dgit.raspbian.org Git - grub2.git/log

Merge version 2.12-9+rpi1 and 2.14~git20250718.0e36779-2 to produce 2.14~git20250718.0e36779-2+rpi1

Merge grub2 (2.14~git20250718.0e36779-2) import into refs/heads/workingbranch

util/bash-completion.d/Makefile.am: s/mkrescure/mkrescue/g

This is a typo that was stopping this bash-completion from being
installed.

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Gbp-Pq: Topic upstream
Gbp-Pq: Name util-bash-completion.d-Makefile.am-s-mkrescure-mkrescue-g.patch

Deal with --force-extra-removable with signed shim too

In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
and signed Grub as /EFI/BOOT/grubXXX.efi.

Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
NVRAM).

[cjwatson: Refactored also_install_removable somewhat for brevity and so
that we're using consistent case-insensitive logic.]

Bug-Debian: https://bugs.debian.org/930531
Last-Update: 2021-09-24

Patch-Name: grub-install-removable-shim.patch

Gbp-Pq: Name grub-install-removable-shim.patch

Add support for forcing EFI installation to the removable media path

Add an extra option to grub-install "--force-extra-removable". On EFI
platforms, this will cause an extra copy of the grub-efi image to be
written to the appropriate removable media patch
/boot/efi/EFI/BOOT/BOOT$ARCH.EFI as well. This will help with broken
UEFI implementations where the firmware does not work when configured
with new boot paths.

Signed-off-by: Steve McIntyre <93sam@debian.org>
Bug-Debian: https://bugs.debian.org/767037 https://bugs.debian.org/773092
Forwarded: Not yet
Last-Update: 2021-09-24

Patch-Name: grub-install-extra-removable.patch

Gbp-Pq: Name grub-install-extra-removable.patch

Install signed images if UEFI Secure Boot is enabled

Author: Stéphane Graber <stgraber@ubuntu.com>
Author: Steve Langasek <steve.langasek@ubuntu.com>
Author: Linn Crosetto <linn@hpe.com>
Author: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
Forwarded: no
Last-Update: 2023-01-15

Patch-Name: install-signed.patch

Gbp-Pq: Name install-signed.patch

Check out missing distfiles from upstream git branch

These files are missing from the release tarball due to upstream
Makefile mistakes.

Should be fixed by the real 2.14 release, so this is just a temporary
workaround that we will drop.

Gbp-Pq: Topic upstream
Gbp-Pq: Name Check-out-missing-distfiles-from-upstream-git-branch.patch

Add "noescape" argument to cmdline creation

If OS parses in a way different from sh-like that GRUB does, escaping does
more harm than good. Note that allows to specify entire command line in a
single argument e.g. multiboot --noescape /kernel "a b c".

Gbp-Pq: Topic upstream
Gbp-Pq: Name Add-noescape-argument-to-cmdline-creation.patch

zfs: fix LINUX_ROOT_DEVICE when grub-probe fails

When grub-probe fails, the current code is to just stuff an empty result
in which causes the user to not knowingly have a system that no longer
boots. grub-probe can fail because the ZFS pool that contains the root
filesystem might have features that grub does not yet support which is a
common configuration for people with a rpool and a bpool. This behavior
uses the zdb utility to dump the same value as the filesystem label
would print.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Gbp-Pq: Topic upstream
Gbp-Pq: Name zfs-fix-LINUX_ROOT_DEVICE-when-grub-probe-fails.patch

fs/xfs: Handle root inode read failure in grub_xfs_mount

Signed-off-by: Egor Ignatov <egori@altlinux.org>
Gbp-Pq: Topic upstream
Gbp-Pq: Name fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mount.patch

fs/xfs: Propagate incorrect inode error from grub_xfs_read_inode

The incorrect inode error from grub_xfs_read_inode did not propagate because
grub_print_error() resetted grub_errno, and grub_xfs_iterate_dir() did not
handle it at all.

Signed-off-by: Egor Ignatov <egori@altlinux.org>
Gbp-Pq: Topic upstream
Gbp-Pq: Name fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs_read.patch

efi: EFI Device Tree Fixup Protocol

Device-trees are used to convey information about hardware to the operating
system. Some of the properties are only known at boot time. (One example of
such a property is the number of the boot hart on RISC-V systems.) Therefore
the firmware applies fix-ups to the original device-tree. Some nodes and
properties are added or altered.

When using GRUB's device-tree command the same fix-ups have to be applied.
The EFI Device Tree Fixup Protocol allows to pass the loaded device tree
to the firmware for this purpose.

The protocol can

* add nodes and update properties
* reserve memory according to the /reserved-memory node and the memory
reservation block
* install the device-tree as configuration table

With the patch GRUB checks if the protocol is installed and invokes it if
available. (LP: #1965796)

Link: https://lists.gnu.org/archive/html/grub-devel/2021-02/msg00013.html
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
Gbp-Pq: Name fdt-device-tree-fixup-protocol.patch

fdt: add debug output to devicetree command

For debugging we need feedback that the devicetree command has be executed.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Gbp-Pq: Name fdt-add-debug-output-to-devicetree-command.patch

efivar: check that efivarfs is writeable

Some UEFI implementations (notably U-Boot) don't implement the
SetVariable() runtime service. On these systems the GRUB installation
must be completed manually. Write a warning in this case but avoid
throwing an error. (LP: #1965288)

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Gbp-Pq: Name efivar-check-that-efivarfs-is-writeable.patch

fat: fix listing the root directory

ls / for a FAT partition leads to

error: invalid modification timestamp for /.

Not all entries of the directory are displayed.

Linux never updates the modification timestamp of the /. directory entry.
The FAT specification allows the access and creation date fields to be
zero.

We should follow Linux and render initial FAT timestamps as start of
the epoch.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Origin: https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00116.html

Gbp-Pq: Name fat-fix-listing-the-root-directory.patch

Call hwmatch only on the grub-pc platform

Call hwmatch only on i386/pc as it is only available there.
This avoids "error: can't find command `hwmatch'." on e.g., x86_64/efi.

The equivalent behavior is linux_gfx_mode=keep because grub is special:
the `if hwmatch` clause is true on that error and `$match = 0` is true
too, as it is undefined (confirmed in grub shell.) A quick fix for now.

Before and After:

    grub> hwmatch
    error: can't find command `hwmatch'.

    grub> echo $grub_platform
    efi

    grub> echo $linux_gfx_mode
    keep

Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1840560
Bug-Debian: https://bugs.debian.org/990836
Forwarded: no
Last-Update: 2020-08-20

Gbp-Pq: Name hwmatch-only-on-grub-pc-platform.patch

Pass dis_ucode_ldr to kernel for recovery mode

In case of a botched microcode update, this allows people to
easily roll back.

It will of course break in the more unlikely event that you are
missing a microcode update in your firmware that is needed to boot
the system, but editing the entry to remove an option is easier than
having to figure out the option and add it.

LP: #1831789

Gbp-Pq: Name recovery-dis_ucode_ldr.patch

zstd: Require at least 8 byte buffer in entropy_common

This fixes the build on s390x which was rightfully complaining that
iend - 7 = buffer + 4 - 7 = buffer -3 is outside the array bounds.

../../grub-core/lib/zstd/entropy_common.c: In function ‘FSE_readNCount’:
../../grub-core/lib/zstd/entropy_common.c:121:28: error: array subscript -3 is outside array bounds of ‘char[4]’ [-Werror=array-bounds]
  121 |             if ((ip <= iend-7) || (ip + (bitCount>>3) <= iend-4)) {
      |                        ~~~~^~
../../grub-core/lib/zstd/entropy_common.c:77:14: note: while referencing ‘buffer’
   77 |         char buffer[4];
      |              ^~~~~~
../../grub-core/lib/zstd/entropy_common.c:105:30: error: array subscript -1 is outside array bounds of ‘char[4]’ [-Werror=array-bounds]
  105 |                 if (ip < iend-5) {
      |                          ~~~~^~
../../grub-core/lib/zstd/entropy_common.c:77:14: note: while referencing ‘buffer’
   77 |         char buffer[4];
      |              ^~~~~~
../../grub-core/lib/zstd/entropy_common.c:150:28: error: array subscript -3 is outside array bounds of ‘char[4]’ [-Werror=array-bounds]
  150 |             if ((ip <= iend-7) || (ip + (bitCount>>3) <= iend-4)) {
      |                        ~~~~^~
../../grub-core/lib/zstd/entropy_common.c:77:14: note: while referencing ‘buffer’
   77 |         char buffer[4];
      |              ^~~~~~

This is fixed in more recent zstd versions in basically the same way,
but the new versions needs more work to import.

Patch-Name: zstd-require-8-byte-buffer.patch

Gbp-Pq: Name zstd-require-8-byte-buffer.patch

efi/peimage: Provide an implementation of load_image, start_image, unload_image

The code consumes a PE-COFF image loaded into memory. The functions

* check validity of header
* copy the sections
* relocate the code
* set memory attributes
* invalidate the instruction cache
* execute the image
* return to caller

Caveats:

- We do not always check for over and underflows, but at the
point we reach this loader, the file has been verified by
shim already, so this is not much of a concern.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Gbp-Pq: Topic secure-boot
Gbp-Pq: Name efi-peimage.patch

Disable fallback to legacy mode if shim is loaded on x86 archs

Gbp-Pq: Topic secure-boot
Gbp-Pq: Name disable-efi-fallback-to-legacy.patch

Only show os-prober disable warning if installed

It isn't very useful to see this message when os-prober is not
even available.

Gbp-Pq: Name Only-show-os-prober-disable-warning-if-installed.patch

util/mkimage: Some fixes to PE binaries section size calculation

Commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
added a helper function to setup PE sections, but it caused regressions
in some arches where the natural alignment lead to wrong section sizes.

This patch fixes a few things that were caused the section sizes to be
calculated wrongly. These fixes are:

* Only align the virtual memory addresses but not the raw data offsets.
* Use aligned sizes for virtual memory sizes but not for raw data sizes.
* Always align the sizes to set the virtual memory sizes.

These seems to not cause problems for x64 and aa64 EFI platforms but was
a problem for ia64. Because the size of the ".data" and "mods" sections
were wrong and didn't have the correct content. Which lead to GRUB not
being able to load any built-in module.

Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Bug-Debian: https://bugs.debian.org/987103

Patch-Name: mkimage-fix-section-sizes.patch

Gbp-Pq: Name mkimage-fix-section-sizes.patch

Add debug to display what's going on with verifiers

Patch-Name: debug_verifiers.patch

Gbp-Pq: Name debug_verifiers.patch

i386-pc: build verifiers API as module

Given no core functions on i386-pc would require verifiers to work and
the only consumer of the verifier API is the pgp module, it looks good
to me that we can move the verifiers out of the kernel image and let
moddep.lst to auto-load it when pgp is loaded on i386-pc platform.

This helps to reduce the size of core image and thus can relax the
tension of exploding on some i386-pc system with very short MBR gap
size. See also a very comprehensive summary from Colin [1] about the
details.

[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00240.html

V2:
Drop COND_NOT_i386_pc and use !COND_i386_pc.
Add comment in kern/verifiers.c to help understanding what's going on
without digging into the commit history.

Reported-by: Colin Watson <cjwatson@debian.org>
Reviewed-by: Colin Watson <cjwatson@debian.org>
Signed-off-by: Michael Chang <mchang@suse.com>
Origin: other, https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00251.html
Bug-Debian: https://bugs.debian.org/984488
Bug-Debian: https://bugs.debian.org/985374
Last-Update: 2025-07-21

Patch-Name: pc-verifiers-module.patch

Gbp-Pq: Name pc-verifiers-module.patch

20_linux_xen: Do not load XSM policy in non-XSM options

For complicated reasons, even if you have XSM/FLASK disabled (as is
the default) the Xen build system still builds a policy file and puts
it in /boot.

Even so, we shouldn't be loading this in the usual non-"XSM enabled"
entries. It doesn't do any particular harm but it is quite confusing.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Bug-Debian: https://bugs.debian.org/961673
Last-Update: 2020-05-29

Patch-Name: xen-no-xsm-policy-in-non-xsm-options.patch

Gbp-Pq: Name xen-no-xsm-policy-in-non-xsm-options.patch

Minimise writes to EFI variable storage

Some UEFI firmware is easily provoked into running out of space in its
variable storage.  This is usually due to certain kernel drivers (e.g.
pstore), but regardless of the cause it can cause grub-install to fail
because it currently asks efibootmgr to delete and re-add entries, and
the deletion often doesn't result in an immediate garbage collection.
Writing variables frequently also increases wear on the NVRAM which may
have limited write cycles.  For these reasons, it's desirable to find a
way to minimise writes while still allowing grub-install to ensure that
a suitable boot entry exists.

Unfortunately, efibootmgr doesn't offer an interface that would let
grub-install do this.  It doesn't in general make very much effort to
minimise writes; it doesn't allow modifying an existing Boot* variable
entry, except in certain limited ways; and current versions don't have a
way to export the expected variable data so that grub-install can
compare it to the current data.  While it would be possible (and perhaps
desirable?) to add at least some of this to efibootmgr, that would still
leave the problem that there isn't a good upstreamable way for
grub-install to guarantee that it has a new enough version of
efibootmgr.  In any case, it's cumbersome and slow for grub-install to
have to fork efibootmgr to get things done.

Fortunately, a few years ago Peter Jones helpfully factored out a
substantial part of efibootmgr to the efivar and efiboot libraries, and
so it's now possible to have grub-install use those directly.  We still
have to use some code from efibootmgr, but much less than would
previously have been necessary.

grub-install now reuses existing boot entries where possible, and avoids
writing to variables when the new contents are the same as the old
contents.  In the common upgrade case where nothing needs to change, it
no longer writes to NVRAM at all.  It's also now slightly faster, since
using libefivar is faster than forking efibootmgr.

Fixes Debian bug #891434.

Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
Bug-Debian: https://bugs.debian.org/891434
Forwarded: https://lists.gnu.org/archive/html/grub-devel/2019-03/msg00119.html
Last-Update: 2019-03-23

Patch-Name: efi-variable-storage-minimise-writes.patch

Gbp-Pq: Name efi-variable-storage-minimise-writes.patch

Fix setup on Secure Boot systems where cryptodisk is in use

On full-encrypted systems, including /boot, the current code omits
cryptodisk commands needed to open the drives if Secure Boot is enabled.
This prevents grub2 from reading any further configuration residing on
the encrypted disk.
This patch fixes this issue by adding the needed "cryptomount" commands in
the load.cfg file that is then copied in the EFI partition.

Bug-Debian: https://bugs.debian.org/917117
Last-Update: 2019-02-10

Patch-Name: uefi-secure-boot-cryptomount.patch

Gbp-Pq: Name uefi-secure-boot-cryptomount.patch

at_keyboard: initialize keyboard in module init if keyboard is ready

The change in 0c62a5b2 caused at_keyboard to fail on some
machines. Immediately initializing the keyboard in the module init if
the keyboard is ready makes the problem go away.

Bug-Debian: https://bugs.debian.org/741464
Last-Update: 2019-02-09

Patch-Name: at_keyboard-module-init.patch

Gbp-Pq: Name at_keyboard-module-init.patch

Skip flaky grub_cmd_set_date test

Bug-Debian: https://bugs.debian.org/906470
Last-Update: 2018-10-28

Patch-Name: skip-grub_cmd_set_date.patch

Gbp-Pq: Name skip-grub_cmd_set_date.patch

efi/http: change uint32_t to uintn_t

Modify UINT32 to UINTN in EFI_HTTP_MESSAGE to
be UEFI 2.9 compliant.

Signed-off-by: Keng-Yu Lin <kengyu@hpe.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
Ubuntu-Bug: https://bugs.launchpad.net/bugs/2043084

Gbp-Pq: Topic network
Gbp-Pq: Name rhboot-http-message-field-size.patch

efinet: Add DHCP proxy support

If a proxyDHCP configuration is used, the server name, server IP and
boot file values should be taken from the DHCP proxy offer instead of
the DHCP server ack packet.

Signed-off-by: Ian Page Hands <iphands@gmail.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name efinet-add-dhcp-proxy-support.patch

normal/main: Discover the device to read the config from as a fallback

When core.img is generated locally, the grub2-probe tool figures out the
device and partition that needs to be read to parse the GRUB
configuration file.

But in some cases the core.img can't be generated on the host and
instead has to be done at package build time. In particular, this will
be true when it needs to be signed with a key that's only available on
the package building infrastructure.

In that case, the prefix variable won't have a device and partition but
only a directory path. So there's no way for GRUB to know from which
device has to read the configuration file.

To allow GRUB to continue working on that scenario, fallback to
iterating over all the available devices if reading the config failed
when using the prefix and fw_path variables.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name discover-the-device-to-read-the-config-from-as-fallback.patch

http: Prepend prefix when the HTTP path is relative

There are two different HTTP drivers that can be used when requesting an
HTTP resource: the efi/http that uses the EFI_HTTP_PROTOCOL and the http
that uses GRUB's HTTP and TCP/IP implementation.

The efi/http driver appends a prefix that is defined in the variable
http_path, but the http driver doesn't. So using this driver and
attempting to fetch a resource using a relative path fails. Match the
behavior of efi/http.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name http-prepend-prefix-when-the-http-path-is-relative.patch

efi/http: Enclose literal IPv6 addresses in square brackets

According to RFC 2732 (https://www.ietf.org/rfc/rfc2732.txt), literal IPv6
addresses must be enclosed in square brackets. But GRUB currently does not
do this and is causing HTTP servers to send Bad Request (400) responses.

For example, the following is the HTTP stream when fetching a config file:

HEAD /EFI/BOOT/grub.cfg HTTP/1.1
Host: 2000:dead:beef:a::1
Accept: */*
User-Agent: UefiHttpBoot/1.0

HTTP/1.1 400 Bad Request
Date: Thu, 05 Mar 2020 14:46:02 GMT
Server: Apache/2.4.41 (Fedora) OpenSSL/1.1.1d
Connection: close
Content-Type: text/html; charset=iso-8859-1

and after enclosing the IPv6 address the HTTP request is successful:

HEAD /EFI/BOOT/grub.cfg HTTP/1.1
Host: [2000:dead:beef:a::1]
Accept: */*
User-Agent: UefiHttpBoot/1.0

HTTP/1.1 200 OK
Date: Thu, 05 Mar 2020 14:48:04 GMT
Server: Apache/2.4.41 (Fedora) OpenSSL/1.1.1d
Last-Modified: Thu, 27 Feb 2020 17:45:58 GMT
ETag: "206-59f924b24b1da"
Accept-Ranges: bytes
Content-Length: 518

Resolves: rhbz#1732765

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name efi-http-enclose-literal-ipv6-addresses-in-square-br.patch

Prepend prefix when HTTP path is relative

This sets a couple of variables. With the url http://www.example.com/foo/bar :
http_path: /foo/bar
http_url: http://www.example.com/foo/bar

Resolves: rhbz#1616395
Co-authored-by: Javier Martinez Canillas <javierm@redhat.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Stephen Benjamin <stephen@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name prepend-prefix-when-http-path-is-relative.patch

Try mac/guid/etc before grub.cfg on tftp config files

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name try-prefixes-for-tftp-config-file.patch

use fw_path prefix when fallback searching for grub config

When PXE booting via UEFI firmware, grub was searching for grub.cfg in
the fw_path directory where the grub application was found.  If that
didn't exist, a fallback search would look for config file names based
on MAC and IP address.  However, the search would look in the prefix
directory which may not be the same fw_path.  This patch changes that
behavior to use the fw_path directory for the fallback search.  Only if
fw_path is NULL will the prefix directory be searched.

Signed-off-by: Mark Salter <msalter@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name use-fw_path-prefix-when-fallback-searching-for-grub-config.patch

Add fw_path variable to detect config file on efi

This patch makes grub look for its config file on efi where the app was
found.

Resolves: rhbz#857936, rhbz#1616395
Co-authored-by: Matthew Garrett
Co-authored-by: Javier Martinez Canillas <javierm@redhat.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@br.ibm.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name add-fw_path-variable-to-detect-config-file-on-efi.patch

efi/http: match protocol+hostname of boot url in root_url

This lets you write config files that don't know urls.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name efi-http-match-protocol-hostname-of-boot-url-in-root.patch

efinet: also use the firmware acceleration for http

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name efinet-also-use-the-firmware-acceleration-for-http.patch

Support UEFI networking protocols

References: fate#320130, bsc#1015589, bsc#1076132, rhbz#1732765
Co-authored-by: Peter Jones <pjones@redhat.com>
Co-authored-by: Sebastian Krahmer <krahmer@suse.com>
Co-authored-by: Javier Martinez Canillas <javierm@redhat.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name support-uefi-networking-protocols.patch

efinet: set DNS server from UEFI protocol

In the URI device path node, any name rather than address can be used
for looking up the resources so that DNS service become needed to get
answer of the name's address.  Unfortunately, DNS is not defined in any
of the device path nodes so that we use the EFI_IP4_CONFIG2_PROTOCOL and
EFI_IP6_CONFIG_PROTOCOL to obtain it.

These two protcols are defined the sections of UEFI specification.

    27.5 EFI IPv4 Configuration II Protocol
    27.7 EFI IPv6 Configuration Protocol

include/grub/efi/api.h:
Add new structure and protocol UUID of EFI_IP4_CONFIG2_PROTOCOL and
EFI_IP6_CONFIG_PROTOCOL.

grub-core/net/drivers/efi/efinet.c:
Use the EFI_IP4_CONFIG2_PROTOCOL and EFI_IP6_CONFIG_PROTOCOL to obtain
the list of DNS server address for IPv4 and IPv6 respectively.  The
address of DNS servers is structured into DHCPACK packet and feed into
the same DHCP packet processing functions to ensure the network
interface is setting up the same way it used to be.

Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Ken Lin <ken.lin@hpe.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
(rebased against 2.12)

Gbp-Pq: Topic network
Gbp-Pq: Name efinet-set-dns-from-uefi-proto.patch

efinet Configure network from UEFI device path

The PXE Base Code protocol used to obtain cached PXE DHCPACK packet is
no longer provided for HTTP Boot.  Instead, we have to get the HTTP boot
information from the device path nodes defined in following UEFI
Specification sections.

    9.3.5.12 IPv4 Device Path
    9.3.5.13 IPv6 Device Path
    9.3.5.23 Uniform Resource Identifiers (URI) Device Path

This patch basically does:

include/grub/efi/api.h:
Add new structure for Uniform Resource Identifiers (URI) Device Path

grub-core/net/drivers/efi/efinet.c:

Check if PXE Base Code is available.  If not, try to obtain the netboot
information from the device path where the image booted from.  The
DHCPACK packet is recoverd from the information in device patch and fed
into the same DHCP packet processing functions to ensure the network
interface is set up the same way it used to be.

Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Ken Lin <ken.lin@hpe.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name efinet-Configure-network-from-UEFI-device-path.patch

bootp: Process DHCPACK packet during HTTP Boot

The vendor class identifier with the string "HTTPClient" is used to
denote the packet as responding to HTTP boot request.  In DHCP4 config,
the filename for HTTP boot is the URL of the boot file, while for PXE
boot it is the path to the boot file.  As a consequence, the next-server
becomes obselete because the HTTP URL already contains the server
address for the boot file.  For DHCP6 config, there's no difference
definition in existing config as dhcp6.bootfile-url can be used to
specify URL for both HTTP and PXE boot file.

Add processing for "HTTPClient" vendor class identifier in DHCPACK
packet by treating it as HTTP format, not as the PXE format.

Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Ken Lin <ken.lin@hpe.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name bootp-process-dhcpack-http-boot.patch

efinet: add structures for PXE messages

When grub2 image is booted from UEFI IPv6 PXE, the DHCPv6 Reply packet
is cached in firmware buffer which can be obtained by PXE Base Code
protocol. The network interface can be setup through the parameters in
that obtained packet.

Augment existing structures to represent this, and make them agnostic
between ipv4 and ipv6.

Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Ken Lin <ken.lin@hpe.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name efinet-add-structures-for-PXE-messages.patch

efinet + bootp: add net_bootp6 command supporting dhcpv6

Implement new net_bootp6 command for IPv6 network auto configuration via
the DHCPv6 protocol (RFC3315).

Signed-off-by: Peter Jones <pjones@redhat.com>
Co-authored-by: Michael Chang <mchang@suse.com>
Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Ken Lin <ken.lin@hpe.com>
Co-authored-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name bootp-new-net_bootp6-command.patch

net/http: check result of grub_netbuff_put() in http_receive()

Co-authored-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Gbp-Pq: Topic network
Gbp-Pq: Name net-http-check-result-of-grub_netbuff_put-in-http_receive.patch

Tell zpool to emit full device names

zfs-initramfs currently provides extraneous, undesired symlinks to
devices directly underneath /dev/ to satisfy zpool's historical output
of unqualified device names. By including this environment variable to
signal our intent to zpool, zfs-linux packages can drop the symlink
behavior when updating to its upstream or backported output behavior.

Bug: https://savannah.gnu.org/bugs/?43653
Bug-Debian: https://bugs.debian.org/824974
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1527727
Last-Update: 2016-11-01

Patch-Name: zpool-full-device-name.patch

Gbp-Pq: Name zpool-full-device-name.patch

Arrange to insmod xzio and lzopio when booting a kernel as a Xen guest

This is needed in case the Linux kernel is compiled with CONFIG_KERNEL_XZ or
CONFIG_KERNEL_LZO rather than CONFIG_KERNEL_GZ (gzio is already loaded by
grub.cfg today).

Signed-off-by: Ian Campbell <ijc@debian.org>
Bug-Debian: https://bugs.debian.org/755256
Forwarded: http://lists.gnu.org/archive/html/grub-devel/2014-11/msg00091.html
Last-Update: 2014-11-30

Patch-Name: insmod-xzio-and-lzopio-on-xen.patch

Gbp-Pq: Name insmod-xzio-and-lzopio-on-xen.patch

grub-install: Install PV Xen binaries into the upstream specified path

Upstream have defined a specification for where guests ought to place their
xenpv grub binaries in order to facilitate chainloading from a stage 1 grub
loaded from dom0.

http://xenbits.xen.org/docs/unstable-staging/misc/x86-xenpv-bootloader.html

The spec calls for installation into /boot/xen/pvboot-i386.elf or
/boot/xen/pvboot-x86_64.elf.

Signed-off-by: Ian Campbell <ijc@hellion.org.uk>
Bug-Debian: https://bugs.debian.org/762307
Forwarded: http://lists.gnu.org/archive/html/grub-devel/2014-10/msg00041.html
Last-Update: 2014-10-24

Patch-Name: grub-install-pvxen-paths.patch

Gbp-Pq: Name grub-install-pvxen-paths.patch

Disable VSX instruction

VSX bit is enabled by default for Power7 and Power8 CPU models,
so we need to disable them in order to avoid instruction exceptions.
Kernel will activate it when necessary.

* grub-core/kern/powerpc/ieee1275/startup.S: Disable VSX.

Also-By: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Also-By: Colin Watson <cjwatson@debian.org>
Origin: other, https://lists.gnu.org/archive/html/grub-devel/2014-09/msg00078.html
Last-Update: 2015-01-27

Patch-Name: ppc64el-disable-vsx.patch

Gbp-Pq: Name ppc64el-disable-vsx.patch

Include a text attribute reset in the clear command for ppc

Always clear text attribute for clear command in order to avoid problems
after it boots.

* grub-core/term/terminfo.c: Add escape for text attribute reset

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1295255
Origin: other, https://lists.gnu.org/archive/html/grub-devel/2014-09/msg00076.html
Last-Update: 2014-09-26

Patch-Name: ieee1275-clear-reset.patch

Gbp-Pq: Name ieee1275-clear-reset.patch

Port yaboot logic for various powerpc machine types

Some powerpc machines require not updating the NVRAM. This can be handled
by existing grub-install command-line options, but it's friendlier to detect
this automatically.

On chrp_ibm machines, use the nvram utility rather than nvsetenv. (This
is possibly suitable for other machines too, but that needs to be
verified.)

Forwarded: no
Last-Update: 2014-10-15

Patch-Name: install-powerpc-machtypes.patch

Gbp-Pq: Name install-powerpc-machtypes.patch

Add GRUB_RECOVERY_TITLE option

This allows the controversial "recovery mode" text to be customised.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1240360
Forwarded: no
Last-Update: 2013-12-25

Patch-Name: mkconfig-recovery-title.patch

Gbp-Pq: Name mkconfig-recovery-title.patch

Probe FusionIO devices

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1237519
Forwarded: no
Last-Update: 2016-09-18

Patch-Name: probe-fusionio.patch

Gbp-Pq: Name probe-fusionio.patch

Add configure option to use vt.handoff=7

This is used for non-recovery Linux entries only; it enables
flicker-free booting if gfxpayload=keep is in use and a suitable kernel
is present.

Author: Andy Whitcroft <apw@canonical.com>
Forwarded: not-needed
Last-Update: 2013-12-25

Patch-Name: vt-handoff.patch

Gbp-Pq: Name vt-handoff.patch

Add configure option to enable gfxpayload=keep dynamically

Set GRUB_GFXPAYLOAD_LINUX=keep unless it's known to be unsupported on
the current hardware. See
https://blueprints.launchpad.net/ubuntu/+spec/packageselection-foundations-n-grub2-boot-framebuffer.

Author: Colin Watson <cjwatson@ubuntu.com>
Forwarded: no
Last-Update: 2019-05-25

Patch-Name: gfxpayload-dynamic.patch

Gbp-Pq: Name gfxpayload-dynamic.patch

If we don't have writable grubenv and we're on EFI, always show the menu

If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).

Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.

Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.

Signed-off-by: Steve Langasek <steve.langasek@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1800722
Last-Update: 2019-06-24

Patch-Name: quick-boot-lvm.patch

Gbp-Pq: Name quick-boot-lvm.patch

Add configure option to bypass boot menu if possible

If other operating systems are installed, then automatically unhide the
menu.  Otherwise, if GRUB_HIDDEN_TIMEOUT is 0, then use keystatus if
available to check whether Shift is pressed.  If it is, show the menu,
otherwise boot immediately.  If keystatus is not available, then fall
back to a short delay interruptible with Escape.

This may or may not remain Ubuntu-specific, although it's not obviously
wanted upstream.  It implements a requirement of
https://wiki.ubuntu.com/DesktopExperienceTeam/KarmicBootExperienceDesignSpec#Bootloader.

If the previous boot failed (defined as failing to get to the end of one
of the normal runlevels), then show the boot menu regardless.

Author: Richard Laager <rlaager@wiktel.com>
Author: Robie Basak <robie.basak@ubuntu.com>
Forwarded: no
Last-Update: 2015-09-04

Patch-Name: quick-boot.patch

Gbp-Pq: Name quick-boot.patch

Add configure option to reduce visual clutter at boot time

If this option is enabled, then do all of the following:

Don't display introductory message about line editing unless we're
actually offering a shell prompt.  (This is believed to be a workaround
for a different bug.  We'll go with this for now, but will drop this in
favour of a better fix upstream if somebody figures out what that is.)

Don't clear the screen just before booting if we never drew the menu in
the first place.

Remove verbose messages printed before reading configuration.  In some
ways this is awkward because it makes debugging harder, but it's a
requirement for a smooth-looking boot process; we may be able to do
better in future.  Upstream doesn't want this, though.

Disable the cursor as well, for similar reasons of tidiness.

Suppress kernel/initrd progress messages, except in recovery mode.

Suppress "GRUB loading" message unless Shift is held down.  Upstream
doesn't want this, as it makes debugging harder.  Ubuntu wants it to
provide a cleaner boot experience.

Author: Will Thompson <will@willthompson.co.uk>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/386922
Bug-Ubuntu: https://bugs.launchpad.net/bugs/861048
Forwarded: (partial) http://lists.gnu.org/archive/html/grub-devel/2009-09/msg00056.html
Last-Update: 2021-09-24

Patch-Name: maybe-quiet.patch

Gbp-Pq: Name maybe-quiet.patch

Don't add suffix to the distributor string

- Ubuntu is called "Ubuntu", not "Ubuntu GNU/Linux"
- Debian already has the suffix in `/etc/os-release`

Author: Colin Watson <cjwatson@debian.org>
Author: Harald Sitter <apachelogger@kubuntu.org>
Author: Mate Kukri <mate.kukri@canonical.com>
Forwarded: not-needed
Last-Update: 2024-11-05

Patch-Name: mkconfig-distributor.patch

Gbp-Pq: Name mkconfig-distributor.patch

Read /etc/default/grub.d/*.cfg after /etc/default/grub

Bug-Ubuntu: https://bugs.launchpad.net/bugs/901600
Forwarded: no
Last-Update: 2021-09-24

Patch-Name: default-grub-d.patch

Gbp-Pq: Name default-grub-d.patch

Prefer translations from Ubuntu language packs if available

Bug-Ubuntu: https://bugs.launchpad.net/bugs/537998
Forwarded: not-needed
Last-Update: 2013-12-25

Patch-Name: install-locale-langpack.patch

Gbp-Pq: Name install-locale-langpack.patch

"single" -> "recovery" when friendly-recovery is installed

If configured with --enable-ubuntu-recovery, also set nomodeset for
recovery mode, and disable 'set gfxpayload=keep' even if the system
normally supports it. See
https://launchpad.net/ubuntu/+spec/desktop-o-xorg-tools-and-processes.

Author: Stéphane Graber <stgraber@ubuntu.com>
Forwarded: no
Last-Update: 2025-07-21

Gbp-Pq: Name mkconfig-ubuntu-recovery.patch

Fall back to non-EFI if booted using EFI but -efi is missing

It may be possible, particularly in recovery situations, to be booted
using EFI on x86 when only the i386-pc target is installed, or on ARM
when only the arm-uboot target is installed. There's nothing actually
stopping us installing i386-pc or arm-uboot from an EFI environment, and
it's better than returning a confusing error.

Author: Steve McIntyre <93sam@debian.org>
Forwarded: no
Last-Update: 2019-05-24

Patch-Name: install-efi-fallback.patch

Gbp-Pq: Name install-efi-fallback.patch

Silence error messages when translations are unavailable

Bug: https://savannah.gnu.org/bugs/?35880
Forwarded: https://savannah.gnu.org/bugs/?35880
Last-Update: 2013-11-14

Patch-Name: gettext-quiet.patch

Gbp-Pq: Name gettext-quiet.patch

Restore grub-mkdevicemap

This is kind of a mess, requiring lots of OS-specific code to iterate
over all possible devices. However, we use it in a number of scripts to
discover devices and reimplementing those in terms of something else
would be very complicated.

Author: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Forwarded: no
Last-Update: 2021-09-24

Patch-Name: restore-mkdevicemap.patch

Gbp-Pq: Name restore-mkdevicemap.patch

Disable gfxpayload=keep by default

Setting gfxpayload=keep has been known to cause efifb to be
inappropriately enabled. In any case, with the current Linux kernel the
result of this option is that early kernelspace will be unable to print
anything to the console, so (for example) if boot fails and you end up
dumped to an initramfs prompt, you won't be able to see anything on the
screen. As such it shouldn't be enabled by default in Debian, no matter
what kernel options are enabled.

gfxpayload=keep is a good idea but rather ahead of its time ...

Bug-Debian: http://bugs.debian.org/567245
Forwarded: no
Last-Update: 2013-12-25

Patch-Name: gfxpayload-keep-default.patch

Gbp-Pq: Name gfxpayload-keep-default.patch

Disable use of floppy devices

An ugly kludge. Should this be merged upstream?

Author: Robert Millan

Patch-Name: disable-floppies.patch

Gbp-Pq: Name disable-floppies.patch

Write marker if core.img was written to filesystem

The Debian bug reporting script includes a warning in this case.

Patch-Name: core-in-fs.patch

Gbp-Pq: Name core-in-fs.patch

grub2 (2.14~git20250718.0e36779-2) unstable; urgency=medium

  [ Mate Kukri ]
  * Fix upstream typo in bash-completion Makefile
  * Bash-completions no longer live in one file, remove symlinks
  * d/control: Re-add grub-common as dummy transitional package (LP: #2122124)

  [ Julian Andres Klode ]
  * Upload to unstable

[dgit import unpatched grub2 2.14~git20250718.0e36779-2]

Import grub2_2.14~git20250718.0e36779-2.debian.tar.xz

[dgit import tarball grub2 2.14~git20250718.0e36779-2 grub2_2.14~git20250718.0e36779-2.debian.tar.xz]

Import grub2_2.14~git20250718.0e36779.orig.tar.xz

[dgit import orig grub2_2.14~git20250718.0e36779.orig.tar.xz]

Merge version 2.12-8+rpi1 and 2.12-9 to produce 2.12-9+rpi1

Merge version 2.12-5+rpi1 and 2.12-8 to produce 2.12-8+rpi1

Merge grub2 (2.12-9) import into refs/heads/workingbranch

fs/xfs: Handle root inode read failure in grub_xfs_mount

Signed-off-by: Egor Ignatov <egori@altlinux.org>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mount.patch

fs/xfs: Propagate incorrect inode error from grub_xfs_read_inode

The incorrect inode error from grub_xfs_read_inode did not propagate because
grub_print_error() resetted grub_errno, and grub_xfs_iterate_dir() did not
handle it at all.

Signed-off-by: Egor Ignatov <egori@altlinux.org>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs_read.patch

fs/xfs: Fix grub_xfs_iterate_dir return value in case of failure

Commit ef7850c757 introduced multiple boundary checks in grub_xfs_iterate_dir()
but handled the error incorrectly returning error code instead of 0.

Also change the error message so that it doesn't match the message
in grub_xfs_read_inode().

Fixes: ef7850c757 (fs/xfs: Fix issues found while fuzzing the XFS filesystem)
Signed-off-by: Egor Ignatov <egori@altlinux.org>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case-of-f.patch

fs/ext2: Rework out-of-bounds read for inline and external extents

Previously, the number of extent entries was not properly capped based
on the actual available space. This could lead to insufficient reads for
external extents, since the computation was based solely on the inline
extent layout.

In this patch, when processing the extent header, we determine whether
the header is stored inline (i.e., at inode->blocks.dir_blocks) or in an
external extent block. We then clamp the number of entries accordingly
(using max_inline_ext for inline extents and max_external_ext for
external extent blocks).

This change ensures that only the valid number of extent entries is
processed, preventing out-of-bound reads and potential filesystem
corruption.

Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents)
Signed-off-by: Michael Chang <mchang@suse.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-ext2-Rework-out-of-bounds-read-for-inline-and-external.patch

loader/i386/bsd: Use safe math to avoid underflow

The operation kern_end - kern_start may underflow when we input it into
grub_relocator_alloc_chunk_addr() call. To avoid this we can use safe
math for this subtraction.

Fixes: CID 73845
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch

loader/i386/linux: Cast left shift to grub_uint32_t

The Coverity complains that we might overflow into a negative value when
setting linux_params.kernel_alignment to (1 << align). We can remedy
this by casting it to grub_uint32_t.

Fixes: CID 473876
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch

kern/misc: Add sanity check after grub_strtoul() call

When the format string, fmt0, includes a positional argument
grub_strtoul() or grub_strtoull() is called to extract the argument
position. However, the returned argument position isn't fully validated.
If the format is something like "%0$x" then these functions return
0 which leads to an underflow in the calculation of the args index, curn.
The fix is to add a check to ensure the extracted argument position is
greater than 0 before computing curn. Additionally, replace one
grub_strtoull() with grub_strtoul() and change curn type to make code
more correct.

Fixes: CID 473841
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name kern-misc-Add-sanity-check-after-grub_strtoul-call.patch

kern/partition: Add sanity check after grub_strtoul() call

The current code incorrectly assumes that both the input and the values
returned by grub_strtoul() are always valid which can lead to potential
errors. This fix ensures proper validation to prevent any unintended issues.

Fixes: CID 473843
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name kern-partition-Add-sanity-check-after-grub_strtoul-call.patch

normal/menu: Use safe math to avoid an integer overflow

The Coverity indicates that the variable current_entry might overflow.
To prevent this use safe math when adding GRUB_MENU_PAGE_SIZE to current_entry.

On the occasion fix limiting condition which was broken.

Fixes: CID 473853
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name normal-menu-Use-safe-math-to-avoid-an-integer-overflow.patch

bus/usb/ehci: Define GRUB_EHCI_TOGGLE as grub_uint32_t

The Coverity indicates that GRUB_EHCI_TOGGLE is an int that contains
a negative value and we are using it for the variable token which is
grub_uint32_t. To remedy this we can cast the definition to grub_uint32_t.

Fixes: CID 473851
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name bus-usb-ehci-Define-GRUB_EHCI_TOGGLE-as-grub_uint32_t.patch

misc: Ensure consistent overflow error messages

Update the overflow error messages to make them consistent
across the GRUB code.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name misc-Ensure-consistent-overflow-error-messages.patch

osdep/unix/getroot: Fix potential underflow

The entry_len is initialized in grub_find_root_devices_from_mountinfo()
to 0 before the while loop iterates through /proc/self/mountinfo. If the
file is empty or contains only invalid entries entry_len remains
0 causing entry_len - 1 in the subsequent for loop initialization
to underflow. To prevent this add a check to ensure entry_len > 0 before
entering the for loop.

Fixes: CID 473877
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name osdep-unix-getroot-Fix-potential-underflow.patch

script/execute: Fix potential underflow and NULL dereference

The result is initialized to 0 in grub_script_arglist_to_argv().
If the for loop condition is not met both result.args and result.argc
remain 0 causing result.argc - 1 to underflow and/or result.args NULL
dereference. Fix the issues by adding relevant checks.

Fixes: CID 473880
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name script-execute-Fix-potential-underflow-and-NULL-dereferen.patch

fs/sfs: Check if allocated memory is NULL

When using grub_zalloc(), if we are out of memory, this function can fail.
After allocating memory, we should check if grub_zalloc() returns NULL.
If so, we should handle this error.

Fixes: CID 473856
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-sfs-Check-if-allocated-memory-is-NULL.patch

net: Check if returned pointer for allocated memory is NULL

When using grub_malloc(), the function can fail if we are out of memory.
After allocating memory we should check if this function returned NULL
and handle this error if it did.

Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name net-Check-if-returned-pointer-for-allocated-memory-is-NUL.patch

net: Prevent overflows when allocating memory for arrays

Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name net-Prevent-overflows-when-allocating-memory-for-arrays.patch

net: Use safe math macros to prevent overflows

Replace direct arithmetic operations with macros from include/grub/safemath.h
to prevent potential overflow issues when calculating the memory sizes.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflicts:
grub-core/net/bootp.c
grub-core/net/net.c

Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name net-Use-safe-math-macros-to-prevent-overflows.patch

fs/zfs: Add missing NULL check after grub_strdup() call

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-zfs-Add-missing-NULL-check-after-grub_strdup-call.patch

fs/zfs: Check if returned pointer for allocated memory is NULL

When using grub_malloc() or grub_zalloc(), these functions can fail if
we are out of memory. After allocating memory we should check if these
functions returned NULL and handle this error if they did.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-zfs-Check-if-returned-pointer-for-allocated-memory-is-.patch

fs/zfs: Prevent overflows when allocating memory for arrays

Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-zfs-Prevent-overflows-when-allocating-memory-for-array.patch

fs/zfs: Use safe math macros to prevent overflows

Replace direct arithmetic operations with macros from include/grub/safemath.h
to prevent potential overflow issues when calculating the memory sizes.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-zfs-Use-safe-math-macros-to-prevent-overflows.patch

fs: Prevent overflows when assigning returned values from read_number()

The direct assignment of the unsigned long long value returned by
read_number() can potentially lead to an overflow on a 32-bit systems.
The fix replaces the direct assignments with calls to grub_cast()
which detects the overflows and safely assigns the values if no
overflow is detected.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-Prevent-overflows-when-assigning-returned-values-from-.patch

fs: Prevent overflows when allocating memory for arrays

Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.

The HFS+ and squash4 security vulnerabilities were reported by
Jonathan Bar Or <jonathanbaror@gmail.com>.

Fixes: CVE-2025-0678
Fixes: CVE-2025-1125
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-Prevent-overflows-when-allocating-memory-for-arrays.patch

fs: Use safe math macros to prevent overflows

Replace direct arithmetic operations with macros from include/grub/safemath.h
to prevent potential overflow issues when calculating the memory sizes.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflicts:
grub-core/fs/erofs.c

Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name fs-Use-safe-math-macros-to-prevent-overflows.patch