Also, remove wording suggesting that tests may be skipped if prerequisites
are not installed. Tests should never be skipped because of an environment
misconfiguration, instead they should return a hard error (code 99).
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Rename the main section to Tests and put the existing test section into
a subsection. A new subsection called "Writing tests" is added to give
a brief overview and make clear the difference in returning a SKIP code
versus a HARD ERROR code.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
There are some other fixes outside of this section as well.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If descstrp->length is less than 2 this will result in underflow in
"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
value is sufficient.
Signed-off-by: Jamie <volticks@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
An incorrect length field is used for buffer allocation. This leads to
grub_utf16_to_utf8() receiving an incorrect/different length and possibly
causing OOB write. This makes sure to use the correct length.
Fixes: CVE-2025-61661
Reported-by: Jamie <volticks@gmail.com>
Signed-off-by: Jamie <volticks@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
When the functional_test module is loaded, both the functional_test and
all_functional_test commands are registered but only the all_functional_test
command is being unregistered since it was the last to set the cmd variable
that gets unregistered when the module is unloaded. To unregister both
commands, we need to create an additional grub_extcmd_t variable.
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
When the normal module is loaded, the normal and normal_exit commands
are registered but aren't unregistered when the module is unloaded. We
need to add calls to grub_unregister_command() when unloading the module
for these commands.
Fixes: CVE-2025-61663
Fixes: CVE-2025-61664
Reported-by: Alec Brown <alec.r.brown@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
When the gettext module is loaded, the gettext command is registered but
isn't unregistered when the module is unloaded. We need to add a call to
grub_unregister_command() when unloading the module.
Fixes: CVE-2025-61662
Reported-by: Alec Brown <alec.r.brown@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The commit 954c48b9c (net/net: Add net_set_vlan command) added command
net_set_vlan to the net module. Unfortunately the commit only added the
grub_register_command() call on module load but missed the
grub_unregister_command() on unload. Let's fix this.
Fixes: CVE-2025-54770
Fixes: 954c48b9c (net/net: Add net_set_vlan command)
Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
With commit 16f196874 (kern/file: Implement filesystem reference
counting) files hold a reference to their file systems.
When closing a file in grub_file_close() we should not expect
file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
So, grub_dl_unref() should be called after file->fs->fs_close().
Fixes: CVE-2025-54771
Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The commit c68b7d236 (commands/test: Stack overflow due to unlimited
recursion depth) added recursion depth tests to the test command. But in
the error case it decrements the pointer to the depth value instead of
the value itself. Fix it.
Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth)
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Coverity marks multiple issues in grub-core/fs/zfs/zfs.c as either "Untrusted
value as argument", "Untrusted pointer read", or "Untrusted loop bound". Each
of these issues share a common cause where Coverity finds that data->dnode_buf
gets tainted by dnbuf since it is downcasting from (void *) to (dnode_phys_t *)
and could imply that the data the pointer points to is tainted. However, the
function zio_read(), which reads this data from disk, sanitizes this data by
verifying its checksum. To resolve the issues for Coverity, setting dnbuf to
(dnode_phys_t *) at the start of the function dnode_get() seems to do the trick.
Fixes: CID 314020
Fixes: CID 896330
Fixes: CID 896331
Fixes: CID 896334
Fixes: CID 896336
Fixes: CID 896340
Fixes: CID 897337
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In the function grub_mmap_iterate(), memory is allocated to
"ctx.scanline_events" and "present" but isn't freed when error handling
grub_malloc(). Prior to returning grub_errno, these variables should be
freed to prevent a resource leak.
Fixes: CID 96655
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The script assumes that it is run from the root of the source tree,
which is where it is located. So this should be enforced to prevent
accidental misuses.
realpath is used instead of readlink as that is recommended in Debian's
readlink manpage since at least Debian 11. Also, use the shell variable's
parameter expansion for removing a suffix pattern to get the directory
in which the script resides. This is preferable to using the dirname binary
as it avoids creating a new process.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
po files will now be tracked. This has the following benefits as listed
by Colin Watson:
* Build processes would no longer be vulnerable to an external server
potentially going down for an extended period of time; they'd be
stuck with outdated translations until the server was fixed or came
up with a workaround, but that's better than nothing.
* It would be easier to manage branches of stable releases, rather than
assuming that translations downloaded for master will match the POT
files for a stable release.
* Tests would be able to pass from a clean git checkout without relying
on an external server, improving QA reliability.
* It would be easier to make and test branches while offline.
* The translations shipped with a release tarball could be tagged in
git so that it's easy to investigate bugs in them.
* Downstream distributors would be able to use git branches without
having to fill in additional files.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Using a shell variable instead of an autoconf macro creates less changes
to the file, which can be desirable when modifying by hand later and
then diffing with the unexpanded file. It also makes it simpler to
change the builddir after expansion, which may need to happen when
moving the build dir to a different path and not being able to rerun
the autoconf expansion.
Also, add quoting around the builddir variable as there may be spaces
in the path.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
This test was included to verify that, while GRUB did not have Argon2
support, trying to open a LUKS2 volume with an Argon2 keyslot would fail
Now that Argon2 support is included, the test is failing because it
expected a failure, but is now getting success. Change the test to expect
success.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
On resource constrained test runs, the last modification time on the
image is an unreliable date to check against the filesystem creation
time. Use dump.erofs to get the filesystem creation time from the
superblock. This should get the timestamp as shown by GRUB's "ls -l".
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Compact EROFS inodes do not allow for modification times that are
different from FS creation times. The file modification time check is
done between the EROFS image and the file system where test temporary
files are written to, not the files as seen from the mounted EROFS image.
So its likely that the file modification time will be different, more
so when run on slower systems.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
The erofs tests do not ever mount the generated erofs image. So root is
not needed, as with the squashfs and iso9660 filesystems.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
The shell used to run the tests is generally /bin/sh, which does not
support process substitution.
Fixes: b990df0bef9e (tests/util/grub-fs-tester: Fix EROFS label tests in grub-fs-tester)
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Correct nuisance ext234_test failure on newer Linux distros.
Recently, the mkfs.ext2 utility removed support for the -r flag to
specify old (version 0) formats of ext2. A new flag was added to allow
the same behavior. Support both ways of specifying version 0 ext2 file
systems when testing ext2 in GRUB.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Recently, mkfs.erofs began to enforce that the file system
label is 15 characters or less (excluding NUL terminator).
This causes the current erofs test in GRUB to fail. Reduce
the test label used to fit in this limit allowing the test
to work as expected.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Split ZFS ZSTD test into its own test script. Add a check to the new
test script to see if the zfs utility installed on the host supports
"zstd" compression before running the test and fail the test if not. It
seems at least some zfs-fuse binaries do not support zstd compression
and the current test will fail in that case. Splitting into a new file
will avoid masking other test failures due to missing zstd support.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Loading all_video for EFI can cause video issues in some cases
since GRUB Bochs/Cirrus drivers may conflict with native EFI drivers.
Change default behavior for EFI to only load EFI specific video
modules. Also include a new environment variable to restore the old
behavior if needed.
Fixes: https://savannah.gnu.org/bugs/?66200
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The check_xorriso() function appears to have been copy/pasted from
somewhere that was originally checking the mdadm command. So the file
handle to the output of the xorriso command is named "mdadm". Instead
rename it to the more generic "fout". Also change a comment referencing
mdadm to reference xorriso.
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If strdup() fails, it returns NULL and passing NULL further down to
the code can lead to segmentation fault or an undefined behavior.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If grub_strdup() fails, it returns NULL and passing NULL further down to
the code can lead to segmentation fault or an undefined behavior.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If grub_strdup() fails, it returns NULL and passing NULL further down to
the code can lead to segmentation fault or an undefined behavior.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If grub_strdup() fails, it returns NULL and passing NULL further down to
the code can lead to segmentation fault or an undefined behavior.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Add some suggestions to the security section on maximizing the
security hardening of GRUB.
This change reveals sectioning issues introduced by commit 0b59d379f
(docs/grub: Document signing GRUB under UEFI) and commit 0f2dda8cf
(docs/grub: Document signing GRUB with an appended signature). Fix them
on the occasion.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Apparently the man page is outdated because the option "-w" is shown
but not on "mkfs.hfsplus --usage". According to Gemini:
The -w option is used to add an HFS wrapper around an HFS Plus file
system, which is sometimes required for compatibility with older
Mac OS 9 systems. However, this is not a standard or commonly used
option and may not be available in all versions of the hfsprogs package,
especially on Linux.
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In this case it does not hurt to increase bash execution verbosity so
we can get more insight in case of issues.
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
There is no reason to fail a test if the required testing tool is not
present on the system, so skip the test instead of failing it.
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Reviewed-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
HMAC-SHA1 is the only HMAC variant tested in the existing vectors.
Add vectors to test HMAC-SHA{256,512} as well.
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch adds a NULL check after grub_malloc() call. Missing a failure
check after calling grub_malloc() can lead to undefined behavior. If the
allocation fails and returns NULL subsequent dereferencing or writing to
the pointer will likely result in a runtime error such as a segmentation
fault.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch adds a NULL check after grub_malloc() call. Missing a failure
check after calling grub_malloc() can lead to undefined behavior. If the
allocation fails and returns NULL subsequent dereferencing or writing to
the pointer will likely result in a runtime error such as a segmentation
fault.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch adds a NULL check after grub_malloc() call. Missing a failure
check after calling grub_malloc() can lead to undefined behavior. If the
allocation fails and returns NULL subsequent dereferencing or writing to
the pointer will likely result in a runtime error such as a segmentation
fault.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch adds a NULL check after grub_malloc() call. Missing a failure
check after calling grub_malloc() can lead to undefined behavior. If the
allocation fails and returns NULL subsequent dereferencing or writing to
the pointer will likely result in a runtime error such as a segmentation
fault.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The grub_zalloc() allocates memory for port. If the allocation for
port->name fails the function returns NULL without freeing the
previously allocated port memory. This results in a memory leak.
To avoid this we must free port before return.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
or else configure check doesn't succeed with non-bash shell (e.g. dash):
checking whether to enable AMD64 as(1) feature detection... /var/tmp/portage/sys-boot/grub-2.14_rc1/work/grub-2.14~rc1/configure: 39176: test: xx86_64: unexpected operator
no
and later build fails with
/var/tmp/portage/sys-boot/grub-2.14_rc1/work/grub-2.14~rc1/grub-core/lib/libgcrypt-grub/src/hwf-x86.c: In function ‘detect_x86_gnuc’:
/var/tmp/portage/sys-boot/grub-2.14_rc1/work/grub-2.14~rc1/grub-core/lib/libgcrypt-grub/src/hwf-x86.c:252:17: error: ‘HWF_INTEL_CPU’ undeclared (first use in this function)
252 | result |= HWF_INTEL_CPU;
| ^~~~~~~~~~~~~
and other corresponding HWF_INTEL_* definitions because HAVE_CPU_ARCH_X86 was
erroneously not defined by configure script.
Signed-off-by: Lars Wendler <polynomial-c@gmx.de>
Reviewed-by: Gary Lin <glin@suse.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
According to the System V Application Binary Interface specification [1]
the sections holding a symbol table, SHT_SYMTAB and SHT_DYNSYM, have to
have sh_info set to "One greater than the symbol table index of the last
local symbol (binding STB_LOCAL)". Current code converting PE images to
ELF files does not do that and readelf complains in following way:
...
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .text PROGBITS 00000000 000034 0014d4 00 AX 0 0 4
[ 2] .data PROGBITS 00000000 001508 000040 00 WA 0 0 32
[ 3] .rdata PROGBITS 00000000 001548 0006b8 00 A 0 0 4
[ 4] .module_license PROGBITS 00000000 001c00 000010 00 0 0 4
[ 5] .bss NOBITS 00000000 000000 000008 00 WA 0 0 4
[ 6] .moddeps PROGBITS 00000000 001c10 000010 00 0 0 4
[ 7] .modname PROGBITS 00000000 001c20 000008 00 0 0 4
[ 8] .rel.text REL 00000000 001c28 0008c8 08 11 1 4
[ 9] .rel.data REL 00000000 0024f0 000040 08 11 2 4
[10] .rel.rdata REL 00000000 002530 000070 08 11 3 4
[11] .symtab SYMTAB 00000000 0025a0 0001d0 10 12 0 4
[12] .strtab STRTAB 00000000 002770 000237 00 0 0 1
...
Symbol table '.symtab' contains 29 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
readelf: Warning: local symbol 0 found at index >= .symtab's sh_info value of 0
1: 0000144a 0 FUNC LOCAL DEFAULT 1 grub_mod_init
readelf: Warning: local symbol 1 found at index >= .symtab's sh_info value of 0
2: 000014aa 0 FUNC LOCAL DEFAULT 1 grub_mod_fini
readelf: Warning: local symbol 2 found at index >= .symtab's sh_info value of 0
3: 00000000 0 SECTION LOCAL DEFAULT 1 .text
readelf: Warning: local symbol 3 found at index >= .symtab's sh_info value of 0
4: 00000000 0 SECTION LOCAL DEFAULT 2 .data
readelf: Warning: local symbol 4 found at index >= .symtab's sh_info value of 0
5: 00000000 0 SECTION LOCAL DEFAULT 5 .bss
readelf: Warning: local symbol 5 found at index >= .symtab's sh_info value of 0
6: 00000000 0 SECTION LOCAL DEFAULT 3 .rdata
readelf: Warning: local symbol 6 found at index >= .symtab's sh_info value of 0
7: 00000000 0 NOTYPE GLOBAL DEFAULT UND grub_dma_get_phys
8: 00000000 0 NOTYPE GLOBAL DEFAULT UND grub_cs5536_write_msr
9: 00000000 0 NOTYPE GLOBAL DEFAULT UND grub_dma_free
...
Let's fix it...
[1] https://www.sco.com/developers/gabi/2012-12-31/contents.html
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
The commit 98ad84328 (kern/dl: Check for the SHF_INFO_LINK flag in
grub_dl_relocate_symbols()) revealed a bug in the code converting PE
module images to ELF files. The missing SHF_INFO_LINK flag for SHT_REL
and SHT_RELA sections lead to hangs during GRUB load. This only happens
for the GRUB images generated on Windows platforms. The *NIX platforms
are not affected due to lack of PE to ELF conversion step.
This patch fixes the issue...
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
Clang will produce a warning, which is treated as an error, that
"vendor_defined_data" is uninitialized. This is a "zero length" array
member of this struct. Add conditional compile pragma to allow this to
compile with Clang.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Add the tpm2key.asn file to the dist archive for reference by end users.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Include the two new zstd test support files in the dist archive
so end users can successfully run this test.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Include the MAINTAINERS and SECURITY files in the dist archive
for reference in distributed archives by end users.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
