git.ipfire.org Git - thirdparty/grub.git/log
4 years ago configure: Check for -falign-jumps=1 beside -falign-loops=1
Fangrui Song via Grub-devel [Thu, 26 Aug 2021 16:02:32 +0000 (09:02 -0700)] 
configure: Check for -falign-jumps=1 beside -falign-loops=1

The Clang does not support -falign-jumps and only recently gained support
for -falign-loops. The -falign-jumps=1 should be tested beside
-falign-loops=1 to avoid passing unrecognized options to the Clang:

  clang-14: error: optimization flag '-falign-jumps=1' is not supported [-Werror,-Wignored-optimization-argument]

The -falign-functions=1 is supported by GCC 5.1.0/Clang 3.8.0. So, just
add the option unconditionally.

Signed-off-by: Fangrui Song <maskray@google.com>
Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago configure: Remove obsoleted -malign-{jumps, loops, functions}
Fangrui Song via Grub-devel [Thu, 26 Aug 2021 16:02:31 +0000 (09:02 -0700)] 
configure: Remove obsoleted -malign-{jumps, loops, functions}

The GCC warns "cc1: warning: ‘-malign-loops’ is obsolete, use ‘-falign-loops’".
The Clang silently ignores -malign-{jumps,loops,functions}.

The preferred -falign-* forms have been supported since GCC 3.2. So, just
remove -malign-{jumps,loops,functions}.

Signed-off-by: Fangrui Song <maskray@google.com>
Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/xfs: Fix unreadable filesystem with v4 superblock
Erwan Velu [Wed, 25 Aug 2021 13:31:52 +0000 (15:31 +0200)] 
fs/xfs: Fix unreadable filesystem with v4 superblock

The commit 8b1e5d193 (fs/xfs: Add bigtime incompat feature support)
introduced the bigtime support by adding some features in v3 inodes.
This change extended grub_xfs_inode struct by 76 bytes but also changed
the computation of XFS_V2_INODE_SIZE and XFS_V3_INODE_SIZE. Prior to this
commit, XFS_V2_INODE_SIZE was 100 bytes. After the commit it's 84 bytes:
XFS_V2_INODE_SIZE becomes 16 bytes too small.

As a result, the data structures aren't properly aligned and the GRUB
generates "attempt to read or write outside of partition" errors when
trying to read the XFS filesystem:

                             GNU GRUB  version 2.11
....
grub> set debug=efi,gpt,xfs
grub> insmod part_gpt
grub> ls (hd0,gpt1)/
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125
fs/xfs.c:931: Reading sb
fs/xfs.c:270: Validating superblock
fs/xfs.c:295: XFS v4 superblock detected
fs/xfs.c:962: Reading root ino 128
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (739521961424144223) - 344365866970255880, 3840
error: attempt to read or write outside of partition.

This commit changes the XFS_V2_INODE_SIZE computation by subtracting 76
bytes instead of 92 bytes from the actual size of grub_xfs_inode struct.
This 76 bytes value comes from added members:
  20 grub_uint8_t   unused5
   1 grub_uint64_t  flags2
  48 grub_uint8_t   unused6

This patch explicitly splits the v2 and v3 parts of the structure.
The unused4 is still the ending of the v2 structures and the v3 starts
at unused5. Thanks to this we will avoid future corruptions of v2
or v3 inodes.

The XFS_V2_INODE_SIZE is returning to its expected size and the
filesystem is back to a readable state:

                      GNU GRUB  version 2.11
....
grub> set debug=efi,gpt,xfs
grub> insmod part_gpt
grub> ls (hd0,gpt1)/
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125
fs/xfs.c:931: Reading sb
fs/xfs.c:270: Validating superblock
fs/xfs.c:295: XFS v4 superblock detected
fs/xfs.c:962: Reading root ino 128
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:931: Reading sb
fs/xfs.c:270: Validating superblock
fs/xfs.c:295: XFS v4 superblock detected
fs/xfs.c:962: Reading root ino 128
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (131) - 64, 768
efi/ fs/xfs.c:515: Reading inode (3145856) - 1464904, 0
grub2/ fs/xfs.c:515: Reading inode (132) - 64, 1024
grub/ fs/xfs.c:515: Reading inode (139) - 64, 2816
grub>

Fixes: 8b1e5d193 (fs/xfs: Add bigtime incompat feature support)
Signed-off-by: Erwan Velu <e.velu@criteo.com>
Tested-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago libgcrypt: Avoid -Wempty-body in rijndael do_setkey()
Heinrich Schuchardt [Fri, 13 Aug 2021 12:49:10 +0000 (14:49 +0200)] 
libgcrypt: Avoid -Wempty-body in rijndael do_setkey()

Avoid a warning

  lib/libgcrypt-grub/cipher/rijndael.c:229:9:
  warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
    229 |         ;
        |         ^

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago libgcrypt: Avoid -Wsign-compare in rijndael do_setkey()
Heinrich Schuchardt [Fri, 13 Aug 2021 14:15:33 +0000 (16:15 +0200)] 
libgcrypt: Avoid -Wsign-compare in rijndael do_setkey()

Avoid a warning

  lib/libgcrypt-grub/cipher/rijndael.c:352:21: warning:
  comparison of integer expressions of different signedness:
  ‘int’ and ‘unsigned int’ [-Wsign-compare]
    352 |       for (i = 0; i < keylen; i++)
        |

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago commands/setpci: Honor write mask argument
Wouter van Kesteren [Thu, 12 Aug 2021 14:56:13 +0000 (16:56 +0200)] 
commands/setpci: Honor write mask argument

In the case that one passes a write mask with ":" the write_mask is
obtained from grub_strtoul() and then promptly overwritten by 0xffffffff
three lines later.

This appears to have been so since the initial version of setpci in 2009.
I'm surprised no one else has hit this issue in the past 12 years...

Signed-off-by: Wouter van Kesteren <woutershep@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago osdep/linux/hostdisk: Use stat() instead of udevadm for partition lookup
Jeff Mahoney [Thu, 15 Jul 2021 15:35:28 +0000 (17:35 +0200)] 
osdep/linux/hostdisk: Use stat() instead of udevadm for partition lookup

The sysfs_partition_path() calls udevadm to resolve the sysfs path for
a block device. That can be accomplished by stating the device node
and using the major/minor to follow the symlinks in /sys/dev/block/.

This cuts the execution time of grub-mkconfig to somewhere near 55% on
a system without LVM (which uses libdevmapper instead of sysfs_partition_path()).

Remove udevadm call as it does not help us more than calling stat() directly.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago osdep: Introduce include/grub/osdep/major.h and use it
Petr Vorel [Thu, 15 Jul 2021 15:35:27 +0000 (17:35 +0200)] 
osdep: Introduce include/grub/osdep/major.h and use it

... to factor out fix for glibc 2.25 introduced in 7a5b301e3 (build: Use
AC_HEADER_MAJOR to find device macros).

Note: Once glibc 2.25 is old enough and this fix is not needed, also
AC_HEADER_MAJOR in configure.ac should be removed.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago ieee1275: Drop HEAP_MAX_ADDR and HEAP_MIN_SIZE constants
Daniel Axtens [Tue, 20 Jul 2021 21:14:46 +0000 (17:14 -0400)] 
ieee1275: Drop HEAP_MAX_ADDR and HEAP_MIN_SIZE constants

The HEAP_MAX_ADDR is confusing. Currently it is set to 32MB, except on
ieee1275 on x86, where it is 64MB.

There is a comment which purports to explain it:

  /* If possible, we will avoid claiming heap above this address, because it
     seems to cause relocation problems with OSes that link at 4 MiB */

This doesn't make a lot of sense when the constants are well above 4MB
already. It was not always this way. Prior to commit 7b5d0fe4440c
(Increase heap limit) in 2010, HEAP_MAX_SIZE and HEAP_MAX_ADDR were
indeed 4MB. However, when the constants were increased the comment was
left unchanged.

It's been over a decade. It doesn't seem like we have problems with
claims over 4MB on powerpc or x86 ieee1275. The SPARC does things
completely differently and never used the constant.

Drop the constant and the check.

The only use of HEAP_MIN_SIZE was to potentially override the
HEAP_MAX_ADDR check. It is now unused. Remove it too.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago tests/ahci: Change "ide-drive" deprecated QEMU device name to "ide-hd"
Marius Bakke [Sun, 13 Jun 2021 13:11:51 +0000 (15:11 +0200)] 
tests/ahci: Change "ide-drive" deprecated QEMU device name to "ide-hd"

The "ide-drive" device was removed in QEMU 6.0. The "ide-hd" has been
available for more than 10 years now in QEMU. Thus there shouldn't be
any need for backwards compatible names.

Signed-off-by: Marius Bakke <marius@gnu.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/ext2: Ignore checksum seed incompat feature
Javier Martinez Canillas [Fri, 11 Jun 2021 19:36:16 +0000 (21:36 +0200)] 
fs/ext2: Ignore checksum seed incompat feature

This incompat feature is used to denote that the filesystem stored its
metadata checksum seed in the superblock. This is used to allow tune2fs
changing the UUID on a mounted metadata_csum filesystem without having
to rewrite all the disk metadata. However, the GRUB doesn't use the
metadata checksum at all. So, it can just ignore this feature if it
is enabled. This is consistent with the GRUB filesystem code in general
which just does a best effort to access the filesystem's data.

The checksum seed incompat feature has to be removed from the ignore
list if the support for metadata checksum verification is added to the
GRUB ext2 driver later.

Suggested-by: Eric Sandeen <esandeen@redhat.com>
Suggested-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago zfs: Use grub_uint64_t instead of 1ULL in BF64_*CODE() macros
Glenn Washburn [Fri, 5 Mar 2021 00:22:45 +0000 (18:22 -0600)] 
zfs: Use grub_uint64_t instead of 1ULL in BF64_*CODE() macros

The underlying type of 1ULL does not change across architectures but
grub_uint64_t does. This allows using the BF64_*CODE() macros as
arguments to format string functions that use the PRI* format string
macros that also vary with architecture.

Change the grub_error() call, where this was previously an issue and
temporarily fixed by casting and using a format string literal code,
to now use PRI* macros and remove casting.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago Bump version to 2.11
Daniel Kiper [Tue, 8 Jun 2021 15:13:50 +0000 (17:13 +0200)] 
Bump version to 2.11

Skip versions between 2.07 and 2.10 to avoid leading zeros in minor
version number. This way version parsing in scripts should be easier.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago Release 2.06 grub-2.06
Daniel Kiper [Tue, 8 Jun 2021 14:28:15 +0000 (16:28 +0200)] 
Release 2.06

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago SECURITY: Add SECURITY file
Daniel Kiper [Wed, 12 May 2021 14:37:54 +0000 (16:37 +0200)] 
SECURITY: Add SECURITY file

The SECURITY file describes the GRUB project security policy.

It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md

Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago MAINTAINERS: Add MAINTAINERS file
Daniel Kiper [Wed, 12 May 2021 14:36:57 +0000 (16:36 +0200)] 
MAINTAINERS: Add MAINTAINERS file

The MAINTAINERS file provides basic information about the GRUB project
and its maintainers.

Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago grub-install: Add backup and restore
Dimitri John Ledkov [Tue, 1 Jun 2021 10:35:36 +0000 (11:35 +0100)] 
grub-install: Add backup and restore

Refactor clean_grub_dir() to create a backup of all the files, instead
of just irrevocably removing them as the first action. If available,
register atexit() handler to restore the backup if errors occur before
point of no return, or remove the backup if everything was successful.
If atexit() is not available, the backup remains on disk for manual
recovery.

Some platforms defined a point of no return, i.e. after modules & core
images were updated. Failures from any commands after that stage are
ignored, and backup is cleaned up. For example, on EFI platforms update
is not reverted when efibootmgr fails.

Extra care is taken to ensure atexit() handler is only invoked by the
parent process and not any children forks. Some older GRUB codebases
can invoke parent atexit() hooks from forks, which can mess up the
backup.

This allows safer upgrades of MBR & modules, such that
modules/images/fonts/translations are consistent with MBR in case of
errors. For example accidental grub-install /dev/non-existent-disk
currently clobbers and upgrades modules in /boot/grub, despite not
actually updating any MBR.

This patch only handles backup and restore of files copied to /boot/grub.
This patch does not perform backup (or restoration) of MBR itself or
blocklists. Thus when installing i386-pc platform, corruption may still
occur with MBR and blocklists which will not be attempted to be
automatically recovered.

Also add modinfo.sh and *.efi to the cleanup/backup/restore code path,
to ensure it is also cleaned, backed up and restored.

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago osdep/unix/exec: Avoid atexit() handlers when child execvp() fails
Dimitri John Ledkov [Thu, 29 Apr 2021 11:34:34 +0000 (12:34 +0100)] 
osdep/unix/exec: Avoid atexit() handlers when child execvp() fails

The functions grub_util_exec_pipe() and grub_util_exec_pipe_stderr()
currently call execvp(). If the call fails for any reason, the child
currently calls exit(127). This in turn executes the parent's
atexit() handlers from the forked child, and then the same handlers
are called again from parent. This is usually not desired, and can
lead to deadlocks, and undesired behavior. So, change the exit() calls
to _exit() calls to avoid calling atexit() handlers from child.

Fixes: e75cf4a58 (unix exec: avoid atexit handlers when child exits)
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
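
The difference between exit() and _exit() in a forked child whose execvp() fails, as an added example that is not code from the GRUB tree. The hook, the pipe used for counting and the helper path are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Write end of the reporting pipe. It stays -1 in the parent, so the
   parent's own exit does not report anything. */
static int report_fd = -1;
static int hook_registered = 0;

/* Stand-in for a parent-only cleanup hook (for example a backup
   restore routine). Each run inside a child writes one byte. */
static void cleanup_hook(void)
{
  if (report_fd >= 0)
    {
      ssize_t n = write(report_fd, "x", 1);
      (void) n;
    }
}

/*
 * Fork a child whose execvp() is guaranteed to fail and count how many
 * times the parent's atexit() hook ran inside that child.
 *   use_underscore_exit == 0: the child calls exit(127)
 *   use_underscore_exit != 0: the child calls _exit(127)
 * Returns the number of hook runs seen in the child, or -1 on failure.
 */
int hook_runs_in_child(int use_underscore_exit)
{
  /* Constructed path that does not exist, so execvp() fails. */
  char *argv[] = { (char *) "/nonexistent/constructed-helper", NULL };
  int pipefd[2];
  int status;
  int count = 0;
  char buf[8];
  ssize_t n;
  pid_t pid;

  if (!hook_registered)
    {
      if (atexit(cleanup_hook) != 0)
        return -1;
      hook_registered = 1;
    }
  if (pipe(pipefd) != 0)
    return -1;

  fflush(NULL); /* keep buffered stdio output from being duplicated */
  pid = fork();
  if (pid < 0)
    {
      close(pipefd[0]);
      close(pipefd[1]);
      return -1;
    }
  if (pid == 0)
    {
      close(pipefd[0]);
      report_fd = pipefd[1];
      execvp(argv[0], argv);
      /* Only reached when execvp() failed. */
      if (use_underscore_exit)
        _exit(127); /* skips atexit() handlers inherited from the parent */
      exit(127);    /* runs the inherited atexit() handlers in the child */
    }

  /* Parent: read until the child has closed its end of the pipe. */
  close(pipefd[1]);
  while ((n = read(pipefd[0], buf, sizeof buf)) > 0)
    count += (int) n;
  close(pipefd[0]);
  if (waitpid(pid, &status, 0) < 0)
    return -1;
  return count;
}

int main(void)
{
  printf("exit(127):  hook ran %d time(s) in the child\n",
         hook_runs_in_child(0));
  printf("_exit(127): hook ran %d time(s) in the child\n",
         hook_runs_in_child(1));
  return 0;
}
```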
4 years ago lib/i386/relocator64: Build fixes for i386
Jan (janneke) Nieuwenhuizen [Wed, 26 May 2021 18:18:24 +0000 (20:18 +0200)] 
lib/i386/relocator64: Build fixes for i386

This fixes cross-compiling to x86 (e.g., the Hurd) from x86-linux of

    grub-core/lib/i386/relocator64.S

This file has six sections that only build with a 64-bit assembler,
yet only the first two sections had support for a 32-bit assembler.
This patch completes this for the remaining sections.

To reproduce, update the GRUB source description in your local Guix
archive and run

   ./pre-inst-env guix build --system=i686-linux --target=i586-pc-gnu grub

or install an x86 cross-build environment on x86-linux (32-bit!) and
configure to cross build and make, e.g., do something like

    ./configure \
       CC_FOR_BUILD=gcc \
       --build=i686-unknown-linux-gnu \
       --host=i586-pc-gnu
    make

Additionally, remove a line with redundant spaces.

Signed-off-by: Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/xfs: Add needsrepair incompat feature support
Javier Martinez Canillas [Mon, 24 May 2021 17:40:07 +0000 (19:40 +0200)] 
fs/xfs: Add needsrepair incompat feature support

The XFS now has an incompat feature flag to indicate that a filesystem
needs to be repaired. The Linux kernel refuses to mount the filesystem
that has it set and only the xfs_repair tool is able to clear that flag.

The GRUB doesn't have the concept of mounting filesystems and just
attempts to read the files. But it does some sanity checking before
attempting to read from the filesystem. Among the things which are tested,
is if the super block only has a set of incompatible features flags that
are supported by GRUB. If it contains any flags that are not listed as
supported, reading the XFS filesystem fails.

Since the GRUB doesn't attempt to detect if the filesystem is inconsistent
nor replays the journal, the filesystem access is a best effort. For this
reason, ignore if the filesystem needs to be repaired and just print a debug
message. That way, if reading or booting fails later, the user is able to
figure out that the failures can be related to a broken XFS filesystem.

Suggested-by: Eric Sandeen <esandeen@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/xfs: Add bigtime incompat feature support
Carlos Maiolino [Mon, 24 May 2021 17:40:06 +0000 (19:40 +0200)] 
fs/xfs: Add bigtime incompat feature support

The XFS filesystem supports a bigtime feature to overcome the y2038 problem.
This patch makes the GRUB able to support the XFS filesystems with this
feature enabled.

The XFS counter for the bigtime enabled timestamps starts at 0, which
translates to GRUB_INT32_MIN (Dec 31 20:45:52 UTC 1901) in the legacy
timestamps. The conversion to Unix timestamps is made before passing the
value to other GRUB functions.

For this to work properly, GRUB requires access to the flags2 field in the
XFS ondisk inode. So, the grub_xfs_inode structure has been updated to
cover full ondisk inode.

Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs: Use 64-bit type for filesystem timestamp
Carlos Maiolino [Mon, 24 May 2021 17:40:05 +0000 (19:40 +0200)] 
fs: Use 64-bit type for filesystem timestamp

Some filesystems nowadays use 64-bit types for timestamps. So, update
grub_dirhook_info struct to use a grub_int64_t type to store mtime.
This also updates the grub_unixtime2datetime() function to receive
a 64-bit timestamp argument and do 64-bit-safe divisions.

All the remaining conversion from 32-bit to 64-bit should be safe, as
32-bit to 64-bit attributions will be implicitly casted. The most
critical part in the 32-bit to 64-bit conversion is in the function
grub_unixtime2datetime() where it needs to deal with the 64-bit type.
So, for that, the grub_divmod64() helper has been used.

These changes enable the GRUB to support dates beyond y2038.

Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago types: Define PRI{x,d}GRUB_INT{32,64}_T format specifiers
Javier Martinez Canillas [Mon, 24 May 2021 17:40:04 +0000 (19:40 +0200)] 
types: Define PRI{x,d}GRUB_INT{32,64}_T format specifiers

There are already PRI*_T constants defined for unsigned integers but not
for signed integers. Add format specifiers for the latter.

Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/efi/sb: Remove duplicate efi_shim_lock_guid variable
Tianjia Zhang [Mon, 17 May 2021 12:57:30 +0000 (20:57 +0800)] 
kern/efi/sb: Remove duplicate efi_shim_lock_guid variable

The efi_shim_lock_guid local variable and shim_lock_guid global variable
have the same GUID value. Only the latter is retained.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Fix wrong PE32+ section sizes for some arches grub-2.06-rc1a
Javier Martinez Canillas [Tue, 27 Apr 2021 10:25:08 +0000 (12:25 +0200)] 
util/mkimage: Fix wrong PE32+ section sizes for some arches

The commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
added a helper function to setup PE sections. But it also changed how the
raw data offsets were calculated since all the section sizes are aligned.
However, for some platforms, i.e. ia64-efi and arm64-efi, the kernel image
size is not aligned using the section alignment. This leads to the situation
in which the mods section offset in its PE section header does not match its
real placement in the PE file. So, finally the GRUB is not able to locate
and load built-in modules.

The problem surfaces on ia64-efi and arm64-efi because both platforms
require additional relocation data which is added behind .bss section.
So, we have to add some padding behind this extra data to make the
beginning of mods section properly aligned in the PE file. Fix it by
aligning the kernel_size to the section alignment. That makes the sizes
and offsets in the PE section headers to match relevant sections in the
PE32+ binary file.

Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago term/terminfo: Fix the terminfo command help and documentation
Daniel Kiper [Wed, 14 Apr 2021 14:45:31 +0000 (16:45 +0200)] 
term/terminfo: Fix the terminfo command help and documentation

Additionally, fix the terminfo spelling mistake in
the GRUB development documentation.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4 years ago i18n: Align N_() formatting with the rest of GRUB code
Daniel Kiper [Wed, 14 Apr 2021 14:55:10 +0000 (16:55 +0200)] 
i18n: Align N_() formatting with the rest of GRUB code

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4 years ago i18n: Format large integers before the translation message - take 2
Daniel Kiper [Wed, 14 Apr 2021 15:18:06 +0000 (17:18 +0200)] 
i18n: Format large integers before the translation message - take 2

This is an additional fix which has been missing from the commit 837fe48de
(i18n: Format large integers before the translation message).

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4 years ago i18n: Format large integers before the translation message
Miguel Ángel Arruga Vivas [Sat, 3 Apr 2021 13:33:33 +0000 (15:33 +0200)] 
i18n: Format large integers before the translation message

The GNU gettext only supports the ISO C99 macros for integral
types. If there is a need to use unsupported formatting macros,
e.g. PRIuGRUB_UINT64_T, according to [1] the number to a string
conversion should be separated from the code printing message
requiring the internationalization. So, the function grub_snprintf()
is used to print the numeric values to an intermediate buffer and
the internationalized message contains a string format directive.

[1] https://www.gnu.org/software/gettext/manual/html_node/Preparing-Strings.html#No-string-concatenation

Signed-off-by: Miguel Ángel Arruga Vivas <rosen644835@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago video/fb/fbfill: Use unsigned integers for width/height
Daniel Axtens [Thu, 1 Apr 2021 15:22:04 +0000 (02:22 +1100)] 
video/fb/fbfill: Use unsigned integers for width/height

Since commit 7ce3259f67ac (video/fb/fbfill: Fix potential integer
overflow), clang builds of grub-emu have failed with messages like:

  /usr/bin/ld: libgrubmods.a(libgrubmods_a-fbfill.o): in function `grub_video_fbfill_direct24':
  fbfill.c:(.text+0x28e): undefined reference to `__muloti4'

This appears to be due to a weird quirk in how clang compiles

  grub_mul(dst->mode_info->bytes_per_pixel, width, &rowskip)

which is grub_mul(unsigned int, int, &grub_size_t).

It looks like clang somewhere promotes everything to 128-bit maths
before ultimately reducing down to 64 bit for grub_size_t. I think
this is because width is signed, and indeed converting width to an
unsigned int makes the problem go away.

This conversion also makes more sense generally:
  - the caller of all the fbfill_directN functions is
    grub_video_fb_fill_dispatch() and it takes width and height as
    unsigned ints already,
  - it doesn't make sense to fill a negative width or height.

Convert the width and height arguments and associated loop counters
to unsigned ints.

Fixes: 7ce3259f67ac (video/fb/fbfill: Fix potential integer overflow)
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago docs: Conform badmem and cutmem description indentations with other commands
Glenn Washburn [Thu, 1 Apr 2021 00:11:53 +0000 (19:11 -0500)] 
docs: Conform badmem and cutmem description indentations with other commands

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago docs: Add note to cryptomount that UUIDs should be specified without dashes
Glenn Washburn [Thu, 1 Apr 2021 00:11:52 +0000 (19:11 -0500)] 
docs: Add note to cryptomount that UUIDs should be specified without dashes

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago templates: Fix user-facing typo with an incorrect use of "it's"
Aru Sahni [Tue, 23 Mar 2021 01:30:40 +0000 (21:30 -0400)] 
templates: Fix user-facing typo with an incorrect use of "it's"

Since the possessive form of "it" is being used, the apostrophe must be omitted.

Signed-off-by: Aru Sahni <aru@arusahni.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago buffer: Sync up out-of-range error message
Colin Watson [Fri, 19 Mar 2021 23:54:38 +0000 (23:54 +0000)] 
buffer: Sync up out-of-range error message

The messages associated with other similar GRUB_ERR_OUT_OF_RANGE errors
were lacking the trailing full stop. Syncing up the strings saves a small
amount of precious core image space on i386-pc.

  DOWN: obj/i386-pc/grub-core/kernel.img (31740 > 31708) - change: -32
  DOWN: i386-pc core image (biosdisk ext2 part_msdos) (27453 > 27452) - change: -1
  DOWN: i386-pc core image (biosdisk ext2 part_msdos diskfilter mdraid09) (32367 > 32359) - change: -8

Signed-off-by: Colin Watson <cjwatson@debian.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago usb/usbhub: Use GRUB_USB_MAX_CONF macro instead of literal in hub for maximum configs
Glenn Washburn [Fri, 19 Mar 2021 01:35:46 +0000 (20:35 -0500)] 
usb/usbhub: Use GRUB_USB_MAX_CONF macro instead of literal in hub for maximum configs

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/minix: Avoid mistakenly probing ext2 filesystems
Daniel Drake [Fri, 12 Mar 2021 18:05:08 +0000 (12:05 -0600)] 
fs/minix: Avoid mistakenly probing ext2 filesystems

The ext2 (and ext3, ext4) filesystems write the number of free inodes to
location 0x410.

On a MINIX filesystem, that same location is used for the MINIX superblock
magic number.

If the number of free inodes on an ext2 filesystem is equal to any
of the four MINIX superblock magic values plus any multiple of 65536,
GRUB's MINIX filesystem code will probe it as a MINIX filesystem.

In the case of an OS using ext2 as the root filesystem, since there will
ordinarily be some amount of file creation and deletion on every bootup,
it effectively means that this situation has a 1:16384 chance of being hit
on every reboot.

This will cause GRUB's filesystem probing code to mistakenly identify an
ext2 filesystem as MINIX. This can be seen by e.g. "search --label"
incorrectly indicating that no such ext2 partition with matching label
exists, whereas in fact it does.

After spotting the rough cause of the issue I was facing here, I borrowed
much of the diagnosis/explanation from meierfra who found and investigated
the same issue in util-linux in 2010:

  https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/518582

This was fixed in util-linux by having the MINIX code check for the
ext2 magic. Do the same here.

Signed-off-by: Daniel Drake <drake@endlessm.com>
Reviewed-by: Derek Foreman <derek@endlessos.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
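
The collision described in the commit message above, as an added example that is not GRUB's own code. It assumes little-endian on-disk fields, the ext2 magic 0xEF53 at offset 0x438, and the four 16-bit MINIX v1/v2 magic values listed in the code; the image heads are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SB_REGION_SIZE  0x440  /* covers both magic fields */
#define MINIX_MAGIC_OFF 0x410  /* MINIX magic; ext2 free inode count */
#define EXT2_MAGIC_OFF  0x438  /* assumption: ext2 s_magic, 1024 + 56 */
#define EXT2_MAGIC      0xEF53 /* assumption: ext2/ext3/ext4 magic */

/* Assumption: the four MINIX v1/v2 superblock magic values. */
static const uint16_t minix_magics[4] = { 0x137F, 0x138F, 0x2468, 0x2478 };

static uint16_t le16(const uint8_t *p)
{
  return (uint16_t) (p[0] | (p[1] << 8));
}

static int has_minix_magic(const uint8_t *img)
{
  uint16_t m = le16(img + MINIX_MAGIC_OFF);
  size_t i;

  for (i = 0; i < sizeof minix_magics / sizeof minix_magics[0]; i++)
    if (m == minix_magics[i])
      return 1;
  return 0;
}

/* Probe that trusts the 16-bit value at 0x410 alone. */
int probe_minix_naive(const uint8_t *img, size_t len)
{
  if (len < SB_REGION_SIZE)
    return 0;
  return has_minix_magic(img);
}

/* Probe that first rejects anything carrying the ext2 magic. */
int probe_minix_checked(const uint8_t *img, size_t len)
{
  if (len < SB_REGION_SIZE)
    return 0;
  if (le16(img + EXT2_MAGIC_OFF) == EXT2_MAGIC)
    return 0;
  return has_minix_magic(img);
}

/* Constructed head of an ext2 image: only the two fields that matter. */
void make_ext2_head(uint8_t *img, uint32_t free_inodes)
{
  memset(img, 0, SB_REGION_SIZE);
  img[MINIX_MAGIC_OFF + 0] = (uint8_t) (free_inodes & 0xff);
  img[MINIX_MAGIC_OFF + 1] = (uint8_t) ((free_inodes >> 8) & 0xff);
  img[MINIX_MAGIC_OFF + 2] = (uint8_t) ((free_inodes >> 16) & 0xff);
  img[MINIX_MAGIC_OFF + 3] = (uint8_t) ((free_inodes >> 24) & 0xff);
  img[EXT2_MAGIC_OFF + 0] = EXT2_MAGIC & 0xff;
  img[EXT2_MAGIC_OFF + 1] = EXT2_MAGIC >> 8;
}

/* How many of the 65536 possible low words of the free inode count
   make the naive probe report MINIX. */
unsigned count_colliding_low_words(void)
{
  uint8_t img[SB_REGION_SIZE];
  unsigned hits = 0;
  uint32_t v;

  for (v = 0; v < 65536; v++)
    {
      make_ext2_head(img, v);
      hits += (unsigned) probe_minix_naive(img, sizeof img);
    }
  return hits;
}

int main(void)
{
  uint8_t img[SB_REGION_SIZE];
  unsigned hits = count_colliding_low_words();

  printf("colliding low words: %u of 65536 (1 in %u)\n", hits, 65536 / hits);
  make_ext2_head(img, 0x137F + 3u * 65536u);
  printf("naive=%d checked=%d\n", probe_minix_naive(img, sizeof img),
         probe_minix_checked(img, sizeof img));
  return 0;
}
```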
4 years ago Release 2.06~rc1 grub-2.06-rc1
Daniel Kiper [Fri, 12 Mar 2021 15:09:51 +0000 (16:09 +0100)] 
Release 2.06~rc1

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago arm/linux: Fix ARM Linux header layout
Ard Biesheuvel [Sun, 25 Oct 2020 13:49:34 +0000 (14:49 +0100)] 
arm/linux: Fix ARM Linux header layout

The hdr_offset member of the ARM Linux image header appears at
offset 0x3c, matching the PE/COFF spec's placement of the COFF
header offset in the MS-DOS header. We're currently off by four,
so fix that.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago style: Format string macro should have a space between quotes
Glenn Washburn [Thu, 4 Mar 2021 01:51:04 +0000 (19:51 -0600)] 
style: Format string macro should have a space between quotes

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago grub/err: Do compile-time format string checking on grub_error()
Glenn Washburn [Fri, 5 Mar 2021 00:22:44 +0000 (18:22 -0600)] 
grub/err: Do compile-time format string checking on grub_error()

This should help prevent format string errors and thus improve the quality
of error reporting.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/zfs/zfs: Use format code "%llu" for 64-bit uint bp->blk_prop in grub_error()
Glenn Washburn [Fri, 5 Mar 2021 00:22:43 +0000 (18:22 -0600)] 
fs/zfs/zfs: Use format code "%llu" for 64-bit uint bp->blk_prop in grub_error()

This is a temporary, less-intrusive change to get the build to succeed with
compiler format string checking turned on. There is a better fix which
addresses this issue, but it needs more testing. Use this change so that
format string checking on grub_error() can be turned on until the better
change is fully tested.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/hfsplus: Use format code PRIuGRUB_UINT64_T for 64-bit typed fileblock in grub_error()
Glenn Washburn [Fri, 5 Mar 2021 00:22:42 +0000 (18:22 -0600)] 
fs/hfsplus: Use format code PRIuGRUB_UINT64_T for 64-bit typed fileblock in grub_error()

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago dl/elf: Use format code PRIxGRUB_UINT64_T for 64-bit arg in grub_error()
Glenn Washburn [Fri, 5 Mar 2021 00:22:41 +0000 (18:22 -0600)] 
dl/elf: Use format code PRIxGRUB_UINT64_T for 64-bit arg in grub_error()

The macro ELF_R_TYPE does not change the underlying type. Here its argument
is a 64-bit Elf64_Xword. Make sure the format code matches.

For the RISC-V architecture, rel->r_info could be either Elf32_Xword or
Elf64_Xword depending on if 32 or 64-bit RISC-V is being built. So cast
to 64-bit value regardless.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/ata: Use format code PRIxGRUB_UINT64_T for 64-bit uint argument in grub_error()
Glenn Washburn [Fri, 5 Mar 2021 00:22:40 +0000 (18:22 -0600)] 
disk/ata: Use format code PRIxGRUB_UINT64_T for 64-bit uint argument in grub_error()

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago loader/i386/pc/linux: Use PRI* macros to get correct format string code across archit...
Glenn Washburn [Fri, 5 Mar 2021 00:22:39 +0000 (18:22 -0600)] 
loader/i386/pc/linux: Use PRI* macros to get correct format string code across architectures

Also remove casting of format string args so that the architecture dependent
type is preserved.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/efi/mm: Format string error in grub_error()
Glenn Washburn [Fri, 5 Mar 2021 00:22:38 +0000 (18:22 -0600)] 
kern/efi/mm: Format string error in grub_error()

The second format string argument, GRUB_EFI_MAX_USABLE_ADDRESS, is a macro
to a number literal. However, depending on the target architecture, the
type can be 32 or 64 bits. Cast to a 64-bit integer. Also, change the
format string literals "%llx" to use PRIxGRUB_UINT64_T.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago commands/pgp: Format code for grub_error() is incorrect
Glenn Washburn [Fri, 5 Mar 2021 00:22:37 +0000 (18:22 -0600)] 
commands/pgp: Format code for grub_error() is incorrect

The format code is for a 32-bit int, but the argument, keyid, is declared as
a 64 bit int. The comment above says keyid is 32-bit. I'm not sure if the
comment or declaration is wrong, so force the display of a 64-bit int for now.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago grub_error: Use format code PRIuGRUB_SIZE for variables of type grub_size_t
Glenn Washburn [Fri, 5 Mar 2021 00:22:36 +0000 (18:22 -0600)] 
grub_error: Use format code PRIuGRUB_SIZE for variables of type grub_size_t

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/dmraid_nvidia: Format string error in grub_error()
Glenn Washburn [Fri, 5 Mar 2021 00:22:35 +0000 (18:22 -0600)] 
disk/dmraid_nvidia: Format string error in grub_error()

The grub_error() has a format string expecting two arguments, but only one
provided. According to the comments in the struct grub_nv_super definition,
the version field looks like a version number where major.minor is encoded
as each a byte in the two-byte short.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago video/bochs: grub_error() format string add missing format code
Glenn Washburn [Fri, 5 Mar 2021 00:22:34 +0000 (18:22 -0600)] 
video/bochs: grub_error() format string add missing format code

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago parttool/msdospart: grub_error() missing format string argument
Glenn Washburn [Fri, 5 Mar 2021 00:22:33 +0000 (18:22 -0600)] 
parttool/msdospart: grub_error() missing format string argument

It's obvious from the error message that the variable named "type" was
accidentally omitted.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago misc: Format string for grub_error() should be a literal
Glenn Washburn [Fri, 5 Mar 2021 00:22:32 +0000 (18:22 -0600)] 
misc: Format string for grub_error() should be a literal

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago templates: Properly disable the os-prober by default
Philip Müller [Tue, 9 Mar 2021 21:10:14 +0000 (22:10 +0100)] 
templates: Properly disable the os-prober by default

This patch does the following:
 - really disables os-prober by default in the util/grub-mkconfig.in
   by setting GRUB_DISABLE_OS_PROBER to true,
 - fixes the logic in the util/grub.d/30_os-prober.in,
 - updates the grub_warn() lines.

Reason for the code shuffling in the util/grub-mkconfig.in:

  The default was GRUB_DISABLE_OS_PROBER=false if you don't set
  GRUB_DISABLE_OS_PROBER at all. To prevent os-prober from starting we
  have to set it by default to true and shuffle GRUB_DISABLE_OS_PROBER to
  code section, which is executed by the script. However we still give an
  option to the user to overwrite it with false, if he wants to execute
  os-prober after all.

Fixes: e3464147 (templates: Disable the os-prober by default)
Reported-by: Didier Spaier <didier@slint.fr>
Reported-by: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Philip Müller <philm@manjaro.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/efi/sb: Add chainloaded image as shim's verifiable object
Michael Chang [Fri, 5 Mar 2021 13:48:53 +0000 (21:48 +0800)] 
kern/efi/sb: Add chainloaded image as shim's verifiable object

While attempting to dual boot Microsoft Windows with UEFI chainloader,
it failed with below error when UEFI Secure Boot was enabled:

  error ../../grub-core/kern/verifiers.c:119:verification requested but
  nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.

It is a regression, as previously it worked without any problem.

It turns out chainloading PE image has been locked down by commit
578c95298 (kern: Add lockdown support). However, we should consider it
as verifiable object by shim to allow booting in UEFI Secure Boot mode.
The chainloaded PE image could also have trusted signature created by
vendor with their pubkey cert in db. For that matter its usage should
not be locked down under UEFI Secure Boot, and instead shim should be
allowed to validate a PE binary signature before running it.

Fixes: 578c95298 (kern: Add lockdown support)
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/pata: Suppress error message "no device connected"
Glenn Washburn [Mon, 1 Mar 2021 19:36:28 +0000 (13:36 -0600)] 
disk/pata: Suppress error message "no device connected"

This error message comes from the grub_print_error() in
grub_pata_device_initialize(), which does not pass on the error, and is
raised in check_device(). The function check_device() needs to return this
as an error because check_device() is also used in grub_pata_open(), which
does pass on this error to indicate that the device can not be used.

This is actually not an error when displayed by grub_pata_device_initialize()
because it just indicates that there are no pata devices seen. This may be
confusing to end users who do not have pata devices yet are loading the
pata module (perhaps implicitly via nativedisk). This also causes unnecessary
output which may need to be accounted for in functional testing.

Instead print to the debug log when check_device() raises this "error" and
pop the error from the error stack. If there is another error on the stack
then print the error stack as those should be real errors.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/ext2: Fix a file not found error when a symlink filesize is equal to 60
Yi Zhao [Fri, 8 Jan 2021 00:39:47 +0000 (08:39 +0800)] 
fs/ext2: Fix a file not found error when a symlink filesize is equal to 60

We encountered a file not found error when the symlink filesize is
equal to 60:

  $ ls -l initrd
  lrwxrwxrwx 1 root root 60 Jan  6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz

When booting, we got the following error in the GRUB:

  error: file `/initrd' not found

The root cause is that the size of diro->inode.symlink is equal to 60
and a symlink name has to be terminated with NUL there. So, if the
symlink filesize is exactly 60 then it is also stored in a separate
block rather than in the inode itself.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago loader/i386/linux: Do not use grub_le_to_cpu32() for relocatable variable
Tianjia Zhang [Mon, 11 Jan 2021 03:04:36 +0000 (11:04 +0800)] 
loader/i386/linux: Do not use grub_le_to_cpu32() for relocatable variable

The relocatable variable is defined as grub_uint8_t. Relevant
member in setup_header structure is also defined as one byte
in Linux boot protocol. By semantic definition it is a bool type.
It is not appropriate to treat it as four bytes. This patch
fixes the issue.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago loader/i386/linux: Remove redundant code from in grub_cmd_linux()
Tianjia Zhang [Mon, 11 Jan 2021 03:04:51 +0000 (11:04 +0800)] 
loader/i386/linux: Remove redundant code from in grub_cmd_linux()

The preferred_address has been assigned to GRUB_LINUX_BZIMAGE_ADDR
during initialization in grub_cmd_linux(). The assignment here
is redundant and should be removed.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago efi: The device-tree must be in EfiACPIReclaimMemory
Heinrich Schuchardt [Fri, 29 Jan 2021 15:32:29 +0000 (16:32 +0100)] 
efi: The device-tree must be in EfiACPIReclaimMemory

According to the Embedded Base Boot Requirements (EBBR) specification the
device-tree passed to Linux as a configuration table must reside in
EfiACPIReclaimMemory.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago commands/efi/lsefisystab: Add short text for EFI_RT_PROPERTIES_TABLE_GUID
Heinrich Schuchardt [Tue, 2 Mar 2021 16:29:56 +0000 (17:29 +0100)] 
commands/efi/lsefisystab: Add short text for EFI_RT_PROPERTIES_TABLE_GUID

UEFI specification 2.8 errata B introduced the EFI_RT_PROPERTIES_TABLE
describing the services available at runtime.

The lsefisystab command is used to display installed EFI configuration
tables. Currently it only shows the GUID but not a short text for the
new table.

Provide a short text for the EFI_RT_PROPERTIES_TABLE_GUID.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago docs/luks2: Mention key derivation function support
Petr Vorel [Tue, 2 Mar 2021 16:16:57 +0000 (17:16 +0100)] 
docs/luks2: Mention key derivation function support

To give users hint why Argon2, the default in cryptsetup for LUKS2, does
not work.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Patrick Steinhardt <ps@pks.im>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago commands/file: Fix array/enum desync
Derek Foreman [Fri, 26 Feb 2021 18:05:07 +0000 (12:05 -0600)] 
commands/file: Fix array/enum desync

The commit f1957dc8a (RISC-V: Add to build system) added two entries to
the options array, but only 1 entry to the enum. This resulted in
everything after the insertion point being off by one.

This broke at least the "file --is-hibernated-hiberfil" command.

Bring the two back in sync by splitting the IS_RISCV_EFI enum entry into
two, as is done for other architectures.

Signed-off-by: Derek Foreman <derek@endlessos.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/mm: Fix grub_debug_calloc() compilation error
Marco A Benatto [Tue, 9 Feb 2021 15:33:06 +0000 (12:33 -0300)] 
kern/mm: Fix grub_debug_calloc() compilation error

Fix compilation error due to missing parameter to
grub_printf() when MM_DEBUG is defined.

Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available)
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago templates: Disable the os-prober by default
Alex Burmashev [Tue, 16 Feb 2021 10:12:12 +0000 (11:12 +0100)] 
templates: Disable the os-prober by default

The os-prober is enabled by default, which may lead to potentially
dangerous use cases and borderline opening attack vectors. This
patch disables the os-prober, adds warning messages and updates
GRUB_DISABLE_OS_PROBER configuration option documentation. This
way we make it clear that the os-prober usage is not recommended.

Simplistic nature of this change allows downstream vendors, who
really want os-prober to be enabled out of the box in their
relevant products, to easily revert to its old behavior.

Reported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec),
             working with SSD Secure Disclosure
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label
Thomas Frauendorfer | Miray Software [Tue, 4 Aug 2020 11:49:51 +0000 (13:49 +0200)] 
gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label

The gui_progress_bar and gui_label components can display the timeout
value. The format string can be set through a theme file. This patch
adds a validation step to the format string.

If a user loads a theme file into the GRUB without this patch then
a GUI label with the following settings

  + label {
  ...
  id = "__timeout__"
  text = "%s"
  }

will interpret the current timeout value as string pointer and print the
memory at that position on the screen. It is not desired behavior.

Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/misc: Add function to check printf() format against expected format
Thomas Frauendorfer | Miray Software [Thu, 4 Feb 2021 18:02:33 +0000 (19:02 +0100)] 
kern/misc: Add function to check printf() format against expected format

The grub_printf_fmt_check() function parses the arguments of an untrusted
printf() format and an expected printf() format and then compares the
arguments counts and arguments types. The arguments count in the untrusted
format string must be less than or equal to the arguments count in the expected
format string and both arguments types must match.

To do this the parse_printf_arg_fmt() helper function is extended in the
following way:

  1. Add a return value to report errors to the grub_printf_fmt_check().

  2. Add the fmt_check argument to enable stricter format verification:
     - the function expects that arguments definitions are always
       terminated by a supported conversion specifier.
     - positional parameters, "$", are not allowed, as they cannot be
       validated correctly with the current implementation. For example
       "%s%1$d" would assign the first args entry twice while leaving the
       second one unchanged.
     - Return an error if preallocated space in args is too small and
       allocation fails for the needed size. The grub_printf_fmt_check()
       should verify all arguments. So, if validation is not possible for
       any reason it should return an error.
     This also adds a case entry to handle "%%", which is the escape
     sequence to print "%" character.

  3. Add the max_args argument to check for the maximum allowed arguments
     count in a printf() string. This should be set to the arguments count
     of the expected format. Then the parse_printf_arg_fmt() function will
     return an error if the arguments count is exceeded.

The two additional arguments allow us to use parse_printf_arg_fmt() in
printf() and grub_printf_fmt_check() calls.

When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the
function parses a user-provided untrusted format string too. So, in
that case it is better to be too strict than too lenient.

Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
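
The check described in the gfxmenu/gui and kern/misc commits above, sketched as an added example (not GRUB's code): an untrusted format such as a theme's `text` value is accepted only if each of its conversions matches the expected format in order and it uses no more arguments. The names `parse_fmt`, `fmt_check` and the `arg_type` classes are assumptions made for this illustration, and the theme strings are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the validation described above; not GRUB's code.
   Argument classes are an assumption of this example. */
enum arg_type { ARG_INT, ARG_UINT, ARG_LONG, ARG_ULONG,
                ARG_LLONG, ARG_ULLONG, ARG_POINTER, ARG_STRING };

#define MAX_ARGS 8

/* Record the argument types used by fmt. Returns the argument count, or -1
   for anything that cannot be validated (strict mode). */
static int parse_fmt(const char *fmt, enum arg_type *types, int max_args)
{
  static const enum arg_type signed_by_len[] = { ARG_INT, ARG_LONG, ARG_LLONG };
  static const enum arg_type unsigned_by_len[] = { ARG_UINT, ARG_ULONG, ARG_ULLONG };
  const char *p = fmt;
  int n = 0;

  while (*p)
    {
      int longs = 0;
      enum arg_type t;

      if (*p++ != '%')
        continue;
      if (*p == '%')            /* "%%" prints '%' and consumes no argument. */
        {
          p++;
          continue;
        }
      /* Skip flags, width and precision. */
      while (*p && strchr("-+ #0123456789.", *p))
        p++;
      /* Positional ("$") and argument-supplied ("*") fields are rejected. */
      if (*p == '$' || *p == '*')
        return -1;
      while (*p == 'l')
        {
          longs++;
          p++;
        }
      if (longs > 2)
        return -1;
      switch (*p)
        {
        case 'd': case 'i':
          t = signed_by_len[longs];
          break;
        case 'u': case 'x': case 'X': case 'o':
          t = unsigned_by_len[longs];
          break;
        case 'c': case 'p': case 's':
          if (longs)
            return -1;
          t = *p == 'c' ? ARG_INT : *p == 'p' ? ARG_POINTER : ARG_STRING;
          break;
        default:                /* Unknown specifier or format ends after '%'. */
          return -1;
        }
      p++;
      if (n >= max_args)        /* More arguments than the caller will pass. */
        return -1;
      types[n++] = t;
    }
  return n;
}

/* Returns 0 if untrusted may be used wherever expected is used, else -1. */
int fmt_check(const char *untrusted, const char *expected)
{
  enum arg_type want[MAX_ARGS], got[MAX_ARGS];
  int n_want, n_got, i;

  n_want = parse_fmt(expected, want, MAX_ARGS);
  if (n_want < 0)
    return -1;
  n_got = parse_fmt(untrusted, got, n_want);
  if (n_got < 0)
    return -1;
  for (i = 0; i < n_got; i++)
    if (got[i] != want[i])      /* "%s" never matches an integer or "%p". */
      return -1;
  return 0;
}

int main(void)
{
  /* Constructed theme "text" values, checked against the expected "%d". */
  static const char *const samples[] =
    { "%d", "Booting in %d s", "100%%", "%s", "%1$d", "%d%d", "%lld" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%-18s %s\n", samples[i],
           fmt_check(samples[i], "%d") == 0 ? "accepted" : "rejected");
  return 0;
}
```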
4 years ago kern/misc: Add STRING type for internal printf() format handling
Thomas Frauendorfer | Miray Software [Mon, 15 Feb 2021 13:04:26 +0000 (14:04 +0100)] 
kern/misc: Add STRING type for internal printf() format handling

Set printf() argument type for "%s" to new type STRING. This is in
preparation for a follow up patch to compare a printf() format string
against an expected printf() format string.

For "%s" the corresponding printf() argument is dereferenced as pointer
while all other argument types are defined as integer value. However,
when validating a printf() format it is necessary to differentiate "%s"
from "%p" and other integers. So, let's do that.

Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/misc: Split parse_printf_args() into format parsing and va_list handling
Thomas Frauendorfer | Miray Software [Mon, 15 Feb 2021 12:40:16 +0000 (13:40 +0100)] 
kern/misc: Split parse_printf_args() into format parsing and va_list handling

This patch is preparing for a follow up patch which will use
the format parsing part to compare the arguments in a printf()
format from an external source against a printf() format with
expected arguments.

Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago shim_lock: Only skip loading shim_lock verifier with explicit consent
Dimitri John Ledkov [Sat, 20 Feb 2021 17:10:34 +0000 (17:10 +0000)] 
shim_lock: Only skip loading shim_lock verifier with explicit consent

Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock
protocol is found and SB enabled) reintroduced CVE-2020-15705 which
previously only existed in the out-of-tree linuxefi patches and was
fixed as part of the BootHole patch series.

Under Secure Boot enforce loading shim_lock verifier. Allow skipping
shim_lock verifier if SecureBoot/MokSBState EFI variables indicate
skipping validations, or if GRUB image is built with --disable-shim-lock.

Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock
       protocol is found and SB enabled)
Fixes: CVE-2020-15705
Fixes: CVE-2021-3418
Reported-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago grub-install-common: Add --sbat option
Dimitri John Ledkov [Mon, 22 Feb 2021 17:05:25 +0000 (17:05 +0000)] 
grub-install-common: Add --sbat option

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Add an option to import SBAT metadata into a .sbat section
Peter Jones [Mon, 15 Feb 2021 16:07:00 +0000 (17:07 +0100)] 
util/mkimage: Add an option to import SBAT metadata into a .sbat section

Add a --sbat option to the grub-mkimage tool which allows us to import
an SBAT metadata formatted as a CSV file into a .sbat section of the
EFI binary.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Refactor section setup to use a helper
Peter Jones [Mon, 15 Feb 2021 13:58:06 +0000 (14:58 +0100)] 
util/mkimage: Refactor section setup to use a helper

Add an init_pe_section() helper function to set up PE sections. This makes
the code simpler and easier to read.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Improve data_size value calculation
Peter Jones [Thu, 11 Feb 2021 16:07:33 +0000 (17:07 +0100)] 
util/mkimage: Improve data_size value calculation

According to "Microsoft Portable Executable and Common Object File Format
Specification", the Optional Header SizeOfInitializedData field contains:

  Size of the initialized data section, or the sum of all such sections if
  there are multiple data sections.

Make this explicit by adding the GRUB kernel data size to the sum of all
the modules sizes. The ALIGN_UP() is not required by the PE spec but do
it to avoid alignment issues.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Reorder PE optional header fields set-up
Peter Jones [Mon, 15 Feb 2021 13:21:48 +0000 (14:21 +0100)] 
util/mkimage: Reorder PE optional header fields set-up

This makes the PE32 and PE32+ header fields set-up easier to follow by
setting them closer to the initialization of their related sections.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Unify more of the PE32 and PE32+ header set-up
Peter Jones [Mon, 15 Feb 2021 13:19:31 +0000 (14:19 +0100)] 
util/mkimage: Unify more of the PE32 and PE32+ header set-up

There's quite a bit of code duplication in the code that sets the optional
header for PE32 and PE32+. The two are very similar with the exception of
a few fields that have type grub_uint64_t instead of grub_uint32_t.

Factor out the common code and add a PE_OHDR() macro that simplifies the
set-up and makes the code more readable.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap...
Peter Jones [Mon, 15 Feb 2021 13:14:24 +0000 (14:14 +0100)] 
util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff

This change does not impact final result of initialization itself.
However, it eases PE code unification in subsequent patches.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()
Peter Jones [Mon, 15 Feb 2021 12:59:21 +0000 (13:59 +0100)] 
util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()

The latter doesn't take into account the target image endianness. There is
a grub_cpu_to_le32_compile_time() but no compile time variant for function
grub_host_to_target32(). So, let's keep using the other one for this case.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago util/mkimage: Remove unused code to add BSS section
Javier Martinez Canillas [Thu, 11 Feb 2021 16:06:49 +0000 (17:06 +0100)] 
util/mkimage: Remove unused code to add BSS section

The code is compiled out so there is no reason to keep it.

Additionally, don't set bss_size field since we do not add a BSS section.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/efi: Add initial stack protector implementation
Chris Coulson [Tue, 1 Dec 2020 23:03:39 +0000 (23:03 +0000)] 
kern/efi: Add initial stack protector implementation

It works only on UEFI platforms but can be quite easily extended to
other architectures and platforms if needed.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
4 years ago kern/parser: Fix a stack buffer overflow
Chris Coulson [Thu, 7 Jan 2021 19:21:03 +0000 (19:21 +0000)] 
kern/parser: Fix a stack buffer overflow

grub_parser_split_cmdline() expands variable names present in the supplied
command line into their corresponding variable contents and uses a 1 kiB
stack buffer for temporary storage without sufficient bounds checking. If
the function is called with a command line that references a variable with
a sufficiently large payload, it is possible to overflow the stack
buffer via tab completion, corrupt the stack frame and potentially
control execution.

Fixes: CVE-2020-27749
Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/buffer: Add variable sized heap buffer
Chris Coulson [Thu, 7 Jan 2021 15:15:43 +0000 (15:15 +0000)] 
kern/buffer: Add variable sized heap buffer

Add a new variable sized heap buffer type (grub_buffer_t) with simple
operations for appending data, accessing the data and maintaining
a read cursor.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
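
The pattern behind the kern/parser overflow fix and the kern/buffer commit above, as an added example that is not GRUB's code: variable expansion writes into a heap buffer that grows on demand and checks every size computation, so a variable value larger than 1 kiB cannot run past fixed storage. `struct dynbuf`, `dynbuf_append`, `dynbuf_read`, `expand_vars` and the demo helpers are hypothetical names, and the command line and variable value are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable heap buffer (not GRUB's grub_buffer_t). */
struct dynbuf
{
  char *data;
  size_t used;                  /* bytes appended so far */
  size_t size;                  /* bytes allocated */
  size_t pos;                   /* read cursor */
};

/* Append len bytes, growing as needed. Returns -1 on size wrap or OOM. */
static int dynbuf_append(struct dynbuf *b, const void *src, size_t len)
{
  if (len == 0)
    return 0;
  if (len > SIZE_MAX - b->used) /* used + len would wrap around. */
    return -1;
  if (b->used + len > b->size)
    {
      size_t want = b->size ? b->size : 64;
      char *grown;

      while (want < b->used + len)
        {
          if (want > SIZE_MAX / 2)
            return -1;
          want *= 2;
        }
      grown = realloc(b->data, want);
      if (grown == NULL)
        return -1;
      b->data = grown;
      b->size = want;
    }
  memcpy(b->data + b->used, src, len);
  b->used += len;
  return 0;
}

/* Copy up to len unread bytes into dst and advance the read cursor. */
static size_t dynbuf_read(struct dynbuf *b, void *dst, size_t len)
{
  size_t avail = b->used - b->pos;

  if (len > avail)
    len = avail;
  if (len)
    memcpy(dst, b->data + b->pos, len);
  b->pos += len;
  return len;
}

static int is_name_char(char c)
{
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
         || (c >= '0' && c <= '9') || c == '_';
}

/* Expand "$name" in line using one (name, value) binding; unknown names
   expand to nothing. Every byte goes through the checked append. */
static int expand_vars(const char *line, const char *name,
                       const char *value, struct dynbuf *out)
{
  while (*line)
    {
      if (*line == '$' && is_name_char(line[1]))
        {
          const char *start = ++line;
          size_t n;

          while (is_name_char(*line))
            line++;
          n = (size_t) (line - start);
          if (n == strlen(name) && memcmp(start, name, n) == 0
              && dynbuf_append(out, value, strlen(value)) < 0)
            return -1;
        }
      else if (dynbuf_append(out, line++, 1) < 0)
        return -1;
    }
  return 0;
}

/* Expand the constructed line "echo $payload end" with a value of value_len
   bytes. Returns the expanded length, or -1 on failure. */
long demo_expand_len(size_t value_len)
{
  struct dynbuf out = { NULL, 0, 0, 0 };
  char *value = malloc(value_len + 1);
  char head[5];
  long result = -1;

  if (value == NULL)
    return -1;
  memset(value, 'A', value_len);
  value[value_len] = '\0';
  if (expand_vars("echo $payload end", "payload", value, &out) == 0
      && dynbuf_read(&out, head, sizeof head) == sizeof head
      && memcmp(head, "echo ", sizeof head) == 0)
    result = (long) out.used;
  free(out.data);
  free(value);
  return result;
}

/* Returns 1 if an append whose length would wrap the size is refused. */
int demo_wrap_rejected(void)
{
  struct dynbuf b = { NULL, 0, 0, 0 };
  int refused = dynbuf_append(&b, "x", 1) == 0
                && dynbuf_append(&b, "x", SIZE_MAX) == -1;

  free(b.data);
  return refused;
}

int main(void)
{
  printf("16-byte value   -> %ld bytes\n", demo_expand_len(16));
  printf("4096-byte value -> %ld bytes\n", demo_expand_len(4096));
  printf("wrapping append refused: %d\n", demo_wrap_rejected());
  return 0;
}
```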
4 years ago kern/parser: Refactor grub_parser_split_cmdline() cleanup
Chris Coulson [Wed, 6 Jan 2021 13:54:26 +0000 (13:54 +0000)] 
kern/parser: Refactor grub_parser_split_cmdline() cleanup

Introduce a common function epilogue used for cleaning up on all
return paths, which will simplify additional error handling to be
introduced in a subsequent commit.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/parser: Introduce terminate_arg() helper
Chris Coulson [Thu, 7 Jan 2021 19:53:55 +0000 (19:53 +0000)] 
kern/parser: Introduce terminate_arg() helper

process_char() and grub_parser_split_cmdline() use similar code for
terminating the most recent argument. Add a helper function for this.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/parser: Introduce process_char() helper
Chris Coulson [Tue, 5 Jan 2021 22:17:28 +0000 (22:17 +0000)] 
kern/parser: Introduce process_char() helper

grub_parser_split_cmdline() iterates over each command line character.
In order to add error checking and to simplify the subsequent error
handling, split the character processing into a separate function.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago kern/parser: Fix a memory leak
Chris Coulson [Wed, 18 Nov 2020 00:59:24 +0000 (00:59 +0000)] 
kern/parser: Fix a memory leak

The getline() function supplied to grub_parser_split_cmdline() returns
a newly allocated buffer and can be called multiple times, but the
returned buffer is never freed.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/btrfs: Squash some uninitialized reads
Daniel Axtens [Mon, 18 Jan 2021 06:27:18 +0000 (17:27 +1100)] 
fs/btrfs: Squash some uninitialized reads

We need to check errors before calling into a function that uses the result.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/btrfs: Validate the number of stripes/parities in RAID5/6
Daniel Axtens [Mon, 18 Jan 2021 06:17:16 +0000 (17:17 +1100)] 
fs/btrfs: Validate the number of stripes/parities in RAID5/6

This prevents a divide by zero if nstripes == nparities, and
also prevents propagation of invalid values if nstripes ends up
less than nparities.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/lvm: Do not allow a LV to be it's own segment's node's LV
Daniel Axtens [Fri, 22 Jan 2021 03:42:21 +0000 (14:42 +1100)] 
disk/lvm: Do not allow a LV to be it's own segment's node's LV

This prevents infinite recursion in the diskfilter verification code.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/lvm: Sanitize rlocn->offset to prevent wild read
Daniel Axtens [Fri, 22 Jan 2021 03:43:58 +0000 (14:43 +1100)] 
disk/lvm: Sanitize rlocn->offset to prevent wild read

rlocn->offset is read directly from disk and added to the metadatabuf
pointer to create a pointer to a block of metadata. It's a 64-bit
quantity so as long as you don't overflow you can set subsequent
pointers to point anywhere in memory.

Require that rlocn->offset fits within the metadata buffer size.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/lvm: Do not overread metadata
Daniel Axtens [Thu, 21 Jan 2021 07:35:22 +0000 (18:35 +1100)] 
disk/lvm: Do not overread metadata

We could reach the end of valid metadata and not realize, leading to
some buffer overreads. Check if we have reached the end and bail.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/lvm: Do not crash if an expected string is not found
Daniel Axtens [Thu, 21 Jan 2021 07:35:22 +0000 (18:35 +1100)] 
disk/lvm: Do not crash if an expected string is not found

Clean up a bunch of cases where we could have strstr() fail and lead to
us dereferencing NULL.

We'll still leak memory in some cases (loops don't clean up allocations
from earlier iterations if a later iteration fails) but at least we're
not crashing.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/lvm: Bail on missing PV list
Daniel Axtens [Thu, 21 Jan 2021 07:54:29 +0000 (18:54 +1100)] 
disk/lvm: Bail on missing PV list

There's an if block for the presence of "physical_volumes {", but if
that block is absent, then p remains NULL and a NULL-deref will result
when looking for logical volumes.

It doesn't seem like LVM makes sense without physical volumes, so error
out rather than crashing.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/lvm: Don't blast past the end of the circular metadata buffer
Daniel Axtens [Thu, 21 Jan 2021 07:19:51 +0000 (18:19 +1100)] 
disk/lvm: Don't blast past the end of the circular metadata buffer

This catches at least some OOB reads, and it's possible I suppose that
if 2 * mda_size is less than GRUB_LVM_MDA_HEADER_SIZE it might catch some
OOB writes too (although that hasn't shown up as a crash in fuzzing yet).

It's a bit ugly and I'd appreciate better suggestions.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago disk/lvm: Don't go beyond the end of the data we read from disk
Daniel Axtens [Thu, 21 Jan 2021 06:59:14 +0000 (17:59 +1100)] 
disk/lvm: Don't go beyond the end of the data we read from disk

We unconditionally trusted offset_xl from the LVM label header, even if
it told us that the PV header/disk locations were way off past the end
of the data we read from disk.

Require that the offset be sane, fixing an OOB read and crash.

Fixes: CID 314367, CID 314371
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails
Daniel Axtens [Thu, 21 Jan 2021 01:22:28 +0000 (12:22 +1100)] 
io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails

If huft_build() fails, gzio->tl or gzio->td could contain pointers that
are no longer valid. Zero them out.

This prevents a double free when grub_gzio_close() comes through and
attempts to free them again.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago io/gzio: Catch missing values in huft_build() and bail
Daniel Axtens [Thu, 21 Jan 2021 01:20:49 +0000 (12:20 +1100)] 
io/gzio: Catch missing values in huft_build() and bail

In huft_build(), "v" is a table of values in order of bit length.
The code later (when setting up table entries in "r") assumes that all
elements of this array corresponding to a code are initialized and less
than N_MAX. However, it doesn't enforce this.

With sufficiently manipulated inputs (e.g. from fuzzing), there can be
elements of "v" that are not filled. Therefore a lookup into "e" or "d"
will use an uninitialized value. This can lead to an invalid/OOB read on
those values, often leading to a crash.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
Daniel Axtens [Wed, 20 Jan 2021 13:05:58 +0000 (00:05 +1100)] 
io/gzio: Add init_dynamic_block() clean up if unpacking codes fails

init_dynamic_block() didn't clean up gzio->tl and td in some error
paths. This left td pointing to part of tl. Then in grub_gzio_close(),
when tl was freed the storage for td would also be freed. The code then
attempts to free td explicitly, performing a UAF and then a double free.

Explicitly clean up tl and td in the error paths.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago io/gzio: Bail if gzio->tl/td is NULL
Daniel Axtens [Wed, 13 Jan 2021 09:59:09 +0000 (20:59 +1100)] 
io/gzio: Bail if gzio->tl/td is NULL

This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
However, it seems to be sufficient to patch up a bunch of NULL derefs.

It would be good to revisit this in future and see if we can have
a cleaner solution that addresses some of the causes of the unexpected
NULL pointers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
Daniel Axtens [Mon, 18 Jan 2021 06:06:19 +0000 (17:06 +1100)] 
fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()

We just introduced an error return in grub_nilfs2_btree_node_lookup().
Make sure the callers catch it.

At the same time, make sure that grub_nilfs2_btree_node_lookup() always
inits the index pointer passed to it.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
4 years ago fs/nilfs2: Don't search children if provided number is too large
Daniel Axtens [Mon, 18 Jan 2021 05:49:44 +0000 (16:49 +1100)] 
fs/nilfs2: Don't search children if provided number is too large

NILFS2 reads the number of children a node has from the node. Unfortunately,
that's not trustworthy. Check if it's beyond what the filesystem permits and
reject it if so.

This blocks some OOB reads. I'm not sure how controllable the read is and what
could be done with invalidly read data later on.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>