Currently if the fallback option is enabled and no files are found in
the specified directory it searches the default (loader/conf) directory
but always in the device set by the root environment variable. It makes
more sense and also the comment in the code implies, that the default
directory on the current device should be searched.
Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The DIR parameter in the example should be specified after the -p|--path option
instead of after -f|fallback.
Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Fix possible and absolute memory leaks of "handles"
returned by grub_efi_locate_handle() using grub_malloc().
Signed-off-by: Khalid Ali <khaliidcaliy@gmail.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-install allows to pass a parameter to install a theme in the boot partition.
This works fine for the default starfield theme. However, in general themes can
contain subdirectories, as, e.g. "icons", and these are not copied by grub-install.
As a result, the icons are missing on the screen.
Fix this by simple recursive copying.
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Let the lsefisystab command recognize the following table GUIDs:
- EFI_MEMORY_ATTRIBUTES_TABLE_GUID,
- EFI_TCG2_FINAL_EVENTS_TABLE_GUID.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
From Debian 12 to 13, recode had a major overhaul and now does not support
the macroman encoding. Its unclear if this is a bug or intentional.
Regardless, use the CSMACINTOSH encoding instead as MacRoman and it are
aliases and CSMACINTOSH is supported on both Debian 12 and 13.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The implementation in sd-boot was changed to return UINT32_MAX when
the EFI environment detects a working TPM2, but with an older firmware
that doesn't implement the protocol to get the list of active banks.
This allows distinguishing with the case where there is no working TPM2,
in which case userspace just gives up, and instead lets userspace try to
figure it out later.
Fixes: f326c5c47 (commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable)
Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
... in gettext_append() to handle allocation errors. This prevents NULL
pointer dereference and stops crashes during string translation.
Signed-off-by: Sridhar Markonda <sridharm@linux.ibm.com>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In case of an overflow "p" and "p->grub_devpath" will not be freed.
Fix both issues.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Add a failure check after grub_calloc() call. If grub_calloc()
fails, e.g., due to memory allocation failure, it returns NULL.
Then using grub_efiemu_elfsyms, which will be NULL, later will
result in a NULL pointer dereference.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Switch from "xorq %rax, %rax" to "xorl %eax, %eax". In 64-bit mode
zeroing EAX implicitly clears RAX and the 32-bit form encodes are one
byte smaller while keeping identical semantics.
Signed-off-by: George Hu <integral@archlinux.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The tests asn1_test and tpm2_key_protector_test should be labelled as
nonnative tests because they run tests on the target. A clue that
indicates a nonnative test is the usage of the grub-shell script.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
As of 1a5417f39a0c (configure: Check linker for --image-base support),
the GNU Autoconf Archive is now required to bootstrap GRUB.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Also, add more documentation mentioning that the tests require
a "specially crafted environment" to run. Just running as root
is not enough.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Remove unnecessary subshells. Loop over autogenerated po files only once.
Use existing LINGUAS created by bootstrap instead of finding po files
again.
Add wget as a soft requirement now that we are using bootstrap's code
for updating translation files. This should only be needed if updated
translations are desired, which is the default. There should be older
translation files already, and wget is not necessary if those will
suffice.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Bootstrap has infrastructure for downloading/updating project po files
and generating the LINGUAS file. It uses wget instead of rsync, but
provides the same functionality, namely that only po files that have
a modification date before the corresponding one on the server will get
redownloaded. Bootstrap creates a pristine copy of the po files in
po/.reference, so update .gitignore to ignore that directory.
Bootstrap also creates the po/LINGUAS file, but it does not know to add
in GRUB's autogenerated po files. So move that code from linguas.sh into
the bootstrap epilogue.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Heretofore, linguas.sh had to be run by the user and a common mistake
made when building GRUB was to not run the command. By adding it to
the bootstrap epilogue it will by default get run at the end of the
bootstrap script. The user no longer needs to remember to run it.
If the --skip-po option is passed to bootstrap, do not run linguas.sh.
This allows for bootstrap to be run without updating the translations,
which might be desired in the future if we track po files so that
translations can be used as they were at time of release.
Update INSTALL file to reflect that it is no longer necessary to run
linguas.sh. Also, fix a list numbering error.
Fixes: 9f73ebd49be (* INSTALL: Document linguas.sh.)
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If grub_calloc() fails hist_lines becomes NULL. It means we loose the
reference to the previously allocated hist_lines and leak memory. With
this change on failure hist_lines still points to the old memory. So,
no leak, no state corruption.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The grub_strtol() call in blsuki_is_default_entry() can set grub_errno
to either GRUB_ERR_BAD_NUMBER or GRUB_ERR_OUT_OF_RANGE if the input
string is invalid or out of range.
This grub_errno value is currently left uncleared, which can lead to
unexpected behavior in subsequent functions that rely on checking
current state of grub_errno.
Clear grub_errno unconditionally when grub_strtol() reports error so
that we can plug the leak.
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The original commit removes testing of GRUB's support for HFS+
wrapping and replaces it with testing that is an exact duplicate of
another test, namely HFS+ without wrapping. To start, the change is
misleading in that it suggests that the testing of HFS+ wrapping is
still taking place, when it is not. If it was desired to remove support
for testing the HFS+ wrapping, then the test should have been removed
entirely. Second, having a series of tests that are exactly the same is
just a waste of testing resources. And third, the justification for the
change is nonsensical. Just because a required program may not have
a required feature on a particular distro is not a reason that a test
should be removed. Reducing test coverage because some distros do not
have the tools GRUB needs to run certain tests goes against the testing
priority to have test coverage be as broad as possible. The fact is
that Debian, the officially supported distro for running the tests, does
have a mkfs.hfsplus that supports the -w parameter.
This reverts commit 2bc0929a2 (tests: Remove -w param from mkfs.hfsplus command).
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
As explained in commit a21618c8a (tests: Test aborts due to missing
requirements should be marked as error instead of skipped) and in the
Automake manual[1], skipped tests are tests that should not be run, e.g.
running the ohci test on the powerpc-ieee1275 as there are no native ohci
drivers for that platform. Test that fail for reasons other than there is
a bug in GRUB code that is causing the test to fail are hard errors.
Commonly this is because the test is run in an improperly configured
environment, like required programs are missing. If a hard error condition
is identified with a SKIP return code, the person running the tests can not
know without investigating every skip if a SKIP in the tests was because
the test does not apply to the target being tested or because the user had
a misconfigured environment that was causing the test not to run. By
ensuring that a test is skipped only when it should not run, the person
running the test can be sure that there is no need to investigate why the
test was skipped.
This reverts commit bf13fed5f (tests: Skip tests if required tools are not available).
[1] https://www.gnu.org/software/automake/manual/automake.html#Generalities-about-Testing
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Segmentation faults or undefined behaviour may result from a NULL pointer
dereference in strip_trailing_digits() and grub_util_devname_to_ofpath()
if strdup() fails. Therefore, I added a NULL check to fix this.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In the function free_subchunk(), after checking that subchu->post isn't NULL,
grub_memset() is called on subchu->pre->freebytes but it should be called on
subchu->post->freebytes. If subchu->pre is NULL but subchu->post isn't NULL,
then this could lead to a NULL pointer dereference.
Fixes: CID 473882
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In several scenarios, configure tests assume it's safe to use
"-Wl,-Ttext,<address>", but starting with ld.lld-21, blindly using that
flag may result in configure-test failures due to ld.lld failing to
link. The failure is because ld.lld-21 no longer allows the specified
address is less than the base address.
However, ld.lld-21+ and ld.bfd-2.44+ both provide support for the
--image-base flag making it preferable over the older -Ttext flag.
Fixes: https://savannah.gnu.org/bugs/?67662
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Also, remove wording suggesting that tests may be skipped if prerequisites
are not installed. Tests should never be skipped because of an environment
misconfiguration, instead they should return a hard error (code 99).
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Rename the main section to Tests and put the existing test section into
a subsection. A new subsection called "Writing tests" is added to give
a brief overview and make clear the difference in returning a SKIP code
versus a HARD ERROR code.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
There are some other fixes outside of this section as well.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If descstrp->length is less than 2 this will result in underflow in
"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
value is sufficient.
Signed-off-by: Jamie <volticks@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
An incorrect length field is used for buffer allocation. This leads to
grub_utf16_to_utf8() receiving an incorrect/different length and possibly
causing OOB write. This makes sure to use the correct length.
Fixes: CVE-2025-61661
Reported-by: Jamie <volticks@gmail.com>
Signed-off-by: Jamie <volticks@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
When the functional_test module is loaded, both the functional_test and
all_functional_test commands are registered but only the all_functional_test
command is being unregistered since it was the last to set the cmd variable
that gets unregistered when the module is unloaded. To unregister both
commands, we need to create an additional grub_extcmd_t variable.
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
When the normal module is loaded, the normal and normal_exit commands
are registered but aren't unregistered when the module is unloaded. We
need to add calls to grub_unregister_command() when unloading the module
for these commands.
Fixes: CVE-2025-61663
Fixes: CVE-2025-61664
Reported-by: Alec Brown <alec.r.brown@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
When the gettext module is loaded, the gettext command is registered but
isn't unregistered when the module is unloaded. We need to add a call to
grub_unregister_command() when unloading the module.
Fixes: CVE-2025-61662
Reported-by: Alec Brown <alec.r.brown@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The commit 954c48b9c (net/net: Add net_set_vlan command) added command
net_set_vlan to the net module. Unfortunately the commit only added the
grub_register_command() call on module load but missed the
grub_unregister_command() on unload. Let's fix this.
Fixes: CVE-2025-54770
Fixes: 954c48b9c (net/net: Add net_set_vlan command)
Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
With commit 16f196874 (kern/file: Implement filesystem reference
counting) files hold a reference to their file systems.
When closing a file in grub_file_close() we should not expect
file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
So, grub_dl_unref() should be called after file->fs->fs_close().
Fixes: CVE-2025-54771
Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The commit c68b7d236 (commands/test: Stack overflow due to unlimited
recursion depth) added recursion depth tests to the test command. But in
the error case it decrements the pointer to the depth value instead of
the value itself. Fix it.
Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth)
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Coverity marks multiple issues in grub-core/fs/zfs/zfs.c as either "Untrusted
value as argument", "Untrusted pointer read", or "Untrusted loop bound". Each
of these issues share a common cause where Coverity finds that data->dnode_buf
gets tainted by dnbuf since it is downcasting from (void *) to (dnode_phys_t *)
and could imply that the data the pointer points to is tainted. However, the
function zio_read(), which reads this data from disk, sanitizes this data by
verifying its checksum. To resolve the issues for Coverity, setting dnbuf to
(dnode_phys_t *) at the start of the function dnode_get() seems to do the trick.
Fixes: CID 314020
Fixes: CID 896330
Fixes: CID 896331
Fixes: CID 896334
Fixes: CID 896336
Fixes: CID 896340
Fixes: CID 897337
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In the function grub_mmap_iterate(), memory is allocated to
"ctx.scanline_events" and "present" but isn't freed when error handling
grub_malloc(). Prior to returning grub_errno, these variables should be
freed to prevent a resource leak.
Fixes: CID 96655
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The script assumes that it is run from the root of the source tree,
which is where it is located. So this should be enforced to prevent
accidental misuses.
realpath is used instead of readlink as that is recommended in Debian's
readlink manpage since at least Debian 11. Also, use the shell variable's
parameter expansion for removing a suffix pattern to get the directory
in which the script resides. This is preferable to using the dirname binary
as it avoids creating a new process.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
po files will now be tracked. This has the following benefits as listed
by Colin Watson:
* Build processes would no longer be vulnerable to an external server
potentially going down for an extended period of time; they'd be
stuck with outdated translations until the server was fixed or came
up with a workaround, but that's better than nothing.
* It would be easier to manage branches of stable releases, rather than
assuming that translations downloaded for master will match the POT
files for a stable release.
* Tests would be able to pass from a clean git checkout without relying
on an external server, improving QA reliability.
* It would be easier to make and test branches while offline.
* The translations shipped with a release tarball could be tagged in
git so that it's easy to investigate bugs in them.
* Downstream distributors would be able to use git branches without
having to fill in additional files.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Using a shell variable instead of an autoconf macro creates less changes
to the file, which can be desirable when modifying by hand later and
then diffing with the unexpanded file. It also makes it simpler to
change the builddir after expansion, which may need to happen when
moving the build dir to a different path and not being able to rerun
the autoconf expansion.
Also, add quoting around the builddir variable as there may be spaces
in the path.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
This test was included to verify that, while GRUB did not have Argon2
support, trying to open a LUKS2 volume with an Argon2 keyslot would fail
Now that Argon2 support is included, the test is failing because it
expected a failure, but is now getting success. Change the test to expect
success.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
On resource constrained test runs, the last modification time on the
image is an unreliable date to check against the filesystem creation
time. Use dump.erofs to get the filesystem creation time from the
superblock. This should get the timestamp as shown by GRUB's "ls -l".
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Compact EROFS inodes do not allow for modification times that are
different from FS creation times. The file modification time check is
done between the EROFS image and the file system where test temporary
files are written to, not the files as seen from the mounted EROFS image.
So its likely that the file modification time will be different, more
so when run on slower systems.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
The erofs tests do not ever mount the generated erofs image. So root is
not needed, as with the squashfs and iso9660 filesystems.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
The shell used to run the tests is generally /bin/sh, which does not
support process substitution.
Fixes: b990df0bef9e (tests/util/grub-fs-tester: Fix EROFS label tests in grub-fs-tester)
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Correct nuisance ext234_test failure on newer Linux distros.
Recently, the mkfs.ext2 utility removed support for the -r flag to
specify old (version 0) formats of ext2. A new flag was added to allow
the same behavior. Support both ways of specifying version 0 ext2 file
systems when testing ext2 in GRUB.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Recently, mkfs.erofs began to enforce that the file system
label is 15 characters or less (excluding NUL terminator).
This causes the current erofs test in GRUB to fail. Reduce
the test label used to fit in this limit allowing the test
to work as expected.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
