The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,
hfsplus, iso9660, squash4, tar, xfs and zfs.
The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
reported by Jonathan Bar Or <jonathanbaror@gmail.com>.
Fixes: CVE-2025-0677
Fixes: CVE-2025-0684
Fixes: CVE-2025-0685
Fixes: CVE-2025-0686
Fixes: CVE-2025-0689
Suggested-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The grub_file_open() and grub_file_close() should be the only places
that allow a reference to a filesystem to stay open. So, add grub_dl_t
to grub_fs_t and set this in the GRUB_MOD_INIT() for each filesystem to
avoid issues when filesystems forget to do it themselves or do not track
their own references, e.g. squash4.
The fs_label(), fs_uuid(), fs_mtime() and fs_read() should all ref and
unref in the same function but it is essentially redundant in GRUB
single threaded model.
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Implemented a boundary check before advancing the allocation
descriptors pointer.
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Validate the length of Allocation Extent Descriptor in grub_udf_read_block(),
based on the details in UDF spec. v2.01 section 2.3.11.
Fixes: CID 314037
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This code was broken by commit 3f05d693 (malloc: Use overflow checking
primitives where we do complex allocations), which added overflow
checking in many areas. The problem here is that the changes update the
local variable sz, which was already in use and which was not updated
before the change. So the code using sz was getting a different value of
than it would have previously for the same UDF image. This causes the
logic getting the destination of the symlink to not realize that its
gotten the full destination, but keeps trying to read past the end of
the destination. The bytes after the end are generally NULL padding
bytes, but that's not a valid component type (ECMA-167 14.16.1.1). So
grub_udf_read_symlink() branches to error logic, returning NULL, instead
of the symlink destination path.
The result of this bug is that the UDF filesystem tests were failing in
the symlink test with the grub-fstest error message:
grub-fstest: error: cannot open `(loop0)/sym': invalid symlink.
This change stores the result of doubling sz in another local variable s,
so as not to modify sz. Also remove unnecessary grub_add(), which increased
the output by 1, presumably to account for a NULL byte. This isn't needed
because an output buffer of size twice sz is already guaranteed to be more
than enough to contain the path components converted to UTF-8. The value of
sz contains at least 4 bytes for the path component header (ECMA-167 14.16.1),
which means that 2 * 4 bytes are allocated but will not be used for UTF-8
characters, so the NULL byte is accounted for.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
- allocation of integer overflow in grub_video_bitmap_create()
reported by Chris Coulson,
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in grub_squash_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in grub_ext2_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in read_section_as_string()
reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This modifies most of the places we do some form of:
X = malloc(Y * Z);
to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
reported by Chris Coulson.
Fixes: CVE-2020-14308
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Use same algorithm as in libblkid from util-linux v2.30.
1. Take first 16 bytes from UTF-8 encoded string of VolumeSetIdentifier
2. If all bytes are hexadecimal digits, convert to lowercase and use as UUID
3. If first 8 bytes are not all hexadecimal digits, convert those 8 bytes
to their hexadecimal representation, resulting in 16 bytes for UUID
4. Otherwise, compose UUID from two parts:
1. part: converted first 8 bytes (which are hexadecimal digits) to lowercase
2. part: encoded following 4 bytes to their hexadecimal representation (16 bytes)
So UUID would always have 16 hexadecimal digits in lowercase variant.
According to UDF specification, first 16 Unicode characters of
VolumeSetIdentifier should be unique value and first 8 should be
hexadecimal characters.
In most cases all 16 characters are hexadecimal, but e.g. MS Windows
format.exe set only first 8 as hexadecimal and remaining as fixed
(non-unique) which violates specification.
UDF dstring has stored length in the last byte of buffer. Therefore last
byte is not part of recorded characters. And empty string in dstring is
encoded as empty buffer, including first byte (compression id).
* grub-core/fs/udf.c (read_string): New argument outbuf.
All users updated.
(grub_ufs_read_symlink): Rename to ...
(grub_udf_read_symlink): ... this. All users updated.
Handle symlinks with more than one component.
* grub-core/fs/udf.c (grub_udf_file_entry): Don't specify padding size.
(grub_udf_extended_file_entry): Likewise.
(grub_fshelp_node): Name the anonymous union. Put block at the end.
All users updated.
(get_fshelp_size): New function.
(grub_udf_read_icb): Read whole block.
(grub_udf_iterate_dir): Likewise.
(grub_udf_dir): Likewise.
(grub_udf_open): Likewise.
* grub-core/fs/affs.c (grub_affs_time): New struct.
(grub_affs_file): New field mtime.
(grub_fshelp_node): Changed 'block' and 'parent' to more appropriate
type. Removed 'size'. New field 'di'. All users updated.
(grub_affs_mount): Simplify checsum checking.
(grub_affs_iterate_dir): New helper grub_affs_create_node.
(grub_affs_dir): Handle mtime.
* grub-core/fs/cpio.c (grub_cpio_find_file): Handle mtime.
(grub_cpio_dir): Likewise.
* grub-core/fs/hfs.c (grub_hfs_dirrec): New fields 'ctime' and 'mtime'.
(grub_hfs_filerec): New field mtime.
(grub_hfs_dir): Handle mtime.
(grub_hfs_mtime): New function.
(grub_hfs_fs): Register grub_hfs_mtime.
* grub-core/fs/iso9660.c (grub_iso9660_date2): New struct.
(grub_iso9660_dir): New field mtime.
(grub_fshelp_node): New field dirent.
(iso9660_to_unixtime): New function.
(iso9660_to_unixtime2): Likewise.
(grub_iso9660_read_symlink): Use node->dirent.
(grub_iso9660_iterate_dir): Likewise.
(grub_iso9660_dir): Set mtime.
(grub_iso9660_mtime): New function.
(grub_iso9660_fs): Register grub_iso9660_mtime.
* grub-core/fs/jfs.c (grub_jfs_time): New struct.
(grub_jfs_inode): New fields atime, ctime and mtime.
(grub_jfs_dir): Set mtime.
* grub-core/fs/minix.c (grub_minix_dir): Likewise.
* grub-core/fs/ntfs.c (list_file): Set mtime.
(grub_ntfs_dir): Likewise.
* grub-core/fs/reiserfs.c (grub_fshelp_node): New field 'mtime'.
(grub_reiserfs_iterate_dir): Set mtime.
(grub_reiserfs_dir): Likewise.
* grub-core/fs/sfs.c (grub_sfs_obj): New field mtime.
(grub_fshelp_node): Likewise.
(grub_sfs_iterate_dir): Set mtime.
(grub_sfs_dir): Likewise.
* grub-core/fs/udf.c (grub_udf_dir): Set mtime.
* grub-core/fs/xfs.c (grub_xfs_time): New struct.
(grub_xfs_inode): New fields atime, mtime, ctime.
(grub_xfs_dir): Set mtime.
* include/grub/datetime.h (grub_datetime2unixtime): New function.
* include/grub/hfs.h (grub_hfs_sblock): New fields ctime and mtime.
* include/grub/ntfs.h (grub_fshelp_node): New field mtime.
Support UDF symlinks.
* grub-core/fs/udf.c (grub_udf_iterate_dir): Handle symlinks.
(grub_ufs_read_symlink): New function. All users updated.
Check amiga partmap checksum.
* grub-core/partmap/amiga.c (grub_amiga_rdsk): Pad to 128 bytes.
(grub_amiga_partition): Likewise.
(amiga_partition_map_checksum): New function.
(amiga_partition_map_iterate): Check checksum.
* grub-core/fs/udf.c (GRUB_UDF_LOG2_BLKSIZE): Removed.
(GRUB_UDF_BLKSZ): Removed.
(struct grub_udf_data): New field "lbshift" to hold the logical block
size of the file system in log2 format. All users updated.
(sblocklist): Change type to unsigned.
(grub_udf_mount): Change type of "sblklist" to unsigned.
Move AVDP search before VRS recognition, because the latter requires
knowledge of the logical block size, which is detected during the
former.
Detect and validate logical block size during AVDP search, adding
support for block sizes 512, 1024 and 4096.
Make VRS recognition independent of block size.
* grub-core/fs/udf.c (GRUB_UDF_LOG2_BLKSIZE): Removed.
(GRUB_UDF_BLKSZ): Removed.
(struct grub_udf_data): New field "lbshift" to hold the logical block
size of the file system in log2 format. All users updated.
(sblocklist): Change type to unsigned.
(grub_udf_mount): Change type of "sblklist" to unsigned.
Move AVDP search before VRS recognition, because the latter requires
knowledge of the logical block size, which is detected during the
former.
Detect and validate logical block size during AVDP search, adding
support for block sizes 512, 1024 and 4096.
Make VRS recognition independent of block size.
