authorMike Swanson2023-11-23 10:30:52 -0800
committerMike Swanson2023-11-23 10:30:52 -0800
commitefdbd41d9dec83a3adc0702615a74ae6cb56451a (patch)
treeea9e6ad26e0ed3d381c644cb282463629b618636
parent4b1d92f779474566498f9757e3396d225ff79b7e (diff)
downloadaur-efdbd41d9dec83a3adc0702615a74ae6cb56451a.tar.gz
Update to 2:2.12rc1, again bringing it in sync with main repo
-rw-r--r--.SRCINFO31
-rw-r--r--0003-support-dropins-for-default-configuration.patch28
-rw-r--r--0004-ntfs-module-security.patch493
-rw-r--r--0005-fix-xfs-boundary-check.patch214
-rw-r--r--PKGBUILD69
-rw-r--r--grub.default8
-rw-r--r--grub.install38
-rw-r--r--sbat.csv3
8 files changed, 853 insertions, 31 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 7f4732e4fcf8..024bdc5ab0f2 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,12 +1,12 @@
pkgbase = grub-libzfs
pkgdesc = GNU GRand Unified Bootloader (2) - libzfs support
- pkgver = 2.06
- pkgrel = 2
+ pkgver = 2.12rc1
+ pkgrel = 5
epoch = 2
url = https://www.gnu.org/software/grub/
install = grub-libzfs.install
arch = x86_64
- license = GPL3
+ license = GPL-3.0-or-later
makedepends = git
makedepends = rsync
makedepends = xz
@@ -18,15 +18,16 @@ pkgbase = grub-libzfs
makedepends = help2man
makedepends = gettext
makedepends = device-mapper
- makedepends = fuse2
+ makedepends = fuse3
depends = sh
depends = xz
depends = gettext
depends = device-mapper
depends = zfs-utils
optdepends = freetype2: For grub-mkfont usage
- optdepends = fuse2: For grub-mount usage
+ optdepends = fuse3: For grub-mount usage
optdepends = dosfstools: For grub-mkrescue FAT FS and EFI support
+ optdepends = lzop: For grub-mkrescue LZO support
optdepends = efibootmgr: For grub-install EFI support
optdepends = libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue
optdepends = os-prober: To detect other OSes when generating grub.cfg in BIOS systems
@@ -50,22 +51,30 @@ pkgbase = grub-libzfs
options = !makeflags
backup = etc/default/grub
backup = etc/grub.d/40_custom
- source = git+https://git.savannah.gnu.org/git/grub.git#tag=53c5000739db114c229fe69ec3d4b76b92441098?signed
- source = git+https://git.savannah.gnu.org/git/gnulib.git#commit=be584c56eb1311606e5ea1a36363b97bddb6eed3
- source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.06/unifont-13.0.06.bdf.gz
- source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.06/unifont-13.0.06.bdf.gz.sig
+ source = git+https://git.savannah.gnu.org/git/grub.git#tag=bb59f566e1e5c387dbfd342bb3767f761422c744?signed
+ source = git+https://git.savannah.gnu.org/git/gnulib.git
+ source = https://ftp.gnu.org/gnu/unifont/unifont-15.1.04/unifont-15.1.04.bdf.gz
+ source = https://ftp.gnu.org/gnu/unifont/unifont-15.1.04/unifont-15.1.04.bdf.gz.sig
source = 0001-00_header-add-GRUB_COLOR_-variables.patch
source = 0002-10_linux-detect-archlinux-initramfs.patch
+ source = 0003-support-dropins-for-default-configuration.patch
+ source = 0004-ntfs-module-security.patch
+ source = 0005-fix-xfs-boundary-check.patch
source = grub.default
+ source = sbat.csv
validpgpkeys = E53D497F3FA42AD8C9B4D1E835A93B74E82E4209
validpgpkeys = BE5C23209ACDDACEB20DB0A28C8189F1988C2166
validpgpkeys = 95D2E9AB8740D8046387FD151A09227B1F435A33
sha256sums = SKIP
sha256sums = SKIP
- sha256sums = b7668a5d498972dc4981250c49f83601babce797be19b4fdd0f2f1c6cfbd0fc5
+ sha256sums = 88e00954b10528407e62e97ce6eaa88c847ebfd9a464cafde6bf55c7e4eeed54
sha256sums = SKIP
sha256sums = 5dee6628c48eef79812bb9e86ee772068d85e7fcebbd2b2b8d1e19d24eda9dab
sha256sums = 8488aec30a93e8fe66c23ef8c23aefda39c38389530e9e73ba3fbcc8315d244d
- sha256sums = 791fadf182edf8d5bee4b45c008b08adce9689a9624971136527891a8f67d206
+ sha256sums = b5d9fcd62ffb3c3950fdeb7089ec2dc2294ac52e9861980ad90a437dedbd3d47
+ sha256sums = 4bdd5ceb13dbd4c41fde24163f16a0ba05447d821e74d938a0b9e5fce0431140
+ sha256sums = 9f8921b2bacd69bde7ab0c3aff88c678d52c2a625c89264fb92184e7427b819b
+ sha256sums = 7df3f5cb5df7d2dfb17f4c9b5c5dedc9519ddce6f8d2c6cd43d1be17cecb65cb
+ sha256sums = f34c2b0aa2ed4ab9c7e7bcab5197470c30fedc6c2148f337839dd24bceae35fd
pkgname = grub-libzfs
diff --git a/0003-support-dropins-for-default-configuration.patch b/0003-support-dropins-for-default-configuration.patch
new file mode 100644
index 000000000000..4840487a1f1d
--- /dev/null
+++ b/0003-support-dropins-for-default-configuration.patch
@@ -0,0 +1,28 @@
+From ac560966d09295663fa9516d8d137e0c0fd04c06 Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Mon, 12 Jun 2023 07:42:01 +0200
+Subject: [PATCH 1/1] support dropins for default configuration
+
+---
+ util/grub-mkconfig.in | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 1a945085c..4338dceef 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -160,6 +160,11 @@ fi
+ if test -f ${sysconfdir}/default/grub ; then
+ . ${sysconfdir}/default/grub
+ fi
++for dropin in ${sysconfdir}/default/grub.d/*.cfg ; do
++ if test -f "${dropin}" ; then
++ . "${dropin}"
++ fi
++done
+
+ if [ "x${GRUB_DISABLE_UUID}" = "xtrue" ]; then
+ if [ -z "${GRUB_DISABLE_LINUX_UUID}" ]; then
+--
+2.41.0
+
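Review bot: The added loop sources every `*.cfg` under `${sysconfdir}/default/grub.d/` as shell code inside grub-mkconfig, which is typically run as root, and nothing visible in this commit says who may write to that directory or in which order files override each other. I would add a comment above the loop, `# Drop-ins are sourced as shell code in glob order; grub.d must be writable by root only.`, and quote the expansion as `for dropin in "${sysconfdir}"/default/grub.d/*.cfg ; do` so a sysconfdir containing whitespace is not split. The existing `test -f ${sysconfdir}/default/grub` line above uses the same unquoted form, so this matches the surrounding style rather than being a new regression.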
diff --git a/0004-ntfs-module-security.patch b/0004-ntfs-module-security.patch
new file mode 100644
index 000000000000..1b34974033a9
--- /dev/null
+++ b/0004-ntfs-module-security.patch
@@ -0,0 +1,493 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
+ for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index bbdbe24..c3c4db1 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ if (at->attr_end)
+ {
+- grub_uint8_t *pa;
++ grub_uint8_t *pa, *pa_end;
+
+ at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ at->attr_nxt = at->edat_buf;
+ at->attr_end = at->edat_buf + u32at (pa, 0x30);
++ pa_end = at->edat_buf + n;
+ }
+ else
+ {
+ at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ at->attr_end = at->attr_end + u32at (pa, 4);
++ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ }
+ at->flags |= GRUB_NTFS_AF_ALST;
+ while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ at->flags |= GRUB_NTFS_AF_GPOS;
+ at->attr_cur = at->attr_nxt;
+ pa = at->attr_cur;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ grub_set_unaligned32 ((char *) pa + 0x10,
+ grub_cpu_to_le32 (at->mft->data->mft_start));
+ grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ {
+ if (*pa != attr)
+ break;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ if (read_attr
+ (at, pa + 0x10,
+ u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+--
+cgit v1.1
+
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
+ attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c3c4db1..a68e173 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ {
+ if (ofs + len > u32at (pa, 0x10))
+ return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+ return 0;
+ }
+
+--
+cgit v1.1
+
+From 7e5f031a6a6a3decc2360a7b0c71abbe598e7354 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:33:17 +0300
+Subject: fs/ntfs: Fix an OOB read when parsing directory entries from resident
+ and non-resident index attributes
+
+This fix introduces checks to ensure that index entries are never read
+beyond the corresponding directory index.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index a68e173..2d78b96 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
+ }
+
+ static int
+-list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
++list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos,
+ grub_fshelp_iterate_dir_hook_t hook, void *hook_data)
+ {
+ grub_uint8_t *np;
+@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+ grub_uint8_t namespace;
+ char *ustr;
+
++ if ((pos >= end_pos) || (end_pos - pos < 0x52))
++ break;
++
+ if (pos[0xC] & 2) /* end signature */
+ break;
+
+@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+ ns = *(np++);
+ namespace = *(np++);
+
++ if (2 * ns > end_pos - pos - 0x52)
++ break;
++
+ /*
+ * Ignore files in DOS namespace, as they will reappear as Win32
+ * names.
+@@ -806,7 +812,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ }
+
+ cur_pos += 0x10; /* Skip index root */
+- ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data);
++ ret = list_file (mft, cur_pos + u16at (cur_pos, 0),
++ at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
++ hook, hook_data);
+ if (ret)
+ goto done;
+
+@@ -893,6 +901,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ (const grub_uint8_t *) "INDX")))
+ goto done;
+ ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)],
++ indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR),
+ hook, hook_data);
+ if (ret)
+ goto done;
+--
+cgit v1.1
+
+From 7a5a116739fa6d8a625da7d6b9272c9a2462f967 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:33:44 +0300
+Subject: fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
+
+This fix introduces checks to ensure that bitmaps for directory indices
+are never read beyond their actual sizes.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2d78b96..bb70c89 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -843,6 +843,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+
+ if (is_resident)
+ {
++ if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large");
++ goto done;
++ }
++
++ if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++ goto done;
++ }
++
++ if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
++ {
++ grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++ goto done;
++ }
++
+ grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
+ bitmap_len);
+ }
+--
+cgit v1.1
+
+From 1fe82c41e070385e273d7bb1cfb482627a3c28e8 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:38:19 +0300
+Subject: fs/ntfs: Fix an OOB read when parsing a volume label
+
+This fix introduces checks to ensure that an NTFS volume label is always
+read from the corresponding file record segment.
+
+The current NTFS code allows the volume label string to be read from an
+arbitrary, attacker-chosen memory location. However, the bytes read are
+always treated as UTF-16LE. So, the final string displayed is mostly
+unreadable and it can't be easily converted back to raw bytes.
+
+The lack of this check is a minor issue, likely not causing a significant
+data leak.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index bb70c89..ff5e374 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -1213,13 +1213,29 @@ grub_ntfs_label (grub_device_t device, char **label)
+
+ init_attr (&mft->attr, mft);
+ pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME);
++
++ if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++ goto fail;
++ }
++
++ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16)
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++ goto fail;
++ }
++
+ if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
+ {
+ int len;
+
+ len = u32at (pa, 0x10) / 2;
+ pa += u16at (pa, 0x14);
+- *label = get_utf8 (pa, len);
++ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
++ *label = get_utf8 (pa, len);
++ else
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
+ }
+
+ fail:
+--
+cgit v1.1
+
+From e58b870ff926415e23fc386af41ff81b2f588763 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:40:07 +0300
+Subject: fs/ntfs: Make code more readable
+
+Move some calls used to access NTFS attribute header fields into
+functions with human-readable names.
+
+Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 48 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index ff5e374..de435aa 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -52,6 +52,24 @@ u64at (void *ptr, grub_size_t ofs)
+ return grub_le_to_cpu64 (grub_get_unaligned64 ((char *) ptr + ofs));
+ }
+
++static grub_uint16_t
++first_attr_off (void *mft_buf_ptr)
++{
++ return u16at (mft_buf_ptr, 0x14);
++}
++
++static grub_uint16_t
++res_attr_data_off (void *res_attr_ptr)
++{
++ return u16at (res_attr_ptr, 0x14);
++}
++
++static grub_uint32_t
++res_attr_data_len (void *res_attr_ptr)
++{
++ return u32at (res_attr_ptr, 0x10);
++}
++
+ grub_ntfscomp_func_t grub_ntfscomp_func;
+
+ static grub_err_t
+@@ -106,7 +124,7 @@ init_attr (struct grub_ntfs_attr *at, struct grub_ntfs_file *mft)
+ {
+ at->mft = mft;
+ at->flags = (mft == &mft->data->mmft) ? GRUB_NTFS_AF_MMFT : 0;
+- at->attr_nxt = mft->buf + u16at (mft->buf, 0x14);
++ at->attr_nxt = mft->buf + first_attr_off (mft->buf);
+ at->attr_end = at->emft_buf = at->edat_buf = at->sbuf = NULL;
+ }
+
+@@ -154,7 +172,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ return NULL;
+ }
+
+- new_pos = &at->emft_buf[u16at (at->emft_buf, 0x14)];
++ new_pos = &at->emft_buf[first_attr_off (at->emft_buf)];
+ while (*new_pos != 0xFF)
+ {
+ if ((*new_pos == *at->attr_cur)
+@@ -213,7 +231,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ else
+ {
+- at->attr_nxt = at->attr_end + u16at (pa, 0x14);
++ at->attr_nxt = at->attr_end + res_attr_data_off (pa);
+ at->attr_end = at->attr_end + u32at (pa, 4);
+ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ }
+@@ -399,20 +417,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+
+ if (pa[8] == 0)
+ {
+- if (ofs + len > u32at (pa, 0x10))
++ if (ofs + len > res_attr_data_len (pa))
+ return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+
+- if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ if (res_attr_data_len (pa) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
+
+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+- if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++ if (res_attr_data_off (pa) + res_attr_data_len (pa) >
+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+
+- grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
++ grub_memcpy (dest, pa + res_attr_data_off (pa) + ofs, len);
+ return 0;
+ }
+
+@@ -556,7 +574,7 @@ init_file (struct grub_ntfs_file *mft, grub_uint64_t mftno)
+ (unsigned long long) mftno);
+
+ if (!pa[8])
+- mft->size = u32at (pa, 0x10);
++ mft->size = res_attr_data_len (pa);
+ else
+ mft->size = u64at (pa, 0x30);
+
+@@ -805,7 +823,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ (u32at (cur_pos, 0x18) != 0x490024) ||
+ (u32at (cur_pos, 0x1C) != 0x300033))
+ continue;
+- cur_pos += u16at (cur_pos, 0x14);
++ cur_pos += res_attr_data_off (cur_pos);
+ if (*cur_pos != 0x30) /* Not filename index */
+ continue;
+ break;
+@@ -834,7 +852,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ {
+ int is_resident = (cur_pos[8] == 0);
+
+- bitmap_len = ((is_resident) ? u32at (cur_pos, 0x10) :
++ bitmap_len = ((is_resident) ? res_attr_data_len (cur_pos) :
+ u32at (cur_pos, 0x28));
+
+ bmp = grub_malloc (bitmap_len);
+@@ -855,14 +873,14 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ goto done;
+ }
+
+- if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++ if (res_attr_data_off (cur_pos) + res_attr_data_len (cur_pos) >
+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
+ {
+ grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+ goto done;
+ }
+
+- grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
++ grub_memcpy (bmp, cur_pos + res_attr_data_off (cur_pos),
+ bitmap_len);
+ }
+ else
+@@ -1226,12 +1244,12 @@ grub_ntfs_label (grub_device_t device, char **label)
+ goto fail;
+ }
+
+- if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
++ if ((pa) && (pa[8] == 0) && (res_attr_data_len (pa)))
+ {
+ int len;
+
+- len = u32at (pa, 0x10) / 2;
+- pa += u16at (pa, 0x14);
++ len = res_attr_data_len (pa) / 2;
++ pa += res_attr_data_off (pa);
+ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
+ *label = get_utf8 (pa, len);
+ else
+--
+cgit v1.1
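Review bot: In the grub_ntfs_label hunk of the volume-label patch, the two new range checks compare and subtract `pa` before the existing `(pa) &&` test, so a NULL return from find_attr() goes through pointer arithmetic on a null pointer, which is undefined behaviour even where it happens to fall through. Guarding the checks keeps that path well defined: `if (pa != NULL && (pa >= end || end - pa < 0x16))` with `end = mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR)`. In the same hunk `2 * len` is evaluated in `int` from an on-disk 32-bit length, so assuming a 32-bit `int` a length near the top of the range overflows the signed multiply before the comparison; `len <= (end - pa) / 2` avoids that. The last patch in the file keeps this ordering and only renames the accessors, and grub_ntfs_label continues outside the hunk.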
diff --git a/0005-fix-xfs-boundary-check.patch b/0005-fix-xfs-boundary-check.patch
new file mode 100644
index 000000000000..f829ebdc57f5
--- /dev/null
+++ b/0005-fix-xfs-boundary-check.patch
@@ -0,0 +1,214 @@
+[PATCH v3] Fix XFS directory extent parsing
+From: Jon DeVree
+Subject: [PATCH v3] Fix XFS directory extent parsing
+Date: Wed, 27 Sep 2023 20:43:55 -0400
+
+The XFS directory entry parsing code has never been completely correct
+for extent based directories. The parser correctly handles the case
+where the directory is contained in a single extent, but then mistakenly
+assumes the data blocks for the multiple extent case are each identical
+to the single extent case. The difference in the format of the data
+blocks between the two cases is tiny enough that its gone unnoticed for
+a very long time.
+
+A recent change introduced some additional bounds checking into the XFS
+parser. Like GRUB's existing parser, it is correct for the single extent
+case but incorrect for the multiple extent case. When parsing a
+directory with multiple extents, this new bounds checking is sometimes
+(but not always) tripped and triggers an "invalid XFS diretory entry"
+error. This probably would have continued to go unnoticed but the
+/boot/grub/<arch> directory is large enough that it often has multiple
+extents.
+
+The difference between the two cases is that when there are multiple
+extents, the data blocks do not contain a trailer nor do they contain
+any leaf information. That information is stored in a separate set of
+extents dedicated to just the leaf information. These extents come after
+the directory entry extents and are not included in the inode size. So
+the existing parser already ignores the leaf extents.
+
+The only reason to read the trailer/leaf information at all is so that
+the parser can avoid misinterpreting that data as directory entries. So
+this updates the parser as follows:
+
+For the single extent case the parser doesn't change much:
+1. Read the size of the leaf information from the trailer
+2. Set the end pointer for the parser to the start of the leaf
+ information. (The previous bounds checking set the end pointer to the
+ start of the trailer, so this is actually a small improvement.)
+3. Set the entries variable to the expected number of directory entries.
+
+For the multiple extent case:
+1. Set the end pointer to the end of the block.
+2. Do not set up the entries variable. Figuring out how many entries are
+ in each individual block is complex and does not seem worth it when
+ it appears to be safe to just iterate over the entire block.
+
+Notes:
+* When there is only one extent there will only ever be one block. If
+ more than one block is required then XFS will always switch to holding
+ leaf information in a separate extent.
+* B-tree based directories seems to be parsed properly by the same code
+ that handles multiple extents. This is unlikely to ever occur within
+ /boot though because its only used when there are an extremely large
+ number of directory entries.
+
+Fixes: ef7850c75 (fs/xfs: Fix issues found while fuzzing the XFS filesystem)
+Fixes: b2499b29c (Adds support for the XFS filesystem.)
+Fixes: https://savannah.gnu.org/bugs/?64376
+
+Signed-off-by: Jon DeVree <nuxi@vault24.org>
+---
+
+Notes:
+ Changes from v2:
+ * Fix bounds check on filename
+
+ Changes from v1:
+ * Address review feedback
+
+ grub-core/fs/xfs.c | 51 +++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index b91cd32b4..acdfb1a7b 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -223,6 +223,12 @@ struct grub_xfs_inode
+ /* Size of struct grub_xfs_inode v2, up to unused4 member included. */
+ #define XFS_V2_INODE_SIZE (XFS_V3_INODE_SIZE - 76)
+
++struct grub_xfs_dir_leaf_entry
++{
++ grub_uint32_t hashval;
++ grub_uint32_t address;
++} GRUB_PACKED;
++
+ struct grub_xfs_dirblock_tail
+ {
+ grub_uint32_t leaf_count;
+@@ -877,9 +883,8 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ {
+ struct grub_xfs_dir2_entry *direntry =
+ grub_xfs_first_de(dir->data, dirblock);
+- int entries;
+- struct grub_xfs_dirblock_tail *tail =
+- grub_xfs_dir_tail(dir->data, dirblock);
++ int entries = -1;
++ char *end = dirblock + dirblk_size;
+
+ numread = grub_xfs_read_file (dir, 0, 0,
+ blk << dirblk_log2,
+@@ -890,14 +895,27 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ return 0;
+ }
+
+- entries = (grub_be_to_cpu32 (tail->leaf_count)
+- - grub_be_to_cpu32 (tail->leaf_stale));
++ /* leaf and tail information are only in the data block if the number
++ * of extents is 1 */
++ if (dir->inode.nextents == grub_cpu_to_be32_compile_time (1))
++ {
++ struct grub_xfs_dirblock_tail *tail =
++ grub_xfs_dir_tail(dir->data, dirblock);
++ end = (char *)tail;
+
+- if (!entries)
+- continue;
++ /* subtract the space used by leaf nodes */
++ end -= grub_be_to_cpu32 (tail->leaf_count) *
++ sizeof (struct grub_xfs_dir_leaf_entry);
++
++ entries = (grub_be_to_cpu32 (tail->leaf_count)
++ - grub_be_to_cpu32 (tail->leaf_stale));
++
++ if (!entries)
++ continue;
++ }
+
+ /* Iterate over all entries within this block. */
+- while ((char *)direntry < (char *)tail)
++ while ((char *)direntry < (char *)end)
+ {
+ grub_uint8_t *freetag;
+ char *filename;
+@@ -917,7 +935,7 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ }
+
+ filename = (char *)(direntry + 1);
+- if (filename + direntry->len - 1 > (char *) tail)
++ if (filename + direntry->len + 1 > (char *) end)
+ return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
+
+ /* The byte after the filename is for the filetype, padding, or
+@@ -931,11 +949,16 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ return 1;
+ }
+
+- /* Check if last direntry in this block is
+- reached. */
+- entries--;
+- if (!entries)
+- break;
++ /* the expected number of directory entries is only tracked for the
++ * single extent case */
++ if (dir->inode.nextents == grub_cpu_to_be32_compile_time (1))
++ {
++ /* Check if last direntry in this block is
++ reached. */
++ entries--;
++ if (!entries)
++ break;
++ }
+
+ /* Select the next directory entry. */
+ direntry = grub_xfs_next_de(dir->data, direntry);
+--
+2.40.1
+
+[PATCH 1/1] fs/xfs: Incorrect short form directory data boundary check
+From: Lidong Chen
+Subject: [PATCH 1/1] fs/xfs: Incorrect short form directory data boundary check
+Date: Thu, 28 Sep 2023 22:33:44 +0000
+
+After parsing of the current entry, the entry pointer is advanced
+to the next entry at the end of the 'for' loop. In case where the
+last entry is at the end of the data boundary, the advanced entry
+pointer can point off the data boundary. The subsequent boundary
+check for the advanced entry pointer can cause a failure.
+
+The fix is to include the boundary check into the 'for' loop
+condition.
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+---
+ grub-core/fs/xfs.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index b91cd32b4..ebf962793 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -816,7 +816,8 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ if (iterate_dir_call_hook (parent, "..", &ctx))
+ return 1;
+
+- for (i = 0; i < head->count; i++)
++ for (i = 0; i < head->count &&
++ (grub_uint8_t *) de < ((grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data)); i++)
+ {
+ grub_uint64_t ino;
+ grub_uint8_t *inopos = grub_xfs_inline_de_inopos(dir->data, de);
+@@ -852,10 +852,6 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
+ de->name[de->len] = c;
+
+ de = grub_xfs_inline_next_de(dir->data, head, de);
+-
+- if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
+- return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
+-
+ }
+ break;
+ }
+--
+2.30.2
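Review bot: In the single-extent branch of the first XFS patch, `end` is moved back by `leaf_count * sizeof (struct grub_xfs_dir_leaf_entry)` where `leaf_count` is read straight from the on-disk tail, and no visible line checks that the product fits between the start of the block and the tail. A large count puts `end` before `dirblock`, and on a 32-bit build the multiplication can wrap so that `end` lands somewhere unintended. A guard before the subtraction, e.g. `if (grub_be_to_cpu32 (tail->leaf_count) > (grub_size_t) ((char *) tail - dirblock) / sizeof (struct grub_xfs_dir_leaf_entry)) return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");`, would reject such blocks. In the second patch the new loop condition only shows that the start of `de` is inside the boundary and ends the loop silently, so a truncated short-form directory is no longer reported as GRUB_ERR_BAD_FS. Both functions continue outside their hunks, so cleanup on the error path should be confirmed against the full file.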
diff --git a/PKGBUILD b/PKGBUILD
index a34305124a64..87c363c7c081 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,6 +1,6 @@
# Maintainer : Christian Hesse <mail@eworm.de>
-# Maintainer : Ronald van Haren <ronald.archlinux.org>
-# Contributor: Tobias Powalowski <tpowa@archlinux.org>
+# Maintainer : Tobias Powalowski <tpowa@archlinux.org>
+# Contributor: Ronald van Haren <ronald.archlinux.org>
# Contributor: Keshav Amburay <(the ddoott ridikulus ddoott rat) (aatt) (gemmaeiil) (ddoott) (ccoomm)>
## "1" to enable IA32-EFI build in Arch x86_64, "0" to disable
@@ -18,15 +18,14 @@ _GRUB_EMU_BUILD="0"
pkgname='grub-libzfs'
pkgdesc='GNU GRand Unified Bootloader (2) - libzfs support'
epoch=2
-_tag='53c5000739db114c229fe69ec3d4b76b92441098' # git rev-parse grub-${_pkgver}
-_gnulib_commit='be584c56eb1311606e5ea1a36363b97bddb6eed3'
-_unifont_ver='13.0.06'
-_pkgver=2.06
+_tag='bb59f566e1e5c387dbfd342bb3767f761422c744' # git rev-parse grub-${_pkgver}
+_pkgver=2.12rc1
+_unifont_ver='15.1.04'
pkgver=${_pkgver/-/}
-pkgrel=2
+pkgrel=5
url='https://www.gnu.org/software/grub/'
arch=('x86_64')
-license=('GPL3')
+license=('GPL-3.0-or-later')
backup=('etc/default/grub'
'etc/grub.d/40_custom')
install="${pkgname}.install"
@@ -37,11 +36,12 @@ replaces=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}" 'grub')
provides=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}" 'grub')
makedepends=('git' 'rsync' 'xz' 'freetype2' 'ttf-dejavu' 'python' 'autogen'
- 'texinfo' 'help2man' 'gettext' 'device-mapper' 'fuse2')
+ 'texinfo' 'help2man' 'gettext' 'device-mapper' 'fuse3')
depends=('sh' 'xz' 'gettext' 'device-mapper' 'zfs-utils')
optdepends=('freetype2: For grub-mkfont usage'
- 'fuse2: For grub-mount usage'
+ 'fuse3: For grub-mount usage'
'dosfstools: For grub-mkrescue FAT FS and EFI support'
+ 'lzop: For grub-mkrescue LZO support'
'efibootmgr: For grub-install EFI support'
'libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue'
'os-prober: To detect other OSes when generating grub.cfg in BIOS systems'
@@ -58,29 +58,38 @@ validpgpkeys=('E53D497F3FA42AD8C9B4D1E835A93B74E82E4209' # Vladimir 'phcoder' S
'95D2E9AB8740D8046387FD151A09227B1F435A33') # Paul Hardy <unifoundry@unifoundry.com>
source=("git+https://git.savannah.gnu.org/git/grub.git#tag=${_tag}?signed"
- "git+https://git.savannah.gnu.org/git/gnulib.git#commit=${_gnulib_commit}"
+ 'git+https://git.savannah.gnu.org/git/gnulib.git'
"https://ftp.gnu.org/gnu/unifont/unifont-${_unifont_ver}/unifont-${_unifont_ver}.bdf.gz"{,.sig}
'0001-00_header-add-GRUB_COLOR_-variables.patch'
'0002-10_linux-detect-archlinux-initramfs.patch'
- 'grub.default')
+ '0003-support-dropins-for-default-configuration.patch'
+ '0004-ntfs-module-security.patch'
+ '0005-fix-xfs-boundary-check.patch'
+ 'grub.default'
+ 'sbat.csv')
sha256sums=('SKIP'
'SKIP'
- 'b7668a5d498972dc4981250c49f83601babce797be19b4fdd0f2f1c6cfbd0fc5'
+ '88e00954b10528407e62e97ce6eaa88c847ebfd9a464cafde6bf55c7e4eeed54'
'SKIP'
'5dee6628c48eef79812bb9e86ee772068d85e7fcebbd2b2b8d1e19d24eda9dab'
'8488aec30a93e8fe66c23ef8c23aefda39c38389530e9e73ba3fbcc8315d244d'
- '791fadf182edf8d5bee4b45c008b08adce9689a9624971136527891a8f67d206')
+ 'b5d9fcd62ffb3c3950fdeb7089ec2dc2294ac52e9861980ad90a437dedbd3d47'
+ '4bdd5ceb13dbd4c41fde24163f16a0ba05447d821e74d938a0b9e5fce0431140'
+ '9f8921b2bacd69bde7ab0c3aff88c678d52c2a625c89264fb92184e7427b819b'
+ '7df3f5cb5df7d2dfb17f4c9b5c5dedc9519ddce6f8d2c6cd43d1be17cecb65cb'
+ 'f34c2b0aa2ed4ab9c7e7bcab5197470c30fedc6c2148f337839dd24bceae35fd')
_backports=(
- # fs/xfs: Fix unreadable filesystem with v4 superblock
- 'a4b495520e4dc41a896a8b916a64eda9970c50ea'
+)
+
+_reverts=(
)
_configure_options=(
+ PACKAGE_VERSION="${epoch}:${pkgver}-${pkgrel}"
FREETYPE="pkg-config freetype2"
BUILD_FREETYPE="pkg-config freetype2"
- --enable-mm-debug
--enable-nls
--enable-device-mapper
--enable-cache-stats
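Review bot: The gnulib entry in `source` is now `'git+https://git.savannah.gnu.org/git/gnulib.git'` with no `#commit=` fragment, and its `sha256sums` slot is `'SKIP'`, so the build uses whatever the remote head is at fetch time with no integrity or signature check (the grub entry keeps `#tag=${_tag}?signed`). Unless a later step outside this hunk checks out a fixed gnulib revision, the bootloader build is not reproducible and any change to the upstream tree flows into it unreviewed. I would keep the pin, e.g. restore `_gnulib_commit` and `"git+https://git.savannah.gnu.org/git/gnulib.git#commit=${_gnulib_commit}"`, or add a comment next to the source line saying where the revision is fixed.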
@@ -111,12 +120,32 @@ prepare() {
git cherry-pick -n "${_c}"
done
+ echo "Apply reverts..."
+ local _c
+ for _c in "${_reverts[@]}"; do
+ git log --oneline -1 "${_c}"
+ git revert -n "${_c}"
+ done
+
echo "Patch to enable GRUB_COLOR_* variables in grub-mkconfig..."
## Based on http://lists.gnu.org/archive/html/grub-devel/2012-02/msg00021.html
- patch -Np1 -i "${srcdir}/0001-00_header-add-GRUB_COLOR_-variables.patch"
+ patch -Np1 -i "${srcdir}/0001-00_header-add-GRUB_COLOR_-variables.patch"
echo "Patch to detect of Arch Linux initramfs images by grub-mkconfig..."
- patch -Np1 -i "${srcdir}/0002-10_linux-detect-archlinux-initramfs.patch"
+ patch -Np1 -i "${srcdir}/0002-10_linux-detect-archlinux-initramfs.patch"
+
+ echo "Patch to support dropins for default configuration..."
+ patch -Np1 -i "${srcdir}/0003-support-dropins-for-default-configuration.patch"
+
+ # #79857
+ # https://lists.gnu.org/archive/html/grub-devel/2023-09/msg00113.html
+ # https://savannah.gnu.org/bugs/?64514
+ echo "Patch to fo fix XFS incorrect short form directory data boundary check"
+ patch -Np1 -i "${srcdir}/0005-fix-xfs-boundary-check.patch"
+
+ echo "Patch to fix ntfs module security vulnerabilities"
+ patch -Np1 -i "${srcdir}/0004-ntfs-module-security.patch"
+
echo "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme..."
sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"
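Review bot: The NTFS security patch near the end of this hunk is applied with no pointer to the advisory or upstream commits it corresponds to, whereas the XFS patch just above it cites the list thread and the bug. A comment such as `# fixes <advisory id>, upstream commits <commit ids>` would let a later maintainer tell when the patch can be dropped. The two patches are also applied out of numeric order (0005 before 0004); if that order is required, say so in a comment, otherwise apply them in sequence. The XFS message reads `Patch to fo fix XFS ...` and should lose the stray `fo`. prepare() starts before and continues past this hunk.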
@@ -273,6 +302,8 @@ _package_grub-efi() {
rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/*.module || true
rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/*.image || true
rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/{kernel.exec,gdb_grub,gmodule.pl} || true
+
+ sed -e "s/%PKGVER%/${epoch}:${pkgver}-${pkgrel}/" < "${srcdir}/sbat.csv" > "${pkgdir}/usr/share/grub/sbat.csv"
}
_package_grub-emu() {
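Review bot: The added `sed ... > "${pkgdir}/usr/share/grub/sbat.csv"` line relies on the target directory already existing and leaves the file mode to the build user's umask. Piping into install makes both explicit: `sed -e "s/%PKGVER%/${epoch}:${pkgver}-${pkgrel}/" "${srcdir}/sbat.csv" | install -Dm644 /dev/stdin "${pkgdir}/usr/share/grub/sbat.csv"`. The enclosing `_package_grub-efi()` starts outside this hunk, so the directory may well be created earlier.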
diff --git a/grub.default b/grub.default
index 6fd21c7fd223..5af66e3ca829 100644
--- a/grub.default
+++ b/grub.default
@@ -24,7 +24,7 @@ GRUB_TERMINAL_INPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
-# you can see them in real GRUB with the command `vbeinfo'
+# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
@@ -55,3 +55,9 @@ GRUB_DISABLE_RECOVERY=true
# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y
+
+# Probing for other operating systems is disabled for security reasons. Read
+# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
+# functionality install os-prober and uncomment to detect and include other
+# operating systems.
+#GRUB_DISABLE_OS_PROBER=false
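Review bot: The added comment says probing is disabled "for security reasons" without naming the reason, and its second sentence is a run-on that is hard to follow. The GRUB manual's rationale is that silently running os-prober and creating boot entries from its output is a potential attack vector; saying so here lets the user make an informed choice. Suggested wording: `# Probing for other operating systems is disabled by default: automatically running` / `# os-prober and creating boot entries from its output is a potential attack vector.` / `# To enable it anyway, install os-prober and uncomment the line below.`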
diff --git a/grub.install b/grub.install
new file mode 100644
index 000000000000..79693428ee8b
--- /dev/null
+++ b/grub.install
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+post_upgrade() {
+ # We used to package /boot/grub/grub.cfg, but there is no reason to.
+ # Remove the file from package, but move real file back in place.
+ if [ ! -f /boot/grub/grub.cfg -a -f /boot/grub/grub.cfg.pacsave ]; then
+ mv /boot/grub/grub.cfg.pacsave /boot/grub/grub.cfg
+ fi
+
+ # Give a hint to update installation and configuration one after another.
+ cat <<EOM
+:: To use the new features provided in this GRUB update, it is recommended
+ to install it to the MBR or UEFI. Due to potential configuration
+ incompatibilities, it is advised to run both, installation and generation
+ of configuration:
+ # grub-install ...
+ # grub-mkconfig -o /boot/grub/grub.cfg
+EOM
+
+ # return if old package version greater 2:2.06-0...
+ (( $(vercmp $2 '2:2.06-0') > 0 )) && return
+
+ if [[ -e /sys/firmware/efi/efivars ]]; then
+ cat <<EOM
+:: Grub does no longer support side-loading modules when secure boot is
+ enabled. Thus booting will fail, unless you have an efi executable
+ 'grubx64.efi' with bundled modules.
+EOM
+ fi
+}
+
+post_install() {
+ cat <<EOM
+:: Install your bootloader and generate configuration with:
+ # grub-install ...
+ # grub-mkconfig -o /boot/grub/grub.cfg
+EOM
+}
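Review bot: This new `grub.install` does not appear to be wired into the package. The PKGBUILD sets `install="${pkgname}.install"` with `pkgname='grub-libzfs'`, so the scriptlet pacman runs is `grub-libzfs.install`, and the upgrade and secure-boot warnings added here would never be shown unless that file carries the same text. Either fold these changes into `grub-libzfs.install` or drop the file. Separately, the shebang is `#!/bin/sh` while the body uses `(( ))` and `[[ ]]`, and `$2` is unquoted. `(( $(vercmp "$2" '2:2.06-0') > 0 )) && return` with a `#!/bin/bash` shebang, and `[ ! -f ... ] && [ -f ... ]` in place of `-a`, would be the safer spelling.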
diff --git a/sbat.csv b/sbat.csv
new file mode 100644
index 000000000000..66ce2882b0c0
--- /dev/null
+++ b/sbat.csv
@@ -0,0 +1,3 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,3,Free Software Foundation,grub,%PKGVER%,https//www.gnu.org/software/grub/
+grub.arch,1,Arch Linux,grub,%PKGVER%,https://archlinux.org/packages/core/x86_64/grub/
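Review bot: The vendor URL on the `grub` line is malformed: `https//www.gnu.org/software/grub/` is missing the colon and should read `https://www.gnu.org/software/grub/`. The `grub.arch` entry names Arch Linux and the official `core/x86_64/grub` package, while this package is `grub-libzfs`. SBAT entries are what shim matches revocations against, so it is worth deciding deliberately whether this build should share that component identity or carry its own vendor line. It is also worth confirming that generation `3` on the `grub` line matches the upstream generation for the code actually shipped, since the package applies the NTFS security patch on top of the tag.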