Glenn Washburn [Thu, 20 Nov 2025 18:56:47 +0000 (12:56 -0600)]
bootstrap: Condense and simplify LINGUAS generation
Remove unnecessary subshells. Loop over autogenerated po files only once.
Use existing LINGUAS created by bootstrap instead of finding po files
again.
Add wget as a soft requirement now that we are using bootstrap's code
for updating translation files. This should only be needed if updated
translations are desired, which is the default. There should be older
translation files already, and wget is not necessary if those will
suffice.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Thu, 20 Nov 2025 18:56:46 +0000 (12:56 -0600)]
bootstrap: Migrate linguas.sh into bootstrap.conf
Bootstrap has infrastructure for downloading/updating project po files
and generating the LINGUAS file. It uses wget instead of rsync, but
provides the same functionality, namely that only po files that have
a modification date before the corresponding one on the server will get
redownloaded. Bootstrap creates a pristine copy of the po files in
po/.reference, so update .gitignore to ignore that directory.
Bootstrap also creates the po/LINGUAS file, but it does not know to add
in GRUB's autogenerated po files. So move that code from linguas.sh into
the bootstrap epilogue.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Thu, 20 Nov 2025 18:56:45 +0000 (12:56 -0600)]
bootstrap: Run linguas.sh in bootstrap epilogue
Heretofore, linguas.sh had to be run by the user and a common mistake
made when building GRUB was to not run the command. By adding it to
the bootstrap epilogue it will by default get run at the end of the
bootstrap script. The user no longer needs to remember to run it.
If the --skip-po option is passed to bootstrap, do not run linguas.sh.
This allows for bootstrap to be run without updating the translations,
which might be desired in the future if we track po files so that
translations can be used as they were at time of release.
Update INSTALL file to reflect that it is no longer necessary to run
linguas.sh. Also, fix a list numbering error.
Avnish Chouhan [Thu, 20 Nov 2025 08:11:41 +0000 (13:41 +0530)]
normal/cmdline: Add grub_calloc() failure check and fix hist_lines state loss
If grub_calloc() fails hist_lines becomes NULL. It means we lose the
reference to the previously allocated hist_lines and leak memory. With
this change on failure hist_lines still points to the old memory. So,
no leak, no state corruption.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Thu, 20 Nov 2025 06:25:50 +0000 (14:25 +0800)]
blsuki: Fix grub_errno leakage in blsuki_is_default_entry()
The grub_strtol() call in blsuki_is_default_entry() can set grub_errno
to either GRUB_ERR_BAD_NUMBER or GRUB_ERR_OUT_OF_RANGE if the input
string is invalid or out of range.
This grub_errno value is currently left uncleared, which can lead to
unexpected behavior in subsequent functions that rely on checking
current state of grub_errno.
Clear grub_errno unconditionally when grub_strtol() reports error so
that we can plug the leak.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Wed, 19 Nov 2025 19:11:35 +0000 (13:11 -0600)]
Revert "tests: Remove -w param from mkfs.hfsplus command"
The original commit removes testing of GRUB's support for HFS+
wrapping and replaces it with testing that is an exact duplicate of
another test, namely HFS+ without wrapping. To start, the change is
misleading in that it suggests that the testing of HFS+ wrapping is
still taking place, when it is not. If it was desired to remove support
for testing the HFS+ wrapping, then the test should have been removed
entirely. Second, having a series of tests that are exactly the same is
just a waste of testing resources. And third, the justification for the
change is nonsensical. Just because a required program may not have
a required feature on a particular distro is not a reason that a test
should be removed. Reducing test coverage because some distros do not
have the tools GRUB needs to run certain tests goes against the testing
priority to have test coverage be as broad as possible. The fact is
that Debian, the officially supported distro for running the tests, does
have a mkfs.hfsplus that supports the -w parameter.
This reverts commit 2bc0929a2 (tests: Remove -w param from mkfs.hfsplus command).
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Wed, 19 Nov 2025 19:11:34 +0000 (13:11 -0600)]
Revert "tests: Skip tests if required tools are not available"
As explained in commit a21618c8a (tests: Test aborts due to missing
requirements should be marked as error instead of skipped) and in the
Automake manual[1], skipped tests are tests that should not be run, e.g.
running the ohci test on the powerpc-ieee1275 as there are no native ohci
drivers for that platform. Tests that fail for reasons other than there is
a bug in GRUB code that is causing the test to fail are hard errors.
Commonly this is because the test is run in an improperly configured
environment, like required programs are missing. If a hard error condition
is identified with a SKIP return code, the person running the tests can not
know without investigating every skip if a SKIP in the tests was because
the test does not apply to the target being tested or because the user had
a misconfigured environment that was causing the test not to run. By
ensuring that a test is skipped only when it should not run, the person
running the test can be sure that there is no need to investigate why the
test was skipped.
This reverts commit bf13fed5f (tests: Skip tests if required tools are not available).
Segmentation faults or undefined behaviour may result from a NULL pointer
dereference in strip_trailing_digits() and grub_util_devname_to_ofpath()
if strdup() fails. Therefore, I added a NULL check to fix this.
In the function free_subchunk(), after checking that subchu->post isn't NULL,
grub_memset() is called on subchu->pre->freebytes but it should be called on
subchu->post->freebytes. If subchu->pre is NULL but subchu->post isn't NULL,
then this could lead to a NULL pointer dereference.
Fixes: CID 473882 Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com> Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Nicholas Vinson [Wed, 19 Nov 2025 00:38:07 +0000 (19:38 -0500)]
configure: Check linker for --image-base support
In several scenarios, configure tests assume it's safe to use
"-Wl,-Ttext,<address>", but starting with ld.lld-21, blindly using that
flag may result in configure-test failures due to ld.lld failing to
link. The failure is because ld.lld-21 no longer allows the specified
address to be less than the base address.
However, ld.lld-21+ and ld.bfd-2.44+ both provide support for the
--image-base flag making it preferable over the older -Ttext flag.
Fixes: https://savannah.gnu.org/bugs/?67662 Signed-off-by: Nicholas Vinson <nvinson234@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 18 Nov 2025 00:01:44 +0000 (18:01 -0600)]
INSTALL: Make note that Linux kernel 6.12.x or earlier is needed for reiserfs testing
Also, remove wording suggesting that tests may be skipped if prerequisites
are not installed. Tests should never be skipped because of an environment
misconfiguration, instead they should return a hard error (code 99).
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 18 Nov 2025 00:01:43 +0000 (18:01 -0600)]
docs: Reorganize test section and add section on writing tests
Rename the main section to Tests and put the existing test section into
a subsection. A new subsection called "Writing tests" is added to give
a brief overview and make clear the difference in returning a SKIP code
versus a HARD ERROR code.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
commands/usbtest: Ensure string length is sufficient in usb string processing
If descstrp->length is less than 2 this will result in underflow in
"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
value is sufficient.
Signed-off-by: Jamie <volticks@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
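The underflow described in the usbtest commit above, as an added C example that is not GRUB's code: the struct-free byte layout, function names and sample descriptors are constructed for illustration, and the extra check against the number of bytes actually read is an assumption that goes beyond what the commit message states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DESC_TYPE_STRING 0x03

/* The expression quoted in the commit message, with no guard in front of it.
   For length 0 or 1 the int result is -1, which becomes SIZE_MAX as a size. */
static size_t
utf16_units_unchecked (uint8_t length)
{
  return (size_t) (length / 2 - 1);
}

/* Decode a string descriptor (byte 0 = total length, byte 1 = type, then
   UTF-16LE code units) into printable ASCII.
   Returns the number of characters written, or -1 if the input is rejected. */
static int
usb_string_to_ascii (const uint8_t *desc, size_t avail, char *out, size_t outsz)
{
  uint8_t length;
  size_t units, i;

  if (avail < 2 || outsz == 0)
    return -1;
  length = desc[0];
  if (desc[1] != USB_DESC_TYPE_STRING)
    return -1;
  if (length < 2)       /* the case the commit guards against */
    return -1;
  if (length > avail)   /* assumption: reject claims beyond the bytes read */
    return -1;

  units = (size_t) length / 2 - 1;
  if (units >= outsz)   /* keep room for the terminating NUL */
    return -1;
  for (i = 0; i < units; i++)
    {
      uint16_t cu = (uint16_t) (desc[2 + 2 * i] | (desc[3 + 2 * i] << 8));
      out[i] = (cu >= 0x20 && cu < 0x7f) ? (char) cu : '?';
    }
  out[units] = '\0';
  return (int) units;
}

/* Constructed sample descriptors: a valid one and one with length < 2. */
static const uint8_t desc_ok[] = { 8, 0x03, 'G', 0, 'R', 0, 'U', 0 };
static const uint8_t desc_short[] = { 1, 0x03 };

int
main (void)
{
  char buf[16];
  int n;

  printf ("unchecked units for length 1: %zu\n", utf16_units_unchecked (1));
  n = usb_string_to_ascii (desc_ok, sizeof (desc_ok), buf, sizeof (buf));
  printf ("valid descriptor: %d chars, \"%s\"\n", n, n >= 0 ? buf : "");
  n = usb_string_to_ascii (desc_short, sizeof (desc_short), buf, sizeof (buf));
  printf ("short descriptor: %d\n", n);
  return 0;
}
```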
An incorrect length field is used for buffer allocation. This leads to
grub_utf16_to_utf8() receiving an incorrect/different length and possibly
causing OOB write. This makes sure to use the correct length.
Alec Brown [Thu, 21 Aug 2025 21:14:08 +0000 (21:14 +0000)]
tests/lib/functional_test: Unregister commands on module unload
When the functional_test module is loaded, both the functional_test and
all_functional_test commands are registered but only the all_functional_test
command is being unregistered since it was the last to set the cmd variable
that gets unregistered when the module is unloaded. To unregister both
commands, we need to create an additional grub_extcmd_t variable.
Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Thu, 21 Aug 2025 21:14:07 +0000 (21:14 +0000)]
normal/main: Unregister commands on module unload
When the normal module is loaded, the normal and normal_exit commands
are registered but aren't unregistered when the module is unloaded. We
need to add calls to grub_unregister_command() when unloading the module
for these commands.
Fixes: CVE-2025-61663 Fixes: CVE-2025-61664 Reported-by: Alec Brown <alec.r.brown@oracle.com> Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Thu, 21 Aug 2025 21:14:06 +0000 (21:14 +0000)]
gettext/gettext: Unregister gettext command on module unload
When the gettext module is loaded, the gettext command is registered but
isn't unregistered when the module is unloaded. We need to add a call to
grub_unregister_command() when unloading the module.
Fixes: CVE-2025-61662 Reported-by: Alec Brown <alec.r.brown@oracle.com> Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
net/net: Unregister net_set_vlan command on unload
The commit 954c48b9c (net/net: Add net_set_vlan command) added command
net_set_vlan to the net module. Unfortunately the commit only added the
grub_register_command() call on module load but missed the
grub_unregister_command() on unload. Let's fix this.
Fixes: CVE-2025-54770 Fixes: 954c48b9c (net/net: Add net_set_vlan command) Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de> Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
kern/file: Call grub_dl_unref() after fs->fs_close()
With commit 16f196874 (kern/file: Implement filesystem reference
counting) files hold a reference to their file systems.
When closing a file in grub_file_close() we should not expect
file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
So, grub_dl_unref() should be called after file->fs->fs_close().
Fixes: CVE-2025-54771 Fixes: 16f196874 (kern/file: Implement filesystem reference counting) Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de> Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
commands/test: Fix error in recursion depth calculation
The commit c68b7d236 (commands/test: Stack overflow due to unlimited
recursion depth) added recursion depth tests to the test command. But in
the error case it decrements the pointer to the depth value instead of
the value itself. Fix it.
Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth) Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Mon, 17 Nov 2025 07:11:15 +0000 (07:11 +0000)]
fs/zfs/zfs: Avoid pointer downcasting in dnode_get()
Coverity marks multiple issues in grub-core/fs/zfs/zfs.c as either "Untrusted
value as argument", "Untrusted pointer read", or "Untrusted loop bound". Each
of these issues share a common cause where Coverity finds that data->dnode_buf
gets tainted by dnbuf since it is downcasting from (void *) to (dnode_phys_t *)
and could imply that the data the pointer points to is tainted. However, the
function zio_read(), which reads this data from disk, sanitizes this data by
verifying its checksum. To resolve the issues for Coverity, setting dnbuf to
(dnode_phys_t *) at the start of the function dnode_get() seems to do the trick.
Alec Brown [Mon, 17 Nov 2025 07:11:14 +0000 (07:11 +0000)]
mmap/mmap: Fix resource leak
In the function grub_mmap_iterate(), memory is allocated to
"ctx.scanline_events" and "present" but isn't freed when error handling
grub_malloc(). Prior to returning grub_errno, these variables should be
freed to prevent a resource leak.
Fixes: CID 96655 Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Mon, 17 Nov 2025 04:23:41 +0000 (22:23 -0600)]
linguas: Ensure that linguas.sh runs from the directory that it resides
The script assumes that it is run from the root of the source tree,
which is where it is located. So this should be enforced to prevent
accidental misuses.
realpath is used instead of readlink as that is recommended in Debian's
readlink manpage since at least Debian 11. Also, use the shell variable's
parameter expansion for removing a suffix pattern to get the directory
in which the script resides. This is preferable to using the dirname binary
as it avoids creating a new process.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Tue, 11 Nov 2025 07:15:53 +0000 (01:15 -0600)]
gitignore: Remove po/*.po and po/LINGUAS
po files will now be tracked. This has the following benefits as listed
by Colin Watson:
* Build processes would no longer be vulnerable to an external server
potentially going down for an extended period of time; they'd be
stuck with outdated translations until the server was fixed or came
up with a workaround, but that's better than nothing.
* It would be easier to manage branches of stable releases, rather than
assuming that translations downloaded for master will match the POT
files for a stable release.
* Tests would be able to pass from a clean git checkout without relying
on an external server, improving QA reliability.
* It would be easier to make and test branches while offline.
* The translations shipped with a release tarball could be tagged in
git so that it's easy to investigate bugs in them.
* Downstream distributors would be able to use git branches without
having to fill in additional files.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Mon, 17 Nov 2025 06:40:26 +0000 (00:40 -0600)]
tests/grub_cmd_cryptomount: Use builddir shell variable and quote
Using a shell variable instead of an autoconf macro creates fewer changes
to the file, which can be desirable when modifying by hand later and
then diffing with the unexpanded file. It also makes it simpler to
change the builddir after expansion, which may need to happen when
moving the build dir to a different path and not being able to rerun
the autoconf expansion.
Also, add quoting around the builddir variable as there may be spaces
in the path.
Glenn Washburn [Mon, 17 Nov 2025 06:40:25 +0000 (00:40 -0600)]
tests/grub_cmd_cryptomount: Expect test success, now that GRUB supports Argon2
This test was included to verify that, while GRUB did not have Argon2
support, trying to open a LUKS2 volume with an Argon2 keyslot would fail.
Now that Argon2 support is included, the test is failing because it
expected a failure, but is now getting success. Change the test to expect
success.
Glenn Washburn [Thu, 13 Nov 2025 03:10:42 +0000 (21:10 -0600)]
tests/erofs_test: Improve accuracy of FSTIME check
On resource constrained test runs, the last modification time on the
image is an unreliable date to check against the filesystem creation
time. Use dump.erofs to get the filesystem creation time from the
superblock. This should get the timestamp as shown by GRUB's "ls -l".
Glenn Washburn [Thu, 13 Nov 2025 03:10:41 +0000 (21:10 -0600)]
tests/erofs_test: Disable filetime check for erofs_compact
Compact EROFS inodes do not allow for modification times that are
different from FS creation times. The file modification time check is
done between the EROFS image and the file system where test temporary
files are written to, not the files as seen from the mounted EROFS image.
So it's likely that the file modification time will be different, more
so when run on slower systems.
Andrew Hamilton [Fri, 14 Nov 2025 23:40:10 +0000 (17:40 -0600)]
tests: Support changed mkfs.ext2 behavior for -r flag
Correct nuisance ext234_test failure on newer Linux distros.
Recently, the mkfs.ext2 utility removed support for the -r flag to
specify old (version 0) formats of ext2. A new flag was added to allow
the same behavior. Support both ways of specifying version 0 ext2 file
systems when testing ext2 in GRUB.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Glenn Washburn <development@efficientek.com>
Andrew Hamilton [Fri, 14 Nov 2025 23:40:09 +0000 (17:40 -0600)]
tests: Avoid test failure in erofs for label length
Recently, mkfs.erofs began to enforce that the file system
label is 15 characters or less (excluding NUL terminator).
This causes the current erofs test in GRUB to fail. Reduce
the test label used to fit in this limit allowing the test
to work as expected.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Glenn Washburn <development@efficientek.com>
Andrew Hamilton [Fri, 14 Nov 2025 23:40:08 +0000 (17:40 -0600)]
tests: Split ZFS ZSTD test into new file
Split ZFS ZSTD test into its own test script. Add a check to the new
test script to see if the zfs utility installed on the host supports
"zstd" compression before running the test and fail the test if not. It
seems at least some zfs-fuse binaries do not support zstd compression
and the current test will fail in that case. Splitting into a new file
will avoid masking other test failures due to missing zstd support.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Glenn Washburn <development@efficientek.com>
Andrew Hamilton [Fri, 7 Nov 2025 00:24:33 +0000 (18:24 -0600)]
util/grub.d/00_header.in: Disable loading all_video for EFI
Loading all_video for EFI can cause video issues in some cases
since GRUB Bochs/Cirrus drivers may conflict with native EFI drivers.
Change default behavior for EFI to only load EFI specific video
modules. Also include a new environment variable to restore the old
behavior if needed.
Fixes: https://savannah.gnu.org/bugs/?66200 Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The check_xorriso() function appears to have been copy/pasted from
somewhere that was originally checking the mdadm command. So the file
handle to the output of the xorriso command is named "mdadm". Instead
rename it to the more generic "fout". Also change a comment referencing
mdadm to reference xorriso.
Andrew Hamilton [Fri, 7 Nov 2025 03:55:41 +0000 (21:55 -0600)]
docs: Add security hardening suggestions
Add some suggestions to the security section on maximizing the
security hardening of GRUB.
This change reveals sectioning issues introduced by commit 0b59d379f
(docs/grub: Document signing GRUB under UEFI) and commit 0f2dda8cf
(docs/grub: Document signing GRUB with an appended signature). Fix them
on the occasion.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Leo Sandoval [Fri, 19 Sep 2025 21:45:05 +0000 (15:45 -0600)]
tests: Remove -w param from mkfs.hfsplus command
Apparently the man page is outdated because the option "-w" is shown
but not on "mkfs.hfsplus --usage". According to Gemini:
The -w option is used to add an HFS wrapper around an HFS Plus file
system, which is sometimes required for compatibility with older
Mac OS 9 systems. However, this is not a standard or commonly used
option and may not be available in all versions of the hfsprogs package,
especially on Linux.
Signed-off-by: Leo Sandoval <lsandova@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Leo Sandoval [Fri, 19 Sep 2025 21:45:03 +0000 (15:45 -0600)]
tests: Skip tests if required tools are not available
There is no reason to fail a test if the required testing tool is not
present on the system, so skip the test instead of failing it.
Signed-off-by: Leo Sandoval <lsandova@redhat.com> Reviewed-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch adds a NULL check after grub_malloc() call. Missing a failure
check after calling grub_malloc() can lead to undefined behavior. If the
allocation fails and returns NULL subsequent dereferencing or writing to
the pointer will likely result in a runtime error such as a segmentation
fault.
Avnish Chouhan [Tue, 28 Oct 2025 16:28:51 +0000 (21:58 +0530)]
term/ieee1275/serial: Fix memory leak
The grub_zalloc() allocates memory for port. If the allocation for
port->name fails the function returns NULL without freeing the
previously allocated port memory. This results in a memory leak.
To avoid this we must free port before return.
Lars Wendler [Thu, 30 Oct 2025 06:31:59 +0000 (07:31 +0100)]
configure: Avoid bashisms
or else configure check doesn't succeed with non-bash shell (e.g. dash):
checking whether to enable AMD64 as(1) feature detection... /var/tmp/portage/sys-boot/grub-2.14_rc1/work/grub-2.14~rc1/configure: 39176: test: xx86_64: unexpected operator
no
and later build fails with
/var/tmp/portage/sys-boot/grub-2.14_rc1/work/grub-2.14~rc1/grub-core/lib/libgcrypt-grub/src/hwf-x86.c: In function ‘detect_x86_gnuc’:
/var/tmp/portage/sys-boot/grub-2.14_rc1/work/grub-2.14~rc1/grub-core/lib/libgcrypt-grub/src/hwf-x86.c:252:17: error: ‘HWF_INTEL_CPU’ undeclared (first use in this function)
252 | result |= HWF_INTEL_CPU;
| ^~~~~~~~~~~~~
and other corresponding HWF_INTEL_* definitions because HAVE_CPU_ARCH_X86 was
erroneously not defined by configure script.
Signed-off-by: Lars Wendler <polynomial-c@gmx.de> Reviewed-by: Gary Lin <glin@suse.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel Kiper [Mon, 27 Oct 2025 16:17:01 +0000 (17:17 +0100)]
windows: Fix symbol table generation during module conversion from PE to ELF
According to the System V Application Binary Interface specification [1]
the sections holding a symbol table, SHT_SYMTAB and SHT_DYNSYM, have to
have sh_info set to "One greater than the symbol table index of the last
local symbol (binding STB_LOCAL)". Current code converting PE images to
ELF files does not do that and readelf complains in following way:
Symbol table '.symtab' contains 29 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
readelf: Warning: local symbol 0 found at index >= .symtab's sh_info value of 0
1: 0000144a 0 FUNC LOCAL DEFAULT 1 grub_mod_init
readelf: Warning: local symbol 1 found at index >= .symtab's sh_info value of 0
2: 000014aa 0 FUNC LOCAL DEFAULT 1 grub_mod_fini
readelf: Warning: local symbol 2 found at index >= .symtab's sh_info value of 0
3: 00000000 0 SECTION LOCAL DEFAULT 1 .text
readelf: Warning: local symbol 3 found at index >= .symtab's sh_info value of 0
4: 00000000 0 SECTION LOCAL DEFAULT 2 .data
readelf: Warning: local symbol 4 found at index >= .symtab's sh_info value of 0
5: 00000000 0 SECTION LOCAL DEFAULT 5 .bss
readelf: Warning: local symbol 5 found at index >= .symtab's sh_info value of 0
6: 00000000 0 SECTION LOCAL DEFAULT 3 .rdata
readelf: Warning: local symbol 6 found at index >= .symtab's sh_info value of 0
7: 00000000 0 NOTYPE GLOBAL DEFAULT UND grub_dma_get_phys
8: 00000000 0 NOTYPE GLOBAL DEFAULT UND grub_cs5536_write_msr
9: 00000000 0 NOTYPE GLOBAL DEFAULT UND grub_dma_free
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Ross Philipson <ross.philipson@oracle.com> Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
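The sh_info rule quoted in the commit above, as an added C example that is not the GRUB conversion code: the reduced symbol struct, the function names and the sample table (modelled on the first ten entries of the readelf listing) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the System V ABI; defined here so the example needs no <elf.h>. */
#define STB_LOCAL   0
#define STB_GLOBAL  1
#define STT_NOTYPE  0
#define STT_FUNC    2
#define STT_SECTION 3
#define ST_BIND(info)       ((info) >> 4)
#define ST_INFO(bind, type) (((bind) << 4) + ((type) & 0xf))

/* Reduced symbol record: only the fields the check needs. */
struct sym
{
  const char *name;
  uint8_t st_info;
};

/* Constructed table mirroring the bindings of entries 0-9 in the listing. */
static const struct sym sample_symtab[] = {
  { "",                      ST_INFO (STB_LOCAL,  STT_NOTYPE)  },
  { "grub_mod_init",         ST_INFO (STB_LOCAL,  STT_FUNC)    },
  { "grub_mod_fini",         ST_INFO (STB_LOCAL,  STT_FUNC)    },
  { ".text",                 ST_INFO (STB_LOCAL,  STT_SECTION) },
  { ".data",                 ST_INFO (STB_LOCAL,  STT_SECTION) },
  { ".bss",                  ST_INFO (STB_LOCAL,  STT_SECTION) },
  { ".rdata",                ST_INFO (STB_LOCAL,  STT_SECTION) },
  { "grub_dma_get_phys",     ST_INFO (STB_GLOBAL, STT_NOTYPE)  },
  { "grub_cs5536_write_msr", ST_INFO (STB_GLOBAL, STT_NOTYPE)  },
  { "grub_dma_free",         ST_INFO (STB_GLOBAL, STT_NOTYPE)  },
};
#define SAMPLE_COUNT (sizeof (sample_symtab) / sizeof (sample_symtab[0]))

/* sh_info must be one greater than the index of the last STB_LOCAL symbol. */
static size_t
expected_sh_info (const struct sym *syms, size_t n)
{
  size_t i, result = 0;

  for (i = 0; i < n; i++)
    if (ST_BIND (syms[i].st_info) == STB_LOCAL)
      result = i + 1;
  return result;
}

/* Count the local symbols at index >= sh_info, i.e. the entries readelf
   warns about when sh_info is too small. */
static size_t
locals_at_or_above (const struct sym *syms, size_t n, size_t sh_info)
{
  size_t i, count = 0;

  for (i = sh_info; i < n; i++)
    if (ST_BIND (syms[i].st_info) == STB_LOCAL)
      count++;
  return count;
}

/* Returns 1 if every local symbol precedes every non-local one, which is
   what makes a single sh_info boundary meaningful. */
static int
locals_first (const struct sym *syms, size_t n)
{
  size_t i;
  int seen_nonlocal = 0;

  for (i = 0; i < n; i++)
    {
      if (ST_BIND (syms[i].st_info) != STB_LOCAL)
        seen_nonlocal = 1;
      else if (seen_nonlocal)
        return 0;
    }
  return 1;
}

int
main (void)
{
  printf ("expected sh_info: %zu\n",
          expected_sh_info (sample_symtab, SAMPLE_COUNT));
  printf ("warnings with sh_info = 0: %zu\n",
          locals_at_or_above (sample_symtab, SAMPLE_COUNT, 0));
  printf ("locals first: %d\n", locals_first (sample_symtab, SAMPLE_COUNT));
  return 0;
}
```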
Daniel Kiper [Mon, 27 Oct 2025 15:56:39 +0000 (16:56 +0100)]
windows: Fix relocation sections generation during module conversion from PE to ELF
The commit 98ad84328 (kern/dl: Check for the SHF_INFO_LINK flag in
grub_dl_relocate_symbols()) revealed a bug in the code converting PE
module images to ELF files. The missing SHF_INFO_LINK flag for SHT_REL
and SHT_RELA sections leads to hangs during GRUB load. This only happens
for the GRUB images generated on Windows platforms. The *NIX platforms
are not affected due to lack of PE to ELF conversion step.
This patch fixes the issue...
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Ross Philipson <ross.philipson@oracle.com> Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
Andrew Hamilton [Sat, 25 Oct 2025 15:53:40 +0000 (10:53 -0500)]
loader/efi/linux: Fix compile error with Clang
Clang will produce a warning, which is treated as an error, that
"vendor_defined_data" is uninitialized. This is a "zero length" array
member of this struct. Add conditional compile pragma to allow this to
compile with Clang.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Yann Diorcet [Thu, 23 Oct 2025 12:02:50 +0000 (14:02 +0200)]
tss2: Always init out buffer before calling tpm2_submit_command_real()
When tpm2_submit_command_real() is called for a retry, the content of
out buffer can already be set with previous tpm2_submit_command_real()
call's reply. Add a call to grub_tpm2_buffer_init() before tpm2_submit_command_real().
This solves the issues occurring during TPM_CC_Load command on the
integrated TPM 2.0 in Intel Elkhart Lake chip.
Signed-off-by: Yann Diorcet <diorcet.yann@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Sun, 1 Jun 2025 15:52:22 +0000 (10:52 -0500)]
fs/ntfs: Correct next_attribute validation
Improved ad-hoc fuzzing coverage revealed a possible access violation
around line 342 of grub-core/fs/ntfs.c when accessing the attr_cur
pointer due to possibility of moving pointer "next" beyond the end of
the valid buffer inside next_attribute. Prevent this for cases where
full attribute validation is not performed (such as on attribute lists)
by performing a sanity check on the newly calculated next pointer.
Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation) Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Mon, 13 Oct 2025 06:52:24 +0000 (14:52 +0800)]
kern/ieee1275/init: Use net config for boot location instead of firmware bootpath
On network boots grub_ieee1275_net_config() is used to determine the
boot device but the path continues to be taken from the Open Firmware
/chosen/bootpath property. This assumes the device node follows the
generic IEEE 1275 syntax which is not always the case. Different drivers
may extend or redefine the format and GRUB may then misinterpret the
argument as a filename and set $prefix incorrectly.
does not follow this form. The section after the colon (the device-argument)
contains driver-specific options and network parameters, not a valid filename.
GRUB interprets this string as a filename which results in $prefix being
set to "/", effectively losing the intended boot directory.
The firmware is not at fault here since interpretation of device nodes
is driver-specific. Instead, GRUB should use the filename provided in
the cached DHCP packet which is consistent and reliable. This is also
the same mechanism already used on UEFI and legacy BIOS platforms.
This patch updates grub_machine_get_bootlocation() to prefer the result
from grub_ieee1275_net_config() when complete and only fall back to the
firmware bootpath otherwise.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Fri, 17 Oct 2025 18:35:59 +0000 (18:35 +0000)]
net/tftp: Fix NULL pointer dereference in grub_net_udp_close()
A NULL pointer dereference can occur in grub_net_udp_close(data->sock)
when handling a malformed TFTP OACK packet.
This issue was discovered via fuzzing. When a malformed OACK packet
contains an invalid file size, "tsize", value, tftp_receive() detects
the error and saves it via grub_error_save(&data->save_err). Later,
tftp_open() restores this error and calls grub_net_udp_close(data->sock)
assuming the socket is still valid.
However, the socket may have already been closed and set to NULL after
processing the final data block in tftp_receive() leading to a NULL
pointer dereference when attempting to close it again.
Fix it by checking if the socket is non-NULL before closing.
Lidong Chen [Tue, 21 Oct 2025 21:20:04 +0000 (21:20 +0000)]
net/dns: Prevent UAF and double free
In recv_hook(), *data->addresses is freed without being set to NULL.
Since *data->addresses can be cached in dns_cache[h].addresses, this
can lead to UAF or double free if dns_cache[h].addresses is accessed
or cleared later.
The fix sets *data->addresses to NULL after freeing to avoid dangling
pointer.
Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Tue, 21 Oct 2025 21:20:03 +0000 (21:20 +0000)]
net/bootp: Prevent a UAF in network interface unregister
A UAF occurs in grub_net_network_level_interface_unregister()
when inter->name is accessed after being freed in grub_cmd_bootp().
Fix it by deferring grub_free(ifaces[j].name) until after
grub_net_network_level_interface_unregister() completes.
Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Leo Sandoval [Tue, 21 Oct 2025 18:39:00 +0000 (12:39 -0600)]
commands/memtools: Add lsmemregions command
Prints memory regions general information including size, number of
blocks, total free and total allocated memory per region. The reason
behind it is to have a tool that shows general information about regions
and how fragmented the memory is at some particular time.
Below is an example showing this tool's output before and after memory stress.
Region 0x7af8e000 (size 4032 blocks 126 free 2720 alloc 1312)
Region 0x80c000 (size 81856 blocks 2558 free 81856 alloc 0)
Region 0x7d165000 (size 167872 blocks 5246 free 167872 alloc 0)
Region 0x7d0bf000 (size 655296 blocks 20478 free 655296 alloc 0)
Region 0x7ee00000 (size 1331136 blocks 41598 free 1331136 alloc 0)
Region 0x100000 (size 7385024 blocks 230782 free 7385024 alloc 0)
Region 0x7af95000 (size 25382848 blocks 793214 free 25382848 alloc 0)
Region 0x1780000 (size 2038357952 blocks 63698686 free 2077517536 alloc 5445568)
Signed-off-by: Leo Sandoval <lsandova@redhat.com> Reviewed-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Logan Gunthorpe [Tue, 21 Oct 2025 15:56:26 +0000 (09:56 -0600)]
tests/file_filter: Regenerate gpg keys
The "keys" file is not a valid GPG secret key so it is not possible to
generate new signatures.
Create a new key and use "gpg --export-secret-key" to export the key
and "gpg --export" to export the public key. Then resign all the
signatures with "gpg --detach-sign".
Signed-off-by: Logan Gunthorpe <logang@deltatee.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:42 +0000 (17:01 +0800)]
docs: Add Btrfs env block and special env vars
Update grub.texi to describe the external environment block in the
reserved area of Btrfs header used for grub-reboot and savedefault, and
add a section documenting the saved_entry, next_entry, and env_block
variables.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:41 +0000 (17:01 +0800)]
util/grub.d/00_header.in: Wire grub.cfg to use env_block when present
This patch extends the generated grub.cfg so that it can use the
external environment block when the variable env_block is defined.
During boot, if env_block is set, grub.cfg builds a device path for it,
exports the variable, and then loads its contents in addition to the
normal grubenv file.
When GRUB writes variables such as next_entry or saved_entry, the save
commands are changed to write into env_block if it is set, and to fall
back to the grubenv file otherwise. In this way the external environment
block is used automatically, and existing commands like savedefault or
save_env do not need to change.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:40 +0000 (17:01 +0800)]
fs/btrfs: Add environment block to reserved header area
This patch reserves space for the GRUB environment block inside the
Btrfs header. The block is placed at an offset of GRUB_ENV_BTRFS_OFFSET,
256 KiB from the start of the device, and occupies one sector. To
protect the space, overflow guard sectors are placed before and after
the reserved block.
The Btrfs header already defines regions for bootloader use. By adding
this entry, GRUB gains a fixed and safe location to store the environment
block without conflicting with other structures in the header.
Add Btrfs and its reserved area information to the fs_envblk_spec table.
With the groundwork done in previous patches, the function is now
complete and working in grub-editenv.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:39 +0000 (17:01 +0800)]
util/grub-editenv: Add probe call for external envblk
This patch adds the probe_fs_envblk() function to identify the root
filesystem and invoke fs_envblk_init() with the probed filesystem type
and device. This checks if the feature is available and initializes the
handle, fs_envblk, to access the external environment block. It avoids
configurations with diskfilter or cryptodisk where filesystem blocks may
be remapped or encrypted.
The probe is only invoked when grub-editenv is working on the default
environment file path. This restriction ensures that probing and
possible raw device access are not triggered for arbitrary user supplied
paths, but only for the standard grubenv file. In that case the code
checks if the filename equals DEFAULT_ENVBLK_PATH and then calls
probe_fs_envblk with fs_envblk_spec. The result is stored in the global
fs_envblk handle. At this stage the external environment block is only
detected and recorded, and the behavior of grub-editenv is unchanged.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:38 +0000 (17:01 +0800)]
util/grub-editenv: Wire list_variables() to optional fs_envblk
This patch updates list_variables() so that it also prints entries from
the external environment block when one is present. The function first
lists all variables from the file based envblk, then iterates over the
external envblk and prints those as well.
The output format remains the same as before. The change makes it
possible to inspect variables regardless of whether they are stored in
the file envblk or in the reserved block.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:37 +0000 (17:01 +0800)]
util/grub-editenv: Wire unset_variables() to optional fs_envblk
This patch updates unset_variables() so that removals are also applied
to the external environment block when it is present. The code opens the
external block, deletes the same named keys there, and then writes the
external block back using fs_envblk_write(). The file based envblk is
still updated and written as before.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:36 +0000 (17:01 +0800)]
util/grub-editenv: Wire set_variables() to optional fs_envblk
This patch changes set_variables() so that it can use an external
environment block when one is present. The variable next_entry is
written into the external block, env_block is treated as read only, and
all other variables are written into the normal file based envblk.
A cleanup step is added to handle cases where GRUB at runtime writes
variables into the external block because file based updates are not
safe on a copy on write filesystem such as Btrfs. For example, the
savedefault command can update saved_entry, and on Btrfs GRUB will place
that update in the external block instead of the file envblk. If an
older copy remains in the external block, it would override the newer
value from the file envblk when GRUB first loads the file and then
applies the external block on top of it. To avoid this, whenever
a variable is updated in the file envblk, any same named key in
the external block is deleted.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
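The override problem described in the set_variables() message above, as an added Python model that is not GRUB's code: the two stores are plain dicts, and the names `boot_view`, `set_variable` and `scenario` are hypothetical. The `env_block` value `512+1` is a constructed sample that assumes 512-byte sectors.

```python
# Simplified model (added example, not GRUB code) of the file envblk and the
# external block. Boot-time load order: file envblk first, external on top.

EXTERNAL_ONLY = {"next_entry"}   # routed to the external block
READ_ONLY = {"env_block"}        # link to the raw block, not user-settable


def boot_view(file_env, ext_env):
    """Values seen at boot: file entries, overridden by external ones."""
    merged = dict(file_env)
    merged.update(ext_env)
    return merged


def set_variable(file_env, ext_env, name, value, cleanup=True):
    """Route one assignment the way the commit message describes."""
    if name in READ_ONLY:
        raise PermissionError(f"{name} is read only")
    if name in EXTERNAL_ONLY:
        ext_env[name] = value
        return
    file_env[name] = value
    if cleanup:
        # Delete any same-named key from the external block so a stale
        # runtime copy cannot shadow the value just written to the file.
        ext_env.pop(name, None)


def scenario(cleanup):
    """Return the saved_entry seen at the next boot."""
    file_env = {"saved_entry": "0", "env_block": "512+1"}  # constructed sample
    ext_env = {}
    # Runtime savedefault on Btrfs: the update lands in the external block.
    ext_env["saved_entry"] = "old-kernel"
    # Later, userspace sets a new default through the file envblk.
    set_variable(file_env, ext_env, "saved_entry", "new-kernel", cleanup)
    return boot_view(file_env, ext_env)["saved_entry"]
```

`scenario(False)` shows the stale external copy winning at boot; `scenario(True)` shows the cleanup step letting the file value take effect.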
Michael Chang [Fri, 17 Oct 2025 09:01:35 +0000 (17:01 +0800)]
util/grub-editenv: Add fs_envblk write helper
This patch adds the function fs_envblk_write to update the reserved
environment block on disk. The helper takes an in memory envblk buffer
and writes it back to the device at the location defined by the
fs_envblk specification. It performs size checks and uses file sync to
ensure that the updated data is flushed.
The helper is also added into the fs_envblk ops table, together with the
open helper from the previous patch. With this change the basic input
and output path for an external environment block is complete. The
choice of which variables should be written externally will be handled
by later patches.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:34 +0000 (17:01 +0800)]
util/grub-editenv: Add fs_envblk open helper
This patch adds the logic to locate and open an environment block that
is stored in a reserved area on the device. It introduces the function
fs_envblk_open() together with helper routines to read the block pointed
to by the env_block variable, and to create the block on disk when it
does not exist yet. When a block is created, the code records its
location inside the file based envblk by setting env_block in block list
syntax of offset plus size in sectors.
The env_block variable acts as a link from the file envblk to the raw
disk region so that later runs of grub-editenv can follow it and access
the external block. The helper is exposed through a small ops table
attached to fs_envblk so that later patches can call
fs_envblk->ops->open() without touching core code again. At this stage
variables are still stored in the file envblk and no redirection has
been applied.
In relation to this, the fs_envblk_spec table defines the file-system
specific layout of the reserved raw blocks used for environment storage.
It is prepared to facilitate integration in grub-editenv, with Btrfs to
be added in the future once its reserved area is defined.
An fs_envblk_init() helper is added to prepare it for using the ops with
its associated data context if the feature is available. It is not used
yet, but will be used later when a filesystem and its device are probed
to initialize the fs_envblk handle and enable access to the feature.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 17 Oct 2025 09:01:32 +0000 (17:01 +0800)]
kern/misc: Add the "z" length modifier support
Add support for the "z" length modifier in the printf code. This allows
printing of size_t and ssize_t values using %zu, %zd and related
formats. The parser maps "z" to the correct integer width based on
sizeof(size_t).
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Wed, 22 Oct 2025 01:29:00 +0000 (09:29 +0800)]
disk/cryptodisk: Add --hw-accel to enable hardware acceleration
The --hw-accel option has been added to cryptomount to speed up
decryption by temporarily enabling hardware-specific instruction
sets (e.g., AVX, SSE) in libgcrypt.
A new feature, "feature_gcry_hw_accel", is also introduced to mark the
availability of the new option.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Wed, 22 Oct 2025 01:28:57 +0000 (09:28 +0800)]
libgcrypt: Declare the sha256 shaext function
There is no prototype of _gcry_sha256_transform_intel_shaext() defined
in the header or libgcrypt-grub/cipher/sha256.c, and gcc may report
the missing-prototypes error when compiling sha256-intel-shaext.c.
Declare the prototype in sha256-intel-shaext.c to avoid the error.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Wed, 22 Oct 2025 01:28:52 +0000 (09:28 +0800)]
lib/hwfeatures-gcry: Introduce functions to manage hardware features
This commit introduces the generic functions to manage the hardware
features in libgcrypt. These functions are stubs for future
platform-specific implementations:
- grub_gcry_hwf_enabled() returns __gcry_use_hwf which indicates if
the hardware features are enabled specifically by grub_enable_gcry_hwf(),
- grub_enable_gcry_hwf() invokes the architecture specific enablement
functions and sets __gcry_use_hwf to true,
- grub_reset_gcry_hwf() invokes the architecture specific reset
functions and sets __gcry_use_hwf to false.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Wed, 22 Oct 2025 01:28:51 +0000 (09:28 +0800)]
configure: Tweak autoconf/automake files to detect x86_64 features
To enable hardware acceleration, this commit ports the feature detection
logic from libgcrypt. This allows us to check if the compiler supports
specific assembly instructions, including SSSE3, Intel SHA extensions,
SSE4.1, AVX, AVX2, AVX512, and BMI2.
To simplify the initial implementation, support for x86_64 feature
detection is currently limited to the x86_64 EFI target.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Thu, 14 Aug 2025 06:32:42 +0000 (14:32 +0800)]
lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle
The previous PBKDF2 implementation used grub_crypto_hmac_buffer() which
allocates and frees an HMAC handle on every call. This approach caused
significant performance overhead, slowing down the boot process considerably.
This commit refactors the PBKDF2 code to use the new HMAC functions,
allowing the HMAC handle and its buffers to be allocated once and reused
across multiple operations. This change significantly reduces disk
unlocking time.
In a QEMU/OVMF test environment this patch reduced the time to unlock
a LUKS2 (*) partition from approximately 15 seconds to 4 seconds.
Gary Lin [Thu, 14 Aug 2025 06:32:41 +0000 (14:32 +0800)]
lib/crypto: Introduce new HMAC functions to reuse buffers
To enable more efficient buffer reuse for HMAC operations, three new
functions have been introduced. This change prevents the need to
reallocate memory for each HMAC operation:
- grub_crypto_hmac_reset(): reinitializes the hash contexts in the HMAC handle,
- grub_crypto_hmac_final(): provides the final HMAC result without freeing the
handle allowing it to be reused immediately,
- grub_crypto_hmac_free(): deallocates the HMAC handle and its associated memory.
To further facilitate buffer reuse, ctx2 is now included within the HMAC handle
struct and the initialization of ctx2 is moved to grub_crypto_hmac_init().
The intermediate hash states, ctx and ctx2, for the inner and outer padded
keys are now cached. grub_crypto_hmac_reset() restores these cached
states for new operations, which avoids redundant hashing of the keys.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
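The handle reuse described in the two messages above (lib/pbkdf2 and lib/crypto), as an added Python sketch rather than GRUB's C code: the padded-key states are hashed once, cached, and restored on every reset, and PBKDF2 runs all its iterations on a single handle. `HmacHandle` and its `reset`/`write`/`final` methods are hypothetical names that only mirror the roles named in the commit message, and SHA-256 is an assumed hash choice.

```python
import hashlib
import struct

BLOCK = 64  # SHA-256 block size in bytes


class HmacHandle:
    """HMAC-SHA256 handle that hashes the padded keys once and reuses them."""

    def __init__(self, key: bytes):
        if len(key) > BLOCK:
            key = hashlib.sha256(key).digest()
        key = key.ljust(BLOCK, b"\x00")
        # Cached intermediate states for the inner and outer padded keys.
        self._inner0 = hashlib.sha256(bytes(b ^ 0x36 for b in key))
        self._outer0 = hashlib.sha256(bytes(b ^ 0x5C for b in key))
        self.reset()

    def reset(self):
        """Restore the cached states instead of re-hashing the key."""
        self._inner = self._inner0.copy()
        self._outer = self._outer0.copy()

    def write(self, data: bytes):
        self._inner.update(data)

    def final(self) -> bytes:
        """Return the MAC; the handle stays usable after reset()."""
        self._outer.update(self._inner.digest())
        return self._outer.digest()


def pbkdf2_sha256(password: bytes, salt: bytes, rounds: int, dklen: int) -> bytes:
    mac = HmacHandle(password)  # one handle for every iteration
    out = b""
    for i in range(1, -(-dklen // 32) + 1):  # ceil(dklen / 32) blocks
        mac.reset()
        mac.write(salt + struct.pack(">I", i))
        u = mac.final()
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            mac.reset()
            mac.write(u)
            u = mac.final()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
    return out[:dklen]
```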