X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=ChangeLog;h=434754f594e7f19a4872e36cf67308311b7d269d;hb=HEAD;hp=6b35a5c2b1db35a870f221fee65c5a9f18dc5d5e;hpb=0f1f95c7b7bc72cfbeea2f6dc5986855738ad96d;p=grub2.git diff --git a/ChangeLog b/ChangeLog index 6b35a5c2b..434754f59 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,55182 +1,13098 @@ -2014-09-21 Valentin Dornauer +2021-06-08 Daniel Kiper - The AML parser implements only a small subset of possible AML - opcodes. On the Fujitsu Lifebook E744 this and another bug in - the parser (incorrect handling of TermArg data types) would lead - to the laptop not turning off (_S5 not found). + Release 2.06 - * grub-core/commands/acpihalt.c: Support OpAlias in the AML parser; - in skip_ext_op(), handle some Type2Opcodes more correctly (TermArgs - aren't always simply strings!); Add function to skip TermArgs - * include/grub/acpi.h: Add new opcodes +2021-06-08 Daniel Kiper -2014-09-21 Vladimir Serbinenko + SECURITY: Add SECURITY file + The SECURITY file describes the GRUB project security policy. - * grub-core/normal/main.c: Don't drop to rescue console in - case of password-protected prompt and no menu entries. + It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md -2014-09-21 Vladimir Serbinenko +2021-06-08 Daniel Kiper - * grub-core/commands/keylayouts.c: Ignore unknown keys. + MAINTAINERS: Add MAINTAINERS file + The MAINTAINERS file provides basic information about the GRUB project + and its maintainers. -2014-09-21 Vladimir Serbinenko +2021-06-01 Dimitri John Ledkov - * grub-core/gmodule.pl.in: Accept newer binutils which output - empty column rather than 0x0. + grub-install: Add backup and restore + Refactor clean_grub_dir() to create a backup of all the files, instead + of just irrevocably removing them as the first action. If available, + register atexit() handler to restore the backup if errors occur before + point of no return, or remove the backup if everything was successful. + If atexit() is not available, the backup remains on disk for manual + recovery. -2014-09-21 Michael Chang + Some platforms defined a point of no return, i.e. after modules & core + images were updated. Failures from any commands after that stage are + ignored, and backup is cleaned up. 
For example, on EFI platforms update + is not reverted when efibootmgr fails. - * grub-core/osdep/unix/config.c: Remove extraneous comma. + Extra care is taken to ensure atexit() handler is only invoked by the + parent process and not any children forks. Some older GRUB codebases + can invoke parent atexit() hooks from forks, which can mess up the + backup. -2014-09-21 Peter Jones + This allows safer upgrades of MBR & modules, such that + modules/images/fonts/translations are consistent with MBR in case of + errors. For example accidental grub-install /dev/non-existent-disk + currently clobbers and upgrades modules in /boot/grub, despite not + actually updating any MBR. - * grub-core/loader/arm/linux.c: Initialized initrd_ctx so - we don't free a random pointer from the stack. - * grub-core/loader/arm64/linux.c: Likewise. - * grub-core/loader/i386/linux.c: Likewise. - * grub-core/loader/i386/pc/linux.c: Likewise. - * grub-core/loader/ia64/efi/linux.c: Likewise. - * grub-core/loader/mips/linux.c: Likewise. - * grub-core/loader/powerpc/ieee1275/linux.c: Likewise. - * grub-core/loader/sparc64/ieee1275/linux.c: Likewise. + This patch only handles backup and restore of files copied to /boot/grub. + This patch does not perform backup (or restoration) of MBR itself or + blocklists. Thus when installing i386-pc platform, corruption may still + occur with MBR and blocklists which will not be attempted to be + automatically recovered. -2014-09-15 Khem Raj + Also add modinfo.sh and *.efi to the cleanup/backup/restore code path, + to ensure it is also cleaned, backed up and restored. - * grub-core/kern/emu/hostfs.c: use _DEFAULT_SOURCE in addition to - _BSD_SOURCE to avoid warnings under glibc 2.20+. + Reviewed-by: Daniel Kiper -2014-09-08 Michael Chang +2021-06-01 Dimitri John Ledkov - * grub-core/fs/btrfs.c (grub_btrfs_extent_read): Fix extent size - check; comparing &data->extent against addresses in the region it - points to is unpredictable. 
+ osdep/unix/exec: Avoid atexit() handlers when child execvp() fails + The functions grub_util_exec_pipe() and grub_util_exec_pipe_stderr() + currently call execvp(). If the call fails for any reason, the child + currently calls exit(127). This in turn executes the parents + atexit() handlers from the forked child, and then the same handlers + are called again from parent. This is usually not desired, and can + lead to deadlocks, and undesired behavior. So, change the exit() calls + to _exit() calls to avoid calling atexit() handlers from child. -2014-09-07 Colin Watson + Fixes: e75cf4a58 (unix exec: avoid atexit handlers when child exits) - Support grub-emu on x32 (ILP32 but with x86-64 instruction set) + Reviewed-by: Daniel Kiper - * configure.ac: Remove -m64 from checks for -mcmodel=large and - -mno-red-zone. These are always either unnecessary (x86_64-emu) or - already in TARGET_CFLAGS at this point, and they produce incorrect - results when building for x32. - * grub-core/kern/x86_64/dl.c (grub_arch_dl_relocate_symbols): Cast - pointers to Elf64_Xword via grub_addr_t, in order to work on x32. - * include/grub/x86_64/types.h (GRUB_TARGET_SIZEOF_VOID_P, - GRUB_TARGET_SIZEOF_LONG): Define to 4 on x32. +2021-06-01 Jan (janneke) Nieuwenhuizen -2014-09-07 Colin Watson + lib/i386/relocator64: Build fixes for i386 + This fixes cross-compiling to x86 (e.g., the Hurd) from x86-linux of - * configure.ac: Remove several unnecessary semicolons. + grub-core/lib/i386/relocator64.S -2014-08-25 Colin Watson + This file has six sections that only build with a 64-bit assembler, + yet only the first two sections had support for a 32-bit assembler. + This patch completes this for the remaining sections. - * grub-core/kern/mips/arc/init.c (grub_machine_get_bootlocation): - Initialise pend to pacify GCC. 
+ To reproduce, update the GRUB source description in your local Guix + archive and run -2014-08-14 Andrey Borzenkov + ./pre-inst-env guix build --system=i686-linux --target=i586-pc-gnu grub - * util/grub-mkconfig.in: Fix typo (gettext_print instead of - gettext_printf). + or install an x86 cross-build environment on x86-linux (32-bit!) and + configure to cross build and make, e.g., do something like -2014-08-13 Vladimir Serbinenko + ./configure \ + CC_FOR_BUILD=gcc \ + --build=i686-unknown-linux-gnu \ + --host=i586-pc-gnu + make - * grub-core/term/at_keyboard.c: Retry probing keyboard if - scancode setup failed. + Additionally, remove a line with redundant spaces. -2014-08-10 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/disk_common.c: Clump disk size to 1EiB. +2021-06-01 Javier Martinez Canillas -2014-08-10 Vladimir Serbinenko + fs/xfs: Add needsrepair incompat feature support + The XFS now has an incompat feature flag to indicate that a filesystem + needs to be repaired. The Linux kernel refuses to mount the filesystem + that has it set and only the xfs_repair tool is able to clear that flag. - * grub-core/disk/i386/pc/biosdisk.c (grub_biosdisk_rw): Add - safety to avoid triggerring VirtualBox bug. + The GRUB doesn't have the concept of mounting filesystems and just + attempts to read the files. But it does some sanity checking before + attempting to read from the filesystem. Among the things which are tested, + is if the super block only has set of incompatible features flags that + are supported by GRUB. If it contains any flags that are not listed as + supported, reading the XFS filesystem fails. -2014-08-10 Vladimir Serbinenko + Since the GRUB doesn't attempt to detect if the filesystem is inconsistent + nor replays the journal, the filesystem access is a best effort. For this + reason, ignore if the filesystem needs to be repaired and just print a debug + message. 
That way, if reading or booting fails later, the user is able to + figure out that the failures can be related to broken XFS filesystem. - * grub-core/fs/cbfs.c: Don't probe disks of unknow size. + Suggested-by: Eric Sandeen + Reviewed-by: Daniel Kiper - Fixes hang on virtualbox. +2021-06-01 Carlos Maiolino -2014-07-08 Colin Watson + fs/xfs: Add bigtime incompat feature support + The XFS filesystem supports a bigtime feature to overcome y2038 problem. + This patch makes the GRUB able to support the XFS filesystems with this + feature enabled. - * util/grub.d/10_hurd.in: Make kernel list progression not fail on - kernels whose paths contain regex metacharacters. - * util/grub.d/10_kfreebsd.in: Likewise. - * util/grub.d/10_linux.in: Likewise. - * util/grub.d/20_linux_xen.in: Likewise. + The XFS counter for the bigtime enabled timestamps starts at 0, which + translates to GRUB_INT32_MIN (Dec 31 20:45:52 UTC 1901) in the legacy + timestamps. The conversion to Unix timestamps is made before passing the + value to other GRUB functions. - Reported by: Heimo Stranner. + For this to work properly, GRUB requires an access to flags2 field in the + XFS ondisk inode. So, the grub_xfs_inode structure has been updated to + cover full ondisk inode. -2014-06-26 Colin Watson + Reviewed-by: Daniel Kiper - * docs/grub-dev.texi (Finding your way around): The build system no - longer uses AutoGen directly. +2021-06-01 Carlos Maiolino -2014-06-21 Роман Пехов + fs: Use 64-bit type for filesystem timestamp + Some filesystems nowadays use 64-bit types for timestamps. So, update + grub_dirhook_info struct to use an grub_int64_t type to store mtime. + This also updates the grub_unixtime2datetime() function to receive + a 64-bit timestamp argument and do 64-bit-safe divisions. - * grub-core/commands/loadenv.c (check_blocklists): Fix overlap check. + All the remaining conversion from 32-bit to 64-bit should be safe, as + 32-bit to 64-bit attributions will be implicitly casted. 
The most + critical part in the 32-bit to 64-bit conversion is in the function + grub_unixtime2datetime() where it needs to deal with the 64-bit type. + So, for that, the grub_divmod64() helper has been used. -2014-06-21 Glenn Washburn + These changes enables the GRUB to support dates beyond y2038. - * util/grub-install.c: Fix handling of --disk-module. + Reviewed-by: Daniel Kiper -2014-06-21 Stephane Rochoy +2021-05-28 Javier Martinez Canillas - * grub-core/loader/i386/bsd.c (grub_netbsd_boot): Pass pointer to - EFI system table. + types: Define PRI{x,d}GRUB_INT{32,64}_T format specifiers + There are already PRI*_T constants defined for unsigned integers but not + for signed integers. Add format specifiers for the latter. -2014-06-21 Stephane Rochoy + Suggested-by: Daniel Kiper + Reviewed-by: Daniel Kiper - * grub-core/commands/efi/lsefisystab.c (grub_cmd_lsefisystab): Show - EFI system table physical address. +2021-05-28 Tianjia Zhang -2014-06-21 Trevor Woerner + kern/efi/sb: Remove duplicate efi_shim_lock_guid variable + The efi_shim_lock_guid local variable and shim_lock_guid global variable + have the same GUID value. Only the latter is retained. - * util/grub-gen-asciih.c (add_glyph): Fix uninitialised variable. + Reviewed-by: Daniel Kiper -2014-06-21 Vladimir Serbinenko +2021-05-10 Javier Martinez Canillas - * grub-core/commands/verify.c (grub_pubkey_open): Trust procfs. + util/mkimage: Fix wrong PE32+ section sizes for some arches + The commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper) + added a helper function to setup PE sections. But it also changed how the + raw data offsets were calculated since all the section sizes are aligned. + However, for some platforms, i.e ia64-efi and arm64-efi, the kernel image + size is not aligned using the section alignment. This leads to the situation + in which the mods section offset in its PE section header does not match its + real placement in the PE file. 
So, finally the GRUB is not able to locate + and load built-in modules. -2014-06-21 Vladimir Serbinenko + The problem surfaces on ia64-efi and arm64-efi because both platforms + require additional relocation data which is added behind .bss section. + So, we have to add some padding behind this extra data to make the + beginning of mods section properly aligned in the PE file. Fix it by + aligning the kernel_size to the section alignment. That makes the sizes + and offsets in the PE section headers to match relevant sections in the + PE32+ binary file. - * grub-core/commands/verify.c (grub_pubkey_open): Fix memdisk - check. + Reported-by: John Paul Adrian Glaubitz + Tested-by: John Paul Adrian Glaubitz + Reviewed-by: Daniel Kiper -2014-04-20 Vladimir Serbinenko +2021-05-10 Daniel Kiper - * grub-core/kern/misc.c (__bzero): Don't compile in GRUB_UTIL. + term/terminfo: Fix the terminfo command help and documentation + Additionally, fix the terminfo spelling mistake in + the GRUB development documentation. - Reported by: Yves Blusseau . + Reviewed-by: Javier Martinez Canillas -2014-04-20 Piotr Krysiuk +2021-05-10 Daniel Kiper - * grub-core/lib/i386/relocator.c: Allow loading old kernels by placing - GDT in conventional memory. + i18n: Align N_() formatting with the rest of GRUB code + Reviewed-by: Javier Martinez Canillas -2014-04-10 Colin Watson +2021-05-10 Daniel Kiper - * util/grub.d/30_os-prober.in: Tolerate devices with no filesystem - UUID. Other parts of grub-mkconfig tolerate these, they were - previously allowed here up to commit - 55e706c918922def17f5012c23cfe88c4c645208, and they can arise in - practice when the system has active LVM snapshots. - Fixes Ubuntu bug #1287436. + i18n: Format large integers before the translation message - take 2 + This is an additional fix which has been missing from the commit 837fe48de + (i18n: Format large integers before the translation message). 
-2014-04-10 Colin Watson + Reviewed-by: Javier Martinez Canillas - * grub-core/disk/lvm.c (grub_lvm_detect): Search for - "logical_volumes" block a little more accurately. +2021-04-13 Miguel Ángel Arruga Vivas -2014-04-06 Vladimir Serbinenko + i18n: Format large integers before the translation message + The GNU gettext only supports the ISO C99 macros for integral + types. If there is a need to use unsupported formatting macros, + e.g. PRIuGRUB_UINT64_T, according to [1] the number to a string + conversion should be separated from the code printing message + requiring the internationalization. So, the function grub_snprintf() + is used to print the numeric values to an intermediate buffer and + the internationalized message contains a string format directive. - * grub-core/lib/syslinux_parse.c: Fix timeout quoting. + [1] https://www.gnu.org/software/gettext/manual/html_node/Preparing-Strings.html#No-string-concatenation -2014-04-04 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * include/grub/libgcc.h: Remove ctzsi2 and ctzdi2. They're no longer - pulled from libgcc. +2021-04-12 Daniel Axtens -2014-04-04 Vladimir Serbinenko + video/fb/fbfill: Use unsigned integers for width/height + Since commit 7ce3259f67ac (video/fb/fbfill: Fix potential integer + overflow), clang builds of grub-emu have failed with messages like: - Replace few instances of memcmp/memcpy in the code that should be - grub_memcmp/grub_memcpy. + /usr/bin/ld: libgrubmods.a(libgrubmods_a-fbfill.o): in function `grub_video_fbfill_direct24': + fbfill.c:(.text+0x28e): undefined reference to `__muloti4' -2014-04-03 Vladimir Serbinenko + This appears to be due to a weird quirk in how clang compiles - * grub-core/osdep/linux/getroot.c (grub_util_part_to_disk): Support NVMe - device names. + grub_mul(dst->mode_info->bytes_per_pixel, width, &rowskip) -2014-03-31 Thomas Falcon + which is grub_mul(unsigned int, int, &grub_size_t). 
- btrfs: fix get_root key comparison failures due to endianness + It looks like clang somewhere promotes everything to 128-bit maths + before ultimately reducing down to 64 bit for grub_size_t. I think + this is because width is signed, and indeed converting width to an + unsigned int makes the problem go away. - * grub-core/fs/btrfs.c (get_root): Convert - GRUB_BTRFS_ROOT_VOL_OBJECTID to little-endian. + This conversion also makes more sense generally: + - the caller of all the fbfill_directN functions is + grub_video_fb_fill_dispatch() and it takes width and height as + unsigned ints already, + - it doesn't make sense to fill a negative width or height. -2014-03-31 Colin Watson + Convert the width and height arguments and associated loop counters + to unsigned ints. - Fix partmap, cryptodisk, and abstraction handling in grub-mkconfig. + Fixes: 7ce3259f67ac (video/fb/fbfill: Fix potential integer overflow) - Commit 588744d0dc655177d5883bdcb8f72ff5160109ed caused grub-mkconfig - no longer to be forgiving of trailing spaces on grub-probe output - lines, which among other things means that util/grub.d/10_linux.in - no longer detects LVM. To fix this, make grub-probe's output - delimiting more consistent. As a bonus, this improves the coverage - of the -0 option. + Reviewed-by: Daniel Kiper - Fixes Debian bug #735935. +2021-04-12 Glenn Washburn - * grub-core/disk/cryptodisk.c - (grub_util_cryptodisk_get_abstraction): Add a user-data argument. - * grub-core/disk/diskfilter.c (grub_diskfilter_get_partmap): - Likewise. - * include/grub/cryptodisk.h (grub_util_cryptodisk_get_abstraction): - Update prototype. - * include/grub/diskfilter.h (grub_diskfilter_get_partmap): Likewise. - * util/grub-install.c (push_partmap_module, push_cryptodisk_module, - probe_mods): Adjust for extra user-data arguments. - * util/grub-probe.c (do_print, probe_partmap, probe_cryptodisk_uuid, - probe_abstraction): Use configured delimiter. Update callers. 
+ docs: Conform badmem and cutmem description indentations with other commands + Reviewed-by: Daniel Kiper -2014-03-31 Colin Watson + docs: Add note to cryptomount that UUIDs should be specified without dashes + Reviewed-by: Daniel Kiper - * util/grub-probe,c (options): Make -0 work again (broken by - conversion to argp). - (main): Simplify logic. +2021-04-12 Aru Sahni -2014-03-26 Vladimir Serbinenko + templates: Fix user-facing typo with an incorrect use of "it's" + Since the possessive form of "it" is being used, the apostrophe must be omitted. - * grub-core/lib/relocator.c: Fix the case when end of leftover is used. + Reviewed-by: Daniel Kiper -2014-03-26 Fu Wei +2021-04-12 Colin Watson - * grub-core/loader/arm64/linux.c: Remove redundant "0x". + buffer: Sync up out-of-range error message + The messages associated with other similar GRUB_ERR_OUT_OF_RANGE errors + were lacking the trailing full stop. Syncing up the strings saves a small + amount of precious core image space on i386-pc. -2014-02-28 Vladimir Serbinenko + DOWN: obj/i386-pc/grub-core/kernel.img (31740 > 31708) - change: -32 + DOWN: i386-pc core image (biosdisk ext2 part_msdos) (27453 > 27452) - change: -1 + DOWN: i386-pc core image (biosdisk ext2 part_msdos diskfilter mdraid09) (32367 > 32359) - change: -8 - * include/grub/i386/openbsd_bootarg.h: Add addr and frequency fields. - * grub-core/loader/i386/bsd.c (grub_cmd_openbsd): Fill addr field. + Reviewed-by: Daniel Kiper - Suggested by: Markus Müller. +2021-04-12 Glenn Washburn -2014-02-28 Vladimir Serbinenko + usb/usbhub: Use GRUB_USB_MAX_CONF macro instead of literal in hub for maximum configs + Reviewed-by: Daniel Kiper - * grub-core/kern/i386/pc/mmap.c: Fallback to EISA memory map - if E820 failed to return any regions. +2021-04-12 Daniel Drake -2014-02-28 Vladimir Serbinenko + fs/minix: Avoid mistakenly probing ext2 filesystems + The ext2 (and ext3, ext4) filesystems write the number of free inodes to + location 0x410. 
- * grub-core/mmap/i386/uppermem.c (lower_hook) [COREBOOT]: Ignore low - tables for low memory calculations. + On a MINIX filesystem, that same location is used for the MINIX superblock + magic number. -2014-02-28 Vladimir Serbinenko + If the number of free inodes on an ext2 filesystem is equal to any + of the four MINIX superblock magic values plus any multiple of 65536, + GRUB's MINIX filesystem code will probe it as a MINIX filesystem. - * grub-core/loader/i386/multiboot_mbi.c (grub_multiboot_make_mbi): Limit - location to 640K. + In the case of an OS using ext2 as the root filesystem, since there will + ordinarily be some amount of file creation and deletion on every bootup, + it effectively means that this situation has a 1:16384 chance of being hit + on every reboot. -2014-02-28 Vladimir Serbinenko + This will cause GRUB's filesystem probing code to mistakenly identify an + ext2 filesystem as MINIX. This can be seen by e.g. "search --label" + incorrectly indicating that no such ext2 partition with matching label + exists, whereas in fact it does. - * grub-core/kern/i386/coreboot/mmap.c: Filter out 0xa0000-0x100000 - region. + After spotting the rough cause of the issue I was facing here, I borrowed + much of the diagnosis/explanation from meierfra who found and investigated + the same issue in util-linux in 2010: -2014-02-20 Vladimir Serbinenko + https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/518582 - * grub-core/disk/ahci.c: Ignore NPORTS field and rely on PI - exclusively. + This was fixed in util-linux by having the MINIX code check for the + ext2 magic. Do the same here. -2014-02-04 Paulo Flabiano Smorigo + Reviewed-by: Derek Foreman + Reviewed-by: Daniel Kiper - Add bootpath parser for open firmware. +2021-03-12 Daniel Kiper - It enables net boot even when there is no bootp/dhcp server. + Release 2.06~rc1 - * grub-core/net/drivers/ieee1275/ofnet.c: Add grub_ieee1275_parse_bootpath - and call it at grub_ieee1275_net_config_real. 
- * grub-core/kern/ieee1275/init.c: Add bootpath to - grub_ieee1275_net_config. - * include/grub/ieee1275/ieee1275.h: Likewise. +2021-03-11 Ard Biesheuvel + arm/linux: Fix ARM Linux header layout + The hdr_offset member of the ARM Linux image header appears at + offset 0x3c, matching the PE/COFF spec's placement of the COFF + header offset in the MS-DOS header. We're currently off by four, + so fix that. -2014-02-04 Paulo Flabiano Smorigo + Reviewed-by: Daniel Kiper - Add grub_env_set_net_property function. +2021-03-10 Glenn Washburn - * grub-core/net/bootp.c: Remove set_env_limn_ro. - * grub-core/net/net.c: Add grub_env_set_net_property. - * include/grub/net.h: Likewise. + style: Format string macro should have a space between quotes + Reviewed-by: Daniel Kiper -2014-02-03 Vladimir Serbinenko +2021-03-10 Glenn Washburn - * util/grub-mkrescue.c: Build fix for argp.h with older gcc. + grub/err: Do compile-time format string checking on grub_error() + This should help prevent format string errors and thus improve the quality + of error reporting. -2014-02-03 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * util/grub-mkfont.c: Build fix for argp.h with older gcc. +2021-03-10 Glenn Washburn -2014-01-29 Vladimir Serbinenko + fs/zfs/zfs: Use format code "%llu" for 64-bit uint bp->blk_prop in grub_error() + This is a temporary, less-intrusive change to get the build to success with + compiler format string checking turned on. There is a better fix which + addresses this issue, but it needs more testing. Use this change so that + format string checking on grub_error() can be turned on until the better + change is fully tested. - * grub-core/disk/ahci.c: Increase timeout. Some SSDs take up to - 7 seconds to recover if last poweroff was bad. + Reviewed-by: Daniel Kiper -2014-01-29 Vladimir Serbinenko +2021-03-10 Glenn Washburn - * grub-core/disk/ahci.c: Properly handle transactions with no - transferred data. 
+ fs/hfsplus: Use format code PRIuGRUB_UINT64_T for 64-bit typed fileblock in grub_error() + Reviewed-by: Daniel Kiper -2014-01-29 Vladimir Serbinenko +2021-03-10 Glenn Washburn - * grub-core/disk/ahci.c: Add safety cleanups. + dl/elf: Use format code PRIxGRUB_UINT64_T for 64-bit arg in grub_error() + The macro ELF_R_TYPE does not change the underlying type. Here its argument + is a 64-bit Elf64_Xword. Make sure the format code matches. -2014-01-29 Vladimir Serbinenko + For the RISC-V architecture, rel->r_info could be either Elf32_Xword or + Elf64_Xword depending on if 32 or 64-bit RISC-V is being built. So cast + to 64-bit value regardless. - * grub-core/disk/ahci.c: Allocate and clean space for all possible 32 - slots to avoid pointing to uninited area. + Reviewed-by: Daniel Kiper -2014-01-29 Vladimir Serbinenko +2021-03-10 Glenn Washburn - * grub-core/disk/ahci.c: Do not enable I/O decoding and keep - enabling busmaster for the end. + disk/ata: Use format code PRIxGRUB_UINT64_T for 64-bit uint argument in grub_error() + Reviewed-by: Daniel Kiper -2014-01-29 Vladimir Serbinenko +2021-03-10 Glenn Washburn - * util/grub-mkfont.c: Downgrade warnings about unhandled features - to debug. + loader/i386/pc/linux: Use PRI* macros to get correct format string code across architectures + Also remove casting of format string args so that the architecture dependent + type is preserved. -2014-01-29 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/term/at_keyboard.c: Tolerate missing keyboard. +2021-03-10 Glenn Washburn -2014-01-29 Paulo Flabiano Smorigo + kern/efi/mm: Format string error in grub_error() + The second format string argument, GRUB_EFI_MAX_USABLE_ADDRESS, is a macro + to a number literal. However, depending on what the target architecture, the + type can be 32 or 64 bits. Cast to a 64-bit integer. Also, change the + format string literals "%llx" to use PRIxGRUB_UINT64_T. - * .gitignore: add missing files and .exe variants. 
+ Reviewed-by: Daniel Kiper -2014-01-26 Mike Gilbert +2021-03-10 Glenn Washburn - grub-install: support for partitioned partx loop devices. + commands/pgp: Format code for grub_error() is incorrect + The format code is for a 32-bit int, but the argument, keyid, is declared as + a 64 bit int. The comment above says keyid is 32-bit. I'm not sure if the + comment or declaration is wrong, so force the display of a 64-bit int for now. - * grub-core/osdep/linux/getroot.c (grub_util_part_to_disk): Detect - /dev/loopX as being the parent of /dev/loopXpY. + Reviewed-by: Daniel Kiper -2014-01-26 Vladimir Serbinenko +2021-03-10 Glenn Washburn - * grub-core/term/serial.c (grub_serial_register): Fix invalid free. - Ensure that pointers are inited to NULL and that pointers are not - accessed after free. + grub_error: Use format code PRIuGRUB_SIZE for variables of type grub_size_t + Reviewed-by: Daniel Kiper -2014-01-25 Andrey Borzenkov +2021-03-10 Glenn Washburn - * include/grub/crypto.h: Replace __attribute__ ((format (printf)) with - __attribute__ ((format (__printf__)) to fix compilation under MinGW-w64. - * include/grub/emu/misc.h: ... and here. - * include/grub/err.h: ... and here. - * util/import_gcry.py: ... and here (in files g10lib.h). + disk/dmraid_nvidia: Format string error in grub_error() + The grub_error() has a format string expecting two arguments, but only one + provided. According to the comments in the struct grub_nv_super definition, + the version field looks like a version number where major.minor is encoded + as each a byte in the two-byte short. -2014-01-25 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * util/grub-mkimage.c: Make prefix argument mandatory. +2021-03-10 Glenn Washburn -2014-01-24 Vladimir Serbinenko + video/bochs: grub_error() format string add missing format code + Reviewed-by: Daniel Kiper - Fix several translatable strings. +2021-03-10 Glenn Washburn - Suggested by: D. Prévot. 
+ parttool/msdospart: grub_error() missing format string argument + Its obvious from the error message that the variable named "type" was + accidentally omitted. -2014-01-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * util/grub-install.c: List available targets. +2021-03-10 Glenn Washburn -2014-01-23 Colin Watson + misc: Format string for grub_error() should be a literal + Reviewed-by: Daniel Kiper - * util/grub-install.c (write_to_disk): Add an info message. +2021-03-10 Philip Müller -2014-01-21 Andrey Borzenkov + templates: Properly disable the os-prober by default + This patch does the following: + - really disables os-prober by default in the util/grub-mkconfig.in + by setting GRUB_DISABLE_OS_PROBER to true, + - fixes the logic in the util/grub.d/30_os-prober.in, + - updates the grub_warn() lines. - * Makefile.am: Allow adding extra files to generated Windows ZIP - archive by setting GRUB_WINDOWS_EXTRA_DIST. + Reason for the code shuffling in the util/grub-mkconfig.in: -2014-01-21 Andrey Borzenkov + The default was GRUB_DISABLE_OS_PROBER=false if you don't set + GRUB_DISABLE_OS_PROBER at all. To prevent os-prober from starting we + have to set it by default to true and shuffle GRUB_DISABLE_OS_PROBER to + code section, which is executed by the script. However we still give an + option to the user to overwrite it with false, if he wants to execute + os-prober after all. - * configure.ac: Look for DejaVuSans also in /usr/share/fonts/truetype. - Show detected font path in summary. + Fixes: e3464147 (templates: Disable the os-prober by default) -2014-01-21 Paulo Flabiano Smorigo + Reported-by: Didier Spaier + Reported-by: Lennart Sorensen + Reported-by: John Paul Adrian Glaubitz + Reviewed-by: Daniel Kiper - * grub-core/net/arp.c (grub_net_arp_send_request): Increase network try - interval gradually. - * grub-core/net/icmp6.c (grub_net_icmp6_send_request): Likewise. - * grub-core/net/net.c (grub_net_fs_read_real): Likewise. 
- * grub-core/net/tftp.c (tftp_open): Likewise. - * include/grub/net.h (GRUB_NET_INTERVAL_ADDITION): New define. +2021-03-10 Michael Chang -2014-01-21 Paulo Flabiano Smorigo + kern/efi/sb: Add chainloaded image as shim's verifiable object + While attempting to dual boot Microsoft Windows with UEFI chainloader, + it failed with below error when UEFI Secure Boot was enabled: - * grub-core/net/net.c (receive_packets): Change stop condition to avoid - infinite loops. + error ../../grub-core/kern/verifiers.c:119:verification requested but + nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi. - In net/net.c there is a while (1) that only exits if there is a stop - condition and more then 10 packages or if there is no package received. + It is a regression, as previously it worked without any problem. - If GRUB is idle and enter in this loop, the only condition to leave is - if it doesn't have incoming packages. In a network with heavy traffic - this never happens. + It turns out chainloading PE image has been locked down by commit + 578c95298 (kern: Add lockdown support). However, we should consider it + as verifiable object by shim to allow booting in UEFI Secure Boot mode. + The chainloaded PE image could also have trusted signature created by + vendor with their pubkey cert in db. For that matters it's usage should + not be locked down under UEFI Secure Boot, and instead shim should be + allowed to validate a PE binary signature before running it. -2014-01-19 Colin Watson + Fixes: 578c95298 (kern: Add lockdown support) - * grub-core/osdep/freebsd/hostdisk.c (grub_util_fd_open): Ignore - EPERM when modifying kern.geom.debugflags. It is only a problem for - such things as installing GRUB to the MBR, in which case there'll be - an error later anyway, not for opening files during tests. + Reviewed-by: Daniel Kiper -2014-01-18 Andrey Borzenkov +2021-03-10 Glenn Washburn - * grub-core/Makefile.am: Build grub_emu_init.[ch] from MODULE_FILES - instead of MOD_FILES. 
- * grub-core/genemuinit.sh: Simplify stripping of suffix so it works - both with and without .exe. - * grub-core/genemuinitheader.sh: Same. + disk/pata: Suppress error message "no device connected" + This error message comes from the grub_print_error() in + grub_pata_device_initialize(), which does not pass on the error, and is + raised in check_device(). The function check_device() needs to return this + as an error because check_device() is also used in grub_pata_open(), which + does pass on this error to indicate that the device can not be used. -2014-01-18 Vladimir Serbinenko + This is actually not an error when displayed by grub_pata_device_initialize() + because it just indicates that there are no pata devices seen. This may be + confusing to end users who do not have pata devices yet are loading the + pata module (perhaps implicitly via nativedisk). This also causes unnecessary + output which may need to be accounted for in functional testing. - * util/grub-install.c: Fix a typo. + Instead print to the debug log when check_device() raises this "error" and + pop the error from the error stack. If there is another error on the stack + then print the error stack as those should be real errors. -2014-01-18 Vladimir Serbinenko + Acked-by: Paul Menzel + Reviewed-by: Daniel Kiper - * grub-core/normal/main.c (read_config_file): Buffer config file. - Reduces boot time. +2021-03-10 Yi Zhao -2014-01-18 Andrey Borzenkov + fs/ext2: Fix a file not found error when a symlink filesize is equal to 60 + We encountered a file not found error when the symlink filesize is + equal to 60: - * acinclude.m4 (grub_CHECK_LINK_DIR): Check that we can also remove - symbolic link to directory. It fails in Msys shell on Windows 2003. 
+ $ ls -l initrd + lrwxrwxrwx 1 root root 60 Jan 6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz -2014-01-18 Vladimir Serbinenko + When booting, we got the following error in the GRUB: - * Makefile.am (default_payload.elf): Add modules - multiboot cbmemc linux16 gzio echo help. + error: file `/initrd' not found -2014-01-18 Mike Gilbert + The root cause is that the size of diro->inode.symlink is equal to 60 + and a symlink name has to be terminated with NUL there. So, if the + symlink filesize is exactly 60 then it is also stored in a separate + block rather than in the inode itself. - * Makefile.util.def: Link grub-ofpathname with zfs libs. + Reviewed-by: Daniel Kiper -2014-01-18 Vladimir Serbinenko +2021-03-02 Tianjia Zhang - * grub-core/commands/macbless.c: Rename FILE and DIR to avoid - conflicts. + loader/i386/linux: Do not use grub_le_to_cpu32() for relocatable variable + The relocatable variable is defined as grub_uint8_t. Relevant + member in setup_header structure is also defined as one byte + in Linux boot protocol. By semantic definition it is a bool type. + It is not appropriate to treat it as a four bytes. This patch + fixes the issue. - Reported by: Andrey Borzenkov. + Reviewed-by: Daniel Kiper -2014-01-18 Andrey Borzenkov +2021-03-02 Tianjia Zhang - * include/grub/misc.h: Move macros for compiler features to ... - * include/grub/compiler.h: ... new file. - * include/grub/list.h: Include instead of . - * grub-core/commands/fileXX.c: Include . - * grub-core/efiemu/prepare.c: Include . - * grub-core/loader/i386/xen_file.c: Include . - * grub-core/loader/i386/xen_fileXX.c: Include . - * grub-core/video/capture.c: Include . - * include/grub/command.h: Include . - * include/grub/dl.h: Include . - * include/grub/procfs.h: Include . + loader/i386/linux: Remove redundant code from in grub_cmd_linux() + The preferred_address has been assigned to GRUB_LINUX_BZIMAGE_ADDR + during initialization in grub_cmd_linux(). 
The assignment here + is redundant and should be removed. -2014-01-18 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * configure.ac: Add support for BUILD_EXEEXT and use it ... - * Makefile.am: ... here. - * Makefile.util.def: ... and here. - * grub-core/Makefile.am: ... and here. +2021-03-02 Heinrich Schuchardt -2014-01-18 Andrey Borzenkov + efi: The device-tree must be in EfiACPIReclaimMemory + According to the Embedded Base Boot Requirements (EBBR) specification the + device-tree passed to Linux as a configuration table must reside in + EfiACPIReclaimMemory. - * include/grub/osdep/hostfile_windows.h: Use _W64 instead of - FILE_OFFSET_BITS to differentiate between native MinGW and Mingw W64. + Reviewed-by: Daniel Kiper -2014-01-18 Vladimir Serbinenko +2021-03-02 Heinrich Schuchardt - * grub-core/term/terminfo.c: Recognize keys F1-F12. + commands/efi/lsefisystab: Add short text for EFI_RT_PROPERTIES_TABLE_GUID + UEFI specification 2.8 errata B introduced the EFI_RT_PROPERTIES_TABLE + describing the services available at runtime. -2014-01-18 Andrey Borzenkov + The lsefisystab command is used to display installed EFI configuration + tables. Currently it only shows the GUID but not a short text for the + new table. - * configure.ac: Add support for BUILD_LDFLAGS. - * Makefile.am: Use BUILD_LDFLAGS for build time programs here ... - * grub-core/Makefile.am: ... and here. - * INSTALL: Mention BUILD_LDFLAGS. + Provide a short text for the EFI_RT_PROPERTIES_TABLE_GUID. -2014-01-18 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * util/grub-mount.c: Extend GCC warning workaround to grub-mount. +2021-03-02 Petr Vorel -2014-01-18 Vladimir Serbinenko + docs/luks2: Mention key derivation function support + To give users hint why Argon2, the default in cryptsetup for LUKS2, does + not work. - * grub-core/kern/efi/efi.c: Ensure that the result starts with / - and has no //. 
+ Acked-by: Paul Menzel + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper -2014-01-18 Vladimir Serbinenko +2021-03-02 Derek Foreman - * NEWS: Add few missing entries. + commands/file: Fix array/enum desync + The commit f1957dc8a (RISC-V: Add to build system) added two entries to + the options array, but only 1 entry to the enum. This resulted in + everything after the insertion point being off by one. -2014-01-17 Colin Watson + This broke at least the "file --is-hibernated-hiberfil" command. - * util/grub.d/00_header.in (make_timeout): Use && rather than test - -a. - * util/grub.d/10_windows.in: Likewise. - * util/grub.d/10_netbsd.in (netbsd_load_fs_module): Use || rather - than test -o. - * util/grub.d/30_os-prober.in: Use && rather than test -a, and || - rather than test -o. + Bring the two back in sync by splitting the IS_RISCV_EFI enum entry into + two, as is done for other architectures. -2014-01-17 Colin Watson + Reviewed-by: Daniel Kiper - * grub-core/osdep/freebsd/hostdisk.c (grub_util_fd_open): Remove - redundant preprocessor conditional. +2021-03-02 Marco A Benatto -2014-01-08 Colin Watson + kern/mm: Fix grub_debug_calloc() compilation error + Fix compilation error due to missing parameter to + grub_printf() when MM_DEBUG is defined. - * Makefile.util.def (grub-macbless): Change mansection to 8. + Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available) -2014-01-07 Leif Lindholm + Reviewed-by: Daniel Kiper - * grub-core/loader/arm64/linux.c: correctly set device path end length. +2021-03-02 Alex Burmashev -2014-01-07 Andrey Borzenkov + templates: Disable the os-prober by default + The os-prober is enabled by default what may lead to potentially + dangerous use cases and borderline opening attack vectors. This + patch disables the os-prober, adds warning messages and updates + GRUB_DISABLE_OS_PROBER configuration option documentation. This + way we make it clear that the os-prober usage is not recommended. 
- * util/grub-install.c: Use bootaa64.efi instead of bootaarch64.efi on - arm64 to comply with EFI specification. Also use grubaa64.efi for - consistency. - * util/grub-mkrescue.c: Change to use bootaa64.efi too. + Simplistic nature of this change allows downstream vendors, who + really want os-prober to be enabled out of the box in their + relevant products, easily revert to it's old behavior. -2014-01-07 Andrey Borzenkov + Reported-by: NyankoSec (, https://twitter.com/NyankoSec), + working with SSD Secure Disclosure + Reviewed-by: Daniel Kiper - * include/grub/osdep/hostfile_windows.h: Do not redefine fseeko/ftello - on MinGW-64 when compiling for 32 bits. +2021-03-02 Thomas Frauendorfer | Miray Software -2013-12-30 Andrey Borzenkov + gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label + The gui_progress_bar and gui_label components can display the timeout + value. The format string can be set through a theme file. This patch + adds a validation step to the format string. - * grub-core/Makefile.core.def: strip .eh_frame section for arm64-efi. + If a user loads a theme file into the GRUB without this patch then + a GUI label with the following settings -2013-12-30 Vladimir Serbinenko + + label { + ... + id = "__timeout__" + text = "%s" + } - * NEWS: Add few missing entries. Correct existing ones. + will interpret the current timeout value as string pointer and print the + memory at that position on the screen. It is not desired behavior. -2013-12-28 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Don't abort() on unavailable coreboot tables if not running on coreboot. +2021-03-02 Thomas Frauendorfer | Miray Software -2013-12-28 Andrey Borzenkov + kern/misc: Add function to check printf() format against expected format + The grub_printf_fmt_check() function parses the arguments of an untrusted + printf() format and an expected printf() format and then compares the + arguments counts and arguments types. 
The arguments count in the untrusted + format string must be less or equal to the arguments count in the expected + format string and both arguments types must match. - * grub-core/kern/emu/misc.c: Remove unused error.h; fixes compilation - on mingw. + To do this the parse_printf_arg_fmt() helper function is extended in the + following way: -2013-12-28 Colin Watson + 1. Add a return value to report errors to the grub_printf_fmt_check(). - * NEWS: The cmosclean command in fact dates back to 1.99. Remove - mention of it from 2.02. + 2. Add the fmt_check argument to enable stricter format verification: + - the function expects that arguments definitions are always + terminated by a supported conversion specifier. + - positional parameters, "$", are not allowed, as they cannot be + validated correctly with the current implementation. For example + "%s%1$d" would assign the first args entry twice while leaving the + second one unchanged. + - Return an error if preallocated space in args is too small and + allocation fails for the needed size. The grub_printf_fmt_check() + should verify all arguments. So, if validation is not possible for + any reason it should return an error. + This also adds a case entry to handle "%%", which is the escape + sequence to print "%" character. -2013-12-27 Vladimir Serbinenko + 3. Add the max_args argument to check for the maximum allowed arguments + count in a printf() string. This should be set to the arguments count + of the expected format. Then the parse_printf_arg_fmt() function will + return an error if the arguments count is exceeded. - * grub-core/kern/arm/cache_armv6.S: Remove .arch directive. + The two additional arguments allow us to use parse_printf_arg_fmt() in + printf() and grub_printf_fmt_check() calls. - As these functions are used on pre-ARMv6 CPUs as well we don't want - to make assembler assume that architecture is higher than default one. 
+ When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the + function parse user provided untrusted format string too. So, in + that case it is better to be too strict than too lenient. -2013-12-27 Colin Watson + Reviewed-by: Daniel Kiper - * NEWS: First draft of 2.02 entry. +2021-03-02 Thomas Frauendorfer | Miray Software -2013-12-27 Colin Watson + kern/misc: Add STRING type for internal printf() format handling + Set printf() argument type for "%s" to new type STRING. This is in + preparation for a follow up patch to compare a printf() format string + against an expected printf() format string. - * INSTALL (Cross-compiling the GRUB): Fix some spelling mistakes. - * docs/grub.texi (Getting the source code): Likewise. + For "%s" the corresponding printf() argument is dereferenced as pointer + while all other argument types are defined as integer value. However, + when validating a printf() format it is necessary to differentiate "%s" + from "%p" and other integers. So, let's do that. -2013-12-25 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * grub-core/osdep/windows/platform.c (get_platform): Fix EFI - detection. +2021-03-02 Thomas Frauendorfer | Miray Software -2013-12-24 Vladimir Serbinenko + kern/misc: Split parse_printf_args() into format parsing and va_list handling + This patch is preparing for a follow up patch which will use + the format parsing part to compare the arguments in a printf() + format from an external source against a printf() format with + expected arguments. - * configure.ac: Set version to 2.02~beta2. + Reviewed-by: Daniel Kiper -2013-12-24 Vladimir Serbinenko +2021-03-02 Dimitri John Ledkov - * grub-core/disk/efi/efidisk.c (name_devices): Skip Apple ghosts. 
+ shim_lock: Only skip loading shim_lock verifier with explicit consent + Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock + protocol is found and SB enabled) reintroduced CVE-2020-15705 which + previously only existed in the out-of-tree linuxefi patches and was + fixed as part of the BootHole patch series. -2013-12-24 Andrey Borzenkov + Under Secure Boot enforce loading shim_lock verifier. Allow skipping + shim_lock verifier if SecureBoot/MokSBState EFI variables indicate + skipping validations, or if GRUB image is built with --disable-shim-lock. - * util/grub-probe.c: Improve help message and simplify list handling. + Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock + protocol is found and SB enabled) + Fixes: CVE-2020-15705 + Fixes: CVE-2021-3418 -2013-12-24 Vladimir Serbinenko + Reported-by: Dimitri John Ledkov + Reviewed-by: Daniel Kiper - Fix buffer overflow in grub_efi_print_device_path. +2021-03-02 Dimitri John Ledkov -2013-12-24 Vladimir Serbinenko + grub-install-common: Add --sbat option + Reviewed-by: Daniel Kiper - Show SATA device path. +2021-03-02 Peter Jones -2013-12-24 Vladimir Serbinenko + util/mkimage: Add an option to import SBAT metadata into a .sbat section + Add a --sbat option to the grub-mkimage tool which allows us to import + an SBAT metadata formatted as a CSV file into a .sbat section of the + EFI binary. - Revert grub-file usage in grub-mkconfig. + Reviewed-by: Daniel Kiper -2013-12-24 Vladimir Serbinenko +2021-03-02 Peter Jones - Make newly-created files other than grub.cfg world-readable. + util/mkimage: Refactor section setup to use a helper + Add a init_pe_section() helper function to setup PE sections. This makes + the code simpler and easier to read. -2013-12-24 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * util/grub.d/00_header.in: Improve compatibility with old config. 
+2021-03-02 Peter Jones -2013-12-24 Vladimir Serbinenko + util/mkimage: Improve data_size value calculation + According to "Microsoft Portable Executable and Common Object File Format + Specification", the Optional Header SizeOfInitializedData field contains: - Make rijndael.c respect aliasing rules. + Size of the initialized data section, or the sum of all such sections if + there are multiple data sections. - Trivial backport of dfb4673da8ee52d95e0a62c9f49ca8599943f22e. + Make this explicit by adding the GRUB kernel data size to the sum of all + the modules sizes. The ALIGN_UP() is not required by the PE spec but do + it to avoid alignment issues. -2013-12-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Make grub_util_device_is_mapped_stat available in grub-emu core. +2021-03-02 Peter Jones -2013-12-24 Vladimir Serbinenko + util/mkimage: Reorder PE optional header fields set-up + This makes the PE32 and PE32+ header fields set-up easier to follow by + setting them closer to the initialization of their related sections. - Add -Qn to TARGET_CFLAGS if it's supported. - Fixes compilation on cygwin. + Reviewed-by: Daniel Kiper - Reported by: Andrey Borzenkov. - Suggested by: Andrey Borzenkov. +2021-03-02 Peter Jones -2013-12-24 Vladimir Serbinenko + util/mkimage: Unify more of the PE32 and PE32+ header set-up + There's quite a bit of code duplication in the code that sets the optional + header for PE32 and PE32+. The two are very similar with the exception of + a few fields that have type grub_uint64_t instead of grub_uint32_t. - Save TARGET_CC version in modinfo.sh. + Factor out the common code and add a PE_OHDR() macro that simplifies the + set-up and make the code more readable. - Suggested by: Andrey Borzenkov. + Reviewed-by: Daniel Kiper -2013-12-24 Vladimir Serbinenko +2021-03-02 Peter Jones - Make grub_util_devmapper_part_to_disk and grub_util_find_partition_start - follow the same algorithm to avoid method mismatch. 
Don't assume - DMRAID- UUID to mean full disk but instead check that mapping is linear. + util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff + This change does not impact final result of initialization itself. + However, it eases PE code unification in subsequent patches. -2013-12-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Declare GRUB_EFI_VENDOR_APPLE_GUID. +2021-03-02 Peter Jones -2013-12-24 Vladimir Serbinenko + util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32() + The latter doesn't take into account the target image endianness. There is + a grub_cpu_to_le32_compile_time() but no compile time variant for function + grub_host_to_target32(). So, let's keep using the other one for this case. - Dump type and vendor specific data when printing device path. + Reviewed-by: Daniel Kiper -2013-12-23 Colin Watson +2021-03-02 Javier Martinez Canillas - Update some documentation to refer to Git rather than Bazaar. + util/mkimage: Remove unused code to add BSS section + The code is compiled out so there is no reason to keep it. - * docs/grub.texi (Obtaining and Building GRUB): Refer to Git rather - than Bazaar. - * po/README: Likewise. Fix spelling mistake. + Additionally, don't set bss_size field since we do not add a BSS section. -2013-12-23 Colin Watson + Reviewed-by: Daniel Kiper - Don't distribute config.h. +2021-03-02 Chris Coulson - * Makefile.am (platform_HEADERS): Move to ... - (nodist_platform_HEADERS): ... here. Fixes gettext_strings_test - failure when building from a distributed tarball. + kern/efi: Add initial stack protector implementation + It works only on UEFI platforms but can be quite easily extended to + others architectures and platforms if needed. -2013-12-23 Colin Watson + Reviewed-by: Marco A Benatto + Reviewed-by: Javier Martinez Canillas - * configure.ac: Fix spelling. - * grub-core/commands/parttool.c: Fix grammar. 
- * grub-core/disk/ldm.c: Use consistent capitalisation for "LDM - Embedding Partition". +2021-03-02 Chris Coulson -2013-12-23 Vladimir Serbinenko + kern/parser: Fix a stack buffer overflow + grub_parser_split_cmdline() expands variable names present in the supplied + command line in to their corresponding variable contents and uses a 1 kiB + stack buffer for temporary storage without sufficient bounds checking. If + the function is called with a command line that references a variable with + a sufficiently large payload, it is possible to overflow the stack + buffer via tab completion, corrupt the stack frame and potentially + control execution. - ARM64 support for grub-mkrescue. + Fixes: CVE-2020-27749 -2013-12-23 Vladimir Serbinenko + Reported-by: Chris Coulson + Reviewed-by: Daniel Kiper - Install modinfo.sh to keep build information around. +2021-03-02 Chris Coulson -2013-12-23 Vladimir Serbinenko + kern/buffer: Add variable sized heap buffer + Add a new variable sized heap buffer type (grub_buffer_t) with simple + operations for appending data, accessing the data and maintaining + a read cursor. - * grub-core/modinfo.sh.in: Add build config information. + Reviewed-by: Daniel Kiper -2013-12-23 Vladimir Serbinenko +2021-03-02 Chris Coulson - ARM64 grub-file and grub-mkconfig support. + kern/parser: Refactor grub_parser_split_cmdline() cleanup + Introduce a common function epilogue used for cleaning up on all + return paths, which will simplify additional error handling to be + introduced in a subsequent commit. -2013-12-23 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Remove leftover options defines. +2021-03-02 Chris Coulson -2013-12-23 Vladimir Serbinenko + kern/parser: Introduce terminate_arg() helper + process_char() and grub_parser_split_cmdline() use similar code for + terminating the most recent argument. Add a helper function for this. - * include/grub/arm64/linux.h: Remove leftovers. Add missing prefixes. 
+ Reviewed-by: Daniel Kiper -2013-12-23 Vladimir Serbinenko +2021-03-02 Chris Coulson - * grub-core/loader/arm64/linux.c: Add missing bracket. + kern/parser: Introduce process_char() helper + grub_parser_split_cmdline() iterates over each command line character. + In order to add error checking and to simplify the subsequent error + handling, split the character processing in to a separate function. -2013-12-23 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Add arm64-efi recognition to grub-file. +2021-03-02 Chris Coulson -2013-12-23 Vladimir Serbinenko + kern/parser: Fix a memory leak + The getline() function supplied to grub_parser_split_cmdline() returns + a newly allocated buffer and can be called multiple times, but the + returned buffer is never freed. - Fix ia64-efi recognition in grub-file. + Reviewed-by: Daniel Kiper -2013-12-23 Vladimir Serbinenko +2021-03-02 Daniel Axtens - Recognize raspberry pi kernel in grub-file. + fs/btrfs: Squash some uninitialized reads + We need to check errors before calling into a function that uses the result. -2013-12-23 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Enable cache on ARM U-Boot port. +2021-03-02 Daniel Axtens - Without it the port is reidiculously slow. + fs/btrfs: Validate the number of stripes/parities in RAID5/6 + This prevents a divide by zero if nstripes == nparities, and + also prevents propagation of invalid values if nstripes ends up + less than nparities. -2013-12-23 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Fix ARM cache maintainance. +2021-03-02 Daniel Axtens - More code was converted from ASM to C for easier handling. + disk/lvm: Do not allow a LV to be it's own segment's node's LV + This prevents infinite recursion in the diskfilter verification code. -2013-12-22 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/arm/cache.c (grub_arm_disable_caches_mmu): Use v6 - algorithm on v5. +2021-03-02 Daniel Axtens - Suggested by: Leif Lindholm. 
+ disk/lvm: Sanitize rlocn->offset to prevent wild read + rlocn->offset is read directly from disk and added to the metadatabuf + pointer to create a pointer to a block of metadata. It's a 64-bit + quantity so as long as you don't overflow you can set subsequent + pointers to point anywhere in memory. -2013-12-22 Andrey Borzenkov + Require that rlocn->offset fits within the metadata buffer size. - * util/grub-mkconfig.in: Fix Xen platform conditions. + Reviewed-by: Daniel Kiper -2013-12-22 Andrey Borzenkov +2021-03-02 Daniel Axtens - * util/grub-mkrescue.c: Split single help message string in several - strings used in previous shell version. + disk/lvm: Do not overread metadata + We could reach the end of valid metadata and not realize, leading to + some buffer overreads. Check if we have reached the end and bail. -2013-12-22 Leif Lindholm + Reviewed-by: Daniel Kiper - Add arm64 Linux loader. +2021-03-02 Daniel Axtens -2013-12-22 Leif Lindholm + disk/lvm: Do not crash if an expected string is not found + Clean up a bunch of cases where we could have strstr() fail and lead to + us dereferencing NULL. - Add grub_fdt_create_empty_tree() and grub_fdt_set_prop64(). + We'll still leak memory in some cases (loops don't clean up allocations + from earlier iterations if a later iteration fails) but at least we're + not crashing. -2013-12-22 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Add module loading and parsing boot time checkpoints. +2021-03-02 Daniel Axtens -2013-12-22 Vladimir Serbinenko + disk/lvm: Bail on missing PV list + There's an if block for the presence of "physical_volumes {", but if + that block is absent, then p remains NULL and a NULL-deref will result + when looking for logical volumes. - * grub-core/loader/arm/linux.c: Pass arguments through on ATAG - platforms. - -2013-12-22 Lars Wendler - - * util/grub-mkconfig.in: Skip non-executable files. 
- -2013-12-22 Vladimir Serbinenko - - Workaround buggy timer in raspberry pie by using our own timer - implementation. - -2013-12-22 Vladimir Serbinenko - - * include/grub/arm/uboot/kernel.h (GRUB_KERNEL_MACHINE_HEAP_SIZE): - Increase to 16 MiB to allow loading the whole memdisk. - -2013-12-22 Vladimir Serbinenko - - Fix ARM Linux Loader on non-FDT platforms. - -2013-12-21 Vladimir Serbinenko - - * configure.ac: Choose link format based on host_os on emu. - -2013-12-21 Vladimir Serbinenko - - * grub-core/osdep/unix/getroot.c: Non-unix build fix. - -2013-12-21 Vladimir Serbinenko - - * grub-core/kern/emu/main.c: Build fix for emu. - -2013-12-21 Vladimir Serbinenko - - Build fixes for argp.h with older gcc. - -2013-12-21 Vladimir Serbinenko - - * util/grub-glue-efi.c: Use "universal binary" rather "fat binary" - in strings. - - Suggested by: David Prévot. - -2013-12-21 Vladimir Serbinenko - - * include/grub/crypto.h (grub_crypto_xor): Fix cast-align warning. - -2013-12-21 Vladimir Serbinenko - - Enable -Wformat=2 if it's supported. - -2013-12-21 Vladimir Serbinenko - - * configure.ac: Add -Wmissing-include-dirs -Wmissing-prototypes - -Wmissing-declarations if supported. - -2013-12-21 Vladimir Serbinenko - - * grub-core/commands/macbless.c (grub_mac_bless_inode): Pass inode as - u32 as both HFS and HFS+ have 32-bit inodes. - -2013-12-21 Vladimir Serbinenko - - * include/grub/misc.h (grub_strtol): Fix overflow. - -2013-12-21 Vladimir Serbinenko - - * include/grub/term.h (grub_unicode_estimate_width): Use grub_size_t - as return type in both conditionals. + It doesn't seem like LVM makes sense without physical volumes, so error + out rather than crashing. -2013-12-21 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * include/grub/video.h (grub_video_rgba_color_rgb): Fix prototype - to use uint8_t for color. 
+2021-03-02 Daniel Axtens -2013-12-21 Vladimir Serbinenko + disk/lvm: Don't blast past the end of the circular metadata buffer + This catches at least some OOB reads, and it's possible I suppose that + if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some + OOB writes too (although that hasn't showed up as a crash in fuzzing yet). - * util/misc.c (grub_util_get_image_size): Check for overflow. + It's a bit ugly and I'd appreciate better suggestions. -2013-12-21 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/disk/raid6_recover.c (grub_raid_block_mulx): Use grub_size_t - for size. +2021-03-02 Daniel Axtens -2013-12-21 Vladimir Serbinenko + disk/lvm: Don't go beyond the end of the data we read from disk + We unconditionally trusted offset_xl from the LVM label header, even if + it told us that the PV header/disk locations were way off past the end + of the data we read from disk. - * grub-core/disk/lvm.c: Use grub_size_t for sizes and grub_ssize_t - for pointer difference. + Require that the offset be sane, fixing an OOB read and crash. -2013-12-21 Vladimir Serbinenko + Fixes: CID 314367, CID 314371 - * util/import_gcry.py: Skip sample keys. + Reviewed-by: Daniel Kiper -2013-12-21 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * util/misc.c (grub_qsort_strcmp): Don't discard const attribute. + io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails + If huft_build() fails, gzio->tl or gzio->td could contain pointers that + are no longer valid. Zero them out. -2013-12-21 Vladimir Serbinenko + This prevents a double free when grub_gzio_close() comes through and + attempts to free them again. - * configure.ac: Remove duplicate warning arguments. + Reviewed-by: Daniel Kiper -2013-12-21 Vladimir Serbinenko +2021-03-02 Daniel Axtens - Add missing static qualifiers. + io/gzio: Catch missing values in huft_build() and bail + In huft_build(), "v" is a table of values in order of bit length. 
+ The code later (when setting up table entries in "r") assumes that all + elements of this array corresponding to a code are initialized and less + than N_MAX. However, it doesn't enforce this. -2013-12-21 Vladimir Serbinenko + With sufficiently manipulated inputs (e.g. from fuzzing), there can be + elements of "v" that are not filled. Therefore a lookup into "e" or "d" + will use an uninitialized value. This can lead to an invalid/OOB read on + those values, often leading to a crash. - Add missing includes. + Reviewed-by: Daniel Kiper -2013-12-21 Vladimir Serbinenko +2021-03-02 Daniel Axtens - Inline printf templates when possible to enable format checking. + io/gzio: Add init_dynamic_block() clean up if unpacking codes fails + init_dynamic_block() didn't clean up gzio->tl and td in some error + paths. This left td pointing to part of tl. Then in grub_gzio_close(), + when tl was freed the storage for td would also be freed. The code then + attempts to free td explicitly, performing a UAF and then a double free. -2013-12-21 Vladimir Serbinenko + Explicitly clean up tl and td in the error paths. - * include/grub/crypto.h: Don't discard const attribute. + Reviewed-by: Daniel Kiper -2013-12-21 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * grub-core/net/bootp.c (grub_cmd_dhcpopt): Use snprintf where it - was intended. + io/gzio: Bail if gzio->tl/td is NULL + This is an ugly fix that doesn't address why gzio->tl comes to be NULL. + However, it seems to be sufficient to patch up a bunch of NULL derefs. -2013-12-21 Vladimir Serbinenko + It would be good to revisit this in future and see if we can have + a cleaner solution that addresses some of the causes of the unexpected + NULL pointers. - * grub-core/lib/crypto.c: Don't discard const attribute. + Reviewed-by: Daniel Kiper -2013-12-21 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * grub-core/lib/disk.c: Fix potential overflow. 
+ fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup() + We just introduced an error return in grub_nilfs2_btree_node_lookup(). + Make sure the callers catch it. -2013-12-21 Vladimir Serbinenko + At the same time, make sure that grub_nilfs2_btree_node_lookup() always + inits the index pointer passed to it. - * grub-core/lib/arg.c: Don't discard const attribute. + Reviewed-by: Daniel Kiper -2013-12-21 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * grub-core/kern/dl.c: Don't discard const attribute. + fs/nilfs2: Don't search children if provided number is too large + NILFS2 reads the number of children a node has from the node. Unfortunately, + that's not trustworthy. Check if it's beyond what the filesystem permits and + reject it if so. -2013-12-21 Vladimir Serbinenko + This blocks some OOB reads. I'm not sure how controllable the read is and what + could be done with invalidly read data later on. - * grub-core/kern/disk.c: Fix potential overflow. + Reviewed-by: Daniel Kiper -2013-12-21 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * conf/Makefile.common: Don't include non-existing directory - grub-core/lib/libgcrypt-grub/include. + fs/nilfs2: Reject too-large keys + NILFS2 has up to 7 keys, per the data structure. Do not permit array + indices in excess of that. -2013-12-21 Vladimir Serbinenko + This catches some OOB reads. I don't know how controllable the invalidly + read data is or if that could be used later in the program. - Clarify several translatable messages. + Reviewed-by: Daniel Kiper -2013-12-21 David Prévot +2021-03-02 Daniel Axtens - Correct some translatable strings. + fs/jfs: Catch infinite recursion + It's possible with a fuzzed filesystem for JFS to keep getblk()-ing + the same data over and over again, leading to stack exhaustion. -2013-12-21 Colin Watson + Check if we'd be calling the function with exactly the same data as + was passed in, and if so abort. - * util/grub-mkrescue.c: Rephrase mkrescue description. 
+ I'm not sure what the performance impact of this is and am open to + better ideas. -2013-12-21 Vladimir Serbinenko -2013-12-21 Colin Watson + Reviewed-by: Daniel Kiper - Clarify several translatable messages. +2021-03-02 Daniel Axtens -2013-12-20 Colin Watson + fs/jfs: Limit the extents that getblk() can consider + getblk() implicitly trusts that treehead->count is an accurate count of + the number of extents. However, that value is read from disk and is not + trustworthy, leading to OOB reads and crashes. I am not sure to what + extent the data read from OOB can influence subsequent program execution. - Be more verbose about some configure failures. + Require callers to pass in the maximum number of extents for which + they have storage. -2013-12-20 Colin Watson + Reviewed-by: Daniel Kiper - Fix various build problems on GNU/Hurd. +2021-03-02 Daniel Axtens - * grub-core/osdep/unix/getroot.c (strip_extra_slashes): Move inside - !defined (__GNU__). - (xgetcwd): Likewise. - * include/grub/emu/hostdisk.h (grub_util_hurd_get_disk_info) - [__GNU__]: Add prototype. - * util/getroot.c (grub_util_biosdisk_get_grub_dev) [__GNU__]: Format - long int using %ld rather than %d. + fs/jfs: Do not move to leaf level if name length is negative + Fuzzing JFS revealed crashes where a negative number would be passed + to le_to_cpu16_copy(). There it would be cast to a large positive number + and the copy would read and write off the end of the respective buffers. -2013-12-18 Vladimir Serbinenko + Catch this at the top as well as the bottom of the loop. - * util/grub-install.c: Inform user about install platform. + Reviewed-by: Daniel Kiper -2013-12-18 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * configure.ac: Set version to 2.02~beta1. + fs/sfs: Fix over-read of root object name + There's a read of the name of the root object that assumes that the name + is nul-terminated within the root block. 
This isn't guaranteed - it seems + SFS would require you to read multiple blocks to get a full name in general, + but maybe that doesn't apply to the root object. -2013-12-18 Allen Pais -2013-12-18 Bob Picco + Either way, figure out how much space is left in the root block and don't + over-read it. This fixes some OOB reads. - * grub-core/boot/sparc64/ieee1275/boot.S: Fix order of fields. + Reviewed-by: Daniel Kiper -2013-12-18 Vladimir Serbinenko +2021-03-02 Daniel Axtens - Make grub_zlib_decompress handle incomplete chunks. + fs/hfs: Disable under lockdown + HFS has issues such as infinite mutual recursion that are simply too + complex to fix for such a legacy format. So simply do not permit + it to be loaded under lockdown. - Fixes squash4. + Reviewed-by: Daniel Kiper -2013-12-18 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * grub-core/Makefile.am: Don't attempt to export grub_bios_interrupt - on i386-multiboot. + fs/hfsplus: Don't use uninitialized data on corrupt filesystems + Valgrind identified the following use of uninitialized data: -2013-12-18 Aleš Nesrsta + ==2782220== Conditional jump or move depends on uninitialised value(s) + ==2782220== at 0x42B364: grub_hfsplus_btree_search (hfsplus.c:566) + ==2782220== by 0x42B21D: grub_hfsplus_read_block (hfsplus.c:185) + ==2782220== by 0x42A693: grub_fshelp_read_file (fshelp.c:386) + ==2782220== by 0x42C598: grub_hfsplus_read_file (hfsplus.c:219) + ==2782220== by 0x42C598: grub_hfsplus_mount (hfsplus.c:330) + ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958) + ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73) + ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186) + ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284) + ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55) + ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59) + ==2782220== by 0x4045A6: fstest (grub-fstest.c:433) + ==2782220== by 0x4045A6: main (grub-fstest.c:772) + ==2782220== Uninitialised value was created by a heap 
allocation + ==2782220== at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) + ==2782220== by 0x4C0305: grub_malloc (mm.c:42) + ==2782220== by 0x42C21D: grub_hfsplus_mount (hfsplus.c:239) + ==2782220== by 0x42B8C5: grub_hfsplus_dir (hfsplus.c:958) + ==2782220== by 0x4C1AE6: grub_fs_probe (fs.c:73) + ==2782220== by 0x407C94: grub_ls_list_files (ls.c:186) + ==2782220== by 0x407C94: grub_cmd_ls (ls.c:284) + ==2782220== by 0x4D7130: grub_extcmd_dispatcher (extcmd.c:55) + ==2782220== by 0x4045A6: execute_command (grub-fstest.c:59) + ==2782220== by 0x4045A6: fstest (grub-fstest.c:433) + ==2782220== by 0x4045A6: main (grub-fstest.c:772) - * grub-core/disk/usbms.c: Retry on unknown errors. - Reuse the same tag on retries. + This happens when the process of reading the catalog file goes sufficiently + wrong that there's an attempt to read the extent overflow file, which has + not yet been loaded. Keep track of when the extent overflow file is + fully loaded and refuse to use it before then. -2013-12-18 Aleš Nesrsta + The load valgrind doesn't like is btree->nodesize, and that's then used + to allocate a data structure. It looks like there are subsequently a lot + of reads based on that pointer so OOB reads are likely, and indeed crashes + (albeit difficult-to-replicate ones) have been observed in fuzzing. - * grub-core/bus/usb/ehci.c: Fix handling of newborn transfers. + Reviewed-by: Daniel Kiper - Avoid confusing them with already completed transfers. +2021-03-02 Daniel Axtens -2013-12-18 Vladimir Serbinenko + fs/hfsplus: Don't fetch a key beyond the end of the node + Otherwise you get a wild pointer, leading to a bunch of invalid reads. + Check it falls inside the given node. - Remove xen VFB. + Reviewed-by: Daniel Kiper - Due to XEN bug it prevents Linux boot. Remove it at least, until - workaround is found. 
+2021-03-02 Daniel Axtens -2013-12-18 Vladimir Serbinenko + fs/fshelp: Catch impermissibly large block sizes in read helper + A fuzzed HFS+ filesystem had log2blocksize = 22. This gave + log2blocksize + GRUB_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000, + which is -1 as an int. This caused some wacky behavior later on in + the function, leading to out-of-bounds writes on the destination buffer. - * po/exclude.pot: Add 2 missing excludes. + Catch log2blocksize + GRUB_DISK_SECTOR_BITS >= 31. We could be stricter, + but this is the minimum that will prevent integer size weirdness. -2013-12-18 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Add missing license section in macbless.mod and macho.mod. +2021-03-02 Daniel Axtens -2013-12-18 Vladimir Serbinenko + term/gfxterm: Don't set up a font with glyphs that are too big + Catch the case where we have a font so big that it causes the number of + rows or columns to be 0. Currently we continue and allocate a + virtual_screen.text_buffer of size 0. We then try to use that for glpyhs + and things go badly. - Allow compilation without thumb-interwork as long as no thumb is - involved or only thumb2 is used. + On the emu platform, malloc() may give us a valid pointer, in which case + we'll access heap memory which we shouldn't. Alternatively, it may give us + NULL, in which case we'll crash. For other platforms, if I understand + grub_memalign() correctly, we will receive a valid but small allocation + that we will very likely later overrun. -2013-12-18 Vladimir Serbinenko + Prevent the creation of a virtual screen that isn't at least 40 cols + by 12 rows. This is arbitrary, but it seems that if your width or height + is half a standard 80x24 terminal, you're probably going to struggle to + read anything anyway. - Use -Wl,--no-relax rather than -mno-relax for uniformity. + Reviewed-by: Daniel Kiper -2013-12-18 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * INSTALL: Update comment as to why sparc64 clang isn't usable. 
+ video/readers/jpeg: Don't decode data before start of stream + When a start of stream marker is encountered, we call grub_jpeg_decode_sos() + which allocates space for a bitmap. -2013-12-18 Vladimir Serbinenko + When a restart marker is encountered, we call grub_jpeg_decode_data() which + then fills in that bitmap. - Add __attribute__ ((sysv_abi)) only if it's really needed. + If we get a restart marker before the start of stream marker, we will + attempt to write to a bitmap_ptr that hasn't been allocated. Catch this + and bail out. This fixes an attempt to write to NULL. - Some compilers don't support it. + Reviewed-by: Daniel Kiper -2013-12-18 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * grub-core/lib/syslinux_parse.c: Declare timeout unsigned. + video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du() + The key line is: -2013-12-18 Vladimir Serbinenko + du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; - Remove -Wold-style-definition. + jpeg_zigzag_order is grub_uint8_t[64]. - Not very useful and interaction of it with regexp depends on GCC - version. + I don't understand JPEG decoders quite well enough to explain what's + going on here. However, I observe sometimes pos=64, which leads to an + OOB read of the jpeg_zigzag_order global then an OOB write to du. + That leads to various unpleasant memory corruption conditions. -2013-12-18 Vladimir Serbinenko + Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. - Make grub_util_get_windows_path_real static. + Reviewed-by: Daniel Kiper -2013-12-18 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * grub-core/commands/fileXX.c: Silence cast-align. - * grub-core/loader/i386/xen_fileXX.c: Likewise. + video/readers/jpeg: Catch files with unsupported quantization or Huffman tables + Our decoder only supports 2 quantization tables. If a file asks for + a quantization table with index > 1, reject it. 
-2013-12-18 Vladimir Serbinenko + Similarly, our decoder only supports 4 Huffman tables. If a file asks + for a Huffman table with index > 3, reject it. - * include/grub/efi/api.h (GRUB_EFI_ERROR_CODE): Use explicit cast - rather than LL suffix. + This fixes some out of bounds reads. It's not clear what degree of control + over subsequent execution could be gained by someone who can carefully + set up the contents of memory before loading an invalid JPEG file. -2013-12-18 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * include/grub/efi/api.h (PRIxGRUB_EFI_UINTN_T): Remove leftover. +2021-03-02 Daniel Axtens -2013-12-18 Vladimir Serbinenko + kern/misc: Always set *end in grub_strtoull() + Currently, if there is an error in grub_strtoull(), *end is not set. + This differs from the usual behavior of strtoull(), and also means that + some callers may use an uninitialized value for *end. - * grub-core/loader/arm/linux.c: Use common initrd functions. + Set *end unconditionally. -2013-12-18 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Decrease number of strings to translate. +2021-03-02 Daniel Axtens -2013-12-18 Vladimir Serbinenko + commands/menuentry: Fix quoting in setparams_prefix() + Commit 9acdcbf32542 (use single quotes in menuentry setparams command) + says that expressing a quoted single quote will require 3 characters. It + actually requires (and always did require!) 4 characters: - * grub-core/kern/arm/dl.c: Remove unnecessarry execution mode check. + str: a'b => a'\''b + len: 3 => 6 (2 for the letters + 4 for the quote) -2013-12-18 Vladimir Serbinenko + This leads to not allocating enough memory and thus out of bounds writes + that have been observed to cause heap corruption. - Mark strings for translation and add remaining ones to exclude list. + Allocate 4 bytes for each single quote. -2013-12-18 Vladimir Serbinenko + Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) 
does the same + quoting, but it adds 3 as extra overhead on top of the single byte that + the quote already needs. So it's correct. - * util/grub-file.c (main): Fix sizeof usage. + Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command) + Fixes: CVE-2021-20233 -2013-12-18 Vladimir Serbinenko + Reported-by: Daniel Axtens + Reviewed-by: Daniel Kiper - Silence spurious warning. +2021-03-02 Daniel Axtens -2013-12-18 Vladimir Serbinenko + script/execute: Don't crash on a "for" loop with no items + The following crashes the parser: - Remove check_nt_hiberfil as it's been superseeded by file command. + for x in; do + 0 + done -2013-12-17 Vladimir Serbinenko + This is because grub_script_arglist_to_argv() doesn't consider the + possibility that arglist is NULL. Catch that explicitly. - * docs/osdetect.cfg: Add isolinux config to detected OSes. + This avoids a NULL pointer dereference. -2013-12-17 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Implement syslinux parser. +2021-03-02 Daniel Axtens -2013-12-17 Vladimir Serbinenko + lib/arg: Block repeated short options that require an argument + Fuzzing found the following crash: - * grub-core/commands/legacycfg.c: Use 32-bit Linux protocol on non-BIOS. + search -hhhhhhhhhhhhhf -2013-12-17 Vladimir Serbinenko + We didn't allocate enough option space for 13 hints because the + allocation code counts the number of discrete arguments (i.e. argc). + However, the shortopt parsing code will happily keep processing + a combination of short options without checking if those short + options require an argument. This means you can easily end writing + past the allocated option space. - Support cpuid --pae. + This fixes a OOB write which can cause heap corruption. -2013-12-17 Vladimir Serbinenko + Fixes: CVE-2021-20225 - Use AT keyboard on Yeeloong 3A. + Reported-by: Daniel Axtens + Reviewed-by: Daniel Kiper -2013-12-17 Vladimir Serbinenko +2021-03-02 Daniel Axtens - Add Yeeloong 3A reboot and halt. 
+ script/execute: Avoid crash when using "$#" outside a function scope + "$#" represents the number of arguments to a function. It is only + defined in a function scope, where "scope" is non-NULL. Currently, + if we attempt to evaluate "$#" outside a function scope, "scope" will + be NULL and we will crash with a NULL pointer dereference. -2013-12-17 Vladimir Serbinenko + Do not attempt to count arguments for "$#" if "scope" is NULL. This + will result in "$#" being interpreted as an empty string if evaluated + outside a function scope. - Add Radeon Yeeloong 3A support. + Reviewed-by: Daniel Kiper -2013-12-17 Vladimir Serbinenko +2021-03-02 Daniel Axtens - Add bonito 3A support. + commands/ls: Require device_name is not NULL before printing + This can be triggered with: + ls -l (0 0*) + and causes a NULL deref in grub_normal_print_device_info(). -2013-12-17 Vladimir Serbinenko + I'm not sure if there's any implication with the IEEE 1275 platform. - * grub-core/loader/machoXX.c: Fix compilation on non-i386. + Reviewed-by: Daniel Kiper -2013-12-17 Vladimir Serbinenko +2021-03-02 Daniel Axtens - * grub-core/loader/i386/xen_fileXX.c: Silence cast-align. + script/execute: Fix NULL dereference in grub_script_execute_cmdline() + Reviewed-by: Daniel Kiper -2013-12-17 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/loader/macho.c: Fix compilation on non-i386. + util/glue-efi: Fix incorrect use of a possibly negative value + It is possible for the ftell() function to return a negative value, + although it is fairly unlikely here, we should be checking for + a negative value before we assign it to an unsigned value. -2013-12-17 Vladimir Serbinenko + Fixes: CID 73744 - Add missing format_arg attribute to check that printf with translated - messages has proper arguments. + Reviewed-by: Daniel Kiper -2013-12-17 Vladimir Serbinenko +2021-03-02 Darren Kenny - Use grub_xasprintf to format translated error messages containing - 64-bit quantity. 
+ util/grub-editenv: Fix incorrect casting of a signed value + The return value of ftell() may be negative (-1) on error. While it is + probably unlikely to occur, we should not blindly cast to an unsigned + value without first testing that it is not negative. -2013-12-17 Jon McCune + Fixes: CID 73856 - Fix double-free introduced by commit 33d02a42d64cf06cada1c389 + Reviewed-by: Daniel Kiper -2013-12-17 Vladimir Serbinenko +2021-03-02 Daniel Kiper - Unify message for unsupported relocation. + util/grub-install: Fix NULL pointer dereferences + Two grub_device_open() calls does not have associated NULL checks + for returned values. Fix that and appease the Coverity. -2013-12-17 Vladimir Serbinenko + Fixes: CID 314583 - Mark miscompile error for translation. + Reviewed-by: Javier Martinez Canillas -2013-12-17 Vladimir Serbinenko +2021-03-02 Paulo Flabiano Smorigo - Use %I64 and not %ll when using OS printf if compiling for windows. + loader/xnu: Check if pointer is NULL before using it + Fixes: CID 73654 -2013-12-17 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Update Mac code to match new register_efi prototype. +2021-03-02 Marco A Benatto -2013-12-17 Vladimir Serbinenko + loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap() + ... to avoid memory leaks. - Implement better integration with Mac firmware. + Fixes: CID 96640 -2013-12-17 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/loader/multiboot_mbi2.c: Implement special value for - load_addr. +2021-03-02 Darren Kenny -2013-12-17 Vladimir Serbinenko + loader/xnu: Fix memory leak + The code here is finished with the memory stored in name, but it only + frees it if there curvalue is valid, while it could actually free it + regardless. - Include serial module in default_payload.elf. + The fix is a simple relocation of the grub_free() to before the test + of curvalue. -2013-12-17 Vladimir Serbinenko + Fixes: CID 96646 - Add explicit thumb interwork bx in asm files. 
+ Reviewed-by: Daniel Kiper - Shouldn't matter for armv >= 5 but let's be safe. +2021-03-02 Darren Kenny -2013-12-17 Vladimir Serbinenko + loader/bsd: Check for NULL arg up-front + The code in the next block suggests that it is possible for .set to be + true but .arg may still be NULL. - Implement Truecrypt ISO loader. + This code assumes that it is never NULL, yet later is testing if it is + NULL - that is inconsistent. -2013-12-17 Vladimir Serbinenko + So we should check first if .arg is not NULL, and remove this check that + is being flagged by Coverity since it is no longer required. - * grub-core/lib/arg.c: Ensure at least a single space between commands. + Fixes: CID 292471 -2013-12-17 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Implement grub_file tool and use it to implement generating of config - in separate root. +2021-03-02 Darren Kenny -2013-12-17 Vladimir Serbinenko + gfxmenu/gui_list: Remove code that coverity is flagging as dead + The test of value for NULL before calling grub_strdup() is not required, + since the if condition prior to this has already tested for value being + NULL and cannot reach this code if it is. - Change to v1 xen grants. + Fixes: CID 73659 -2013-12-17 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/i386/xen/relocator.S: Fix hypercall ABI violation. +2021-03-02 Darren Kenny - GRUB relied on %ebx being preserved across hypercall which isn't true. + video/readers/jpeg: Test for an invalid next marker reference from a jpeg file + While it may never happen, and potentially could be caught at the end of + the function, it is worth checking up front for a bad reference to the + next marker just in case of a maliciously crafted file being provided. -2013-12-17 Vladimir Serbinenko + Fixes: CID 73694 - * grub-core/lib/x86_64/xen/relocator.S: Fix hypercall ABI violation. + Reviewed-by: Daniel Kiper - GRUB relied on %rdi being preserved across hypercall which isn't true. 
+2021-03-02 Darren Kenny -2013-12-17 Vladimir Serbinenko + video/fb/video_fb: Fix possible integer overflow + It is minimal possibility that the values being used here will overflow. + So, change the code to use the safemath function grub_mul() to ensure + that doesn't happen. - Implement XEN VFB support. + Fixes: CID 73761 -2013-12-17 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Remove grub_bios_interrupt on coreboot. +2021-03-02 Darren Kenny - It's not used currently and cannot be used safely currently. + video/fb/video_fb: Fix multiple integer overflows + The calculation of the unsigned 64-bit value is being generated by + multiplying 2, signed or unsigned, 32-bit integers which may overflow + before promotion to unsigned 64-bit. Fix all of them. -2013-12-16 Vladimir Serbinenko + Fixes: CID 73703, CID 73767, CID 73833 - Update exclude.pot and mark few strings for translation. + Reviewed-by: Daniel Kiper -2013-12-16 Vladimir Serbinenko +2021-03-02 Darren Kenny - * util/grub-mkrescue.c: Fix incorrect file usage in fallback code. + video/fb/fbfill: Fix potential integer overflow + The multiplication of 2 unsigned 32-bit integers may overflow before + promotion to unsigned 64-bit. We should ensure that the multiplication + is done with overflow detection. Additionally, use grub_sub() for + subtraction. - Reported by: Jon McCune + Fixes: CID 73640, CID 73697, CID 73702, CID 73823 -2013-12-16 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * grub-core/osdep/linux/platform.c (grub_install_get_default_x86_platform): - Add verbose information which firmware directories were tried. +2021-03-02 Darren Kenny -2013-12-16 Andrey Borzenkov + video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info() + The return value of grub_video_gop_fill_mode_info() is never able to be + anything other than GRUB_ERR_NONE. 
So, rather than continue to return + a value and checking it each time, it is more correct to redefine the + function to not return anything and remove checks of its return value + altogether. - * grub-core/osdep/unix/exec.c (grub_util_exec_redirect_all): New - function to optionally redirect all three standard descriptors. - Redefine grub_util_exec, grub_util_exec_redirect and - grub_util_exec_redirect_null to use it. - * include/grub/emu/exec.h: Define it. - * include/grub/osdep/exec_unix.h: Delete, it is unused. - * grub-core/osdep/linux/platform.c (grub_install_get_default_x86_platform): - Use grub_util_exec_redirect_all to redirect error to NULL. + Fixes: CID 96701 -2013-12-16 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/tests/sleep_test.c: Silence spurious warning. +2021-03-02 Darren Kenny -2013-12-16 Vladimir Serbinenko + commands/probe: Fix a resource leak when probing disks + Every other return statement in this code is calling grub_device_close() + to clean up dev before returning. This one should do that too. - Make grub_xen_hypercall on i386 cdecl rather than stdcall to avoid - linker trying to "fixup" the code. + Fixes: CID 292443 -2013-12-16 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/x86_64/xen/startup.S: Align stack. +2021-03-02 Chris Coulson -2013-12-16 Vladimir Serbinenko + commands/hashsum: Fix a memory leak + check_list() uses grub_file_getline(), which allocates a buffer. + If the hash list file contains invalid lines, the function leaks + this buffer when it returns an error. - Add support for converting PE+ to Elf64. + Fixes: CID 176635 -2013-12-16 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/commands/minicmd.c (grub_mini_cmd_dump): Handle LLP case. 
+2021-03-02 Darren Kenny -2013-12-16 Vladimir Serbinenko + normal/completion: Fix leaking of memory when processing a completion + It is possible for the code to reach the end of the function without + freeing the memory allocated to argv and argc still to be 0. - Remove practice of assigning random const pointers to device id. + We should always call grub_free(argv). The grub_free() will handle + a NULL argument correctly if it reaches that code without the memory + being allocated. - This is not required as cache code already checks driver id as well. + Fixes: CID 96672 -2013-12-16 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * include/grub/x86_64/types.h: Define sizeof (long) as 4 when compiling - with mingw. +2021-03-02 Darren Kenny -2013-12-16 Vladimir Serbinenko + syslinux: Fix memory leak while parsing + In syslinux_parse_real() the 2 points where return is being called + didn't release the memory stored in buf which is no longer required. - * include/grub/efi/api.h: Don't use call wrappers when compiled with - mingw or cygwin as API already matches. + Fixes: CID 176634 -2013-12-16 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/posix_wrap/errno.h: Undefine errno before redefining. +2021-03-02 Darren Kenny -2013-12-16 Vladimir Serbinenko + libgcrypt/mpi: Fix possible NULL dereference + The code in gcry_mpi_scan() assumes that buffer is not NULL, but there + is no explicit check for that, so we add one. - * include/grub/efi/api.h: Define (u)intn_t based on pointer size and - not on long. + Fixes: CID 73757 -2013-12-16 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Handle X86_64_PC64 relocation. +2021-03-02 Darren Kenny - Those are generated by some cygwin compilers. + libgcrypt/mpi: Fix possible unintended sign extension + The array of unsigned char gets promoted to a signed 32-bit int before + it is finally promoted to a size_t. 
There is the possibility that this + may result in the signed-bit being set for the intermediate signed + 32-bit int. We should ensure that the promotion is to the correct type + before we bitwise-OR the values. -2013-12-16 Vladimir Serbinenko + Fixes: CID 96697 - Determine the need for mingw-related stubs at compile time rather than - using not very significant $target_os. + Reviewed-by: Daniel Kiper -2013-12-16 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/genmod.sh.in: Strip before converting to ELF as strip - may not work with ELF. + affs: Fix memory leaks + The node structure reference is being allocated but not freed if it + reaches the end of the function. If any of the hooks had returned + a non-zero value, then node would have been copied in to the context + reference, but otherwise node is not stored and should be freed. -2013-12-16 Vladimir Serbinenko + Similarly, the call to grub_affs_create_node() replaces the allocated + memory in node with a newly allocated structure, leaking the existing + memory pointed by node. - Use unix functions for temporary files and special files on cygwin. + Finally, when dir->parent is set, then we again replace node with newly + allocated memory, which seems unnecessary when we copy in the values + from dir->parent immediately after. -2013-12-16 Vladimir Serbinenko + Fixes: CID 73759 - Define functions explicitly rather than using --defsym in tests - whenever possible. Respect locality in remaining cases. + Reviewed-by: Daniel Kiper -2013-12-16 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/genmoddep.awk: Remove explicit getline < /dev/stdin. + zfsinfo: Correct a check for error allocating memory + While arguably the check for grub_errno is correct, we should really be + checking the return value from the function since it is always possible + that grub_errno was set elsewhere, making this code behave incorrectly. 
-2013-12-15 Andrey Borzenkov + Fixes: CID 73668 - * grub-core/osdep/windows/platform.c (grub_install_register_efi): Handle - unlikely errors when getting EFI variables and make exhaustive search - for all BootNNNN variables to find matching one. + Reviewed-by: Daniel Kiper -2013-12-15 Ian Campbell +2021-03-02 Darren Kenny - * grub-core/kern/uboot/init.c: Fix units of uboot timer. + zfs: Fix possible integer overflows + In all cases the problem is that the value being acted upon by + a left-shift is a 32-bit number which is then being used in the + context of a 64-bit number. -2013-12-15 Vladimir Serbinenko + To avoid overflow we ensure that the number being shifted is 64-bit + before the shift is done. - New functional test for sleep function. + Fixes: CID 73684, CID 73695, CID 73764 - This test allows to check sleep without qemu. Keep qemu version as - well as functional test won't notice if all clocks are going too fast - or too slow. + Reviewed-by: Daniel Kiper -2013-12-15 Vladimir Serbinenko +2021-03-02 Paulo Flabiano Smorigo - Add explicit sysv_abi on amd64 asm routines. + zfs: Fix resource leaks while constructing path + There are several exit points in dnode_get_path() that are causing possible + memory leaks. -2013-12-15 Vladimir Serbinenko + In the while(1) the correct exit mechanism should not be to do a direct return, + but to instead break out of the loop, setting err first if it is not already set. - * grub-core/commands/efi/lsefisystab.c: Use %lld to show - num_table_entries. + The reason behind this is that the dnode_path is a linked list, and while doing + through this loop, it is being allocated and built up - the only way to + correctly unravel it is to traverse it, which is what is being done at the end + of the function outside of the loop. 
-2013-12-15 Vladimir Serbinenko + Several of the existing exit points correctly did a break, but not all so this + change makes that more consistent and should resolve the leaking of memory as + found by Coverity. - * include/grub/test.h: Use gnu_printf rather than printf on GRUB - functions. - -2013-12-15 Vladimir Serbinenko - - * grub-core/loader/i386/linux.c: Use grub_addr_t rather than long when - appropriate. - -2013-12-15 Vladimir Serbinenko - - * grub-core/loader/i386/linux.c: Use %p rather than %lx for pointers. - -2013-12-15 Vladimir Serbinenko - - * grub-core/kern/elfXX.c: Use grub_addr_t rather than long when - appropriate. - -2013-12-15 Vladimir Serbinenko - - * grub-core/disk/loopback.c: Use sequential IDs rather than pointer. - - In case of quick removal of loopback and adding another one it may - get same ID, confusing the cache system. - -2013-12-15 Vladimir Serbinenko - - * grub-core/commands/acpi.c: Use grub_addr_t rather than long when - appropriate. - -2013-12-15 Vladimir Serbinenko + Fixes: CID 73741 - * grub-core/kern/i386/coreboot/cbtable.c: Use char * arithmetic rather - than converting to long. + Reviewed-by: Daniel Kiper -2013-12-15 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/disk/cryptodisk.c: Rename "n" to "last_cryptodisk_id". + zfs: Fix possible negative shift operation + While it is possible for the return value from zfs_log2() to be zero + (0), it is quite unlikely, given that the previous assignment to blksz + is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the + assignment to epbs. -2013-12-15 Vladimir Serbinenko + But, while unlikely during a normal operation, it may be that a carefully + crafted ZFS filesystem could result in a zero (0) value to the + dn_datalbkszsec field, which means that the shift left does nothing + and assigns zero (0) to blksz, resulting in a negative epbs value. - * util/grub-mkimagexx.c (relocate_addresses): Display offset rather - than almost useless pointer. 
+ Fixes: CID 73608 -2013-12-15 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Add gcc_struct to all packed structures when compiling with mingw. +2021-03-02 Darren Kenny - Just "packed" doesn't always pack the way we expect. + hfsplus: Check that the volume name length is valid + HFS+ documentation suggests that the maximum filename and volume name is + 255 Unicode characters in length. -2013-12-14 Vladimir Serbinenko + So, when converting from big-endian to little-endian, we should ensure + that the name of the volume has a length that is between 0 and 255, + inclusive. - * include/grub/i386/coreboot/lbio.h: Add missing attribute (packed). + Fixes: CID 73641 -2013-12-14 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * util/grub-pe2elf.c: Fix handling of .bss. +2021-03-02 Darren Kenny -2013-12-14 Vladimir Serbinenko + disk/cryptodisk: Fix potential integer overflow + The encrypt and decrypt functions expect a grub_size_t. So, we need to + ensure that the constant bit shift is using grub_size_t rather than + unsigned int when it is performing the shift. - Implement windows flavour of EFI install routines. + Fixes: CID 307788 -2013-12-14 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * conf/Makefile.extra-dist: Adjust path to conf/i386-cygwin-img-ld.sc. +2021-03-02 Darren Kenny -2013-12-14 Vladimir Serbinenko + disk/ldm: Fix memory leak on uninserted lv references + The problem here is that the memory allocated to the variable lv is not + yet inserted into the list that is being processed at the label fail2. - Change grub_install_register_efi interface to pass GRUB device. + As we can already see at line 342, which correctly frees lv before going + to fail2, we should also be doing that at these earlier jumps to fail2. - This allows grub_install_register_efi to request partition info - directly. + Fixes: CID 73824 -2013-12-14 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Workaround cygwin bug when using \\?\Volume{GUID} syntax. 
+2021-03-02 Paulo Flabiano Smorigo -2013-12-14 Vladimir Serbinenko + disk/ldm: If failed then free vg variable too + Fixes: CID 73809 - Do not use TCHAR string functions as they are not available on cygwin. + Reviewed-by: Daniel Kiper -2013-12-14 Vladimir Serbinenko +2021-03-02 Marco A Benatto - Workaround windows bug when querying EFI system partition parameters. + disk/ldm: Make sure comp data is freed before exiting from make_vg() + Several error handling paths in make_vg() do not free comp data before + jumping to fail2 label and returning from the function. This will leak + memory. So, let's fix all issues of that kind. -2013-12-14 Vladimir Serbinenko + Fixes: CID 73804 - * grub-core/kern/i386/qemu/init.c (resource): Decrease struct size - by using bitfields. + Reviewed-by: Daniel Kiper -2013-12-14 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/boot/i386/qemu/boot.S: Add missing EXT_C. + kern/partition: Check for NULL before dereferencing input string + There is the possibility that the value of str comes from an external + source and continuing to use it before ever checking its validity is + wrong. So, needs fixing. -2013-12-14 Vladimir Serbinenko + Additionally, drop unneeded part initialization. - Make i386-* other than i386-pc compileable under cygwin. + Fixes: CID 292444 -2013-12-14 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Fix definition of grub_efi_hard_drive_device_path. Take care that - existing code would work even if by some reason bogus definition is - used by EFI implementations. +2021-03-02 Darren Kenny -2013-12-14 Vladimir Serbinenko - - * grub-core/osdep/windows/hostdisk.c: Fix cygwin compilation. - -2013-12-14 Vladimir Serbinenko - - * grub-core/osdep/windows/blocklist.c: Add missing cast in printf - invocation. - -2013-12-14 Vladimir Serbinenko - - * util/config.c: Remove trailing newline from distributor in simple - parsing. 
- -2013-12-14 Vladimir Serbinenko - - * include/grub/efi/api.h: Rename protocol and interface to avoid - conflict. - -2013-12-14 Vladimir Serbinenko - - * .gitignore: add .exe variants. add missing files. remove few outdated - entries. - -2013-12-14 Vladimir Serbinenko - - * grub-core/osdep/exec.c: Use unix version on cygwin. - -2013-12-13 Vladimir Serbinenko - - Implement multiboot2 EFI BS specification. - -2013-12-11 Vladimir Serbinenko + zstd: Initialize seq_t structure fully + While many compilers will initialize this to zero, not all will, so it + is better to be sure that fields not being explicitly set are at known + values, and there is code that checks this fields value elsewhere in the + code. - * grub-core/normal/charset.c: Fix premature line wrap and crash. - Crash happened only in some cases like a string starting at the - half of the screen of same length. + Fixes: CID 292440 -2013-12-11 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * include/grub/efiemu/efiemu.h: Sync configuration table declaration - with EFI counterpart. +2021-03-02 Darren Kenny -2013-12-11 Vladimir Serbinenko + io/lzopio: Resolve unnecessary self-assignment errors + These 2 assignments are unnecessary since they are just assigning + to themselves. - Propagate the EFI commits to x86-efi specific parts. + Fixes: CID 73643 -2013-12-11 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/commands/efi/lssal.c: Fix terminating condition. +2021-03-02 Darren Kenny -2013-12-11 Vladimir Serbinenko + gnulib/regcomp: Fix uninitialized re_token + This issue has been fixed in the latest version of gnulib, so to + maintain consistency, I've backported that change rather than doing + something different. - Introduce grub_efi_packed_guid and use it where alignment is not - guaranteed. + Fixes: CID 73828 -2013-12-11 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * include/grub/efi/api.h (grub_efi_device_path): Define length as - unaligned u16 rather than u8[2]. 
+2021-03-02 Darren Kenny -2013-12-11 Vladimir Serbinenko + gnulib/regexec: Fix possible null-dereference + It appears to be possible that the mctx->state_log field may be NULL, + and the name of this function, clean_state_log_if_needed(), suggests + that it should be checking that it is valid to be cleaned before + assuming that it does. - * grub-core/kern/ia64/dl.c (grub_arch_dl_relocate_symbols): Add checks - for relocation range. + Fixes: CID 86720 -2013-12-11 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/ia64/dl.c (grub_arch_dl_relocate_symbols): Handle - non-function pcrel21b relocation. It happens with .text.unlikely - section. +2021-03-02 Darren Kenny -2013-12-10 Leif Lindholm + gnulib/argp-help: Fix dereference of a possibly NULL state + All other instances of call to __argp_failure() where there is + a dgettext() call is first checking whether state is NULL before + attempting to dereference it to get the root_argp->argp_domain. - * make MAX_USABLE_ADDRESS platform-specific - * grub-core/kern/efi/mm.c: add Vladimir's new BYTES_TO_PAGES_DOWN macro. + Fixes: CID 292436 -2013-12-10 Leif Lindholm + Reviewed-by: Daniel Kiper - * grub-core/lib/fdt.c: change memcpy => grub_memcpy +2021-03-02 Darren Kenny -2013-12-09 Jon McCune + gnulib/regcomp: Fix uninitialized token structure + The code is assuming that the value of br_token.constraint was + initialized to zero when it wasn't. - * Add --no-rs-codes flag to optionally disable reed-solomon codes - in grub-install and grub-bios-setup for x86 BIOS targets. + While some compilers will ensure that, not all do, so it is better to + fix this explicitly than leave it to chance. -2013-12-09 Vladimir Serbinenko + Fixes: CID 73749 - Add missing compile and link options for sparc64-emu. + Reviewed-by: Daniel Kiper -2013-12-09 Vladimir Serbinenko +2021-03-02 Darren Kenny - Implement sparc64 trampolines (needed for sparc64-emu). 
+ gnulib/regexec: Resolve unused variable + This is a really minor issue where a variable is being assigned to but + not checked before it is overwritten again. -2013-12-09 Vladimir Serbinenko + The reason for this issue is that we are not building with DEBUG set and + this in turn means that the assert() that reads the value of the + variable match_last is being processed out. - * grub-core/kern/sparc64/dl.c (grub_arch_dl_relocate_symbols): Check - range of R_SPARC_HI22. - Implement R_SPARC_LM22. + The solution, move the assignment to match_last in to an ifdef DEBUG too. -2013-12-09 Vladimir Serbinenko + Fixes: CID 292459 - * grub-core/kern/powerpc/dl_helper.c (grub_arch_dl_get_tramp_got_size): - Do not explicitly check for symbol table as it's already checked in - platform-independent layer. + Reviewed-by: Daniel Kiper -2013-12-09 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/kern/emu/cache.c [__ia64__]: Use our cache cleaning routine - on ia64 as __clear_cache is a dummy on ia64. + kern/efi/mm: Fix possible NULL pointer dereference + The model of grub_efi_get_memory_map() is that if memory_map is NULL, + then the purpose is to discover how much memory should be allocated to + it for the subsequent call. -2013-12-09 Vladimir Serbinenko + The problem here is that with grub_efi_is_finished set to 1, there is no + check at all that the function is being called with a non-NULL memory_map. - * grub-core/kern/ia64/dl_helper.c (grub_ia64_dl_get_tramp_got_size): - Do not explicitly check for symbol table as it's already checked in - platform-independent layer. + While this MAY be true, we shouldn't assume it. -2013-12-09 Colin Watson + The solution to this is to behave as expected, and if memory_map is NULL, + then don't try to use it and allow memory_map_size to be filled in, and + return 0 as is done later in the code if the buffer is too small (or NULL). - * util/grub-mkconfig.in: Add missing newline to output. + Additionally, drop unneeded ret = 1. 
-2013-12-08 Vladimir Serbinenko + Fixes: CID 96632 - * grub-core/kern/ia64/efi/init.c (grub_arch_sync_caches): Move to ... - * grub-core/kern/ia64/cache.c (grub_arch_sync_caches): ... here. + Reviewed-by: Daniel Kiper -2013-12-08 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/kern/emu/main.c: Silence missing prototypes to allow emu - compilation with GCC <= 4.2. - * grub-core/kern/emu/argp_common.c: Likewise. + kern/efi: Fix memory leak on failure + Free the memory allocated to name before returning on failure. -2013-12-08 Vladimir Serbinenko + Fixes: CID 296222 - * include/grub/kernel.h [__sparc__]: Restrict sparc64-ieee1275 to - right platform rather than leaking to sparc64-emu. + Reviewed-by: Daniel Kiper -2013-12-08 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/osdep/windows/emuconsole.c: Remove unsigned comparison >= 0. - But ensure that the variables in question are indeed unsigned. + kern/parser: Fix resource leak if argc == 0 + After processing the command-line yet arriving at the point where we are + setting argv, we are allocating memory, even if argc == 0, which makes + no sense since we never put anything into the allocated argv. -2013-12-08 Vladimir Serbinenko + The solution is to simply return that we've successfully processed the + arguments but that argc == 0, and also ensure that argv is NULL when + we're not allocating anything in it. - * grub-core/kern/emu/lite.c: Add missing include of ../ia64/dl_helper.c. + There are only 2 callers of this function, and both are handling a zero + value in argc assuming nothing is allocated in argv. -2013-12-08 Vladimir Serbinenko + Fixes: CID 96680 - Remove grub_memalign on emu. + Reviewed-by: Daniel Kiper -2013-12-08 Vladimir Serbinenko +2021-03-02 Darren Kenny - * grub-core/kern/ia64/efi/init.c: Fix alignment code so it doesn't - truncate incomplete lines but instead flushes them. 
+ net/tftp: Fix dangling memory pointer + The static code analysis tool, Parfait, reported that the valid of + file->data was left referencing memory that was freed by the call to + grub_free(data) where data was initialized from file->data. -2013-12-08 Vladimir Serbinenko + To ensure that there is no unintentional access to this memory + referenced by file->data we should set the pointer to NULL. - Move OS-dependent mprotect for module loading to grub-core/osdep/*/dl.c - and implement windows variant. + Reviewed-by: Daniel Kiper -2013-12-08 Vladimir Serbinenko +2021-03-02 Darren Kenny - Fix mips-emu compilation. + net/net: Fix possible dereference to of a NULL pointer + It is always possible that grub_zalloc() could fail, so we should check for + a NULL return. Otherwise we run the risk of dereferencing a NULL pointer. -2013-12-08 Vladimir Serbinenko + Fixes: CID 296221 - * configure.ac: Check for freetype library usability. + Reviewed-by: Daniel Kiper -2013-12-08 Vladimir Serbinenko +2021-03-02 Darren Kenny - Make arm-emu work. + mmap: Fix memory leak when iterating over mapped memory + When returning from grub_mmap_iterate() the memory allocated to present + is not being released causing it to leak. -2013-12-07 Vladimir Serbinenko + Fixes: CID 96655 - * util/grub-mkfont.c: Replace stpcpy with grub_stpcpy. + Reviewed-by: Daniel Kiper -2013-12-07 Andrey Borzenkov +2021-03-02 Javier Martinez Canillas - * docs/grub.texi (Environment): Update color_normal and color_highlight - defaults (light-gray instead of white). + usb: Avoid possible out-of-bound accesses caused by malicious devices + The maximum number of configurations and interfaces are fixed but there is + no out-of-bound checking to prevent a malicious USB device to report large + values for these and cause accesses outside the arrays' memory. 
-2013-12-07 Andrey Borzenkov + Fixes: CVE-2020-25647 - * grub-core/normal/main.c (INIT): Set default color to light-gray - to match GRUB_TERM_DEFAULT_NORMAL_COLOR (i.e. rescue mode), Linux - and apparently BIOS defaults. + Reported-by: Joseph Tartaro + Reported-by: Ilja Van Sprundel + Reviewed-by: Daniel Kiper -2013-12-07 Vladimir Serbinenko +2021-03-02 Javier Martinez Canillas - Transform -C option to grub-mkstandalone to --core-compress available - in all grub-install flavours. + dl: Only allow unloading modules that are not dependencies + When a module is attempted to be removed its reference counter is always + decremented. This means that repeated rmmod invocations will cause the + module to be unloaded even if another module depends on it. -2013-12-07 Vladimir Serbinenko + This may lead to a use-after-free scenario allowing an attacker to execute + arbitrary code and by-pass the UEFI Secure Boot protection. - Merge GRUBFS and GRUB_FS variables. + While being there, add the extern keyword to some function declarations in + that header file. -2013-12-07 Andrey Borzenkov + Fixes: CVE-2020-25632 - Revert commit 69ca97c820, it caused failures when using OS device name - in grub-install. Instead just strip off parenthesis in grub-install - if (hdX) was passed. + Reported-by: Chris Coulson + Reviewed-by: Daniel Kiper -2013-12-07 Andrey Borzenkov +2021-03-02 Javier Martinez Canillas - * util/grub-install.c (push_partmap_module): Add helper to convert - partmap names to module names and use it in probe_mods(). Fixes - failure to find partmap modules in diskfilter case. + docs: Document the cutmem command + The command is not present in the docs/grub.texi user documentation. -2013-12-07 Vladimir Serbinenko + Reported-by: Daniel Kiper + Reviewed-by: Javier Martinez Canillas - * configure.ac: Make unifont mandatory on coreboot. 
+2021-03-02 Javier Martinez Canillas -2013-12-07 Vladimir Serbinenko + loader/xnu: Don't allow loading extension and packages when locked down + The shim_lock verifier validates the XNU kernels but no its extensions + and packages. Prevent these to be loaded when the GRUB is locked down. - * configure.ac: Skip unifont 6.3 pcf and bdf. + Reviewed-by: Daniel Kiper -2013-12-07 Vladimir Serbinenko +2021-03-02 Javier Martinez Canillas - * Makefile.am: Remove partial font files if generation failed. + gdb: Restrict GDB access when locked down + The gdbstub* commands allow to start and control a GDB stub running on + local host that can be used to connect from a remote debugger. Restrict + this functionality when the GRUB is locked down. -2013-12-07 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * util/misc.c (grub_qsort_strcmp): Add qsort helper function to sort - strings. - * include/grub/util/misc.h: Define it ... - * util/grub-install.c (device_map_check_duplicates): ... and use it. +2021-03-02 Javier Martinez Canillas -2013-12-07 Andrey Borzenkov + commands/hdparm: Restrict hdparm command when locked down + The command can be used to get/set ATA disk parameters. Some of these can + be dangerous since change the disk behavior. Restrict it when locked down. - * util/grub.d/30_os-prober.in: Fix use of grub-probe instead of - ${grub_probe}. + Reviewed-by: Daniel Kiper -2013-12-06 Vladimir Serbinenko +2021-03-02 Javier Martinez Canillas - Don't add -mlong-calls when compiling with clang. + commands/setpci: Restrict setpci command when locked down + This command can set PCI devices register values, which makes it dangerous + in a locked down configuration. Restrict it so can't be used on this setup. -2013-12-06 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * configure.ac: Fix a typo. 
+2021-03-02 Javier Martinez Canillas -2013-12-06 Vladimir Serbinenko + commands: Restrict commands that can load BIOS or DT blobs when locked down + There are some more commands that should be restricted when the GRUB is + locked down. Following is the list of commands and reasons to restrict: - Revamp relocation handling. + * fakebios: creates BIOS-like structures for backward compatibility with + existing OSes. This should not be allowed when locked down. - Move more code to common dl.c. Add missing veneers for arm and arm64. - Decreases kernel size by 70 bytes on i386-pc (40-50 compressed) + * loadbios: reads a BIOS dump from storage and loads it. This action + should not be allowed when locked down. -2013-12-05 Vladimir Serbinenko + * devicetree: loads a Device Tree blob and passes it to the OS. It replaces + any Device Tree provided by the firmware. This also should + not be allowed when locked down. - * util/grub-mkimagexx.c: Fix reloc section generation for ia64. + Reviewed-by: Daniel Kiper -2013-12-05 Mike Gilbert +2021-03-02 Javier Martinez Canillas - * INSTALL: Raise minimum python version to 2.6. - * gentpl.py: Use python3-style print function. + mmap: Don't register cutmem and badram commands when lockdown is enforced + The cutmem and badram commands can be used to remove EFI memory regions + and potentially disable the UEFI Secure Boot. Prevent the commands to be + registered if the GRUB is locked down. -2013-12-05 Vladimir Serbinenko + Fixes: CVE-2020-27779 - * util/grub-install.c: Mention Boot* variable. + Reported-by: Teddy Reed + Reviewed-by: Daniel Kiper -2013-12-05 Colin Watson +2021-03-02 Javier Martinez Canillas - * grub-core/osdep/linux/hostdisk.c - (grub_util_find_partition_start_os): Initialise start to avoid - spurious compiler warning. + acpi: Don't register the acpi command when locked down + The command is not allowed when lockdown is enforced. 
Otherwise an + attacker can instruct the GRUB to load an SSDT table to overwrite + the kernel lockdown configuration and later load and execute + unsigned code. -2013-12-05 Colin Watson + Fixes: CVE-2020-14372 - On Linux, read partition start offsets from sysfs if possible, to - cope with block device drivers that don't implement HDIO_GETGEO. - Fixes Ubuntu bug #1237519. + Reported-by: Máté Kukri + Reviewed-by: Daniel Kiper - * grub-core/osdep/linux/hostdisk.c (sysfs_partition_path): New - function. - (sysfs_partition_start): Likewise. - (grub_util_find_partition_start_os): Try sysfs_partition_start - before HDIO_GETGEO. +2021-03-02 Javier Martinez Canillas -2013-12-05 Leif Lindholm + efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list + Now the GRUB can check if it has been locked down and this can be used to + prevent executing commands that can be utilized to circumvent the UEFI + Secure Boot mechanisms. So, instead of hardcoding a list of modules that + have to be disabled, prevent the usage of commands that can be dangerous. - * grub-core/kern/fdt.c: Update struct size when adding node. + This not only allows the commands to be disabled on other platforms, but + also properly separate the concerns. Since the shim_lock verifier logic + should be only about preventing to run untrusted binaries and not about + defining these kind of policies. -2013-12-05 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Handle unaligned .bss on sparc64. +2021-03-02 Javier Martinez Canillas - Current code improperly assumes that both __bss_start and _end are - aligned to 8-bytes. Eliminating this assumption and explicitly align - modules. + efi: Lockdown the GRUB when the UEFI Secure Boot is enabled + If the UEFI Secure Boot is enabled then the GRUB must be locked down + to prevent executing code that can potentially be used to subvert its + verification mechanisms. 
-2013-12-04 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/boot/sparc64/ieee1275/boot.S [CDBOOT]: Move scratchpad - so it doesn't land in the middle of loaded image. +2021-03-02 Javier Martinez Canillas -2013-12-04 Vladimir Serbinenko + kern/lockdown: Set a variable if the GRUB is locked down + It may be useful for scripts to determine whether the GRUB is locked + down or not. Add the lockdown variable which is set to "y" when the GRUB + is locked down. - * configure.ac: Move all warning options that may be absent in - gcc >= 3.1 to optional. + Suggested-by: Dimitri John Ledkov + Reviewed-by: Daniel Kiper - Note: while this allows to compile with older GCC, official requirements - remain the same and no support for older GCC. +2021-03-02 Javier Martinez Canillas -2013-12-04 Colin Watson + kern: Add lockdown support + When the GRUB starts on a secure boot platform, some commands can be + used to subvert the protections provided by the verification mechanism and + could lead to booting untrusted system. - Copying the themes directory in grub-shell isn't - parallel-test-friendly and breaks on the second test when the source - directory is read-only (as in "make distcheck"). Instead, add a - hidden --themes-directory option to grub-mkrescue et al, and use it - in grub-shell. + To prevent that situation, allow GRUB to be locked down. That way the code + may check if GRUB has been locked down and further restrict the commands + that are registered or what subset of their functionality could be used. -2013-12-04 Vladimir Serbinenko + The lockdown support adds the following components: - * conf/Makefile.common (CFLAGS_GNULIB): Remove -Wno-old-style-definition - as it's no longer necessarry. + * The grub_lockdown() function which can be used to lockdown GRUB if, + e.g., UEFI Secure Boot is enabled. -2013-12-04 Vladimir Serbinenko + * The grub_is_lockdown() function which can be used to check if the GRUB + was locked down. 
- * configure.ac: Allow compilation with older GCC for ARM. + * A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI + tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other + verifiers. These files are only successfully verified if another registered + verifier returns success. Otherwise, the whole verification process fails. -2013-12-04 Vladimir Serbinenko + For example, PE/COFF binaries verification can be done by the shim_lock + verifier which validates the signatures using the shim_lock protocol. + However, the verification is not deferred directly to the shim_lock verifier. + The shim_lock verifier is hooked into the verification process instead. - * configure.ac: Add -no-integrated-as if {addme|ame} isn't supported. - * INSTALL: Note that GRUBwas successfully compiled with clang 3.2 for - ppc. + * A set of grub_{command,extcmd}_lockdown functions that can be used by + code registering command handlers, to only register unsafe commands if + the GRUB has not been locked down. -2013-12-04 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/emu/main.c: Ignore missing prototype for main. +2021-03-02 Marco A Benatto -2013-12-04 Vladimir Serbinenko + efi: Move the shim_lock verifier to the GRUB core + Move the shim_lock verifier from its own module into the core image. The + Secure Boot lockdown mechanism has the intent to prevent the load of any + unsigned code or binary when Secure Boot is enabled. - Pass font config to config.h and not by TARGET_CFLAGS as adding - arguments doesn't work if TARGET_CFLAGS is specified on command - line. + The reason is that GRUB must be able to prevent executing untrusted code + if UEFI Secure Boot is enabled, without depending on external modules. -2013-12-04 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * configure.ac: Add -Wvla if compiler supports it. 
+2021-03-02 Marco A Benatto -2013-12-04 Vladimir Serbinenko + verifiers: Move verifiers API to kernel image + Move verifiers API from a module to the kernel image, so it can be + used there as well. There are no functional changes in this patch. - * grub-core/osdep/windows/emuconsole.c (grub_console_putchar): - Remove variable length arrays. - * grub-core/term/efi/console.c (grub_console_putchar): Likewise. + Reviewed-by: Daniel Kiper -2013-12-04 Vladimir Serbinenko +2020-12-18 Glenn Washburn - * grub-core/kern/i386/qemu/init.c: Remove variable length arrays. + docs: Add documentation of disk size limitations + Document the artificially imposed 1 EiB disk size limit and size limitations + with LUKS volumes. -2013-12-04 Vladimir Serbinenko + Fix a few punctuation issues. - * include/grub/types.h: Declare all byteswaps as inline functions - except compile-time ones. + Reviewed-by: Daniel Kiper - Solves variable shadowing in constructions like - cpu_to_le (le_to_cpu(x) + 1). +2020-12-18 Glenn Washburn -2013-12-04 Vladimir Serbinenko + luks2: Use grub_log2ull() to calculate log_sector_size and improve readability + Reviewed-by: Daniel Kiper - * grub-core/kern/efi/efi.c: Remove variable length arrays. + misc: Add grub_log2ull() macro for calculating log base 2 of 64-bit integers + Reviewed-by: Daniel Kiper -2013-12-04 Vladimir Serbinenko +2020-12-18 Glenn Washburn - * grub-core/kern/uboot/init.c (uboot_timer_ms): Fix overflow after 71 - minutes. + mips: Enable __clzdi2() + This patch is similar to commit 9dab2f51e (sparc: Enable __clzsi2() and + __clzdi2()) but for MIPS target and __clzdi2() only, __clzsi2() was + already enabled. -2013-12-04 Vladimir Serbinenko + Suggested-by: Daniel Kiper + Reviewed-by: Daniel Kiper - * grub-core/disk/ieee1275/ofdisk.c: Remove variable length arrays. - * grub-core/net/drivers/ieee1275/ofnet.c: Likewise. 
+2020-12-18 Glenn Washburn -2013-12-03 Colin Watson + luks2: Better error handling when setting up the cryptodisk + Do some sanity checking on data coming from the LUKS2 header. If segment.size + is "dynamic", verify that the offset is not past the end of disk. Otherwise, + check for errors from grub_strtoull() when converting segment size from + string. If a GRUB_ERR_BAD_NUMBER error was returned, then the string was + not a valid parsable number, so skip the key. If GRUB_ERR_OUT_OF_RANGE was + returned, then there was an overflow in converting to a 64-bit unsigned + integer. So this could be a very large disk (perhaps large RAID array). + In this case skip the key too. Additionally, enforce some other limits + and fail if needed. - * grub-core/Makefile.core.def (setjmp): Distribute - lib/arm64/setjmp.S. + Reviewed-by: Daniel Kiper -2013-12-03 Colin Watson +2020-12-18 Glenn Washburn - Add a new timeout_style environment variable and a corresponding - GRUB_TIMEOUT_STYLE configuration key for grub-mkconfig. This - controls hidden-timeout handling more simply than the previous - arrangements, and pressing any hotkeys associated with menu entries - during the hidden timeout will now boot the corresponding menu entry - immediately. + luks2: Do not handle disks of size GRUB_DISK_SIZE_UNKNOWN for now + Check to make sure that source disk has a known size. If not, print + a message and return error. There are 4 cases where GRUB_DISK_SIZE_UNKNOWN + is set (biosdisk, obdisk, ofdisk, and uboot), and in all those cases + processing continues. So this is probably a bit conservative. However, + 3 of the cases seem pathological, and the other, biosdisk, happens when + booting from a CD-ROM. Since I doubt booting from a LUKS2 volume on + a CD-ROM is a big use case, we'll error until someone complains. - GRUB_HIDDEN_TIMEOUT= + GRUB_TIMEOUT= now - generates a warning, and if it shows the menu it will do so as if - the second timeout were not present. 
Other combinations are - translated into reasonable equivalents. + Reviewed-by: Daniel Kiper - Based loosely on work by Franz Hsieh. Fixes Ubuntu bug #1178618. +2020-12-18 Glenn Washburn -2013-12-02 Vladimir Serbinenko + luks2: Convert to crypt sectors from GRUB native sectors + The function grub_disk_native_sectors(source) returns the number of sectors + of source in GRUB native (512-byte) sectors, not source sized sectors. So + the conversion needs to use GRUB_DISK_SECTOR_BITS, the GRUB native sector + size. - * util/config.c: Add missing pointer adjustment. - Reported by: qwertial + Reviewed-by: Daniel Kiper -2013-11-30 Andrey Borzenkov +2020-12-12 Glenn Washburn - * grub-core/kern/arm64/dl_helper.c: Include grub/arm64/reloc.h - directly, not via `cpu' link, to fix libgrub.pp generation. + luks2: Error check segment.sector_size + Reviewed-by: Daniel Kiper -2013-11-30 Leif Lindholm +2020-12-12 Glenn Washburn - New port arm64-efi. + cryptodisk: Properly handle non-512 byte sized sectors + By default, dm-crypt internally uses an IV that corresponds to 512-byte + sectors, even when a larger sector size is specified. What this means is + that when using a larger sector size, the IV is incremented every sector. + However, the amount the IV is incremented is the number of 512 byte blocks + in a sector (i.e. 8 for 4K sectors). Confusingly the IV does not correspond + to the number of, for example, 4K sectors. So each 512 byte cipher block in + a sector will be encrypted with the same IV and the IV will be incremented + afterwards by the number of 512 byte cipher blocks in the sector. -2013-11-30 Andrey Borzenkov + There are some encryption utilities which do it the intuitive way and have + the IV equal to the sector number regardless of sector size (ie. the fifth + sector would have an IV of 4 for each cipher block). 
And this is supported + by dm-crypt with the iv_large_sectors option and also cryptsetup as of 2.3.3 + with the --iv-large-sectors, though not with LUKS headers (only with --type + plain). However, support for this has not been included as grub does not + support plain devices right now. - * docs/grub.texi (sleep): Document exit codes. + One gotcha here is that the encrypted split keys are encrypted with a hard- + coded 512-byte sector size. So even if your data is encrypted with 4K sector + sizes, the split key encrypted area must be decrypted with a block size of + 512 (ie the IV increments every 512 bytes). This made these changes less + aesthetically pleasing than desired. -2013-11-30 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Ensure that -mno-unaligned-access or some equivalent option is used. +2020-12-12 Glenn Washburn -2013-11-30 Vladimir Serbinenko + luks2: grub_cryptodisk_t->total_sectors is the max number of device native sectors + We need to convert the sectors from the size of the underlying device to the + cryptodisk sector size; segment.size is in bytes which need to be converted + to cryptodisk sectors as well. - * grub-core/lib/libgcrypt/mpi/longlong.h: Fix compilation error with - -march=armv3. + Also, removed an empty statement. -2013-11-30 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Remove leftover GRUB_IA64_DL_TRAMP_SIZE. +2020-12-12 Glenn Washburn -2013-11-29 Colin Watson + cryptodisk: Add macros GRUB_TYPE_U_MAX/MIN(type) to replace literals + Add GRUB_TYPE_U_MAX/MIN(type) macros to get the max/min values for an + unsigned number with size of type. - * docs/grub-dev.texi (Font Metrics): Exclude @image command from DVI - builds, since we don't have an EPS version of font_char_metrics.png. - Add leading dot to image extension per the Texinfo documentation. + Reviewed-by: Daniel Kiper -2013-11-29 Colin Watson +2020-12-12 Glenn Washburn - * util/grub-gen-asciih.c: Include FT_SYNTHESIS_H rather than - , fixing build with FreeType 2.5.1. 
- * util/grub-gen-widthspec.c: Likewise. - * util/grub-mkfont.c: Likewise. + cryptodisk: Add macro GRUB_TYPE_BITS() to replace some literals + The new macro GRUB_TYPE_BITS(type) returns the number of bits + allocated for type. -2013-11-29 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * util/grub-setup.c (main): Move parsing of (hdX) syntax to ... - * util/setup.c (SETUP): ... here. Fixes regression: grub-install - failed to install on (hdX). - * util/grub-setup.c (get_device_name): Remove, not needed after - above change. +2020-12-12 Glenn Washburn -2013-11-29 Vladimir Serbinenko + luks2: Add string "index" to user strings using a json index + This allows error messages to be more easily distinguishable between indexes + and slot keys. The former include the string "index" in the error/debug + string, and the later are surrounded in quotes. - * grub-core/kern/emu/hostfs.c (is_dir): Remove variable length arrays. + Reviewed-by: Daniel Kiper -2013-11-29 Vladimir Serbinenko +2020-12-12 Glenn Washburn - * util/grub-fstest.c: Remove variable length arrays. + luks2: Rename json index variables to names that they are obviously json indexes + Reviewed-by: Daniel Kiper -2013-11-29 Vladimir Serbinenko +2020-12-12 Glenn Washburn - * grub-core/osdep/linux/ofpath.c: Check return value of read. + luks2: Use more intuitive object name instead of json index in user messages + Use the object name in the json array rather than the 0 based index in the + json array for keyslots, segments, and digests. This is less confusing for + the end user. For example, say you have a LUKS2 device with a key in slot 1 + and slot 4. When using the password for slot 4 to unlock the device, the + messages using the index of the keyslot will mention keyslot 1 (its a + zero-based index). Furthermore, with this change the keyslot number will + align with the number used to reference the keyslot when using the + --key-slot argument to cryptsetup. 
-2013-11-29 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * util/mkimage.c (grub_install_generate_image): Use grub_crypto_hash for - computing crc32 rather than handling with md fundtions directly. +2020-12-12 Glenn Washburn -2013-11-29 Vladimir Serbinenko + luks2: Add idx member to struct grub_luks2_keyslot/segment/digest + This allows code using these structs to know the named key associated with + these json data structures. In the future we can use these to provide better + error messages to the user. - * util/mkimage.c (grub_install_generate_image): Use grub_crypto_hash for - checking fwstart.img rather than md fundtions directly. + Get rid of idx local variable in luks2_get_keyslot() which was overloaded to + be used for both keyslot and segment slot keys. -2013-11-29 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * util/grub-mkrescue.c (main): Check that fread succeeded. +2020-12-12 Glenn Washburn -2013-11-29 Vladimir Serbinenko + luks2: Make sure all fields of output argument in luks2_parse_digest() are written to + We should assume that the output argument "out" is uninitialized and could + have random data. So, make sure to initialize the segments and keyslots bit + fields because potentially not all bits of those fields are written to. + Otherwise, the digest could say it belongs to keyslots and segments that it + does not. - * conf/Makefile.common: Remove -mexplicit-relocs and - -DUSE_ASCII_FALLBACK on yeeloong. + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - -DUSE_ASCII_FALLBACK is already added by font snippets. - -mexplicit-relocs isn't needed is compiler/assemblera are - configured properly. - If they're not we shouldn't attempt to fix it by ourselves. - Binary compare between before and after shows no difference. 
+2020-12-12 Glenn Washburn -2013-11-29 Vladimir Serbinenko + luks2: Remove unused argument in grub_error() call + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - * grub-core/Makefile.core.def: Remove libgnulib.a and use its - sources in dependencies directly. + luks2: Convert 8 spaces to tabs + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - This was the only instance of "library" in core config. A bug was - reported that -fno-stack-protector wasn't passed to it. Instead of - figuring out why it failed just remove this construction used - needlessly. +2020-12-12 Glenn Washburn -2013-11-29 Vladimir Serbinenko + misc: Add parentheses around ALIGN_UP() and ALIGN_DOWN() arguments + This ensures that expected order of operations is preserved when arguments + are expressions. - * grub-core/osdep/unix/password.c (grub_password_get): Check that - fgets succeeded. + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper -2013-11-27 Francesco Lavra +2020-12-12 Glenn Washburn - * docs/grub.texi (ls): Fix command description in case of a device name - passed as argument. + disk: Rename grub_disk_get_size() to grub_disk_native_sectors() + The function grub_disk_get_size() is confusingly named because it actually + returns a sector count where the sectors are sized in the GRUB native sector + size. Rename to something more appropriate. -2013-11-27 Vladimir Serbinenko + Suggested-by: Daniel Kiper + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - Eliminate variable length arrays in grub_vsnprintf_real. +2020-12-12 Glenn Washburn - A bit tricky because this function has to continue to work without - heap for short strings. Fixing prealloc to 32 arguments is reasonable - but make all stack references use 32-bit offset rather than 8-bit one. - So split va_args preparsing to separate function and put the prealloc - into the caller. 
+ loopback: Do not automaticaly replace existing loopback dev, error instead + If there is a loopback device with the same name as the one to be created, + instead of closing the old one and replacing it with the new one, return an + error instead. If the loopback device was created, its probably being used + by something and just replacing it may cause GRUB to crash unexpectedly. + This fixes obvious problems like "loopback d (d)/somefile". Its not too + onerous to force the user to delete the loopback first with the "-d" switch. -2013-11-27 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Introduce grub_util_file_sync and use it instead of fsync(fileno(f)). - Fixes build for windows. +2020-12-12 Glenn Washburn -2013-11-27 Vladimir Serbinenko + disk: Move hardcoded max disk size literal to a GRUB_DISK_MAX_SECTORS in disk.h + There is a hardcoded maximum disk size that can be read or written from, + currently set at 1 EiB in grub_disk_adjust_range(). Move the literal into a + macro in disk.h, so our assumptions are more visible. This hard coded limit + does not prevent using larger disks, just GRUB won't read/write past the + limit. The comment accompanying this restriction didn't quite make sense to + me, so its been modified too. - * gentpl.py: Don't generate platform-dependent conditionals for - platform-independent targets. + Reviewed-by: Daniel Kiper -2013-11-27 Colin Watson +2020-12-12 Glenn Washburn - * grub-core/osdep/unix/exec.c (grub_util_exec_redirect): Remove - references to mdadm from otherwise generic code. - (grub_util_exec_pipe): Likewise. - (grub_util_exec_pipe_stderr): Likewise. - * grub-core/osdep/unix/getroot.c (grub_util_pull_lvm_by_command): - This function calls vgs, not mdadm; adjust variable names - accordingly. 
+ fs: Fix block lists not being able to address to end of disk sometimes + When checking if a block list goes past the end of the disk, make sure + the total size of the disk is in GRUB native sector sizes, otherwise there + will be blocks at the end of the disk inaccessible by block lists. -2013-11-27 Colin Watson + Reviewed-by: Daniel Kiper - Generate Makefile.*.am directly from gentpl.py, eliminating the use - of Autogen. The Autogen definitions files remain intact as they - offer a useful abstraction. +2020-12-12 Vladimir Serbinenko -2013-11-27 Colin Watson + mbr: Document new limitations on MBR gap support + Reviewed-by: Daniel Kiper - Add grub_util_disable_fd_syncs call to turn grub_util_fd_sync calls - into no-ops, and use it in programs that copy files but do not need - to take special care to sync writes (grub-mknetdir, grub-rescue, - grub-mkstandalone). +2020-12-12 Vladimir Serbinenko -2013-11-26 Colin Watson + mbr: Warn if MBR gap is small and user uses advanced modules + We don't want to support small MBR gap in pair with anything but the + simplest config of biosdisk + part_msdos + simple filesystem. In this + path "simple filesystems" are all current filesystems except ZFS and + Btrfs. - * tests/util/grub-fs-tester.in: Execute xorriso from $PATH rather - than hardcoding /usr/local/bin/xorriso. + Reviewed-by: Daniel Kiper -2013-11-26 Vladimir Serbinenko +2020-12-12 Tianjia Zhang - Add PCI command activation to all PCI drivers as required for coreboot - and maybe some other firmwares. + efi/tpm: Extract duplicate code into independent functions + Part of the code logic for processing the return value of efi + log_extend_event is repetitive and complicated. Extract the + repetitive code into an independent function. -2013-11-26 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/Makefile.am: Reduce gratuituous differences between Apple - and non-Apple variants of efiemu compile. 
+2020-12-12 Tianjia Zhang -2013-11-25 Andrey Borzenkov + efi/tpm: Add debug information for device protocol and eventlog + Add a number of debug logs to the tpm module. The condition tag + for opening debugging is "tpm". On TPM machines, this will bring + great convenience to diagnosis and debugging. - * configure.ac: Add explicit check for linking format of - efiemu64; save it as EFIEMU64_LINK_FORMAT. - * grub-core/Makefile.am: Use EFIEMU64_LINK_FORMAT instead of - hardcoding linking format. + Reviewed-by: Daniel Kiper -2013-11-25 Vladimir Serbinenko +2020-12-12 Daniel Kiper - * util/grub-mknetdir.c: Look for platform directories under pkglibdir - and not pkgdatadir. + loader/linux: Report the UEFI Secure Boot status to the Linux kernel + Now that the GRUB has a grub_efi_get_secureboot() function to check the + UEFI Secure Boot status, use it to report that to the Linux kernel. -2013-11-25 Colin Watson -2013-11-25 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Add a --locale-directory option to grub-install and related tools. +2020-12-12 Javier Martinez Canillas - * include/grub/util/install.h (GRUB_INSTALL_OPTIONS): Add - --locale-directory option. - (enum grub_install_options): Add - GRUB_INSTALL_OPTIONS_LOCALE_DIRECTORY. - * util/grub-install-common.c (grub_install_help_filter): Handle - GRUB_INSTALL_OPTIONS_LOCALE_DIRECTORY. - (grub_install_parse): Likewise. - (get_localedir): New function to check for a user-provided option - before trying grub_util_get_localedir. - (copy_locales): Use get_localedir rather than - grub_util_get_localedir. Handle differing locale directory layouts. - (grub_install_copy_files): Likewise. + efi: Only register shim_lock verifier if shim_lock protocol is found and SB enabled + The shim_lock module registers a verifier to call shim's verify, but the + handler is registered even when the shim_lock protocol was not installed. 
-2013-11-25 Vladimir Serbinenko + This doesn't cause a NULL pointer dereference in shim_lock_write() because + the shim_lock_init() function just returns GRUB_ERR_NONE if sl isn't set. - * grub-core/osdep/unix/platform.c (get_ofpathname): Trim ending newline. - Don't rely on PATH_MAX. + But in that case there's no point to even register the shim_lock verifier + since won't do anything. Additionally, it is only useful when Secure Boot + is enabled. -2013-11-25 Vladimir Serbinenko + Finally, don't assume that the shim_lock protocol will always be present + when the shim_lock_write() function is called, and check for it on every + call to this function. - * grub-core/genmoddep.awk: Use more portable && rather than and. + Reported-by: Michael Chang + Reported-by: Peter Jones + Reviewed-by: Daniel Kiper -2013-11-24 Vladimir Serbinenko +2020-12-11 Daniel Kiper - * grub-core/kern/i386/pc/startup.S [__APPLE__]: Create _edata by placing - an object after data. While it doesn't seem right solution, it - works well enough and OSX isn't main compilation platform. + efi: Add secure boot detection + Introduce grub_efi_get_secureboot() function which returns whether + UEFI Secure Boot is enabled or not on UEFI systems. -2013-11-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * gentpl.py: Add -ed2016 in order to make objconv accept our binary. - While it doesn't seem right solution, it works well enough and - OSX isn't main compilation platform. +2020-12-11 Daniel Kiper -2013-11-24 Vladimir Serbinenko + efi: Add a function to read EFI variables with attributes + It will be used to properly detect and report UEFI Secure Boot status to + the x86 Linux kernel. The functionality will be added by subsequent patches. - * configure.ac: Add -static to LDFLAGS when using apple linker to - prevent it from pulling in dynamic linker. + Reviewed-by: Daniel Kiper -2013-11-24 Vladimir Serbinenko +2020-12-11 Daniel Kiper - Apple assembly doesn't handle symbol arithmetic well. 
So define an - offset symbol in boot.S and use it. + efi: Return grub_efi_status_t from grub_efi_get_variable() + This is needed to properly detect and report UEFI Secure Boot status + to the x86 Linux kernel. The functionality will be added by subsequent + patches. -2013-11-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Apple assembly doesn't handle symbol arithmetic well. So instead - of getting addres of kernel_sector + 4 define kernel_sector_high. - It also makes code more readable. +2020-12-11 Daniel Kiper -2013-11-24 Vladimir Serbinenko + efi: Make shim_lock GUID and protocol type public + The GUID will be used to properly detect and report UEFI Secure Boot + status to the x86 Linux kernel. The functionality will be added by + subsequent patches. The shim_lock protocol type is made public for + completeness. - With Apple assembly in .macro environvemnt you have to use $$ instead - of $. So introduce new preprocessor macro MACRO_DOLLAR(x) which expands - to $$x on Apple and to $x on everything else. + Additionally, fix formatting of four preceding GUIDs. -2013-11-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/Makefile.am: Use correct TARGET_OBJCONV rather than - OBJCONV. +2020-12-11 Javier Martinez Canillas -2013-11-24 Vladimir Serbinenko + arm/term: Fix linking error due multiple ps2_state definitions + When building with --target=arm-linux-gnu --with-platform=coreboot + a linking error occurs caused by multiple definitions of the + ps2_state variable. - * grub-core/gdb/i386/machdep.S: Use xorl %eax, %eax on both Apple - and non-Apple. This instruction is shorter and faster, - so no reason not to use it on both. + Mark them as static since they aren't used outside their compilation unit. -2013-11-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/reed_solomon.c: Use section _text, _text rather than - .text when compiling for Apple. 
+2020-12-11 Javier Martinez Canillas -2013-11-24 Vladimir Serbinenko + include/grub/i386/linux.h: Include missing header + This header uses types defined in but does not include it, + which leads to compile errors like the following: - * grub-core/term/arc/console.c: Add missing cast to silence warning. + In file included from ../include/grub/cpu/linux.h:19, + from kern/efi/sb.c:21: + ../include/grub/i386/linux.h:80:3: error: unknown type name ‘grub_uint64_t’ + 80 | grub_uint64_t addr; -2013-11-24 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/boot/i386/pc/boot.S: Fix floppy probe. Due to missing - %dx restore the probe worked on non-existant drive. Reorganize the - code a little bit to free 2 bytes necessary for push/pop. +2020-12-11 Javier Martinez Canillas -2013-11-23 Vladimir Serbinenko + i386: Don't include in coreboot and ieee1275 startup.S + Nothing defined in the header file is used in the assembly code but it + may lead to build errors if some headers are included through this and + contains definitions that are not recognized by the assembler, e.g.: - * grub-core/kern/mips/arc/init.c (grub_machine_get_bootlocation): - Add missing cast to silence warning. + ../include/grub/types.h: Assembler messages: + ../include/grub/types.h:76: Error: no such instruction: `typedef signed char grub_int8_t' + ../include/grub/types.h:77: Error: no such instruction: `typedef short grub_int16_t' + ../include/grub/types.h:78: Error: no such instruction: `typedef int grub_int32_t' -2013-11-23 Keshav Padram Amburay + Reviewed-by: Daniel Kiper - * util/grub-install.c (update_nvram): Support --no-nvram flag - for EFI targets. +2020-11-20 Glenn Washburn -2013-11-23 Vladimir Serbinenko + luks2: Rename index variable "j" to "i" in luks2_get_keyslot() + Looping variable "j" was named such because the variable name "i" was taken. + Since "i" has been renamed in the previous patch, we can rename "j" to "i". 
- * INSTALL: Add note about sparc64/ia64 with clang (unsupported). + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper -2013-11-23 Vladimir Serbinenko +2020-11-20 Glenn Washburn - * util/garbage-gen.c: Add missing include of sys/time.h. + luks2: Rename variable "i" to "keyslot_idx" in luks2_get_keyslot() + Variables named "i" are usually looping variables. So, rename it to + "keyslot_idx" to ease luks2_get_keyslot() reading. -2013-11-23 Vladimir Serbinenko + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - Don't add -mflush-func if it's not supported by compiler. +2020-11-20 Glenn Washburn -2013-11-23 Vladimir Serbinenko + luks2: Use correct index variable when looping in luks2_get_keyslot() + The loop variable "j" should be used to index the digests and segments json + array, instead of the variable "i", which is the keyslot index. - Move common BIOS/coreboot memory map declarations to - include/grub/i386/memory_raw.h and eliminate duplicate declarations. + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper -2013-11-22 Andrey Borzenkov +2020-11-20 Glenn Washburn - * Makefile.am: Add util/garbage-gen.c to EXTRA_DIST. + luks2: Rename source disk variable named "disk" to "source" as in luks.c + This makes it more obvious to the reader that the disk referred to is the + source disk, as opposed to say the disk holding the cryptodisk. -2013-11-22 Vladimir Serbinenko + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - * INSTALL: Document why older clang versions aren't appropriate. +2020-11-20 Glenn Washburn -2013-11-22 Vladimir Serbinenko + cryptodisk: Rename "offset" in grub_cryptodisk_t to "offset_sectors" + This makes it clear that the offset represents sectors, not bytes, in + order to improve readability. - * INSTALL: Document about clang for mips. 
+ Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper -2013-11-22 Vladimir Serbinenko +2020-11-20 Glenn Washburn - * grub-core/lib/libgcrypt/mpi/longlong.h: Use C version with mips - clang. + cryptodisk: Rename "total_length" field in grub_cryptodisk_t to "total_sectors" + This creates an alignment with grub_disk_t naming of the same field and is + more intuitive as to how it should be used. -2013-11-22 Vladimir Serbinenko + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - Add *-xen to the list of grub-install-common platforms. +2020-11-20 Glenn Washburn -2013-11-22 Vladimir Serbinenko + types: Define GRUB_CHAR_BIT based on compiler macro instead of using literal + Reviewed-by: Daniel Kiper - * configure.ac: Do not enforce -mcmodel=large. It's not necessarry with - 3 last commits. +2020-11-20 Javier Martinez Canillas -2013-11-22 Vladimir Serbinenko + include/grub/arm64/linux.h: Include missing header + This header uses types defined in but does not include it, + which leads to compile errors like the following: - * grub-core/kern/xen/init.c: Do not map more pages than we can address. + ../include/grub/cpu/linux.h:27:3: error: unknown type name ‘grub_uint32_t’ + 27 | grub_uint32_t code0; /* Executable code */ + | ^~~~~~~~~~~~~ -2013-11-22 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/efi/mm.c: Limit allocations to 2GiB when not compiling - with -mcmodel=large. +2020-11-20 Javier Martinez Canillas -2013-11-22 Vladimir Serbinenko + include/grub/arm/system.h: Include missing header + The header uses the EXPORT_FUNC() macro defined in but + doesn't include it, which leads to the following compile error on arm: - * grub-core/kern/x86_64/dl.c (grub_arch_dl_relocate_symbols): Add - range-checking for 32-bit quantities. 
+ ../include/grub/cpu/system.h:12:13: error: ‘EXPORT_FUNC’ declared as function returning a function + 12 | extern void EXPORT_FUNC(grub_arm_disable_caches_mmu) (void); + | ^~~~~~~~~~~ + ../include/grub/cpu/system.h:12:1: warning: parameter names (without types) in function declaration + 12 | extern void EXPORT_FUNC(grub_arm_disable_caches_mmu) (void); + | ^~~~~~ + make[3]: *** [Makefile:36581: kern/efi/kernel_exec-sb.o] Error 1 -2013-11-22 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * configure.ac: Compile with -fPIC when compiling with clang on - mips. +2020-11-20 Daniel Axtens -2013-11-22 Vladimir Serbinenko + docs: grub-install --pubkey has been supported for some time + grub-install --pubkey is supported, so we can now document it. - * configure.ac: Add -no-integrated-as on mips(el) to TARGET_CCASFLAGS - when compiling with clang. + Reviewed-by: Daniel Kiper -2013-11-22 Vladimir Serbinenko +2020-11-20 Daniel Axtens - clang emits calls to abort () under some unknown conditions. - Export abort () when compiling with clang. + docs: grub-install is no longer a shell script + Since commit cd46aa6cefab in 2013, grub-install hasn't been a shell + script. The para doesn't really add that much, especially since it's + the user manual, so just drop it. -2013-11-22 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * docs/grub-dev.texi: Document stack and heap sizes. +2020-10-30 Jacob Kroon -2013-11-22 Vladimir Serbinenko + Makefile: Remove unused GRUB_PKGLIBDIR definition + Reviewed-by: Daniel Kiper - * include/grub/i386/pc/memory.h: Decrease - GRUB_MEMORY_MACHINE_SCRATCH_SIZE and increase - GRUB_MEMORY_MACHINE_PROT_STACK_SIZE. - The binary doesn't change (checked). It's more to better reflect actual - usage. 
+2020-10-30 Daniel Axtens -2013-11-22 Vladimir Serbinenko + lzma: Fix compilation error under clang 10 + Compiling under clang 10 gives: - * grub-core/disk/i386/pc/biosdisk.c (grub_biosdisk_open): Ensure - at compile time that enough of scratch size is available. + grub-core/lib/LzmaEnc.c:1362:9: error: misleading indentation; statement is not part of the previous 'if' [-Werror,-Wmisleading-indentation] + { + ^ + grub-core/lib/LzmaEnc.c:1358:7: note: previous statement is here + if (repIndex == 0) + ^ + 1 error generated. -2013-11-22 Vladimir Serbinenko + It's not really that unclear in context: there's a commented-out + if-statement. But tweak the alignment anyway so that clang is happy. - * grub-core/kern/x86_64/efi/callwrap.S: Fix stack alignment. - Previously we misaligned stack by 8 in startup.S and compensated - for it in callwrap.S. According to ABI docs (EFI and sysv amd64) - right behaviour is to align stack in startup.S and keep it aligned - in callwrap.S. startup.S part was committed few commits before. This - takes care of callwrap.S. - Reported by: Gary Lin. + Reviewed-by: Daniel Kiper -2013-11-22 Vladimir Serbinenko +2020-10-30 Cao jin - * grub-core/boot/mips/startup_raw.S: Handle the case of gap between - .data and .bss. May happen if compiler and assembly use different - alignment. + kern/i386/realmode: Update comment + Commit b81d609e4c did not update it. -2013-11-22 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - On MIPS handle got16 relocations to local symbols in an ABI-compliant - way. +2020-10-30 Glenn Washburn -2013-11-22 Vladimir Serbinenko + cryptodisk: Fix cipher IV mode "plain64" always being set as "plain" + When setting cipher IV mode, detection is done by prefix matching the + cipher IV mode part of the cipher mode string. Since "plain" matches + "plain64", we must check for "plain64" first. Otherwise, "plain64" will + be detected as "plain". - Add support for a new magic symbol _gp_disp on mips to handle PIC - binaries. 
+ Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper -2013-11-22 Vladimir Serbinenko +2020-09-18 Glenn Washburn - Use $t9 for indirect calls from asm to C as PIC ABI requires. + crypto: Remove GPG_ERROR_CFLAGS from gpg_err_code_t enum + This was probably added by accident when originally creating the file. -2013-11-22 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Remove -march=mips3 from TARGET_CCASFLAGS as it creates linking problem - when rest of GRUB is compiled for hisher stepping. Instead use - .set mips3/.set mips1 around cache and sync opcodes. +2020-09-18 Glenn Washburn -2013-11-21 Vladimir Serbinenko + script: Do not allow a delimiter between function name and block start + Currently the following is valid syntax but should be a syntax error: - Unify GOT/trampoline handling between PPC, MIPS and IA64 as they - do essentially the same thing, do it in similar way. + grub> function f; { echo HERE; } + grub> f + HERE -2013-11-21 Colin Watson + This fix is not backward compatible, but current syntax is not documented + either and has no functional value. So any scripts with this unintended + syntax are technically syntactically incorrect and should not be relying + on this behavior. - * util/grub-mkrescue.c (main): If a source directory is not - specified, read platform-specific files from subdirectories of - pkglibdir, not pkgdatadir. + Reviewed-by: Daniel Kiper -2013-11-21 Colin Watson +2020-09-18 Glenn Washburn - * grub-core/normal/progress.c: Remove unused file. + docs: Support for loading and concatenating multiple initrds + This has been available since January of 2012 but has not been documented. -2013-11-20 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/crypto.c (grub_crypto_hash): Remove variable length - array. 
+2020-09-18 Glenn Washburn -2013-11-20 Vladimir Serbinenko + lexer: char const * should be const char * + Reviewed-by: Daniel Kiper - * util/grub-mkconfig.in: Say explicit "grub configuration" rather - than grub.cfg. + cryptodisk: Use cipher name instead of object in error message + Reviewed-by: Daniel Kiper -2013-11-20 Vladimir Serbinenko +2020-09-18 Glenn Washburn - * coreboot.cfg: Add missing file. + tests: F2FS test should use MOUNTDEVICE like other tests + LODEVICES is not an array variable and should not be accessed as such. + This allows the f2fs test to pass as it was failing because a device + name had a space prepended to the path. -2013-11-19 Vladimir Serbinenko + Acked-by: Jaegeuk Kim + Tested-by: Paul Menzel + Reviewed-by: Daniel Kiper - * Makefile.am: Allow STRIP to be empty when creating windowszip. +2020-09-18 Florian La Roche -2013-11-19 Axel Kellermann + grub-mkconfig: If $hints is not set reduce the output into grub.cfg to just 1 line + Reviewed-by: Daniel Kiper - * util/grub.d/30_os-prober.in: Add GRUB_OS_PROBER_SKIP_LIST to - selectively skipping systems. +2020-09-18 Petr Vorel -2013-11-19 Colin Watson + travis: Run bootstrap to fix build + autogen.sh isn't enough: - * Makefile.util.def (grub-mkimage): Add - grub-core/osdep/aros/config.c to extra_dist. - * conf/Makefile.extra-dist (EXTRA_DIST): Add docs/autoiso.cfg, - docs/osdetect.cfg, grub-core/gnulib-fix-null-deref.diff, - grub-core/gnulib-fix-width.diff, grub-core/gnulib-no-abort.diff, and - grub-core/gnulib-no-gets.diff. + $ ./autogen.sh + Gnulib not yet bootstrapped; run ./bootstrap instead. + The command "./autogen.sh" exited with 1. -2013-11-19 Vladimir Serbinenko + Additionally, using bootstrap requires to install autopoint package. - Add automated filesystem checking based on scripts I've used now for - quite some time locally. Most of the test require root so they are - skipped when run without necessarry privelegies. 
+ Reviewed-by: Daniel Kiper -2013-11-19 Colin Watson +2020-09-18 Patrick Steinhardt - * util/grub-install.c (main): Adjust info messages to match - installed paths of grub-bios-setup and grub-sparc64-setup. + luks2: Strip dashes off of the UUID + The UUID header for LUKS2 uses a format with dashes, same as for + LUKS(1). But while we strip these dashes for the latter, we don't for + the former. This isn't wrong per se, but it's definitely inconsistent + for users as they need to use the dashed format for LUKS2 and the + non-dashed format for LUKS when e.g. calling "cryptomount -u $UUID". -2013-11-19 Colin Watson + Fix this inconsistency by stripping dashes off of the LUKS2 UUID. - * util/grub-install-common.c (copy_locales): Consistently use - grub_util_get_localedir () rather than LOCALEDIR. - (grub_install_copy_files): Likewise. + Reviewed-by: Daniel Kiper -2013-11-19 Josh Triplett +2020-09-18 Tianjia Zhang - * grub-core/kern/x86_64/efi/startup.S (_start): Align the stack to a - 16-byte boundary, as required by the x86-64 ABI, before calling - grub_main. In some cases, GCC emits code that assumes this - alignment, which crashes if not aligned. The EFI firmware is also - entitled to assume that stack alignment without checking. + efi/tpm: Remove unused functions and structures + Although the tpm_execute() series of functions are defined they are not + used anywhere. Several structures in the include/grub/efi/tpm.h header + file are not used too. There is even nonexistent grub_tpm_init() + declaration in this header. Delete all that unneeded stuff. -2013-11-18 Josh Triplett + If somebody needs the functionality implemented in the dropped code then + he/she can re-add it later. Now it needlessly increases the GRUB + code/image size. - * grub-core/mmap/efi/mmap.c (grub_mmap_register): Round up/down to - 4k page boundaries as expected by firmware rather than 1k - boundaries. - (grub_mmap_malign_and_register): Likewise. 
+ Reviewed-by: Daniel Kiper -2013-11-18 Vladimir Serbinenko +2020-09-18 Tianjia Zhang - * tests/grub_func_test.in: Decrease RAM size to 512M. With less - fragmentation 512M is enough. + shim_lock: Enable module for all EFI architectures + Like the tpm the shim_lock module is only enabled for x86_64 target. + However, there's nothing specific to x86_64 in the implementation and + it can be enabled for all EFI architectures. -2013-11-18 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/mm.c (grub_real_malloc): Decrease cut-off of moving the - pointer to 32K. This is the size of cache element which is the most - common allocation >1K. This way the pointer is always around blocks - of 32K and so we keep performance while decreasing fragmentation. +2020-09-18 Daniel Kiper -2013-11-18 Vladimir Serbinenko + efi/tpm: Fix typo in grub_efi_tpm2_protocol struct + Rename get_active_pcr_blanks() to get_active_pcr_banks(). - * grub-core/kern/mm.c (grub_real_malloc): Don't update the pointer to - current memory when allocating large chunks. This significantly - decreases memory fragmentation. + Reviewed-by: Javier Martinez Canillas -2013-11-18 Colin Watson +2020-09-18 Daniel Kiper - * tests/gzcompress_test.in: Skip if gzip is not installed (unlikely, - but for symmetry). - * tests/lzocompress_test.in: Skip if lzop is not installed. - * tests/xzcompress_test.in: Skip if xz is not installed. + i386/efi/init: Drop bogus include + Reviewed-by: Javier Martinez Canillas -2013-11-18 Colin Watson +2020-09-18 Daniel Kiper - * util/grub-mkrescue.c (main): Fix typo. + docs: Fix devicetree command description + Specifically fix the subsection and drop bogus reference to the GNU/Linux. 
-2013-11-18 Vladimir Serbinenko + Reported-by: Patrick Higgins + Reviewed-by: Javier Martinez Canillas - * grub-core/kern/mips/qemu_mips/init.c (grub_machine_init): Update - clock frequency to 200 MHz, +2020-09-18 Martin Whitaker -2013-11-18 Vladimir Serbinenko + grub-install: Fix inverted test for NLS enabled when copying locales + Commit 3d8439da8 (grub-install: Locale depends on nls) attempted to avoid + copying locale files to the target directory when NLS was disabled. + However the test is inverted, and it does the opposite. - * tests/util/grub-shell.in: Increase console size to 1024x1024. + Reviewed-by: Javier Martinez Canillas -2013-11-18 Vladimir Serbinenko +2020-09-11 Javier Martinez Canillas - * Makefile.am (default_payload.elf): Add pata to loaded modules. - Load config file from (cbfsdisk)/etc/grub.cfg. + tftp: Roll-over block counter to prevent data packets timeouts + Commit 781b3e5efc3 (tftp: Do not use priority queue) caused a regression + when fetching files over TFTP whose size is bigger than 65535 * block size. -2013-11-18 Vladimir Serbinenko + grub> linux /images/pxeboot/vmlinuz + grub> echo $? + 0 + grub> initrd /images/pxeboot/initrd.img + error: timeout reading '/images/pxeboot/initrd.img'. + grub> echo $? + 28 - * util/grub-install-common.c (grub_install_copy_files): Fix module - destination directory. + It is caused by the block number counter being a 16-bit field, which leads + to a maximum file size of ((1 << 16) - 1) * block size. Because GRUB sets + the block size to 1024 octets (by using the TFTP Blocksize Option from RFC + 2348 [0]), the maximum file size that can be transferred is 67107840 bytes. -2013-11-18 Colin Watson + The TFTP PROTOCOL (REVISION 2) RFC 1350 [1] does not mention what a client + should do when a file size is bigger than the maximum, but most TFTP hosts + support the block number counter to be rolled over. That is, acking a data + packet with a block number of 0 is taken as if the 65356th block was acked. 
- * tests/util/grub-shell.in: Don't fail on emu platform if po/*.gmo - files have not been built. + It was working before because the block counter roll-over was happening due + an overflow. But that got fixed by the mentioned commit, which led to the + regression when attempting to fetch files larger than the maximum size. -2013-11-18 Colin Watson + To allow TFTP file transfers of unlimited size again, re-introduce a block + counter roll-over so the data packets are acked preventing the timeouts. - * grub-core/osdep/unix/hostdisk.c (grub_util_make_temporary_file): - Handle errors from mkstemp. - (grub_util_make_temporary_dir): Handle errors from mkdtemp. + [0]: https://tools.ietf.org/html/rfc2348 + [1]: https://tools.ietf.org/html/rfc1350 -2013-11-18 Vladimir Serbinenko + Fixes: 781b3e5efc3 (tftp: Do not use priority queue) - * tests/util/grub-shell.in: Use -cdrom and don't force cdrom - on primary master on pseries. + Suggested-by: Peter Jones + Reviewed-by: Daniel Kiper -2013-11-18 Vladimir Serbinenko +2020-09-11 Florian La Roche - * grub-core/tests/videotest_checksum.c: Don't reload unifont if it's - already loaded. This saves memory needed for tests, + templates: Remove unnecessary trailing semicolon + Reviewed-by: Daniel Kiper -2013-11-18 Vladimir Serbinenko +2020-09-11 Glenn Washburn - * util/grub-mkrescue.c (main): Fix a typo to make yeeloong part - work again. + cryptodisk: Fix incorrect calculation of start sector + Here dev is a grub_cryptodisk_t and dev->offset is offset in sectors of size + native to the cryptodisk device. The sector is correctly transformed into + native grub sector size, but then added to dev->offset which is not + transformed. It would be nice if the type system would help us with this. -2013-11-18 Vladimir Serbinenko + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - * grub-core/term/terminfo.c (grub_cmd_terminfo): Fix a typo to make -g - work again. 
+2020-09-11 Glenn Washburn -2013-11-18 Vladimir Serbinenko + cryptodisk: Unregister cryptomount command when removing module + Reviewed-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper - * tests/util/grub-shell.in: For powerpc tests put the CD-ROM as primary - master since with some combinations of qemu and firmware only primary - IDE channel is available. +2020-09-11 Patrick Steinhardt -2013-11-18 Vladimir Serbinenko + luks2: Improve error reporting when decrypting/verifying key + While we already set up error messages in both luks2_verify_key() and + luks2_decrypt_key(), we do not ever print them. This makes it really + hard to discover why a given key actually failed to decrypt a disk. - * grub-core/tests/gfxterm_menu.c: Skip high-resolution tests on - low-memory platforms where we don't have enough memory for them. - * grub-core/tests/videotest_checksum.c: Likewise. + Improve this by including the error message in the user-visible output. -2013-11-18 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/tests/cmdline_cat_test.c: Don't reload unifont if it's - already loaded. This saves memory needed for tests, +2020-09-11 Patrick Steinhardt -2013-11-18 Vladimir Serbinenko + luks: Fix out-of-bounds copy of UUID + When configuring a LUKS disk, we copy over the UUID from the LUKS header + into the new grub_cryptodisk_t structure via grub_memcpy(). As size + we mistakenly use the size of the grub_cryptodisk_t UUID field, which + is guaranteed to be strictly bigger than the LUKS UUID field we're + copying. As a result, the copy always goes out-of-bounds and copies some + garbage from other surrounding fields. During runtime, this isn't + noticed due to the fact that we always NUL-terminate the UUID and thus + never hit the trailing garbage. - Fix handling of install lists. + Fix the issue by using the size of the local stripped UUID field. 
-2013-11-18 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/sparc64/setjmp.S: Force spilling of current window. +2020-09-11 Patrick Steinhardt -2013-11-18 Vladimir Serbinenko + json: Remove invalid typedef redefinition + The C standard does not allow for typedef redefinitions, even if they + map to the same underlying type. In order to avoid including the + jsmn.h in json.h and thus exposing jsmn's internals, we have exactly + such a forward-declaring typedef in json.h. If enforcing the GNU99 C + standard, clang may generate a warning about this non-standard + construct. - On i386-ieee1275 we run in paged mode. So we need to explicitly map - the devices before accessing them. + Fix the issue by using a simple "struct jsmntok" forward declaration + instead of using a typedef. -2013-11-18 Vladimir Serbinenko + Tested-by: Chuck Tuffli + Reviewed-by: Daniel Kiper - * grub-core/lib/relocator.c (grub_mm_check_real): Accept const char * - as file argument. +2020-09-11 Cao jin -2013-11-18 Vladimir Serbinenko + i386/relocator_common: Drop empty #ifdef + Reviewed-by: Daniel Kiper - * grub-core/normal/cmdline.c (grub_cmdline_get): Plug memory leak. +2020-09-11 Ave Milia -2013-11-18 Vladimir Serbinenko + video/bochs: Fix typo + Reviewed-by: Daniel Kiper - * grub-core/kern/file.c (grub_file_open): Free file->name on failure. - (grub_file_close): Free file->name. +2020-07-29 Colin Watson -2013-11-18 Vladimir Serbinenko + linux: Fix integer overflows in initrd size handling + These could be triggered by a crafted filesystem with very large files. - * grub-core/commands/verify.c (free_pk): Plug memory leak. - (grub_load_public_key): Likewise. - (grub_verify_signature_real): Likewise. - (grub_cmd_verify_signature): Likewise. + Fixes: CVE-2020-15707 -2013-11-18 Vladimir Serbinenko + Reviewed-by: Jan Setje-Eilers + Reviewed-by: Daniel Kiper - * grub-core/commands/legacycfg.c (grub_legacy_check_md5_password): Plug - memory leak. 
+2020-07-29 Peter Jones -2013-11-18 Vladimir Serbinenko + loader/linux: Avoid overflow on initrd size calculation + Reviewed-by: Daniel Kiper - * grub-core/lib/powerpc/setjmp.S (grub_setjmp): Save r31. - (grub_longjmp): Restore r31. - * include/grub/powerpc/setjmp.h (grub_jmp_buf): Reserve space for r31. +2020-07-29 Alexey Makhalov -2013-11-18 Vladimir Serbinenko + efi: Fix use-after-free in halt/reboot path + commit 92bfc33db984 ("efi: Free malloc regions on exit") + introduced memory freeing in grub_efi_fini(), which is + used not only by exit path but by halt/reboot one as well. + As result of memory freeing, code and data regions used by + modules, such as halt, reboot, acpi (used by halt) also got + freed. After return to module code, CPU executes, filled + by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as + a code. Which leads to #UD exception later. - * util/grub-mkrescue.c (make_image_fwdisk_abs): Insert all partmap - modules to be in line with make_image_abs. + grub> halt + !!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!! 
+ RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246 + RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41 + RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000 + RSI - 00000000064DB768, RDI - 000000000832C5C3 + R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52 + R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4 + R14 - 0000000003E10D80, R15 - 00000000061E2F60 + DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030 + GS - 0000000000000030, SS - 0000000000000030 + CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000 + CR4 - 0000000000000668, CR8 - 0000000000000000 + DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000 + DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400 + GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000 + IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000 + FXSAVE_STATE - 0000000007F0F4C0 -2013-11-18 Vladimir Serbinenko + Proposal here is to continue to free allocated memory for + exit boot services path but keep it for halt/reboot path + as it won't be much security concern here. + Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY + loader flag to be used by efi halt/reboot path. - * include/grub/mips/setjmp.h (grub_jmp_buf): Fix buffer size. + Reviewed-by: Darren Kenny + Reviewed-by: Daniel Kiper - setjmp.S uses 12 entries but buffer is declared with only 11 entries. +2020-07-29 Daniel Kiper -2013-11-17 Ian Campbell + efi/chainloader: Propagate errors from copy_file_path() + Without any error propagated to the caller, make_file_path() + would then try to advance the invalid device path node with + GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL + pointer that would subsequently be dereferenced. Hence, propagate + errors from copy_file_path(). - * grub-core/disk/uboot/ubootdisk.c: Include SCSI disks. 
+ Reviewed-by: Daniel Kiper -2013-11-17 Vladimir Serbinenko +2020-07-29 Peter Jones - * tests/grub_func_test.in: Increase memory reservation as on EFI we need - to leave some memory to firmware. + efi: Fix some malformed device path arithmetic errors + Several places we take the length of a device path and subtract 4 from + it, without ever checking that it's >= 4. There are also cases where + this kind of malformation will result in unpredictable iteration, + including treating the length from one dp node as the type in the next + node. These are all errors, no matter where the data comes from. -2013-11-17 Vladimir Serbinenko + This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which + can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH() + return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when + the length is too small. Additionally, it makes several places in the + code check for and return errors in these cases. - * grub-core/tests/cmdline_cat_test.c (cmdline_cat_test): Ignore errors - of loading gfxterm as gfxterm is embed in kernel on some platforms. - * grub-core/tests/gfxterm_menu.c (gfxterm_menu): Likewise. - Load gfxmenu. + Reviewed-by: Daniel Kiper -2013-11-17 Vladimir Serbinenko +2020-07-29 Peter Jones - * tests/core_compress_test.in: Use full arguments as grub-mkimage-extra - now needs full arguments. + emu: Make grub_free(NULL) safe + The grub_free() implementation in grub-core/kern/mm.c safely handles + NULL pointers, and code at many places depends on this. We don't know + that the same is true on all host OSes, so we need to handle the same + behavior in grub-emu's implementation. -2013-11-17 Vladimir Serbinenko + Reviewed-by: Darren Kenny + Reviewed-by: Daniel Kiper - * util/grub-mkrescue.c (main): Add trailing \n in - .disk_label.contentDetails to be in line with previous shell script. 
+2020-07-29 Peter Jones + + lvm: Fix two more potential data-dependent alloc overflows + It appears to be possible to make a (possibly invalid) lvm PV with + a metadata size field that overflows our type when adding it to the + address we've allocated. Even if it doesn't, it may be possible to do so + with the math using the outcome of that as an operand. Check them both. + + Reviewed-by: Daniel Kiper + +2020-07-29 Peter Jones + + hfsplus: Fix two more overflows + Both node->size and node->namelen come from the supplied filesystem, + which may be user-supplied. We can't trust them for the math unless we + know they don't overflow. Making sure they go through grub_add() or + grub_calloc() first will give us that. + + Reviewed-by: Darren Kenny + Reviewed-by: Daniel Kiper + +2020-07-29 Alexey Makhalov + + relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation + Current implementation of grub_relocator_alloc_chunk_align() + does not allow allocation of the top byte. + + Assuming input args are: + max_addr = 0xfffff000; + size = 0x1000; + + And this is valid. But following overflow protection will + unnecessarily move max_addr one byte down (to 0xffffefff): + if (max_addr > ~size) + max_addr = ~size; + + ~size + 1 will fix the situation. In addition, check size + for non zero to do not zero max_addr. + + Reviewed-by: Daniel Kiper + +2020-07-29 Chris Coulson -2013-11-17 Vladimir Serbinenko + script: Avoid a use-after-free when redefining a function during execution + Defining a new function with the same name as a previously defined + function causes the grub_script and associated resources for the + previous function to be freed. If the previous function is currently + executing when a function with the same name is defined, this results + in use-after-frees when processing subsequent commands in the original + function. - * util/grub-mkrescue.c (main): Use right source file for bootinfo.txt. 
+ Instead, reject a new function definition if it has the same name as + a previously defined function, and that function is currently being + executed. Although a behavioural change, this should be backwards + compatible with existing configurations because they can't be + dependent on the current behaviour without being broken. -2013-11-17 Vladimir Serbinenko + Fixes: CVE-2020-15706 - * util/grub-install-common.c (grub_install_parse): Recognize - --compress=none like shell script did. + Reviewed-by: Daniel Kiper -2013-11-17 Vladimir Serbinenko +2020-07-29 Chris Coulson - * include/grub/misc.h: Replace check for __sparc64__ with one for - __sparc__ as __sparc64__ isn't actually defined. + script: Remove unused fields from grub_script_function struct + Reviewed-by: Daniel Kiper -2013-11-17 Vladimir Serbinenko +2020-07-29 Alexey Makhalov - * tests/util/grub-shell.in: Use escc-ch-b on powerpc. This is missing - counterpart of fixing the naming of escc ports. + relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow + This commit introduces integer underflow mitigation in max_addr calculation + in grub_relocator_alloc_chunk_align() invocation. -2013-11-17 Vladimir Serbinenko + It consists of 2 fixes: + 1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to perform + sanity check for min/max and size values, and to make safe invocation of + grub_relocator_alloc_chunk_align() with validated max_addr value. Replace all + invocations such as grub_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...) + by grub_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...). + 2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top + address (0xffffffff - size + 1) or similar. - * util/grub-install-common.c (platforms): Fix the order of entries and - remove useless field val. 
+ Reviewed-by: Daniel Kiper -2013-11-16 Vladimir Serbinenko +2020-07-29 Alexey Makhalov - * util/grub-install.c: Add new option --no-bootsector to skip - installing of bootsector. Accept --grub-setup=/bin/true as - backwards-compatible synonym. + relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow + Use arithmetic macros from safemath.h to accomplish it. In this commit, + I didn't want to be too paranoid to check every possible math equation + for overflow/underflow. Only obvious places (with non zero chance of + overflow/underflow) were refactored. -2013-11-16 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * util/grub-install.c (device_map_check_duplicates): Fix incorrect - order of qsort arguments (number of elements vs. element size). +2020-07-29 Alexey Makhalov -2013-11-16 Vladimir Serbinenko + tftp: Do not use priority queue + There is not need to reassemble the order of blocks. Per RFC 1350, + server must wait for the ACK, before sending next block. Data packets + can be served immediately without putting them to priority queue. - Rewrite grub-install, grub-mkrescue, grub-mkstandalone and grub-mknetdir - the function of these files exceeds what can be sanely handled in shell - in posix-comaptible way. Also writing it in C extends the functionality - to non-UNIX-like OS and minimal environments. + Logic to handle incoming packet is this: + - if packet block id equal to expected block id, then + process the packet, + - if packet block id is less than expected - this is retransmit + of old packet, then ACK it and drop the packet, + - if packet block id is more than expected - that shouldn't + happen, just drop the packet. -2013-11-16 Vladimir Serbinenko + It makes the tftp receive path code simpler, smaller and faster. + As a benefit, this change fixes CID# 73624 and CID# 96690, caused + by following while loop: - * grub-core/kern/arm/cache.S: Don't switch back to ARM mode when - compiling to thumb2. 
- * grub-core/kern/arm/cache_armv7.S: Likewise. - * grub-core/lib/arm/setjmp.S: Likewise. + while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0) -2013-11-16 Leif Lindholm + where tftph pointer is not moving from one iteration to another, causing + to serve same packet again. Luckily, double serving didn't happen due to + data->block++ during the first iteration. - * grub-core/kern/arm/uboot/startup.S: delete superflouous save of r8 - in grub_uboot_syscall + Fixes: CID 73624, CID 96690 -2013-11-16 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Decrease stack usage in lexer. +2020-07-29 Konrad Rzeszutek Wilk - We have only 92K of stack and using over 4K per frame is wasteful + multiboot2: Fix memory leak if grub_create_loader_cmdline() fails + Fixes: CID 292468 - * grub-core/script/yylex.l (yyalloc), (yyfree), (yyrealloc): Declare - as macros so that compiler would remove useless structure on stack. - Better solution would be to fix flex not to put this structure on - the stack but flex is external program. + Reviewed-by: Daniel Kiper -2013-11-16 Vladimir Serbinenko +2020-07-29 Konrad Rzeszutek Wilk - Decrease stack usage in signature verification. + udf: Fix memory leak + Fixes: CID 73796 - We have only 92K of stack and using over 4K per frame is wasteful + Reviewed-by: Daniel Kiper + Reviewed-by: Jan Setje-Eilers - * grub-core/commands/verify.c (grub_load_public_key): Allocate on heap - rather than stack. - (grub_verify_signature_real): Likewise. +2020-07-29 Konrad Rzeszutek Wilk -2013-11-16 Vladimir Serbinenko + term: Fix overflow on user inputs + This requires a very weird input from the serial interface but can cause + an overflow in input_buf (keys) overwriting the next variable (npending) + with the user choice: - Decrease stack usage in mdraid 0.9x. 
+ (pahole output) - We have only 92K of stack and using over 4K per frame is wasteful + struct grub_terminfo_input_state { + int input_buf[6]; /* 0 24 */ + int npending; /* 24 4 */ <- CORRUPT + ...snip... - * grub-core/disk/mdraid_linux.c (grub_mdraid_detect): Allocate on heap - rather than stack. + The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow + npending with "q" (aka increase npending to 161). The simplest fix is to + just to disallow overwrites input_buf, which exactly what this patch does. -2013-11-16 Vladimir Serbinenko + Fixes: CID 292449 - Decrease stack usage in BtrFS. + Reviewed-by: Daniel Kiper - We have only 92K of stack and using over 4K per frame is wasteful +2020-07-29 Konrad Rzeszutek Wilk - * grub-core/fs/btrfs.c (grub_btrfs_lzo_decompress): Allocate on heap - rather than stack. + lzma: Make sure we don't dereference past array + The two dimensional array p->posSlotEncoder[4][64] is being dereferenced + using the GetLenToPosState() macro which checks if len is less than 5, + and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. + Obviously we don't want to dereference that far out so we check if the + position found is greater or equal kNumLenToPosStates (4) and bail out. -2013-11-16 Vladimir Serbinenko + N.B.: Upstream LZMA 18.05 and later has this function completely rewritten + without any history. - Decrease stack usage in JFS. + Fixes: CID 51526 - We have only 92K of stack and using over 4K per frame is wasteful + Reviewed-by: Daniel Kiper - * grub-core/fs/jfs.c (getblk): Allocate on heap rather than on - stack. Note: this function is recursive. - (grub_jfs_read_inode): Read only part we care about. +2020-07-29 Chris Coulson -2013-11-16 Leif Lindholm + json: Avoid a double-free when parsing fails. + When grub_json_parse() succeeds, it returns the root object which + contains a pointer to the provided JSON string. 
Callers are + responsible for ensuring that this string outlives the root + object and for freeing its memory when it's no longer needed. - * grub-core/kern/arm/uboot/startup.S: fix grub_uboot_syscall va_arg - handling + If grub_json_parse() fails to parse the provided JSON string, + it frees the string before returning an error. This results + in a double free in luks2_recover_key(), which also frees the + same string after grub_json_parse() returns an error. -2013-11-16 Andrey Borzenkov + This changes grub_json_parse() to never free the JSON string + passed to it, and updates the documentation for it to make it + clear that callers are responsible for ensuring that the string + outlives the root JSON object. - * configure.ac: Restore -nostdlib for libgcc symbols tests. + Fixes: CID 292465 -2013-11-16 Andrey Borzenkov + Reviewed-by: Daniel Kiper - * docs/grub.texi (Environment): Document cmdpath. +2020-07-29 Alexey Makhalov -2013-11-16 Andrey Borzenkov + xnu: Fix double free in grub_xnu_devprop_add_property() + grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get + allocated and freed in the caller. - * grub-core/kern/mips/arc/init.c (grub_machine_get_bootlocation): - Remove "unused" attribute from arguments, they are used. + Minor improvement: do prop fields initialization after memory allocations. -2013-11-15 Colin Watson + Fixes: CID 292442, CID 292457, CID 292460, CID 292466 - * .gitignore: Only ignore grub-mk* at the top level. + Reviewed-by: Daniel Kiper -2013-11-15 Colin Watson +2020-07-29 Alexey Makhalov - * util/grub-reboot.in (usage): Fix a typo. + gfxmenu: Fix double free in load_image() + self->bitmap should be zeroed after free. Otherwise, there is a chance + to double free (USE_AFTER_FREE) it later in rescale_image(). -2013-11-15 Vladimir Serbinenko + Fixes: CID 292472 - Replace libgcc version of ctz with our own. + Reviewed-by: Daniel Kiper - On upcoming arm64 port libgcc ctz* are not usable in standalone - environment. 
Since we need ctz* for this case and implementation is - in C we may as well use it on all concerned platforms. +2020-07-29 Daniel Kiper -2013-11-14 Vladimir Serbinenko + font: Do not load more than one NAME section + The GRUB font file can have one NAME section only. Though if somebody + crafts a broken font file with many NAME sections and loads it then the + GRUB leaks memory. So, prevent against that by loading first NAME + section and failing in controlled way on following one. - * configure.ac: Probe for linking format rather than guessing it based - on target_os. + Reported-by: Chris Coulson + Reviewed-by: Jan Setje-Eilers -2013-11-14 Vladimir Serbinenko +2020-07-29 Peter Jones - * grub-core/disk/xen/xendisk.c (grub_xendisk_fini): Set state to - "1" prior to handoff. + iso9660: Don't leak memory on realloc() failures + Reviewed-by: Daniel Kiper - Reported by: M A Young. +2020-07-29 Peter Jones -2013-11-14 Vladimir Serbinenko + malloc: Use overflow checking primitives where we do complex allocations + This attempts to fix the places where we do the following where + arithmetic_expr may include unvalidated data: - * grub-core/kern/xen/init.c (grub_xenstore_write_file): Don't add - \0 to all files. + X = grub_malloc(arithmetic_expr); - Reported by: M A Young. + It accomplishes this by doing the arithmetic ahead of time using grub_add(), + grub_sub(), grub_mul() and testing for overflow before proceeding. -2013-11-14 Vladimir Serbinenko + Among other issues, this fixes: + - allocation of integer overflow in grub_video_bitmap_create() + reported by Chris Coulson, + - allocation of integer overflow in grub_png_decode_image_header() + reported by Chris Coulson, + - allocation of integer overflow in grub_squash_read_symlink() + reported by Chris Coulson, + - allocation of integer overflow in grub_ext2_read_symlink() + reported by Chris Coulson, + - allocation of integer overflow in read_section_as_string() + reported by Chris Coulson. 
- * grub-core/osdep/bsd/hostdisk.c (grub_util_get_fd_size_os): Fix - compilation on NetBSD. + Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 -2013-11-14 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * acinclude.m4: Don't add -P on initial nm test. +2020-07-29 Peter Jones - Note: even though this patch postdates Andrey's it bears 14 Nov as - date due to timezone difference. + calloc: Use calloc() at most places + This modifies most of the places we do some form of: -2013-11-15 Andrey Borzenkov + X = malloc(Y * Z); - * grub-core/Makefile.core.def (signature_test): Add missing - tests/signatures.h. + to use calloc(Y, Z) instead. -2013-11-14 Colin Watson + Among other issues, this fixes: + - allocation of integer overflow in grub_png_decode_image_header() + reported by Chris Coulson, + - allocation of integer overflow in luks_recover_key() + reported by Chris Coulson, + - allocation of integer overflow in grub_lvm_detect() + reported by Chris Coulson. - * util/grub-install_header: Set localedir here, since this file is - where it's used. - * util/grub-install.in: Remove setting of localedir. - * util/grub-mkrescue.in: Likewise. + Fixes: CVE-2020-14308 -2013-11-14 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * Makefile.am (default_payload.elf): Add uhci, ohci and usb_keyboard. +2020-07-29 Peter Jones -2013-11-14 Vladimir Serbinenko + calloc: Make sure we always have an overflow-checking calloc() available + This tries to make sure that everywhere in this source tree, we always have + an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.) + available, and that they all safely check for overflow and return NULL when + it would occur. - * configure.ac: Move nm checks to the end. - Call grub_PROG_NM_WORKS. - * acinclude.m4: New check grub_PROG_NM_WORKS. - Use $TARGET_CFLAGS -c when compiling test binary. 
+ Reviewed-by: Daniel Kiper -2013-11-14 Colin Watson +2020-07-29 Peter Jones - * util/getroot.c (grub_util_biosdisk_get_grub_dev) [__GNU__]: Remove - unused variables. + safemath: Add some arithmetic primitives that check for overflow + This adds a new header, include/grub/safemath.h, that includes easy to + use wrappers for __builtin_{add,sub,mul}_overflow() declared like: -2013-11-14 Matthew Garrett + bool OP(a, b, res) - * grub-core/kern/main.c (grub_set_prefix_and_root): Set variable - cmdpath to firmware directory. + where OP is grub_add, grub_sub or grub_mul. OP() returns true in the + case where the operation would overflow and res is not modified. + Otherwise, false is returned and the operation is executed. -2013-11-14 Vladimir Serbinenko + These arithmetic primitives require newer compiler versions. So, bump + these requirements in the INSTALL file too. - * grub-core/kern/efi/efi.c (grub_efi_get_filename): Reset the pointer - at the start of second iteration. + Reviewed-by: Daniel Kiper -2013-11-14 Vladimir Serbinenko +2020-07-29 Peter Jones - * grub-core/Makefile.am (efiemu64.o): Explicitly set link format. + yylex: Make lexer fatal errors actually be fatal + When presented with a command that can't be tokenized to anything + smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), + expecting that will stop further processing, as such: -2013-11-14 Vladimir Serbinenko + #define YY_DO_BEFORE_ACTION \ + yyg->yytext_ptr = yy_bp; \ + yyleng = (int) (yy_cp - yy_bp); \ + yyg->yy_hold_char = *yy_cp; \ + *yy_cp = '\0'; \ + if ( yyleng >= YYLMAX ) \ + YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ + yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ + yyg->yy_c_buf_p = yy_cp; - * Makefile.am (default_payload.elf): New target for easier coreboot - build. 
+ The code flex generates expects that YY_FATAL_ERROR() will either return + for it or do some form of longjmp(), or handle the error in some way at + least, and so the strncpy() call isn't in an "else" clause, and thus if + YY_FATAL_ERROR() is *not* actually fatal, it does the call with the + questionable limit, and predictable results ensue. -2013-11-14 Vladimir Serbinenko + Unfortunately, our implementation of YY_FATAL_ERROR() is: - * grub-core/kern/arm/cache_armv6.S: Remove special handling for - clang (not necessarry with -no-integrated-as). - * include/grub/symbol.h [__arm__]: Likewise. + #define YY_FATAL_ERROR(msg) \ + do { \ + grub_printf (_("fatal error: %s\n"), _(msg)); \ + } while (0) -2013-11-14 Vladimir Serbinenko + The same pattern exists in yyless(), and similar problems exist in users + of YY_INPUT(), several places in the main parsing loop, + yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, + yy_scan_buffer(), etc. - * configure.ac: Use -no-integrated-as on arm with clang. - * INSTALL: Mention ARM compilation with clang. + All of these callers expect YY_FATAL_ERROR() to actually be fatal, and + the things they do if it returns after calling it are wildly unsafe. -2013-11-14 Vladimir Serbinenko + Fixes: CVE-2020-10713 - * conf/Makefile.common (CCASFLAGS_PLATFORM) [COND_arm]: Add - -mthumb-interwork. + Reviewed-by: Daniel Kiper -2013-11-14 Colin Watson +2020-05-25 Marc Zyngier - * grub-core/fs/ext2.c (grub_ext2_read_block): Factor out common - code for indirect block handling. + arm: Fix 32-bit ARM handling of the CTR register + When booting on an ARMv8 core that implements either CTR.IDC or CTR.DIC + (indicating that some of the cache maintenance operations can be + removed when dealing with I/D-cache coherency, GRUB dies with a + "Unsupported cache type 0x........" message. - Saves 185 bytes on compressed image. 
+ This is pretty likely to happen when running in a virtual machine + hosted on an arm64 machine (I've triggered it on a system built around + a bunch of Cortex-A55 cores, which implements CTR.IDC). -2013-11-13 Paulo Flabiano Smorigo + It turns out that the way GRUB deals with the CTR register is a bit + harsh for anything from ARMv7 onwards. The layout of the register is + backward compatible, meaning that nothing that gets added is allowed to + break earlier behaviour. In this case, ignoring IDC is completely fine, + and only results in unnecessary cache maintenance. - Fix make clean. + We can thus avoid being paranoid, and align the 32bit behaviour with + its 64bit equivalent. - * Makefile.am: Remove build-grub-* in make clean. + This patch has the added benefit that it gets rid of a (gnu-specific) + case range too. -2013-11-13 Paulo Flabiano Smorigo + Reviewed-by: Leif Lindholm + Reviewed-by: Daniel Kiper - New files to gitignore. +2020-05-25 Ian Jackson - * .gitignore: Add build-grub-gen-asciih, build-grub-gen-widthspec, - build-grub-mkfont, and grub-emu-lite. Remove .bzrignore. + templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK) + XSM is enabled by adding "flask=enforcing" as a Xen command line + argument, and providing the policy file as a grub module. -2013-11-13 Leif Lindholm + We make entries for both with and without XSM. If XSM is not compiled + into Xen, then there are no policy files, so no change to the boot + options. - * grub-core/kern/arm/misc.S: Make thumb2-compatible. + Reviewed-by: Daniel Kiper -2013-11-13 Leif Lindholm +2020-05-25 Ian Jackson - * .gitignore: fix rules for .dep* and add *.a post git migration + templates/20_linux_xen: Ignore xenpolicy and config files too + file_is_not_sym() currently only checks for xen-syms. Extend it to + disregard xenpolicy (XSM policy files) and files ending .config (which + are built by the Xen upstream build system in some configurations and + can therefore end up in /boot). 
-2013-11-13 Colin Watson + Rename the function accordingly, to file_is_not_xen_garbage(). - * configure.ac (AM_INIT_AUTOMAKE): Require at least version 1.10.1, - to match INSTALL. + Reviewed-by: Daniel Kiper -2013-11-13 Colin Watson +2020-05-25 Javier Martinez Canillas - * grub-core/kern/misc.c: Don't redirect divisions in the - GRUB_UTIL case. - * include/grub/misc.h: Likewise. + net: Break out nested function + Nested functions are not supported in C, but are permitted as an extension + in the GNU C dialect. Commit cb2f15c5448 ("normal/main: Search for specific + config files for netboot") added a nested function which caused the build + to break when compiling with clang. -2013-11-13 Colin Watson + Break that out into a static helper function to make the code portable again. - * grub-core/osdep/unix/emuconsole.c (put): Pacify the compiler on - systems that require checking the return value of write. + Reported-by: Daniel Axtens + Tested-by: Daniel Axtens + Reviewed-by: Daniel Kiper -2013-11-13 Colin Watson +2020-05-25 Javier Martinez Canillas - * util/grub-install.in (efi_quiet): Fix inverted logic: make - efibootmgr quiet when --debug is not used, rather than when it is. + tpm: Enable module for all EFI platforms + The module is only enabled for x86_64, but there's nothing specific to + x86_64 in the implementation and can be enabled for all EFI platforms. -2013-11-13 Colin Watson + Reviewed-by: Daniel Kiper - * gentpl.py (define_macro_for_platform_dependencies): Remove - first (and thus unused) of two definitions for this function. - (platform_dependencies): Likewise. +2020-05-25 Daniel Kiper -2013-11-13 Colin Watson + INSTALL/configure: Update install doc and configure comment + ..to reflect the GRUB build reality in them. - * acinclude.m4 (grub_apple_cc): Remove; since the removal of nested - functions, we only need to check this for the target, not the host. - * configure.ac (grub_apple_cc): Likewise. + Additionally, fix text formatting a bit. 
-2013-11-13 Vladimir Serbinenko + Reviewed-by: Leif Lindholm - * grub-core/kern/arm/cache.c (probe_caches): Move asm part to ... - * grub-core/kern/arm/cache_armv6.S: ... here. This allows this - asm to stay in arm even if surrounding is thumb. +2020-05-25 Daniel Kiper -2013-11-13 Vladimir Serbinenko + configure: Set gnu99 C language standard by default + Commit d5a32255d (misc: Make grub_strtol() "end" pointers have safer + const qualifiers) introduced "restrict" keyword into some functions + definitions. This keyword was introduced in C99 standard. However, some + compilers by default may use C89 or something different. This behavior + leads to the breakage during builds when c89 or gnu89 is in force. So, + let's set gnu99 C language standard for all compilers by default. This + way a bit random build issue will be fixed and the GRUB source will be + build consistently regardless of type and version of the compiler. - * grub-core/kern/arm/misc.S: Add __muldi3 and __aeabi_lmul. Those - helper functions are needed for thumb. + It was decided to use gnu99 C language standard because it fixes the + issue mentioned above and also provides some useful extensions which are + used here and there in the GRUB source. Potentially we can use gnu11 + too. However, this may reduce pool of older compilers which can be used + to build the GRUB. So, let's live with gnu99 until we discover that we + strongly require a feature from newer C standard. -2013-11-13 Vladimir Serbinenko + The user is still able to override C language standard using relevant + *_CFLAGS variables. - * grub-core/disk/diskfilter.c (grub_diskfilter_make_raid): Make - level / 3 division explicitly unsigned. Saves few bytes. + Reviewed-by: Leif Lindholm -2013-11-13 Vladimir Serbinenko +2020-05-15 Tianjia Zhang - * grub-core/fs/zfs/zfs.c (ZAP_LEAF_NUMCHUNKS): Use unsigned arithmetics. 
+ tpm: Rename function grub_tpm_log_event() to grub_tpm_measure() + grub_tpm_log_event() and grub_tpm_measure() are two functions that + have the same effect. So, keep grub_tpm_log_event() and rename it + to grub_tpm_measure(). This way we get also a more clear semantics. -2013-11-13 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/normal/datetime.c (grub_get_weekday): Use if rather than - division. +2020-05-15 Daniel Kiper -2013-11-13 Vladimir Serbinenko + autogen: Replace -iname with -ipath in find command + ..because -iname cannot be used to match paths. - * grub-core/kern/uboot/init.c: Move grub_uboot_machine_type and - grub_uboot_boot_data to asm part. + Reviewed-by: Javier Martinez Canillas + Reviewed-by: Leif Lindholm + Reviewed-by: Daniel Axtens -2013-11-13 Vladimir Serbinenko +2020-05-15 Daniel Kiper - * grub-core/kern/arm/uboot/startup.S: Remove = by replacing with - literal load. - (grub_uboot_syscall): Save/restore r9 and align stack. + INSTALL: Update configure example + ..to make it more relevant. -2013-11-13 Vladimir Serbinenko + Reviewed-by: Leif Lindholm - * grub-core/kern/arm/cache.S: Replace = with explicit litteral load. +2020-05-15 Daniel Kiper -2013-11-13 Vladimir Serbinenko + configure: Drop unneeded TARGET_CFLAGS expansion + Reviewed-by: Javier Martinez Canillas + Reviewed-by: Leif Lindholm - * include/grub/symbol.h (END) [__arm__]: New macros. Replace all .end - occurencies with END. +2020-05-15 Jacob Kroon -2013-11-13 Colin Watson + docs/grub: Support for probing partition UUID on MSDOS disks + Support was implemented in commit c7cb11b21 (probe: Support probing for + msdos PARTUUID). - * util/grub-editenv.c (help_filter, argp): Document how to delete - the whole environment block. - Reported by Dan Jacobson. Fixes Debian bug #726265. + Reviewed-by: Daniel Kiper -2013-11-13 Colin Watson +2020-05-15 Tianjia Zhang - * docs/grub.texi (Internationalisation, Supported kernels): Fix - sectioning. 
+ verifiers: Add verify string debug message + Like grub_verifiers_open(), the grub_verify_string() should also + display this debug message, which is very helpful for debugging. -2013-11-13 Josh Triplett + Reviewed-by: Daniel Kiper - * grub-core/normal/term.c (grub_set_more): Use bool logic rather than - increment/decrement. +2020-05-15 Javier Martinez Canillas -2013-11-13 Vladimir Serbinenko + envblk: Fix buffer overrun when attempting to shrink a variable value + If an existing variable is set with a value whose length is smaller than + the current value, a memory corruption can happen due copying padding '#' + characters outside of the environment block buffer. - * grub-core/kern/arm/cache_armv6.S [__clang__]: Don't add .armv6 when - compiling with clang. + This is caused by a wrong calculation of the previous free space position + after moving backward the characters that followed the old variable value. -2013-11-13 Vladimir Serbinenko + That position is calculated to fill the remaining of the buffer with the + padding '#' characters. But since isn't calculated correctly, it can lead + to copies outside of the buffer. - * grub-core/kern/arm/uboot/startup.S: Use .org rather than assigning - ".". + The issue can be reproduced by creating a variable with a large value and + then try to set a new value that is much smaller: -2013-11-13 Vladimir Serbinenko + $ grub2-editenv --version + grub2-editenv (GRUB) 2.04 - Redirect all divisions to grub_divmod64. + $ grub2-editenv env create -2013-11-12 Vladimir Serbinenko + $ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)" - * grub-core/term/tparm.c (tparam_internal): Use unsigned divisions. + $ wc -c env + 1024 grubenv -2013-11-12 Vladimir Serbinenko + $ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)" + malloc(): corrupted top size + Aborted (core dumped) - Add missing includes of loader.h. 
+ $ wc -c env + 0 grubenv -2013-11-12 Vladimir Serbinenko + Reported-by: Renaud Métrich + Reviewed-by: Daniel Kiper - * configure.ac: Allow disabling themes. +2020-05-15 Hans Ulrich Niedermann -2013-11-12 Lukas Schwaighofer + docs: Remove docs for non-existing uppermem command + Remove all documentation of and mentions of the uppermem + command from the docs/grub.texi file. - * util/grub.d/20_linux_xen.in: Don't decompress initrd. + The uppermem command is not implemented in the GRUB source + at all and appears to never have been implemented despite + former plans to add an uppermem command. -2013-11-12 Vladimir Serbinenko + To reduce user confusion, this even removes the paragraph + describing how GRUB's uppermem command was supposed to + complement the Linux kernel's mem= parameter. - * grub-core/term/at_keyboard.c: Don't poll non-functional AT controller - until it becomes operational. + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-05-15 Hans Ulrich Niedermann - * grub-core/Makefile.core.def (legacy_password_test): Disable - on platforms where no legacycfg is compiled. - * grub-core/tests/lib/functional_test.c: Tolerate failure to - load legacy_password_test. + docs: Remove docs for non-existing pxe_unload command + Remove the documentation of the pxe_unload command from the + docs/grub.texi file. -2013-11-12 Vladimir Serbinenko + The pxe_unload command is not implemented in the grub source + at this time at all. It appears to have been removed in commit + 671a78acb (cleanup pxe and efi network release). - * grub-core/loader/i386/bsd.c: Remove variable length arrays. + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-05-15 Hans Ulrich Niedermann - * grub-core/efiemu/prepare.c: Remove variable length arrays. 
+ gitignore: Add a few forgotten file patterns + Add a few patterns to .gitignore to cover files which are generated + by building grub ("make", "make check", "make dist") but which have + been forgotten to add to .gitignore in the past. -2013-11-12 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/osdep/windows/hostdisk.c (grub_util_fd_strerror): Silence - strict-aliasing warning. - (fsync): Silence cast warning. +2020-05-15 Hans Ulrich Niedermann -2013-11-12 Vladimir Serbinenko + gitignore: Add leading slashes where appropriate + Going through the list of gitignore patterns without a leading slash, + this adds a leading slash where it appears to have been forgotten. - * grub-core/commands/verify.c: Remove variable length arrays. - Load gcry_dsa/gcry_rsa automatically. + Some gitignore patterns like ".deps/" or "Makefile" clearly should + match everywhere, so those definitively need no leading slash. -2013-11-12 Vladimir Serbinenko + For some patterns like "ascii.bitmaps", it is unclear where in the + source tree they should match. Those patterns are kept as they are, + matching the patterns in the whole tree of subdirectories. - * grub-core/tests/signature_test.c: New test. + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-05-15 Hans Ulrich Niedermann - * grub-core/disk/cryptodisk.c (luks_script_get): Adapt to new procfs - API. + gitignore: Add trailing slashes for directories + Add trailing slashes for all patterns matching directories. -2013-11-12 Vladimir Serbinenko + Note that we do *not* add trailing slashes for *symlinks* + to directories. - * grub-core/tests/legacy_password_test.c (vectors): Make static. - * grub-core/tests/pbkdf2_test.c (vectors): Likewise. + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-05-15 Hans Ulrich Niedermann - * grub-core/tests/setjmp_test.c: Reset counter to 0 before starting. 
+ gitignore: Sort both pattern groups alphabetically + Alphabetically sort the two groups of gitignore patterns: -2013-11-12 Vladimir Serbinenko + * The group of patterns without slashes, matching anywhere + in the directory subtree. - * grub-core/fs/proc.c: Allow \0 in proc files. + * The group of patterns with slashes, matching relative to the + .gitignore file's directory -2013-11-12 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/tests/xnu_uuid_test.c: Fix assert message. +2020-05-15 Hans Ulrich Niedermann -2013-11-12 Vladimir Serbinenko + gitignore: Group patterns with and without slash + Group the .gitignore patterns into two groups: - * grub-core/tests/xnu_uuid_test.c: Fix copyright year. + * Pattern not including a slash, i.e. matching files anywhere in + the .gitignore file's directory and all of its subdirectories. -2013-11-12 Vladimir Serbinenko + * Patterns including a slash, i.e. matching only relative to the + .gitignore file's directory. - * grub-core/fs/ext2.c: Remove variable length arrays. + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-05-15 Hans Ulrich Niedermann - * grub-core/lib/crypto.c (grub_crypto_cbc_decrypt): Remove variable - length arrays. + gitignore: Consistent leading slash is easier to read + As all gitignore patterns containing a left or middle slash match + only relative to the .gitignore file's directory, we write them + all in the same manner with a leading slash. -2013-11-12 Vladimir Serbinenko + This makes the file significantly easier to read. - * grub-core/disk/AFSplitter.c: Remove variable length arrays. - * grub-core/disk/cryptodisk.c: Likewise. - * grub-core/disk/geli.c: Likewise. - * grub-core/disk/luks.c: Likewise. + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-05-15 Daniel Kiper - * grub-core/tests/legacy_password_test.c: New test. - * grub-core/commands/legacycfg.c: Remove variable length arrays. 
+ mips/cache: Add missing nop's in delay slots + Lack of them causes random instructions to be executed before the + jump really happens. -2013-11-12 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/pbkdf2.c: Remove variable length arrays. +2020-04-21 Patrick Steinhardt -2013-11-12 Vladimir Serbinenko + luks2: Propagate error when reading area key fails + When decrypting a given keyslot, all error cases except for one set up + an error and return the error code. The only exception is when we try to + read the area key: instead of setting up an error message, we directly + print it via grub_dprintf(). - * grub-core/tests/pbkdf2_test.c: New test. + Convert the outlier to use grub_error() to allow more uniform handling + of errors. -2013-11-12 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/xzembed/xz_dec_stream.c: Remove variable length arrays. +2020-04-21 Patrick Steinhardt -2013-11-12 Vladimir Serbinenko + json: Get rid of casts for "jsmntok_t" + With the upstream change having landed that adds a name to the + previously anonymous "jsmntok" typedef, we can now add a forward + declaration for that struct in our code. As a result, we no longer have + to store the "tokens" member of "struct grub_json" as a void pointer but + can instead use the forward declaration, allowing us to get rid of casts + of that field. - * grub-core/io/lzopio.c: Remove variable length arrays. + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-04-21 Patrick Steinhardt - * include/grub/crypto.h: Add maximums on hash size and cipher block - size. + json: Update jsmn library to upstream commit 053d3cd + Update our embedded version of the jsmn library to upstream commit + 053d3cd (Merge pull request #175 from pks-t/pks/struct-type, + 2020-04-02). -2013-11-12 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/commands/xnu_uuid.c: Remove variable length arrays. 
+2020-04-21 Steve Langasek -2013-11-12 Vladimir Serbinenko + templates: Output a menu entry for firmware setup on UEFI FastBoot systems + The fwsetup command allows to reboot into the EFI firmware setup menu, add + a template to include a menu entry on EFI systems that makes use of that + command to reboot into the EFI firmware settings. - * grub-core/tests/xnu_uuid_test.c: New test. + This is useful for users since the hotkey to enter into the EFI setup menu + may not be the same on all systems so users can use the menu entry without + needing to figure out what key needs to be pressed. -2013-11-12 Vladimir Serbinenko + Also, if fastboot is enabled in the BIOS then often it is not possible to + enter the firmware setup menu. So the entry is again useful for this case. - * grub-core/commands/hashsum.c: Remove unneeded memset (zalloc already - covers it). + Reviewed-by: Daniel Kiper -2013-11-12 Vladimir Serbinenko +2020-04-21 Hans de Goede - * grub-core/commands/hashsum.c: Remove variable length arrays. + kern/term: Accept ESC, F4 and holding SHIFT as user interrupt keys + On some devices the ESC key is the hotkey to enter the BIOS/EFI setup + screen, making it really hard to time pressing it right. Besides that + ESC is also pretty hard to discover for a user who does not know it + will unhide the menu. -2013-11-11 Vladimir Serbinenko + This commit makes F4, which was chosen because is not used as a hotkey + to enter the BIOS setup by any vendor, also interrupt sleeps / stop the + menu countdown. - * grub-core/tests/gfxterm_menu.c (gfxterm_menu): Handle out-of-memory - condition. - * tests/grub_func_test.in: Increase memory allocation. + This solves the ESC gets into the BIOS setup and also somewhat solves + the discoverability issue, but leaves the timing issue unresolved. -2013-11-11 Vladimir Serbinenko + This commit fixes the timing issue by also adding support for keeping + SHIFT pressed during boot to stop the menu countdown. 
This matches + what Ubuntu is doing, which should also help with discoverability. - * grub-core/osdep/unix/getroot.c [HAVE_STRUCT_STATFS_F_FSTYPENAME - && HAVE_STRUCT_STATFS_F_MNTFROMNAME]: Include sys/param.h and - sys/mount.h. + Reviewed-by: Daniel Kiper -2013-11-11 Vladimir Serbinenko +2020-04-21 Hans de Goede - * grub-core/osdep/apple/hostdisk.c (grub_util_get_fd_size): Rename to .. - (grub_util_get_fd_size_os): ...this. - (grub_hostdisk_flush_initial_buffer): New empty function. + efi/console: Do not set text-mode until we actually need it + If we're running with a hidden menu we may never need text mode, so do not + change the video-mode to text until we actually need it. -2013-11-11 Vladimir Serbinenko + This allows to boot a machine without unnecessary graphical transitions and + provide a seamless boot experience to users. - * grub-core/gensyminfo.sh.in: Handle the case of portable output - without --defined-only. + Reviewed-by: Daniel Kiper -2013-11-11 Vladimir Serbinenko +2020-04-21 Hans de Goede - * grub-core/lib/i386/relocator_common.S [__APPLE__ && __x86_64__]: Use - rip-relative addressing in prologue. + efi/console: Implement getkeystatus() support + Implement getkeystatus() support in the EFI console driver. -2013-11-11 Vladimir Serbinenko + This is needed because the logic to determine if a key was pressed to make + the menu countdown stop will be changed by a later patch to also take into + account the SHIFT key being held down. - * include/grub/misc.h [__APPLE__]: Do not add regparm(0) on x86_64. - * grub-core/kern/misc.c (__bzero) [__APPLE__]: New function. + For this reason the EFI console driver has to support getkeystatus() to + allow detecting that event. -2013-11-11 Vladimir Serbinenko + Note that if a non-modifier key gets pressed and repeated calls to + getkeystatus() are made then it will return the modifier status at the + time of the non-modifier key, until that key-press gets consumed by a + getkey() call. 
- * util/getroot.c (grub_util_biosdisk_get_grub_dev) [__APPLE__]: - Add missing semicolon. + This is a side-effect of how the EFI simple-text-input protocol works + and cannot be avoided. -2013-11-11 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * util/grub-macho2img.c: Use plain fopen rather than grub_util_fopen. +2020-04-21 Hans de Goede -2013-11-11 Vladimir Serbinenko + efi/console: Add grub_console_read_key_stroke() helper function + This is a preparatory patch for adding getkeystatus() support to the + EFI console driver. - * configure.ac: Check for lzma.h for enabling liblzma and allow - manual disabling. + We can get modifier status through the simple_text_input read_key_stroke() + method, but if a non-modifier key is (also) pressed the read_key_stroke() + call will consume that key from the firmware's queue. -2013-11-11 Vladimir Serbinenko + The new grub_console_read_key_stroke() helper buffers upto 1 key-stroke. + If it has a non-modifier key buffered, it will return that one, if its + buffer is empty, it will fills its buffer by getting a new key-stroke. - Add missing includes of loader.h. + If called with consume=1 it will empty its buffer after copying the + key-data to the callers buffer, this is how getkey() will use it. -2013-11-11 Fam Zheng + If called with consume=0 it will keep the last key-stroke buffered, this + is how getkeystatus() will call it. This means that if a non-modifier + key gets pressed, repeated getkeystatus() calls will return the modifiers + of that key-press until it is consumed by a getkey() call. - * util/grub.d/30_os-prober.in: Add minix entry. + Reviewed-by: Daniel Kiper -2013-11-10 Vladimir Serbinenko +2020-04-21 Hans de Goede - * grub-core/loader/i386/coreboot/chainloader.c (load_segment): Use - right buffer for temporary load. 
+ kern/term: Make grub_getkeystatus() helper function available everywhere + Move grub_getkeystatushelper() function from grub-core/commands/keystatus.c + to grub-core/kern/term.c and export it so that it can be used outside of + the keystatus command code too. -2013-11-10 Vladimir Serbinenko + There's no logic change in this patch. The function definition is moved so + it can be called from grub-core/kern/term.c in a subsequent patch. It will + be used to determine if a SHIFT key has was held down and use that also to + interrupt the countdown, without the need to press a key at the right time. - * grub-core/loader/i386/coreboot/chainloader.c: Support tianocore. + Reviewed-by: Daniel Kiper -2013-11-10 Vladimir Serbinenko +2020-04-21 Javier Martinez Canillas - * grub-core/loader/i386/coreboot/chainloader.c: Support lzma-compressed - payload. + efi/console: Move grub_console_set{colorstate,cursor} higher in the file + This is just a preparatory patch to move the functions higher in the file, + since these will be called by the grub_prepare_for_text_output() function + that will be introduced in a later patch. -2013-11-10 Vladimir Serbinenko + The logic is unchanged by this patch. Functions definitions are just moved + to avoid a forward declaration in a later patch, keeping the code clean. - * include/grub/lib/LzmaDec.h: Fix to include LzmaTypes.h and - not Types.h. - * grub-core/lib/LzmaDec.c: Fix prologue to make it compileable in GRUB - environment. - (LzmaDec_InitDicAndState): Make static. + Reviewed-by: Daniel Kiper -2013-11-10 Vladimir Serbinenko +2020-04-21 Paul Menzel - * util/grub-mkimagexx.c (generate_elf): Fix module address on coreboot. + docs/grub: Fix typo in *preferred* + Reviewed-by: Daniel Kiper -2013-11-10 Vladimir Serbinenko +2020-04-21 Daniel Axtens - * grub-core/term/ieee1275/escc.c (GRUB_MOD_INIT): Fix order of channels. 
+ powerpc/mkimage: Fix CHRP note descsz + Currently, an image generated with 'grub-mkimage -n' causes an error when + read with 'readelf -a': - Reported by: Aaro Koskinen + Displaying notes found at file offset 0x000106f0 with length 0x0000002c: + Owner Data size Description + readelf: Warning: note with invalid namesz and/or descsz found at offset 0x0 + readelf: Warning: type: 0x1275, namesize: 0x00000008, descsize: 0x0000002c, alignment: 4 -2013-11-10 Vladimir Serbinenko + This is because the descsz of the CHRP note is set to + sizeof (struct grub_ieee1275_note) + which is the size of the entire note, including name and elf header. The + desczs should contain only the contents, not the name and header sizes. - * docs/grub-dev.texi: Replace bzr references with git ones. + Set the descsz instead to 'sizeof (struct grub_ieee1275_note_desc)' -2013-11-10 Andrey Borzenkov + Resultant readelf output: - * docs/grub.texi (Simple configuration): Remove reference to - grub-reboot from saved default entry description - grub-default - does not use it anymore. + Displaying notes found at file offset 0x00010710 with length 0x0000002c: + Owner Data size Description + PowerPC 0x00000018 Unknown note type: (0x00001275) + description data: ff ff ff ff 00 c0 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 40 00 -2013-11-10 Vladimir Serbinenko + So far as I can tell this issue has existed for as long as the note + generation code has existed, but I guess nothing really checks descsz. - * configure.ac: Make efiemu test cflags match the cflags efiemu is - compiled with. + Reviewed-by: Daniel Kiper -2013-11-10 Andrey Borzenkov +2020-03-31 Flavio Suligoi - * docs/grub.texi (Simple configuration): Document GRUB_DISABLE_SUBMENU. + efi: Add missed space in GRUB_EFI_GLOBAL_VARIABLE_GUID + Reviewed-by: Daniel Kiper -2013-11-10 Vladimir Serbinenko +2020-03-31 Michael Chang - Fix grub_machine_fini bitrot. 
+ zfs: Fix gcc10 error -Werror=zero-length-bounds + We bumped into the build error while testing gcc-10 pre-release. - Reported by: Glenn Washburn. + In file included from ../../include/grub/file.h:22, + from ../../grub-core/fs/zfs/zfs.c:34: + ../../grub-core/fs/zfs/zfs.c: In function 'zap_leaf_lookup': + ../../grub-core/fs/zfs/zfs.c:2263:44: error: array subscript '' is outside the bounds of an interior zero-length array 'grub_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=zero-length-bounds] + 2263 | for (chunk = grub_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian); + ../../include/grub/types.h:241:48: note: in definition of macro 'grub_le_to_cpu16' + 241 | # define grub_le_to_cpu16(x) ((grub_uint16_t) (x)) + | ^ + ../../grub-core/fs/zfs/zfs.c:2263:16: note: in expansion of macro 'grub_zfs_to_cpu16' + 2263 | for (chunk = grub_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian); + | ^~~~~~~~~~~~~~~~~ + In file included from ../../grub-core/fs/zfs/zfs.c:48: + ../../include/grub/zfs/zap_leaf.h:72:16: note: while referencing 'l_hash' + 72 | grub_uint16_t l_hash[0]; + | ^~~~~~ -2013-11-10 Vladimir Serbinenko + Here I'd like to quote from the gcc document [1] which seems best to + explain what is going on here. - * configure.ac: Remove leftover -fnested-funcions -Wl,-allow_execute. + "Although the size of a zero-length array is zero, an array member of + this kind may increase the size of the enclosing type as a result of + tail padding. The offset of a zero-length array member from the + beginning of the enclosing structure is the same as the offset of an + array with one or more elements of the same type. The alignment of a + zero-length array is the same as the alignment of its elements. -2013-11-10 Vladimir Serbinenko + Declaring zero-length arrays in other contexts, including as interior + members of structure objects or as non-member objects, is discouraged. 
+ Accessing elements of zero-length arrays declared in such contexts is + undefined and may be diagnosed." - * grub-core/Makefile.am (efiemu): Remove leftover -DAPPLE_CC and - -DELF. - * grub-core/efiemu/runtime/config.h: Use __i386__ and __x86_64__ - instead of ELF*. + The l_hash[0] is apparnetly an interior member to the enclosed structure + while l_entries[0] is the trailing member. And the offending code tries + to access members in l_hash[0] array that triggers the diagnose. -2013-11-10 Vladimir Serbinenko + Given that the l_entries[0] is used to get proper alignment to access + leaf chunks, we can accomplish the same thing through the ALIGN_UP macro + thus eliminating l_entries[0] from the structure. In this way we can + pacify the warning as l_hash[0] now becomes the last member to the + enclosed structure. - * configure.ac: Restore CFLAGS to TARGET_CFLAGS before external tests. - Add -march=core2 when testing compile of efiemu64. + [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html - Thanks Andrey Borzenkov for spotting this. + Reviewed-by: Daniel Kiper -2013-11-09 Vladimir Serbinenko +2020-03-31 Michael Chang - Add new ports: i386-xen and x86_64-xen. This allows running GRUB in - XEN PV environment and load kernels. + mdraid1x_linux: Fix gcc10 error -Werror=array-bounds + We bumped into the build error while testing gcc-10 pre-release. -2013-11-09 Vladimir Serbinenko + ../../grub-core/disk/mdraid1x_linux.c: In function 'grub_mdraid_detect': + ../../grub-core/disk/mdraid1x_linux.c:181:15: error: array subscript is outside array bounds of 'grub_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=array-bounds] + 181 | (char *) &sb.dev_roles[grub_le_to_cpu32 (sb.dev_number)] + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ../../grub-core/disk/mdraid1x_linux.c:98:17: note: while referencing 'dev_roles' + 98 | grub_uint16_t dev_roles[0]; /* Role in array, or 0xffff for a spare, or 0xfffe for faulty. 
*/ + | ^~~~~~~~~ + ../../grub-core/disk/mdraid1x_linux.c:127:33: note: defined here 'sb' + 127 | struct grub_raid_super_1x sb; + | ^~ + cc1: all warnings being treated as errors - * grub-core/loader/i386/multiboot_mbi.c: Handle space in command line. - * grub-core/loader/multiboot_mbi2.c: Likewise. + Apparently gcc issues the warning when trying to access sb.dev_roles + array's member, since it is a zero length array as the last element of + struct grub_raid_super_1x that is allocated sparsely without extra + chunks for the trailing bits, so the warning looks legitimate in this + regard. -2013-11-09 Vladimir Serbinenko + As the whole thing here is doing offset computation, it is undue to use + syntax that would imply array member access then take address from it + later. Instead we could accomplish the same thing through basic array + pointer arithmetic to pacify the warning. - * grub-core/lib/cmdline.c (grub_loader_cmdline_size): Fix empty cmdline - handling. + Reviewed-by: Daniel Kiper -2013-11-09 Vladimir Serbinenko +2020-03-31 Simon Hardy - * grub-core/commands/i386/cmostest.c: Add new command "cmosset". + build: Fix GRUB i386-pc build with Ubuntu gcc + With recent versions of gcc on Ubuntu a very large lzma_decompress.img file is + output. (e.g. 134479600 bytes instead of 2864.) This causes grub-mkimage to + fail with: "error: Decompressor is too big." - Tested by: Denis 'GNUtoo' Carikli. + This seems to be caused by a section .note.gnu.property that is placed at an + offset such that objcopy needs to pad the img file with zeros. -2013-11-08 Vladimir Serbinenko + This issue is present on: + Ubuntu 19.10 with gcc (Ubuntu 8.3.0-26ubuntu1~19.10) 8.3.0 + Ubuntu 19.10 with gcc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008 - * grub-core/normal/datetime.c (grub_get_weekday): Use unsigned types. 
+ This issue is not present on: + Ubuntu 19.10 with gcc (Ubuntu 7.5.0-3ubuntu1~19.10) 7.5.0 + RHEL 8.0 with gcc 8.3.1 20190507 (Red Hat 8.3.1-4) + + The issue can be fixed by removing the section using objcopy as shown in + this patch. + + Reviewed-by: Daniel Kiper + +2020-03-31 Tianjia Zhang + + efi/tpm: Fix memory leak in grub_tpm1/2_log_event() + The memory requested for the event is not released here, + causing memory leaks. This patch fixes this problem. + + Reviewed-by: Javier Martinez Canillas + Reviewed-by: Daniel Kiper + +2020-03-31 Michael Chang -2013-11-08 Vladimir Serbinenko + docs: Document notes on LVM cache booting + Add notes on LVM cache booting to the GRUB manual to help user understanding + the outstanding issue and status. - * grub-core/gfxmenu/gui_circular_progress.c (parse_angle): - Use to get rounded angle rather than truncated. + Reviewed-by: Daniel Kiper -2013-11-08 Vladimir Serbinenko +2020-03-31 Michael Chang - * grub-core/term/serial.c: Add option for enabling/disabling - RTS/CTS flow control. + lvm: Add LVM cache logical volume handling + The LVM cache logical volume is the logical volume consisting of the original + and the cache pool logical volume. The original is usually on a larger and + slower storage device while the cache pool is on a smaller and faster one. The + performance of the original volume can be improved by storing the frequently + used data on the cache pool to utilize the greater performance of faster + device. -2013-11-08 Vladimir Serbinenko + The default cache mode "writethrough" ensures that any data written will be + stored both in the cache and on the origin LV, therefore grub can be straight + to read the original lv as no data loss is guarenteed. + + The second cache mode is "writeback", which delays writing from the cache pool + back to the origin LV to have increased performance. The drawback is potential + data loss if losing the associated cache device. 
+ + During the boot time grub reads the LVM offline i.e. LVM volumes are not + activated and mounted, hence it should be fine to read directly from original + lv since all cached data should have been flushed back in the process of taking + it offline. + + It is also not much helpful to the situation by adding fsync calls to the + install code. The fsync did not force to write back dirty cache to the original + device and rather it would update associated cache metadata to complete the + write transaction with the cache device. IOW the writes to cached blocks still + go only to the cache device. + + To write back dirty cache, as LVM cache did not support dirty cache flush per + block range, there'no way to do it for file. On the other hand the "cleaner" + policy is implemented and can be used to write back "all" dirty blocks in a + cache, which effectively drain all dirty cache gradually to attain and last in + the "clean" state, which can be useful for shrinking or decommissioning a + cache. The result and effect is not what we are looking for here. + + In conclusion, as it seems no way to enforce file writes to the original + device, grub may suffer from power failure as it cannot assemble the cache + device and read the dirty data from it. However since the case is only + applicable to writeback mode which is sensitive to data lost in nature, I'd + still like to propose my (relatively simple) patch and treat reading dirty + cache as improvement. + + Reviewed-by: Daniel Kiper + +2020-03-10 Patrick Steinhardt + + gnulib: Fix build of base64 when compiling with memory debugging + When building GRUB with memory management debugging enabled, then the + build fails because of `grub_debug_malloc()` and `grub_debug_free()` + being undefined in the luks2 module. The cause is that we patch + "base64.h" to unconditionaly include "config-util.h", which shouldn't be + included for modules at all. 
As a result, `MM_DEBUG` is defined when + building the module, causing it to use the debug memory allocation + functions. As these are not built into modules, we end up with a linker + error. - * grub-core/lib/libgcrypt/cipher/idea.c (mul_inv): Remove signed - divisions. + Fix the issue by removing the include altogether. The + sole reason it was included was for the `_GL_ATTRIBUTE_CONST` macro, + which we can simply define as empty in case it's not set. -2013-11-08 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/lib/libgcrypt/mpi/mpih-div.c (_gcry_mpih_divrem): - Use grub_fatal rather than divide by zero. - * grub-core/lib/libgcrypt/mpi/mpi-pow.c (gcry_mpi_powm): Likewise. +2020-03-10 Patrick Steinhardt + + build: Fix option to explicitly disable memory debugging + The memory management system supports a debug mode that can be enabled + at build time by passing "--enable-mm-debug" to the configure script. + Passing the option will cause us define MM_DEBUG as expected, but in + fact the reverse option "--disable-mm-debug" will do the exact same + thing and also set up the define. This currently causes the build of + "lib/gnulib/base64.c" to fail as it tries to use `grub_debug_malloc()` + and `grub_debug_free()` even though both symbols aren't defined. + + Seemingly, `AC_ARG_ENABLE()` will always execute the third argument if + either the positive or negative option was passed. Let's thus fix the + issue by moving the call to`AC_DEFINE()` into an explicit `if test + $xenable_mm_debug` block, similar to how other defines work. + + Reviewed-by: Daniel Kiper + Reviewed-by: Paul Menzel + +2020-03-10 David Michael + + fat: Support file modification times + This allows comparing file ages on EFI system partitions. 
+ + Reviewed-by: Daniel Kiper + +2020-03-10 David Michael + + exfat: Save the matching directory entry struct when searching + This provides the node's attributes outside the iterator function + so the file modification time can be accessed and reported. + + Reviewed-by: Daniel Kiper + +2020-03-10 Mike Gilbert + + datetime: Enable the datetime module for the emu platform + Fixes a build failure: + + grub-core/commands/date.c:49: undefined reference to `grub_get_weekday_name' + grub-core/commands/ls.c:155: undefined reference to `grub_unixtime2datetime' + + Bug: https://bugs.gentoo.org/711512 + + Reviewed-by: Javier Martinez Canillas + Tested-by: Javier Martinez Canillas + Reviewed-by: Daniel Kiper + +2020-03-10 John Paul Adrian Glaubitz + + build: Add soft-float handling for SuperH (sh4) + While GRUB has no platform support for SuperH (sh4) yet, this change + adds the target-specific handling of soft-floats such that the GRUB + utilities can be built on this target. + + Reviewed-by: Daniel Kiper + +2020-03-10 Peter Jones + + efi: Fix the type of grub_efi_status_t + Currently, in some builds with some checkers, we see: + + 1. grub-core/disk/efi/efidisk.c:601: error[shiftTooManyBitsSigned]: Shifting signed 64-bit value by 63 bits is undefined behaviour + + This is because grub_efi_status_t is defined as grub_efi_intn_t, which is + signed, and shifting into the sign bit is not defined behavior. UEFI fixed + this in the spec in 2.3: + + 2.3 | Change the defined type of EFI_STATUS from INTN to UINTN | May 7, 2009 + + And the current EDK2 code has: + MdePkg/Include/Base.h-// + MdePkg/Include/Base.h-// Status codes common to all execution phases + MdePkg/Include/Base.h-// + MdePkg/Include/Base.h:typedef UINTN RETURN_STATUS; + MdePkg/Include/Base.h- + MdePkg/Include/Base.h-/** + MdePkg/Include/Base.h- Produces a RETURN_STATUS code with the highest bit set. 
+ MdePkg/Include/Base.h- + MdePkg/Include/Base.h- @param StatusCode The status code value to convert into a warning code. + MdePkg/Include/Base.h- StatusCode must be in the range 0x00000000..0x7FFFFFFF. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h- @return The value specified by StatusCode with the highest bit set. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h-**/ + MdePkg/Include/Base.h-#define ENCODE_ERROR(StatusCode) ((RETURN_STATUS)(MAX_BIT | (StatusCode))) + MdePkg/Include/Base.h- + MdePkg/Include/Base.h-/** + MdePkg/Include/Base.h- Produces a RETURN_STATUS code with the highest bit clear. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h- @param StatusCode The status code value to convert into a warning code. + MdePkg/Include/Base.h- StatusCode must be in the range 0x00000000..0x7FFFFFFF. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h- @return The value specified by StatusCode with the highest bit clear. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h-**/ + MdePkg/Include/Base.h-#define ENCODE_WARNING(StatusCode) ((RETURN_STATUS)(StatusCode)) + MdePkg/Include/Base.h- + MdePkg/Include/Base.h-/** + MdePkg/Include/Base.h- Returns TRUE if a specified RETURN_STATUS code is an error code. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h- This function returns TRUE if StatusCode has the high bit set. Otherwise, FALSE is returned. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h- @param StatusCode The status code value to evaluate. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h- @retval TRUE The high bit of StatusCode is set. + MdePkg/Include/Base.h- @retval FALSE The high bit of StatusCode is clear. + MdePkg/Include/Base.h- + MdePkg/Include/Base.h-**/ + MdePkg/Include/Base.h-#define RETURN_ERROR(StatusCode) (((INTN)(RETURN_STATUS)(StatusCode)) < 0) + ... + Uefi/UefiBaseType.h:typedef RETURN_STATUS EFI_STATUS; -2013-11-08 Vladimir Serbinenko + This patch makes grub's implementation match the Edk2 declaration with regards + to the signedness of the type. 
- * include/grub/gui.h (grub_fixed_sfs_divide): Round rather than - truncate. - (grub_fixed_fsf_divide): Likewise. + Reviewed-by: Daniel Kiper -2013-11-08 Vladimir Serbinenko +2020-03-10 Peter Jones - * grub-core/gfxmenu/gui_list.c (draw_scrollbar): Avoid - division by-zero and senseless negative divisions. + efi/gop: Add debug output on GOP probing + Add debug information to EFI GOP video driver probing function. -2013-11-08 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/gfxmenu/gui_circular_progress.c (circprog_paint): Avoid - division by-zero and senseless negative divisions. - (circprog_set_property): Don't accept negative num_ticks. +2020-03-10 Peter Jones -2013-11-08 Vladimir Serbinenko + efi/uga: Use video instead of fb as debug condition + All other video drivers use "video" as the debug condition instead of "fb" + so change this in the efi/uga driver to make it consistent with the others. - * grub-core/gfxmenu/gui_progress_bar.c (draw_pixmap_bar): Avoid - division by-zero and senseless negative divisions. + Reviewed-by: Daniel Kiper -2013-11-08 Vladimir Serbinenko +2020-03-10 Peter Jones - * configure.ac: Use elf_*_fbsd on kfreebsd. + efi: Print error messages to grub_efi_allocate_pages_real() + No messages were printed in this function, add some to ease debugging. -2013-11-08 Vladimir Serbinenko + Also, the function returns a void * pointer so return NULL instead of + 0 to make the code more readable. - * grub-core/tests/div_test.c: New test. + Reviewed-by: Daniel Kiper -2013-11-08 Vladimir Testov +2020-03-10 Andrei Borzenkov - * grub-core/gfxmenu/gui_box.c: Updated to work with area status. - * grub-core/gfxmenu/gui_canvas.c: Likewise. - * grub-core/gfxmenu/view.c: Likewise. - * grub-core/video/fb/video_fb.c: Introduce new functions: - grub_video_set_area_status, grub_video_get_area_status, - grub_video_set_region, grub_video_get_region. - * grub-core/video/bochs.c: Likewise. - * grub-core/video/capture.c: Likewise. 
- * grub-core/video/video.c: Likewise. - * grub-core/video/cirrus.c: Likewise. - * grub-core/video/efi_gop.c: Likewise. - * grub-core/video/efi_uga.c: Likewise. - * grub-core/video/emu/sdl.c: Likewise. - * grub-core/video/radeon_fuloong2e.c: Likewise. - * grub-core/video/sis315pro.c: Likewise. - * grub-core/video/sm712.c: Likewise. - * grub-core/video/i386/pc/vbe.c: Likewise. - * grub-core/video/i386/pc/vga.c: Likewise. - * grub-core/video/ieee1275.c: Likewise. - * grub-core/video/i386/coreboot/cbfb.c: Likewise. - * include/grub/video.h: Likewise. - * include/grub/video_fb.h: Likewise. - * include/grub/fbfill.h: Updated render_target structure. - grub_video_rect_t viewport, region, area - int area_offset_x, area_offset_y, area_enabled - * include/grub/gui.h: New helper function - grub_video_bounds_inside_region. - * docs/grub-dev.texi: Added information about new functions. + efi/uga: Use 64 bit for fb_base + We get 64 bit from PCI BAR but then truncate by assigning to 32 bit. + Make sure to check that pointer does not overflow on 32 bit platform. -2013-11-08 Vladimir Serbinenko + Closes: 50931 - * grub-core/kern/mm.c (grub_real_malloc): Use AND rather than MOD - for alignment. + Reviewed-by: Daniel Kiper -2013-11-08 Vladimir Serbinenko +2020-03-10 Alexander Graf - * grub-core/lib/reed_solomon.c (grub_reed_solomon_recover): Add - missing attribute. - * grub-core/gdb/cstub.c (grub_gdb_trap): Likewise. + efi/gop: Add support for BLT_ONLY adapters + EFI GOP has support for multiple different bitness types of frame buffers + and for a special "BLT only" type which is always defined to be RGBx. -2013-11-08 Vladimir Serbinenko + Because grub2 doesn't ever directly access the frame buffer but instead + only renders graphics via the BLT interface anyway, we can easily support + these adapters. - * grub-core/kern/misc.c (grub_divmod64): Don't fallback to - simple division on arm and ia64. + The reason this has come up now is the emerging support for virtio-gpu + in OVMF. 
That adapter does not have the notion of a memory mapped frame + buffer and thus is BLT only. -2013-11-08 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/arm/misc.S (__aeabi_unwind_cpp_pr0): Add dummy to - link with libgcc. +2020-03-10 Peter Jones -2013-11-08 Vladimir Serbinenko + normal/completion: Fix possible NULL pointer dereference + Coverity Scan reports that the grub_strrchr() function can return NULL if + the character is not found. Check if that's the case for dirfile pointer. - * include/grub/symbol.h (FUNCTION), (VARIABLE): Fix precedence logic. + Reviewed-by: Daniel Kiper -2013-11-08 Vladimir Serbinenko +2020-03-10 Peter Jones - * include/grub/symbol.h (FUNCTION), (VARIABLE) [__arm__]: Use % as - prefix symbol, not @. + kern: Add grub_debug_enabled() + Add a grub_debug_enabled() helper function instead of open coding it. -2013-11-08 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * INSTALL: Add note about older gcc and clang. +2020-03-10 Peter Jones -2013-11-08 Vladimir Serbinenko + Makefile: Make libgrub.pp depend on config-util.h + If you build with "make -j48" a lot, sometimes you see: - * tests/util/grub-shell.in: Boot as hdd on ppc by default. + gcc -E -DHAVE_CONFIG_H -I. -I.. -Wall -W -DGRUB_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DGRUB_FILE=\"grub_script.tab.h\" -I. -I.. -I. -I.. -I../include -I./include -I../grub-core/lib/libgcrypt-grub/src/ -I../grub-core/lib/minilzo -I../grub-core/lib/xzembed -DMINILZO_HAVE_CONFIG_H -Wall -W -DGRUB_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DGRUB_FILE=\"grub_script.tab.h\" -I. -I.. -I. -I.. 
-I../include -I./include -I../grub-core/lib/libgcrypt-grub/src/ -I./grub-core/gnulib -I../grub-core/gnulib -I/builddir/build/BUILD/grub-2.02/grub-aarch64-efi-2.02 -D_FILE_OFFSET_BITS=64 \ + -D'GRUB_MOD_INIT(x)=@MARKER@x@' grub_script.tab.h grub_script.yy.h ../grub-core/commands/blocklist.c ../grub-core/commands/macbless.c ../grub-core/commands/xnu_uuid.c ../grub-core/commands/testload.c ../grub-core/commands/ls.c ../grub-core/disk/dmraid_nvidia.c ../grub-core/disk/loopback.c ../grub-core/disk/lvm.c ../grub-core/disk/mdraid_linux.c ../grub-core/disk/mdraid_linux_be.c ../grub-core/disk/mdraid1x_linux.c ../grub-core/disk/raid5_recover.c ../grub-core/disk/raid6_recover.c ../grub-core/font/font.c ../grub-core/gfxmenu/font.c ../grub-core/normal/charset.c ../grub-core/video/fb/fbblit.c ../grub-core/video/fb/fbutil.c ../grub-core/video/fb/fbfill.c ../grub-core/video/fb/video_fb.c ../grub-core/video/video.c ../grub-core/video/capture.c ../grub-core/video/colors.c ../grub-core/unidata.c ../grub-core/io/bufio.c ../grub-core/fs/affs.c ../grub-core/fs/afs.c ../grub-core/fs/bfs.c ../grub-core/fs/btrfs.c ../grub-core/fs/cbfs.c ../grub-core/fs/cpio.c ../grub-core/fs/cpio_be.c ../grub-core/fs/odc.c ../grub-core/fs/newc.c ../grub-core/fs/ext2.c ../grub-core/fs/fat.c ../grub-core/fs/exfat.c ../grub-core/fs/fshelp.c ../grub-core/fs/hfs.c ../grub-core/fs/hfsplus.c ../grub-core/fs/hfspluscomp.c ../grub-core/fs/iso9660.c ../grub-core/fs/jfs.c ../grub-core/fs/minix.c ../grub-core/fs/minix2.c ../grub-core/fs/minix3.c ../grub-core/fs/minix_be.c ../grub-core/fs/minix2_be.c ../grub-core/fs/minix3_be.c ../grub-core/fs/nilfs2.c ../grub-core/fs/ntfs.c ../grub-core/fs/ntfscomp.c ../grub-core/fs/reiserfs.c ../grub-core/fs/romfs.c ../grub-core/fs/sfs.c ../grub-core/fs/squash4.c ../grub-core/fs/tar.c ../grub-core/fs/udf.c ../grub-core/fs/ufs2.c ../grub-core/fs/ufs.c ../grub-core/fs/ufs_be.c ../grub-core/fs/xfs.c ../grub-core/fs/zfs/zfscrypt.c ../grub-core/fs/zfs/zfs.c ../grub-core/fs/zfs/zfsinfo.c 
../grub-core/fs/zfs/zfs_lzjb.c ../grub-core/fs/zfs/zfs_lz4.c ../grub-core/fs/zfs/zfs_sha256.c ../grub-core/fs/zfs/zfs_fletcher.c ../grub-core/lib/envblk.c ../grub-core/lib/hexdump.c ../grub-core/lib/LzFind.c ../grub-core/lib/LzmaEnc.c ../grub-core/lib/crc.c ../grub-core/lib/adler32.c ../grub-core/lib/crc64.c ../grub-core/normal/datetime.c ../grub-core/normal/misc.c ../grub-core/partmap/acorn.c ../grub-core/partmap/amiga.c ../grub-core/partmap/apple.c ../grub-core/partmap/sun.c ../grub-core/partmap/plan.c ../grub-core/partmap/dvh.c ../grub-core/partmap/sunpc.c ../grub-core/partmap/bsdlabel.c ../grub-core/partmap/dfly.c ../grub-core/script/function.c ../grub-core/script/lexer.c ../grub-core/script/main.c ../grub-core/script/script.c ../grub-core/script/argv.c ../grub-core/io/gzio.c ../grub-core/io/xzio.c ../grub-core/io/lzopio.c ../grub-core/kern/ia64/dl_helper.c ../grub-core/kern/arm/dl_helper.c ../grub-core/kern/arm64/dl_helper.c ../grub-core/lib/minilzo/minilzo.c ../grub-core/lib/xzembed/xz_dec_bcj.c ../grub-core/lib/xzembed/xz_dec_lzma2.c ../grub-core/lib/xzembed/xz_dec_stream.c ../util/misc.c ../grub-core/kern/command.c ../grub-core/kern/device.c ../grub-core/kern/disk.c ../grub-core/lib/disk.c ../util/getroot.c ../grub-core/osdep/unix/getroot.c ../grub-core/osdep/getroot.c ../grub-core/osdep/devmapper/getroot.c ../grub-core/osdep/relpath.c ../grub-core/kern/emu/hostdisk.c ../grub-core/osdep/devmapper/hostdisk.c ../grub-core/osdep/hostdisk.c ../grub-core/osdep/unix/hostdisk.c ../grub-core/osdep/exec.c ../grub-core/osdep/sleep.c ../grub-core/osdep/password.c ../grub-core/kern/emu/misc.c ../grub-core/kern/emu/mm.c ../grub-core/kern/env.c ../grub-core/kern/err.c ../grub-core/kern/file.c ../grub-core/kern/fs.c ../grub-core/kern/list.c ../grub-core/kern/misc.c ../grub-core/kern/partition.c ../grub-core/lib/crypto.c ../grub-core/disk/luks.c ../grub-core/disk/geli.c ../grub-core/disk/cryptodisk.c ../grub-core/disk/AFSplitter.c ../grub-core/lib/pbkdf2.c 
../grub-core/commands/extcmd.c ../grub-core/lib/arg.c ../grub-core/disk/ldm.c ../grub-core/disk/diskfilter.c ../grub-core/partmap/gpt.c ../grub-core/partmap/msdos.c ../grub-core/fs/proc.c ../grub-core/fs/archelp.c > libgrub.pp || (rm -f libgrub.pp; exit 1) + rm -f stamp-h1 + touch ../config-util.h.in + cd . && /bin/sh ./config.status config-util.h + config.status: creating config-util.h + In file included from ../include/grub/mm.h:25:0, + from ../include/grub/disk.h:29, + from ../include/grub/file.h:26, + from ../grub-core/fs/btrfs.c:21: + ./config.h:38:10: fatal error: ./config-util.h: No such file or directory + #include + ^~~~~~~~~~~~~~~ + compilation terminated. + make: *** [Makefile:13098: libgrub.pp] Error 1 -2013-11-08 Vladimir Serbinenko + This is because libgrub.pp is built with -DGRUB_UTIL=1, which means + it'll try to include config-util.h, but a parallel make is actually + building that file. I think. - * grub-core/loader/multiboot_mbi2.c (grub_multiboot_add_module): Fix - NULL pointer dereference. + Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-03-10 Peter Jones - * grub-core/Makefile.am: Do not include libgcc.h when compiling with - clang. + efi: Print more debug info in our module loader + The function that searches the mods section base address does not have + any debug information. Add some debugging outputs that could be useful. -2013-11-07 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/kern/powerpc/dl.c: Add missing pragma to silence cast-align - warnings. +2020-03-10 Peter Jones -2013-11-07 Vladimir Serbinenko + linux/getroot: Handle rssd storage device names + The Micron PCIe SSDs Linux driver (mtip32xx) exposes block devices + as /dev/rssd[a-z]+[0-9]*. Add support for these rssd device names. - * grub-core/net/net.c (grub_net_route_unregister): Remove unused - function. - * grub-core/loader/i386/xnu.c (hextoval): Likewise. - * grub-core/disk/geli.c (ascii2hex): Likewise. 
+ Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-03-10 Julian Andres Klode - * configure.ac: Run linker tests without -Werror. - Define TARGET_LDFLAGS_STATIC_LIBGCC and TARGET_LIBGCC. - Change all occurences of -static-libgcc resp -lgcc to - TARGET_LDFLAGS_STATIC_LIBGCC resp TARGET_LIBGCC. + smbios: Add a --linux argument to apply linux modalias-like filtering + Linux creates modalias strings by filtering out non-ASCII, space, + and colon characters. Provide an option that does the same filtering + so people can create a modalias string in GRUB, and then match their + modalias patterns against it. -2013-11-07 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * configure.ac: Don't add -no-itegrated-as on clang on non-x86. +2020-03-10 Mike Gilbert -2013-11-07 Vladimir Serbinenko + po: Fix replacement of %m in sed programs + When running make dist, I hit this error: - Allow compiling with clang (not really supported though). + rm -f en@arabic.gmo && /usr/bin/gmsgfmt -c --statistics --verbose -o en@arabic.gmo en@arabic.po + en@arabic.po:5312: 'msgstr' is not a valid C format string, unlike 'msgid'. + Reason: The character that terminates the directive number 3 is not a valid conversion specifier. + /usr/bin/gmsgfmt: found 1 fatal error - * conf/Makefile.common (CFLAGS_PLATFORM): Don't add -mrtd -mregparm=3 - unconditionally. - * configure.ac: Add -no-integrated-as when using clangfor asm files. - Add -mrtd -mregparm=3 on i386 when not using clang. - * grub-core/kern/misc.c (grub_memset): Add volatile when on clang. + This was caused by "%m" being replaced with foreign Unicode characters. + For example: -2013-11-07 Vladimir Serbinenko + msgid "cannot rename the file %s to %s: %m" + msgstr "ﺹﺎﻨﻧﻮﺗ ﺮﻌﻧﺎﻤﻋ ﺖﻬﻋ ﻒִﻴﻠﻋ %s ﺕﻭ %s: %ﻡ" - * grub-core/kern/ieee1275/cmain.c: Add explicit attribute on asm - bindings. - * grub-core/lib/reed_solomon.c: Likewise. - * include/grub/i386/gdb.h: Likewise. - * include/grub/i386/pc/int.h: Likewise. 
- * include/grub/i386/pc/pxe.h: Likewise. - * include/grub/ieee1275/ieee1275.h: Likewise. + Mimic the workaround used for "%s" by reversing the replacement of "%m" at + the end of the sed programs. -2013-11-07 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - Import libgcrypt 1.5.3. +2020-03-10 Colin Watson -2013-11-07 Vladimir Serbinenko + gettext: Restore patches to po/Makefile.in.in + These were inadvertently lost during the conversion to Gnulib (gnulib: + Upgrade Gnulib and switch to bootstrap tool; commit 35b909062). The + files in po/gettext-patches/ can be imported using "git am" on top of + the gettext tag corresponding to AM_GNU_GETTEXT_VERSION in configure.ac + (currently 0.18.3). They handle translation of messages in shell files, + make msgfmt output in little-endian format, and arrange to use @SHELL@ + rather than /bin/sh. - * configure.ac: Don't add -Wcast-align on x86. + There were some changes solely for the purpose of distributing extra + files; for ease of maintenance, I've added these to + conf/Makefile.extra-dist instead. -2013-11-07 Vladimir Serbinenko + Fixes: https://savannah.gnu.org/bugs/?57298 - * configure.ac: Add -freg-struct-return on all platforms that - support it. + Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-02-28 Peter Jones - * acinclude.m4: Use -Werror on parameter tests. - * configure.ac: Likewise. + misc: Make grub_strtol() "end" pointers have safer const qualifiers + Currently the string functions grub_strtol(), grub_strtoul(), and + grub_strtoull() don't declare the "end" pointer in such a way as to + require the pointer itself or the character array to be immutable to the + implementation, nor does the C standard do so in its similar functions, + though it does require us not to change any of it. 
-2013-11-07 Vladimir Serbinenko + The typical declarations of these functions follow this pattern: + + long + strtol(const char * restrict nptr, char ** restrict endptr, int base); + + Much of the reason for this is historic, and a discussion of that + follows below, after the explanation of this change. (GRUB currently + does not include the "restrict" qualifiers, and we name the arguments a + bit differently.) + + The implementation is semantically required to treat the character array + as immutable, but such accidental modifications aren't stopped by the + compiler, and the semantics for both the callers and the implementation + of these functions are sometimes also helped by adding that requirement. - * acinclude.m4: Add missing TARGET_CCASFLAGS on asm tests. + This patch changes these declarations to follow this pattern instead: -2013-11-07 Vladimir Serbinenko + long + strtol(const char * restrict nptr, + const char ** const restrict endptr, + int base); + + This means that if any modification to these functions accidentally + introduces either an errant modification to the underlying character + array, or an accidental assignment to endptr rather than *endptr, the + compiler should generate an error. (The two uses of "restrict" in this + case basically mean strtol() isn't allowed to modify the character array + by going through *endptr, and endptr isn't allowed to point inside the + array.) + + It also means the typical use case changes to: + + char *s = ...; + const char *end; + long l; + + l = strtol(s, &end, 10); + + Or even: + + const char *p = str; + while (p && *p) { + long l = strtol(p, &p, 10); + ... + } + + This fixes 26 places where we discard our attempts at treating the data + safely by doing: + + const char *p = str; + long l; + + l = strtol(p, (char **)&ptr, 10); + + It also adds 5 places where we do: + + char *p = str; + while (p && *p) { + long l = strtol(p, (const char ** const)&p, 10); + ... 
+ /* more calls that need p not to be pointer-to-const */ + } + + While moderately distasteful, this is a better problem to have. + + With one minor exception, I have tested that all of this compiles + without relevant warnings or errors, and that /much/ of it behaves + correctly, with gcc 9 using 'gcc -W -Wall -Wextra'. The one exception + is the changes in grub-core/osdep/aros/hostdisk.c , which I have no idea + how to build. + + Because the C standard defined type-qualifiers in a way that can be + confusing, in the past there's been a slow but fairly regular stream of + churn within our patches, which add and remove the const qualifier in many + of the users of these functions. This change should help avoid that in + the future, and in order to help ensure this, I've added an explanation + in misc.h so that when someone does get a compiler warning about a type + error, they have the fix at hand. + + The reason we don't have "const" in these calls in the standard is + purely anachronistic: C78 (de facto) did not have type qualifiers in the + syntax, and the "const" type qualifier was added for C89 (I think; it + may have been later). strtol() appears to date from 4.3BSD in 1986, + which means it could not be added to those functions in the standard + without breaking compatibility, which is usually avoided. + + The syntax chosen for type qualifiers is what has led to the churn + regarding usage of const, and is especially confusing on string + functions due to the lack of a string type. Quoting from C99, the + syntax is: + + declarator: + pointer[opt] direct-declarator + direct-declarator: + identifier + ( declarator ) + direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ] + ... + direct-declarator [ type-qualifier-list[opt] * ] + ... + pointer: + * type-qualifier-list[opt] + * type-qualifier-list[opt] pointer + type-qualifier-list: + type-qualifier + type-qualifier-list type-qualifier + ... 
+ type-qualifier: + const + restrict + volatile + + So the examples go like: + + const char foo; // immutable object + const char *foo; // mutable pointer to object + char * const foo; // immutable pointer to mutable object + const char * const foo; // immutable pointer to immutable object + const char const * const foo; // XXX extra const keyword in the middle + const char * const * const foo; // immutable pointer to immutable + // pointer to immutable object + const char ** const foo; // immutable pointer to mutable pointer + // to immutable object + + Making const left-associative for * and right-associative for everything + else may not have been the best choice ever, but here we are, and the + inevitable result is people using trying to use const (as they should!), + putting it at the wrong place, fighting with the compiler for a bit, and + then either removing it or typecasting something in a bad way. I won't + go into describing restrict, but its syntax has exactly the same issue + as with const. + + Anyway, the last example above actually represents the *behavior* that's + required of strtol()-like functions, so that's our choice for the "end" + pointer. - * configure.ac: Check that -malign-loops works rather than assuming that - either -falign-loops or -malign-loops work. + Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-02-28 Mike Gilbert - * configure.ac: Remove -fnested-functions. We don't need it anymore. + build: Disable PIE in TARGET_CCASFLAGS if needed + PIE should be disabled in assembly sources as well, or else GRUB will + fail to boot. -2013-11-07 Vladimir Serbinenko + Bug: https://bugs.gentoo.org/667852 - * configure.ac: Prevent cflags leaking to subsequent tests by always - resetting cflags to target_cflags in target tests. + Reviewed-by: Daniel Kiper + Tested-by: John Paul Adrian Glaubitz -2013-11-07 Vladimir Serbinenko +2020-02-28 Mike Gilbert - * grub-core/kern/parser.c (grub_parser_split_cmdline): Remove nested - function. 
+ build: Move TARGET_* assignments earlier + On a 32-bit SPARC userland, configure fails to compile assembly and the + build fails: -2013-11-07 Vladimir Serbinenko + checking for options to compile assembly... configure: error: could not compile assembly - * grub-core/kern/misc.c (grub_vsnprintf_real): Remove nested functions. + config.log shows: -2013-11-07 Vladimir Serbinenko + asm-tests/sparc64.S: Assembler messages: + asm-tests/sparc64.S:5: Error: Architecture mismatch on "lduw [%o4+4],%o4". + asm-tests/sparc64.S:5: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) + asm-tests/sparc64.S:7: Error: Architecture mismatch on "stw %o5,[%o3]". + asm-tests/sparc64.S:7: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) + asm-tests/sparc64.S:8: Error: Architecture mismatch on "bne,pt %icc,1b ,pt %icc,1b". + asm-tests/sparc64.S:8: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) - * grub-core/lib/arg.c (grub_arg_parse): Remove nested function. + Simply moving these blocks earlier in configure.ac is sufficient to + ensure that the tests are executed with the appropriate flags + (specifically -m64 in this case). -2013-11-07 Vladimir Serbinenko + Bug: https://bugs.gentoo.org/667850 - * grub-core/normal/cmdline.c (grub_cmdline_get): - Remove nested functions. + Reviewed-by: Daniel Kiper + Tested-by: John Paul Adrian Glaubitz -2013-11-07 Vladimir Serbinenko +2020-02-28 Patrick Steinhardt - * tests/test_sha512sum.in: Make it work on emu. + luks2: Add missing newline to debug message + The debug message printed when decryption with a keyslot fails is + missing its trailing newline. Add it to avoid mangling it with + subsequent output. -2013-11-07 Vladimir Serbinenko + Reviewed-by: Daniel Kiper - * grub-core/normal/charset.c (bidi_line_wrap): Eliminate nested - functions. - (grub_bidi_line_logical_to_visual): Likewise. 
+2020-02-18 Michael Chang -2013-11-07 Vladimir Serbinenko + verifiers: Fix calling uninitialized function pointer + The necessary check for NULL before use of function ver->close is not + taking place in the failure path. This patch simply adds the missing + check and fixes the problem that GRUB hangs indefinitely after booting + rogue image without valid signature if secure boot is turned on. - Remove vestiges of -Wunsafe-loop-optimisations. + Now it displays like this for booting rogue UEFI image: - * conf/Makefile.common (CFLAGS_GNULIB): Remove - -Wno-unsafe-loop-optimisations. - * grub-core/commands/legacycfg.c: Remove -Wunsafe-loop-optimisations - pragma. - * grub-core/io/gzio.c: Likewise. - * grub-core/script/parser.y: Likewise. - * grub-core/script/yylex.l: Likewise. - * util/grub-mkfont.c: Likewise. + error: bad shim signature + error: you need to load the kernel first -2013-11-07 Vladimir Serbinenko + Press any key to continue... - * util/grub-mkfont.c (process_cursive): Remove nested function. + and then you can go back to boot menu by pressing any key or after a few + seconds expired. -2013-11-07 Vladimir Serbinenko + Reviewed-by: Javier Martinez Canillas + Reviewed-by: Daniel Kiper - * include/grub/misc.h (grub_dprintf): Use unnamed vararg. - (grub_boot_time): Likewise. +2020-02-18 Peter Jones -2013-11-07 Vladimir Serbinenko + grub-editenv: Make grub-editenv chase symlinks including those across devices + The grub-editenv create command will wrongly overwrite /boot/grub2/grubenv + with a regular file if grubenv is a symbolic link. But instead, it should + create a new file in the path the symlink points to. - * include/grub/symbol.h (FUNCTION): Use @function rather than - "function". - (VARIABLE): Likewise. + This lets /boot/grub2/grubenv be a symlink to /boot/efi/EFI/fedora/grubenv + even when they're different mount points, which allows grub2-editenv to be + the same across platforms (i.e. UEFI vs BIOS). 
-2013-11-07 Vladimir Serbinenko + For example, in Fedora the GRUB EFI builds have prefix set to /EFI/fedora + (on the EFI System Partition), but for BIOS machine it'll be /boot/grub2 + (which may or may not be its own mountpoint). - * grub-core/net/bootp.c (OFFSET_OF): Explicitly cast to grub_size_t. + With this patch, on EFI machines we can make /boot/grub2/grubenv a symlink + to /boot/efi/EFI/fedora/grubenv, and the same copy of grub-set-default will + work on both kinds of systems. -2013-11-07 Vladimir Serbinenko + Windows doesn't implement a readlink primitive, so the current behaviour is + maintained for this operating system. - * grub-core/net/bootp.c (set_env_limn_ro): Make pointer const. - (parse_dhcp_vendor): Likewise. + Reviewed-by: Adam Jackson + Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-02-18 Peter Jones - * util/grub-mkimagexx.c (relocate_symbols): Remove unneeded brackets. + grub-editenv: Add grub_util_readlink() + Currently grub-editenv and related tools are not able to follow symbolic + links when finding their config file. For example the grub-editenv create + command will wrongly overwrite a symlink in /boot/grub2/grubenv with a new + regular file, instead of creating a file in the path the symlink points to. -2013-11-07 Vladimir Serbinenko + A following patch will change that and add support in grub-editenv to + follow symbolic links when finding the grub environment variables file. - * grub-core/gettext/gettext.c (main_context), (secondary_context): - Define after defining type and not before. + Add a grub_util_readlink() helper function that is just a wrapper around + the platform specific function to read the value of a symbolic link. This + helper function will be used by the following patch for grub-editenv. -2013-11-07 Vladimir Serbinenko + The helper function is not added for Windows, since this operating system + doesn't have a primitive to read the contents of a symbolic link. 
- * grub-core/fs/zfs/zfscrypt.c (grub_ccm_decrypt): Return right error - type. - (grub_gcm_decrypt): Likewise. - (algo_decrypt): Likewise. - (grub_zfs_decrypt_real): Transform error type. + Reviewed-by: Adam Jackson + Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-02-18 Robert Marshall - * grub-core/disk/geli.c (geli_rekey): Fix error return type. + docs: Update info with grub.cfg netboot selection order + Add documentation to the GRUB manual that specifies the order netboot + clients use to select a GRUB configuration file. -2013-11-07 Vladimir Serbinenko + Also explain that the feature is enabled by default but can be disabled + by setting the "feature_net_search_cfg" environment variable to "n" in + an embedded configuration file. - * grub-core/disk/usbms.c (grub_usbms_cbi_cmd): Fix error type. - (grub_usbms_cbi_reset): Likewise. - (grub_usbms_bo_reset): Likewise. - (grub_usbms_reset): Likewise. - (grub_usbms_attach): Likewise. - (grub_usbms_transfer_cbi): Likewise. + Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-02-18 Paulo Flabiano Smorigo - * grub-core/io/lzopio.c (test_header): Simplify code and remove useless - "checksum = checksum;". + normal/main: Search for specific config files for netboot + This patch implements a search for a specific configuration when the config + file is on a remoteserver. It uses the following order: + 1) DHCP client UUID option. + 2) MAC address (in lower case hexadecimal with dash separators); + 3) IP (in upper case hexadecimal) or IPv6; + 4) The original grub.cfg file. -2013-11-07 Vladimir Serbinenko + This procedure is similar to what is used by pxelinux and yaboot: + http://www.syslinux.org/wiki/index.php/PXELINUX#config - * grub-core/fs/reiserfs.c (grub_reiserfs_iterate_dir): Fix type of - entry_type. + It is enabled by default but can be disabled by setting the environment + variable "feature_net_search_cfg" to "n" in an embedded configuration. 
-2013-11-07 Vladimir Serbinenko + Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=873406 - * grub-core/commands/legacycfg.c (grub_cmd_legacy_kernel): Fix - BIOS disk check. + Reviewed-by: Daniel Kiper -2013-11-07 Vladimir Serbinenko +2020-02-18 Paulo Flabiano Smorigo - * grub-core/bus/usb/ehci.c (grub_ehci_restore_hw): Return right enum - type. - (grub_ehci_fini_hw): Likewise. - * grub-core/bus/usb/usbhub.c (grub_usb_add_hub): Likewise. + net/dhcp: Set net__client{id, uuid} variables from DHCP options + This patch sets a net__clientid and net__clientuuid + GRUB environment variables, using the DHCP client ID and UUID options if + these are found. -2013-11-07 Vladimir Serbinenko + In the same way than net__
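Review bot: The added entries drop the "* file (function): change" form that the removed 2013 entries used, so a reader can no longer map a fix to code from the ChangeLog alone. The 2020-02-18 "verifiers: Fix calling uninitialized function pointer" entry names ver->close and describes the secure boot hang but gives no source file, and the 2020-03-10 "efi/uga: Use 64 bit for fb_base" entry mentions a pointer overflow check on 32 bit platforms without saying where it lives. Suggest adding the touched path to each such entry. Separately, the "Makefile: Make libgrub.pp depend on config-util.h" entry pastes the entire "gcc -E" command line and closes its diagnosis with "I think."; the "config-util.h: No such file or directory" error plus one sentence on the missing dependency would be enough, with the parallel-make race either confirmed or stated as a hypothesis up front.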