diff --git a/backport-commands-test-Fix-error-in-recursion-depth-calculati.patch b/backport-commands-test-Fix-error-in-recursion-depth-calculati.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f6f28d278ed7f20aad4aa62f62c1ac6fbf9a8fd
--- /dev/null
+++ b/backport-commands-test-Fix-error-in-recursion-depth-calculati.patch
@@ -0,0 +1,34 @@
+From cc9d621dd06bfa12eac511b37b4ceda5bd2f8246 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software
+Date: Fri, 9 May 2025 13:51:08 +0200
+Subject: [PATCH 1/8] commands/test: Fix error in recursion depth calculation
+
+The commit c68b7d236 (commands/test: Stack overflow due to unlimited
+recursion depth) added recursion depth tests to the test command. But in
+the error case it decrements the pointer to the depth value instead of
+the value itself. Fix it.
+
+Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth)
+
+Signed-off-by: Thomas Frauendorfer | Miray Software
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/test.c b/grub-core/commands/test.c
+index b585c3d70..ee47ab264 100644
+--- a/grub-core/commands/test.c
++++ b/grub-core/commands/test.c
+@@ -403,7 +403,7 @@ test_parse (char **args, int *argn, int argc, int *depth)
+ if (++(*depth) > MAX_TEST_RECURSION_DEPTH)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("max recursion depth exceeded"));
+- depth--;
++ (*depth)--;
+ return ctx.or || ctx.and;
+ }
+
+--
+2.33.0
+
diff --git a/backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch b/backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff1409610a10a88de5fdfb47a516f094fa571936
--- /dev/null
+++ b/backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch
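Review bot: The mistake fixed at `(*depth)--;` compiled silently because `depth--` on a pointer parameter is valid C, and nothing in the new code stops it from coming back. Declaring the parameter in the definition of test_parse as `int *const depth` would turn any later `depth--` or `depth++` into a compile error while `(*depth)--` keeps working. A short comment on the error path, such as `/* Undo the increment above; *depth is shared with the caller. */`, would also record why the decrement has to happen before the return. The body of test_parse starts and ends outside the hunk, so its other return paths cannot be checked from here.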
@@ -0,0 +1,32 @@
+From 7debdce1e98907e65223a4b4c53a41345ac45e53 Mon Sep 17 00:00:00 2001
+From: Jamie
+Date: Mon, 14 Jul 2025 10:07:47 +0100
+Subject: [PATCH 8/8] commands/usbtest: Ensure string length is sufficient in
+ usb string processing
+
+If descstrp->length is less than 2 this will result in underflow in
+"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
+value is sufficient.
+
+Signed-off-by: Jamie
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 8ef187a9a..3184ac9af 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -90,7 +90,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+ 0x06, (3 << 8) | index,
+ langid, descstr.length, (char *) descstrp);
+
+- if (descstrp->length == 0)
++ if (descstrp->length < 2)
+ {
+ grub_free (descstrp);
+ *string = grub_strdup ("");
+--
+2.33.0
+
diff --git a/backport-commands-usbtest-Use-correct-string-length-field.patch b/backport-commands-usbtest-Use-correct-string-length-field.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9d89113173bdfc98b8f35d5d8fa5073795663433
--- /dev/null
+++ b/backport-commands-usbtest-Use-correct-string-length-field.patch
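Review bot: The new check `if (descstrp->length < 2)` bounds the device-reported length from below only; nothing in the hunk compares it with `descstr.length`, the size passed to the transfer on the line above. If the second response reports a larger length than the first read did, the `descstrp->length / 2 - 1` conversion named in the commit message would presumably read past the bytes actually received into `descstrp` (its allocation is outside the hunk, so this needs confirming). Consider `if (descstrp->length < 2 || descstrp->length > descstr.length)`, and if the result of the control message is not already checked, return on a transfer error before `descstrp->length` is read at all. grub_usb_get_string starts and ends outside the hunk.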
@@ -0,0 +1,34 @@
+From 549a9cc372fd0b96a4ccdfad0e12140476cc62a3 Mon Sep 17 00:00:00 2001
+From: Jamie
+Date: Mon, 14 Jul 2025 09:52:59 +0100
+Subject: [PATCH 7/8] commands/usbtest: Use correct string length field
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+
+Reported-by: Jamie
+Signed-off-by: Jamie
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 2c6d93fe6..8ef187a9a 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+ return GRUB_USB_ERR_NONE;
+ }
+
+- *string = grub_malloc (descstr.length * 2 + 1);
++ *string = grub_malloc (descstrp->length * 2 + 1);
+ if (! *string)
+ {
+ grub_free (descstrp);
+--
+2.33.0
+
diff --git a/backport-gettext-gettext-Unregister-gettext-command-on-module.patch b/backport-gettext-gettext-Unregister-gettext-command-on-module.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c7b4f7ea6ef0bf7c519d4d9ee84ab5d7c2f2073
--- /dev/null
+++ b/backport-gettext-gettext-Unregister-gettext-command-on-module.patch
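Review bot: The allocation `grub_malloc (descstrp->length * 2 + 1)` has no comment saying why that size is enough for the converted string, which matters more now that the value comes from the device response. A comment above it would let a reader check the bound without re-deriving it, for example `/* length counts UTF-16 bytes; each 2-byte unit yields at most 3 UTF-8 bytes, so length * 2 + 1 covers the output and the NUL. */`, to be confirmed against grub_utf16_to_utf8(). The conversion call itself lies outside the hunk, so the length actually passed to it cannot be checked from here.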
@@ -0,0 +1,66 @@
+From 8ed78fd9f0852ab218cc1f991c38e5a229e43807 Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:06 +0000
+Subject: [PATCH 4/8] gettext/gettext: Unregister gettext command on module
+ unload
+
+When the gettext module is loaded, the gettext command is registered but
+isn't unregistered when the module is unloaded. We need to add a call to
+grub_unregister_command() when unloading the module.
+
+Fixes: CVE-2025-61662
+
+Reported-by: Alec Brown
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/gettext/gettext.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 9ffc73428..edebed998 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -502,6 +502,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+ return 0;
+ }
+
++static grub_command_t cmd;
++
+ GRUB_MOD_INIT (gettext)
+ {
+ const char *lang;
+@@ -521,13 +523,14 @@ GRUB_MOD_INIT (gettext)
+ grub_register_variable_hook ("locale_dir", NULL, read_main);
+ grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+
+- grub_register_command_p1 ("gettext", grub_cmd_translate,
+- N_("STRING"),
+- /* TRANSLATORS: It refers to passing the string through gettext.
+- So it's "translate" in the same meaning as in what you're
+- doing now.
+- */
+- N_("Translates the string with the current settings."));
++ cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
++ N_("STRING"),
++ /*
++ * TRANSLATORS: It refers to passing the string through gettext.
++ * So it's "translate" in the same meaning as in what you're
++ * doing now.
++ */
++ N_("Translates the string with the current settings."));
+
+ /* Reload .mo file information if lang changes. */
+ grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+@@ -544,6 +547,8 @@ GRUB_MOD_FINI (gettext)
+ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+ grub_register_variable_hook ("lang", NULL, NULL);
+
++ grub_unregister_command (cmd);
++
+ grub_gettext_delete_list (&main_context);
+ grub_gettext_delete_list (&secondary_context);
+
+--
+2.33.0
+
diff --git a/backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch b/backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
new file mode 100644
index 0000000000000000000000000000000000000000..584e9f0e4dbf0be4858a78b095be91bcb145c7b1
--- /dev/null
+++ b/backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
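Review bot: `grub_unregister_command (cmd);` in GRUB_MOD_FINI is called with whatever `grub_register_command_p1()` returned, and the new code never checks that handle. If registration can fail and return NULL (its definition is not part of this patch), the unload path passes NULL on; whether grub_unregister_command() tolerates that should be confirmed, or the call guarded with `if (cmd != NULL)`. The same applies to `cmd_normal` and `cmd_normal_exit` in the normal/main patch and to `cmd_all` in the functional_test patch. Separately, the file-scope name `cmd` is generic; `cmd_gettext` would follow the `cmd_*` naming of the normal/main patch and avoid confusion with the `cmd` parameter of grub_cmd_translate.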
@@ -0,0 +1,45 @@
+From c4fb4cbc941981894a00ba8e75d634a41967a27f Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software
+Date: Wed, 7 May 2025 16:15:22 +0200
+Subject: [PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close()
+
+With commit 16f196874 (kern/file: Implement filesystem reference
+counting) files hold a reference to their file systems.
+
+When closing a file in grub_file_close() we should not expect
+file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
+So, grub_dl_unref() should be called after file->fs->fs_close().
+
+Fixes: CVE-2025-54771
+Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
+
+Reported-by: Thomas Frauendorfer | Miray Software
+Signed-off-by: Thomas Frauendorfer | Miray Software
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 6e7efe89a..eb52fd25f 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -201,12 +201,12 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
+ grub_err_t
+ grub_file_close (grub_file_t file)
+ {
+- if (file->fs->mod)
+- grub_dl_unref (file->fs->mod);
+-
+ if (file->fs->fs_close)
+ (file->fs->fs_close) (file);
+
++ if (file->fs->mod)
++ grub_dl_unref (file->fs->mod);
++
+ if (file->device)
+ grub_device_close (file->device);
+ grub_free (file->name);
+--
+2.33.0
+
diff --git a/backport-net-net-Unregister-net_set_vlan-command-on-unload.patch b/backport-net-net-Unregister-net_set_vlan-command-on-unload.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0fd1c52648ac76fb71f870963cc459eee7719a91
--- /dev/null
+++ b/backport-net-net-Unregister-net_set_vlan-command-on-unload.patch
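Review bot: The reordered block in grub_file_close() carries no comment saying why `grub_dl_unref (file->fs->mod)` has to come after `fs_close`, so a later cleanup could move it back and reintroduce the use of `file->fs` after its module reference is dropped. A comment above the moved lines would keep the reasoning from the commit message next to the code, for example `/* Drop the module reference last: after grub_dl_unref() file->fs may no longer be valid. */`. The function continues past the end of the hunk, so whether anything later still reads `file->fs` cannot be checked from here.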
@@ -0,0 +1,35 @@
+From 10e58a14db20e17d1b6a39abe38df01fef98e29d Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software
+Date: Fri, 9 May 2025 14:20:47 +0200
+Subject: [PATCH 3/8] net/net: Unregister net_set_vlan command on unload
+
+The commit 954c48b9c (net/net: Add net_set_vlan command) added command
+net_set_vlan to the net module. Unfortunately the commit only added the
+grub_register_command() call on module load but missed the
+grub_unregister_command() on unload. Let's fix this.
+
+Fixes: CVE-2025-54770
+Fixes: 954c48b9c (net/net: Add net_set_vlan command)
+
+Reported-by: Thomas Frauendorfer | Miray Software
+Signed-off-by: Thomas Frauendorfer | Miray Software
+Reviewed-by: Daniel Kiper
+---
+ grub-core/net/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 6ea33d1cd..6c94a3b1e 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -2146,6 +2146,7 @@ GRUB_MOD_FINI(net)
+ grub_unregister_command (cmd_deladdr);
+ grub_unregister_command (cmd_addroute);
+ grub_unregister_command (cmd_delroute);
++ grub_unregister_command (cmd_setvlan);
+ grub_unregister_command (cmd_lsroutes);
+ grub_unregister_command (cmd_lscards);
+ grub_unregister_command (cmd_lsaddr);
+--
+2.33.0
+
diff --git a/backport-normal-main-Unregister-commands-on-module-unload.patch b/backport-normal-main-Unregister-commands-on-module-unload.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c69d87d5ee73910e87788f56e4ac31abe71e9d54
--- /dev/null
+++ b/backport-normal-main-Unregister-commands-on-module-unload.patch
@@ -0,0 +1,58 @@
+From 05d3698b8b03eccc49e53491bbd75dba15f40917 Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:07 +0000
+Subject: [PATCH 5/8] normal/main: Unregister commands on module unload
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+
+Reported-by: Alec Brown
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/normal/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 8c2acf938..de9a3f961 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -510,7 +510,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+ return 0;
+ }
+
+-static grub_command_t cmd_clear;
++static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+
+ static void (*grub_xputs_saved) (const char *str);
+ static const char *features[] = {
+@@ -554,10 +554,10 @@ GRUB_MOD_INIT(normal)
+ grub_env_export ("pager");
+
+ /* Register a command "normal" for the rescue mode. */
+- grub_register_command ("normal", grub_cmd_normal,
+- 0, N_("Enter normal mode."));
+- grub_register_command ("normal_exit", grub_cmd_normal_exit,
+- 0, N_("Exit from normal mode."));
++ cmd_normal = grub_register_command ("normal", grub_cmd_normal,
++ 0, N_("Enter normal mode."));
++ cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
++ 0, N_("Exit from normal mode."));
+
+ /* Reload terminal colors when these variables are written to. */
+ grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+@@ -599,4 +599,6 @@ GRUB_MOD_FINI(normal)
+ grub_register_variable_hook ("color_highlight", NULL, NULL);
+ grub_fs_autoload_hook = 0;
+ grub_unregister_command (cmd_clear);
++ grub_unregister_command (cmd_normal);
++ grub_unregister_command (cmd_normal_exit);
+ }
+--
+2.33.0
+
diff --git a/backport-tests-lib-functional_test-Unregister-commands-on-mod.patch b/backport-tests-lib-functional_test-Unregister-commands-on-mod.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dc95e294ce4b0421c65d6c911b03505e802cd0bb
--- /dev/null
+++ b/backport-tests-lib-functional_test-Unregister-commands-on-mod.patch
@@ -0,0 +1,47 @@
+From 9df1e693e70c5a274b6d60dc76efe2694b89c2fc Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:08 +0000
+Subject: [PATCH 6/8] tests/lib/functional_test: Unregister commands on module
+ unload
+
+When the functional_test module is loaded, both the functional_test and
+all_functional_test commands are registered but only the all_functional_test
+command is being unregistered since it was the last to set the cmd variable
+that gets unregistered when the module is unloaded. To unregister both
+commands, we need to create an additional grub_extcmd_t variable.
+
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/tests/lib/functional_test.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
+index 94a606bf9..776934e1f 100644
+--- a/grub-core/tests/lib/functional_test.c
++++ b/grub-core/tests/lib/functional_test.c
+@@ -92,17 +92,18 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+ return GRUB_ERR_NONE;
+ }
+
+-static grub_extcmd_t cmd;
++static grub_extcmd_t cmd, cmd_all;
+
+ GRUB_MOD_INIT (functional_test)
+ {
+ cmd = grub_register_extcmd ("functional_test", grub_functional_test, 0, 0,
+ "Run all loaded functional tests.", 0);
+- cmd = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
+- "Run all functional tests.", 0);
++ cmd_all = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
++ "Run all functional tests.", 0);
+ }
+
+ GRUB_MOD_FINI (functional_test)
+ {
+ grub_unregister_extcmd (cmd);
++ grub_unregister_extcmd (cmd_all);
+ }
+--
+2.33.0
+
diff --git a/grub.patches b/grub.patches
index f1563e4815e1de3b5e6983bf21546fc3c1713c8a..d9bcceb3a3ef907cefbae958c4a722bd5b2abe1d 100644
--- a/grub.patches
+++ b/grub.patches
@@ -339,3 +339,11 @@ Patch342: backport-term-ns8250-spcr-Return-if-redirection-is-disabled.patc
 Patch343: backport-fs-zfs-Fix-a-number-of-memory-leaks-in-ZFS-code.patch
 Patch344: backport-fs-btrfs-Fix-memory-leaks.patch
 Patch345: backport-kern-riscv-efi-init-Use-time-register-in-grub_efi_ge.patch
+Patch346: backport-commands-test-Fix-error-in-recursion-depth-calculati.patch
+Patch347: backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
+Patch348: backport-net-net-Unregister-net_set_vlan-command-on-unload.patch
+Patch349: backport-gettext-gettext-Unregister-gettext-command-on-module.patch
+Patch350: backport-normal-main-Unregister-commands-on-module-unload.patch
+Patch351: backport-tests-lib-functional_test-Unregister-commands-on-mod.patch
+Patch352: backport-commands-usbtest-Use-correct-string-length-field.patch
+Patch353: backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch
diff --git a/grub2.spec b/grub2.spec
index 97a6fb6a093e55c4438a8e9c47c8a458ce9676fc..b558cfa2d4e1f9a835dcae38d600dbabaa4aa282 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -23,7 +23,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 46 +Release: 47 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/
@@ -464,6 +464,19 @@ fi %{_datadir}/man/man* %changelog +* Fri Nov 21 2025 zhangqiumiao - 1:2.12-47 +- Type:CVE +- CVE:CVE-2025-61661,CVE-2025-61662,CVE-2025-54771,CVE-2025-54770,CVE-2025-61663,CVE-2025-61664 +- SUG:NA +- DESC:commands/usbtest: Ensure string length is sufficient in usb string processing + commands/usbtest: Use correct string length field + tests/lib/functional_test: Unregister commands on module unload + normal/main: Unregister commands on module unload + gettext/gettext: Unregister gettext command on module unload + net/net: Unregister net_set_vlan command on unload + kern/file: Call grub_dl_unref() after fs->fs_close() + commands/test: Fix error in recursion depth calculation + * Thu Oct 23 2025 yueyuankun - 1:2.12-46 - Type:bugfix - CVE:NA