
3729 | +2020-04-21 Hans de Goede <hdegoede@redhat.com> |
3730 | + |
3731 | + efi/console: Add grub_console_read_key_stroke() helper function |
3732 | + This is a preparatory patch for adding getkeystatus() support to the |
3733 | + EFI console driver. |
3734 | + |
3735 | + We can get modifier status through the simple_text_input read_key_stroke() |
3736 | + method, but if a non-modifier key is (also) pressed the read_key_stroke() |
3737 | + call will consume that key from the firmware's queue. |
3738 | + |
3739 | + The new grub_console_read_key_stroke() helper buffers upto 1 key-stroke. |
3740 | + If it has a non-modifier key buffered, it will return that one, if its |
3741 | + buffer is empty, it will fills its buffer by getting a new key-stroke. |
3742 | + |
3743 | + If called with consume=1 it will empty its buffer after copying the |
3744 | + key-data to the callers buffer, this is how getkey() will use it. |
3745 | + |
3746 | + If called with consume=0 it will keep the last key-stroke buffered, this |
3747 | + is how getkeystatus() will call it. This means that if a non-modifier |
3748 | + key gets pressed, repeated getkeystatus() calls will return the modifiers |
3749 | + of that key-press until it is consumed by a getkey() call. |
3750 | + |
3751 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3752 | + |
3753 | +2020-04-21 Hans de Goede <hdegoede@redhat.com> |
3754 | + |
3755 | + kern/term: Make grub_getkeystatus() helper function available everywhere |
3756 | + Move grub_getkeystatushelper() function from grub-core/commands/keystatus.c |
3757 | + to grub-core/kern/term.c and export it so that it can be used outside of |
3758 | + the keystatus command code too. |
3759 | + |
3760 | + There's no logic change in this patch. The function definition is moved so |
3761 | + it can be called from grub-core/kern/term.c in a subsequent patch. It will |
3762 | + be used to determine if a SHIFT key has was held down and use that also to |
3763 | + interrupt the countdown, without the need to press a key at the right time. |
3764 | + |
3765 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3766 | + |
3767 | +2020-04-21 Javier Martinez Canillas <javierm@redhat.com> |
3768 | + |
3769 | + efi/console: Move grub_console_set{colorstate,cursor} higher in the file |
3770 | + This is just a preparatory patch to move the functions higher in the file, |
3771 | + since these will be called by the grub_prepare_for_text_output() function |
3772 | + that will be introduced in a later patch. |
3773 | + |
3774 | + The logic is unchanged by this patch. Functions definitions are just moved |
3775 | + to avoid a forward declaration in a later patch, keeping the code clean. |
3776 | + |
3777 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3778 | + |
3779 | +2020-04-21 Paul Menzel <pmenzel@molgen.mpg.de> |
3780 | + |
3781 | + docs/grub: Fix typo in *preferred* |
3782 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3783 | + |
3784 | +2020-04-21 Daniel Axtens <dja@axtens.net> |
3785 | + |
3786 | + powerpc/mkimage: Fix CHRP note descsz |
3787 | + Currently, an image generated with 'grub-mkimage -n' causes an error when |
3788 | + read with 'readelf -a': |
3789 | + |
3790 | + Displaying notes found at file offset 0x000106f0 with length 0x0000002c: |
3791 | + Owner Data size Description |
3792 | + readelf: Warning: note with invalid namesz and/or descsz found at offset 0x0 |
3793 | + readelf: Warning: type: 0x1275, namesize: 0x00000008, descsize: 0x0000002c, alignment: 4 |
3794 | + |
3795 | + This is because the descsz of the CHRP note is set to |
3796 | + sizeof (struct grub_ieee1275_note) |
3797 | + which is the size of the entire note, including name and elf header. The |
3798 | + desczs should contain only the contents, not the name and header sizes. |
3799 | + |
3800 | + Set the descsz instead to 'sizeof (struct grub_ieee1275_note_desc)' |
3801 | + |
3802 | + Resultant readelf output: |
3803 | + |
3804 | + Displaying notes found at file offset 0x00010710 with length 0x0000002c: |
3805 | + Owner Data size Description |
3806 | + PowerPC 0x00000018 Unknown note type: (0x00001275) |
3807 | + description data: ff ff ff ff 00 c0 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 40 00 |
3808 | + |
3809 | + So far as I can tell this issue has existed for as long as the note |
3810 | + generation code has existed, but I guess nothing really checks descsz. |
3811 | + |
3812 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3813 | + |
3814 | +2020-03-31 Flavio Suligoi <f.suligoi@asem.it> |
3815 | + |
3816 | + efi: Add missed space in GRUB_EFI_GLOBAL_VARIABLE_GUID |
3817 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3818 | + |
3819 | +2020-03-31 Michael Chang <mchang@suse.com> |
3820 | + |
3821 | + zfs: Fix gcc10 error -Werror=zero-length-bounds |
3822 | + We bumped into the build error while testing gcc-10 pre-release. |
3823 | + |
3824 | + In file included from ../../include/grub/file.h:22, |
3825 | + from ../../grub-core/fs/zfs/zfs.c:34: |
3826 | + ../../grub-core/fs/zfs/zfs.c: In function 'zap_leaf_lookup': |
3827 | + ../../grub-core/fs/zfs/zfs.c:2263:44: error: array subscript '<unknown>' is outside the bounds of an interior zero-length array 'grub_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=zero-length-bounds] |
3828 | + 2263 | for (chunk = grub_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian); |
3829 | + ../../include/grub/types.h:241:48: note: in definition of macro 'grub_le_to_cpu16' |
3830 | + 241 | # define grub_le_to_cpu16(x) ((grub_uint16_t) (x)) |
3831 | + | ^ |
3832 | + ../../grub-core/fs/zfs/zfs.c:2263:16: note: in expansion of macro 'grub_zfs_to_cpu16' |
3833 | + 2263 | for (chunk = grub_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian); |
3834 | + | ^~~~~~~~~~~~~~~~~ |
3835 | + In file included from ../../grub-core/fs/zfs/zfs.c:48: |
3836 | + ../../include/grub/zfs/zap_leaf.h:72:16: note: while referencing 'l_hash' |
3837 | + 72 | grub_uint16_t l_hash[0]; |
3838 | + | ^~~~~~ |
3839 | + |
3840 | + Here I'd like to quote from the gcc document [1] which seems best to |
3841 | + explain what is going on here. |
3842 | + |
3843 | + "Although the size of a zero-length array is zero, an array member of |
3844 | + this kind may increase the size of the enclosing type as a result of |
3845 | + tail padding. The offset of a zero-length array member from the |
3846 | + beginning of the enclosing structure is the same as the offset of an |
3847 | + array with one or more elements of the same type. The alignment of a |
3848 | + zero-length array is the same as the alignment of its elements. |
3849 | + |
3850 | + Declaring zero-length arrays in other contexts, including as interior |
3851 | + members of structure objects or as non-member objects, is discouraged. |
3852 | + Accessing elements of zero-length arrays declared in such contexts is |
3853 | + undefined and may be diagnosed." |
3854 | + |
3855 | + The l_hash[0] is apparnetly an interior member to the enclosed structure |
3856 | + while l_entries[0] is the trailing member. And the offending code tries |
3857 | + to access members in l_hash[0] array that triggers the diagnose. |
3858 | + |
3859 | + Given that the l_entries[0] is used to get proper alignment to access |
3860 | + leaf chunks, we can accomplish the same thing through the ALIGN_UP macro |
3861 | + thus eliminating l_entries[0] from the structure. In this way we can |
3862 | + pacify the warning as l_hash[0] now becomes the last member to the |
3863 | + enclosed structure. |
3864 | + |
3865 | + [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html |
3866 | + |
3867 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3868 | + |
3869 | +2020-03-31 Michael Chang <mchang@suse.com> |
3870 | + |
3871 | + mdraid1x_linux: Fix gcc10 error -Werror=array-bounds |
3872 | + We bumped into the build error while testing gcc-10 pre-release. |
3873 | + |
3874 | + ../../grub-core/disk/mdraid1x_linux.c: In function 'grub_mdraid_detect': |
3875 | + ../../grub-core/disk/mdraid1x_linux.c:181:15: error: array subscript <unknown> is outside array bounds of 'grub_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=array-bounds] |
3876 | + 181 | (char *) &sb.dev_roles[grub_le_to_cpu32 (sb.dev_number)] |
3877 | + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
3878 | + ../../grub-core/disk/mdraid1x_linux.c:98:17: note: while referencing 'dev_roles' |
3879 | + 98 | grub_uint16_t dev_roles[0]; /* Role in array, or 0xffff for a spare, or 0xfffe for faulty. */ |
3880 | + | ^~~~~~~~~ |
3881 | + ../../grub-core/disk/mdraid1x_linux.c:127:33: note: defined here 'sb' |
3882 | + 127 | struct grub_raid_super_1x sb; |
3883 | + | ^~ |
3884 | + cc1: all warnings being treated as errors |
3885 | + |
3886 | + Apparently gcc issues the warning when trying to access sb.dev_roles |
3887 | + array's member, since it is a zero length array as the last element of |
3888 | + struct grub_raid_super_1x that is allocated sparsely without extra |
3889 | + chunks for the trailing bits, so the warning looks legitimate in this |
3890 | + regard. |
3891 | + |
3892 | + As the whole thing here is doing offset computation, it is undue to use |
3893 | + syntax that would imply array member access then take address from it |
3894 | + later. Instead we could accomplish the same thing through basic array |
3895 | + pointer arithmetic to pacify the warning. |
3896 | + |
3897 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3898 | + |
3899 | +2020-03-31 Simon Hardy <simon.hardy@itdev.co.uk> |
3900 | + |
3901 | + build: Fix GRUB i386-pc build with Ubuntu gcc |
3902 | + With recent versions of gcc on Ubuntu a very large lzma_decompress.img file is |
3903 | + output. (e.g. 134479600 bytes instead of 2864.) This causes grub-mkimage to |
3904 | + fail with: "error: Decompressor is too big." |
3905 | + |
3906 | + This seems to be caused by a section .note.gnu.property that is placed at an |
3907 | + offset such that objcopy needs to pad the img file with zeros. |
3908 | + |
3909 | + This issue is present on: |
3910 | + Ubuntu 19.10 with gcc (Ubuntu 8.3.0-26ubuntu1~19.10) 8.3.0 |
3911 | + Ubuntu 19.10 with gcc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008 |
3912 | + |
3913 | + This issue is not present on: |
3914 | + Ubuntu 19.10 with gcc (Ubuntu 7.5.0-3ubuntu1~19.10) 7.5.0 |
3915 | + RHEL 8.0 with gcc 8.3.1 20190507 (Red Hat 8.3.1-4) |
3916 | + |
3917 | + The issue can be fixed by removing the section using objcopy as shown in |
3918 | + this patch. |
3919 | + |
3920 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3921 | + |
3922 | +2020-03-31 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> |
3923 | + |
3924 | + efi/tpm: Fix memory leak in grub_tpm1/2_log_event() |
3925 | + The memory requested for the event is not released here, |
3926 | + causing memory leaks. This patch fixes this problem. |
3927 | + |
3928 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
3929 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3930 | + |
3931 | +2020-03-31 Michael Chang <mchang@suse.com> |
3932 | + |
3933 | + docs: Document notes on LVM cache booting |
3934 | + Add notes on LVM cache booting to the GRUB manual to help user understanding |
3935 | + the outstanding issue and status. |
3936 | + |
3937 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3938 | + |
3939 | +2020-03-31 Michael Chang <mchang@suse.com> |
3940 | + |
3941 | + lvm: Add LVM cache logical volume handling |
3942 | + The LVM cache logical volume is the logical volume consisting of the original |
3943 | + and the cache pool logical volume. The original is usually on a larger and |
3944 | + slower storage device while the cache pool is on a smaller and faster one. The |
3945 | + performance of the original volume can be improved by storing the frequently |
3946 | + used data on the cache pool to utilize the greater performance of faster |
3947 | + device. |
3948 | + |
3949 | + The default cache mode "writethrough" ensures that any data written will be |
3950 | + stored both in the cache and on the origin LV, therefore grub can be straight |
3951 | + to read the original lv as no data loss is guarenteed. |
3952 | + |
3953 | + The second cache mode is "writeback", which delays writing from the cache pool |
3954 | + back to the origin LV to have increased performance. The drawback is potential |
3955 | + data loss if losing the associated cache device. |
3956 | + |
3957 | + During the boot time grub reads the LVM offline i.e. LVM volumes are not |
3958 | + activated and mounted, hence it should be fine to read directly from original |
3959 | + lv since all cached data should have been flushed back in the process of taking |
3960 | + it offline. |
3961 | + |
3962 | + It is also not much helpful to the situation by adding fsync calls to the |
3963 | + install code. The fsync did not force to write back dirty cache to the original |
3964 | + device and rather it would update associated cache metadata to complete the |
3965 | + write transaction with the cache device. IOW the writes to cached blocks still |
3966 | + go only to the cache device. |
3967 | + |
3968 | + To write back dirty cache, as LVM cache did not support dirty cache flush per |
3969 | + block range, there'no way to do it for file. On the other hand the "cleaner" |
3970 | + policy is implemented and can be used to write back "all" dirty blocks in a |
3971 | + cache, which effectively drain all dirty cache gradually to attain and last in |
3972 | + the "clean" state, which can be useful for shrinking or decommissioning a |
3973 | + cache. The result and effect is not what we are looking for here. |
3974 | + |
3975 | + In conclusion, as it seems no way to enforce file writes to the original |
3976 | + device, grub may suffer from power failure as it cannot assemble the cache |
3977 | + device and read the dirty data from it. However since the case is only |
3978 | + applicable to writeback mode which is sensitive to data lost in nature, I'd |
3979 | + still like to propose my (relatively simple) patch and treat reading dirty |
3980 | + cache as improvement. |
3981 | + |
3982 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
3983 | + |
3984 | +2020-03-10 Patrick Steinhardt <ps@pks.im> |
3985 | + |
3986 | + gnulib: Fix build of base64 when compiling with memory debugging |
3987 | + When building GRUB with memory management debugging enabled, then the |
3988 | + build fails because of `grub_debug_malloc()` and `grub_debug_free()` |
3989 | + being undefined in the luks2 module. The cause is that we patch |
3990 | + "base64.h" to unconditionaly include "config-util.h", which shouldn't be |
3991 | + included for modules at all. As a result, `MM_DEBUG` is defined when |
3992 | + building the module, causing it to use the debug memory allocation |
3993 | + functions. As these are not built into modules, we end up with a linker |
3994 | + error. |
3995 | + |
3996 | + Fix the issue by removing the <config-util.h> include altogether. The |
3997 | + sole reason it was included was for the `_GL_ATTRIBUTE_CONST` macro, |
3998 | + which we can simply define as empty in case it's not set. |
3999 | + |
4000 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4001 | + |
4002 | +2020-03-10 Patrick Steinhardt <ps@pks.im> |
4003 | + |
4004 | + build: Fix option to explicitly disable memory debugging |
4005 | + The memory management system supports a debug mode that can be enabled |
4006 | + at build time by passing "--enable-mm-debug" to the configure script. |
4007 | + Passing the option will cause us define MM_DEBUG as expected, but in |
4008 | + fact the reverse option "--disable-mm-debug" will do the exact same |
4009 | + thing and also set up the define. This currently causes the build of |
4010 | + "lib/gnulib/base64.c" to fail as it tries to use `grub_debug_malloc()` |
4011 | + and `grub_debug_free()` even though both symbols aren't defined. |
4012 | + |
4013 | + Seemingly, `AC_ARG_ENABLE()` will always execute the third argument if |
4014 | + either the positive or negative option was passed. Let's thus fix the |
4015 | + issue by moving the call to`AC_DEFINE()` into an explicit `if test |
4016 | + $xenable_mm_debug` block, similar to how other defines work. |
4017 | + |
4018 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4019 | + Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> |
4020 | + |
4021 | +2020-03-10 David Michael <fedora.dm0@gmail.com> |
4022 | + |
4023 | + fat: Support file modification times |
4024 | + This allows comparing file ages on EFI system partitions. |
4025 | + |
4026 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4027 | + |
4028 | +2020-03-10 David Michael <fedora.dm0@gmail.com> |
4029 | + |
4030 | + exfat: Save the matching directory entry struct when searching |
4031 | + This provides the node's attributes outside the iterator function |
4032 | + so the file modification time can be accessed and reported. |
4033 | + |
4034 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4035 | + |
4036 | +2020-03-10 Mike Gilbert <floppym@gentoo.org> |
4037 | + |
4038 | + datetime: Enable the datetime module for the emu platform |
4039 | + Fixes a build failure: |
4040 | + |
4041 | + grub-core/commands/date.c:49: undefined reference to `grub_get_weekday_name' |
4042 | + grub-core/commands/ls.c:155: undefined reference to `grub_unixtime2datetime' |
4043 | + |
4044 | + Bug: https://bugs.gentoo.org/711512 |
4045 | + |
4046 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
4047 | + Tested-by: Javier Martinez Canillas <javierm@redhat.com> |
4048 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4049 | + |
4050 | +2020-03-10 John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> |
4051 | + |
4052 | + build: Add soft-float handling for SuperH (sh4) |
4053 | + While GRUB has no platform support for SuperH (sh4) yet, this change |
4054 | + adds the target-specific handling of soft-floats such that the GRUB |
4055 | + utilities can be built on this target. |
4056 | + |
4057 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4058 | + |
4059 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4060 | + |
4061 | + efi: Fix the type of grub_efi_status_t |
4062 | + Currently, in some builds with some checkers, we see: |
4063 | + |
4064 | + 1. grub-core/disk/efi/efidisk.c:601: error[shiftTooManyBitsSigned]: Shifting signed 64-bit value by 63 bits is undefined behaviour |
4065 | + |
4066 | + This is because grub_efi_status_t is defined as grub_efi_intn_t, which is |
4067 | + signed, and shifting into the sign bit is not defined behavior. UEFI fixed |
4068 | + this in the spec in 2.3: |
4069 | + |
4070 | + 2.3 | Change the defined type of EFI_STATUS from INTN to UINTN | May 7, 2009 |
4071 | + |
4072 | + And the current EDK2 code has: |
4073 | + MdePkg/Include/Base.h-// |
4074 | + MdePkg/Include/Base.h-// Status codes common to all execution phases |
4075 | + MdePkg/Include/Base.h-// |
4076 | + MdePkg/Include/Base.h:typedef UINTN RETURN_STATUS; |
4077 | + MdePkg/Include/Base.h- |
4078 | + MdePkg/Include/Base.h-/** |
4079 | + MdePkg/Include/Base.h- Produces a RETURN_STATUS code with the highest bit set. |
4080 | + MdePkg/Include/Base.h- |
4081 | + MdePkg/Include/Base.h- @param StatusCode The status code value to convert into a warning code. |
4082 | + MdePkg/Include/Base.h- StatusCode must be in the range 0x00000000..0x7FFFFFFF. |
4083 | + MdePkg/Include/Base.h- |
4084 | + MdePkg/Include/Base.h- @return The value specified by StatusCode with the highest bit set. |
4085 | + MdePkg/Include/Base.h- |
4086 | + MdePkg/Include/Base.h-**/ |
4087 | + MdePkg/Include/Base.h-#define ENCODE_ERROR(StatusCode) ((RETURN_STATUS)(MAX_BIT | (StatusCode))) |
4088 | + MdePkg/Include/Base.h- |
4089 | + MdePkg/Include/Base.h-/** |
4090 | + MdePkg/Include/Base.h- Produces a RETURN_STATUS code with the highest bit clear. |
4091 | + MdePkg/Include/Base.h- |
4092 | + MdePkg/Include/Base.h- @param StatusCode The status code value to convert into a warning code. |
4093 | + MdePkg/Include/Base.h- StatusCode must be in the range 0x00000000..0x7FFFFFFF. |
4094 | + MdePkg/Include/Base.h- |
4095 | + MdePkg/Include/Base.h- @return The value specified by StatusCode with the highest bit clear. |
4096 | + MdePkg/Include/Base.h- |
4097 | + MdePkg/Include/Base.h-**/ |
4098 | + MdePkg/Include/Base.h-#define ENCODE_WARNING(StatusCode) ((RETURN_STATUS)(StatusCode)) |
4099 | + MdePkg/Include/Base.h- |
4100 | + MdePkg/Include/Base.h-/** |
4101 | + MdePkg/Include/Base.h- Returns TRUE if a specified RETURN_STATUS code is an error code. |
4102 | + MdePkg/Include/Base.h- |
4103 | + MdePkg/Include/Base.h- This function returns TRUE if StatusCode has the high bit set. Otherwise, FALSE is returned. |
4104 | + MdePkg/Include/Base.h- |
4105 | + MdePkg/Include/Base.h- @param StatusCode The status code value to evaluate. |
4106 | + MdePkg/Include/Base.h- |
4107 | + MdePkg/Include/Base.h- @retval TRUE The high bit of StatusCode is set. |
4108 | + MdePkg/Include/Base.h- @retval FALSE The high bit of StatusCode is clear. |
4109 | + MdePkg/Include/Base.h- |
4110 | + MdePkg/Include/Base.h-**/ |
4111 | + MdePkg/Include/Base.h-#define RETURN_ERROR(StatusCode) (((INTN)(RETURN_STATUS)(StatusCode)) < 0) |
4112 | + ... |
4113 | + Uefi/UefiBaseType.h:typedef RETURN_STATUS EFI_STATUS; |
4114 | + |
4115 | + This patch makes grub's implementation match the Edk2 declaration with regards |
4116 | + to the signedness of the type. |
4117 | + |
4118 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4119 | + |
4120 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4121 | + |
4122 | + efi/gop: Add debug output on GOP probing |
4123 | + Add debug information to EFI GOP video driver probing function. |
4124 | + |
4125 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4126 | + |
4127 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4128 | + |
4129 | + efi/uga: Use video instead of fb as debug condition |
4130 | + All other video drivers use "video" as the debug condition instead of "fb" |
4131 | + so change this in the efi/uga driver to make it consistent with the others. |
4132 | + |
4133 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4134 | + |
4135 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4136 | + |
4137 | + efi: Print error messages to grub_efi_allocate_pages_real() |
4138 | + No messages were printed in this function, add some to ease debugging. |
4139 | + |
4140 | + Also, the function returns a void * pointer so return NULL instead of |
4141 | + 0 to make the code more readable. |
4142 | + |
4143 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4144 | + |
4145 | +2020-03-10 Andrei Borzenkov <arvidjaar@gmail.com> |
4146 | + |
4147 | + efi/uga: Use 64 bit for fb_base |
4148 | + We get 64 bit from PCI BAR but then truncate by assigning to 32 bit. |
4149 | + Make sure to check that pointer does not overflow on 32 bit platform. |
4150 | + |
4151 | + Closes: 50931 |
4152 | + |
4153 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4154 | + |
4155 | +2020-03-10 Alexander Graf <agraf@suse.de> |
4156 | + |
4157 | + efi/gop: Add support for BLT_ONLY adapters |
4158 | + EFI GOP has support for multiple different bitness types of frame buffers |
4159 | + and for a special "BLT only" type which is always defined to be RGBx. |
4160 | + |
4161 | + Because grub2 doesn't ever directly access the frame buffer but instead |
4162 | + only renders graphics via the BLT interface anyway, we can easily support |
4163 | + these adapters. |
4164 | + |
4165 | + The reason this has come up now is the emerging support for virtio-gpu |
4166 | + in OVMF. That adapter does not have the notion of a memory mapped frame |
4167 | + buffer and thus is BLT only. |
4168 | + |
4169 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4170 | + |
4171 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4172 | + |
4173 | + normal/completion: Fix possible NULL pointer dereference |
4174 | + Coverity Scan reports that the grub_strrchr() function can return NULL if |
4175 | + the character is not found. Check if that's the case for dirfile pointer. |
4176 | + |
4177 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4178 | + |
4179 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4180 | + |
4181 | + kern: Add grub_debug_enabled() |
4182 | + Add a grub_debug_enabled() helper function instead of open coding it. |
4183 | + |
4184 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4185 | + |
4186 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4187 | + |
4188 | + Makefile: Make libgrub.pp depend on config-util.h |
4189 | + If you build with "make -j48" a lot, sometimes you see: |
4190 | + |
4191 | + gcc -E -DHAVE_CONFIG_H -I. -I.. -Wall -W -DGRUB_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DGRUB_FILE=\"grub_script.tab.h\" -I. -I.. -I. -I.. -I../include -I./include -I../grub-core/lib/libgcrypt-grub/src/ -I../grub-core/lib/minilzo -I../grub-core/lib/xzembed -DMINILZO_HAVE_CONFIG_H -Wall -W -DGRUB_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DGRUB_FILE=\"grub_script.tab.h\" -I. -I.. -I. -I.. -I../include -I./include -I../grub-core/lib/libgcrypt-grub/src/ -I./grub-core/gnulib -I../grub-core/gnulib -I/builddir/build/BUILD/grub-2.02/grub-aarch64-efi-2.02 -D_FILE_OFFSET_BITS=64 \ |
4192 | + -D'GRUB_MOD_INIT(x)=@MARKER@x@' grub_script.tab.h grub_script.yy.h ../grub-core/commands/blocklist.c ../grub-core/commands/macbless.c ../grub-core/commands/xnu_uuid.c ../grub-core/commands/testload.c ../grub-core/commands/ls.c ../grub-core/disk/dmraid_nvidia.c ../grub-core/disk/loopback.c ../grub-core/disk/lvm.c ../grub-core/disk/mdraid_linux.c ../grub-core/disk/mdraid_linux_be.c ../grub-core/disk/mdraid1x_linux.c ../grub-core/disk/raid5_recover.c ../grub-core/disk/raid6_recover.c ../grub-core/font/font.c ../grub-core/gfxmenu/font.c ../grub-core/normal/charset.c ../grub-core/video/fb/fbblit.c ../grub-core/video/fb/fbutil.c ../grub-core/video/fb/fbfill.c ../grub-core/video/fb/video_fb.c ../grub-core/video/video.c ../grub-core/video/capture.c ../grub-core/video/colors.c ../grub-core/unidata.c ../grub-core/io/bufio.c ../grub-core/fs/affs.c ../grub-core/fs/afs.c ../grub-core/fs/bfs.c ../grub-core/fs/btrfs.c ../grub-core/fs/cbfs.c ../grub-core/fs/cpio.c ../grub-core/fs/cpio_be.c ../grub-core/fs/odc.c ../grub-core/fs/newc.c ../grub-core/fs/ext2.c ../grub-core/fs/fat.c ../grub-core/fs/exfat.c ../grub-core/fs/fshelp.c ../grub-core/fs/hfs.c ../grub-core/fs/hfsplus.c ../grub-core/fs/hfspluscomp.c ../grub-core/fs/iso9660.c ../grub-core/fs/jfs.c ../grub-core/fs/minix.c ../grub-core/fs/minix2.c ../grub-core/fs/minix3.c ../grub-core/fs/minix_be.c ../grub-core/fs/minix2_be.c ../grub-core/fs/minix3_be.c ../grub-core/fs/nilfs2.c ../grub-core/fs/ntfs.c ../grub-core/fs/ntfscomp.c ../grub-core/fs/reiserfs.c ../grub-core/fs/romfs.c ../grub-core/fs/sfs.c ../grub-core/fs/squash4.c ../grub-core/fs/tar.c ../grub-core/fs/udf.c ../grub-core/fs/ufs2.c ../grub-core/fs/ufs.c ../grub-core/fs/ufs_be.c ../grub-core/fs/xfs.c ../grub-core/fs/zfs/zfscrypt.c ../grub-core/fs/zfs/zfs.c ../grub-core/fs/zfs/zfsinfo.c ../grub-core/fs/zfs/zfs_lzjb.c ../grub-core/fs/zfs/zfs_lz4.c ../grub-core/fs/zfs/zfs_sha256.c ../grub-core/fs/zfs/zfs_fletcher.c ../grub-core/lib/envblk.c ../grub-core/lib/hexdump.c ../grub-core/lib/LzFind.c ../grub-core/lib/LzmaEnc.c ../grub-core/lib/crc.c ../grub-core/lib/adler32.c ../grub-core/lib/crc64.c ../grub-core/normal/datetime.c ../grub-core/normal/misc.c ../grub-core/partmap/acorn.c ../grub-core/partmap/amiga.c ../grub-core/partmap/apple.c ../grub-core/partmap/sun.c ../grub-core/partmap/plan.c ../grub-core/partmap/dvh.c ../grub-core/partmap/sunpc.c ../grub-core/partmap/bsdlabel.c ../grub-core/partmap/dfly.c ../grub-core/script/function.c ../grub-core/script/lexer.c ../grub-core/script/main.c ../grub-core/script/script.c ../grub-core/script/argv.c ../grub-core/io/gzio.c ../grub-core/io/xzio.c ../grub-core/io/lzopio.c ../grub-core/kern/ia64/dl_helper.c ../grub-core/kern/arm/dl_helper.c ../grub-core/kern/arm64/dl_helper.c ../grub-core/lib/minilzo/minilzo.c ../grub-core/lib/xzembed/xz_dec_bcj.c ../grub-core/lib/xzembed/xz_dec_lzma2.c ../grub-core/lib/xzembed/xz_dec_stream.c ../util/misc.c ../grub-core/kern/command.c ../grub-core/kern/device.c ../grub-core/kern/disk.c ../grub-core/lib/disk.c ../util/getroot.c ../grub-core/osdep/unix/getroot.c ../grub-core/osdep/getroot.c ../grub-core/osdep/devmapper/getroot.c ../grub-core/osdep/relpath.c ../grub-core/kern/emu/hostdisk.c ../grub-core/osdep/devmapper/hostdisk.c ../grub-core/osdep/hostdisk.c ../grub-core/osdep/unix/hostdisk.c ../grub-core/osdep/exec.c ../grub-core/osdep/sleep.c ../grub-core/osdep/password.c ../grub-core/kern/emu/misc.c ../grub-core/kern/emu/mm.c ../grub-core/kern/env.c ../grub-core/kern/err.c ../grub-core/kern/file.c ../grub-core/kern/fs.c ../grub-core/kern/list.c ../grub-core/kern/misc.c ../grub-core/kern/partition.c ../grub-core/lib/crypto.c ../grub-core/disk/luks.c ../grub-core/disk/geli.c ../grub-core/disk/cryptodisk.c ../grub-core/disk/AFSplitter.c ../grub-core/lib/pbkdf2.c ../grub-core/commands/extcmd.c ../grub-core/lib/arg.c ../grub-core/disk/ldm.c ../grub-core/disk/diskfilter.c ../grub-core/partmap/gpt.c ../grub-core/partmap/msdos.c ../grub-core/fs/proc.c ../grub-core/fs/archelp.c > libgrub.pp || (rm -f libgrub.pp; exit 1) |
4193 | + rm -f stamp-h1 |
4194 | + touch ../config-util.h.in |
4195 | + cd . && /bin/sh ./config.status config-util.h |
4196 | + config.status: creating config-util.h |
4197 | + In file included from ../include/grub/mm.h:25:0, |
4198 | + from ../include/grub/disk.h:29, |
4199 | + from ../include/grub/file.h:26, |
4200 | + from ../grub-core/fs/btrfs.c:21: |
4201 | + ./config.h:38:10: fatal error: ./config-util.h: No such file or directory |
4202 | + #include <config-util.h> |
4203 | + ^~~~~~~~~~~~~~~ |
4204 | + compilation terminated. |
4205 | + make: *** [Makefile:13098: libgrub.pp] Error 1 |
4206 | + |
4207 | + This is because libgrub.pp is built with -DGRUB_UTIL=1, which means |
4208 | + it'll try to include config-util.h, but a parallel make is actually |
4209 | + building that file. I think. |
4210 | + |
4211 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4212 | + |
4213 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4214 | + |
4215 | + efi: Print more debug info in our module loader |
4216 | + The function that searches the mods section base address does not have |
4217 | + any debug information. Add some debugging outputs that could be useful. |
4218 | + |
4219 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4220 | + |
4221 | +2020-03-10 Peter Jones <pjones@redhat.com> |
4222 | + |
4223 | + linux/getroot: Handle rssd storage device names |
4224 | + The Micron PCIe SSDs Linux driver (mtip32xx) exposes block devices |
4225 | + as /dev/rssd[a-z]+[0-9]*. Add support for these rssd device names. |
4226 | + |
4227 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4228 | + |
4229 | +2020-03-10 Julian Andres Klode <julian.klode@canonical.com> |
4230 | + |
4231 | + smbios: Add a --linux argument to apply linux modalias-like filtering |
4232 | + Linux creates modalias strings by filtering out non-ASCII, space, |
4233 | + and colon characters. Provide an option that does the same filtering |
4234 | + so people can create a modalias string in GRUB, and then match their |
4235 | + modalias patterns against it. |
4236 | + |
4237 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4238 | + |
4239 | +2020-03-10 Mike Gilbert <floppym@gentoo.org> |
4240 | + |
4241 | + po: Fix replacement of %m in sed programs |
4242 | + When running make dist, I hit this error: |
4243 | + |
4244 | + rm -f en@arabic.gmo && /usr/bin/gmsgfmt -c --statistics --verbose -o en@arabic.gmo en@arabic.po |
4245 | + en@arabic.po:5312: 'msgstr' is not a valid C format string, unlike 'msgid'. |
4246 | + Reason: The character that terminates the directive number 3 is not a valid conversion specifier. |
4247 | + /usr/bin/gmsgfmt: found 1 fatal error |
4248 | + |
4249 | + This was caused by "%m" being replaced with foreign Unicode characters. |
4250 | + For example: |
4251 | + |
4252 | + msgid "cannot rename the file %s to %s: %m" |
4253 | + msgstr "ﺹﺎﻨﻧﻮﺗ ﺮﻌﻧﺎﻤﻋ ﺖﻬﻋ ﻒִﻴﻠﻋ %s ﺕﻭ %s: %ﻡ" |
4254 | + |
4255 | + Mimic the workaround used for "%s" by reversing the replacement of "%m" at |
4256 | + the end of the sed programs. |
4257 | + |
4258 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4259 | + |
4260 | +2020-03-10 Colin Watson <cjwatson@ubuntu.com> |
4261 | + |
4262 | + gettext: Restore patches to po/Makefile.in.in |
4263 | + These were inadvertently lost during the conversion to Gnulib (gnulib: |
4264 | + Upgrade Gnulib and switch to bootstrap tool; commit 35b909062). The |
4265 | + files in po/gettext-patches/ can be imported using "git am" on top of |
4266 | + the gettext tag corresponding to AM_GNU_GETTEXT_VERSION in configure.ac |
4267 | + (currently 0.18.3). They handle translation of messages in shell files, |
4268 | + make msgfmt output in little-endian format, and arrange to use @SHELL@ |
4269 | + rather than /bin/sh. |
4270 | + |
4271 | + There were some changes solely for the purpose of distributing extra |
4272 | + files; for ease of maintenance, I've added these to |
4273 | + conf/Makefile.extra-dist instead. |
4274 | + |
4275 | + Fixes: https://savannah.gnu.org/bugs/?57298 |
4276 | + |
4277 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4278 | + |
4279 | +2020-02-28 Peter Jones <pjones@redhat.com> |
4280 | + |
4281 | + misc: Make grub_strtol() "end" pointers have safer const qualifiers |
4282 | + Currently the string functions grub_strtol(), grub_strtoul(), and |
4283 | + grub_strtoull() don't declare the "end" pointer in such a way as to |
4284 | + require the pointer itself or the character array to be immutable to the |
4285 | + implementation, nor does the C standard do so in its similar functions, |
4286 | + though it does require us not to change any of it. |
4287 | + |
4288 | + The typical declarations of these functions follow this pattern: |
4289 | + |
4290 | + long |
4291 | + strtol(const char * restrict nptr, char ** restrict endptr, int base); |
4292 | + |
4293 | + Much of the reason for this is historic, and a discussion of that |
4294 | + follows below, after the explanation of this change. (GRUB currently |
4295 | + does not include the "restrict" qualifiers, and we name the arguments a |
4296 | + bit differently.) |
4297 | + |
4298 | + The implementation is semantically required to treat the character array |
4299 | + as immutable, but such accidental modifications aren't stopped by the |
4300 | + compiler, and the semantics for both the callers and the implementation |
4301 | + of these functions are sometimes also helped by adding that requirement. |
4302 | + |
4303 | + This patch changes these declarations to follow this pattern instead: |
4304 | + |
4305 | + long |
4306 | + strtol(const char * restrict nptr, |
4307 | + const char ** const restrict endptr, |
4308 | + int base); |
4309 | + |
4310 | + This means that if any modification to these functions accidentally |
4311 | + introduces either an errant modification to the underlying character |
4312 | + array, or an accidental assignment to endptr rather than *endptr, the |
4313 | + compiler should generate an error. (The two uses of "restrict" in this |
4314 | + case basically mean strtol() isn't allowed to modify the character array |
4315 | + by going through *endptr, and endptr isn't allowed to point inside the |
4316 | + array.) |
4317 | + |
4318 | + It also means the typical use case changes to: |
4319 | + |
4320 | + char *s = ...; |
4321 | + const char *end; |
4322 | + long l; |
4323 | + |
4324 | + l = strtol(s, &end, 10); |
4325 | + |
4326 | + Or even: |
4327 | + |
4328 | + const char *p = str; |
4329 | + while (p && *p) { |
4330 | + long l = strtol(p, &p, 10); |
4331 | + ... |
4332 | + } |
4333 | + |
4334 | + This fixes 26 places where we discard our attempts at treating the data |
4335 | + safely by doing: |
4336 | + |
4337 | + const char *p = str; |
4338 | + long l; |
4339 | + |
4340 | + l = strtol(p, (char **)&ptr, 10); |
4341 | + |
4342 | + It also adds 5 places where we do: |
4343 | + |
4344 | + char *p = str; |
4345 | + while (p && *p) { |
4346 | + long l = strtol(p, (const char ** const)&p, 10); |
4347 | + ... |
4348 | + /* more calls that need p not to be pointer-to-const */ |
4349 | + } |
4350 | + |
4351 | + While moderately distasteful, this is a better problem to have. |
4352 | + |
4353 | + With one minor exception, I have tested that all of this compiles |
4354 | + without relevant warnings or errors, and that /much/ of it behaves |
4355 | + correctly, with gcc 9 using 'gcc -W -Wall -Wextra'. The one exception |
4356 | + is the changes in grub-core/osdep/aros/hostdisk.c , which I have no idea |
4357 | + how to build. |
4358 | + |
4359 | + Because the C standard defined type-qualifiers in a way that can be |
4360 | + confusing, in the past there's been a slow but fairly regular stream of |
4361 | + churn within our patches, which add and remove the const qualifier in many |
4362 | + of the users of these functions. This change should help avoid that in |
4363 | + the future, and in order to help ensure this, I've added an explanation |
4364 | + in misc.h so that when someone does get a compiler warning about a type |
4365 | + error, they have the fix at hand. |
4366 | + |
4367 | + The reason we don't have "const" in these calls in the standard is |
4368 | + purely anachronistic: C78 (de facto) did not have type qualifiers in the |
4369 | + syntax, and the "const" type qualifier was added for C89 (I think; it |
4370 | + may have been later). strtol() appears to date from 4.3BSD in 1986, |
4371 | + which means it could not be added to those functions in the standard |
4372 | + without breaking compatibility, which is usually avoided. |
4373 | + |
4374 | + The syntax chosen for type qualifiers is what has led to the churn |
4375 | + regarding usage of const, and is especially confusing on string |
4376 | + functions due to the lack of a string type. Quoting from C99, the |
4377 | + syntax is: |
4378 | + |
4379 | + declarator: |
4380 | + pointer[opt] direct-declarator |
4381 | + direct-declarator: |
4382 | + identifier |
4383 | + ( declarator ) |
4384 | + direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ] |
4385 | + ... |
4386 | + direct-declarator [ type-qualifier-list[opt] * ] |
4387 | + ... |
4388 | + pointer: |
4389 | + * type-qualifier-list[opt] |
4390 | + * type-qualifier-list[opt] pointer |
4391 | + type-qualifier-list: |
4392 | + type-qualifier |
4393 | + type-qualifier-list type-qualifier |
4394 | + ... |
4395 | + type-qualifier: |
4396 | + const |
4397 | + restrict |
4398 | + volatile |
4399 | + |
4400 | + So the examples go like: |
4401 | + |
4402 | + const char foo; // immutable object |
4403 | + const char *foo; // mutable pointer to object |
4404 | + char * const foo; // immutable pointer to mutable object |
4405 | + const char * const foo; // immutable pointer to immutable object |
4406 | + const char const * const foo; // XXX extra const keyword in the middle |
4407 | + const char * const * const foo; // immutable pointer to immutable |
4408 | + // pointer to immutable object |
4409 | + const char ** const foo; // immutable pointer to mutable pointer |
4410 | + // to immutable object |
4411 | + |
4412 | + Making const left-associative for * and right-associative for everything |
4413 | + else may not have been the best choice ever, but here we are, and the |
4414 | + inevitable result is people using trying to use const (as they should!), |
4415 | + putting it at the wrong place, fighting with the compiler for a bit, and |
4416 | + then either removing it or typecasting something in a bad way. I won't |
4417 | + go into describing restrict, but its syntax has exactly the same issue |
4418 | + as with const. |
4419 | + |
4420 | + Anyway, the last example above actually represents the *behavior* that's |
4421 | + required of strtol()-like functions, so that's our choice for the "end" |
4422 | + pointer. |
4423 | + |
4424 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4425 | + |
4426 | +2020-02-28 Mike Gilbert <floppym@gentoo.org> |
4427 | + |
4428 | + build: Disable PIE in TARGET_CCASFLAGS if needed |
4429 | + PIE should be disabled in assembly sources as well, or else GRUB will |
4430 | + fail to boot. |
4431 | + |
4432 | + Bug: https://bugs.gentoo.org/667852 |
4433 | + |
4434 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4435 | + Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> |
4436 | + |
4437 | +2020-02-28 Mike Gilbert <floppym@gentoo.org> |
4438 | + |
4439 | + build: Move TARGET_* assignments earlier |
4440 | + On a 32-bit SPARC userland, configure fails to compile assembly and the |
4441 | + build fails: |
4442 | + |
4443 | + checking for options to compile assembly... configure: error: could not compile assembly |
4444 | + |
4445 | + config.log shows: |
4446 | + |
4447 | + asm-tests/sparc64.S: Assembler messages: |
4448 | + asm-tests/sparc64.S:5: Error: Architecture mismatch on "lduw [%o4+4],%o4". |
4449 | + asm-tests/sparc64.S:5: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) |
4450 | + asm-tests/sparc64.S:7: Error: Architecture mismatch on "stw %o5,[%o3]". |
4451 | + asm-tests/sparc64.S:7: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) |
4452 | + asm-tests/sparc64.S:8: Error: Architecture mismatch on "bne,pt %icc,1b ,pt %icc,1b". |
4453 | + asm-tests/sparc64.S:8: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) |
4454 | + |
4455 | + Simply moving these blocks earlier in configure.ac is sufficient to |
4456 | + ensure that the tests are executed with the appropriate flags |
4457 | + (specifically -m64 in this case). |
4458 | + |
4459 | + Bug: https://bugs.gentoo.org/667850 |
4460 | + |
4461 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4462 | + Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> |
4463 | + |
4464 | +2020-02-28 Patrick Steinhardt <ps@pks.im> |
4465 | + |
4466 | + luks2: Add missing newline to debug message |
4467 | + The debug message printed when decryption with a keyslot fails is |
4468 | + missing its trailing newline. Add it to avoid mangling it with |
4469 | + subsequent output. |
4470 | + |
4471 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4472 | + |
4473 | +2020-02-18 Michael Chang <mchang@suse.com> |
4474 | + |
4475 | + verifiers: Fix calling uninitialized function pointer |
4476 | + The necessary check for NULL before use of function ver->close is not |
4477 | + taking place in the failure path. This patch simply adds the missing |
4478 | + check and fixes the problem that GRUB hangs indefinitely after booting |
4479 | + rogue image without valid signature if secure boot is turned on. |
4480 | + |
4481 | + Now it displays like this for booting rogue UEFI image: |
4482 | + |
4483 | + error: bad shim signature |
4484 | + error: you need to load the kernel first |
4485 | + |
4486 | + Press any key to continue... |
4487 | + |
4488 | + and then you can go back to boot menu by pressing any key or after a few |
4489 | + seconds expired. |
4490 | + |
4491 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
4492 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4493 | + |
4494 | +2020-02-18 Peter Jones <pjones@redhat.com> |
4495 | + |
4496 | + grub-editenv: Make grub-editenv chase symlinks including those across devices |
4497 | + The grub-editenv create command will wrongly overwrite /boot/grub2/grubenv |
4498 | + with a regular file if grubenv is a symbolic link. But instead, it should |
4499 | + create a new file in the path the symlink points to. |
4500 | + |
4501 | + This lets /boot/grub2/grubenv be a symlink to /boot/efi/EFI/fedora/grubenv |
4502 | + even when they're different mount points, which allows grub2-editenv to be |
4503 | + the same across platforms (i.e. UEFI vs BIOS). |
4504 | + |
4505 | + For example, in Fedora the GRUB EFI builds have prefix set to /EFI/fedora |
4506 | + (on the EFI System Partition), but for BIOS machine it'll be /boot/grub2 |
4507 | + (which may or may not be its own mountpoint). |
4508 | + |
4509 | + With this patch, on EFI machines we can make /boot/grub2/grubenv a symlink |
4510 | + to /boot/efi/EFI/fedora/grubenv, and the same copy of grub-set-default will |
4511 | + work on both kinds of systems. |
4512 | + |
4513 | + Windows doesn't implement a readlink primitive, so the current behaviour is |
4514 | + maintained for this operating system. |
4515 | + |
4516 | + Reviewed-by: Adam Jackson <ajax@redhat.com> |
4517 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4518 | + |
4519 | +2020-02-18 Peter Jones <pjones@redhat.com> |
4520 | + |
4521 | + grub-editenv: Add grub_util_readlink() |
4522 | + Currently grub-editenv and related tools are not able to follow symbolic |
4523 | + links when finding their config file. For example the grub-editenv create |
4524 | + command will wrongly overwrite a symlink in /boot/grub2/grubenv with a new |
4525 | + regular file, instead of creating a file in the path the symlink points to. |
4526 | + |
4527 | + A following patch will change that and add support in grub-editenv to |
4528 | + follow symbolic links when finding the grub environment variables file. |
4529 | + |
4530 | + Add a grub_util_readlink() helper function that is just a wrapper around |
4531 | + the platform specific function to read the value of a symbolic link. This |
4532 | + helper function will be used by the following patch for grub-editenv. |
4533 | + |
4534 | + The helper function is not added for Windows, since this operating system |
4535 | + doesn't have a primitive to read the contents of a symbolic link. |
4536 | + |
4537 | + Reviewed-by: Adam Jackson <ajax@redhat.com> |
4538 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4539 | + |
4540 | +2020-02-18 Robert Marshall <rmarshall@redhat.com> |
4541 | + |
4542 | + docs: Update info with grub.cfg netboot selection order |
4543 | + Add documentation to the GRUB manual that specifies the order netboot |
4544 | + clients use to select a GRUB configuration file. |
4545 | + |
4546 | + Also explain that the feature is enabled by default but can be disabled |
4547 | + by setting the "feature_net_search_cfg" environment variable to "n" in |
4548 | + an embedded configuration file. |
4549 | + |
4550 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4551 | + |
4552 | +2020-02-18 Paulo Flabiano Smorigo <pfsmorigo@br.ibm.com> |
4553 | + |
4554 | + normal/main: Search for specific config files for netboot |
4555 | + This patch implements a search for a specific configuration when the config |
4556 | + file is on a remoteserver. It uses the following order: |
4557 | + 1) DHCP client UUID option. |
4558 | + 2) MAC address (in lower case hexadecimal with dash separators); |
4559 | + 3) IP (in upper case hexadecimal) or IPv6; |
4560 | + 4) The original grub.cfg file. |
4561 | + |
4562 | + This procedure is similar to what is used by pxelinux and yaboot: |
4563 | + http://www.syslinux.org/wiki/index.php/PXELINUX#config |
4564 | + |
4565 | + It is enabled by default but can be disabled by setting the environment |
4566 | + variable "feature_net_search_cfg" to "n" in an embedded configuration. |
4567 | + |
4568 | + Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=873406 |
4569 | + |
4570 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4571 | + |
4572 | +2020-02-18 Paulo Flabiano Smorigo <pfsmorigo@br.ibm.com> |
4573 | + |
4574 | + net/dhcp: Set net_<interface>_client{id, uuid} variables from DHCP options |
4575 | + This patch sets a net_<interface>_clientid and net_<interface>_clientuuid |
4576 | + GRUB environment variables, using the DHCP client ID and UUID options if |
4577 | + these are found. |
4578 | + |
4579 | + In the same way than net_<interface>_<option> variables are set for other |
4580 | + options such domain name, boot file, next server, etc. |
4581 | + |
4582 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4583 | + |
4584 | +2020-02-18 Javier Martinez Canillas <javierm@redhat.com> |
4585 | + |
4586 | + net/dhcp: Consistently use decimal numbers for DHCP/BOOTP options enum |
4587 | + The DHCP Options and BOOTP Vendor Extensions enum values are a mixture of |
4588 | + decimal and hexadecimal numbers. Change this to consistently use decimal |
4589 | + numbers for all since that is how these values are defined by RFC 2132. |
4590 | + |
4591 | + Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> |
4592 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4593 | + |
4594 | +2020-02-18 Paulo Flabiano Smorigo <pfsmorigo@br.ibm.com> |
4595 | + |
4596 | + kern: Add %X option to printf functions |
4597 | + The printf(3) function has support for the %X format specifier, to output |
4598 | + an unsigned hexadecimal integer in uppercase. |
4599 | + |
4600 | + This can be achived in GRUB using the %x format specifier in grub_printf() |
4601 | + and calling grub_toupper(), but it is more convenient if there is support |
4602 | + for %X in grub_printf(). |
4603 | + |
4604 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4605 | + |
4606 | +2020-02-18 Javier Martinez Canillas <javierm@redhat.com> |
4607 | + |
4608 | + normal: Move common datetime functions out of the normal module |
4609 | + The common datetime helper functions are currently included in the normal |
4610 | + module, but this makes any other module that calls these functions to have |
4611 | + a dependency with the normal module only for this reason. |
4612 | + |
4613 | + Since the normal module does a lot of stuff, it calls functions from other |
4614 | + modules. But since other modules may depend on it for calling the datetime |
4615 | + helpers, this could lead to circular dependencies between modules. |
4616 | + |
4617 | + As an example, when platform == xen the grub_get_datetime() function from |
4618 | + the datetime module calls to the grub_unixtime2datetime() helper function |
4619 | + from the normal module. Which leads to the following module dependency: |
4620 | + |
4621 | + datetime -> normal |
4622 | + |
4623 | + and send_dhcp_packet() from the net module calls the grub_get_datetime() |
4624 | + function, which leads to the following module dependency: |
4625 | + |
4626 | + net -> datetime -> normal |
4627 | + |
4628 | + but that means that the normal module is not allowed to depend on net or |
4629 | + any other module that depends on it due the transitive dependency caused |
4630 | + by datetime. A recent patch attempted to add support to fetch the config |
4631 | + file over the network, which leads to the following circular dependency: |
4632 | + |
4633 | + normal -> net -> datetime -> normal |
4634 | + |
4635 | + So having the datetime helpers in the normal module makes it quite fragile |
4636 | + and easy to add circular dependencies like these, that break the build due |
4637 | + the genmoddep.awk script catching the issues. |
4638 | + |
4639 | + Fix this by taking the datetime helper functions out of the normal module |
4640 | + and instead add them to the datetime module itself. Besides fixing these |
4641 | + issues, it makes more sense to have these helper functions there anyways. |
4642 | + |
4643 | + Reported-by: Daniel Kiper <daniel.kiper@oracle.com> |
4644 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4645 | + |
4646 | +2020-02-11 Peter Jones <pjones@redhat.com> |
4647 | + |
4648 | + minilzo: Update to minilzo-2.08 |
4649 | + This patch updates the miniLZO library to a newer version, which among other |
4650 | + things fixes "CVE-2014-4607 - lzo: lzo1x_decompress_safe() integer overflow" |
4651 | + that is present in the current used in GRUB. |
4652 | + |
4653 | + It also updates the "GRUB Developers Manual", to mention that the library is |
4654 | + used and describes the process to update it to a newer release when needed. |
4655 | + |
4656 | + Resolves: http://savannah.gnu.org/bugs/?42635 |
4657 | + |
4658 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4659 | + |
4660 | +2020-01-28 Peter Jones <pjones@redhat.com> |
4661 | + |
4662 | + squash4: Fix an uninitialized variable |
4663 | + gcc says: |
4664 | + |
4665 | + grub-core/fs/squash4.c: In function ‘direct_read’: |
4666 | + grub-core/fs/squash4.c:868:10: error: ‘err’ may be used uninitialized in |
4667 | + this function [-Werror=maybe-uninitialized] |
4668 | + 868 | if (err) |
4669 | + | ^ |
4670 | + cc1: all warnings being treated as errors |
4671 | + |
4672 | + This patch initializes it to GRUB_ERR_NONE. |
4673 | + |
4674 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4675 | + |
4676 | +2020-01-28 C. Masloch <pushbx@ulukai.org> |
4677 | + |
4678 | + freedos: Fix FreeDOS command booting large files (near or above 64 KiB) |
4679 | + While testing the 86-DOS lDebug [1] booting from GRUB2, newer versions of the |
4680 | + debugger would fail to load when booted using GRUB's freedos command. The |
4681 | + behaviour observed in a qemu i386 machine was that the ROM-BIOS's boot load |
4682 | + would start anew, instead of loading the selected debugger as kernel. |
4683 | + |
4684 | + It came to light that there was a size limit: Kernel files that were 58880 |
4685 | + bytes (E600h) long or shorter succeeded to boot, while files that were 64000 |
4686 | + bytes or longer failed in the manner described. |
4687 | + |
4688 | + Eventually it turned out that the relocator16 stub succeeded whenever it was |
4689 | + placed completely within the first 64 KiB of the Low Memory Area. The chunk |
4690 | + for the relocator is allocated with a minimum address of 0x8010 and a maximum |
4691 | + address just below 0xA0000 [2]. That means if the kernel is, for instance, |
4692 | + E600h bytes long, then the kernel will be allocated memory starting at 00600h |
4693 | + (the fixed FreeDOS kernel load address) up to E600h + 00600h = 0EC00h, which |
4694 | + leaves 1400h (5120) bytes for the relocator to stay in the first 64 KiB. |
4695 | + If the kernel is 64000 bytes (FA00h) long, then the relocator must go to |
4696 | + FA00h + 00600h = 10000h at least which is outside the first 64 KiB. |
4697 | + |
4698 | + The problem is that the relocator16 initialises the DS register with a |
4699 | + "pseudo real mode" descriptor, which is defined with a segment limit of |
4700 | + 64 KiB and a segment base of zero. After that, the relocator addressed |
4701 | + parts of itself (implicitly) using the DS register, with an offset from |
4702 | + ESI, which holds the linear address of the relocator's base [3]. With the |
4703 | + larger kernel files this would lead to accessing data beyond the 64 KiB |
4704 | + segment limit, presumably leading to a fault and perhaps a subsequent |
4705 | + triple-fault or such. |
4706 | + |
4707 | + This patch fixes the relocator to set the segment base of the descriptors |
4708 | + to the base address of the relocator; then, the subsequent accesses to |
4709 | + the relocator's variables are done without the ESI register as an index. |
4710 | + This does not interfere with the relocator's or its target's normal |
4711 | + operation; the segment limits are still loaded with 64 KiB and all the |
4712 | + segment bases are subsequently reset by the relocator anyway. |
4713 | + |
4714 | + Current versions of the debugger to test are uploaded to [4]. The file |
4715 | + ldebugnh.com (LZ4-compressed and built with -D_EXTHELP=0) at 58368 bytes |
4716 | + loads successfully, whereas ldebug.com at 64000 bytes fails. Loading one |
4717 | + of these files requires setting root to a FAT FS partition and using the |
4718 | + freedos command to specify the file as kernel: |
4719 | + |
4720 | + set root='(hd0,msdos1)' |
4721 | + freedos /ldebug.com |
4722 | + boot |
4723 | + |
4724 | + Booting the file using the multiboot command (which uses a WIP entrypoint |
4725 | + of the debugger) works, as it does not use GRUB's relocator16 but instead |
4726 | + includes a loader in the kernel itself, which drops it back to 86 Mode. |
4727 | + |
4728 | + [1]: https://hg.ulukai.org/ecm/ldebug |
4729 | + [2]: http://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/lib/i386/relocator.c?id=495781f5ed1b48bf27f16c53940d6700c181c74c#n127 |
4730 | + [3]: http://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/lib/i386/relocator16.S?id=495781f5ed1b48bf27f16c53940d6700c181c74c#n97 |
4731 | + [4]: https://ulukai.org/ecm/lDebug-5479a7988d21-nohelp.zip |
4732 | + |
4733 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4734 | + |
4735 | +2020-01-10 Patrick Steinhardt <ps@pks.im> |
4736 | + |
4737 | + disk: Implement support for LUKS2 |
4738 | + With cryptsetup 2.0, a new version of LUKS was introduced that breaks |
4739 | + compatibility with the previous version due to various reasons. GRUB |
4740 | + currently lacks any support for LUKS2, making it impossible to decrypt |
4741 | + disks encrypted with that version. This commit implements support for |
4742 | + this new format. |
4743 | + |
4744 | + Note that LUKS1 and LUKS2 are quite different data formats. While they |
4745 | + do share the same disk signature in the first few bytes, representation |
4746 | + of encryption parameters is completely different between both versions. |
4747 | + While the former version one relied on a single binary header, only, |
4748 | + LUKS2 uses the binary header only in order to locate the actual metadata |
4749 | + which is encoded in JSON. Furthermore, the new data format is a lot more |
4750 | + complex to allow for more flexible setups, like e.g. having multiple |
4751 | + encrypted segments and other features that weren't previously possible. |
4752 | + Because of this, it was decided that it doesn't make sense to keep both |
4753 | + LUKS1 and LUKS2 support in the same module and instead to implement it |
4754 | + in two different modules luks and luks2. |
4755 | + |
4756 | + The proposed support for LUKS2 is able to make use of the metadata to |
4757 | + decrypt such disks. Note though that in the current version, only the |
4758 | + PBKDF2 key derival function is supported. This can mostly attributed to |
4759 | + the fact that the libgcrypt library currently has no support for either |
4760 | + Argon2i or Argon2id, which are the remaining KDFs supported by LUKS2. It |
4761 | + wouldn't have been much of a problem to bundle those algorithms with |
4762 | + GRUB itself, but it was decided against that in order to keep down the |
4763 | + number of patches required for initial LUKS2 support. Adding it in the |
4764 | + future would be trivial, given that the code structure is already in |
4765 | + place. |
4766 | + |
4767 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4768 | + |
4769 | +2020-01-10 Patrick Steinhardt <ps@pks.im> |
4770 | + |
4771 | + luks: Move configuration of ciphers into cryptodisk |
4772 | + The luks module contains quite a lot of logic to parse cipher and |
4773 | + cipher-mode strings like aes-xts-plain64 into constants to apply them |
4774 | + to the grub_cryptodisk_t structure. This code will be required by the |
4775 | + upcoming luks2 module, as well, which is why this commit moves it into |
4776 | + its own function grub_cryptodisk_setcipher in the cryptodisk module. |
4777 | + While the strings are probably rather specific to the LUKS modules, it |
4778 | + certainly does make sense that the cryptodisk module houses code to set |
4779 | + up its own internal ciphers instead of hosting that code in the luks |
4780 | + module. |
4781 | + |
4782 | + Except for necessary adjustments around error handling, this commit does |
4783 | + an exact move of the cipher configuration logic from luks.c to |
4784 | + cryptodisk.c. Any behavior changes are unintentional. |
4785 | + |
4786 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4787 | + |
4788 | +2020-01-10 Patrick Steinhardt <ps@pks.im> |
4789 | + |
4790 | + afsplitter: Move into its own module |
4791 | + While the AFSplitter code is currently used only by the luks module, |
4792 | + upcoming support for luks2 will add a second module that depends on it. |
4793 | + To avoid any linker errors when adding the code to both modules because |
4794 | + of duplicated symbols, this commit moves it into its own standalone |
4795 | + module afsplitter as a preparatory step. |
4796 | + |
4797 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4798 | + |
4799 | +2020-01-10 Patrick Steinhardt <ps@pks.im> |
4800 | + |
4801 | + bootstrap: Add gnulib's base64 module |
4802 | + The upcoming support for LUKS2 disc encryption requires us to include a |
4803 | + parser for base64-encoded data, as it is used to represent salts and |
4804 | + digests. As gnulib already has code to decode such data, we can just |
4805 | + add it to the boostrapping configuration in order to make it available |
4806 | + in GRUB. |
4807 | + |
4808 | + The gnulib module makes use of booleans via the <stdbool.h> header. As |
4809 | + GRUB does not provide any POSIX wrapper header for this, but instead |
4810 | + implements support for bool in <sys/types.h>, we need to patch |
4811 | + base64.h to not use <stdbool.h> anymore. We unfortunately cannot include |
4812 | + <sys/types.h> instead, as it would then use gnulib's internal header |
4813 | + while compiling the gnulib object but our own <sys/types.h> when |
4814 | + including it in a GRUB module. Because of this, the patch replaces the |
4815 | + include with a direct typedef. |
4816 | + |
4817 | + A second fix is required to make available _GL_ATTRIBUTE_CONST, which |
4818 | + is provided by the configure script. As base64.h does not include |
4819 | + <config.h>, it is thus not available and results in a compile error. |
4820 | + This is fixed by adding an include of <config-util.h>. |
4821 | + |
4822 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4823 | + |
4824 | +2020-01-10 Patrick Steinhardt <ps@pks.im> |
4825 | + |
4826 | + json: Implement wrapping interface |
4827 | + While the newly added jsmn library provides the parsing interface, it |
4828 | + does not provide any kind of interface to act on parsed tokens. Instead, |
4829 | + the caller is expected to handle pointer arithmetics inside of the token |
4830 | + array in order to extract required information. While simple, this |
4831 | + requires users to know some of the inner workings of the library and is |
4832 | + thus quite an unintuitive interface. |
4833 | + |
4834 | + This commit adds a new interface on top of the jsmn parser that provides |
4835 | + convenience functions to retrieve values from the parsed json type, grub_json_t. |
4836 | + |
4837 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4838 | + |
4839 | +2020-01-10 Patrick Steinhardt <ps@pks.im> |
4840 | + |
4841 | + json: Import upstream jsmn-1.1.0 |
4842 | + The upcoming support for LUKS2 encryption will require a JSON parser to |
4843 | + decode all parameters required for decryption of a drive. As there is |
4844 | + currently no other tool that requires JSON, and as gnulib does not |
4845 | + provide a parser, we need to introduce a new one into the code base. The |
4846 | + backend for the JSON implementation is going to be the jsmn library [1]. |
4847 | + It has several benefits that make it a very good fit for inclusion in |
4848 | + GRUB: |
4849 | + |
4850 | + - It is licensed under MIT. |
4851 | + - It is written in C89. |
4852 | + - It has no dependencies, not even libc. |
4853 | + - It is small with only about 500 lines of code. |
4854 | + - It doesn't do any dynamic memory allocation. |
4855 | + - It is testen on x86, amd64, ARM and AVR. |
4856 | + |
4857 | + The library itself comes as a single header, only, that contains both |
4858 | + declarations and definitions. The exposed interface is kind of |
4859 | + simplistic, though, and does not provide any convenience features |
4860 | + whatsoever. Thus there will be a separate interface provided by GRUB |
4861 | + around this parser that is going to be implemented in the following |
4862 | + commit. This change only imports jsmn.h from tag v1.1.0 and adds it |
4863 | + unmodified to a new json module with the following command: |
4864 | + |
4865 | + curl -L https://raw.githubusercontent.com/zserge/jsmn/v1.1.0/jsmn.h \ |
4866 | + -o grub-core/lib/json/jsmn.h |
4867 | + |
4868 | + Upstream jsmn commit hash: fdcef3ebf886fa210d14956d3c068a653e76a24e |
4869 | + Upstream jsmn commit name: Modernize (#149), 2019-04-20 |
4870 | + |
4871 | + [1]: https://github.com/zserge/jsmn |
4872 | + |
4873 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4874 | + |
4875 | +2019-12-20 Lukasz Hawrylko <lukasz.hawrylko@linux.intel.com> |
4876 | + |
4877 | + multiboot2: Set min address for mbi allocation to 0x1000 |
4878 | + In some cases GRUB2 allocates multiboot2 structure at 0 address, that is |
4879 | + a confusing behavior. Consumers of that structure can have internal NULL-checks |
4880 | + that will throw an error when get a pointer to data allocated at address 0. |
4881 | + To prevent that, define min address for mbi allocation on x86 and x86_64 |
4882 | + platforms. |
4883 | + |
4884 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4885 | + |
4886 | +2019-12-20 Paul Menzel <pmenzel@molgen.mpg.de> |
4887 | + |
4888 | + docs: Export "superusers" variable to apply to submenus |
4889 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4890 | + |
4891 | +2019-12-20 Daniel Kiper <daniel.kiper@oracle.com> |
4892 | + |
4893 | + loader/i386/linux: Fix an underflow in the setup_header length calculation |
4894 | + Recent work around x86 Linux kernel loader revealed an underflow in the |
4895 | + setup_header length calculation and another related issue. Both lead to |
4896 | + the memory overwrite and later machine crash. |
4897 | + |
4898 | + Currently when the GRUB copies the setup_header into the linux_params |
4899 | + (struct boot_params, traditionally known as "zero page") it assumes the |
4900 | + setup_header size as sizeof(linux_i386_kernel_header/lh). This is |
4901 | + incorrect. It should use the value calculated accordingly to the Linux |
4902 | + kernel boot protocol. Otherwise in case of pretty old kernel, to be |
4903 | + exact Linux kernel boot protocol, the GRUB may write more into |
4904 | + linux_params than it was expected to. Fortunately this is not very big |
4905 | + issue. Though it has to be fixed. However, there is also an underflow |
4906 | + which is grave. It happens when |
4907 | + |
4908 | + sizeof(linux_i386_kernel_header/lh) > "real size of the setup_header". |
4909 | + |
4910 | + Then len value wraps around and grub_file_read() reads whole kernel into |
4911 | + the linux_params overwriting memory past it. This leads to the GRUB |
4912 | + memory allocator breakage and finally to its crash during boot. |
4913 | + |
4914 | + The patch fixes both issues. Additionally, it moves the code not related to |
4915 | + grub_memset(linux_params)/grub_memcpy(linux_params)/grub_file_read(linux_params) |
4916 | + section outside of it to not confuse the reader. |
4917 | + |
4918 | + Fixes: e683cfb0cf5 (loader/i386/linux: Calculate the setup_header length) |
4919 | + |
4920 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
4921 | + Reviewed-by: Ross Philipson <ross.philipson@oracle.com> |
4922 | + Reviewed-by: Krystian Hebel <krystian.hebel@3mdeb.com> |
4923 | + |
4924 | +2019-12-06 David Sterba <dave@jikos.cz> |
4925 | + |
4926 | + btrfs: Add support for new RAID1C34 profiles |
4927 | + New 3- and 4-copy variants of RAID1 were merged into Linux kernel 5.5. |
4928 | + Add the two new profiles to the list of recognized ones. As this builds |
4929 | + on the same code as RAID1, only the redundancy level needs to be |
4930 | + adjusted, the rest is done by the existing code. |
4931 | + |
4932 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4933 | + |
4934 | +2019-12-06 Lenny Szubowicz <lszubowi@redhat.com> |
4935 | + |
4936 | + tftp: Normalize slashes in TFTP paths |
4937 | + Some TFTP servers do not handle multiple consecutive slashes correctly. |
4938 | + This patch avoids sending TFTP requests with non-normalized paths. |
4939 | + |
4940 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4941 | + |
4942 | +2019-11-18 Michael Chang <MChang@suse.com> |
4943 | + |
4944 | + grub-editenv: Warn a user against editing environment block |
4945 | + The environment block is a preallocated 1024-byte file which serves as |
4946 | + persistent storage for environment variables. It has its own format |
4947 | + which is sensitive to corruption if an editor does not know how to |
4948 | + process it. Besides that the editor may inadvertently change grubenv |
4949 | + file size and/or make it sparse which can lead to unexpected results. |
4950 | + |
4951 | + This patch adds a message to the grubenv file to warn a user against |
4952 | + editing it by tools other than grub-editenv. |
4953 | + |
4954 | + Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> |
4955 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4956 | + |
4957 | +2019-11-18 Michael Chang <MChang@suse.com> |
4958 | + |
4959 | + hostdisk: Set linux file descriptor to O_CLOEXEC as default |
4960 | + We are often bothered by this sort of lvm warning while running grub-install |
4961 | + every now and then: |
4962 | + |
4963 | + File descriptor 4 (/dev/vda1) leaked on vgs invocation. Parent PID 1991: /usr/sbin/grub2-install |
4964 | + |
4965 | + The requirement related to the warning is dictated in the lvm man page: |
4966 | + |
4967 | + "On invocation, lvm requires that only the standard file descriptors stdin, |
4968 | + stdout and stderr are available. If others are found, they get closed and |
4969 | + messages are issued warning about the leak. This warning can be suppressed by |
4970 | + setting the environment variable LVM_SUPPRESS_FD_WARNINGS." |
4971 | + |
4972 | + While it could be disabled through settings, most Linux distributions seem to |
4973 | + enable it by default and the justification provided by the developer looks to |
4974 | + be valid to me: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466138#15 |
4975 | + |
4976 | + Rather than trying to close and reopen the file descriptor to the same file |
4977 | + multiple times, which is rather cumbersome, for the sake of no vgs invocation |
4978 | + could happen in between. This patch enables the close-on-exec flag (O_CLOEXEC) |
4979 | + for new file descriptor returned by the open() system call, making it closed |
4980 | + thus not inherited by the child process forked and executed by the exec() |
4981 | + family of functions. |
4982 | + |
4983 | + Fixes Debian bug #466138. |
4984 | + |
4985 | + Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
4986 | + |
4987 | +2019-10-28 Eli Schwartz <eschwartz@archlinux.org> |
4988 | + |
4989 | + grub-mkconfig: Use portable "command -v" to detect installed programs |
4990 | + The "which" utility is not guaranteed to be installed either, and if it |
4991 | + is, its behavior is not portable either. |
4992 | + |
4993 | + Conversely, the "command -v" shell builtin is required to exist in all |
4994 | + POSIX 2008 compliant shells, and is thus guaranteed to work everywhere. |
4995 | + |
4996 | + Examples of open-source shells likely to be installed as /bin/sh on |
4997 | + Linux, which implement the 11-year-old standard: ash, bash, busybox, |
4998 | + dash, ksh, mksh and zsh. |
4999 | + |
5000 | + A side benefit of using the POSIX portable option is that it requires |