diff -Nru grub2-2.12~rc1/debian/changelog grub2-2.12~rc1/debian/changelog --- grub2-2.12~rc1/debian/changelog 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/changelog 2023-10-02 14:23:58.000000000 +0000 
@@ -1,3 +1,165 @@ +grub2 (2.12~rc1-10ubuntu4) mantic; urgency=high + + * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write + and may leak sensitive information into the GRUB pager. + - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume- + label.patch: + fs/ntfs: Fix an OOB read when parsing a volume label + - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for- + index-at.patch: + fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes + - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory- + entries-fr.patch: + fs/ntfs: Fix an OOB read when parsing directory entries from resident and + non-resident index attributes + - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe- + reside.patch: + fs/ntfs: Fix an OOB read when reading data from the resident $DATA + + attribute + - CVE-2023-4693 + * SECURITY UPDATE: Crafted file system images can cause heap-based buffer + overflow and may allow arbitrary code execution and secure boot bypass. + - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the- + ATTRIBUTE_LIST-.patch: + fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for + the $MFT file + - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch + fs/ntfs: Make code more readable + - CVE-2023-4692 + + -- Mate Kukri Mon, 02 Oct 2023 15:23:58 +0100 + +grub2 (2.12~rc1-10ubuntu2) mantic; urgency=medium + + * Merge from Debian unstable to pick up fixes (LP: #2028947); remaining changes: + - Add Ubuntu sbat data + - build-efi-images: do not produce -installer.efi.signed. 
LP: 1863994 + - grub-common: Install canonical-uefi-ca.crt + - Check signatures + - Support installing to multiple ESP (LP: 1871821) + - Disable various bits on i386 + - Split out unsigned artefacts into grub2-unsigned + - Vcs-Git: Point to ubuntu packaging branch + - Relax dependencies on grub-common and grub2-common + - grub-pc: Avoid the possibility of breaking grub on SRU update due + to ABI change + - UBUNTU: Default timeout changes + - Revert "Add jfs module to signed UEFI images. Closes: #950959" + - Revert "Add f2fs module to signed UEFI images" + - Install grub-initrd-fallback.service again + - Build using -O1 on s390x to avoid misoptimization + - grub-check-signatures: Support gzip compressed kernels (LP: #1954683) + - grub-multi-install: Reset partition type between partitions (LP: #1997795) + - Drop i386 from grub-efi-amd64* (LP: #2020907) + - Turn depends on grub-efi-amd64/arm64 unversioned + - forward port fix for LP: #1926748 + - Make the grub2/no_efi_extra_removable setting work correctly + - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only) + - Build grub2-unsigned packages with xz compression + - Replaced patches: + - installe-signed.patched + - grub-install-extra-removable.patch + - grub-install-removable-shim.patch + - Added patches: + + rhboot-f34-dont-use-int-for-efi-status.patch + + rhboot-f34-make-exit-take-a-return-code.patch + + suse-grub.texi-add-net_bootp6-document.patch + + ubuntu-add-devicetree-command-support.patch + + ubuntu-add-initrd-less-boot-fallback.patch + + ubuntu-add-initrd-less-boot-messages.patch + + ubuntu-boot-from-multipath-dependent-symlink.patch + + ubuntu-dont-verify-loopback-images.patch + + ubuntu-fix-lzma-decompressor-objcopy.patch + + ubuntu-grub-install-extra-removable.patch + + ubuntu-install-signed.patch + + ubuntu-mkconfig-leave-breadcrumbs.patch + + ubuntu-os-prober-auto.patch + + ubuntu-recovery-dis_ucode_ldr.patch + + ubuntu-resilient-boot-boot-order.patch + + 
ubuntu-resilient-boot-ignore-alternative-esps.patch + + ubuntu-shorter-version-info.patch + + ubuntu-speed-zsys-history.patch + + ubuntu-support-initrd-less-boot.patch + + ubuntu-verifiers-last.patch + + ubuntu-zfs-enhance-support.patch + + ubuntu-zfs-gfxpayload-dynamic.patch + + ubuntu-zfs-gfxpayload-keep-default.patch + + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch + + ubuntu-zfs-mkconfig-recovery-title.patch + + ubuntu-zfs-mkconfig-signed-kernel.patch + + ubuntu-zfs-mkconfig-ubuntu-distributor.patch + + ubuntu-zfs-mkconfig-ubuntu-recovery.patch + + ubuntu-zfs-vt-handoff.patch + * Dropped Ubuntu changes: + - Temporarily rmmod peimage for os-prober chainloader entries (LP: #2030810) + * Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not + compatible with our versioning schemes. + * Install a /usr/lib/grub/grub-sort-version and use that to sort versions as + it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so. + * rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned + + -- Julian Andres Klode Mon, 25 Sep 2023 17:31:09 +0200 + +grub2 (2.12~rc1-10) unstable; urgency=medium + + [ Julian Andres Klode ] + * Cherry pick fix for unmerged usr shebang (Closes: #1051251) + * grub-common.dirs: Install empty /etc/default/grub.d (Closes: #1051412) + + [ Mate Kukri ] + * efi: Eliminate globals from the `peimage.c` chainloader + + -- Julian Andres Klode Mon, 18 Sep 2023 12:23:29 +0200 + +grub2 (2.12~rc1-9) unstable; urgency=medium + + * Correct the Breaks to include the ~rc1 bit of the version + + -- Julian Andres Klode Tue, 05 Sep 2023 19:13:30 +0200 + +grub2 (2.12~rc1-8) unstable; urgency=medium + + * Have -bin packages Break pre-2.12 -signed packages. + On insecurely booted systems, upgrading the -bin packages with + the modules before the -signed packages caused the signed binaries + to crash when loading additional modules. 
(Closes: #1051271) + * Revert "In the signed packages, change the version dependency" + This reverts commit 680bb22c3308b7ccd0a7eb7923c7d68067b626f9. The + signed package needs the modules to be at the same version during + boot on insecure systems or it may crash trying to load further + modules. + * Set Protected: yes for -signed packages so they cannot easily be removed. + This ensures that the = depends in grub-efi-amd64-signed does not + cause it to be removed when it is out of sync with src:grub2 + + -- Julian Andres Klode Tue, 05 Sep 2023 19:06:05 +0200 + +grub2 (2.12~rc1-7) unstable; urgency=medium + + * Upload to unstable + + -- Julian Andres Klode Mon, 04 Sep 2023 20:03:09 +0200 + +grub2 (2.12~rc1-6) experimental; urgency=medium + + * Use rm_conffile instead of remove-on-upgrade. + This works with ftp-master's old lintian version and allows + easy backports + + -- Julian Andres Klode Mon, 04 Sep 2023 16:57:55 +0200 + +grub2 (2.12~rc1-5) experimental; urgency=medium + + [ Felix Zielcke ] + * Add salsa-ci.yml and disable blhc and reprotest pipelines. + * remove on upgrades /etc/default/grub.d/init-select.cfg. (Closes: #1042707) + + [ Julian Andres Klode ] + * peimage: Set file_path for loaded image (LP: #2030810, #2032294) + * Hack up the lintian overrides for stable lintian on ftp-master + + -- Julian Andres Klode Mon, 04 Sep 2023 14:16:12 +0200 + grub2 (2.12~rc1-4ubuntu3) mantic; urgency=medium * zfs: Drop `set -u`, incompatible with undefined variables in library diff -Nru grub2-2.12~rc1/debian/control grub2-2.12~rc1/debian/control --- grub2-2.12~rc1/debian/control 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/control 2023-10-02 14:23:58.000000000 +0000 
@@ -76,7 +76,7 @@ Package: grub-common Architecture: any Built-Using: ${Built-Using} -Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends} +Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}, python3 Replaces: grub-pc (<< 2.00-4), grub-ieee1275 (<< 2.00-4), grub-efi (<< 1.99-1), grub-coreboot (<< 2.00-4), grub-linuxbios (<< 1.96+20080831-1), grub-efi-ia32 (<< 2.00-4), grub-efi-amd64 (<< 2.00-4), grub-efi-ia64 (<< 2.00-4), grub-yeeloong (<< 2.00-4), init-select Recommends: os-prober (>= 1.33) Suggests: multiboot-doc, grub-emu [any-i386 any-amd64 any-powerpc], mtools [any-i386 any-amd64 any-ia64 any-arm any-arm64 riscv64], xorriso (>= 0.5.6.pl00), desktop-base (>= 4.0.6), console-setup diff -Nru grub2-2.12~rc1/debian/grub-common.dirs grub2-2.12~rc1/debian/grub-common.dirs --- grub2-2.12~rc1/debian/grub-common.dirs 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/grub-common.dirs 2023-10-02 14:23:58.000000000 +0000 @@ -1,3 +1,4 @@ +etc/default/grub.d usr/sbin var/lib/grub/ucf var/lib/grub/esp diff -Nru grub2-2.12~rc1/debian/grub-common.install.in grub2-2.12~rc1/debian/grub-common.install.in --- grub2-2.12~rc1/debian/grub-common.install.in 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/grub-common.install.in 2023-10-02 14:23:58.000000000 +0000 @@ -1,8 +1,8 @@ ../../debian/apport/source_grub2.py usr/share/apport/package-hooks/ ../../debian/grub.d etc -../../debian/init-select.cfg etc/default/grub.d ../../debian/grub-check-signatures usr/share/grub/ ../../debian/grub-multi-install usr/lib/grub/ +../../debian/grub-sort-version usr/lib/grub ../../debian/canonical-uefi-ca.crt usr/share/grub/ etc/grub.d diff -Nru grub2-2.12~rc1/debian/grub-common.maintscript.in grub2-2.12~rc1/debian/grub-common.maintscript.in --- grub2-2.12~rc1/debian/grub-common.maintscript.in 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/grub-common.maintscript.in 2023-10-02 14:23:58.000000000 +0000 
@@ -1 +1,2 @@ rm_conffile /etc/bash_completion.d/grub 2.02+dfsg1-9~ +rm_conffile /etc/default/grub.d/init-select.cfg 2.12~rc1-5~ diff -Nru grub2-2.12~rc1/debian/grub-sort-version grub2-2.12~rc1/debian/grub-sort-version --- grub2-2.12~rc1/debian/grub-sort-version 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/grub-sort-version 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,56 @@ +#!/usr/bin/python3 +# +"""Script to sort kernel versions.""" +import apt_pkg +import argparse +import re +import sys +import os +import typing + + +def order_index(order: list[re.Pattern[str]], abi: str) -> int: + """Return the index of abi in order""" + for i, entry in zip(range(len(order)), order): + if entry.match(abi): + return i + return len(order) + + +class KernelABI: + """Orderable kernel ABI string.""" + + def __init__(self, abi: str, order: list[re.Pattern[str]]): + self.abi = abi + self._index = order_index(order, self.abi) + + def __lt__(self, other: "KernelABI") -> bool: + if self._index != other._index: + # Ordering is reversed, what should be considered highest comes first. + return self._index > other._index + return apt_pkg.version_compare(self.abi, other.abi) < 0 + + +def main() -> None: + """Entry point.""" + apt_pkg.init() + + parser = argparse.ArgumentParser( + prog="grub-sort-version", description="sort kernel ABIs" + ) + parser.add_argument("-r", "--reverse", action="store_true") + args = parser.parse_args() + + order = [] + for flavour in os.environ.get("GRUB_FLAVOUR_ORDER", "").split(): + order.append(re.compile(f"[0-9]*-{flavour}$")) + + versions = [KernelABI(line.rstrip(), order) for line in sys.stdin] + versions.sort(reverse=args.reverse) + + for v in versions: + print(v.abi) + + +if __name__ == "__main__": + main() diff -Nru grub2-2.12~rc1/debian/grub-xen-host.lintian-overrides grub2-2.12~rc1/debian/grub-xen-host.lintian-overrides --- grub2-2.12~rc1/debian/grub-xen-host.lintian-overrides 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/grub-xen-host.lintian-overrides 2023-10-02 14:23:58.000000000 +0000 
@@ -1,3 +1,3 @@ -grub-xen-host: statically-linked-binary [usr/lib/grub-xen/grub-i386-xen.bin] -grub-xen-host: statically-linked-binary [usr/lib/grub-xen/grub-i386-xen_pvh.bin] -grub-xen-host: statically-linked-binary [usr/lib/grub-xen/grub-x86_64-xen.bin] +grub-xen-host: statically-linked-binary *usr/lib/grub-xen/grub-i386-xen.bin* +grub-xen-host: statically-linked-binary *usr/lib/grub-xen/grub-i386-xen_pvh.bin* +grub-xen-host: statically-linked-binary *usr/lib/grub-xen/grub-x86_64-xen.bin* diff -Nru grub2-2.12~rc1/debian/init-select.cfg grub2-2.12~rc1/debian/init-select.cfg --- grub2-2.12~rc1/debian/init-select.cfg 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/init-select.cfg 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -# Work around a bug in the obsolete init-select package which broke -# grub-mkconfig when init-select was removed but not purged. This file does -# nothing and will be removed in a later release. -# -# See: -# https://bugs.debian.org/858528 -# https://bugs.debian.org/863801 diff -Nru grub2-2.12~rc1/debian/patches/grub-sort-version.patch grub2-2.12~rc1/debian/patches/grub-sort-version.patch --- grub2-2.12~rc1/debian/patches/grub-sort-version.patch 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/grub-sort-version.patch 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,37 @@ +From: Julian Andres Klode +Date: Mon, 25 Sep 2023 10:24:11 +0200 +Subject: grub-mkconfig: Use grub-sort-version + +We need to have support for GRUB_FLAVOUR_ORDER and it's arguably +the easiest way to hook this in, although you might be able to +write this as an awk script or something. +--- + util/grub-mkconfig_lib.in | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in +index f0c8860..3c2021d 100644 +--- a/util/grub-mkconfig_lib.in ++++ b/util/grub-mkconfig_lib.in +@@ -226,20 +226,7 @@ grub_file_is_not_garbage () + + version_sort () + { +- case $version_sort_sort_has_v in +- yes) +- LC_ALL=C sort -V "$@";; +- no) +- LC_ALL=C sort -n "$@";; +- *) +- if sort -V /dev/null 2>&1; then +- version_sort_sort_has_v=yes +- LC_ALL=C sort -V "$@" +- else +- version_sort_sort_has_v=no +- LC_ALL=C sort -n "$@" +- fi;; +- esac ++ LC_ALL=C /usr/lib/grub/grub-sort-version "$@" + } + + # Given an item as the first argument and a list as the subsequent arguments, diff -Nru grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch --- grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,57 @@ +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:38:19 +0300 +Subject: fs/ntfs: Fix an OOB read when parsing a volume label + +This fix introduces checks to ensure that an NTFS volume label is always +read from the corresponding file record segment. + +The current NTFS code allows the volume label string to be read from an +arbitrary, attacker-chosen memory location. However, the bytes read are +always treated as UTF-16LE. So, the final string displayed is mostly +unreadable and it can't be easily converted back to raw bytes. + +The lack of this check is a minor issue, likely not causing a significant +data leak. + +Reported-by: Maxim Suhanov +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper +--- + grub-core/fs/ntfs.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index bb70c89..ff5e374 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -1213,13 +1213,29 @@ grub_ntfs_label (grub_device_t device, char **label) + + init_attr (&mft->attr, mft); + pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME); ++ ++ if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label"); ++ goto fail; ++ } ++ ++ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label"); ++ goto fail; ++ } ++ + if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10))) + { + int len; + + len = u32at (pa, 0x10) / 2; + pa += u16at (pa, 0x14); +- *label = get_utf8 (pa, len); ++ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len) ++ *label = get_utf8 (pa, len); ++ else ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label"); + } + + fail: diff -Nru grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-index-at.patch 
grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-index-at.patch --- grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-index-at.patch 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-index-at.patch 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,46 @@ +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:33:44 +0300 +Subject: fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes + +This fix introduces checks to ensure that bitmaps for directory indices +are never read beyond their actual sizes. + +The lack of this check is a minor issue, likely not exploitable in any way. + +Reported-by: Maxim Suhanov +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper +--- + grub-core/fs/ntfs.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index 2d78b96..bb70c89 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -843,6 +843,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, + + if (is_resident) + { ++ if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large"); ++ goto done; ++ } ++ ++ if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range"); ++ goto done; ++ } ++ ++ if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) > ++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range"); ++ goto done; ++ } ++ + grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14), + bitmap_len); + } diff -Nru grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entries-fr.patch grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entries-fr.patch --- grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entries-fr.patch 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entries-fr.patch 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,69 @@ +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:33:17 +0300 +Subject: fs/ntfs: Fix an OOB read when parsing directory entries from + resident and non-resident index attributes + +This fix introduces checks to ensure that index entries are never read +beyond the corresponding directory index. + +The lack of this check is a minor issue, likely not exploitable in any way. + +Reported-by: Maxim Suhanov +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper +--- + grub-core/fs/ntfs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index a68e173..2d78b96 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len) + } + + static int +-list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, ++list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos, + grub_fshelp_iterate_dir_hook_t hook, void *hook_data) + { + grub_uint8_t *np; +@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, + grub_uint8_t namespace; + char *ustr; + ++ if ((pos >= end_pos) || (end_pos - pos < 0x52)) ++ break; ++ + if (pos[0xC] & 2) /* end signature */ + break; + +@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, + ns = *(np++); + namespace = *(np++); + ++ if (2 * ns > end_pos - pos - 0x52) ++ break; ++ + /* + * Ignore files in DOS namespace, as they will reappear as Win32 + * names. 
+@@ -806,7 +812,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, + } + + cur_pos += 0x10; /* Skip index root */ +- ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data); ++ ret = list_file (mft, cur_pos + u16at (cur_pos, 0), ++ at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), ++ hook, hook_data); + if (ret) + goto done; + +@@ -893,6 +901,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, + (const grub_uint8_t *) "INDX"))) + goto done; + ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)], ++ indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR), + hook, hook_data); + if (ret) + goto done; diff -Nru grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-reside.patch grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-reside.patch --- grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-reside.patch 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-reside.patch 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,54 @@ +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:32:33 +0300 +Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA + attribute + +When reading a file containing resident data, i.e., the file data is stored in +the $DATA attribute within the NTFS file record, not in external clusters, +there are no checks that this resident data actually fits the corresponding +file record segment. + +When parsing a specially-crafted file system image, the current NTFS code will +read the file data from an arbitrary, attacker-chosen memory offset and of +arbitrary, attacker-chosen length. + +This allows an attacker to display arbitrary chunks of memory, which could +contain sensitive information like password hashes or even plain-text, +obfuscated passwords from BS EFI variables. + +This fix implements a check to ensure that resident data is read from the +corresponding file record segment only. + +Fixes: CVE-2023-4693 + +Reported-by: Maxim Suhanov +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper +--- + grub-core/fs/ntfs.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index c3c4db1..a68e173 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, + { + if (ofs + len > u32at (pa, 0x10)) + return grub_error (GRUB_ERR_BAD_FS, "read out of range"); +- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len); ++ ++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); ++ ++ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); ++ ++ if (u16at (pa, 0x14) + u32at (pa, 0x10) > ++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) ++ return 
grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); ++ ++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); + return 0; + } + diff -Nru grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_LIST-.patch grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_LIST-.patch --- grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_LIST-.patch 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_LIST-.patch 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,89 @@ +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:31:57 +0300 +Subject: fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute + for the $MFT file + +When parsing an extremely fragmented $MFT file, i.e., the file described +using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer +containing bytes read from the underlying drive to store sector numbers, +which are consumed later to read data from these sectors into another buffer. + +These sectors numbers, two 32-bit integers, are always stored at predefined +offsets, 0x10 and 0x14, relative to first byte of the selected entry within +the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. + +However, when parsing a specially-crafted file system image, this may cause +the NTFS code to write these integers beyond the buffer boundary, likely +causing the GRUB memory allocator to misbehave or fail. These integers contain +values which are controlled by on-disk structures of the NTFS file system. + +Such modification and resulting misbehavior may touch a memory range not +assigned to the GRUB and owned by firmware or another EFI application/driver. + +This fix introduces checks to ensure that these sector numbers are never +written beyond the boundary. 
+ +Fixes: CVE-2023-4692 + +Reported-by: Maxim Suhanov +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper +--- + grub-core/fs/ntfs.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index bbdbe24..c3c4db1 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + } + if (at->attr_end) + { +- grub_uint8_t *pa; ++ grub_uint8_t *pa, *pa_end; + + at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); + if (at->emft_buf == NULL) +@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + } + at->attr_nxt = at->edat_buf; + at->attr_end = at->edat_buf + u32at (pa, 0x30); ++ pa_end = at->edat_buf + n; + } + else + { + at->attr_nxt = at->attr_end + u16at (pa, 0x14); + at->attr_end = at->attr_end + u32at (pa, 4); ++ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); + } + at->flags |= GRUB_NTFS_AF_ALST; + while (at->attr_nxt < at->attr_end) +@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + at->flags |= GRUB_NTFS_AF_GPOS; + at->attr_cur = at->attr_nxt; + pa = at->attr_cur; ++ ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); ++ return NULL; ++ } ++ + grub_set_unaligned32 ((char *) pa + 0x10, + grub_cpu_to_le32 (at->mft->data->mft_start)); + grub_set_unaligned32 ((char *) pa + 0x14, +@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + { + if (*pa != attr) + break; ++ ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); ++ return NULL; ++ } ++ + if (read_attr + (at, pa + 0x10, + u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), diff -Nru grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch 
grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch --- grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch 2023-10-02 14:23:58.000000000 +0000 
@@ -0,0 +1,155 @@ +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:40:07 +0300 +Subject: fs/ntfs: Make code more readable + +Move some calls used to access NTFS attribute header fields into +functions with human-readable names. + +Suggested-by: Daniel Kiper +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper +--- + grub-core/fs/ntfs.c | 48 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index ff5e374..de435aa 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -52,6 +52,24 @@ u64at (void *ptr, grub_size_t ofs) + return grub_le_to_cpu64 (grub_get_unaligned64 ((char *) ptr + ofs)); + } + ++static grub_uint16_t ++first_attr_off (void *mft_buf_ptr) ++{ ++ return u16at (mft_buf_ptr, 0x14); ++} ++ ++static grub_uint16_t ++res_attr_data_off (void *res_attr_ptr) ++{ ++ return u16at (res_attr_ptr, 0x14); ++} ++ ++static grub_uint32_t ++res_attr_data_len (void *res_attr_ptr) ++{ ++ return u32at (res_attr_ptr, 0x10); ++} ++ + grub_ntfscomp_func_t grub_ntfscomp_func; + + static grub_err_t +@@ -106,7 +124,7 @@ init_attr (struct grub_ntfs_attr *at, struct grub_ntfs_file *mft) + { + at->mft = mft; + at->flags = (mft == &mft->data->mmft) ? 
GRUB_NTFS_AF_MMFT : 0; +- at->attr_nxt = mft->buf + u16at (mft->buf, 0x14); ++ at->attr_nxt = mft->buf + first_attr_off (mft->buf); + at->attr_end = at->emft_buf = at->edat_buf = at->sbuf = NULL; + } + +@@ -154,7 +172,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + return NULL; + } + +- new_pos = &at->emft_buf[u16at (at->emft_buf, 0x14)]; ++ new_pos = &at->emft_buf[first_attr_off (at->emft_buf)]; + while (*new_pos != 0xFF) + { + if ((*new_pos == *at->attr_cur) +@@ -213,7 +231,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + } + else + { +- at->attr_nxt = at->attr_end + u16at (pa, 0x14); ++ at->attr_nxt = at->attr_end + res_attr_data_off (pa); + at->attr_end = at->attr_end + u32at (pa, 4); + pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); + } +@@ -399,20 +417,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, + + if (pa[8] == 0) + { +- if (ofs + len > u32at (pa, 0x10)) ++ if (ofs + len > res_attr_data_len (pa)) + return grub_error (GRUB_ERR_BAD_FS, "read out of range"); + +- if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ if (res_attr_data_len (pa) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) + return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); + + if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); + +- if (u16at (pa, 0x14) + u32at (pa, 0x10) > ++ if (res_attr_data_off (pa) + res_attr_data_len (pa) > + (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) + return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); + +- grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); ++ grub_memcpy (dest, pa + res_attr_data_off (pa) + ofs, len); + return 0; + } + +@@ -556,7 +574,7 @@ init_file (struct grub_ntfs_file *mft, grub_uint64_t mftno) + (unsigned long long) mftno); + + if (!pa[8]) +- 
mft->size = u32at (pa, 0x10); ++ mft->size = res_attr_data_len (pa); + else + mft->size = u64at (pa, 0x30); + +@@ -805,7 +823,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, + (u32at (cur_pos, 0x18) != 0x490024) || + (u32at (cur_pos, 0x1C) != 0x300033)) + continue; +- cur_pos += u16at (cur_pos, 0x14); ++ cur_pos += res_attr_data_off (cur_pos); + if (*cur_pos != 0x30) /* Not filename index */ + continue; + break; +@@ -834,7 +852,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, + { + int is_resident = (cur_pos[8] == 0); + +- bitmap_len = ((is_resident) ? u32at (cur_pos, 0x10) : ++ bitmap_len = ((is_resident) ? res_attr_data_len (cur_pos) : + u32at (cur_pos, 0x28)); + + bmp = grub_malloc (bitmap_len); +@@ -855,14 +873,14 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, + goto done; + } + +- if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) > ++ if (res_attr_data_off (cur_pos) + res_attr_data_len (cur_pos) > + (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos) + { + grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range"); + goto done; + } + +- grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14), ++ grub_memcpy (bmp, cur_pos + res_attr_data_off (cur_pos), + bitmap_len); + } + else +@@ -1226,12 +1244,12 @@ grub_ntfs_label (grub_device_t device, char **label) + goto fail; + } + +- if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10))) ++ if ((pa) && (pa[8] == 0) && (res_attr_data_len (pa))) + { + int len; + +- len = u32at (pa, 0x10) / 2; +- pa += u16at (pa, 0x14); ++ len = res_attr_data_len (pa) / 2; ++ pa += res_attr_data_off (pa); + if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len) + *label = get_utf8 (pa, len); + else diff -Nru grub2-2.12~rc1/debian/patches/secure-boot/efi-use-peimage-shim.patch grub2-2.12~rc1/debian/patches/secure-boot/efi-use-peimage-shim.patch --- grub2-2.12~rc1/debian/patches/secure-boot/efi-use-peimage-shim.patch 2023-08-29 14:03:49.000000000 +0000 +++ 
grub2-2.12~rc1/debian/patches/secure-boot/efi-use-peimage-shim.patch 2023-10-02 14:23:58.000000000 +0000 @@ -33,9 +33,9 @@ Signed-off-by: Julian Andres Klode --- grub-core/Makefile.core.def | 12 + - grub-core/loader/efi/peimage.c | 837 +++++++++++++++++++++++++++++++++++++++++ + grub-core/loader/efi/peimage.c | 899 +++++++++++++++++++++++++++++++++++++++++ include/grub/efi/peimage.h | 23 ++ - 3 files changed, 872 insertions(+) + 3 files changed, 934 insertions(+) create mode 100644 grub-core/loader/efi/peimage.c create mode 100644 include/grub/efi/peimage.h @@ -64,10 +64,10 @@ efi = loader/efi/fdt.c; diff --git a/grub-core/loader/efi/peimage.c b/grub-core/loader/efi/peimage.c new file mode 100644 -index 0000000..56528b5 +index 0000000..d24871e --- /dev/null +++ b/grub-core/loader/efi/peimage.c -@@ -0,0 +1,837 @@ +@@ -0,0 +1,899 @@ +// SPDX-License-Identifier: GPL-3.0+ + +#include @@ -83,12 +83,29 @@ + +GRUB_MOD_LICENSE ("GPLv3+"); + ++#define GRUB_PEIMAGE_MARKER_GUID \ ++ { \ ++ 0xda24567a, 0xf899, 0x4566, \ ++ { \ ++ 0xb8, 0x27, 0x9f, 0x66, 0x00, 0xc2, 0x14, 0x39 \ ++ } \ ++ } ++ ++#define GRUB_EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID \ ++ { \ ++ 0xbc62157e, 0x3e33, 0x4fec, \ ++ { \ ++ 0x99, 0x20, 0x2d, 0x3b, 0x36, 0xd7, 0x50, 0xdf \ ++ } \ ++ } ++ +static grub_dl_t my_mod; + +struct image_info +{ + void *data; + grub_efi_uint32_t data_size; ++ grub_efi_device_path_t *file_path; + grub_efi_uint16_t machine; + grub_efi_uint16_t num_sections; + struct grub_pe32_section_table *section; 
@@ -101,18 +118,12 @@ + grub_uint32_t alloc_pages; + void *image_addr; + grub_efi_entry_point __grub_efi_api entry_point; -+}; + -+static struct -+{ ++ grub_efi_loaded_image_t loaded_image; ++ + grub_jmp_buf jmp; -+ grub_efi_handle_t image_handle; + grub_efi_status_t exit_status; -+ grub_efi_status_t (__grub_efi_api *exit) (grub_efi_handle_t image_handle, -+ grub_efi_status_t exit_status, -+ grub_efi_uintn_t exit_data_size, -+ grub_efi_char16_t *exit_data); -+} started_image; ++}; + +static int +debug_enabled (const char *condition) @@ -343,7 +354,8 @@ + section < &info->section[info->num_sections]; ++section) + { + if (section->virtual_address < info->header_size -+ || section->raw_data_offset < info->header_size) ++ || (section->raw_data_size ++ && section->raw_data_offset < info->header_size)) + { + grub_error (GRUB_ERR_BAD_OS, "section inside header"); + return GRUB_EFI_LOAD_ERROR; @@ -707,6 +719,11 @@ + return GRUB_EFI_LOAD_ERROR; +} + ++// Original exit handler ++static grub_efi_status_t (__grub_efi_api *exit_orig) ( ++ grub_efi_handle_t image_handle, grub_efi_status_t exit_status, ++ grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data); ++ +/** + * efi_exit() - replacement for EFI_BOOT_SERVICES.Exit() + * 
@@ -720,22 +737,26 @@ + * @exit_data: null terminated string followed by optional data + */ +static grub_efi_status_t __grub_efi_api -+efi_exit (grub_efi_handle_t image_handle, grub_efi_status_t exit_status, -+ grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data) ++exit_hook (grub_efi_handle_t image_handle, grub_efi_status_t exit_status, ++ grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data) +{ -+ grub_efi_system_table->boot_services->exit = started_image.exit; ++ struct image_info *info; + + if (!image_handle) + return GRUB_EFI_INVALID_PARAMETER; + -+ if (image_handle != started_image.image_handle) ++ info = grub_efi_open_protocol ( ++ image_handle, ++ &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID, ++ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL); ++ if (!info) + { + grub_dprintf ("linux", "delegating Exit()\n"); -+ return started_image.exit (image_handle, exit_status, exit_data_size, -+ (grub_efi_char16_t *)exit_data); ++ return exit_orig (image_handle, exit_status, exit_data_size, ++ (grub_efi_char16_t *)exit_data); + } + -+ started_image.exit_status = exit_status; ++ info->exit_status = exit_status; + + if (exit_status != GRUB_EFI_SUCCESS) + { 
@@ -755,136 +776,169 @@ + /* exit data must be freed by the caller */ + grub_efi_system_table->boot_services->free_pool (exit_data); + } -+ grub_longjmp (started_image.jmp, 1); ++ grub_longjmp (info->jmp, 1); +} + -+/** -+ * start_image() - our implementation of StartImage() -+ * -+ * As we do not load the image via LoadImage() we need our own implementation -+ * of StartImage() to launch the PE-COFF image. -+ */ ++static grub_efi_status_t do_unload_image (grub_efi_handle_t image_handle ++ __attribute__ ((unused))); ++ ++static grub_efi_status_t __grub_efi_api ++do_unload_image_ms (grub_efi_handle_t image_handle) ++{ ++ return do_unload_image (image_handle); ++} ++ ++/* TODO: move the creation of the load options here */ +static grub_efi_status_t -+start_image (struct image_info *info) ++do_load_image (grub_efi_boolean_t boot_policy __attribute__ ((unused)), ++ grub_efi_handle_t parent_image_handle, ++ grub_efi_device_path_t *file_path, void *source_buffer, ++ grub_efi_uintn_t source_size, grub_efi_handle_t *image_handle) +{ -+ int ret; + grub_efi_status_t status; -+ grub_efi_loaded_image_t *loaded_image; ++ struct image_info *info; + -+ /* -+ * TODO: It would better comply to the UEFI specification to -+ * use a separate handle for the image we are running. 
-+ */ -+ started_image.image_handle = grub_efi_image_handle; ++ info = grub_efi_allocate_pages_real ( ++ GRUB_EFI_MAX_USABLE_ADDRESS, GRUB_EFI_BYTES_TO_PAGES (sizeof *info), ++ GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA); ++ if (!info) ++ return GRUB_EFI_OUT_OF_RESOURCES; + -+ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle); -+ if (loaded_image) -+ { -+ loaded_image->image_base = info->image_addr; -+ loaded_image->image_size = info->image_size; -+ } -+ else -+ { -+ grub_dprintf ("linux", "Loaded image protocol missing\n"); -+ } ++ grub_memset (info, 0, sizeof *info); + -+ ret = grub_setjmp (started_image.jmp); -+ if (ret) -+ { -+ started_image.image_handle = NULL; ++ // Load PE ++ info->data = source_buffer, info->data_size = source_size, ++ info->file_path = grub_efi_duplicate_device_path (file_path), + -+ return started_image.exit_status; -+ } ++ status = check_pe_header (info); ++ if (status != GRUB_EFI_SUCCESS) ++ goto err; + -+ started_image.exit = grub_efi_system_table->boot_services->exit; -+ grub_efi_system_table->boot_services->exit = efi_exit; ++ status = load_sections (info); ++ if (status != GRUB_EFI_SUCCESS) ++ goto err; + -+ grub_dprintf ( -+ "linux", -+ "Executing image loaded at 0x%lx\nEntry point 0x%lx\nSize 0x%08x\n", -+ (unsigned long)info->image_addr, (unsigned long)info->entry_point, -+ info->image_size); ++ status = relocate (info); ++ if (status != GRUB_EFI_SUCCESS) ++ goto err; + -+ /* Invalidate the instruction cache */ -+ grub_arch_sync_caches (info->image_addr, info->image_size); ++ // Setup EFI_LOADED_IMAGE_PROTOCOL ++ info->loaded_image.revision = 0x1000; ++ info->loaded_image.parent_handle = parent_image_handle; ++ info->loaded_image.system_table = grub_efi_system_table; ++ ++ // FIXME: We should be pulling file_path apart into dev_handle and ++ // file_path, however there are no functions to do so, and Windows ++ // chainloads fine this way, so meh? 
++ // info.loaded_image->device_handle = ?; ++ info->loaded_image.file_path = info->file_path; ++ ++ info->loaded_image.image_base = info->image_addr; ++ info->loaded_image.image_size = info->image_size; ++ // FIXME2: we may want to support loading drivers? ++ // this should be good enough for chainloading bootloaders ++ info->loaded_image.image_code_type = GRUB_EFI_LOADER_CODE; ++ info->loaded_image.image_data_type = GRUB_EFI_LOADER_DATA; ++ info->loaded_image.unload = do_unload_image_ms; + -+ debug ("pestart"); ++ // Instruct EFI to create a new handle ++ *image_handle = NULL; + status -+ = info->entry_point (started_image.image_handle, grub_efi_system_table); ++ = grub_efi_system_table->boot_services ++ ->install_multiple_protocol_interfaces ( ++ image_handle, &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID, info, ++ &(grub_guid_t)GRUB_EFI_LOADED_IMAGE_GUID, &info->loaded_image, ++ &(grub_guid_t)GRUB_EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID, ++ info->file_path, NULL); ++ if (status != GRUB_EFI_SUCCESS) ++ goto err; + -+ grub_dprintf ("linux", "Application returned\n"); ++ // Increment module refcount ++ grub_dl_ref (my_mod); + -+ return efi_exit (started_image.image_handle, status, 0, NULL); -+} ++ return status; + -+static struct image_info info; ++err: ++ grub_efi_free_pages ((unsigned long)info, ++ GRUB_EFI_BYTES_TO_PAGES (sizeof *info)); ++ return status; ++} + -+/* TODO: move the creation of the load options here */ +static grub_efi_status_t -+do_load_image (grub_efi_boolean_t boot_policy __attribute__ ((unused)), -+ grub_efi_handle_t parent_image_handle __attribute__ ((unused)), -+ grub_efi_device_path_t *file_path __attribute__ ((unused)), -+ void *source_buffer, grub_efi_uintn_t source_size, -+ grub_efi_handle_t *image_handle) ++do_start_image (grub_efi_handle_t image_handle, ++ grub_efi_uintn_t *exit_data_size __attribute__ ((unused)), ++ grub_efi_char16_t **exit_data __attribute__ ((unused))) +{ -+ grub_efi_status_t ret = GRUB_EFI_SUCCESS; -+ if (info.data != 
NULL) ++ int ret; ++ grub_efi_status_t status; ++ struct image_info *info; ++ ++ info = grub_efi_open_protocol ( ++ image_handle, ++ &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID, ++ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL); ++ if (!info) + { -+ grub_error (GRUB_ERR_BAD_OS, "cannot load multiple images"); ++ grub_error (GRUB_ERR_BAD_OS, "image not loaded"); + return GRUB_EFI_LOAD_ERROR; + } + -+ grub_dl_ref (my_mod); ++ ret = grub_setjmp (info->jmp); ++ if (ret) ++ return info->exit_status; + -+ info = (struct image_info){ -+ .data = source_buffer, -+ .data_size = source_size, -+ }; ++ grub_dprintf ("linux", ++ "Executing image loaded at 0x%lx\n" ++ "Entry point 0x%lx\n" ++ "Size 0x%08x\n", ++ (unsigned long)info->image_addr, ++ (unsigned long)info->entry_point, info->image_size); + -+ ret = check_pe_header (&info); -+ if (ret != GRUB_EFI_SUCCESS) -+ goto err; ++ /* Invalidate the instruction cache */ ++ grub_arch_sync_caches (info->image_addr, info->image_size); + -+ ret = load_sections (&info); -+ if (ret != GRUB_EFI_SUCCESS) -+ goto err; ++ debug ("pestart"); ++ status = info->entry_point (image_handle, grub_efi_system_table); + -+ ret = relocate (&info); -+ if (ret != GRUB_EFI_SUCCESS) -+ goto err; ++ grub_dprintf ("linux", "Application returned\n"); + -+ // We are hacking this up as we go along -+ *image_handle = grub_efi_image_handle; -+err: -+ return ret; ++ return exit_hook (image_handle, status, 0, NULL); +} + +static grub_efi_status_t -+do_start_image (grub_efi_handle_t image_handle __attribute__ ((unused)), -+ grub_efi_uintn_t *exit_data_size __attribute__ ((unused)), -+ grub_efi_char16_t **exit_data __attribute__ ((unused))) ++do_unload_image (grub_efi_handle_t image_handle) +{ -+ if (info.data == NULL) -+ { -+ grub_error (GRUB_ERR_BAD_OS, "image not loaded"); -+ return GRUB_EFI_LOAD_ERROR; -+ } -+ return start_image (&info); -+} ++ grub_efi_status_t status; ++ struct image_info *info; + -+static grub_efi_status_t -+do_unload_image (grub_efi_handle_t image_handle 
__attribute__ ((unused))) -+{ -+ if (info.data == NULL) ++ info = grub_efi_open_protocol ( ++ image_handle, ++ &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID, ++ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL); ++ if (!info) + { + grub_error (GRUB_ERR_BAD_OS, "image not loaded"); + return GRUB_EFI_LOAD_ERROR; + } -+ if (info.alloc_addr) -+ grub_efi_free_pages ((unsigned long)info.alloc_addr, info.alloc_pages); ++ ++ status = grub_efi_system_table->boot_services ++ ->uninstall_multiple_protocol_interfaces ( ++ image_handle, &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID, info, ++ &(grub_guid_t)GRUB_EFI_LOADED_IMAGE_GUID, &info->loaded_image, ++ &(grub_guid_t)GRUB_EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID, ++ info->file_path, NULL); ++ if (status != GRUB_EFI_SUCCESS) ++ return GRUB_EFI_LOAD_ERROR; ++ ++ if (info->alloc_addr) ++ grub_efi_free_pages ((unsigned long)info->alloc_addr, info->alloc_pages); ++ if (info->file_path) ++ grub_free (info->file_path); ++ ++ grub_efi_free_pages ((unsigned long)info, ++ GRUB_EFI_BYTES_TO_PAGES (sizeof *info)); + + grub_dl_unref (my_mod); -+ info = (struct image_info){}; + + return GRUB_EFI_SUCCESS; +} @@ -899,10 +953,18 @@ +{ + grub_efi_register_loader (&peimage_loader); + my_mod = mod; ++ ++ // Backup exit pointer ++ exit_orig = grub_efi_system_table->boot_services->exit; ++ // Replace exit handler ++ grub_efi_system_table->boot_services->exit = exit_hook; +} + +GRUB_MOD_FINI (peimage) +{ ++ // Restore exit handler ++ grub_efi_system_table->boot_services->exit = exit_orig; ++ + grub_efi_unregister_loader (&peimage_loader); +} 
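Review bot: In the hunk at @@ -83,12 +83,29 @@, GRUB_EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID is defined privately in peimage.c; if include/grub/efi/api.h already carries a definition for this GUID, reuse it rather than keeping a second copy. GRUB_PEIMAGE_MARKER_GUID also deserves a comment stating that it is a private GUID used only to tag handles created by this module, so nobody mistakes it for a published protocol.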
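Review bot: In the hunk at @@ -343,7 +354,8 @@, the relaxed condition `(section->raw_data_size && section->raw_data_offset < info->header_size)` now accepts any raw_data_offset for a section whose raw_data_size is zero. That is reasonable for uninitialized-data sections, but the intent should be stated in a comment, and load_sections must be checked to never read from raw_data_offset when raw_data_size is zero, since the offset is no longer validated in that case.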
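Review bot: In the exit_hook hunk at @@ -720,22 +737,26 @@ and its continuation, the comment "exit data must be freed by the caller" sits directly above `free_pool (exit_data)` executed by the hook itself, which reads as a contradiction. The hook frees the buffer because do_start_image marks its exit_data / exit_data_size parameters `__attribute__ ((unused))` and never hands it back; either reword the comment to say the buffer is freed here because it is not propagated, or propagate it and let the StartImage caller free it as the UEFI specification describes.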
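Review bot: In the do_load_image hunk at @@ -755,136 +776,169 @@, the `err:` path frees only the `info` pages, but by then `info->file_path` has been allocated by grub_efi_duplicate_device_path and, once load_sections has succeeded, `info->alloc_addr` / `info->alloc_pages` hold the loaded image; both leak when relocate or install_multiple_protocol_interfaces fails, while do_unload_image does release them on the normal path. Free them in the error path too, check grub_efi_duplicate_device_path for a NULL return before installing `info->file_path` as a protocol interface, and replace the comma-chained `info->data = source_buffer, info->data_size = source_size, info->file_path = ...,` with separate statements, since the trailing comma currently folds `status = check_pe_header (info)` into the same expression.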
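Review bot: In the GRUB_MOD_INIT / GRUB_MOD_FINI hunk at @@ -899,10 +953,18 @@, the fini path restores `boot_services->exit = exit_orig` unconditionally, so if anything hooked Exit() after this module loaded, that later hook is silently dropped. Restore only when `boot_services->exit == exit_hook`, and document that the hook is now installed for the whole lifetime of the module (every Exit() call in the system passes through exit_hook) rather than only around a StartImage call, as the removed start_image did.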
diff --git a/include/grub/efi/peimage.h b/include/grub/efi/peimage.h diff -Nru grub2-2.12~rc1/debian/patches/secure-boot/temp-no-peimage-for-dualboot.patch grub2-2.12~rc1/debian/patches/secure-boot/temp-no-peimage-for-dualboot.patch --- grub2-2.12~rc1/debian/patches/secure-boot/temp-no-peimage-for-dualboot.patch 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/patches/secure-boot/temp-no-peimage-for-dualboot.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,25 +0,0 @@ -From: Julian Andres Klode -Date: Mon, 21 Aug 2023 14:15:23 +0200 -Subject: Temporarily disable peimage for chainloading - -There is a bug trying to chainload windows - -LP: #2030810 ---- - util/grub.d/30_os-prober.in | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in -index 95d4b91..9bd72c0 100644 ---- a/util/grub.d/30_os-prober.in -+++ b/util/grub.d/30_os-prober.in -@@ -215,6 +215,9 @@ EOF - prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" - - cat < +Date: Mon, 10 Jul 2023 23:55:43 -0500 +Subject: util/grub.d/25_bli.in: Fix shebang on unmerged-usr + +On an unmerged-usr system, grub-mkconfig errors out with the following +error due to /usr/bin/sh not existing: + + /usr/sbin/grub-mkconfig: /etc/grub.d/25_bli: /usr/bin/sh: bad interpreter: No such file or directory + +Use a /bin/sh shebang to fix the error as well as match the other +existing files. + +Fixes: 158a6583e (util/grub.d/25_bli.in: Activate bli module on EFI) + +Signed-off-by: Oskari Pirhonen +Reviewed-by: Glenn Washburn +Reviewed-by: Daniel Kiper +Reviewed-by: Oliver Steffen + +Bug-Debian: https://bugs.debian.org/1051251 +--- + util/grub.d/25_bli.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/grub.d/25_bli.in b/util/grub.d/25_bli.in +index 6e45387..26e27a0 100644 +--- a/util/grub.d/25_bli.in ++++ b/util/grub.d/25_bli.in +@@ -1,4 +1,4 @@ +-#!/usr/bin/sh ++#! /bin/sh + set -e + + # grub-mkconfig helper script. diff -Nru grub2-2.12~rc1/debian/rules grub2-2.12~rc1/debian/rules --- grub2-2.12~rc1/debian/rules 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/rules 2023-10-02 14:23:58.000000000 +0000 
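Review bot: Deleting temp-no-peimage-for-dualboot.patch re-enables peimage chainloading from 30_os-prober.in, but the only reference to the bug that motivated the workaround is the removed patch's own "LP: #2030810" line; please record in the changelog which change resolves that bug so the removal is traceable.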
@@ -152,7 +152,7 @@ dpkg-buildpackage -S -d -nc -sa -uc -us \ --source-option=-I --source-option=-Idebian/control.unsigned --source-option=-Idebian/changelog.unsigned \ --source-option=-c$(CURDIR)/debian/control.unsigned --changes-option=-c$(CURDIR)/debian/control.unsigned --buildinfo-option=-c$(CURDIR)/debian/control.unsigned \ - --source-option=-l$(CURDIR)/debian/changelog.unsigned --changes-option=-l$(CURDIR)/debian/changelog.unsigned --buildinfo-option=-l$(CURDIR)/debian/changelog.unsigned + --source-option=-l$(CURDIR)/debian/changelog.unsigned --changes-option=-l$(CURDIR)/debian/changelog.unsigned --buildinfo-option=-l$(CURDIR)/debian/changelog.unsigned $(DPKG_BUILDPACKAGE_OPTIONS) rm debian/changelog.unsigned debian/control.unsigned rm -f debian/files sed '1s/^grub2-unsigned /grub2 /' -i debian/changelog @@ -540,6 +540,11 @@ >> $(CURDIR)/debian/$(package_dbg)/usr/share/lintian/overrides/$(package_dbg) ; \ fi + # Hack up the lintian overrides for stable lintian on ftp-master + sed -i -e 's%\[%*%g' -e 's%\]%*%g' \ + $(CURDIR)/debian/$(package_bin)/usr/share/lintian/overrides/* \ + $(CURDIR)/debian/$(package_dbg)/usr/share/lintian/overrides/* + # Avoid failures later if we're building from a tree with no .po # files. mkdir -p debian/tmp-$(package)/usr/share/locale diff -Nru grub2-2.12~rc1/debian/salsa-ci.yml grub2-2.12~rc1/debian/salsa-ci.yml --- grub2-2.12~rc1/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 +++ grub2-2.12~rc1/debian/salsa-ci.yml 2023-10-02 14:23:58.000000000 +0000 
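Review bot: In the debian/rules hunk at @@ -152,7 +152,7 @@, `$(DPKG_BUILDPACKAGE_OPTIONS)` is appended to the unsigned-source dpkg-buildpackage call with no definition or comment in sight; document where it is expected to be set (environment or a make variable, with an explicit empty default) and note that it is expanded unquoted, so options containing spaces or shell metacharacters will be word-split.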
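Review bot: In the debian/rules hunk at @@ -540,6 +540,11 @@, the sed that rewrites `[` and `]` to `*` in the lintian overrides is labelled a hack for "stable lintian on ftp-master" without naming the lintian version that needs it, so nobody will know when it can be dropped; add the version to the comment. Turning character classes into `*` also widens every affected override to match arbitrary text, so please check the generated override files to confirm none now silences more tags than intended.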
@@ -0,0 +1,8 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + SALSA_CI_DISABLE_BLHC: 1 + SALSA_CI_DISABLE_REPROTEST: 1 + diff -Nru grub2-2.12~rc1/debian/sbat.ubuntu.csv.in grub2-2.12~rc1/debian/sbat.ubuntu.csv.in --- grub2-2.12~rc1/debian/sbat.ubuntu.csv.in 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/sbat.ubuntu.csv.in 2023-10-02 14:23:58.000000000 +0000 @@ -1,4 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -grub,3,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/ +grub,4,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/ grub.ubuntu,1,Ubuntu,grub2,@DEB_VERSION@,https://www.ubuntu.com/ grub.peimage,1,Canonical,grub2,@DEB_VERSION@,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch diff -Nru grub2-2.12~rc1/debian/signing-template/control.in grub2-2.12~rc1/debian/signing-template/control.in --- grub2-2.12~rc1/debian/signing-template/control.in 2023-08-29 14:03:49.000000000 +0000 +++ grub2-2.12~rc1/debian/signing-template/control.in 2023-10-02 14:23:58.000000000 +0000 @@ -11,7 +11,7 @@ Package: @pkg_signed@ Architecture: @arch@ -Depends: grub-common (>= @version_binary@) +Depends: grub-common (= @version_binary@) Recommends: shim-signed Built-Using: grub2 (= @version_binary@) Description: GRand Unified Bootloader, version 2 (@arch@ UEFI signed by Debian) @@ -26,3 +26,4 @@ . This package contains the binaries signed by the Debian UEFI CA to be used by shim-signed. +Protected: yes
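Review bot: In debian/salsa-ci.yml, SALSA_CI_DISABLE_BLHC and SALSA_CI_DISABLE_REPROTEST are set with no comment explaining why; for a package whose binaries are signed for Secure Boot, build reproducibility is worth keeping under test, so either state the reason for disabling reprotest or leave it enabled.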
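Review bot: In the debian/sbat.ubuntu.csv.in hunk, the `grub` component generation moves from 3 to 4 while `grub.ubuntu` and `grub.peimage` stay at 1; since SBAT revocation is keyed on the component generation shim sees, please confirm that 4 is the generation upstream assigned for the NTFS CVE fixes so Ubuntu's revocation lines up with other distributions, and state in the changelog that previously signed binaries will be refused once an SbatLevel carrying grub,4 is deployed.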
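Review bot: In the debian/signing-template/control.in hunk, tightening `Depends: grub-common (>= @version_binary@)` to `(= @version_binary@)` means the signed package can no longer be installed alongside a newer grub-common, so every grub-common upload must be accompanied by a re-signed build and partial upgrades will fail until it lands; together with the new `Protected: yes`, which makes apt demand explicit confirmation before removing the package, this should be called out in the changelog with the reason. `Protected` also requires a dpkg and apt that understand the field, which bounds the releases this template can target.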