diff --git a/backport-commands-test-Fix-error-in-recursion-depth-calculati.patch b/backport-commands-test-Fix-error-in-recursion-depth-calculati.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d70a0b0283109a29570405b61017ae3ea973881e
--- /dev/null
+++ b/backport-commands-test-Fix-error-in-recursion-depth-calculati.patch
@@ -0,0 +1,34 @@
+From a87b035e42217b2e5eb4ae195a9991aff4134371 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software
+Date: Fri, 9 May 2025 13:51:08 +0200
+Subject: [PATCH 1/7] commands/test: Fix error in recursion depth calculation
+
+The commit c68b7d236 (commands/test: Stack overflow due to unlimited
+recursion depth) added recursion depth tests to the test command. But in
+the error case it decrements the pointer to the depth value instead of
+the value itself. Fix it.
+
+Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth)
+
+Signed-off-by: Thomas Frauendorfer | Miray Software
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/test.c b/grub-core/commands/test.c
+index b585c3d..ee47ab2 100644
+--- a/grub-core/commands/test.c
++++ b/grub-core/commands/test.c
+@@ -403,7 +403,7 @@ test_parse (char **args, int *argn, int argc, int *depth)
+ if (++(*depth) > MAX_TEST_RECURSION_DEPTH)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("max recursion depth exceeded"));
+- depth--;
++ (*depth)--;
+ return ctx.or || ctx.and;
+ }
+
+-- 
+2.33.0
+
diff --git a/backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch b/backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9dafd0da827946edf32232b2446dfddb45efa3b1
--- /dev/null
+++ b/backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch
@@ -0,0 +1,32 @@
+From 8c11c3ef3e195467d53a53104c965c3279dca486 Mon Sep 17 00:00:00 2001
+From: Jamie
+Date: Mon, 14 Jul 2025 10:07:47 +0100
+Subject: [PATCH 7/7] commands/usbtest: Ensure string length is sufficient in
+ usb string processing
+
+If descstrp->length is less than 2 this will result in underflow in
+"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
+value is sufficient.
+
+Signed-off-by: Jamie
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 8ef187a..3184ac9 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -90,7 +90,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+ 0x06, (3 << 8) | index,
+ langid, descstr.length, (char *) descstrp);
+
+- if (descstrp->length == 0)
++ if (descstrp->length < 2)
+ {
+ grub_free (descstrp);
+ *string = grub_strdup ("");
+-- 
+2.33.0
+
diff --git a/backport-commands-usbtest-Use-correct-string-length-field.patch b/backport-commands-usbtest-Use-correct-string-length-field.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9b4bfd9ac3e6193862de757c266d42603eec9be
--- /dev/null
+++ b/backport-commands-usbtest-Use-correct-string-length-field.patch
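Review bot: In grub_usb_get_string (usbtest.c, PATCH 7/7) the new `descstrp->length < 2` guard bounds the device-reported length from below only; nothing in the hunk compares it with the size of the buffer the descriptor was read into. The request just above the check asks for `descstr.length` bytes into `descstrp`, so that buffer was presumably sized from the first descriptor read (the allocation is outside the hunk), while the conversion quoted in the commit message, `descstrp->length / 2 - 1`, uses the value from the second response. If the two can differ, a `descstrp->length` larger than `descstr.length` would let the conversion read past `descstrp`; extending the guard to `if (descstrp->length < 2 || descstrp->length > descstr.length)`, or clamping before use, would close that. The same length feeds `grub_malloc (descstrp->length * 2 + 1)` in the companion usbtest patch (PATCH 6/7), and the result of the control transfer is not visibly checked before `descstrp->length` is read.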
@@ -0,0 +1,34 @@
+From 0d62842095edd090b60ed8ebc205b5ab856adb15 Mon Sep 17 00:00:00 2001
+From: Jamie
+Date: Mon, 14 Jul 2025 09:52:59 +0100
+Subject: [PATCH 6/7] commands/usbtest: Use correct string length field
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+
+Reported-by: Jamie
+Signed-off-by: Jamie
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 2c6d93f..8ef187a 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+ return GRUB_USB_ERR_NONE;
+ }
+
+- *string = grub_malloc (descstr.length * 2 + 1);
++ *string = grub_malloc (descstrp->length * 2 + 1);
+ if (! *string)
+ {
+ grub_free (descstrp);
+-- 
+2.33.0
+
diff --git a/backport-gettext-gettext-Unregister-gettext-command-on-module.patch b/backport-gettext-gettext-Unregister-gettext-command-on-module.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6e76956223c2aa4b6ace78d90969be02908ed87f
--- /dev/null
+++ b/backport-gettext-gettext-Unregister-gettext-command-on-module.patch
@@ -0,0 +1,66 @@
+From 2b1c92012862a4db27e61b5217dcaad904a2ae3d Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:06 +0000
+Subject: [PATCH 3/7] gettext/gettext: Unregister gettext command on module
+ unload
+
+When the gettext module is loaded, the gettext command is registered but
+isn't unregistered when the module is unloaded. We need to add a call to
+grub_unregister_command() when unloading the module.
+
+Fixes: CVE-2025-61662
+
+Reported-by: Alec Brown
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/gettext/gettext.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 0e51b5d..fe1c333 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -509,6 +509,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+ return 0;
+ }
+
++static grub_command_t cmd;
++
+ GRUB_MOD_INIT (gettext)
+ {
+ const char *lang;
+@@ -528,13 +530,14 @@ GRUB_MOD_INIT (gettext)
+ grub_register_variable_hook ("locale_dir", NULL, read_main);
+ grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+
+- grub_register_command_p1 ("gettext", grub_cmd_translate,
+- N_("STRING"),
+- /* TRANSLATORS: It refers to passing the string through gettext.
+- So it's "translate" in the same meaning as in what you're
+- doing now.
+- */
+- N_("Translates the string with the current settings."));
++ cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
++ N_("STRING"),
++ /*
++ * TRANSLATORS: It refers to passing the string through gettext.
++ * So it's "translate" in the same meaning as in what you're
++ * doing now.
++ */
++ N_("Translates the string with the current settings."));
+
+ /* Reload .mo file information if lang changes. */
+ grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+@@ -551,6 +554,8 @@ GRUB_MOD_FINI (gettext)
+ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+ grub_register_variable_hook ("lang", NULL, NULL);
+
++ grub_unregister_command (cmd);
++
+ grub_gettext_delete_list (&main_context);
+ grub_gettext_delete_list (&secondary_context);
+
+-- 
+2.33.0
+
diff --git a/backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch b/backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bd383e25ef8414d9e4351043134ca5b92984f0df
--- /dev/null
+++ b/backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
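Review bot: `grub_unregister_command (cmd)` in GRUB_MOD_FINI (gettext.c, PATCH 3/7) is called with whatever `grub_register_command_p1` returned in GRUB_MOD_INIT, and that handle is never checked. If registration can fail and return NULL (its definition is not part of this patch), unloading the module would hand NULL to the unregister call; a guard such as `if (cmd != NULL) grub_unregister_command (cmd);` would keep the unload path safe in that case. The same applies to `cmd_normal` and `cmd_normal_exit` in the normal/main patch (PATCH 4/7), which follows the existing unchecked `cmd_clear` pattern. Both module init and fini bodies extend beyond the hunks shown.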
@@ -0,0 +1,46 @@
+From 5a429dab7bfb2f19a1db62f426acee2dd545f55c Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software
+Date: Wed, 7 May 2025 16:15:22 +0200
+Subject: [PATCH 2/7] kern/file: Call grub_dl_unref() after fs->fs_close()
+
+With commit 16f196874 (kern/file: Implement filesystem reference
+counting) files hold a reference to their file systems.
+
+When closing a file in grub_file_close() we should not expect
+file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
+So, grub_dl_unref() should be called after file->fs->fs_close().
+
+Fixes: CVE-2025-54771
+Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
+
+Reported-by: Thomas Frauendorfer | Miray Software
+Signed-off-by: Thomas Frauendorfer | Miray Software
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 8506a8a..cb62d52 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -208,13 +208,13 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
+ grub_err_t
+ grub_file_close (grub_file_t file)
+ {
+- if (file->fs->mod)
+- grub_dl_unref (file->fs->mod);
+-
+ grub_dprintf ("file", "Closing `%s' ...\n", file->name);
+ if (file->fs->fs_close)
+ (file->fs->fs_close) (file);
+
++ if (file->fs->mod)
++ grub_dl_unref (file->fs->mod);
++
+ if (file->device)
+ grub_device_close (file->device);
+
+-- 
+2.33.0
+
diff --git a/backport-normal-main-Unregister-commands-on-module-unload.patch b/backport-normal-main-Unregister-commands-on-module-unload.patch
new file mode 100644
index 0000000000000000000000000000000000000000..68c9cd2f82a8553be820f15a639240af2eed1eba
--- /dev/null
+++ b/backport-normal-main-Unregister-commands-on-module-unload.patch
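Review bot: The ordering established in grub_file_close() (kern/file.c, PATCH 2/7), with `fs_close` first and `grub_dl_unref (file->fs->mod)` after it, is load-bearing but nothing in the code says so, and the removed lines show how easily the two blocks end up the other way round. I would add a comment above the moved block, e.g. `/* Drop the module reference only after fs_close(): once it is released the fs module may be unloaded and file->fs must not be relied on. */`. The function body continues past the end of the hunk, so whether anything after `grub_device_close` still reads `file->fs` cannot be confirmed from here.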
@@ -0,0 +1,58 @@
+From 917cccb1132806fecbd8024f41a4c5c4c3eee34c Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:07 +0000
+Subject: [PATCH 4/7] normal/main: Unregister commands on module unload
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+
+Reported-by: Alec Brown
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/normal/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 49e5792..2107520 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -603,7 +603,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+ return 0;
+ }
+
+-static grub_command_t cmd_clear;
++static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+
+ static void (*grub_xputs_saved) (const char *str);
+ static const char *features[] = {
+@@ -645,10 +645,10 @@ GRUB_MOD_INIT(normal)
+ grub_env_export ("pager");
+
+ /* Register a command "normal" for the rescue mode. */
+- grub_register_command ("normal", grub_cmd_normal,
+- 0, N_("Enter normal mode."));
+- grub_register_command ("normal_exit", grub_cmd_normal_exit,
+- 0, N_("Exit from normal mode."));
++ cmd_normal = grub_register_command ("normal", grub_cmd_normal,
++ 0, N_("Enter normal mode."));
++ cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
++ 0, N_("Exit from normal mode."));
+
+ /* Reload terminal colors when these variables are written to. */
+ grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+@@ -690,4 +690,6 @@ GRUB_MOD_FINI(normal)
+ grub_register_variable_hook ("color_highlight", NULL, NULL);
+ grub_fs_autoload_hook = 0;
+ grub_unregister_command (cmd_clear);
++ grub_unregister_command (cmd_normal);
++ grub_unregister_command (cmd_normal_exit);
+ }
+-- 
+2.33.0
+
diff --git a/backport-tests-lib-functional_test-Unregister-commands-on-mod.patch b/backport-tests-lib-functional_test-Unregister-commands-on-mod.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d21dd30e3ea9e7d0a64a0aad3a38f32e0ee68895
--- /dev/null
+++ b/backport-tests-lib-functional_test-Unregister-commands-on-mod.patch
@@ -0,0 +1,47 @@
+From 2abc7dac687a9de2f9e3b2a4e9c0cdf9af0a4ac4 Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:08 +0000
+Subject: [PATCH 5/7] tests/lib/functional_test: Unregister commands on module
+ unload
+
+When the functional_test module is loaded, both the functional_test and
+all_functional_test commands are registered but only the all_functional_test
+command is being unregistered since it was the last to set the cmd variable
+that gets unregistered when the module is unloaded. To unregister both
+commands, we need to create an additional grub_extcmd_t variable.
+
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/tests/lib/functional_test.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
+index 0dd0aec..81dc1b8 100644
+--- a/grub-core/tests/lib/functional_test.c
++++ b/grub-core/tests/lib/functional_test.c
+@@ -87,17 +87,18 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+ return GRUB_ERR_NONE;
+ }
+
+-static grub_extcmd_t cmd;
++static grub_extcmd_t cmd, cmd_all;
+
+ GRUB_MOD_INIT (functional_test)
+ {
+ cmd = grub_register_extcmd ("functional_test", grub_functional_test, 0, 0,
+ "Run all loaded functional tests.", 0);
+- cmd = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
+- "Run all functional tests.", 0);
++ cmd_all = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
++ "Run all functional tests.", 0);
+ }
+
+ GRUB_MOD_FINI (functional_test)
+ {
+ grub_unregister_extcmd (cmd);
++ grub_unregister_extcmd (cmd_all);
+ }
+-- 
+2.33.0
+
diff --git a/grub.patches b/grub.patches
index d3b8426e2e5a5f4c90db1f5d6bd557cbd42f81c3..eabc39b0c40fe3beab52299d3f4ac2d6bee2d06b 100644
--- a/grub.patches
+++ b/grub.patches
@@ -441,3 +441,10 @@ Patch0440: backport-0080-kern-misc-Add-sanity-check-after-grub_strtoul-call.patc Patch0441: backport-0081-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch Patch0442: backport-0082-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch Patch0443: backport-fix-CVE-2024-56738.patch +Patch0444: backport-commands-test-Fix-error-in-recursion-depth-calculati.patch +Patch0445: backport-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch +Patch0446: backport-gettext-gettext-Unregister-gettext-command-on-module.patch +Patch0447: backport-normal-main-Unregister-commands-on-module-unload.patch +Patch0448: backport-tests-lib-functional_test-Unregister-commands-on-mod.patch +Patch0449: backport-commands-usbtest-Use-correct-string-length-field.patch +Patch0450: backport-commands-usbtest-Ensure-string-length-is-sufficient-.patch diff --git a/grub2.spec b/grub2.spec index 7e3d9be81b52749ce25dce23e68e7c3401a1a804..40e33aec15a418f6cb15677c891f1aa3a4e16b18 100644 --- a/grub2.spec +++ b/grub2.spec @@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 52 +Release: 53 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -453,6 +453,18 @@ fi %{_datadir}/man/man* %changelog +* Fri Nov 21 2025 zhangqiumiao - 1:2.06-53 +- Type:CVE +- CVE:CVE-2025-61661,CVE-2025-61662,CVE-2025-54771,CVE-2025-61663,CVE-2025-61664 +- SUG:NA +- DESC:commands/usbtest: Ensure string length is sufficient in usb string processing + commands/usbtest: Use correct string length field + tests/lib/functional_test: Unregister commands on module unload + normal/main: Unregister commands on module unload + gettext/gettext: Unregister gettext command on module unload + kern/file: Call grub_dl_unref() after fs->fs_close() + commands/test: Fix error in recursion depth calculation + * Tue Apr 8 2025 zhangqiumiao - 1:2.06-52 - Type:CVE - CVE:CVE-2024-56738