osdep/hurd/getroot: Remove unused variables in grub_util_find_hurd_root_device()
Found during a test build on Debian/hurd-i386 with --disable-werror enabled:
In file included from grub-core/osdep/getroot.c:12:
grub-core/osdep/hurd/getroot.c: In function ‘grub_util_find_hurd_root_device’:
grub-core/osdep/hurd/getroot.c:126:13: error: unused variable ‘next’ [-Werror=unused-variable]
126 | char *next;
| ^~~~
grub-core/osdep/hurd/getroot.c:125:14: error: unused variable ‘size’ [-Werror=unused-variable]
125 | size_t size;
| ^~~~
Fixes: e981b0a24 (osdep/hurd/getroot: Use "part:" qualifier) Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 21 Feb 2023 18:28:48 +0000 (12:28 -0600)]
gdb: If no modules have been loaded, do not try to load module symbols
This prevents load_all_modules from failing when called before any
modules have been loaded. Failures in GDB user-defined functions cause
any function which called them to also fail.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 21 Feb 2023 18:28:47 +0000 (12:28 -0600)]
gdb: Prevent wrapping when writing to .segments.tmp
GDB logging is redirected to write .segments.tmp, which means that GDB
will wrap lines longer than what it thinks is the screen width
(typically 80 characters). When wrapping does occur it causes gmodule.pl
to misbehave. So disable line wrapping by using GDB's "with" command so
that its guaranteed to return the width to the previous value upon
command completion.
Also disable command tracing when dumping the module sections because that
output will go to .segments.tmp and thus cause gmodule.pl to misbehave.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 21 Feb 2023 18:28:46 +0000 (12:28 -0600)]
gdb: Fix redirection issue in dump_module_sections
An error in any GDB command causes it to immediately abort with an error,
this includes any command that calls that command. This leads to an issue
in dump_module_sections where an error causes the command to exit without
turning off file redirection. The user then ends up with a GDB command
line where commands output nothing to the console.
Instead do the work of dump_module_sections in the command
dump_module_sections_helper and run the command using GDB's pipe command
which does the redirection and undoes the redirection when it finishes
regardless of any errors in the command.
Also, remove .segments.tmp file prior to loading modules in case one was
left from a previous run.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 21 Feb 2023 18:20:32 +0000 (12:20 -0600)]
efi: Allow expression as func argument to efi_call_* macros on all platforms
On EFI platforms where EFI calls do not require a wrapper (notably i386-efi
and arm64-efi), the func argument needs to be wrapped in parenthesis to
allow valid syntax when func is an expression which evaluates to a function
pointer. On EFI platforms that do need a wrapper, this was never an issue
because func is passed to the C function wrapper as an argument and thus
does not need parenthesis to be evaluated.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Jeremy Szu [Mon, 20 Feb 2023 23:42:51 +0000 (07:42 +0800)]
loader/i386/linux: Correct wrong initrd address for debug
The "addr" is used to request the memory with specific ranges but the real
loadable address come from the relocator. Thus, print the final retrieved
addresses, virtual and physical, for initrd.
On the occasion migrate to PRIxGRUB_ADDR and PRIxGRUB_SIZE format specifiers.
Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Thu, 16 Feb 2023 07:04:37 +0000 (01:04 -0600)]
tests: Add pathological iso9660 filesystem tests
These are not added to grub-fs-tester because they are not generated and
none of the filesystem tests are run on these ISOs. The test is to run the
command "ls /" on the ISO, and a failure is determined if the command
times out, has non-zero return value or has any output.
Signed-off-by: Glenn Washburn <development@efficientek.com> Tested-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
osdep/linux/hostdisk: Modify sector by sysfs as disk sector
The disk sector size provided by sysfs file system considers the sector
size of 512 irrespective of disk sector size, thus causing the read by
the GRUB to an incorrect offset from what was originally intended.
Considering the 512 sector size of sysfs data the actual sector needs to
be modified corresponding to disk sector size.
Signed-off-by: Mukesh Kumar Chaurasiya <mchauras@linux.vnet.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Sun, 29 Jan 2023 11:49:33 +0000 (19:49 +0800)]
mm: Avoid complex heap growth math in hot path
We do a lot of math about heap growth in hot path of grub_memalign().
However, the result is only used if out of memory is encountered, which
is seldom.
This patch moves these calculations away from hot path. These
calculations are now only done if out of memory is encountered. This
change can also help compiler to optimize integer overflow checks away.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Sun, 29 Jan 2023 11:49:32 +0000 (19:49 +0800)]
mm: Preallocate some space when adding new regions
When grub_memalign() encounters out-of-memory, it will try
grub_mm_add_region_fn() to request more memory from system firmware.
However, it doesn't preallocate memory space for future allocation
requests. In extreme cases, it requires one call to
grub_mm_add_region_fn() for each memory allocation request. This can
be very slow.
This patch introduces GRUB_MM_HEAP_GROW_EXTRA, the minimal heap growth
granularity. The new region size is now set to the bigger one of its
original value and GRUB_MM_HEAP_GROW_EXTRA. Thus, it will result in some
memory space preallocated if current allocations request is small.
The value of GRUB_MM_HEAP_GROW_EXTRA is set to 1MB. If this value is
smaller, the cost of small memory allocations will be higher. If this
value is larger, more memory will be wasted and it might cause
out-of-memory on machines with small amount of RAM.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Sun, 29 Jan 2023 11:49:31 +0000 (19:49 +0800)]
mm: Adjust new region size to take management overhead into account
When grub_memalign() encounters out-of-memory, it will try
grub_mm_add_region_fn() to request more memory from system firmware.
However, the size passed to it doesn't take region management overhead
into account. Adding a memory area of "size" bytes may result in a heap
region of less than "size" bytes really available. Thus, the new region
may not be adequate for current allocation request, confusing
out-of-memory handling code.
This patch introduces GRUB_MM_MGMT_OVERHEAD to address the region
management overhead (e.g. metadata, padding). The value of this new
constant must be large enough to make sure grub_memalign(align, size)
always succeeds after a successful call to
grub_mm_init_region(addr, size + align + GRUB_MM_MGMT_OVERHEAD),
for any given addr and size (assuming no integer overflow).
The size passed to grub_mm_add_region_fn() is now correctly adjusted,
thus if grub_mm_add_region_fn() succeeded, current allocation request
can always succeed.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Sat, 21 Jan 2023 06:10:46 +0000 (00:10 -0600)]
tests/util/grub-shell: Add $GRUB_QEMU_OPTS to run.sh to easily see unofficial QEMU arguments
When re-running a failed test, even the non-standard grub-shell QEMU
arguments should be preserved in the run.sh to more precisely replay
the failed test run.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Sat, 21 Jan 2023 06:10:45 +0000 (00:10 -0600)]
tests/util/grub-shell: Create run.sh in working directory for easily running test again
Now it becomes trivial to re-run a test from the output in its working
directory. This also makes it easy to send a reproducible failing test to
the mailing list. This has allowed a refactor so that the duplicated code
to call QEMU has be condensed (e.g. the use of timeout and file descriptor
redirection). The run.sh script will pass any arguments given to QEMU.
This allows QEMU to be easily started in a state ready for GDB to be
attached.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Sat, 21 Jan 2023 06:10:44 +0000 (00:10 -0600)]
tests: Allow turning on shell tracing from environment variables
This allows turning on shell tracing for grub-shell and grub-fs-tester
when its not practical or not possible to use command line arguments
(e.g. from "make check"). Turn on tracing when the envvar is an integer
greater than 1, since these can generate a lot of output. Since this
change uses the environment variables to set the default value for debug
in grub-shell, this allows enabling grub-shell's debug mode which will
preserve various generated output files that are helpful for debugging
tests.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Thomas Schmitt [Wed, 1 Feb 2023 16:28:49 +0000 (17:28 +0100)]
fs/iso9660: Prevent skipping CE or ST at start of continuation area
If processing of a SUSP CE entry leads to a continuation area which
begins by entry CE or ST, then these entries were skipped without
interpretation. In case of CE this would lead to premature end of
processing the SUSP entries of the file. In case of ST this could
cause following non-SUSP bytes to be interpreted as SUSP entries.
Signed-off-by: Thomas Schmitt <scdbackup@gmx.net> Tested-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Fri, 20 Jan 2023 19:39:41 +0000 (19:39 +0000)]
fs/iso9660: Incorrect check for entry boundary
An SL entry consists of the entry info and the component area.
The entry info should take up 5 bytes instead of sizeof(*entry).
The area after the first 5 bytes is the component area. It is
incorrect to use the sizeof(*entry) to check the entry boundary.
Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Wed, 1 Feb 2023 16:08:44 +0000 (17:08 +0100)]
fs/iso9660: Prevent read past the end of system use area
In the code, the for loop advanced the entry pointer to the next entry before
checking if the next entry is within the system use area boundary. Another
issue in the code was that there is no check for the size of system use area.
For a corrupted system, the size of system use area can be less than the size
of minimum SUSP entry size (4 bytes). These can cause buffer overrun. The fixes
added the checks to ensure the read is valid and within the boundary.
Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Fri, 20 Jan 2023 19:39:38 +0000 (19:39 +0000)]
fs/iso9660: Add check to prevent infinite loop
There is no check for the end of block when reading
directory extents. It resulted in read_node() always
read from the same offset in the while loop, thus
caused infinite loop. The fix added a check for the
end of the block and ensure the read is within directory
boundary.
Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The logical sector size used by LUKS1 is 512 bytes and LUKS2 uses 512 to
4069 bytes. The default password used is "pass", but can be overridden
by setting the PASS environment variable. The device mapper name is set
to the name of the temp directory so that its easy to correlate device
mapper name with a particular test run. Also since this name is unique
per test run, multiple simultaneous test runs are allowed.
Note that cryptsetup is passing the --disable-locks parameter to allow
cryptsetup run successfully when /run/lock/cryptsetup is not accessible.
Since the device mapper name is unique per test run, there is no need to
worry about locking the device to serialize access.
Signed-off-by: Pierre-Louis Bonicoli <pierre-louis.bonicoli@libregerbil.fr> Tested-by: Glenn Washburn <development@efficientek.com> Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Patrick Steinhardt <ps@pks.im> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Fabian Vogt [Thu, 12 Jan 2023 23:05:07 +0000 (17:05 -0600)]
disk/cryptodisk: When cheatmounting, use the sector info of the cheat device
When using grub-probe with cryptodisk, the mapped block device from the host
is used directly instead of decrypting the source device in GRUB code.
In that case, the sector size and count of the host device needs to be used.
This is especially important when using LUKS2, which does not assign
total_sectors and log_sector_size when scanning, but only later when the
segments in the JSON area are evaluated. With an unset log_sector_size,
grub_device_open() complains.
This fixes grub-probe failing with
"error: sector sizes of 1 bytes aren't supported yet.".
Signed-off-by: Fabian Vogt <fvogt@suse.de> Reviewed-by: Patrick Steinhardt <ps@pks.im> Tested-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Patrick Steinhardt <ps@pks.im> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel Axtens [Sat, 14 Jan 2023 13:19:50 +0000 (00:19 +1100)]
fs/f2fs: Fix off-by-one error in nat journal entries check
Oops. You're allowed to have up to n = NAT_JOURNAL_ENTRIES entries
_inclusive_, because the loop below uses i < n, not i <= n. D'oh.
Fixes: 4bd9877f6216 (fs/f2fs: Do not read past the end of nat journal entries) Reported-by: программист нект <programmer11180@programist.ru> Tested-by: программист нект <programmer11180@programist.ru> Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Nicholas Vinson [Fri, 13 Jan 2023 07:56:35 +0000 (02:56 -0500)]
gentpl.py: Remove .interp section from .img files
When building .img files, a .interp section from the .image files will
sometimes be copied into the .img file. This additional section pushes
the .img file beyond the 512-byte limit and causes grub-install to fail
to run for i386-pc platforms.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 10 Jan 2023 22:09:00 +0000 (16:09 -0600)]
tests: Add cryptomount functional test
The grub_cmd_cryptomount make check test performs some functional testing
of cryptomount and by extension the underlying cryptodisk infrastructure.
A utility test script named grub-shell-luks-tester is created to handle the
complexities of the testing, making it simpler to add new test cases in
grub_cmd_cryptomount.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 10 Jan 2023 22:08:59 +0000 (16:08 -0600)]
tests/util/grub-shell: Add halt_cmd variable to testcase namespace
This allows test case scripts to use the appropriate halt command for
the built architecture to end execution early. Otherwise, test case
scripts have no way to know the appropriate mechanism for halting the
test case early.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 10 Jan 2023 22:08:58 +0000 (16:08 -0600)]
tests/util/grub-shell: Trim line should always be matched from the beginning of the line
When turning on shell tracing the trim line will be output before we
actually want to start the trim. However, in this case the trim line never
starts from the beginning of the line. So start trimming from the correct
line by matching from the beginning of the line.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 10 Jan 2023 22:08:57 +0000 (16:08 -0600)]
tests/util/grub-shell: Allow specifying non-default trim line contents
This will be useful for tests that have unwanted output from setup. This is
not documented because its only intended to be internal at the moment. Also,
--no-trim is allowed to explicitly turn off trim.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 10 Jan 2023 22:08:55 +0000 (16:08 -0600)]
tests/util/grub-shell: Set exit status to QEMU exit status
This allows us to test if unexpected output in test scripts is because of
a bug in GRUB, because there was an error in QEMU, or QEMU was killed due
to a timeout.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 10 Jan 2023 21:10:34 +0000 (15:10 -0600)]
io/gzio: Remove confusing, out-dated comment
The "transparent" parameter to grub_gzio_open() was removed in 2010, fc2ef1172c
(* grub-core/io/gzio.c (grub_gzio_open): Removed "transparent" parameter.)
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 10 Jan 2023 21:02:15 +0000 (15:02 -0600)]
tests: Fix help test to reflect updated help output
Commit f5759a878 (normal/help: Add paging instructions to normal and help
prompts) changed the output of the help command, which broke the help
test. This change allows the test to pass.
On the occasion do s/outpu/output/.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The various functions to add a port used to return port->name, and
the callers would immediately iterate all registered ports to "find"
the one just created by comparing that return value with ... port->name.
This is a waste of cycles and code. Instead, have those functions
return "port" directly.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
It is common for PCI based UARTs to use larger than one byte access
sizes. This adds support for this and uses the information present
in SPCR accordingly.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
term/ns8250: Use ACPI SPCR table when available to configure serial
"serial auto" is now equivalent to just "serial" and will use the
SPCR to discover the port if present, otherwise defaults to "com0"
as before.
This allows to support MMIO ports specified by ACPI which is needed
on AWS EC2 "metal" instances, and will enable GRUB to pickup the
port configuration specified by ACPI in other cases.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This adds the ability for the driver to access UARTs via MMIO instead
of PIO selectively at runtime, and exposes a new function to add an
MMIO port.
In an ideal world, MMIO accessors would be generic and have architecture
specific memory barriers. However, existing drivers don't have them and
most of those "bare metal" drivers tend to be for x86 which doesn't need
them. If necessary, those can be added later.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Maxim Fomin [Wed, 28 Dec 2022 17:40:06 +0000 (17:40 +0000)]
kern/fs: Fix possible integer overflow in i386-pc mode with large partitions
The i386-pc mode supports MBR partition scheme where maximum partition
size is 2 TiB. In case of large partitions left shift expression with
unsigned long int "length" object may cause integer overflow making
calculated partition size less than true value. This issue is fixed by
increasing the size of "length" integer type.
Signed-off-by: Maxim Fomin <maxim@fomin.one> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Thu, 15 Dec 2022 18:13:30 +0000 (12:13 -0600)]
commands/cmp: Only return success when both files have the same contents
This allows the cmp command to be used in GRUB scripts to conditionally
run commands based on whether two files are the same.
The command is now quiet by default and the -v switch can be given to enable
verbose mode, the previous behavior.
Update documentation accordingly.
Suggested-by: Li Gen <ligenlive@gmail.com> Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The xenpolicy variable was left set from previous function call. This
resulted in all-but-first menu entries including XSM policy, even if it
did not exist.
Fix this by initializing the xenpolicy variable.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Mon, 5 Dec 2022 11:29:38 +0000 (19:29 +0800)]
font: Reject fonts with negative max_char_width or max_char_height
If max_char_width or max_char_height are negative wrong values can be propagated
by grub_font_get_max_char_width() or grub_font_get_max_char_height(). Prevent
this from happening.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Mon, 5 Dec 2022 11:29:36 +0000 (19:29 +0800)]
font: Check return value of grub_malloc() in ascii_glyph_lookup()
There is a problem in ascii_glyph_lookup(). It doesn't check the return
value of grub_malloc(). If memory can't be allocated, then NULL pointer
will be written to.
This patch fixes the problem by fallbacking to unknown_glyph when
grub_malloc() returns NULL.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Pete Batard [Fri, 25 Nov 2022 17:22:17 +0000 (17:22 +0000)]
util/grub-mkrescue: Search by file UUID rather than partition UUID for EFI boot
The final piece needed to add UEFI file system transposition support is to
ensure the boot media can be located regardless of how the boot partition
was instantiated. Especially, we do not want to be reliant on brittle
partition UUIDs, as these only work if a boot media is duplicated at the
block level and not at the file system level.
To accomplish this for EFI boot, we now create a UUID file in a .disk/
directory, that can then be searched for.
Note: The switch from make_image_fwdisk_abs() to make_image_abs() is
needed in order to use the search functionality.
Signed-off-by: Pete Batard <pete@akeo.ie> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Pete Batard [Fri, 25 Nov 2022 17:22:16 +0000 (17:22 +0000)]
util/grub-mkrescue: Preserve a copy of the EFI bootloaders on the ISO 9660 file system
To enable file system transposition support for UEFI, we also must ensure that
there exists a copy of the EFI bootloaders, that are currently embedded in the
efi.img for xorriso, at their expected UEFI location on the ISO 9660 file system.
This is accomplished by removing the use of a temporary directory to create the
efi/ content, to instead place it at the root of the ISO 9660 content.
Signed-off-by: Pete Batard <pete@akeo.ie> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Pete Batard [Fri, 25 Nov 2022 17:22:15 +0000 (17:22 +0000)]
util/grub-mkrescue: Add support for FAT and NTFS on EFI boot
In order to add file system transposition support for UEFI, i.e. the ability
to copy the content of an grub-mkrescue ISO 9660 image onto user-formatted
media, and have that boot on UEFI systems, the first thing we need to do is
add support for the file systems that are natively handled by UEFI. This
mandatorily includes FAT, but we also include NTFS as the latter is also
commonly supported on modern x64 platforms.
Signed-off-by: Pete Batard <pete@akeo.ie> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
SC2120 (warning): function references arguments, but none are ever passed.
In grub-completion.bash.in line 63:
__grub_get_options_from_help () {
^-- SC2120 (warning)
local prog
if [ $# -ge 1 ]; then
prog="$1"
The arg of __grub_get_options_from_help() is optional. So, the current
code meets the exception and does not need to be modified. Ignoring the
warning then.
SC2207 (warning): Prefer mapfile or read -a to split
command output (or quote to avoid splitting).
In grub-completion.bash.in line 56:
COMPREPLY=($(compgen -P "${2-}" -W "${1-}" -S "${4-}" -- "$cur"))
^-- SC2207 (warning)
In grub-completion.bash.in line 119:
COMPREPLY=( $(compgen \
^-- SC2207 (warning)
In grub-completion.bash.in line 128:
COMPREPLY=( $( compgen -f -X '!*/*.mod' -- "${grub_dir}/$cur" | {
^-- SC2207 (warning)
COMPREPLY=($(command)) are doing unquoted command expansion in an array.
This will invoke the shell's sloppy word splitting and glob expansion.
If we want to split the output into lines or words, use read -r and
loops will be better. This prevents the shell from doing unwanted
splitting and glob expansion, and therefore avoiding problems with
output containing spaces or special characters.
Steve McIntyre [Tue, 6 Dec 2022 01:45:11 +0000 (01:45 +0000)]
kern/file: Fix error handling in grub_file_open()
grub_file_open() calls grub_file_get_device_name(), but doesn't check
the return. Instead, it checks if grub_errno is set.
However, nothing initialises grub_errno here when grub_file_open()
starts. This means that trying to open one file that doesn't exist and
then trying to open another file that does will (incorrectly) also
fail to open that second file.
Let's fix that.
Signed-off-by: Steve McIntyre <steve@einval.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Only perform call to fwsetup if one is on EFI platform. On all other
platforms fwsetup command does not exists, and thus returns 0 and
a useless uefi-firmware menu entry gets generated.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
t.feng [Tue, 29 Nov 2022 09:14:12 +0000 (17:14 +0800)]
fs/hfsplus: Fix memory leak in grub_hfsplus_btree_search()
Fixes: 58ea11d5b (fs/hfsplus: Don't fetch a key beyond the end of the node) Signed-off-by: t.feng <fengtao40@huawei.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
t.feng [Tue, 29 Nov 2022 09:14:11 +0000 (17:14 +0800)]
fs/bfs: Fix memory leak in read_bfs_file()
The l1_entries and l2_entries were not freed at the end of file read.
Fixes: 5825b3794 (BFS implementation based on the specification) Signed-off-by: t.feng <fengtao40@huawei.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
t.feng [Tue, 29 Nov 2022 09:14:07 +0000 (17:14 +0800)]
fs/affs: Fix memory leaks in grub_affs_create_node()
The hashtable is not freed if GRUB_AFFS_FILETYPE_HARDLINK and
grub_disk_read() failed. If grub_affs_create_node() returns non-zero
the hashtable should be freed too.
By the way, the hashtable argument is unused in grub_affs_create_node().
So, we can remove the argument and free it in grub_affs_iterate_dir().
It allocates the memory and it should be responsible for releasing it.
This is why commit ebf32bc4e9 (fs/affs: Fix resource leaks) missed
this memory leak.
Ryan Cohen [Sat, 26 Nov 2022 22:22:52 +0000 (17:22 -0500)]
normal/cmdline: Fix two related integer underflows
An unchecked decrement operation in cl_print() would cause a few
integers to underflow. Where an output terminal's state is stored in
cl_term, the values cl_term->ystart and cl_term->pos.y both underflow.
This can be replicated with the following steps:
1. Get to the GRUB command line
2. Hold down the "d" key (or any key that enters a visible character)
until it fills the entire row
3. Press "HOME" and then press "CTRL-k". This will clear every
character entered in step 2
4. Continuously press "CTRL-y" until the terminal scrolls the original
prompt ("grub> ") passed the terminal's top row. Now, no prompt
should be visible. This step causes cl_term->ystart to underflow
5. Press "HOME" and then "d" (or any visible character). This can have
different visual effects for different systems, but it will always
cause cl_term->pos.y to underflow
On BIOS systems, these underflows cause the output terminal to
completely stop displaying anything. Characters can still be
entered and commands can be run, but nothing will display on the
terminal. From here, you can only get the display working by running
a command to switch the current output terminal to a different type:
terminal_output <OTHER_TERMINAL>
On UEFI systems, these replication steps do not break the output
terminal. Until you press "ENTER", the cursor stops responding to input,
but you can press "ENTER" after step 5 and the command line will
work properly again. This patch is mostly important for BIOS systems
where the output terminal is rendered unusable after the underflows
occur.
This patch adds two checks, one for each variable. It ensures that
cl_term->ystart does not decrement passed 0. It also ensures that
cl_term->pos.y does not get set passed the terminal's bottom row.
When the previously listed replication steps are followed with this
patch, the terminal's cursor will be set to the top row and the command
line is still usable, even on BIOS systems.
Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Ryan Cohen [Sat, 26 Nov 2022 22:22:51 +0000 (17:22 -0500)]
term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer
Coordinates passed to screen_write_char() did not have any checks to
ensure they are not out-of-bounds. This adds an if statement to prevent
out-of-bounds writes to the VGA text buffer.
Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Fri, 25 Nov 2022 07:37:35 +0000 (15:37 +0800)]
loader/linux: Ensure the newc pathname is NULL-terminated
Per "man 5 cpio", the namesize in the cpio header includes the trailing
NUL byte of the pathname and the pathname is followed by NUL bytes, but
the current implementation ignores the trailing NUL byte when making
the newc header. Although make_header() tries to pad the pathname string,
the padding won't happen when strlen(name) + sizeof(struct newc_head)
is a multiple of 4, and the non-NULL-terminated pathname may lead to
unexpected results.
Assume that a file is created with 'echo -n aaaa > /boot/test12' and
loaded by grub2:
linux /boot/vmlinuz
initrd newc:test12:/boot/test12 /boot/initrd
The initrd command eventually invoked grub_initrd_load() and sent
't''e''s''t''1''2' to make_header() to generate the header:
Since strlen("test12") + sizeof(struct newc_head) is 116 = 29 * 4,
make_header() didn't pad the pathname, and the file content followed
"test12" immediately. This violates the cpio format and may trigger such
error during linux boot:
Initramfs unpacking failed: ZSTD-compressed data is trunc
To avoid the potential problems, this commit counts the trailing NUL byte
in when calling make_header() and adjusts the initrd size accordingly.
Glenn Washburn [Mon, 22 Aug 2022 23:19:02 +0000 (18:19 -0500)]
tests: Put all generated files into working dir and use better file names
When running tests there are many invocations of grub-shell, and because
the output files are all random names in the same tmp directory, it
becomes more work to figure out which files went with which grub-shell
invocations. So all generated files from one invocation of grub-shell
are put into a randomly named directory, so as not to collide with other
grub-shell invocations. And now that the generated files can be put in
a location where they will not get stepped on, and they can be named
sensible names.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Fri, 28 Oct 2022 13:31:39 +0000 (21:31 +0800)]
normal/charset: Fix an integer overflow in grub_unicode_aglomerate_comb()
The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
However, code in grub_unicode_aglomerate_comb() doesn't check for an
overflow when incrementing out->ncomb. If out->ncomb is already 255,
after incrementing it will get 0 instead of 256, and cause illegal
memory access in subsequent processing.
This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
acceptable value of ncomb. The code now checks for this limit and
ignores additional combining characters when limit is reached.
Reported-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Fri, 28 Oct 2022 09:29:16 +0000 (17:29 +0800)]
font: Assign null_font to glyphs in ascii_font_glyph[]
The calculations in blit_comb() need information from glyph's font, e.g.
grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
NULL if main_glyph comes from ascii_font_glyph[]. Therefore
grub_font_get_*() crashes because of NULL pointer.
There is already a solution, the null_font. So, assign it to those glyphs
in ascii_font_glyph[].
Reported-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Sun, 23 Oct 2022 23:15:41 +0000 (07:15 +0800)]
font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror()
As a mitigation and hardening measure add sanity checks to
grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
makes these two functions do nothing if target blitting area isn't fully
contained in target bitmap. Therefore, if complex calculations in caller
overflows and malicious coordinates are given, we are still safe because
any coordinates which result in out-of-bound-write are rejected. However,
this patch only checks for invalid coordinates, and doesn't provide any
protection against invalid source glyph or destination glyph, e.g.
mismatch between glyph size and buffer size.
This hardening measure is designed to mitigate possible overflows in
blit_comb(). If overflow occurs, it may return invalid bounding box
during dry run and call grub_font_blit_glyph() with malicious
coordinates during actual blitting. However, we are still safe because
the scratch glyph itself is valid, although its size makes no sense, and
any invalid coordinates are rejected.
It would be better to call grub_fatal() if illegal parameter is detected.
However, doing this may end up in a dangerous recursion because grub_fatal()
would print messages to the screen and we are in the progress of drawing
characters on the screen.
Reported-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Mon, 24 Oct 2022 00:05:35 +0000 (08:05 +0800)]
font: Fix an integer underflow in blit_comb()
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
evaluate to a very big invalid value even if both ctx.bounds.height and
combining_glyphs[i]->height are small integers. For example, if
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
expression evaluates to 2147483647 (expected -1). This is because
coordinates are allowed to be negative but ctx.bounds.height is an
unsigned int. So, the subtraction operates on unsigned ints and
underflows to a very big value. The division makes things even worse.
The quotient is still an invalid value even if converted back to int.
This patch fixes the problem by casting ctx.bounds.height to int. As
a result the subtraction will operate on int and grub_uint16_t which
will be promoted to an int. So, the underflow will no longer happen. Other
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
to ensure coordinates are always calculated on signed integers.
Fixes: CVE-2022-3775 Reported-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Expressions like u64 = u32 * u32 are unsafe because their products are
truncated to u32 even if left hand side is u64. This patch fixes all
problems like that one in fbutil.
To get right result not only left hand side have to be u64 but it's also
necessary to cast at least one of the operands of all leaf operators of
right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
u64 = (u64)u32 * u32 + (u64)u32 * u32.
For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
not overflow grub_uint64_t.
Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
This patch also adds a comment to grub_video_fb_get_video_ptr() which
says it's arguments must be valid and no sanity check is performed
(like its siblings in grub-core/video/fb/fbutil.c).
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Sun, 14 Aug 2022 07:51:54 +0000 (15:51 +0800)]
kern/efi/sb: Enforce verification of font files
As a mitigation and hardening measure enforce verification of font
files. Then only trusted font files can be load. This will reduce the
attack surface at cost of losing the ability of end-users to customize
fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
fonts because they have ability to pack fonts into their GRUB bundles.
This goal is achieved by:
* Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
skip-verification list.
* Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
so font files must be verified by a verifier before they can be loaded.
Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Sun, 14 Aug 2022 18:04:58 +0000 (02:04 +0800)]
font: Fix integer overflow in BMP index
The BMP index (font->bmp_idx) is designed as a reverse lookup table of
char entries (font->char_index), in order to speed up lookups for BMP
chars (i.e. code < 0x10000). The values in BMP index are the subscripts
of the corresponding char entries, stored in grub_uint16_t, while 0xffff
means not found.
This patch fixes the problem of large subscript truncated to grub_uint16_t,
leading BMP index to return wrong char entry or report false miss. The
code now checks for bounds and uses BMP index as a hint, and fallbacks
to binary-search if necessary.
On the occasion add a comment about BMP index is initialized to 0xffff.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Zhang Boyang [Thu, 4 Aug 2022 18:27:05 +0000 (02:27 +0800)]
font: Fix integer overflow in ensure_comb_space()
In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
in the future. This patch also fixes the inconsistency between
render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
returns NULL.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
projects / thirdparty / grub.git / log
