A issue was found when I run "runqemu genericx86-64 ovmf", grub failed
to boot, it's a known issue has been fixed in grub upstream, backport
the fix.
(From OE-Core rev: 6992437d725f9cc88da4261814b69aaadc5ef0f2)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51eab4bb0cae46c9c32d28986eb97badf47594b7)
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver.
This issue may allow an attacker to present a specially crafted NTFS
filesystem image, leading to grub's heap metadata corruption. In some
circumstances, the attack may also corrupt the UEFI firmware heap metadata.
As a result, arbitrary code execution and secure boot protection bypass
may be achieved.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4692https://bugzilla.redhat.com/show_bug.cgi?id=2236613
(From OE-Core rev: c89835b37366dde6c74f8221fd5a295ecabf8225)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport CVE patches from upstream to fix:
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734
CVE-2022-28735
Backport the following 5 patches to make CVE patches be applied smoothly.
video-Remove-trailing-whitespaces.patch
video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
(From OE-Core rev: 5e99aaaa4f36aacaf005d9721c3b6cd7c9526943)
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit db43401a3a4c201f02f4128fa4bac8ce993bfec0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update the patch as submitted upstream to grub2
(From OE-Core rev: a1ce702bb5317712083ae32332051c36923c4a50)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
New versions of binutils caused object files to be 128MB in size,
backporting this fix reduced them back to a sensible size, e.g.
1024 bytes. This avoids initramfix size issues!
(From OE-Core rev: b72b9e81268719436e4bad5062cb0e1781da0395)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix the ordering in the generated unidata.c file to aid reproducibility.
[YOCTO #14167]
(From OE-Core rev: 6d9c9f7604fd32ef926726a46ae053bbab6ccb4f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The "CVE:" line in the patch for CVEs 2020-14309, CVE-2020-14310, and
CVE-2020-14311 had commas between the CVE numbers, which resulted in
CVE-2020-14310 not being picked up as patched by cve-check.bbclass's
parsing. Remove the commas to match cve-check.bbclass's expectations.
(From OE-Core rev: 396d5c0f9cffa4b54ae94738b1ef2b6fb545f082)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is a second list sorting problem in a generator script within grub,
add a sort() of a list to resolve this.
(From OE-Core rev: cb5e96e05930eaff4d679166416d6c84d6e3236b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing reproducibility issue on the autobuilder due to changing
module dependency ordering. Add some sorting to an awk script to fix this.
(From OE-Core rev: 925ddd5edccbfec52ff45c1b54ab2ae1bfe0d57c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Clean up several patches introduced in commit 6732918498 ("grub:fix
several CVEs in grub 2.04").
1) Add CVE tags to individual patches.
2) Rename upstream patches and prefix them with CVE tags.
3) Add description of reference to upstream patch.
(From OE-Core rev: bcb8b6719beaf6625e6b703e91958fe8afba5819)
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport patches from https://git.savannah.gnu.org/git/grub.git
to fix some CVEs. Here is the list.
CVE-2020-14308:
0001-calloc-Make-sure-we-always-have-an-overflow-checking.patch
0002-lvm-Add-LVM-cache-logical-volume-handling.patch
0003-calloc-Use-calloc-at-most-places.patch
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311:
0004-safemath-Add-some-arithmetic-primitives-that-check-f.patch
0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
CVE-2020-15706:
0006-script-Remove-unused-fields-from-grub_script_functio.patch
0007-script-Avoid-a-use-after-free-when-redefining-a-func.patch
CVE-2020-15707:
0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch
(From OE-Core rev: 67329184985a03534f11f95e9df5f9fb2305a261)
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In practice the warnings were disabled individually instead of fixes added,
so just make all warnings non-fatal to achieve the same.
(From OE-Core rev: 330fc83d4519da3c13eb55e8c060ba3e191c9906)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This was not compiled for x86_64 when previously testing aarch64
so some tests were missed.
(From OE-Core rev: c2cb8827dc5bdeadd78f462398630c05e5a9ebb7)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a patch that helps with this error which is found
by gcc9
(From OE-Core rev: 93419fb569b827056a422614d3dc29cd41b2b6bb)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 856a70cf6ca9137d5c07c2aa9ef447032589504d)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* e.g. with gentoo gcc-7.1 they define _FORTIFY_SOURCE by default with:
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/src/patchsets/gcc/7.1.0/gentoo/10_all_default-fortify-source.patch?view=markup
which results in following error while building grub-efi-native:
./config-util.h:1504:48: error: this use of "defined" may not be portable [-Werror=expansion-to-defined]
|| (defined _FORTIFY_SOURCE && 0 < _FORTIFY_SOURCE \
^~~~~~~~~~~~~~~
this part comes from gnulib and it's used only for Apple and BSD,
so we can ignore it, but we cannot add -Wno-error=expansion-to-defined
because this warning was introduced only in gcc-7 and older gcc
will fail with:
cc1: error: -Werror=expansion-to-defined: no option -Wexpansion-to-defined
use #pragma to work around this
(From OE-Core rev: f5302b0ad2942f7705d46c33949ebc1c5ddf3f58)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rather than erroring out on a single attempt while
terminating EFI services, make a few retries because
such quirks are found in a few implementations.
Also fix a div by zero issue in the same framework
which causes an infinite reboot on the target.
Both patches included here are backports.
(From OE-Core rev: 5e6ac806bd9b8bf885ef1e88484e91e4cdaaa69a)
Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
While using oe-core toolchain to strip grub module 'all_video.mod',
it stripped symbol table:
--------------
root@localhost:~# objdump -t all_video.mod
all_video.mod: file format elf64-x86-64
SYMBOL TABLE:
no symbols
--------------
It caused grub to load module all_video failed.
(This module will be loaded by defalut which configed in grub.cfg)
--------------
grub> insmod all_video
error: no symbol table.
--------------
Tweak strip option to keep symbol .module_license could workaround
the issue.
--------------
root@localhost:~# objdump -t all_video.mod
all_video.mod: file format elf64-x86-64
SYMBOL TABLE:
0000000000000000 l d .text 0000000000000000 .text
0000000000000000 l d .data 0000000000000000 .data
0000000000000000 l d .module_license 0000000000000000 .module_license
0000000000000000 l d .bss 0000000000000000 .bss
0000000000000000 l d .moddeps 0000000000000000 .moddeps
0000000000000000 l d .modname 0000000000000000 .modname
--------------
(From OE-Core rev: 17e7eb96e5446821ad81977ac9ccac26b05e67a7)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* When adding new source files from upstream the autogen.sh
script needs to be run
* Rework grub2-remove-sparc64-setup-from-x86-builds.patch
to remove the grub-setup helper program grub-sparc64-setup
in Makefile.util.def instead of the previous Makefile.util.am
to avoid the update for Makefile.util.am in do_patch phase is
overwritten by the autogen.sh in do_configure phase
(From OE-Core rev: 949df030cf39e7f551302e1e6f86b0a270cd2181)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enforce the correct tag names across all of oe-core for consistency.
(From OE-Core rev: 606a43dc38a00cc243f933722db657aea4129f8e)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It was used for building with glibc 2.20, now is glibc 2.23, so remove it.
(From OE-Core rev: cee2794c8312a2f8266c018acfd475b1882fc0f6)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If the documentation needs to rebuild then it will fail as the syntax isn't
valid with modern texinfo. Backport a patch from git to fix the syntax.
[ YOCTO #9306 ]
(From OE-Core rev: f59263a2d1a4918e8dd12fcf968a826b3e8fa018)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is inspired by musl porting, where grub's configure is enabling
largefile support based on glibc versions, instead an upstream patch
turns it into autoconf check
Update git version recipe
arm platforms use this recipe to provide grub and it needed fixes from
upstream so upgrade to latest tip of git and forward port patches as
well as drop the ones already applied upstream
(From OE-Core rev: a290429c8415042cb8c2f4258e76a3cc6815a172)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The currnet patches in OE-core doesn't have the "CVE:"
tag, now part of the policy of the patches.
This is patch add this tag to several patches. There might
be patches that I miss; the tag can be added in the future.
(From OE-Core rev: 065ebeb3e15311d0d45385e15bf557b1c95b1669)
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.
(From OE-Core rev: bd220fe6ce8c3a0805f13a14706d3130ea872604)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current grub2 fails on loading large initrd file (> 500M) since
the initrd size is added to the addr_min and causes the failure.
Fix it by picking a patch from grub2 upstream.
(From OE-Core rev: 156d8fecf31a7a9dc257e55e25645c561d5ba0b8)
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gcc-5 is stricter and complains about const to non-const
conversions, we backport the patch from upstream into 2.00
Change-Id: I17db365fdd253daaa1ab726e2a70ecad0ac7b2ae
(From OE-Core rev: 7d79a7bfffbc39090b22bb7696cc5dbc832e49b6)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
