Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: grub2

grub2 (2.04-1ubuntu28) groovy; urgency=medium

  * Ensure that grub-multi-install can always find templates (LP: #1879948)
  * Fix changelog entries for security update

 -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 10 Aug 2020 15:07:29 +0200

grub2 (2.04-1ubuntu27) groovy; urgency=medium

  * debian/patches/ubuntu-flavour-order.patch:
    - Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel
      flavours as preferred, and specify an order between those preferred
      flavours (LP: #1882663)
  * debian/patches/ubuntu-zfs-enhance-support.patch:
    - Use version_find_latest for ordering kernels, so it also supports the
      GRUB_FLAVOUR_ORDER setting.
  * debian/patches/ubuntu-dont-verify-loopback-images.patch:
    - disk/loopback: Don't verify loopback images (LP: #1878541), Thanks to
      Chris Coulson for the patch
  * debian/patches/ubuntu-recovery-dis_ucode_ldr.patch
    - Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789)
  * debian/patches/ubuntu-add-initrd-less-boot-fallback.patch:
    - Merge changes from xnox to fix multiple initrds support (LP: #1878705)
  * debian/patches/ubuntu-clear-invalid-initrd-spacing.patch:
    - Remove, no longer needed thanks to xnox's patch

 -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 06 Aug 2020 14:47:52 +0200

grub2 (2.04-1ubuntu26.2) focal; urgency=medium

  * debian/postinst.in: Avoid calling grub-install on upgrade of the grub-pc
    package, since we cannot be certain that it will install to the correct
    disk and a grub-install failure will render the system unbootable.
    LP: #1889556.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 30 Jul 2020 17:34:25 -0700

grub2 (2.04-1ubuntu26.1) focal; urgency=medium

  [ Julian Andres Klode ]
  * Move gettext patches out of git-dpm's way, so it does not delete them

  [ Chris Coulson ]
  * SECURITY UPDATE: Heap buffer overflow when encountering commands that
    cannot be tokenized to less than 8192 characters.
    - 0082-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch: Make fatal
      lexer errors actually be fatal
    - CVE-2020-10713
  * SECURITY UPDATE: Multiple integer overflow bugs that could result in heap
    buffer allocations that were too small and subsequent heap buffer
    overflows when handling certain filesystems, font files or PNG images.
    - 0083-safemath-Add-some-arithmetic-primitives-that-check-f.patch: Add
      arithmetic primitives that allow for overflows to be detected
    - 0084-calloc-Make-sure-we-always-have-an-overflow-checking.patch: Make
      sure that there is always an overflow checking implementation of
      calloc() available
    - 0085-calloc-Use-calloc-at-most-places.patch: Use calloc where
      appropriate
    - 0086-malloc-Use-overflow-checking-primitives-where-we-do-.patch: Use
      overflow-safe arithmetic primitives when performing allocations based
      on the results of operations that might overflow
    - 0094-hfsplus-fix-two-more-overflows.patch: Fix integer overflows in
      hfsplus
    - 0095-lvm-fix-two-more-potential-data-dependent-alloc-over.patch: Fix
      more potential integer overflows in lvm
    - CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
  * SECURITY UPDATE: Use-after-free when executing a command that causes a
    currently executing function to be redefined.
    - 0092-script-Remove-unused-fields-from-grub_script_functio.patch: Remove
      unused fields from grub_script_function
    - 0093-script-Avoid-a-use-after-free-when-redefining-a-func.patch: Avoid
      a use-after-free when redefining a function during execution
    - CVE-2020-15706
  * SECURITY UPDATE: Integer overflows that could result in heap buffer
    allocations that were too small and subsequent heap buffer overflows
    during initrd loading.
    - 0105-linux-Fix-integer-overflows-in-initrd-size-handling.patch: Fix
      integer overflows in initrd size handling
    - 0106-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch: Fix
      integer overflows in linuxefi grub_cmd_initrd
    - CVE-2020-15707
  * Various fixes as a result of code review and static analysis:
    - 0087-iso9660-Don-t-leak-memory-on-realloc-failures.patch: Fix a memory
      leak on realloc failures when processing symbolic links
    - 0088-font-Do-not-load-more-than-one-NAME-section.patch: Fix a memory
      leak when processing font files with more than one NAME section
    - 0089-gfxmenu-Fix-double-free-in-load_image.patch: Zero self->bitmap
      after it is freed in order to avoid a potential double free later on
    - 0090-lzma-Make-sure-we-don-t-dereference-past-array.patch: Fix an
      out-of-bounds read in LzmaEncode
    - 0091-tftp-Do-not-use-priority-queue.patch: Refactor tftp to not use
      priority queues and fix a double free
    - 0096-efi-fix-some-malformed-device-path-arithmetic-errors.patch: Fix
      various arithmetic errors with malformed device paths
    - 0098-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch: Fix a
      NULL deref in the chainloader command introduced by a previous patch
    - 0099-efi-Fix-use-after-free-in-halt-reboot-path.patch: Fix a
      use-after-free in the halt and reboot commands by not freeing allocated
      memory in these paths
    - 0100-chainloader-Avoid-a-double-free-when-validation-fail.patch: Avoid
      a double free in the chainloader command when validation fails
    - 0101-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch:
      Protect grub_relocator_alloc_chunk_addr input arguments against integer
      overflow / underflow
    - 0102-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch:
      Protect grub_relocator_alloc_chunk_align max_addr argument against
      integer underflow
    - 0103-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch: Fix
      grub_relocator_alloc_chunk_align top memory allocation
    - 0104-linux-loader-avoid-overflow-on-initrd-size-calculati.patch: Avoid
      overflow on initrd size calculation

  [ Dimitri John Ledkov ]
  * SECURITY UPDATE: Grub does not enforce kernel signature validation when
    the shim protocol isn't present.
    - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch: Fail
      kernel validation if the shim protocol isn't available
    - CVE-2020-15705

 -- Chris Coulson <chris.coulson@canonical.com>  Mon, 20 Jul 2020 19:19:08 +0100

grub2 (2.04-1ubuntu26) focal; urgency=medium

  [ Julian Andres Klode ]
  * Move /boot/efi -> debconf migration into wrapper, so it runs everywhere
    (LP: #1872077)
  * Display disk name and size in the ESP selection dialog, instead of ???

  [ Sebastien Bacher ]
  * debian/patches/gettext, debian/patches/rules:
    - backport upstream patches to fix the list of translated strings,
      reported on the ubuntu-translators mailing list. The changes would be
      overwritten by autoreconf so applying from a rules override.

 -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 15 Apr 2020 13:31:27 +0200

grub2 (2.04-1ubuntu25) focal; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  * debian/patches/ubuntu-zfs-enhance-support.patch:
    - fix trailing } when no advanced menu is printed
    - ensure we unmount all temporary snapshots path before zfs collect them
      out.
  * debian/patches/ubuntu-speed-zsys-history.patch:
    - Speed up navigating zsys history by reducing greatly grub.cfg file
      size. It used to take eg 80 seconds when loading 100 system snapshots.
      This is now instantaneous by using a function with parameters that the
      users can still easily edit.

 -- Didier Roche <didrocks@ubuntu.com>  Mon, 13 Apr 2020 15:17:42 +0200

grub2 (2.04-1ubuntu24) focal; urgency=medium

  * Support installing to multiple ESPs (LP: #1871821)

 -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 09 Apr 2020 12:51:07 +0200

grub2 (2.04-1ubuntu23) focal; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  * Performance improvements for update-grub on ZFS systems (LP: #1869885)

 -- Didier Roche <didrocks@ubuntu.com>  Tue, 31 Mar 2020 15:30:36 +0200

grub2 (2.04-1ubuntu22) focal; urgency=medium

  * smbios: Add a --linux argument to apply linux modalias-like filtering
  * Make the linux command in EFI grub always try EFI handover; thanks to
    Chris Coulson for the patches (LP: #1864533)

 -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 11 Mar 2020 17:46:35 +0100

grub2 (2.04-1ubuntu21) focal; urgency=medium

  * Make ZFS menu generation depending on new zsysd binary instead of eoan
    zsys compatibility symlink.

 -- Didier Roche <didrocks@ubuntu.com>  Wed, 26 Feb 2020 09:59:49 +0100

grub2 (2.04-1ubuntu20) focal; urgency=medium

  * build-efi-images: do not produce -installer.efi.signed. LP: #1863994

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 25 Feb 2020 01:11:31 +0000

grub2 (2.04-1ubuntu19) focal; urgency=medium

  * uefi-firmware: rename fwsetup menuentry to UEFI Firmware Settings
    (LP: #1864547)
  * build-efi-images: add smbios module to the prebuilt signed EFI images
    (LP: #1856424)

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 24 Feb 2020 20:34:13 +0000

grub2 (2.04-1ubuntu18) focal; urgency=medium

  * Cherry-pick fix from Colin W. in debian to build with python3.

 -- Didier Roche <didrocks@ubuntu.com>  Thu, 06 Feb 2020 18:37:44 +0100

grub2 (2.04-1ubuntu17) focal; urgency=medium

  * Fix ZFS menu generation with ZFS 0.8.x where mounted datasets can’t list
    snapshots due to an upstream change.
    https://github.com/zfsonlinux/zfs/issues/9958

 -- Didier Roche <didrocks@ubuntu.com>  Thu, 06 Feb 2020 18:20:16 +0100

grub2 (2.04-1ubuntu16) focal; urgency=medium

  * Revert "Add smbios module to build-efi-images script" from previous
    upload, pending review see https://bugs.launchpad.net/bugs/1856424

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Sun, 15 Dec 2019 01:28:49 +0000

grub2 (2.04-1ubuntu15) focal; urgency=medium

  * ubuntu-efi-allow-loopmount-chainload.patch:
    - Enable chainloading EFI apps from loopmounts
  * cherrypick-lsefisystab-define-smbios3.patch:
  * cherrypick-smbios-modules.patch:
    - Cherrypick from 2.05 module for retrieving SMBIOS information
  * cherrypick-lsefisystab-show-dtb.patch:
    - If dtb is provided by the firmware / DtbLoader driver, display it in
      human form, rather than just UUID

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 13 Dec 2019 11:24:21 +0000

grub2 (2.04-1ubuntu14) focal; urgency=medium

  * debian/patches/ubuntu-zfs-enhance-support.patch:
    - Handle the case where grub-probe returns several devices for a single
      pool (LP: #1848856). Thanks jpb for the report and the proposed patch.
    - Add savedefault to non-recovery entries (LP: #1850202). Thanks Deltik
      for the patch.
    - Do not crash on invalid fstab and report the invalid entry.
      (LP: #1849347) Thanks Deltik for the patch.
    - When a pool fails to import, catch and display the error message and
      continue with other pools. Import all the pools in readonly mode so we
      can import other pools with unsupported features (LP: #1848399) Thanks
      satmandu for the investigation and the proposed patch

 -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com>  Mon, 18 Nov 2019 11:22:43 +0100

grub2 (2.04-1ubuntu13) focal; urgency=medium

  * debian/patches/ubuntu-tpm-unknown-error-non-fatal.patch: treat "unknown"
    TPM errors as non-fatal, but still write up the details as debug messages
    so we can further track what happens with the systems throwing those up.
    (LP: #1848892)
  * debian/patches/ubuntu-linuxefi.patch: Drop extra check for Secure Boot
    status in linuxefi_secure_validate(); it's unnecessary and blocking boot
    in chainload (like chainloading Windows) when SB is disabled.
    (LP: #1845289)

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 31 Oct 2019 17:58:47 -0400

grub2 (2.04-1ubuntu12) eoan; urgency=medium

  * Move our identifier to com.ubuntu
    As we are not going to own org.zsys, move our identifier under
    com.ubuntu.zsys (LP: #1847711)

 -- Didier Roche <didrocks@ubuntu.com>  Fri, 11 Oct 2019 15:57:47 +0200

grub2 (2.04-1ubuntu11) eoan; urgency=medium

  * Load all kernels (even those without .efi.signed) for secure boot mode as
    those are signed kernels on ubuntu, loaded by the shim. (LP: #1847581)

 -- Didier Roche <didrocks@ubuntu.com>  Thu, 10 Oct 2019 11:40:44 +0200

grub2 (2.04-1ubuntu10) eoan; urgency=medium

  * debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch: skip
    /dev/disk/by-id/lvm-pvm-uuid entries from device iteration.
    (LP: #1838525)

 -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Mon, 07 Oct 2019 23:23:54 -0300

grub2 (2.04-1ubuntu9) eoan; urgency=medium

  * debian/patches/ubuntu-zfs-enhance-support.patch:
    - Handle case of pure zfs only snapshots giving additional "}", and as
      such, creating invalid grub menu. Spotted by grubzfs-testsuite
      autopkgtests.

 -- Didier Roche <didrocks@ubuntu.com>  Wed, 02 Oct 2019 09:59:19 +0200

grub2 (2.04-1ubuntu8) eoan; urgency=medium

  * debian/patches/install-signed.patch -> ubuntu-install-signed.patch:
    Really fix the installation of UEFI artefacts to the distributor path (we
    only want shim, grub, and MokManager, and shim's boot.csv there), and to
    the removable /EFI/BOOT path (where we want shim and fallback only).
    Rename the patch to ubuntu- like others that are Ubuntu-specific or
    otherwise modified to avoid such confusion at merge time in the future.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 01 Oct 2019 11:29:24 -0400

grub2 (2.04-1ubuntu7) eoan; urgency=medium

  * debian/patches/ubuntu-zfs-enhance-support.patch: Disable history entry
    under some conditions:
    - Don't show up if the system is a zsys one and zsys isn't installed
      (LP: #1845333)
    - Don't show for pure zfs systems: we identified multiple issues due to
      the mount generator in upstream zfs which makes it incompatible.
      Disable for now (LP: #1845913)

 -- Didier Roche <didrocks@ubuntu.com>  Mon, 30 Sep 2019 09:35:03 +0200

grub2 (2.04-1ubuntu6) eoan; urgency=medium

  * debian/patches/install-signed.patch: fix paths for MokManager/fallback;
    shim no longer ships these with a .signed suffix. (LP: #1845466)

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 26 Sep 2019 09:48:07 -0400

grub2 (2.04-1ubuntu5) eoan; urgency=medium

  * d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: fix
    mis-spelling of helper function in final computation of GRUB_DEVICE in
    multipath case.

 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 13 Aug 2019 08:56:16 +1200

grub2 (2.04-1ubuntu4) eoan; urgency=medium

  * d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: when / is
    multipathed there will be multiple paths to the partition, so using
    root=UUID= exposes the boot process to udev races. In addition grub-probe
    --target device / in this case reports /dev/dm-1 or similar -- better to
    use a symlink that depends on the multipath name. (LP: #1429327)

 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 06 Aug 2019 12:37:18 +1200

grub2 (2.04-1ubuntu3) eoan; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * debian/patches/ubuntu-add-devicetree-command-support.patch: import patch
    into git-dpm: drop [PATCH] tag and add Patch-Name.

  [ Didier Roche ]
  * debian/patches/ubuntu-zfs-enhance-support.patch
    - Don't patch autoregenerated files.
    - rewrite generate MenuMeta implementation in shell (LP: #1834095)
      mawk doesn't support \s and other array features.
      + Change \s by their space or tab equivalent.
      + Rewrite the menumeta generation in pure shell, which is easier to
        debug, keeping globally the same algorithm
      + Support i18n in entry name generation.
      Co-authored with Jean-Baptiste.
    - Resplit all patches in debian/patches/*, so that we have upstreamable
      and non upstreamable parts separate. Also, any change in 10_linux patch
      will be reflected in 10_linux_zfs.
    - Always import pools (using force), as we don't mount them. Ensure also
      that we don't update the host cache, as we import all pools, and not
      only those attached to that system.

 -- Didier Roche <didrocks@ubuntu.com>  Mon, 29 Jul 2019 08:08:48 +0200

grub2 (2.04-1ubuntu2) eoan; urgency=medium

  * Add device-tree command support as installed by flash-kernel.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 17 Jul 2019 23:47:27 +0100

grub2 (2.04-1ubuntu1) eoan; urgency=medium

  * Merge against Debian; remaining changes:
    - debian/control: Update Vcs fields for code location on Ubuntu.
    - debian/control: Breaks shim (<< 13).
    - debian/patches/linuxefi.patch: Secure Boot support: use newer patchset
      from rhboot repo, flattened to a single patch.
    - debian/patches/install_signed.patch,
      grub-install-extra-removable.patch:
      - Make sure if we install shim; it should also be exported as the
        default bootloader to install later to a removable path, if we do.
      - Rework grub-install-extra-removable.patch to reverse its logic: in
        the default case, install the bootloader to /EFI/BOOT, unless we're
        trying to install on a removable device, or explicitly telling grub
        *not* to do it.
      - Install a BOOT.CSV for fallback to use.
      - Make sure postinst and templates know about the replacement of
        --force-extra-removable with --no-extra-removable.
    - debian/patches/ubuntu-support-initrd-less-boot.patch: allow non-initrd
      boot config.
    - debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: If a kernel
      fails to boot without initrd, we will fallback to trying to boot the
      kernel with an initrd.
    - debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch: make sure
      grub-mkconfig leaves a trace of what files were sourced to help
      generate the config we're building.
    - debian/patches/ubuntu-efi-console-set-text-mode-as-needed.patch: in EFI
      console, only set text-mode when we're actually going to need it.
    - debian/patches/ubuntu-zfs-enhance-support.patch: Better ZFS grub
      support.
    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
      number of entries/clutter from other OSes in Petitboot
    - debian/patches/ubuntu-shorter-version-info.patch: Only show the
      upstream version in menu and console, and hide the package one in a
      package_version variable.
    - Verify that the current and newer kernels are signed when grub is
      updated, to make sure people do not accidentally shutdown without a
      signed kernel.
    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
      confusing GRUB_TIMEOUT_STYLE=hidden.
    - debian/rules: shuffle files around for now to keep build artefacts for
      signing at the same location as they were expected by Launchpad.
    - debian/rules, debian/control: enable dh-systemd.
    - debian/grub-common.install.in: install the systemd unit that's part of
      initrd fallback handling, missed when the feature landed.
    - debian/build-efi-images: add http module to NET_MODULES.
  * debian/patches/linuxefi*.patch: Flatten linuxefi patches into one.
  * debian/patches: rename patches to use "-" as a separator rather than "_".
  * debian/patches: rename Ubuntu-specific patches and commits to add
    "ubuntu" so it's clearer which are new or changed when doing a merge.
  * debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch: fix FTBFS due
    to objcopy building an invalid binary padded with zeroes (LP: #1833234)
  * debian/patches/ubuntu-clear-invalid-initrd-spacing.patch: clear up
    invalid spacing for the initrd command when not using early initrds.
  * debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: move the
    initrd boot success/failure service to start later at boot time.
    (LP: #1823391)
  * debian/patches/fix-lockdown.patch: Drop lockdown patch from Debian, which
    breaks with new linuxefi patchset.
  * debian/patches/ubuntu-temp-keep-auto-nvram.patch: Temporarily keep the
    --auto-nvram option we previously had as a supported option in
    grub-install (with no effect now), to avoid breaking upgrades.
    "auto-nvram" is default behavior now that we use libefivar instead of
    calling efibootmgr.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 16 Jul 2019 11:31:29 -0400

grub2 (2.04-2) UNRELEASED; urgency=medium

  [ James Clarke ]
  * Only Build-Depend on libefiboot-dev and libefivar-dev on Linux
    architectures, since they're Linux-only.

 -- Colin Watson <cjwatson@debian.org>  Tue, 09 Jul 2019 15:04:41 +0100

Modifications:
  1. Download patch debian/patches/mkconfig-signed-kernel.patch

    --- 2.04-1/debian/patches/mkconfig-signed-kernel.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-signed-kernel.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,6 +1,6 @@ -From 912c4e7152065635c44e433aeee86131e869d54b Mon Sep 17 00:00:00 2001 -From: Colin Watson <cjwatson@ubuntu.com> -Date: Mon, 13 Jan 2014 12:13:21 +0000 +From 16c328eee53e3fe8c24db8c2438a7410755c58db Mon Sep 17 00:00:00 2001 +From: Didier Roche <didrocks@ubuntu.com> +Date: Tue, 31 Mar 2020 15:17:45 +0200 Subject: Generate configuration for signed UEFI kernels if available Forwarded: no @@ -8,14 +8,15 @@ Last-Update: 2013-12-25 Patch-Name: mkconfig-signed-kernel.patch --- - util/grub.d/10_linux.in | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) + util/grub.d/10_linux.in | 15 +++++++++++++++ + util/grub.d/10_linux_zfs.in | 21 +++++++++++++++++++++ + 2 files changed, 36 insertions(+) diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index fd87a124d..61335e908 100644 +index 19e4df4ad8..cb1cc200e4 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in -@@ -161,8 +161,16 @@ linux_entry () +@@ -165,8 +165,16 @@ linux_entry () message="$(gettext_printf "Loading Linux %s ..." ${version})" sed "s/^/$submenu_indentation/" << EOF echo '$(echo "$message" | grub_quote)' @@ -32,7 +33,7 @@ index fd87a124d..61335e908 100644 if test -n "${initrd}" ; then # TRANSLATORS: ramdisk isn't identifier. Should be translated. message="$(gettext_printf "Loading initial ramdisk ...")" -@@ -214,6 +222,13 @@ submenu_indentation="" +@@ -218,6 +226,13 @@ submenu_indentation="" is_top_level=true while [ "x$list" != "x" ] ; do linux=`version_find_latest $list` 
@@ -46,3 +47,42 @@ index fd87a124d..61335e908 100644 gettext_printf "Found linux image: %s\n" "$linux" >&2 basename=`basename $linux` dirname=`dirname $linux` +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index 7f88e771e0..bd4f1a2123 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -339,6 +339,16 @@ try_default_layout_bpool() { + validate_system_dataset "${candidate_dataset}" "boot" "${mntdir}" "${snapshot_name}" + } + ++# Return if secure boot is enabled on that system ++is_secure_boot_enabled() { ++ if LANG=C mokutil --sb-state 2>/dev/null | grep -qi enabled; then ++ echo "true" ++ return ++ fi ++ echo "false" ++ return ++} ++ + # Given a filesystem or snapshot dataset, returns dataset|machine id|pretty name|last used + # $1 is dataset we want information from + # $2 is the temporary mount directory to use +@@ -412,6 +422,17 @@ get_dataset_info() { + continue + fi + ++ # Filters entry if efi/non efi. ++ # Note that for now we allow kernel without .efi.signed as those are signed kernel ++ # on ubuntu, loaded by the shim. ++ case "${linux}" in ++ *.efi.signed) ++ if [ "$(is_secure_boot_enabled)" = "false" ]; then ++ continue ++ fi ++ ;; ++ esac ++ + linux_basename=$(basename "${linux}") + linux_dirname=$(dirname "${linux}") + version=$(echo "${linux_basename}" | sed -e "s,^[^0-9]*-,,g")
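
    Review bot: the refreshed header of mkconfig-signed-kernel.patch now reads From: Didier Roche with Date: Tue, 31 Mar 2020, replacing Colin Watson and the 2014 date, while Last-Update: 2013-12-25 and the subject are unchanged. If the 10_linux.in part is still the original work, keep the original authorship and record the 10_linux_zfs.in addition separately, and bring Last-Update in line with the new content.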
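
    Review bot: is_secure_boot_enabled() in the 10_linux_zfs.in hunk treats every mokutil failure as "Secure Boot disabled": stderr is discarded and a missing or failing mokutil falls through to echo "false", so every *.efi.signed kernel is then dropped from the menu with no diagnostic. Distinguish "mokutil unavailable" from "disabled", or at least warn on stderr, and match the status line more tightly than grep -qi enabled, which accepts "enabled" anywhere in the output. The trailing return after echo "false" is redundant.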
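
    Review bot: in the get_dataset_info() hunk, "$(is_secure_boot_enabled)" is evaluated inside the kernel loop (the surrounding continue statements), so mokutil is forked once per *.efi.signed image; compute the state once before the loop and compare against the cached value. The filter only drops *.efi.signed images when Secure Boot is off, so with Secure Boot on both a plain and a .efi.signed image of the same version pass it; confirm that the code after this hunk does not emit two entries for one kernel.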
  2. Download patch debian/patches/mkconfig-other-inits.patch

    --- 2.04-1/debian/patches/mkconfig-other-inits.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-other-inits.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 025817840e1674f9159bb602dde699deec035181 Mon Sep 17 00:00:00 2001 +From 22359dec23434867f467cb704aa771fd63e5ecd9 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@debian.org> Date: Sat, 3 Jan 2015 12:04:59 +0000 Subject: Generate alternative init entries in advanced menu @@ -18,7 +18,7 @@ Patch-Name: mkconfig-other-inits.patch 2 files changed, 21 insertions(+) diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index 8a74c677b..0cd4cf5c0 100644 +index 85b30084ad..dff84edea5 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -32,6 +32,7 @@ export TEXTDOMAIN=@PACKAGE@ @@ -29,7 +29,7 @@ index 8a74c677b..0cd4cf5c0 100644 if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then OS=GNU/Linux -@@ -127,6 +128,8 @@ linux_entry () +@@ -131,6 +132,8 @@ linux_entry () case $type in recovery) title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;; @@ -38,7 +38,7 @@ index 8a74c677b..0cd4cf5c0 100644 *) title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;; esac -@@ -381,6 +384,13 @@ while [ "x$list" != "x" ] ; do +@@ -385,6 +388,13 @@ while [ "x$list" != "x" ] ; do linux_entry "${OS}" "${version}" advanced \ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" @@ -53,7 +53,7 @@ index 8a74c677b..0cd4cf5c0 100644 linux_entry "${OS}" "${version}" recovery \ "${GRUB_CMDLINE_LINUX_RECOVERY} ${GRUB_CMDLINE_LINUX}" diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in -index f2ee0532b..81e5f0d7e 100644 +index f2ee0532bd..81e5f0d7e4 100644 --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in @@ -27,6 +27,7 @@ export TEXTDOMAIN=@PACKAGE@
  3. Download patch debian/patches/efinet-set-network-from-uefi-devpath.patch

    --- 2.04-1/debian/patches/efinet-set-network-from-uefi-devpath.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/efinet-set-network-from-uefi-devpath.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 9ac73ba5acca6446e278cdff274ef679783d9919 Mon Sep 17 00:00:00 2001 +From 521dfb27bc786d0567c97b704381677f57c4cfe4 Mon Sep 17 00:00:00 2001 From: Michael Chang <mchang@suse.com> Date: Thu, 27 Oct 2016 17:43:05 -0400 Subject: efinet: Setting network from UEFI device path @@ -34,7 +34,7 @@ Patch-Name: efinet-set-network-from-uefi 2 files changed, 270 insertions(+), 9 deletions(-) diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c -index fc90415f2..2d3b00f0e 100644 +index fc90415f29..2d3b00f0e1 100644 --- a/grub-core/net/drivers/efi/efinet.c +++ b/grub-core/net/drivers/efi/efinet.c @@ -23,6 +23,7 @@ @@ -358,7 +358,7 @@ index fc90415f2..2d3b00f0e 100644 } } diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h -index ca6cdc159..664cea37b 100644 +index ca6cdc1596..664cea37b5 100644 --- a/include/grub/efi/api.h +++ b/include/grub/efi/api.h @@ -825,6 +825,8 @@ struct grub_efi_ipv4_device_path
  4. Download patch debian/patches/at_keyboard-module-init.patch

    --- 2.04-1/debian/patches/at_keyboard-module-init.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/at_keyboard-module-init.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 030f7c065c91bdfa93fbe666b7bc284af3bb5167 Mon Sep 17 00:00:00 2001 +From 5365f46e0c28babd3ec09fa2c665b946ac9b3d0f Mon Sep 17 00:00:00 2001 From: Jeroen Dekkers <jeroen@dekkers.ch> Date: Sat, 12 Jan 2019 21:02:18 +0100 Subject: at_keyboard: initialize keyboard in module init if keyboard is ready @@ -16,7 +16,7 @@ Patch-Name: at_keyboard-module-init.patc 1 file changed, 9 insertions(+) diff --git a/grub-core/term/at_keyboard.c b/grub-core/term/at_keyboard.c -index f0a986eb1..d4395c201 100644 +index f0a986eb17..d4395c2019 100644 --- a/grub-core/term/at_keyboard.c +++ b/grub-core/term/at_keyboard.c @@ -244,6 +244,14 @@ grub_at_keyboard_getkey (struct grub_term_input *term __attribute__ ((unused)))
  5. Download patch debian/patches/grub.cfg-400.patch

    --- 2.04-1/debian/patches/grub.cfg-400.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/grub.cfg-400.patch 2020-08-10 13:07:29.000000000 +0000 @@ -9,7 +9,7 @@ Patch-Name: grub.cfg-400.patch 1 file changed, 4 insertions(+) diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in -index 9f477ff05..45cd4cc54 100644 +index 9f477ff054..45cd4cc541 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -276,6 +276,10 @@ for i in "${grub_mkconfig_dir}"/* ; do
  6. Download patch debian/patches/0102-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch

    --- 2.04-1/debian/patches/0102-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0102-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,42 @@ +From f5102243ac5d0cc9a319b2f5c4cbc2c518d0d137 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov <amakhalov@vmware.com> +Date: Fri, 17 Jul 2020 05:17:26 +0000 +Subject: relocator: Fix grub_relocator_alloc_chunk_align() top memory + allocation + +Current implementation of grub_relocator_alloc_chunk_align() +does not allow allocation of the top byte. + +Assuming input args are: + max_addr = 0xfffff000; + size = 0x1000; + +And this is valid. But following overflow protection will +unnecessarily move max_addr one byte down (to 0xffffefff): + if (max_addr > ~size) + max_addr = ~size; + +~size + 1 will fix the situation. In addition, check size +for non zero to do not zero max_addr. + +Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/lib/relocator.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c +index 5847aac364..f2c1944c28 100644 +--- a/grub-core/lib/relocator.c ++++ b/grub-core/lib/relocator.c +@@ -1386,8 +1386,8 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel, + }; + grub_addr_t min_addr2 = 0, max_addr2; + +- if (max_addr > ~size) +- max_addr = ~size; ++ if (size && (max_addr > ~size)) ++ max_addr = ~size + 1; + + #ifdef GRUB_MACHINE_PCBIOS + if (min_addr < 0x1000)
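
    Review bot: the new clamp if (size && (max_addr > ~size)) max_addr = ~size + 1; relies on ~size being evaluated at the same width as max_addr, and the parameter types are not visible in this hunk. If max_addr can be wider than size, ~size + 1 is computed at the width of size before the assignment, so state the intended types in a comment or cast explicitly. A short comment that ~size + 1 is the highest start address at which size bytes still fit would also make the off-by-one fix self-explanatory. Separately, the changelog lists this patch as 0103-relocator-Fix-... while the file here is 0102-...; the numbering should agree.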
  7. Download patch debian/patches/0095-efi-fix-some-malformed-device-path-arithmetic-errors.patch
  8. Download patch debian/patches/0103-linux-loader-avoid-overflow-on-initrd-size-calculati.patch

    --- 2.04-1/debian/patches/0103-linux-loader-avoid-overflow-on-initrd-size-calculati.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0103-linux-loader-avoid-overflow-on-initrd-size-calculati.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,25 @@ +From 3390bca8bde1f29b8d449f28d5a1fa4f08598af8 Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Fri, 24 Jul 2020 13:57:27 -0400 +Subject: linux loader: avoid overflow on initrd size calculation + +Signed-off-by: Peter Jones <pjones@redhat.com> +--- + grub-core/loader/linux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c +index 471b214d6c..25624ebc11 100644 +--- a/grub-core/loader/linux.c ++++ b/grub-core/loader/linux.c +@@ -151,8 +151,8 @@ grub_initrd_init (int argc, char *argv[], + initrd_ctx->nfiles = 0; + initrd_ctx->components = 0; + +- initrd_ctx->components = grub_zalloc (argc +- * sizeof (initrd_ctx->components[0])); ++ initrd_ctx->components = grub_calloc (argc, ++ sizeof (initrd_ctx->components[0])); + if (!initrd_ctx->components) + return grub_errno; +
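
    Review bot: the commit message carries only a subject and a sign-off; it should say that the overflow is the argc * sizeof (initrd_ctx->components[0]) multiplication previously passed to grub_zalloc(), which the two-argument grub_calloc() call now avoids. In the same context, initrd_ctx->components = 0; is overwritten by the allocation in the next statement and can be dropped. The changelog refers to this patch as 0104-linux-loader-... while the file here is 0103-...; the numbering should agree.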
  9. Download patch debian/grub-extras/disabled/zfs/.bzrignore

    --- 2.04-1/debian/grub-extras/disabled/zfs/.bzrignore 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-extras/disabled/zfs/.bzrignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,5 +0,0 @@ -**/.deps-core -**/.deps-util -**/.dirstamp -Makefile.core.am -Makefile.util.am
  10. Download patch debian/patches/gfxpayload-dynamic.patch

    --- 2.04-1/debian/patches/gfxpayload-dynamic.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/gfxpayload-dynamic.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From bff220e7e6189f09678b9a25e9e92fc65b327268 Mon Sep 17 00:00:00 2001 +From 40e9945c86cb9ea3d2a23789e7cdbce9905387e1 Mon Sep 17 00:00:00 2001 From: Evan Broder <evan@ebroder.net> Date: Mon, 13 Jan 2014 12:13:29 +0000 Subject: Add configure option to enable gfxpayload=keep dynamically @@ -18,11 +18,12 @@ Patch-Name: gfxpayload-dynamic.patch grub-core/commands/i386/pc/hwmatch.c | 146 +++++++++++++++++++++++++++ include/grub/file.h | 1 + util/grub.d/10_linux.in | 37 ++++++- - 5 files changed, 200 insertions(+), 3 deletions(-) + util/grub.d/10_linux_zfs.in | 46 ++++++++- + 6 files changed, 243 insertions(+), 6 deletions(-) create mode 100644 grub-core/commands/i386/pc/hwmatch.c diff --git a/configure.ac b/configure.ac -index 7dda5bb32..dbc429ce0 100644 +index 7dda5bb32b..dbc429ce0a 100644 --- a/configure.ac +++ b/configure.ac @@ -1879,6 +1879,17 @@ else @@ -44,7 +45,7 @@ index 7dda5bb32..dbc429ce0 100644 AC_SUBST([FONT_SOURCE]) diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def -index 67a98abbb..836bf0a59 100644 +index 474a63e68c..aadb4cdff8 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def @@ -971,6 +971,14 @@ module = { @@ -64,7 +65,7 @@ index 67a98abbb..836bf0a59 100644 common = commands/keystatus.c; diff --git a/grub-core/commands/i386/pc/hwmatch.c b/grub-core/commands/i386/pc/hwmatch.c new file mode 100644 -index 000000000..6de07cecc +index 0000000000..6de07cecc8 --- /dev/null +++ b/grub-core/commands/i386/pc/hwmatch.c @@ -0,0 +1,146 @@ @@ -215,7 +216,7 @@ index 000000000..6de07cecc + grub_unregister_command (cmd); +} diff --git a/include/grub/file.h b/include/grub/file.h -index 31567483c..e3c4cae2b 100644 +index 31567483cc..e3c4cae2b5 100644 --- a/include/grub/file.h +++ b/include/grub/file.h 
@@ -122,6 +122,7 @@ enum grub_file_type @@ -227,7 +228,7 @@ index 31567483c..e3c4cae2b 100644 GRUB_FILE_TYPE_LOADENV, GRUB_FILE_TYPE_SAVEENV, diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index 51cdb5e1d..2f5217358 100644 +index 2be66c7028..09393c28ee 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -23,6 +23,7 @@ datarootdir="@datarootdir@" @@ -238,7 +239,7 @@ index 51cdb5e1d..2f5217358 100644 . "$pkgdatadir/grub-mkconfig_lib" -@@ -145,9 +146,10 @@ linux_entry () +@@ -149,9 +150,10 @@ linux_entry () if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then echo " load_video" | sed "s/^/$submenu_indentation/" fi @@ -252,7 +253,7 @@ index 51cdb5e1d..2f5217358 100644 fi echo " insmod gzio" | sed "s/^/$submenu_indentation/" -@@ -226,6 +228,35 @@ prepare_root_cache= +@@ -230,6 +232,35 @@ prepare_root_cache= boot_device_id= title_correction_code= 
@@ -288,3 +289,81 @@ index 51cdb5e1d..2f5217358 100644 # Extra indentation to add to menu entries in a submenu. We're not in a submenu # yet, so it's empty. In a submenu it will be equal to '\t' (one tab). submenu_indentation="" +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index ec4b49d9d7..8cd7d12851 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -22,6 +22,7 @@ datarootdir="@datarootdir@" + ubuntu_recovery="@UBUNTU_RECOVERY@" + quiet_boot="@QUIET_BOOT@" + quick_boot="@QUICK_BOOT@" ++gfxpayload_dynamic="@GFXPAYLOAD_DYNAMIC@" + + . "${pkgdatadir}/grub-mkconfig_lib" + +@@ -716,6 +717,41 @@ generate_grub_menu_metadata() { + done + } + ++# Print the configuration part common to all sections ++# Note: ++# If 10_linux runs these part will be defined twice in grub configuration ++print_menu_prologue() { ++ # Use ELILO's generic "efifb" when it's known to be available. ++ # FIXME: We need an interface to select vesafb in case efifb can't be used. 
++ GRUB_GFXPAYLOAD_LINUX="${GRUB_GFXPAYLOAD_LINUX:-}" ++ if [ "${GRUB_GFXPAYLOAD_LINUX}" != "" ] || [ "${gfxpayload_dynamic}" = 0 ]; then ++ echo "set linux_gfx_mode=${GRUB_GFXPAYLOAD_LINUX}" ++ else ++ cat << EOF ++if [ "\${recordfail}" != 1 ]; then ++ if [ -e \${prefix}/gfxblacklist.txt ]; then ++ if hwmatch \${prefix}/gfxblacklist.txt 3; then ++ if [ \${match} = 0 ]; then ++ set linux_gfx_mode=keep ++ else ++ set linux_gfx_mode=text ++ fi ++ else ++ set linux_gfx_mode=text ++ fi ++ else ++ set linux_gfx_mode=keep ++ fi ++else ++ set linux_gfx_mode=text ++fi ++EOF ++ fi ++ cat << EOF ++export linux_gfx_mode ++EOF ++} ++ + # Cache for prepare_grub_to_access_device call + # $1: boot_device + # $2: submenu_level +@@ -776,9 +812,11 @@ zfs_linux_entry () { + if [ "${GRUB_GFXPAYLOAD_LINUX}" != "text" ]; then + echo "${submenu_indentation} load_video" + fi +- if [ "${ubuntu_recovery}" = 0 ] || [ "${type}" != "recovery" ]; then +- echo "${submenu_indentation} set gfxpayload=\${linux_gfx_mode}" +- fi ++ fi ++ ++ if ([ "${ubuntu_recovery}" = 0 ] || [ "${type}" != "recovery" ]) && \ ++ ([ "${GRUB_GFXPAYLOAD_LINUX}" != "" ] || [ "${gfxpayload_dynamic}" = 1 ]); then ++ echo "${submenu_indentation} set gfxpayload=\${linux_gfx_mode}" + fi + + echo "${submenu_indentation} insmod gzio" +@@ -841,6 +879,8 @@ generate_grub_menu() { + GRUB_CMDLINE_LINUX_RECOVERY="${GRUB_CMDLINE_LINUX_RECOVERY} nomodeset" + fi + ++ print_menu_prologue ++ + # IFS is set to TAB (ASCII 0x09) + echo "${menu_metadata}" | + {
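
    Review bot: In print_menu_prologue() in util/grub.d/10_linux_zfs.in, the generated GRUB script tests `[ \${match} = 0 ]` and `[ -e \${prefix}/gfxblacklist.txt ]` with unquoted expansions, although the first test in the same heredoc quotes `"\${recordfail}"`; if match is ever empty, that test is left without a left operand. Quote both expansions. The function's own comment also says the block is defined twice in the GRUB configuration when 10_linux runs, so a guard that lets only one of the two scripts set and export linux_gfx_mode would be cleaner than accepting the duplicate. In zfs_linux_entry, the `( ... ) && ( ... )` condition forks two subshells per menu entry; `{ ...; }` grouping gives the same logic without them.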
  11. Download patch debian/patches/default-grub-d.patch

    --- 2.04-1/debian/patches/default-grub-d.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/default-grub-d.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 413121ddac2aa1484b0dc6fd3a32aad0d417aa80 Mon Sep 17 00:00:00 2001 +From c3ad86f659b0a1af2033086101936f3a17e67a0a Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:10 +0000 Subject: Read /etc/default/grub.d/*.cfg after /etc/default/grub @@ -14,7 +14,7 @@ Patch-Name: default-grub-d.patch 2 files changed, 98 insertions(+), 21 deletions(-) diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c -index 65effa9f3..5478030fd 100644 +index 65effa9f3a..5478030fde 100644 --- a/grub-core/osdep/unix/config.c +++ b/grub-core/osdep/unix/config.c @@ -24,6 +24,8 @@ @@ -178,7 +178,7 @@ index 65effa9f3..5478030fd 100644 + free (cfgdir); } diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in -index b506d63bf..d18bf972f 100644 +index b506d63bf9..d18bf972f7 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -164,6 +164,11 @@ fi
  12. Download patch debian/patches/gfxpayload-keep-default.patch

    --- 2.04-1/debian/patches/gfxpayload-keep-default.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/gfxpayload-keep-default.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,6 +1,6 @@ -From d768f3c486db716fe662b32afc1327f27fad012b Mon Sep 17 00:00:00 2001 -From: Colin Watson <cjwatson@debian.org> -Date: Mon, 13 Jan 2014 12:12:57 +0000 +From 6b3668640698cff6e0f57bba665a594c11f02841 Mon Sep 17 00:00:00 2001 +From: Didier Roche <didrocks@ubuntu.com> +Date: Tue, 31 Mar 2020 15:09:45 +0200 Subject: Disable gfxpayload=keep by default Setting gfxpayload=keep has been known to cause efifb to be @@ -19,14 +19,15 @@ Last-Update: 2013-12-25 Patch-Name: gfxpayload-keep-default.patch --- - util/grub.d/10_linux.in | 4 ---- - 1 file changed, 4 deletions(-) + util/grub.d/10_linux.in | 4 ---- + util/grub.d/10_linux_zfs.in | 4 ---- + 2 files changed, 8 deletions(-) diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index 4532266be..dd5a60c71 100644 +index a75096609a..f839b3b55f 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in -@@ -114,10 +114,6 @@ linux_entry () +@@ -118,10 +118,6 @@ linux_entry () # FIXME: We need an interface to select vesafb in case efifb can't be used. if [ "x$GRUB_GFXPAYLOAD_LINUX" = x ]; then echo " load_video" | sed "s/^/$submenu_indentation/" 
@@ -37,3 +38,18 @@ index 4532266be..dd5a60c71 100644 else if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then echo " load_video" | sed "s/^/$submenu_indentation/" +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index 5ec65fa941..b24587f0a5 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -744,10 +744,6 @@ zfs_linux_entry () { + # FIXME: We need an interface to select vesafb in case efifb can't be used. + if [ "${GRUB_GFXPAYLOAD_LINUX}" = "" ]; then + echo "${submenu_indentation} load_video" +- if grep -qx "CONFIG_FB_EFI=y" "${config}" 2> /dev/null \ +- && grep -qx "CONFIG_VT_HW_CONSOLE_BINDING=y" "${config}" 2> /dev/null; then +- echo "${submenu_indentation} set gfxpayload=keep" +- fi + else + if [ "${GRUB_GFXPAYLOAD_LINUX}" != "text" ]; then + echo "${submenu_indentation} load_video"
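
    Review bot: The patch header now reads From: Didier Roche and Date: Tue, 31 Mar 2020 where it used to credit Colin Watson on 13 Jan 2014, while the description and the Last-Update: 2013-12-25 field are left untouched, so the metadata no longer says who wrote the original 10_linux.in change or when the 10_linux_zfs.in hunk was added. Keep the original author in From:, and record the extension to 10_linux_zfs.in in the description with a matching Last-Update.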
  13. Download patch debian/patches/install-locale-langpack.patch

    --- 2.04-1/debian/patches/install-locale-langpack.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/install-locale-langpack.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From b7350821785e3c924f70720532c19a3a91966115 Mon Sep 17 00:00:00 2001 +From 50921522fab0f4ce529b6c7acd6354b1b3cff2b1 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:07 +0000 Subject: Prefer translations from Ubuntu language packs if available @@ -13,7 +13,7 @@ Patch-Name: install-locale-langpack.patc 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/util/grub-install-common.c b/util/grub-install-common.c -index ca0ac612a..fdfe2c7ea 100644 +index ca0ac612ac..fdfe2c7ead 100644 --- a/util/grub-install-common.c +++ b/util/grub-install-common.c @@ -609,17 +609,25 @@ get_localedir (void)
  14. Download patch debian/patches/grub-install-extra-removable.patch
  15. Download patch debian/patches/install-efi-ubuntu-flavours.patch

    --- 2.04-1/debian/patches/install-efi-ubuntu-flavours.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/install-efi-ubuntu-flavours.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 8054cd148e7a9e3cfa546d60c06b436fb73cf803 Mon Sep 17 00:00:00 2001 +From 73faf5c430fe03ec081a838af0e96ad4c42ab26f Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:27 +0000 Subject: Cope with Kubuntu setting GRUB_DISTRIBUTOR @@ -17,7 +17,7 @@ Patch-Name: install-efi-ubuntu-flavours. 1 file changed, 2 insertions(+) diff --git a/util/grub-install.c b/util/grub-install.c -index b0c7c7c37..e5e9e439d 100644 +index e1e40cf2b5..f0d59c1809 100644 --- a/util/grub-install.c +++ b/util/grub-install.c @@ -1115,6 +1115,8 @@ main (int argc, char *argv[])
  16. Download patch debian/patches/insmod-xzio-and-lzopio-on-xen.patch

    --- 2.04-1/debian/patches/insmod-xzio-and-lzopio-on-xen.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/insmod-xzio-and-lzopio-on-xen.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 7b5ed0cc355424e434744162d03cc43a483ac0f4 Mon Sep 17 00:00:00 2001 +From c58c9d77ccd16511db098247b5cbba5abcaac99f Mon Sep 17 00:00:00 2001 From: Ian Campbell <ijc@debian.org> Date: Sun, 30 Nov 2014 12:12:52 +0000 Subject: Arrange to insmod xzio and lzopio when booting a kernel as a Xen @@ -16,14 +16,15 @@ Last-Update: 2014-11-30 Patch-Name: insmod-xzio-and-lzopio-on-xen.patch --- - util/grub.d/10_linux.in | 1 + - 1 file changed, 1 insertion(+) + util/grub.d/10_linux.in | 1 + + util/grub.d/10_linux_zfs.in | 1 + + 2 files changed, 2 insertions(+) diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index ba945582e..8a74c677b 100644 +index 2c418c5ec8..85b30084ad 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in -@@ -162,6 +162,7 @@ linux_entry () +@@ -166,6 +166,7 @@ linux_entry () fi echo " insmod gzio" | sed "s/^/$submenu_indentation/" @@ -31,3 +32,15 @@ index ba945582e..8a74c677b 100644 if [ x$dirname = x/ ]; then if [ -z "${prepare_root_cache}" ]; then +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index 4477fa6061..4c48abef01 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -838,6 +838,7 @@ zfs_linux_entry () { + fi + + echo "${submenu_indentation} insmod gzio" ++ echo "${submenu_indentation} if [ \"\${grub_platform}\" = xen ]; then insmod xzio; insmod lzopio; fi" + + echo "$(prepare_grub_to_access_device_cached "${boot_device}" "${submenu_level}")" +
  17. Download patch debian/patches/install-efi-fallback.patch

    --- 2.04-1/debian/patches/install-efi-fallback.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/install-efi-fallback.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 4b5ab05a5428e6acae087a819b5daeb17b36e5f5 Mon Sep 17 00:00:00 2001 +From 8a5b764a450f0d67f940c2ffbe80eae053753c19 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:05 +0000 Subject: Fall back to non-EFI if booted using EFI but -efi is missing @@ -19,7 +19,7 @@ Patch-Name: install-efi-fallback.patch 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/grub-core/osdep/linux/platform.c b/grub-core/osdep/linux/platform.c -index e28a79dab..2e7f72086 100644 +index e28a79dab3..2e7f720869 100644 --- a/grub-core/osdep/linux/platform.c +++ b/grub-core/osdep/linux/platform.c @@ -19,10 +19,12 @@
  18. Download patch debian/patches/efinet-uefi-ipv6-pxe-support.patch

    --- 2.04-1/debian/patches/efinet-uefi-ipv6-pxe-support.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/efinet-uefi-ipv6-pxe-support.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 36a71e2c21b5cdfb93617dc4faff628672e9a2b7 Mon Sep 17 00:00:00 2001 +From efa94cf400cddc721b15210e46471c867cf727e1 Mon Sep 17 00:00:00 2001 From: Michael Chang <mchang@suse.com> Date: Thu, 27 Oct 2016 17:41:21 -0400 Subject: efinet: UEFI IPv6 PXE support @@ -17,7 +17,7 @@ Patch-Name: efinet-uefi-ipv6-pxe-support 2 files changed, 73 insertions(+), 6 deletions(-) diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c -index 5388f952b..fc90415f2 100644 +index 5388f952ba..fc90415f29 100644 --- a/grub-core/net/drivers/efi/efinet.c +++ b/grub-core/net/drivers/efi/efinet.c @@ -378,11 +378,25 @@ grub_efi_net_config_real (grub_efi_handle_t hnd, char **device, @@ -52,7 +52,7 @@ index 5388f952b..fc90415f2 100644 } } diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h -index addcbfa8f..ca6cdc159 100644 +index addcbfa8fb..ca6cdc1596 100644 --- a/include/grub/efi/api.h +++ b/include/grub/efi/api.h @@ -1452,14 +1452,67 @@ typedef struct grub_efi_simple_text_output_interface grub_efi_simple_text_output
  19. Download patch debian/patches/gettext-quiet.patch

    --- 2.04-1/debian/patches/gettext-quiet.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/gettext-quiet.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 5264381cd94fc29aea05e50654df364e131e777f Mon Sep 17 00:00:00 2001 +From 02b91d62746f4bde8349bbd605b18fb354a85048 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:02 +0000 Subject: Silence error messages when translations are unavailable @@ -13,7 +13,7 @@ Patch-Name: gettext-quiet.patch 1 file changed, 5 insertions(+) diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c -index 4d02e62c1..2a19389f2 100644 +index 4d02e62c10..2a19389f2a 100644 --- a/grub-core/gettext/gettext.c +++ b/grub-core/gettext/gettext.c @@ -427,6 +427,11 @@ grub_gettext_init_ext (struct grub_gettext_context *ctx,
  20. Download patch debian/patches/0088-gfxmenu-Fix-double-free-in-load_image.patch

    --- 2.04-1/debian/patches/0088-gfxmenu-Fix-double-free-in-load_image.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0088-gfxmenu-Fix-double-free-in-load_image.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,32 @@ +From 58e72a15fa61adffe8015da0eb093d2e93380ee0 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov <amakhalov@vmware.com> +Date: Wed, 8 Jul 2020 20:41:56 +0000 +Subject: gfxmenu: Fix double free in load_image() + +self->bitmap should be zeroed after free. Otherwise, there is a chance +to double free (USE_AFTER_FREE) it later in rescale_image(). + +Fixes: CID 292472 + +Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/gfxmenu/gui_image.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/grub-core/gfxmenu/gui_image.c b/grub-core/gfxmenu/gui_image.c +index 29784ed2d9..6b2e976f16 100644 +--- a/grub-core/gfxmenu/gui_image.c ++++ b/grub-core/gfxmenu/gui_image.c +@@ -195,7 +195,10 @@ load_image (grub_gui_image_t self, const char *path) + return grub_errno; + + if (self->bitmap && (self->bitmap != self->raw_bitmap)) +- grub_video_bitmap_destroy (self->bitmap); ++ { ++ grub_video_bitmap_destroy (self->bitmap); ++ self->bitmap = 0; ++ } + if (self->raw_bitmap) + grub_video_bitmap_destroy (self->raw_bitmap); +
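
    Review bot: The added `self->bitmap = 0;` in load_image() only runs when self->bitmap differs from self->raw_bitmap. When the two are equal, the following `grub_video_bitmap_destroy (self->raw_bitmap);` frees the shared bitmap and the lines shown leave both pointers holding the freed address. Unless every later path in the function reassigns them before returning, clear self->raw_bitmap (and self->bitmap in the aliased case) after that destroy as well, so rescale_image() cannot see a stale pointer.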
  21. Download patch debian/grub-common.install.in

    --- 2.04-1/debian/grub-common.install.in 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-common.install.in 2020-08-10 13:07:29.000000000 +0000 @@ -1,6 +1,9 @@ ../../debian/apport/source_grub2.py usr/share/apport/package-hooks/ ../../debian/grub.d etc ../../debian/init-select.cfg etc/default/grub.d +../../debian/grub-check-signatures usr/share/grub/ +../../debian/grub-multi-install usr/lib/grub/ +../../debian/canonical-uefi-ca.crt usr/share/grub/ etc/grub.d usr/bin/grub-editenv @@ -20,6 +23,7 @@ usr/bin/grub-mkstandalone usr/bin/grub-render-label usr/bin/grub-script-check usr/bin/grub-syslinux2cfg +usr/lib/systemd/system/grub-initrd-fallback.service lib/systemd/system usr/sbin/grub-macbless usr/sbin/grub-mkconfig usr/sbin/grub-mkdevicemap
  22. Download patch debian/gettext-patches/0003-Make-msgfmt-output-in-little-endian.patch

    --- 2.04-1/debian/gettext-patches/0003-Make-msgfmt-output-in-little-endian.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/gettext-patches/0003-Make-msgfmt-output-in-little-endian.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,34 @@ +From 156c523e2945c9b43c5500fb93988b0dd2f08d75 Mon Sep 17 00:00:00 2001 +From: Vladimir Serbinenko <phcoder@gmail.com> +Date: Sun, 1 Mar 2020 12:09:25 +0000 +Subject: [PATCH 3/4] Make msgfmt output in little-endian + +GRUB expects this. +--- + gettext-runtime/po/Makefile.in.in | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/gettext-runtime/po/Makefile.in.in b/gettext-runtime/po/Makefile.in.in +index 32e0c99a2..f3ef54c39 100644 +--- a/gettext-runtime/po/Makefile.in.in ++++ b/gettext-runtime/po/Makefile.in.in +@@ -84,13 +84,13 @@ CATALOGS = @CATALOGS@ + + .po.mo: + @echo "$(MSGFMT) -c -o $@ $<"; \ +- $(MSGFMT) -c -o t-$@ $< && mv t-$@ $@ ++ $(MSGFMT) --endianness=little -c -o t-$@ $< && mv t-$@ $@ + + .po.gmo: + @lang=`echo $* | sed -e 's,.*/,,'`; \ + test "$(srcdir)" = . && cdcmd="" || cdcmd="cd $(srcdir) && "; \ +- echo "$${cdcmd}rm -f $${lang}.gmo && $(GMSGFMT) -c --statistics --verbose -o $${lang}.gmo $${lang}.po"; \ +- cd $(srcdir) && rm -f $${lang}.gmo && $(GMSGFMT) -c --statistics --verbose -o t-$${lang}.gmo $${lang}.po && mv t-$${lang}.gmo $${lang}.gmo ++ echo "$${cdcmd}rm -f $${lang}.gmo && $(GMSGFMT) --endianness=little -c --statistics --verbose -o $${lang}.gmo $${lang}.po"; \ ++ cd $(srcdir) && rm -f $${lang}.gmo && $(GMSGFMT) --endianness=little -c --statistics --verbose -o t-$${lang}.gmo $${lang}.po && mv t-$${lang}.gmo $${lang}.gmo + + .sin.sed: + sed -e '/^#/d' $< > t-$@ +-- +2.17.1 +
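
    Review bot: In the .po.mo rule the command gains --endianness=little but the `@echo "$(MSGFMT) -c -o $@ $<"` line above it is unchanged, so the build log prints a command that differs from the one actually run; the .po.gmo rule updates both its echo and its command. Add the flag to the .po.mo echo as well. The message body "GRUB expects this." would also help future readers more if it named which part of GRUB requires little-endian catalogues.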
  23. Download patch debian/patches/install-stage2-confusion.patch

    --- 2.04-1/debian/patches/install-stage2-confusion.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/install-stage2-confusion.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 81cb5ffcbdc273cb57ccc355342d81cf34d8a7b7 Mon Sep 17 00:00:00 2001 +From bd93043d187b87d8faa11135f3414d67da95a167 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@debian.org> Date: Mon, 13 Jan 2014 12:12:58 +0000 Subject: If GRUB Legacy is still around, tell packaging to ignore it @@ -13,7 +13,7 @@ Patch-Name: install-stage2-confusion.pat 1 file changed, 14 insertions(+) diff --git a/util/grub-install.c b/util/grub-install.c -index 8a55ad4b8..3b4606eef 100644 +index 8a55ad4b8d..3b4606eef1 100644 --- a/util/grub-install.c +++ b/util/grub-install.c @@ -42,6 +42,7 @@
  24. Download patch debian/gettext-patches/0004-Use-SHELL-rather-than-bin-sh.patch

    --- 2.04-1/debian/gettext-patches/0004-Use-SHELL-rather-than-bin-sh.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/gettext-patches/0004-Use-SHELL-rather-than-bin-sh.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,26 @@ +From f36f12e77798223ee7ee882c0d09e0e63db11454 Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwatson@debian.org> +Date: Sun, 1 Mar 2020 12:14:07 +0000 +Subject: [PATCH 4/4] Use @SHELL rather than /bin/sh + +/bin/sh might not exist. +--- + gettext-runtime/po/Makefile.in.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gettext-runtime/po/Makefile.in.in b/gettext-runtime/po/Makefile.in.in +index f3ef54c39..285a55a9d 100644 +--- a/gettext-runtime/po/Makefile.in.in ++++ b/gettext-runtime/po/Makefile.in.in +@@ -16,7 +16,7 @@ VERSION = @VERSION@ + PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ + + SED = @SED@ +-SHELL = /bin/sh ++SHELL = @SHELL@ + @SET_MAKE@ + + srcdir = @srcdir@ +-- +2.17.1 +
  25. Download patch debian/patches/0083-calloc-Make-sure-we-always-have-an-overflow-checking.patch
  26. Download patch debian/control

    --- 2.04-1/debian/control 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/control 2020-08-10 13:07:29.000000000 +0000 @@ -1,11 +1,15 @@ Source: grub2 Section: admin Priority: optional -Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net> Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Colin Watson <cjwatson@debian.org>, Ian Campbell <ijc@debian.org>, Steve McIntyre <93sam@debian.org> Build-Depends: debhelper (>= 10~), patchutils, - python, + dh-autoreconf, + dh-systemd, + automake, + python3, flex, bison, po-debconf, @@ -32,13 +36,13 @@ Build-Depends: debhelper (>= 10~), libparted-dev [any-powerpc any-ppc64 any-ppc64el], pkg-config, bash-completion, - libefiboot-dev [any-i386 any-amd64 any-ia64 any-arm any-arm64], - libefivar-dev [any-i386 any-amd64 any-ia64 any-arm any-arm64], + libefiboot-dev [any-linux-i386 any-linux-amd64 any-linux-ia64 any-linux-arm any-linux-arm64], + libefivar-dev [any-linux-i386 any-linux-amd64 any-linux-ia64 any-linux-arm any-linux-arm64], Build-Conflicts: autoconf2.13, libzfs-dev, libnvpair-dev Standards-Version: 3.9.6 Homepage: https://www.gnu.org/software/grub/ -Vcs-Git: https://salsa.debian.org/grub-team/grub.git -Vcs-Browser: https://salsa.debian.org/grub-team/grub +Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu +Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu Rules-Requires-Root: no Package: grub2 
@@ -94,7 +98,7 @@ Architecture: any-i386 any-amd64 any-pow Depends: grub-common (= ${binary:Version}), dpkg (>= 1.15.4) | install-info, ${shlibs:Depends}, ${misc:Depends} Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4) Conflicts: grub-legacy -Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4) +Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 13), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4) Multi-Arch: foreign Description: GRand Unified Bootloader (common files for version 2) This package contains common files shared by the distinct flavours of GRUB.
  27. Download patch debian/patches/mkconfig-nonexistent-loopback.patch

    --- 2.04-1/debian/patches/mkconfig-nonexistent-loopback.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-nonexistent-loopback.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 0207e6937271a475ec2f89fc9f751e138254579d Mon Sep 17 00:00:00 2001 +From 0a12aab871f0e938738305d89fc1e32915ea7fda Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:08 +0000 Subject: Avoid getting confused by inaccessible loop device backing paths @@ -14,7 +14,7 @@ Patch-Name: mkconfig-nonexistent-loopbac 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in -index b05df554d..fe6319abe 100644 +index b05df554da..fe6319abe0 100644 --- a/util/grub-mkconfig_lib.in +++ b/util/grub-mkconfig_lib.in @@ -143,7 +143,7 @@ prepare_grub_to_access_device () @@ -27,7 +27,7 @@ index b05df554d..fe6319abe 100644 esac ;; diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in -index 775ceb2e0..b7e1147c4 100644 +index 775ceb2e04..b7e1147c41 100644 --- a/util/grub.d/30_os-prober.in +++ b/util/grub.d/30_os-prober.in @@ -219,6 +219,11 @@ EOF
  28. Download patch debian/grub-common.templates

    --- 2.04-1/debian/grub-common.templates 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-common.templates 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,53 @@ +Template: grub-efi/install_devices +Type: multiselect +Choices-C: ${RAW_CHOICES} +Choices: ${CHOICES} +_Description: GRUB EFI system partitions: + The grub-efi package is being upgraded. This menu allows you to select which + EFI system partions you'd like grub-install to be automatically run for, if any. + . + Running grub-install automatically is recommended in most situations, to + prevent the installed GRUB core image from getting out of sync with GRUB + modules or grub.cfg. + +Template: grub-efi/install_devices_disks_changed +Type: multiselect +Choices-C: ${RAW_CHOICES} +Choices: ${CHOICES} +_Description: GRUB install devices: + The GRUB boot loader was previously installed to a disk that is no longer + present, or whose unique identifier has changed for some reason. It is + important to make sure that the installed GRUB core image stays in sync + with GRUB modules and grub.cfg. Please check again to make sure that GRUB + is written to the appropriate boot devices. + +Template: grub-efi/partition_description +Type: text +_Description: ${DEVICE} (${SIZE} MB; ${PATH}) on ${DISK_SIZE} MB ${DISK_MODEL} + +Template: grub-efi/install_devices_failed +Type: boolean +Default: false +#flag:translate!:3 +_Description: Writing GRUB to boot device failed - continue? + GRUB failed to install to the following devices: + . + ${FAILED_DEVICES} + . + Do you want to continue anyway? If you do, your computer may not start up + properly. + +Template: grub-efi/install_devices_empty +Type: boolean +Default: false +_Description: Continue without installing GRUB? + You chose not to install GRUB to any devices. If you continue, the boot + loader may not be properly configured, and when this computer next starts + up it will use whatever was previously configured. If there is an + earlier version of GRUB 2 in the EFI system partition, it may be unable to load + modules or handle the current configuration file. + . 
+ If you are already using a different boot loader and want to carry on + doing so, or if this is a special environment where you do not need a boot + loader, then you should continue anyway. Otherwise, you should install + GRUB somewhere.
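
    Review bot: In the grub-efi/install_devices description, "EFI system partions" should read "EFI system partitions"; this is a translatable _Description, so the typo ends up in the msgid that every translation is keyed on. The grub-efi/install_devices_disks_changed template also speaks of GRUB being "installed to a disk" and of "boot devices" under the title "GRUB install devices:", while the other grub-efi templates talk about EFI system partitions; align the wording so the prompt matches what the multiselect actually lists.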
  29. Download patch debian/patches/dpkg-version-comparison.patch

    --- 2.04-1/debian/patches/dpkg-version-comparison.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/dpkg-version-comparison.patch 2020-08-10 13:07:29.000000000 +0000 @@ -12,7 +12,7 @@ Patch-Name: dpkg-version-comparison.patc 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in -index 0f801cab3..b6606c16e 100644 +index 0f801cab3e..b6606c16e0 100644 --- a/util/grub-mkconfig_lib.in +++ b/util/grub-mkconfig_lib.in @@ -239,8 +239,9 @@ version_test_numeric ()
  30. Download patch debian/patches/cherrypick-lsefisystab-define-smbios3.patch

    --- 2.04-1/debian/patches/cherrypick-lsefisystab-define-smbios3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/cherrypick-lsefisystab-define-smbios3.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,45 @@ +From 7a7aa7f7da952420277726d4e2279716d1738aa6 Mon Sep 17 00:00:00 2001 +From: David Michael <fedora.dm0@gmail.com> +Date: Fri, 5 Jul 2019 08:47:02 -0400 +Subject: lsefisystab: Define SMBIOS3 entry point structures for EFI + +This adds the GUID and includes it in lsefisystab output. + +Signed-off-by: David Michael <fedora.dm0@gmail.com> +Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +(cherry picked from commit 261df54f170c6d87258eb37ef17d62690720696b) +Patch-Name: cherrypick-lsefisystab-define-smbios3.patch +--- + grub-core/commands/efi/lsefisystab.c | 1 + + include/grub/efi/api.h | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c +index df10302218..7c039c5097 100644 +--- a/grub-core/commands/efi/lsefisystab.c ++++ b/grub-core/commands/efi/lsefisystab.c +@@ -48,6 +48,7 @@ static const struct guid_mapping guid_mappings[] = + { GRUB_EFI_MPS_TABLE_GUID, "MPS"}, + { GRUB_EFI_SAL_TABLE_GUID, "SAL"}, + { GRUB_EFI_SMBIOS_TABLE_GUID, "SMBIOS"}, ++ { GRUB_EFI_SMBIOS3_TABLE_GUID, "SMBIOS3"}, + { GRUB_EFI_SYSTEM_RESOURCE_TABLE_GUID, "SYSTEM RESOURCE TABLE"}, + { GRUB_EFI_TIANO_CUSTOM_DECOMPRESS_GUID, "TIANO CUSTOM DECOMPRESS"}, + { GRUB_EFI_TSC_FREQUENCY_GUID, "TSC FREQUENCY"}, +diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h +index 75befd10e5..9824fbcd0d 100644 +--- a/include/grub/efi/api.h ++++ b/include/grub/efi/api.h +@@ -314,6 +314,11 @@ + { 0x9a, 0x16, 0x0, 0x90, 0x27, 0x3f, 0xc1, 0x4d } \ + } + ++#define GRUB_EFI_SMBIOS3_TABLE_GUID \ ++ { 0xf2fd1544, 0x9794, 0x4a2c, \ ++ { 0x99, 0x2e, 0xe5, 0xbb, 0xcf, 0x20, 0xe3, 0x94 } \ ++ } ++ + #define GRUB_EFI_SAL_TABLE_GUID \ + { 0xeb9d2d32, 0x2d88, 0x11d3, \ + { 0x9a, 0x16, 0x0, 0x90, 0x27, 0x3f, 0xc1, 0x4d } \
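
    Review bot: The subject says "Define SMBIOS3 entry point structures", but the two hunks only add the GRUB_EFI_SMBIOS3_TABLE_GUID macro to include/grub/efi/api.h and a "SMBIOS3" row to guid_mappings in lsefisystab.c; no structure is defined here. Since this is a cherry-pick and the upstream message has to stay, add a line to the patch description (next to Patch-Name) stating that only the GUID and its lsefisystab label are introduced, so nobody looks for an entry point struct from this patch.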
  31. Download patch debian/grub-multi-install
  32. Download patch debian/patches/0093-hfsplus-fix-two-more-overflows.patch

    --- 2.04-1/debian/patches/0093-hfsplus-fix-two-more-overflows.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0093-hfsplus-fix-two-more-overflows.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,53 @@ +From 4be2c61fdd94238b4e529f018eddea12f6ba5361 Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Sun, 19 Jul 2020 14:43:31 -0400 +Subject: hfsplus: fix two more overflows + +Both node->size and node->namelen come from the supplied filesystem, +which may be user-supplied. We can't trust them for the math unless we +know they don't overflow; making sure they go through calloc() first +will give us that. + +Signed-off-by: Peter Jones <pjones@redhat.com> +Reviewed-by: Darren Kenny <darren.kenny@oracle.com> +--- + grub-core/fs/hfsplus.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index dae43becc9..9c4e4c88c9 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -31,6 +31,7 @@ + #include <grub/hfs.h> + #include <grub/charset.h> + #include <grub/hfsplus.h> ++#include <grub/safemath.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node) + { + char *symlink; + grub_ssize_t numread; ++ grub_size_t sz = node->size; + +- symlink = grub_malloc (node->size + 1); ++ if (grub_add (sz, 1, &sz)) ++ return NULL; ++ ++ symlink = grub_malloc (sz); + if (!symlink) + return 0; + +@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg) + if (type == GRUB_FSHELP_UNKNOWN) + return 0; + +- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen) +- * GRUB_MAX_UTF8_PER_UTF16 + 1); ++ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen), ++ GRUB_MAX_UTF8_PER_UTF16 + 1); + if (! filename) + return 0; +
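
    Review bot: In list_nodes() the replacement changes the requested size, not only the overflow behaviour: `grub_malloc (namelen * GRUB_MAX_UTF8_PER_UTF16 + 1)` always reserved at least one byte for the terminator, whereas `grub_calloc (namelen, GRUB_MAX_UTF8_PER_UTF16 + 1)` asks for namelen * (GRUB_MAX_UTF8_PER_UTF16 + 1) bytes, which is zero when catkey->namelen is 0. Because namelen comes from the filesystem image, either reject a zero namelen before the allocation or keep the + 1 outside the product using grub_mul() followed by grub_add(). In grub_hfsplus_read_symlink() the new overflow path returns NULL without setting an error, right next to the allocation-failure path that returns 0; use one spelling and report the overflow through grub_error() so the caller can tell why the read failed.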
  33. Download patch debian/patches/0082-safemath-Add-some-arithmetic-primitives-that-check-f.patch

    --- 2.04-1/debian/patches/0082-safemath-Add-some-arithmetic-primitives-that-check-f.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0082-safemath-Add-some-arithmetic-primitives-that-check-f.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,120 @@ +From daa399d191529cbbe465cfe3ecf5e90cada76786 Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Mon, 15 Jun 2020 10:58:42 -0400 +Subject: safemath: Add some arithmetic primitives that check for overflow + +This adds a new header, include/grub/safemath.h, that includes easy to +use wrappers for __builtin_{add,sub,mul}_overflow() declared like: + + bool OP(a, b, res) + +where OP is grub_add, grub_sub or grub_mul. OP() returns true in the +case where the operation would overflow and res is not modified. +Otherwise, false is returned and the operation is executed. + +These arithmetic primitives require newer compiler versions. So, bump +these requirements in the INSTALL file too. + +Signed-off-by: Peter Jones <pjones@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + INSTALL | 22 ++-------------------- + include/grub/compiler.h | 8 ++++++++ + include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 20 deletions(-) + create mode 100644 include/grub/safemath.h + +diff --git a/INSTALL b/INSTALL +index 342c158e91..991479b521 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -11,27 +11,9 @@ GRUB depends on some software packages installed into your system. If + you don't have any of them, please obtain and install them before + configuring the GRUB. + +-* GCC 4.1.3 or later +- Note: older versions may work but support is limited +- +- Experimental support for clang 3.3 or later (results in much bigger binaries) ++* GCC 5.1.0 or later ++ Experimental support for clang 3.8.0 or later (results in much bigger binaries) + for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64 +- Note: clang 3.2 or later works for i386 and x86_64 targets but results in +- much bigger binaries. 
+- earlier versions not tested +- Note: clang 3.2 or later works for arm +- earlier versions not tested +- Note: clang on arm64 is not supported due to +- https://llvm.org/bugs/show_bug.cgi?id=26030 +- Note: clang 3.3 or later works for mips(el) +- earlier versions fail to generate .reginfo and hence gprel relocations +- fail. +- Note: clang 3.2 or later works for powerpc +- earlier versions not tested +- Note: clang 3.5 or later works for sparc64 +- earlier versions return "error: unable to interface with target machine" +- Note: clang has no support for ia64 and hence you can't compile GRUB +- for ia64 with clang + * GNU Make + * GNU Bison 2.3 or later + * GNU gettext 0.17 or later +diff --git a/include/grub/compiler.h b/include/grub/compiler.h +index c9e1d7a73d..8f3be3ae70 100644 +--- a/include/grub/compiler.h ++++ b/include/grub/compiler.h +@@ -48,4 +48,12 @@ + # define WARN_UNUSED_RESULT + #endif + ++#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__) ++# define CLANG_PREREQ(maj,min) \ ++ ((__clang_major__ > (maj)) || \ ++ (__clang_major__ == (maj) && __clang_minor__ >= (min))) ++#else ++# define CLANG_PREREQ(maj,min) 0 ++#endif ++ + #endif /* ! GRUB_COMPILER_HEADER */ +diff --git a/include/grub/safemath.h b/include/grub/safemath.h +new file mode 100644 +index 0000000000..c17b89bba1 +--- /dev/null ++++ b/include/grub/safemath.h +@@ -0,0 +1,37 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2020 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>. ++ * ++ * Arithmetic operations that protect against overflow. ++ */ ++ ++#ifndef GRUB_SAFEMATH_H ++#define GRUB_SAFEMATH_H 1 ++ ++#include <grub/compiler.h> ++ ++/* These appear in gcc 5.1 and clang 3.8. */ ++#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8) ++ ++#define grub_add(a, b, res) __builtin_add_overflow(a, b, res) ++#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) ++#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) ++ ++#else ++#error gcc 5.1 or newer or clang 3.8 or newer is required ++#endif ++ ++#endif /* GRUB_SAFEMATH_H */
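Review bot: the commit message says that when OP() would overflow "res is not modified", but the macros in include/grub/safemath.h expand directly to __builtin_{add,sub,mul}_overflow(), which always store the wrapped result through res and report overflow only in the return value. The header has no comment stating the contract; add one above the `#define grub_add(a, b, res)` lines saying that a true return means overflow and that *res must not be used afterwards, and correct the commit message wording. Because these are plain macros, nothing forces a caller to test the return value, which is worth stating in the same comment.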
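Review bot: the INSTALL hunk removes more than the version floor. Along with "GCC 4.1.3 or later" it deletes the per-architecture clang notes, including "clang on arm64 is not supported due to https://llvm.org/bugs/show_bug.cgi?id=26030" and "clang has no support for ia64", while the retained context line still lists arm64 among the clang targets. If those limitations no longer apply from clang 3.8.0 on, say so in the commit message; otherwise keep the notes that are not about the minimum version.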
  34. Download patch debian/patches/mkconfig-loopback.patch

    --- 2.04-1/debian/patches/mkconfig-loopback.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-loopback.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From eac8d3f2f35c3478673698c800b21d425faf6326 Mon Sep 17 00:00:00 2001 +From 3883a00c8f4a4f59b6a677622776d5bf51337b65 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@debian.org> Date: Mon, 13 Jan 2014 12:13:00 +0000 Subject: Handle filesystems loop-mounted on file images @@ -21,7 +21,7 @@ Patch-Name: mkconfig-loopback.patch 3 files changed, 34 insertions(+) diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in -index b6606c16e..b05df554d 100644 +index b6606c16e0..b05df554da 100644 --- a/util/grub-mkconfig_lib.in +++ b/util/grub-mkconfig_lib.in @@ -133,6 +133,22 @@ prepare_grub_to_access_device () @@ -63,7 +63,7 @@ index b6606c16e..b05df554d 100644 grub_get_device_id () diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index dd5a60c71..8c22c79f6 100644 +index f839b3b55f..d927b60ae2 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -40,6 +40,11 @@ fi @@ -79,7 +79,7 @@ index dd5a60c71..8c22c79f6 100644 esac diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in -index 96179ea61..9a8d42fb5 100644 +index 96179ea613..9a8d42fb57 100644 --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in @@ -40,6 +40,11 @@ fi
  35. Download patch debian/patches/efi-variable-storage-minimise-writes.patch

    --- 2.04-1/debian/patches/efi-variable-storage-minimise-writes.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/efi-variable-storage-minimise-writes.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 4746efb5deb68fb95ea5b172fef043a03c0532b7 Mon Sep 17 00:00:00 2001 +From b18e6318f49373c1018be8b6d34266a009f10ae8 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 11 Mar 2019 11:17:43 +0000 Subject: Minimise writes to EFI variable storage @@ -60,7 +60,7 @@ Patch-Name: efi-variable-storage-minimis create mode 100644 grub-core/osdep/unix/efivar.c diff --git a/INSTALL b/INSTALL -index 8acb40902..342c158e9 100644 +index 8acb409023..342c158e91 100644 --- a/INSTALL +++ b/INSTALL @@ -41,6 +41,11 @@ configuring the GRUB. @@ -76,10 +76,10 @@ index 8acb40902..342c158e9 100644 * libdevmapper 1.02.34 or later (recommended) diff --git a/Makefile.util.def b/Makefile.util.def -index 8a24b23f0..59e41423b 100644 +index ce133e694e..504d1c0581 100644 --- a/Makefile.util.def +++ b/Makefile.util.def -@@ -558,6 +558,8 @@ program = { +@@ -565,6 +565,8 @@ program = { common = grub-core/osdep/compress.c; extra_dist = grub-core/osdep/unix/compress.c; extra_dist = grub-core/osdep/basic/compress.c; @@ -88,7 +88,7 @@ index 8a24b23f0..59e41423b 100644 common = util/editenv.c; common = grub-core/osdep/blocklist.c; common = grub-core/osdep/config.c; -@@ -571,12 +573,15 @@ program = { +@@ -578,12 +580,15 @@ program = { common = grub-core/kern/emu/argp_common.c; common = grub-core/osdep/init.c; @@ -104,7 +104,7 @@ index 8a24b23f0..59e41423b 100644 condition = COND_HAVE_EXEC; }; -@@ -605,6 +610,8 @@ program = { +@@ -612,6 +617,8 @@ program = { extra_dist = grub-core/osdep/basic/no_platform.c; extra_dist = grub-core/osdep/unix/platform.c; common = grub-core/osdep/compress.c; 
@@ -113,7 +113,7 @@ index 8a24b23f0..59e41423b 100644 common = util/editenv.c; common = grub-core/osdep/blocklist.c; common = grub-core/osdep/config.c; -@@ -618,12 +625,15 @@ program = { +@@ -625,12 +632,15 @@ program = { common = grub-core/kern/emu/argp_common.c; common = grub-core/osdep/init.c; @@ -129,7 +129,7 @@ index 8a24b23f0..59e41423b 100644 }; program = { -@@ -645,6 +655,8 @@ program = { +@@ -652,6 +662,8 @@ program = { common = grub-core/osdep/platform.c; common = grub-core/osdep/platform_unix.c; common = grub-core/osdep/compress.c; @@ -138,7 +138,7 @@ index 8a24b23f0..59e41423b 100644 common = util/editenv.c; common = grub-core/osdep/blocklist.c; common = grub-core/osdep/config.c; -@@ -657,12 +669,15 @@ program = { +@@ -664,12 +676,15 @@ program = { common = grub-core/kern/emu/argp_common.c; common = grub-core/osdep/init.c; @@ -154,7 +154,7 @@ index 8a24b23f0..59e41423b 100644 }; program = { -@@ -684,6 +699,8 @@ program = { +@@ -691,6 +706,8 @@ program = { common = grub-core/osdep/platform.c; common = grub-core/osdep/platform_unix.c; common = grub-core/osdep/compress.c; @@ -163,7 +163,7 @@ index 8a24b23f0..59e41423b 100644 common = util/editenv.c; common = grub-core/osdep/blocklist.c; common = grub-core/osdep/config.c; -@@ -693,12 +710,15 @@ program = { +@@ -700,12 +717,15 @@ program = { common = grub-core/kern/emu/argp_common.c; common = grub-core/osdep/init.c; @@ -180,7 +180,7 @@ index 8a24b23f0..59e41423b 100644 script = { diff --git a/configure.ac b/configure.ac -index e382c7480..883245553 100644 +index e382c7480d..883245553d 100644 --- a/configure.ac +++ b/configure.ac @@ -443,6 +443,18 @@ AC_CHECK_HEADER([util.h], [ @@ -204,7 +204,7 @@ index e382c7480..883245553 100644 CFLAGS="$HOST_CFLAGS -Wtrampolines -Werror" diff --git a/grub-core/osdep/efivar.c b/grub-core/osdep/efivar.c new file mode 100644 -index 000000000..d2750e252 +index 0000000000..d2750e2524 --- /dev/null +++ b/grub-core/osdep/efivar.c @@ -0,0 +1,3 @@ 
@@ -213,7 +213,7 @@ index 000000000..d2750e252 +#endif diff --git a/grub-core/osdep/unix/efivar.c b/grub-core/osdep/unix/efivar.c new file mode 100644 -index 000000000..4a58328b4 +index 0000000000..4a58328b42 --- /dev/null +++ b/grub-core/osdep/unix/efivar.c @@ -0,0 +1,508 @@ @@ -726,7 +726,7 @@ index 000000000..4a58328b4 + +#endif /* HAVE_EFIVAR */ diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c -index 9c439326a..b561174ea 100644 +index 9c439326a0..b561174ea9 100644 --- a/grub-core/osdep/unix/platform.c +++ b/grub-core/osdep/unix/platform.c @@ -19,15 +19,12 @@ @@ -856,7 +856,7 @@ index 9c439326a..b561174ea 100644 void diff --git a/include/grub/util/install.h b/include/grub/util/install.h -index 8aeb5c4f2..a521f1663 100644 +index 8aeb5c4f20..a521f1663f 100644 --- a/include/grub/util/install.h +++ b/include/grub/util/install.h @@ -219,6 +219,11 @@ grub_install_get_default_x86_platform (void); @@ -872,10 +872,10 @@ index 8aeb5c4f2..a521f1663 100644 grub_install_register_efi (grub_device_t efidir_grub_dev, const char *efifile_path, diff --git a/util/grub-install.c b/util/grub-install.c -index 6462d3c70..d66de7f8e 100644 +index 4bad8de612..63462e4e09 100644 --- a/util/grub-install.c +++ b/util/grub-install.c -@@ -2059,7 +2059,7 @@ main (int argc, char *argv[]) +@@ -2084,7 +2084,7 @@ main (int argc, char *argv[]) "\\System\\Library\\CoreServices", efi_distributor); if (ret) @@ -884,7 +884,7 @@ index 6462d3c70..d66de7f8e 100644 strerror (ret)); } -@@ -2173,7 +2173,7 @@ main (int argc, char *argv[]) +@@ -2201,7 +2201,7 @@ main (int argc, char *argv[]) ret = grub_install_register_efi (efidir_grub_dev, efifile_path, efi_distributor); if (ret)
  36. Download patch debian/patches/efinet-set-dns-from-uefi-proto.patch

    --- 2.04-1/debian/patches/efinet-set-dns-from-uefi-proto.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/efinet-set-dns-from-uefi-proto.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 2a8c1fc36074fe7ac673839c5434e7e2f1498cd3 Mon Sep 17 00:00:00 2001 +From 5e2600c379b6ef398a18081b65367f0674c935dc Mon Sep 17 00:00:00 2001 From: Michael Chang <mchang@suse.com> Date: Thu, 27 Oct 2016 17:43:21 -0400 Subject: efinet: Setting DNS server from UEFI protocol @@ -35,7 +35,7 @@ Patch-Name: efinet-set-dns-from-uefi-pro 2 files changed, 239 insertions(+) diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c -index 2d3b00f0e..82a28fb6e 100644 +index 2d3b00f0e1..82a28fb6e9 100644 --- a/grub-core/net/drivers/efi/efinet.c +++ b/grub-core/net/drivers/efi/efinet.c @@ -30,6 +30,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); @@ -244,7 +244,7 @@ index 2d3b00f0e..82a28fb6e 100644 } diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h -index 664cea37b..75befd10e 100644 +index 664cea37b5..75befd10e5 100644 --- a/include/grub/efi/api.h +++ b/include/grub/efi/api.h @@ -334,6 +334,16 @@
  37. Download patch debian/build-efi-images

    --- 2.04-1/debian/build-efi-images 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/build-efi-images 2020-08-10 13:07:29.000000000 +0000 @@ -129,6 +129,7 @@ CD_MODULES=" search_fs_file search_label sleep + smbios squash4 test true @@ -189,6 +190,7 @@ GRUB_MODULES="$CD_MODULES raid6rec " NET_MODULES="$CD_MODULES + http tftp " @@ -212,9 +214,12 @@ NET_MODULES="$CD_MODULES # Special network boot image for d-i to use. Just the same as the # normal network boot image, but with a different value baked in for # the prefix setting -"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \ - -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \ - -m "$workdir/memdisk-netboot.fat" \ - -p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES +# +# but not on Ubuntu LP: #1863994 +# +#"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \ +# -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \ +# -m "$workdir/memdisk-netboot.fat" \ +# -p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES exit 0
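Review bot: the first two hunks add `smbios` to CD_MODULES and `http` to NET_MODULES with no comment or bug reference, unlike the third hunk, which cites LP: #1863994. These lists are what grub_mkimage builds into the EFI images, so each addition should carry a short rationale or LP number next to it. In the third hunk the grub_mkimage call for grubnet$efi_name-installer.efi is commented out rather than removed, which leaves the "Special network boot image for d-i" comment describing an image that is no longer built; delete the block or guard it on the vendor instead.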
  38. Download patch debian/patches/disable-floppies.patch

    --- 2.04-1/debian/patches/disable-floppies.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/disable-floppies.patch 2020-08-10 13:07:29.000000000 +0000 @@ -13,7 +13,7 @@ Patch-Name: disable-floppies.patch 1 file changed, 12 insertions(+) diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c -index e9ec680cd..8ac523953 100644 +index e9ec680cdb..8ac5239538 100644 --- a/grub-core/kern/emu/hostdisk.c +++ b/grub-core/kern/emu/hostdisk.c @@ -532,6 +532,18 @@ read_device_map (const char *dev_map)
  39. Download patch debian/patches/install-powerpc-machtypes.patch

    --- 2.04-1/debian/patches/install-powerpc-machtypes.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/install-powerpc-machtypes.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 786580f06e6f715d6cb9a778926959b33134bb32 Mon Sep 17 00:00:00 2001 +From 2b3e762ebb12ce0d5a562dd36d23bca5d78aa61c Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@debian.org> Date: Tue, 28 Jan 2014 14:40:02 +0000 Subject: Port yaboot logic for various powerpc machine types @@ -25,7 +25,7 @@ Patch-Name: install-powerpc-machtypes.pa 6 files changed, 119 insertions(+), 6 deletions(-) diff --git a/grub-core/osdep/basic/platform.c b/grub-core/osdep/basic/platform.c -index a7dafd85a..6c293ed2d 100644 +index a7dafd85a9..6c293ed2d0 100644 --- a/grub-core/osdep/basic/platform.c +++ b/grub-core/osdep/basic/platform.c @@ -30,3 +30,8 @@ grub_install_get_default_x86_platform (void) @@ -38,7 +38,7 @@ index a7dafd85a..6c293ed2d 100644 + return "generic"; +} diff --git a/grub-core/osdep/linux/platform.c b/grub-core/osdep/linux/platform.c -index 2e7f72086..5b37366d4 100644 +index 2e7f720869..5b37366d4d 100644 --- a/grub-core/osdep/linux/platform.c +++ b/grub-core/osdep/linux/platform.c @@ -24,6 +24,7 @@ @@ -125,7 +125,7 @@ index 2e7f72086..5b37366d4 100644 + return machtype; +} diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c -index 55b8f4016..9c439326a 100644 +index 55b8f40162..9c439326a0 100644 --- a/grub-core/osdep/unix/platform.c +++ b/grub-core/osdep/unix/platform.c @@ -218,13 +218,29 @@ grub_install_register_ieee1275 (int is_prep, const char *install_device, @@ -165,7 +165,7 @@ index 55b8f4016..9c439326a 100644 free (boot_device); diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c -index 7eb53fe01..e19a3d9a8 100644 +index 7eb53fe01b..e19a3d9a8a 100644 --- a/grub-core/osdep/windows/platform.c +++ b/grub-core/osdep/windows/platform.c 
@@ -128,6 +128,12 @@ grub_install_get_default_x86_platform (void) @@ -182,7 +182,7 @@ index 7eb53fe01..e19a3d9a8 100644 get_efi_variable (const wchar_t *varname, ssize_t *len) { diff --git a/include/grub/util/install.h b/include/grub/util/install.h -index 2631b1074..8aeb5c4f2 100644 +index 2631b10745..8aeb5c4f20 100644 --- a/include/grub/util/install.h +++ b/include/grub/util/install.h @@ -216,6 +216,9 @@ grub_install_get_default_arm_platform (void); @@ -196,7 +196,7 @@ index 2631b1074..8aeb5c4f2 100644 grub_install_register_efi (grub_device_t efidir_grub_dev, const char *efifile_path, diff --git a/util/grub-install.c b/util/grub-install.c -index e5e9e439d..73c623107 100644 +index f0d59c1809..70d6700de8 100644 --- a/util/grub-install.c +++ b/util/grub-install.c @@ -1177,7 +1177,18 @@ main (int argc, char *argv[])
  40. Download patch debian/patches/grub-install-removable-shim.patch

    --- 2.04-1/debian/patches/grub-install-removable-shim.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/grub-install-removable-shim.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,193 +0,0 @@ -From 3d51b212987d47da2b8c65a911140bbbc2fd3153 Mon Sep 17 00:00:00 2001 -From: Steve McIntyre <93sam@debian.org> -Date: Fri, 14 Jun 2019 16:37:11 +0100 -Subject: Deal with --force-extra-removable with signed shim too - -In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI -and signed Grub as /EFI/BOOT/grubXXX.efi. - -Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into -/EFI/BOOT/ so that it can work when needed (*iff* we're updating the -NVRAM). - -[cjwatson: Refactored also_install_removable somewhat for brevity and so -that we're using consistent case-insensitive logic.] - -Bug-Debian: https://bugs.debian.org/930531 -Last-Update: 2019-06-14 - -Patch-Name: grub-install-removable-shim.patch ---- - util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++--------- - 1 file changed, 67 insertions(+), 17 deletions(-) - -diff --git a/util/grub-install.c b/util/grub-install.c -index d66de7f8e..35d150c33 100644 ---- a/util/grub-install.c -+++ b/util/grub-install.c -@@ -883,17 +883,13 @@ check_component_exists(const char *dir, - static void - also_install_removable(const char *src, - const char *base_efidir, -- const char *efi_suffix_upper) -+ const char *efi_file, -+ int is_needed) - { -- char *efi_file = NULL; - char *dst = NULL; - char *cur = NULL; - char *found = NULL; - -- if (!efi_suffix_upper) -- grub_util_error ("%s", _("efi_suffix_upper not set")); -- efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper); -- - /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we - * need to cope with case-insensitive stuff here. Build the path one - * component at a time, checking for existing matches each time. 
*/ -@@ -927,10 +923,9 @@ also_install_removable(const char *src, - cur = xstrdup (dst); - free (dst); - free (found); -- grub_install_copy_file (src, cur, 1); -+ grub_install_copy_file (src, cur, is_needed); - - free (cur); -- free (efi_file); - } - - int -@@ -2076,11 +2071,14 @@ main (int argc, char *argv[]) - case GRUB_INSTALL_PLATFORM_IA64_EFI: - { - char *dst = grub_util_path_concat (2, efidir, efi_file); -+ char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper); -+ - if (uefi_secure_boot) - { - char *shim_signed = NULL; - char *mok_signed = NULL, *mok_file = NULL; - char *fb_signed = NULL, *fb_file = NULL; -+ char *csv_file = NULL; - char *config_dst; - FILE *config_dst_f; - -@@ -2089,11 +2087,15 @@ main (int argc, char *argv[]) - mok_file = xasprintf ("mm%s.efi", efi_suffix); - fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix); - fb_file = xasprintf ("fb%s.efi", efi_suffix); -+ csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper); -+ -+ /* If we have a signed shim binary, install that and all -+ its helpers in the normal vendor path */ - - if (grub_util_is_regular (shim_signed)) - { - char *chained_base, *chained_dst; -- char *mok_src, *mok_dst, *fb_src, *fb_dst; -+ char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst; - if (!removable) - { - free (efi_file); -@@ -2105,8 +2107,6 @@ main (int argc, char *argv[]) - chained_base = xasprintf ("grub%s.efi", efi_suffix); - chained_dst = grub_util_path_concat (2, efidir, chained_base); - grub_install_copy_file (efi_signed, chained_dst, 1); -- free (chained_dst); -- free (chained_base); - - /* Not critical, so not an error if they are not present (as it - won't be for older releases); but if we have them, make -@@ -2117,8 +2117,6 @@ main (int argc, char *argv[]) - mok_file); - grub_install_copy_file (mok_src, - mok_dst, 0); -- free (mok_src); -- free (mok_dst); - - fb_src = grub_util_path_concat (2, "/usr/lib/shim/", - fb_signed); -@@ -2126,27 +2124,79 @@ main (int argc, char *argv[]) - 
fb_file); - grub_install_copy_file (fb_src, - fb_dst, 0); -+ -+ csv_src = grub_util_path_concat (2, "/usr/lib/shim/", -+ csv_file); -+ csv_dst = grub_util_path_concat (2, efidir, -+ csv_file); -+ grub_install_copy_file (csv_src, -+ csv_dst, 0); -+ -+ /* Install binaries into .../EFI/BOOT too: -+ the shim binary -+ the grub binary -+ the shim fallback binary (not fatal on failure) */ -+ if (force_extra_removable) -+ { -+ grub_util_info ("Secure boot: installing shim and image into rm path"); -+ also_install_removable (shim_signed, base_efidir, removable_file, 1); -+ -+ also_install_removable (efi_signed, base_efidir, chained_base, 1); -+ -+ /* If we're updating the NVRAM, add fallback too - it -+ will re-update the NVRAM later if things break */ -+ if (update_nvram) -+ also_install_removable (fb_src, base_efidir, fb_file, 0); -+ } -+ -+ free (chained_dst); -+ free (chained_base); -+ free (mok_src); -+ free (mok_dst); - free (fb_src); - free (fb_dst); -+ free (csv_src); -+ free (csv_dst); - } - else -- grub_install_copy_file (efi_signed, dst, 1); -+ { -+ /* Tried to install for secure boot, but no signed -+ shim found. 
Fall back to just installing the signed -+ grub binary */ -+ grub_util_info ("Secure boot (no shim): installing signed grub binary"); -+ grub_install_copy_file (efi_signed, dst, 1); -+ if (force_extra_removable) -+ { -+ grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path"); -+ also_install_removable (efi_signed, base_efidir, removable_file, 1); -+ } -+ } - -+ /* In either case, install our grub.cfg */ - config_dst = grub_util_path_concat (2, efidir, "grub.cfg"); - grub_install_copy_file (load_cfg, config_dst, 1); - config_dst_f = grub_util_fopen (config_dst, "ab"); - fprintf (config_dst_f, "configfile $prefix/grub.cfg\n"); - fclose (config_dst_f); - free (config_dst); -- if (force_extra_removable) -- also_install_removable(efi_signed, base_efidir, efi_suffix_upper); -+ -+ free (csv_file); -+ free (fb_file); -+ free (fb_signed); -+ free (mok_file); -+ free (mok_signed); -+ free (shim_signed); - } - else - { -+ /* No secure boot - just install our newly-generated image */ -+ grub_util_info ("No Secure Boot: installing core image"); - grub_install_copy_file (imgfile, dst, 1); - if (force_extra_removable) -- also_install_removable(imgfile, base_efidir, efi_suffix_upper); -+ also_install_removable (imgfile, base_efidir, removable_file, 1); - } -+ -+ free (removable_file); - free (dst); - } - if (!removable && update_nvram)
  41. Download patch debian/patches/bootp-new-net_bootp6-command.patch

    --- 2.04-1/debian/patches/bootp-new-net_bootp6-command.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/bootp-new-net_bootp6-command.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From ed6f9313a2965716f779f23826e9f74f3074bc8b Mon Sep 17 00:00:00 2001 +From c5375c14deee6e8fd23a018d583495e5c4f95930 Mon Sep 17 00:00:00 2001 From: Michael Chang <mchang@suse.com> Date: Thu, 27 Oct 2016 17:41:04 -0400 Subject: bootp: New net_bootp6 command @@ -17,7 +17,7 @@ Patch-Name: bootp-new-net_bootp6-command 3 files changed, 1018 insertions(+), 1 deletion(-) diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c -index 04cfbb045..21c1824ef 100644 +index 04cfbb0450..21c1824efb 100644 --- a/grub-core/net/bootp.c +++ b/grub-core/net/bootp.c @@ -24,6 +24,98 @@ @@ -969,7 +969,7 @@ index 04cfbb045..21c1824ef 100644 + grub_unregister_command (cmd_bootp6); } diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c -index ea5edf8f1..01410798b 100644 +index ea5edf8f1f..01410798b3 100644 --- a/grub-core/net/ip.c +++ b/grub-core/net/ip.c @@ -239,6 +239,45 @@ handle_dgram (struct grub_net_buff *nb, @@ -1019,7 +1019,7 @@ index ea5edf8f1..01410798b 100644 { const struct grub_net_bootp_packet *bootp; diff --git a/include/grub/net.h b/include/grub/net.h -index cc114286e..58cff96d2 100644 +index cc114286ea..58cff96d2a 100644 --- a/include/grub/net.h +++ b/include/grub/net.h @@ -448,6 +448,66 @@ struct grub_net_bootp_packet
  42. Download patch debian/patches/0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch

    --- 2.04-1/debian/patches/0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,86 @@ +From 484c805e1361fd010e0c3e2c44585f5f7e3899c1 Mon Sep 17 00:00:00 2001 +From: Julian Andres Klode <julian.klode@canonical.com> +Date: Tue, 3 Mar 2020 16:06:34 +0100 +Subject: smbios: Add a --linux argument to apply linux modalias-like filtering + +Linux creates modalias strings by filtering out non-ASCII, space, +and colon characters. Provide an option that does the same filtering +so people can create a modalias string in GRUB, and then match their +modalias patterns against it. + +Signed-off-by: Julian Andres Klode <julian.klode@canonical.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=87049f9716fb095aecb595fb8f45497bbbb1b4a2 +--- + grub-core/commands/smbios.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/grub-core/commands/smbios.c b/grub-core/commands/smbios.c +index 7a6a391fc1..1a9086ddd4 100644 +--- a/grub-core/commands/smbios.c ++++ b/grub-core/commands/smbios.c +@@ -64,6 +64,21 @@ grub_smbios_get_eps3 (void) + return eps; + } + ++static char * ++linux_string (const char *value) ++{ ++ char *out = grub_malloc( grub_strlen (value) + 1); ++ const char *src = value; ++ char *dst = out; ++ ++ for (; *src; src++) ++ if (*src > ' ' && *src < 127 && *src != ':') ++ *dst++ = *src; ++ ++ *dst = 0; ++ return out; ++} ++ + /* + * These functions convert values from the various SMBIOS structure field types + * into a string formatted to be returned to the user. They expect that the +@@ -176,6 +191,7 @@ static const struct { + /* List command options, with structure field getters ordered as above. 
*/ + #define FIRST_GETTER_OPT (3) + #define SETTER_OPT (FIRST_GETTER_OPT + ARRAY_SIZE(field_extractors)) ++#define LINUX_OPT (FIRST_GETTER_OPT + ARRAY_SIZE(field_extractors) + 1) + + static const struct grub_arg_option options[] = { + {"type", 't', 0, N_("Match structures with the given type."), +@@ -198,6 +214,8 @@ static const struct grub_arg_option options[] = { + N_("offset"), ARG_TYPE_INT}, + {"set", '\0', 0, N_("Store the value in the given variable name."), + N_("variable"), ARG_TYPE_STRING}, ++ {"linux", '\0', 0, N_("Filter the result like linux does."), ++ N_("variable"), ARG_TYPE_NONE}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -261,6 +279,7 @@ grub_cmd_smbios (grub_extcmd_context_t ctxt, + + const grub_uint8_t *structure; + const char *value; ++ char *modified_value = NULL; + grub_int32_t option; + grub_int8_t field_type = -1; + grub_uint8_t i; +@@ -334,12 +353,17 @@ grub_cmd_smbios (grub_extcmd_context_t ctxt, + return grub_error (GRUB_ERR_IO, + N_("failed to retrieve the structure field")); + ++ if (state[LINUX_OPT].set) ++ value = modified_value = linux_string (value); ++ + /* Store or print the formatted value. */ + if (state[SETTER_OPT].set) + grub_env_set (state[SETTER_OPT].arg, value); + else + grub_printf ("%s\n", value); + ++ grub_free(modified_value); ++ + return GRUB_ERR_NONE; + } +
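Review bot: linux_string() in the first hunk writes through the result of grub_malloc() without checking it, so an allocation failure becomes a NULL dereference at `*dst++ = *src` or `*dst = 0`. Return NULL when the allocation fails, and in grub_cmd_smbios check the result of `value = modified_value = linux_string (value);` and return grub_errno before the value reaches grub_env_set or grub_printf. Minor style: `grub_malloc( grub_strlen (value) + 1)` and `grub_free(modified_value)` do not match the call spacing used in the surrounding lines.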
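Review bot: the new options[] entry gives `--linux` an argument name, N_("variable"), while declaring it ARG_TYPE_NONE; this looks copied from the `set` entry above it. Use 0 for the argument name so the option is documented as a plain flag. LINUX_OPT also repeats the SETTER_OPT expression with `+ 1` appended; writing it as `(SETTER_OPT + 1)` makes the dependency on the order of entries in options[] explicit.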
  43. Download patch debian/grub-extras/lua/.bzrignore

    --- 2.04-1/debian/grub-extras/lua/.bzrignore 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-extras/lua/.bzrignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -**/.deps-core -**/.dirstamp -Makefile.core.am
  44. Download patch debian/patches/0097-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch

    --- 2.04-1/debian/patches/0097-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0097-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,84 @@ +From 77a41770dfb138bc68c43f86a6e9d05188a0da4f Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Wed, 22 Jul 2020 17:06:04 +0100 +Subject: Fix a regression caused by "efi: fix some malformed device path + arithmetic errors" + +This commit introduced a bogus check inside copy_file_path to +determine whether the destination grub_efi_file_path_device_path_t +was valid before anything was copied to it. Depending on the +contents of the heap buffer, this check could fail which would +result in copy_file_path returning early. + +Without any error propagated to the caller, make_file_path would +then try to advance the invalid device path node with +GRUB_EFI_NEXT_DEVICE_PATH, which would also fail, returning a NULL +pointer that would subsequently be dereferenced. + +Remove the bogus check, and also propagate errors from copy_file_path. +--- + grub-core/loader/efi/chainloader.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index cf89cedf8d..d0c53077e8 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -116,7 +116,7 @@ grub_chainloader_boot (void) + return grub_errno; + } + +-static void ++static grub_err_t + copy_file_path (grub_efi_file_path_device_path_t *fp, + const char *str, grub_efi_uint16_t len) + { +@@ -126,15 +126,9 @@ copy_file_path (grub_efi_file_path_device_path_t *fp, + fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE; + fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE; + +- if (!GRUB_EFI_DEVICE_PATH_VALID ((grub_efi_device_path_t *)fp)) +- { +- grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI Device Path is invalid"); +- return; +- } +- + path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name)); + if (!path_name) +- return; ++ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "failed to allocate path buffer"); + + size = 
grub_utf8_to_utf16 (path_name, len * GRUB_MAX_UTF16_PER_UTF8, + (const grub_uint8_t *) str, len, 0); +@@ -147,6 +141,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp, + fp->path_name[size++] = '\0'; + fp->header.length = size * sizeof (grub_efi_char16_t) + sizeof (*fp); + grub_free (path_name); ++ return GRUB_ERR_NONE; + } + + static grub_efi_device_path_t * +@@ -204,13 +199,19 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename) + /* Fill the file path for the directory. */ + d = (grub_efi_device_path_t *) ((char *) file_path + + ((char *) d - (char *) dp)); +- copy_file_path ((grub_efi_file_path_device_path_t *) d, +- dir_start, dir_end - dir_start); ++ if (copy_file_path ((grub_efi_file_path_device_path_t *) d, ++ dir_start, dir_end - dir_start) != GRUB_ERR_NONE) ++ { ++ fail: ++ grub_free (file_path); ++ return 0; ++ } + + /* Fill the file path for the file. */ + d = GRUB_EFI_NEXT_DEVICE_PATH (d); +- copy_file_path ((grub_efi_file_path_device_path_t *) d, +- dir_end + 1, grub_strlen (dir_end + 1)); ++ if (copy_file_path ((grub_efi_file_path_device_path_t *) d, ++ dir_end + 1, grub_strlen (dir_end + 1)) != GRUB_ERR_NONE) ++ goto fail; + + /* Fill the end of device path nodes. */ + d = GRUB_EFI_NEXT_DEVICE_PATH (d);
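Review bot: in the make_file_path hunk the `fail:` label sits inside the body of the first `if (copy_file_path (...) != GRUB_ERR_NONE)` and the second check reaches it with `goto fail`, jumping into another statement's block. That is valid C but easy to break when either call is edited later; move the cleanup (`grub_free (file_path); return 0;`) to a label at the end of the function and have both checks jump to it. The commit message would also be easier to trace if it named the commit it fixes by hash as well as by subject.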
  45. Download patch debian/canonical-uefi-ca.crt

    --- 2.04-1/debian/canonical-uefi-ca.crt 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/canonical-uefi-ca.crt 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,25 @@
  46. Download patch debian/patches/0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch

    --- 2.04-1/debian/patches/0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,50 @@ +From c15dfc896951a0d1fa03576a3354c59a873cb019 Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwatson@debian.org> +Date: Mon, 27 Jul 2020 14:22:12 +0100 +Subject: efilinux: Fix integer overflows in grub_cmd_initrd + +These could be triggered by an extremely large number of arguments to +the initrd command on 32-bit architectures, or a crafted filesystem with +very large files on any architecture. + +Fixes: CVE-2020-15707 + +Signed-off-by: Colin Watson <cjwatson@debian.org> +--- + grub-core/loader/i386/efi/linux.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index e357bf67c6..381459ce08 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -28,6 +28,7 @@ + #include <grub/efi/efi.h> + #include <grub/efi/linux.h> + #include <grub/efi/sb.h> ++#include <grub/safemath.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -94,7 +95,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), + goto fail; + } + +- files = grub_zalloc (argc * sizeof (files[0])); ++ files = grub_calloc (argc, sizeof (files[0])); + if (!files) + goto fail; + +@@ -104,7 +105,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), + if (! files[i]) + goto fail; + nfiles++; +- size += ALIGN_UP (grub_file_size (files[i]), 4); ++ if (grub_add (size, ALIGN_UP (grub_file_size (files[i]), 4), &size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ goto fail; ++ } + } + + initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size));
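    Review bot: In the loop of grub_cmd_initrd, `ALIGN_UP (grub_file_size (files[i]), 4)` is evaluated before grub_add sees it, so a file size within 3 bytes of the type's maximum wraps to a small value during the round-up and the checked add then passes. Since the commit message names crafted filesystems with very large files as a trigger, make the round-up checked as well (grub_add of the size and 3, then mask) or reject sizes above the maximum minus 3 first. The error text "overflow is detected" could also say which quantity overflowed.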
  47. Download patch debian/grub-common.dirs

    --- 2.04-1/debian/grub-common.dirs 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-common.dirs 2020-08-10 13:07:29.000000000 +0000 @@ -1,2 +1,3 @@ usr/sbin var/lib/grub/ucf +var/lib/grub/esp
  48. Download patch debian/patches/0086-iso9660-Don-t-leak-memory-on-realloc-failures.patch

    --- 2.04-1/debian/patches/0086-iso9660-Don-t-leak-memory-on-realloc-failures.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0086-iso9660-Don-t-leak-memory-on-realloc-failures.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,65 @@ +From 3daaf33550e0fc35de5a51de337e7d5e4bd1bbfd Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Sat, 4 Jul 2020 12:25:09 -0400 +Subject: iso9660: Don't leak memory on realloc() failures + +Signed-off-by: Peter Jones <pjones@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/fs/iso9660.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index 7ba5b300bc..5ec4433b8f 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx, + { + int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0; + grub_size_t sz; ++ char *new; + + if (grub_add (size, len2, &sz) || + grub_add (sz, 1, &sz)) + return; + +- ctx->symlink = grub_realloc (ctx->symlink, sz); +- if (! ctx->symlink) +- return; ++ new = grub_realloc (ctx->symlink, sz); ++ if (!new) ++ { ++ grub_free (ctx->symlink); ++ ctx->symlink = NULL; ++ return; ++ } ++ ctx->symlink = new; + + grub_memcpy (ctx->symlink + size, part, len2); + ctx->symlink[size + len2] = 0; +@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, + is the length. Both are part of the `Component + Record'. */ + if (ctx->symlink && !ctx->was_continue) +- add_part (ctx, "/", 1); ++ { ++ add_part (ctx, "/", 1); ++ if (grub_errno) ++ return grub_errno; ++ } ++ + add_part (ctx, (char *) &entry->data[pos + 2], + entry->data[pos + 1]); + ctx->was_continue = (entry->data[pos] & 1); +@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, + add_part (ctx, "/", 1); + break; + } ++ ++ /* Check if grub_realloc() failed in add_part(). */ ++ if (grub_errno) ++ return grub_errno; ++ + /* In pos + 1 the length of the `Component Record' is + stored. */ + pos += entry->data[pos + 1] + 2;
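    Review bot: In add_part, the early `return` taken when either grub_add reports overflow (the unchanged lines just above the new realloc handling) sets no error and leaves ctx->symlink as it was, so the `if (grub_errno)` checks this patch adds in susp_iterate_dir do not see that failure and the symlink is silently truncated. Raise an error there and free and clear ctx->symlink as the new realloc branch does, or make add_part return grub_err_t so callers do not depend on the global grub_errno, which can carry a value from an unrelated earlier failure.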
  49. Download patch debian/patches/olpc-prefix-hack.patch

    --- 2.04-1/debian/patches/olpc-prefix-hack.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/olpc-prefix-hack.patch 2020-08-10 13:07:29.000000000 +0000 @@ -11,7 +11,7 @@ Patch-Name: olpc-prefix-hack.patch 1 file changed, 11 insertions(+) diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c -index d483e35ee..8b089b48d 100644 +index d483e35eed..8b089b48d0 100644 --- a/grub-core/kern/ieee1275/init.c +++ b/grub-core/kern/ieee1275/init.c @@ -76,6 +76,7 @@ grub_exit (void)
  50. Download patch debian/patches/mkconfig-mid-upgrade.patch

    --- 2.04-1/debian/patches/mkconfig-mid-upgrade.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-mid-upgrade.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From d9aea1d0f76bb3e284531a0076c08665fb98b591 Mon Sep 17 00:00:00 2001 +From 16f168810740a2fd3defa4856ead7b8ded2d1fb5 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:03 +0000 Subject: Bail out if trying to run grub-mkconfig during upgrade to 2.00 @@ -20,7 +20,7 @@ Patch-Name: mkconfig-mid-upgrade.patch 1 file changed, 7 insertions(+) diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in -index 45cd4cc54..b506d63bf 100644 +index 45cd4cc541..b506d63bf9 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -102,6 +102,13 @@ do
  51. Download patch debian/patches/install-signed.patch
  52. Download patch debian/patches/0101-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch
  53. Download patch debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch

    --- 2.04-1/debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,118 @@ +From 80b0e6a9375628f209b96173ce0a3af70060131c Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Wed, 11 Mar 2020 16:46:00 +0100 +Subject: ubuntu: Make the linux command in EFI grub always try EFI handover + +The previous implementation only boots via the EFI handover protocol when +secure boot is enabled. This means that disabling secure boot breaks some +features that depend on the kernel being booted via the EFI handover entry +point, such as retrieval of the TCG event log. + +Update the linux command to always attempt to defer to linuxefi in EFI grub +builds, regardless of whether secure boot is enabled or not. This also allows +a fallback to the non-EFI handover path on kernels that don't support it, but +only if secure boot is disabled. +--- + grub-core/loader/i386/efi/linux.c | 14 +++++---- + grub-core/loader/i386/linux.c | 47 +++++++++++++++++-------------- + 2 files changed, 35 insertions(+), 26 deletions(-) + +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index 6b6aef87f7..fe3ca2c596 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -27,6 +27,7 @@ + #include <grub/lib/cmdline.h> + #include <grub/efi/efi.h> + #include <grub/efi/linux.h> ++#include <grub/efi/sb.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + goto fail; + } + +- rc = grub_linuxefi_secure_validate (kernel, filelen); +- if (rc < 0) ++ if (grub_efi_secure_boot ()) + { +- grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"), +- argv[0]); +- goto fail; ++ rc = grub_linuxefi_secure_validate (kernel, filelen); ++ if (rc < 0) ++ { ++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"), ++ argv[0]); ++ goto fail; ++ } + } + + params = grub_efi_allocate_pages_max (0x3fffffff, +diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c +index 
4328bcbdb0..991eb29db9 100644 +--- a/grub-core/loader/i386/linux.c ++++ b/grub-core/loader/i386/linux.c +@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + + #ifdef GRUB_MACHINE_EFI + using_linuxefi = 0; +- if (grub_efi_secure_boot ()) +- { +- /* linuxefi requires a successful signature check and then hand over +- to the kernel without calling ExitBootServices. */ +- grub_dl_t mod; +- grub_command_t linuxefi_cmd; + +- grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n"); ++ grub_dl_t mod; ++ grub_command_t linuxefi_cmd; ++ ++ grub_dprintf ("linux", "Trying linuxefi\n"); + +- mod = grub_dl_load ("linuxefi"); +- if (mod) ++ mod = grub_dl_load ("linuxefi"); ++ if (mod) ++ { ++ grub_dl_ref (mod); ++ linuxefi_cmd = grub_command_find ("linuxefi"); ++ initrdefi_cmd = grub_command_find ("initrdefi"); ++ if (linuxefi_cmd && initrdefi_cmd) + { +- grub_dl_ref (mod); +- linuxefi_cmd = grub_command_find ("linuxefi"); +- initrdefi_cmd = grub_command_find ("initrdefi"); +- if (linuxefi_cmd && initrdefi_cmd) ++ (linuxefi_cmd->func) (linuxefi_cmd, argc, argv); ++ if (grub_errno == GRUB_ERR_NONE) ++ { ++ grub_dprintf ("linux", "Handing off to linuxefi\n"); ++ using_linuxefi = 1; ++ return GRUB_ERR_NONE; ++ } ++ else if (grub_efi_secure_boot ()) + { +- (linuxefi_cmd->func) (linuxefi_cmd, argc, argv); +- if (grub_errno == GRUB_ERR_NONE) +- { +- grub_dprintf ("linux", "Handing off to linuxefi\n"); +- using_linuxefi = 1; +- return GRUB_ERR_NONE; +- } +- grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno); ++ grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno); + goto fail; + } + } + } ++ ++ if (grub_efi_secure_boot ()) ++ { ++ grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n"); ++ goto fail; ++ } + #endif + + if (argc == 0)
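    Review bot: In the grub-core/loader/i386/linux.c hunk, when `(linuxefi_cmd->func)` fails and secure boot is disabled, control falls through to the non-handover path with grub_errno still set by the failed attempt, and the old "linuxefi failed (%d)" debug line is now printed only in the secure-boot branch. Log the failure in both cases and reset grub_errno to GRUB_ERR_NONE before continuing, so the fallback does not start with a stale error. The `grub_dl_ref (mod)` taken before the attempt is also kept when falling back, and the patch carries no Signed-off-by line.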
  54. Download patch debian/patches/ppc64el-disable-vsx.patch

    --- 2.04-1/debian/patches/ppc64el-disable-vsx.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/ppc64el-disable-vsx.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From ed02b830bb2ecc1cce75a75f6985fd92e9332365 Mon Sep 17 00:00:00 2001 +From 7736a6a5e58402b8f88d053ce2409b2d16262be5 Mon Sep 17 00:00:00 2001 From: Paulo Flabiano Smorigo <pfsmorigo@linux.vnet.ibm.com> Date: Thu, 25 Sep 2014 19:33:39 -0300 Subject: Disable VSX instruction @@ -21,7 +21,7 @@ Patch-Name: ppc64el-disable-vsx.patch 1 file changed, 12 insertions(+) diff --git a/grub-core/kern/powerpc/ieee1275/startup.S b/grub-core/kern/powerpc/ieee1275/startup.S -index 21c884b43..de9a9601a 100644 +index 21c884b433..de9a9601a9 100644 --- a/grub-core/kern/powerpc/ieee1275/startup.S +++ b/grub-core/kern/powerpc/ieee1275/startup.S @@ -20,6 +20,8 @@
  55. Download patch debian/patches/maybe-quiet.patch

    --- 2.04-1/debian/patches/maybe-quiet.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/maybe-quiet.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,6 +1,6 @@ -From 2904de3e9a1f2789442813696c3fbbd59b993443 Mon Sep 17 00:00:00 2001 -From: Colin Watson <cjwatson@ubuntu.com> -Date: Mon, 13 Jan 2014 12:13:26 +0000 +From 139c9faecee68370e4b46d50ca51d0524029212c Mon Sep 17 00:00:00 2001 +From: Didier Roche <didrocks@ubuntu.com> +Date: Tue, 31 Mar 2020 15:20:15 +0200 Subject: Add configure option to reduce visual clutter at boot time If this option is enabled, then do all of the following: @@ -43,10 +43,11 @@ Patch-Name: maybe-quiet.patch grub-core/normal/main.c | 11 +++++++++++ grub-core/normal/menu.c | 17 +++++++++++++++-- util/grub.d/10_linux.in | 15 +++++++++++---- - 9 files changed, 111 insertions(+), 6 deletions(-) + util/grub.d/10_linux_zfs.in | 9 +++++++-- + 10 files changed, 118 insertions(+), 8 deletions(-) diff --git a/config.h.in b/config.h.in -index 9e8f9911b..d2c4ce8e5 100644 +index 9e8f9911b1..d2c4ce8e51 100644 --- a/config.h.in +++ b/config.h.in @@ -12,6 +12,8 @@ @@ -59,7 +60,7 @@ index 9e8f9911b..d2c4ce8e5 100644 /* We don't need those. */ #define MINILZO_CFG_SKIP_LZO_PTR 1 diff --git a/configure.ac b/configure.ac -index 1e5abc67d..ea00ccd69 100644 +index 1e5abc67d9..ea00ccd691 100644 --- a/configure.ac +++ b/configure.ac @@ -1857,6 +1857,17 @@ else @@ -92,7 +93,7 @@ index 1e5abc67d..ea00ccd69 100644 echo "*******************************************************" ] diff --git a/grub-core/boot/i386/pc/boot.S b/grub-core/boot/i386/pc/boot.S -index 2bd0b2d28..b0c0f2225 100644 +index 2bd0b2d286..b0c0f2225e 100644 --- a/grub-core/boot/i386/pc/boot.S +++ b/grub-core/boot/i386/pc/boot.S @@ -19,6 +19,9 @@ @@ -124,7 +125,7 @@ index 2bd0b2d28..b0c0f2225 100644 movw $disk_address_packet, %si 
diff --git a/grub-core/boot/i386/pc/diskboot.S b/grub-core/boot/i386/pc/diskboot.S -index c1addc0df..9b6d7a7ed 100644 +index c1addc0df2..9b6d7a7edc 100644 --- a/grub-core/boot/i386/pc/diskboot.S +++ b/grub-core/boot/i386/pc/diskboot.S @@ -18,6 +18,9 @@ @@ -204,7 +205,7 @@ index c1addc0df..9b6d7a7ed 100644 notification_step: .asciz "." diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c -index 9cad0c448..714b63d67 100644 +index 9cad0c4485..714b63d674 100644 --- a/grub-core/kern/main.c +++ b/grub-core/kern/main.c @@ -264,15 +264,25 @@ reclaim_module_space (void) @@ -247,7 +248,7 @@ index 9cad0c448..714b63d67 100644 grub_rescue_run (); } diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c -index dcd7d4439..a93524eab 100644 +index dcd7d44397..a93524eabb 100644 --- a/grub-core/kern/rescue_reader.c +++ b/grub-core/kern/rescue_reader.c @@ -78,7 +78,9 @@ grub_rescue_read_line (char **line, int cont, @@ -261,7 +262,7 @@ index dcd7d4439..a93524eab 100644 while (1) { diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c -index 1b03dfd57..0aa389fa1 100644 +index 1b03dfd57b..0aa389fa16 100644 --- a/grub-core/normal/main.c +++ b/grub-core/normal/main.c @@ -389,6 +389,15 @@ static grub_err_t @@ -291,7 +292,7 @@ index 1b03dfd57..0aa389fa1 100644 while (1) { diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c -index 3611ee9ea..ebf5a0f10 100644 +index 3611ee9ea7..ebf5a0f109 100644 --- a/grub-core/normal/menu.c +++ b/grub-core/normal/menu.c @@ -827,12 +827,18 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot) @@ -338,7 +339,7 @@ index 3611ee9ea..ebf5a0f10 100644 if (auto_boot) grub_menu_execute_with_fallback (menu, e, autobooted, diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index 61335e908..2e4dff9fb 100644 +index cb1cc200e4..479a8bf4e5 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -21,6 +21,7 @@ prefix="@prefix@" 
@@ -349,7 +350,7 @@ index 61335e908..2e4dff9fb 100644 . "$pkgdatadir/grub-mkconfig_lib" -@@ -158,10 +159,12 @@ linux_entry () +@@ -162,10 +163,12 @@ linux_entry () fi printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" fi @@ -364,7 +365,7 @@ index 61335e908..2e4dff9fb 100644 if test -d /sys/firmware/efi && test -e "${linux}.efi.signed"; then sed "s/^/$submenu_indentation/" << EOF linux ${rel_dirname}/${basename}.efi.signed root=${linux_root_device_thisversion} ro ${args} -@@ -173,13 +176,17 @@ EOF +@@ -177,13 +180,17 @@ EOF fi if test -n "${initrd}" ; then # TRANSLATORS: ramdisk isn't identifier. Should be translated. 
@@ -384,3 +385,37 @@ index 61335e908..2e4dff9fb 100644 initrd $(echo $initrd_path) EOF fi +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index bd4f1a2123..3a0e6d1035 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -20,6 +20,7 @@ set -e + prefix="@prefix@" + datarootdir="@datarootdir@" + ubuntu_recovery="@UBUNTU_RECOVERY@" ++quiet_boot="@QUIET_BOOT@" + + . "${pkgdatadir}/grub-mkconfig_lib" + +@@ -779,7 +780,9 @@ zfs_linux_entry () { + + echo "$(prepare_grub_to_access_device_cached "${boot_device}" "${submenu_level}")" + +- echo "${submenu_indentation} echo $(gettext_printf "Loading Linux %s ..." ${kernel_version} | grub_quote)" ++ if [ "${quiet_boot}" = 0 ] || [ "${type}" != simple ]; then ++ echo "${submenu_indentation} echo $(gettext_printf "Loading Linux %s ..." ${kernel_version} | grub_quote)" ++ fi + + linux_default_args="${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" + if [ ${type} = "recovery" ]; then +@@ -788,7 +791,9 @@ zfs_linux_entry () { + + echo "${submenu_indentation} linux ${kernel} root=ZFS=${dataset} ro ${linux_default_args} ${kernel_additional_args}" + +- echo "${submenu_indentation} echo '$(gettext_printf "Loading initial ramdisk ..." | grub_quote)'" ++ if [ "${quiet_boot}" = 0 ] || [ "${type}" != simple ]; then ++ echo "${submenu_indentation} echo '$(gettext_printf "Loading initial ramdisk ..." | grub_quote)'" ++ fi + echo "${submenu_indentation} initrd ${initrd}" + echo "${submenu_indentation}}" + }
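    Review bot: The refreshed patch header replaces `From: Colin Watson` and the 2014 date with a different author and a 2020 date while the subject and description stay the same, so the authorship of the original nine-file change is lost; keep the original From/Date and carry the 10_linux_zfs.in addition as its own patch, or credit it in the description. In that new 10_linux_zfs.in hunk, `${kernel_version}` is still passed to gettext_printf unquoted inside the added `if`, and the condition `[ "${quiet_boot}" = 0 ] || [ "${type}" != simple ]` would benefit from a one-line comment saying the messages are suppressed only for the simple entry.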
  56. Download patch debian/patches/bash-completion-drop-have-checks.patch

    --- 2.04-1/debian/patches/bash-completion-drop-have-checks.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/bash-completion-drop-have-checks.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From c4f631afd9d93fcfdf4a8a41e72c37818220b31a Mon Sep 17 00:00:00 2001 +From c3bac3061438a6308dc0191e72e295957270c755 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@debian.org> Date: Fri, 16 Nov 2018 16:37:02 +0000 Subject: bash-completion: Drop "have" checks @@ -16,7 +16,7 @@ Patch-Name: bash-completion-drop-have-ch 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/util/bash-completion.d/grub-completion.bash.in b/util/bash-completion.d/grub-completion.bash.in -index 44bf135b9..d4235e7ef 100644 +index 44bf135b9f..d4235e7ef8 100644 --- a/util/bash-completion.d/grub-completion.bash.in +++ b/util/bash-completion.d/grub-completion.bash.in @@ -166,13 +166,11 @@ _grub_set_entry () {
  57. Download patch debian/patches/0098-efi-Fix-use-after-free-in-halt-reboot-path.patch

    --- 2.04-1/debian/patches/0098-efi-Fix-use-after-free-in-halt-reboot-path.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0098-efi-Fix-use-after-free-in-halt-reboot-path.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,175 @@ +From 1e7e07cfd5c1caa76479b10e85e6a703d64e0fea Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov <amakhalov@vmware.com> +Date: Mon, 20 Jul 2020 23:03:05 +0000 +Subject: efi: Fix use-after-free in halt/reboot path + +commit 92bfc33db984 ("efi: Free malloc regions on exit") +introduced memory freeing in grub_efi_fini(), which is +used not only by exit path but by halt/reboot one as well. +As result of memory freeing, code and data regions used by +modules, such as halt, reboot, acpi (used by halt) also got +freed. After return to module code, CPU executes, filled +by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as +a code. Which leads to #UD exception later. + +grub> halt +!!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!! +RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246 +RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41 +RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000 +RSI - 00000000064DB768, RDI - 000000000832C5C3 +R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52 +R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4 +R14 - 0000000003E10D80, R15 - 00000000061E2F60 +DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030 +GS - 0000000000000030, SS - 0000000000000030 +CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000 +CR4 - 0000000000000668, CR8 - 0000000000000000 +DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000 +DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400 +GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000 +IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000 +FXSAVE_STATE - 0000000007F0F4C0 + +Proposal here is to continue to free allocated memory for +exit boot services path but keep it for halt/reboot path +as it won't be much security concern here. 
+Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY +loader flag to be used by efi halt/reboot path. + +Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> +Reviewed-by: Darren Kenny <darren.kenny@oracle.com> +--- + grub-core/kern/arm/efi/init.c | 3 +++ + grub-core/kern/arm64/efi/init.c | 3 +++ + grub-core/kern/efi/efi.c | 3 ++- + grub-core/kern/efi/init.c | 1 - + grub-core/kern/i386/efi/init.c | 9 +++++++-- + grub-core/kern/ia64/efi/init.c | 9 +++++++-- + grub-core/kern/riscv/efi/init.c | 3 +++ + grub-core/lib/efi/halt.c | 3 ++- + include/grub/loader.h | 1 + + 9 files changed, 28 insertions(+), 7 deletions(-) + +diff --git a/grub-core/kern/arm/efi/init.c b/grub-core/kern/arm/efi/init.c +index 06df60e2f0..40c3b467fc 100644 +--- a/grub-core/kern/arm/efi/init.c ++++ b/grub-core/kern/arm/efi/init.c +@@ -71,4 +71,7 @@ grub_machine_fini (int flags) + efi_call_1 (b->close_event, tmr_evt); + + grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/arm64/efi/init.c b/grub-core/kern/arm64/efi/init.c +index 6224999ec9..5010caefd6 100644 +--- a/grub-core/kern/arm64/efi/init.c ++++ b/grub-core/kern/arm64/efi/init.c +@@ -57,4 +57,7 @@ grub_machine_fini (int flags) + return; + + grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c +index b1a8b39b49..88bbd34eac 100644 +--- a/grub-core/kern/efi/efi.c ++++ b/grub-core/kern/efi/efi.c +@@ -157,7 +157,8 @@ grub_efi_get_loaded_image (grub_efi_handle_t image_handle) + void + grub_reboot (void) + { +- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN); ++ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN | ++ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY); + efi_call_4 (grub_efi_system_table->runtime_services->reset_system, + GRUB_EFI_RESET_COLD, GRUB_EFI_SUCCESS, 0, NULL); + for (;;) ; +diff --git a/grub-core/kern/efi/init.c 
b/grub-core/kern/efi/init.c +index 3dfdf2d22b..2c31847bf6 100644 +--- a/grub-core/kern/efi/init.c ++++ b/grub-core/kern/efi/init.c +@@ -80,5 +80,4 @@ grub_efi_fini (void) + { + grub_efidisk_fini (); + grub_console_fini (); +- grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/i386/efi/init.c b/grub-core/kern/i386/efi/init.c +index da499aba04..deb2eacd8d 100644 +--- a/grub-core/kern/i386/efi/init.c ++++ b/grub-core/kern/i386/efi/init.c +@@ -39,6 +39,11 @@ grub_machine_init (void) + void + grub_machine_fini (int flags) + { +- if (flags & GRUB_LOADER_FLAG_NORETURN) +- grub_efi_fini (); ++ if (!(flags & GRUB_LOADER_FLAG_NORETURN)) ++ return; ++ ++ grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/ia64/efi/init.c b/grub-core/kern/ia64/efi/init.c +index b5ecbd0912..f1965571b1 100644 +--- a/grub-core/kern/ia64/efi/init.c ++++ b/grub-core/kern/ia64/efi/init.c +@@ -70,6 +70,11 @@ grub_machine_init (void) + void + grub_machine_fini (int flags) + { +- if (flags & GRUB_LOADER_FLAG_NORETURN) +- grub_efi_fini (); ++ if (!(flags & GRUB_LOADER_FLAG_NORETURN)) ++ return; ++ ++ grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/riscv/efi/init.c b/grub-core/kern/riscv/efi/init.c +index 7eb1969d0b..38795fe674 100644 +--- a/grub-core/kern/riscv/efi/init.c ++++ b/grub-core/kern/riscv/efi/init.c +@@ -73,4 +73,7 @@ grub_machine_fini (int flags) + return; + + grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/lib/efi/halt.c b/grub-core/lib/efi/halt.c +index 5859f0498a..29d4136416 100644 +--- a/grub-core/lib/efi/halt.c ++++ b/grub-core/lib/efi/halt.c +@@ -28,7 +28,8 @@ + void + grub_halt (void) + { +- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN); ++ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN | ++ 
GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY); + #if !defined(__ia64__) && !defined(__arm__) && !defined(__aarch64__) && \ + !defined(__riscv) + grub_acpi_halt (); +diff --git a/include/grub/loader.h b/include/grub/loader.h +index 7f82a499fd..b208642821 100644 +--- a/include/grub/loader.h ++++ b/include/grub/loader.h +@@ -33,6 +33,7 @@ enum + { + GRUB_LOADER_FLAG_NORETURN = 1, + GRUB_LOADER_FLAG_PXE_NOT_UNLOAD = 2, ++ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY = 4, + }; + + void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
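    Review bot: Removing `grub_efi_memory_fini ()` from grub_efi_fini and re-adding it behind `!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)` in five separate grub_machine_fini implementations (arm, arm64, i386, ia64, riscv) means any other caller of grub_efi_fini, and any port added later, silently stops freeing; a single helper taking `flags` in grub-core/kern/efi/init.c would keep the rule in one place. The new enum value in include/grub/loader.h has no comment describing when callers should set it, and the commit message's statement that keeping the memory "won't be much security concern" should say why.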
  58. Download patch debian/patches/0090-tftp-Do-not-use-priority-queue.patch
  59. Download patch debian/patches/cherrypick-lsefisystab-show-dtb.patch

    --- 2.04-1/debian/patches/cherrypick-lsefisystab-show-dtb.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/cherrypick-lsefisystab-show-dtb.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,40 @@ +From b67cba441eece77123d08105d447128e09593194 Mon Sep 17 00:00:00 2001 +From: Heinrich Schuchardt <xypron.glpk@gmx.de> +Date: Sat, 6 Jul 2019 11:11:02 +0200 +Subject: lsefisystab: Add support for device tree table + +The device tree may passed by the firmware as UEFI configuration +table. Let lsefisystab display a short text and not only the GUID +for the device tree. + +Here is an example output: + + grub> lsefisystab + Address: 0xbff694d8 + Signature: 5453595320494249 revision: 00020046 + Vendor: Das U-Boot, Version=20190700 + 2 tables: + 0xbe741000 eb9d2d31-2d88-11d3-9a160090273fc14d SMBIOS + 0x87f00000 b1b621d5-f19c-41a5-830bd9152c69aae0 DEVICE TREE + +Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> +Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +(cherry picked from commit 15cfd02b74e862bda20626a6e4e2f8a1d201733a) +Patch-Name: cherrypick-lsefisystab-show-dtb.patch +--- + grub-core/commands/efi/lsefisystab.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c +index 7c039c5097..902788250e 100644 +--- a/grub-core/commands/efi/lsefisystab.c ++++ b/grub-core/commands/efi/lsefisystab.c +@@ -40,6 +40,7 @@ static const struct guid_mapping guid_mappings[] = + { GRUB_EFI_CRC32_GUIDED_SECTION_EXTRACTION_GUID, + "CRC32 GUIDED SECTION EXTRACTION"}, + { GRUB_EFI_DEBUG_IMAGE_INFO_TABLE_GUID, "DEBUG IMAGE INFO"}, ++ { GRUB_EFI_DEVICE_TREE_GUID, "DEVICE TREE"}, + { GRUB_EFI_DXE_SERVICES_TABLE_GUID, "DXE SERVICES"}, + { GRUB_EFI_HCDP_TABLE_GUID, "HCDP"}, + { GRUB_EFI_HOB_LIST_GUID, "HOB LIST"},
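    Review bot: The added table entry uses GRUB_EFI_DEVICE_TREE_GUID, but the diffstat lists lsefisystab.c as the only file changed, so this cherry-pick depends on that macro already being defined in the headers of the 2.04 base. Confirm that it is, or pick the commit that defines it alongside this one; otherwise the build fails.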
  60. Download patch debian/patches/0091-script-Remove-unused-fields-from-grub_script_functio.patch

    --- 2.04-1/debian/patches/0091-script-Remove-unused-fields-from-grub_script_functio.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0091-script-Remove-unused-fields-from-grub_script_functio.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,29 @@ +From fd60c9a66288bf80f4da18e9832436bf2e6c1e65 Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Fri, 10 Jul 2020 11:21:14 +0100 +Subject: script: Remove unused fields from grub_script_function struct + +Signed-off-by: Chris Coulson <chris.coulson@canonical.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + include/grub/script_sh.h | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h +index 360c2be1f0..b382bcf09b 100644 +--- a/include/grub/script_sh.h ++++ b/include/grub/script_sh.h +@@ -359,13 +359,8 @@ struct grub_script_function + /* The script function. */ + struct grub_script *func; + +- /* The flags. */ +- unsigned flags; +- + /* The next element. */ + struct grub_script_function *next; +- +- int references; + }; + typedef struct grub_script_function *grub_script_function_t; +
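    Review bot: The commit message gives no evidence that `flags` and `references` in struct grub_script_function are unused, and `references` reads like a reference count whose removal changes how a function's lifetime is tracked. State in the message how this was checked (no remaining readers or writers in the tree, and the effect on anything built against include/grub/script_sh.h), and if the removal prepares a later fix, name it.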
  61. Download patch debian/patches/0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch

    --- 2.04-1/debian/patches/0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,26 @@ +From 7bae32b384bf0129a980b77447e21abb4024f693 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov <xnox@ubuntu.com> +Date: Mon, 24 Feb 2020 20:29:53 +0000 +Subject: uefi-firmware: rename fwsetup menuentry to UEFI Firmware Settings + +LP: #1864547 +--- + util/grub.d/30_uefi-firmware.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/util/grub.d/30_uefi-firmware.in b/util/grub.d/30_uefi-firmware.in +index 3c9f533d8c..b072d219f6 100644 +--- a/util/grub.d/30_uefi-firmware.in ++++ b/util/grub.d/30_uefi-firmware.in +@@ -32,9 +32,9 @@ OsIndications="$efi_vars_dir/OsIndicationsSupported-$EFI_GLOBAL_VARIABLE/data" + + if [ -e "$OsIndications" ] && \ + [ "$(( $(printf 0x%x \'"$(cat $OsIndications | cut -b1)") & 1 ))" = 1 ]; then +- LABEL="System setup" ++ LABEL="UEFI Firmware Settings" + +- gettext_printf "Adding boot menu entry for EFI firmware configuration\n" >&2 ++ gettext_printf "Adding boot menu entry for UEFI Firmware Settings\n" >&2 + + onstr="$(gettext_printf "(on %s)" "${DEVICE}")" +
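    Review bot: Both changed strings in 30_uefi-firmware.in are user-visible, and the second is passed through gettext_printf, so changing the msgid drops every existing translation of "Adding boot menu entry for EFI firmware configuration" until the catalogs are updated; LABEL is assigned a bare literal, so check whether it is translated where the menuentry is emitted. The message body is only an LP reference: add a sentence on why the label is renamed, and a Signed-off-by line.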
  62. Download patch debian/grub-extras/disabled/gpxe/.bzrignore

    --- 2.04-1/debian/grub-extras/disabled/gpxe/.bzrignore 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-extras/disabled/gpxe/.bzrignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -**/.deps-core -**/.dirstamp -Makefile.core.am
  63. Download patch debian/patches/ignore-grub_func_test-failures.patch

    --- 2.04-1/debian/patches/ignore-grub_func_test-failures.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/ignore-grub_func_test-failures.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 2efd14b497f45150a23c7977e5c45285d258d42c Mon Sep 17 00:00:00 2001 +From a4eaed2b739501db9b1009cd778fc72e9670f9ce Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@debian.org> Date: Mon, 13 Jan 2014 12:13:32 +0000 Subject: Ignore functional test failures for now as they are broken @@ -14,7 +14,7 @@ Patch-Name: ignore-grub_func_test-failur 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/grub_func_test.in b/tests/grub_func_test.in -index c67f9e422..728cd6e06 100644 +index c67f9e4225..728cd6e066 100644 --- a/tests/grub_func_test.in +++ b/tests/grub_func_test.in @@ -16,6 +16,8 @@ out=`echo all_functional_test | @builddir@/grub-shell --timeout=3600 --files="/b
  64. Download patch debian/patches/mkconfig-ubuntu-recovery.patch

    --- 2.04-1/debian/patches/mkconfig-ubuntu-recovery.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-ubuntu-recovery.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,6 +1,6 @@ -From 8d20c29dbd3dfb7a475ade30d33b9d9b80069107 Mon Sep 17 00:00:00 2001 -From: Colin Watson <cjwatson@ubuntu.com> -Date: Mon, 13 Jan 2014 12:13:06 +0000 +From 51814873e68db3d990a080f705e6562ef140b416 Mon Sep 17 00:00:00 2001 +From: Didier Roche <didrocks@ubuntu.com> +Date: Tue, 31 Mar 2020 15:16:36 +0200 Subject: "single" -> "recovery" when friendly-recovery is installed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -19,11 +19,12 @@ Patch-Name: mkconfig-ubuntu-recovery.pat --- configure.ac | 11 +++++++++++ util/grub.d/10_linux.in | 16 ++++++++++++++-- + util/grub.d/10_linux_zfs.in | 15 +++++++++++++-- util/grub.d/30_os-prober.in | 2 +- - 3 files changed, 26 insertions(+), 3 deletions(-) + 4 files changed, 39 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac -index 7656f2434..1e5abc67d 100644 +index 7656f2434e..1e5abc67d9 100644 --- a/configure.ac +++ b/configure.ac @@ -1846,6 +1846,17 @@ fi @@ -45,7 +46,7 @@ index 7656f2434..1e5abc67d 100644 AC_SUBST([FONT_SOURCE]) diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index 8c22c79f6..0509ac680 100644 +index d927b60ae2..fcd3033872 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -20,6 +20,7 @@ set -e @@ -56,7 +57,7 @@ index 8c22c79f6..0509ac680 100644 . "$pkgdatadir/grub-mkconfig_lib" -@@ -84,6 +85,15 @@ esac +@@ -88,6 +89,15 @@ esac title_correction_code= @@ -72,7 +73,7 @@ index 8c22c79f6..0509ac680 100644 linux_entry () { os="$1" -@@ -123,7 +133,9 @@ linux_entry () +@@ -127,7 +137,9 @@ linux_entry () if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then echo " load_video" | sed "s/^/$submenu_indentation/" fi 
@@ -83,7 +84,7 @@ index 8c22c79f6..0509ac680 100644 fi echo " insmod gzio" | sed "s/^/$submenu_indentation/" -@@ -280,7 +292,7 @@ while [ "x$list" != "x" ] ; do +@@ -284,7 +296,7 @@ while [ "x$list" != "x" ] ; do "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then linux_entry "${OS}" "${version}" recovery \ 
@@ -92,8 +93,55 @@ index 8c22c79f6..0509ac680 100644 fi list=`echo $list | tr ' ' '\n' | fgrep -vx "$linux" | tr '\n' ' '` +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index b24587f0a5..de4d215900 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -19,6 +19,7 @@ set -e + + prefix="@prefix@" + datarootdir="@datarootdir@" ++ubuntu_recovery="@UBUNTU_RECOVERY@" + + . "${pkgdatadir}/grub-mkconfig_lib" + +@@ -748,7 +749,9 @@ zfs_linux_entry () { + if [ "${GRUB_GFXPAYLOAD_LINUX}" != "text" ]; then + echo "${submenu_indentation} load_video" + fi +- echo "${submenu_indentation} set gfxpayload=\${linux_gfx_mode}" ++ if [ "${ubuntu_recovery}" = 0 ] || [ "${type}" != "recovery" ]; then ++ echo "${submenu_indentation} set gfxpayload=\${linux_gfx_mode}" ++ fi + fi + + echo "${submenu_indentation} insmod gzio" +@@ -759,7 +762,7 @@ zfs_linux_entry () { + + linux_default_args="${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" + if [ ${type} = "recovery" ]; then +- linux_default_args="single ${GRUB_CMDLINE_LINUX}" ++ linux_default_args="${GRUB_CMDLINE_LINUX_RECOVERY} ${GRUB_CMDLINE_LINUX}" + fi + + echo "${submenu_indentation} linux ${kernel} root=ZFS=${dataset} ro ${linux_default_args} ${kernel_additional_args}" +@@ -791,6 +794,14 @@ generate_grub_menu() { + CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1 | LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}" + fi + ++ if [ -x /lib/recovery-mode/recovery-menu ]; then ++ GRUB_CMDLINE_LINUX_RECOVERY=recovery ++ else ++ GRUB_CMDLINE_LINUX_RECOVERY=single ++ fi ++ if [ "${ubuntu_recovery}" = 1 ]; then ++ GRUB_CMDLINE_LINUX_RECOVERY="${GRUB_CMDLINE_LINUX_RECOVERY} nomodeset" ++ fi + + # IFS is set to TAB (ASCII 0x09) + echo "${menu_metadata}" | diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in -index 515a68c7a..775ceb2e0 100644 +index 515a68c7aa..775ceb2e04 100644 --- a/util/grub.d/30_os-prober.in +++ b/util/grub.d/30_os-prober.in 
@@ -220,7 +220,7 @@ EOF
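Review bot: the refreshed patch header replaces `From: Colin Watson <cjwatson@ubuntu.com>` / `Date: Mon, 13 Jan 2014 12:13:06 +0000` with `From: Didier Roche <didrocks@ubuntu.com>` / `Date: Tue, 31 Mar 2020 15:16:36 +0200` while the subject is unchanged, so the original authorship of the configure.ac and 10_linux.in changes is no longer recorded; keep the original From/Date and credit the 10_linux_zfs.in addition in the description instead. In the new 10_linux_zfs.in hunks, GRUB_CMDLINE_LINUX_RECOVERY is assigned in generate_grub_menu() and read in zfs_linux_entry() as an implicit global; a one-line comment at the assignment naming its consumer would help.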
  65. Download patch debian/patches/0089-lzma-Make-sure-we-don-t-dereference-past-array.patch

    --- 2.04-1/debian/patches/0089-lzma-Make-sure-we-don-t-dereference-past-array.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0089-lzma-Make-sure-we-don-t-dereference-past-array.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,48 @@ +From d6f176758a8d2ab9cd81646e7e2e825682a0fdfe Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Date: Thu, 9 Jul 2020 03:05:23 +0000 +Subject: lzma: Make sure we don't dereference past array + +The two dimensional array p->posSlotEncoder[4][64] is being dereferenced +using the GetLenToPosState() macro which checks if len is less than 5, +and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. +Obviously we don't want to dereference that far out so we check if the +position found is greater or equal kNumLenToPosStates (4) and bail out. + +N.B.: Upstream LZMA 18.05 and later has this function completely rewritten +without any history. + +Fixes: CID 51526 + +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/lib/LzmaEnc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c +index f2ec04a8c2..753e56a95e 100644 +--- a/grub-core/lib/LzmaEnc.c ++++ b/grub-core/lib/LzmaEnc.c +@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize + } + else + { +- UInt32 posSlot; ++ UInt32 posSlot, lenToPosState; + RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0); + p->state = kMatchNextStates[p->state]; + LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices); + pos -= LZMA_NUM_REPS; + GetPosSlot(pos, posSlot); +- RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot); ++ lenToPosState = GetLenToPosState(len); ++ if (lenToPosState >= kNumLenToPosStates) ++ { ++ p->result = SZ_ERROR_DATA; ++ return CheckErrors(p); ++ } ++ RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot); + + if (posSlot >= kStartPosModelIndex) + {
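Review bot: in the LzmaEnc_CodeOneBlock hunk the new `lenToPosState >= kNumLenToPosStates` check comes only after `RangeEnc_EncodeBit`, the `p->state` update and `LenEnc_Encode2(..., len - LZMA_MATCH_LEN_MIN, ...)` have run, so for the small `len` the commit message describes, the encoder state is already modified and `len - LZMA_MATCH_LEN_MIN` has already been passed on before the error return. Consider computing and validating lenToPosState (or len itself) at the top of the else branch, before anything is encoded.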
  66. Download patch debian/patches/0087-font-Do-not-load-more-than-one-NAME-section.patch

    --- 2.04-1/debian/patches/0087-font-Do-not-load-more-than-one-NAME-section.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0087-font-Do-not-load-more-than-one-NAME-section.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,34 @@ +From b762411ec388017c77379629298e90f93dec75d7 Mon Sep 17 00:00:00 2001 +From: Daniel Kiper <daniel.kiper@oracle.com> +Date: Tue, 7 Jul 2020 15:36:26 +0200 +Subject: font: Do not load more than one NAME section + +The GRUB font file can have one NAME section only. Though if somebody +crafts a broken font file with many NAME sections and loads it then the +GRUB leaks memory. So, prevent against that by loading first NAME +section and failing in controlled way on following one. + +Reported-by: Chris Coulson <chris.coulson@canonical.com> +Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> +Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> +--- + grub-core/font/font.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 5edb477ac2..d09bb38d89 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -532,6 +532,12 @@ grub_font_load (const char *filename) + if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME, + sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0) + { ++ if (font->name != NULL) ++ { ++ grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections"); ++ goto fail; ++ } ++ + font->name = read_section_as_string (&section); + if (!font->name) + goto fail;
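Review bot: the new `font->name != NULL` guard in grub_font_load only works if font->name is NULL before the first NAME section is read, and the hunk does not show the allocation, so confirm the font structure is zero-initialised. The commit message describes the leak for NAME only; if other sections in the same loop store the result of read_section_as_string in the same way they want the same guard, and a short comment at the check saying it prevents the repeated-section leak would keep it from being removed as redundant.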
  67. Download patch debian/patches/fix-lockdown.patch

    --- 2.04-1/debian/patches/fix-lockdown.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/fix-lockdown.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,45 +0,0 @@ -From 5f17e85530102bc92cb09796d878d6e399a4986d Mon Sep 17 00:00:00 2001 -From: Luca Boccassi <bluca@debian.org> -Date: Tue, 15 May 2018 11:36:46 +0100 -Subject: Do not overwrite sentinel byte in boot_params, breaks lockdown - -grub currently copies the entire boot_params, which includes setting -sentinel byte to 0xff, which triggers sanitize_boot_params in the kernel -which in turn clears various boot_params variables, including the -indication that the bootloader chain is verified and thus the kernel -disables lockdown mode. According to the information on the Fedora bug -tracker, only the information from byte 0x1f1 is necessary, so start -copying from there instead. - -Author: Luca Boccassi <bluca@debian.org> -Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1418360 -Forwarded: no - -Patch-Name: fix-lockdown.patch ---- - grub-core/loader/i386/efi/linux.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c -index 16372a0c8..34605dfed 100644 ---- a/grub-core/loader/i386/efi/linux.c -+++ b/grub-core/loader/i386/efi/linux.c -@@ -28,6 +28,7 @@ - #include <grub/lib/cmdline.h> - #include <grub/linux.h> - #include <grub/efi/efi.h> -+#include <stddef.h> - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -334,7 +335,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem; - } - -- grub_memcpy (params, &lh, 2 * 512); -+ /* do not overwrite below boot_params->hdr to avoid setting the sentinel byte */ -+ start = offsetof (struct linux_kernel_params, setup_sects); -+ grub_memcpy ((grub_uint8_t *)params + start, (grub_uint8_t *)&lh + start, 2 * 512 - start); - - params->type_of_loader = 0x21; -
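Review bot: this diff deletes fix-lockdown.patch outright and nothing in the lines shown says what replaces it. The removed change kept grub_cmd_linux from copying the sentinel byte into boot_params, which its description ties to the kernel disabling lockdown, so the changelog should name the patch or upstream commit that now covers this before the removal is accepted.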
  68. Download patch debian/patches/0099-chainloader-Avoid-a-double-free-when-validation-fail.patch

    --- 2.04-1/debian/patches/0099-chainloader-Avoid-a-double-free-when-validation-fail.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0099-chainloader-Avoid-a-double-free-when-validation-fail.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,42 @@ +From 06a88955852ba3c301f3a37c99faa813bd7262c8 Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Thu, 23 Jul 2020 14:02:17 +0100 +Subject: chainloader: Avoid a double free when validation fails + +--- + grub-core/loader/efi/chainloader.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index d0c53077e8..144a6549df 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -1085,6 +1085,9 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + if (rc > 0) + { + grub_file_close (file); ++ if (orig_dev) ++ dev = orig_dev; ++ grub_device_close (dev); + grub_loader_set (grub_secureboot_chainloader_boot, + grub_secureboot_chainloader_unload, 0); + return 0; +@@ -1093,15 +1096,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + { + grub_load_and_start_image(boot_image); + grub_file_close (file); ++ if (orig_dev) ++ dev = orig_dev; ++ grub_device_close (dev); + grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0); + + return 0; + } + // -1 fall-through to fail + +- grub_file_close (file); +- grub_device_close (dev); +- + fail: + if (orig_dev) + {
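Review bot: the patch has no description and no Signed-off-by; the subject says a double free is avoided but not which path freed what twice. From the hunks, the unconditional `grub_file_close (file); grub_device_close (dev);` ahead of `fail:` is removed and the device close is moved into the two success branches; say so in the message, and consider folding the repeated `if (orig_dev) dev = orig_dev; grub_device_close (dev);` sequence into one helper or a shared exit label so the two branches cannot drift apart.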
  69. Download patch debian/patches/0081-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch

    --- 2.04-1/debian/patches/0081-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0081-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,66 @@ +From e25ff4f02fae2c006408a8fa1283320cd81ff87d Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Wed, 15 Apr 2020 15:45:02 -0400 +Subject: yylex: Make lexer fatal errors actually be fatal + +When presented with a command that can't be tokenized to anything +smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), +expecting that will stop further processing, as such: + + #define YY_DO_BEFORE_ACTION \ + yyg->yytext_ptr = yy_bp; \ + yyleng = (int) (yy_cp - yy_bp); \ + yyg->yy_hold_char = *yy_cp; \ + *yy_cp = '\0'; \ + if ( yyleng >= YYLMAX ) \ + YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ + yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ + yyg->yy_c_buf_p = yy_cp; + +The code flex generates expects that YY_FATAL_ERROR() will either return +for it or do some form of longjmp(), or handle the error in some way at +least, and so the strncpy() call isn't in an "else" clause, and thus if +YY_FATAL_ERROR() is *not* actually fatal, it does the call with the +questionable limit, and predictable results ensue. + +Unfortunately, our implementation of YY_FATAL_ERROR() is: + + #define YY_FATAL_ERROR(msg) \ + do { \ + grub_printf (_("fatal error: %s\n"), _(msg)); \ + } while (0) + +The same pattern exists in yyless(), and similar problems exist in users +of YY_INPUT(), several places in the main parsing loop, +yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, +yy_scan_buffer(), etc. + +All of these callers expect YY_FATAL_ERROR() to actually be fatal, and +the things they do if it returns after calling it are wildly unsafe. 
+ +Fixes: CVE-2020-10713 + +Signed-off-by: Peter Jones <pjones@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/script/yylex.l | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l +index 7b44c37b76..b7203c8230 100644 +--- a/grub-core/script/yylex.l ++++ b/grub-core/script/yylex.l +@@ -37,11 +37,11 @@ + + /* + * As we don't have access to yyscanner, we cannot do much except to +- * print the fatal error. ++ * print the fatal error and exit. + */ + #define YY_FATAL_ERROR(msg) \ + do { \ +- grub_printf (_("fatal error: %s\n"), _(msg)); \ ++ grub_fatal (_("fatal error: %s\n"), _(msg));\ + } while (0) + + #define COPY(str, hint) \
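Review bot: in the yylex.l hunk the updated comment says only "print the fatal error and exit"; it should also state that the flex-generated code relies on YY_FATAL_ERROR() never returning, which is the whole argument of the commit message, so the macro is not softened back to a print later. Style: `grub_fatal (_("fatal error: %s\n"), _(msg));\` lost the space before the line-continuation backslash that the removed line had.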
  70. Download patch debian/patches/probe-fusionio.patch

    --- 2.04-1/debian/patches/probe-fusionio.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/probe-fusionio.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From d13c402298bbee39239f4378e312c128e5fb0a88 Mon Sep 17 00:00:00 2001 +From c89a80f695775566c7f184ec19b4ad34f58906bb Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:31 +0000 Subject: Probe FusionIO devices @@ -14,7 +14,7 @@ Patch-Name: probe-fusionio.patch 2 files changed, 32 insertions(+) diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c -index 90d92d3ad..7adc0f30e 100644 +index 90d92d3ad5..7adc0f30ee 100644 --- a/grub-core/osdep/linux/getroot.c +++ b/grub-core/osdep/linux/getroot.c @@ -950,6 +950,19 @@ grub_util_part_to_disk (const char *os_dev, struct stat *st, @@ -38,7 +38,7 @@ index 90d92d3ad..7adc0f30e 100644 return path; diff --git a/util/deviceiter.c b/util/deviceiter.c -index a4971ef42..dddc50da7 100644 +index a4971ef429..dddc50da7a 100644 --- a/util/deviceiter.c +++ b/util/deviceiter.c @@ -383,6 +383,12 @@ get_nvme_disk_name (char *name, int controller, int namespace)
  71. Download patch debian/patches/core-in-fs.patch

    --- 2.04-1/debian/patches/core-in-fs.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/core-in-fs.patch 2020-08-10 13:07:29.000000000 +0000 @@ -11,7 +11,7 @@ Patch-Name: core-in-fs.patch 1 file changed, 8 insertions(+) diff --git a/util/setup.c b/util/setup.c -index 6f88f3cc4..fbdf2fcc5 100644 +index 6f88f3cc43..fbdf2fcc59 100644 --- a/util/setup.c +++ b/util/setup.c @@ -58,6 +58,8 @@
  72. Download patch debian/patches/0084-calloc-Use-calloc-at-most-places.patch
  73. Download patch debian/gettext-patches/0002-Handle-gettext_printf-shell-function.patch

    --- 2.04-1/debian/gettext-patches/0002-Handle-gettext_printf-shell-function.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/gettext-patches/0002-Handle-gettext_printf-shell-function.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,46 @@ +From fd17c51f2e6c87427679fbdfb5f6224ff48795db Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwatson@debian.org> +Date: Sun, 1 Mar 2020 12:00:41 +0000 +Subject: [PATCH 2/4] Handle gettext_printf shell function + +Extract gettext_printf arguments. + +Run grub.d.sed over strings extracted from util/grub.d/, in order to set +c-format flags (xgettext refuses to include these itself for strings it +extracted from a shell file, but these really are c-format). +--- + gettext-runtime/po/Makefile.in.in | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/gettext-runtime/po/Makefile.in.in b/gettext-runtime/po/Makefile.in.in +index 32e9323d3..32e0c99a2 100644 +--- a/gettext-runtime/po/Makefile.in.in ++++ b/gettext-runtime/po/Makefile.in.in +@@ -183,7 +183,8 @@ $(DOMAIN).pot-update: $(POTFILES) $(srcdir)/POTFILES.in $(srcdir)/POTFILES-shell + --files-from=$(srcdir)/POTFILES-shell.in \ + --copyright-holder='$(COPYRIGHT_HOLDER)' \ + --msgid-bugs-address="$$msgid_bugs_address" \ +- --join-existing --language=Shell --keyword=gettext_quoted \ ++ --join-existing --language=Shell \ ++ --keyword=gettext_quoted --keyword=gettext_printf \ + ;; \ + *) \ + $(XGETTEXT) --default-domain=$(DOMAIN) --directory=$(top_srcdir) \ +@@ -193,10 +194,13 @@ $(DOMAIN).pot-update: $(POTFILES) $(srcdir)/POTFILES.in $(srcdir)/POTFILES-shell + --package-name="$${package_gnu}@PACKAGE@" \ + --package-version='@VERSION@' \ + --msgid-bugs-address="$$msgid_bugs_address" \ +- --join-existing --language=Shell --keyword=gettext_quoted \ ++ --join-existing --language=Shell \ ++ --keyword=gettext_quoted --keyword=gettext_printf \ + ;; \ + esac; \ + test ! -f $(DOMAIN).po || { \ ++ sed -f grub.d.sed < $(DOMAIN).po > $(DOMAIN).1po && \ ++ mv $(DOMAIN).1po $(DOMAIN).po; \ + if test -f $(srcdir)/$(DOMAIN).pot; then \ + sed -f remove-potcdate.sed < $(srcdir)/$(DOMAIN).pot > $(DOMAIN).1po && \ + sed -f remove-potcdate.sed < $(DOMAIN).po > $(DOMAIN).2po && \ +-- +2.17.1 +
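Review bot: the added `sed -f grub.d.sed < $(DOMAIN).po > $(DOMAIN).1po` step refers to grub.d.sed by bare name, and neither hunk adds it to anything the $(DOMAIN).pot-update rule depends on, so the step fails if the file is not already in the build directory. Say in the description where grub.d.sed comes from, or add it as a prerequisite. The `--keyword=gettext_quoted --keyword=gettext_printf` line is also duplicated in both xgettext branches; a make variable would keep the two in sync.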
  74. Download patch debian/patches/0094-lvm-fix-two-more-potential-data-dependent-alloc-over.patch

    --- 2.04-1/debian/patches/0094-lvm-fix-two-more-potential-data-dependent-alloc-over.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0094-lvm-fix-two-more-potential-data-dependent-alloc-over.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,98 @@ +From 9082c7d5ed8d9ffb15a12d6bcb10a86ca9c8a860 Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Sun, 19 Jul 2020 15:48:20 -0400 +Subject: lvm: fix two more potential data-dependent alloc overflows + +It appears to be possible to make a (possibly invalid) lvm PV with a +metadata size field that overflows our type when adding it to the +address we've allocated. Even if it doesn't, it may be possible to do +so with the math using the outcome of that as an operand. Check them +both. + +Signed-off-by: Peter Jones <pjones@redhat.com> +--- + grub-core/disk/lvm.c | 39 +++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index d1df640b31..d154f7c01b 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -25,6 +25,7 @@ + #include <grub/lvm.h> + #include <grub/partition.h> + #include <grub/i18n.h> ++#include <grub/safemath.h> + + #ifdef GRUB_UTIL + #include <grub/emu/misc.h> +@@ -102,10 +103,11 @@ grub_lvm_detect (grub_disk_t disk, + { + grub_err_t err; + grub_uint64_t mda_offset, mda_size; ++ grub_size_t ptr; + char buf[GRUB_LVM_LABEL_SIZE]; + char vg_id[GRUB_LVM_ID_STRLEN+1]; + char pv_id[GRUB_LVM_ID_STRLEN+1]; +- char *metadatabuf, *p, *q, *vgname; ++ char *metadatabuf, *mda_end, *p, *q, *vgname; + struct grub_lvm_label_header *lh = (struct grub_lvm_label_header *) buf; + struct grub_lvm_pv_header *pvh; + struct grub_lvm_disk_locn *dlocn; +@@ -205,19 +207,31 @@ grub_lvm_detect (grub_disk_t disk, + grub_le_to_cpu64 (rlocn->size) - + grub_le_to_cpu64 (mdah->size)); + } +- p = q = metadatabuf + grub_le_to_cpu64 (rlocn->offset); + +- while (*q != ' ' && q < metadatabuf + mda_size) +- q++; +- +- if (q == metadatabuf + mda_size) ++ if (grub_add ((grub_size_t)metadatabuf, ++ (grub_size_t)grub_le_to_cpu64 (rlocn->offset), ++ &ptr)) + { ++error_parsing_metadata: + #ifdef GRUB_UTIL + grub_util_info ("error parsing metadata"); + #endif 
+ goto fail2; + } + ++ p = q = (char *)ptr; ++ ++ if (grub_add ((grub_size_t)metadatabuf, (grub_size_t)mda_size, &ptr)) ++ goto error_parsing_metadata; ++ ++ mda_end = (char *)ptr; ++ ++ while (*q != ' ' && q < mda_end) ++ q++; ++ ++ if (q == mda_end) ++ goto error_parsing_metadata; ++ + vgname_len = q - p; + vgname = grub_malloc (vgname_len + 1); + if (!vgname) +@@ -367,8 +381,17 @@ grub_lvm_detect (grub_disk_t disk, + { + const char *iptr; + char *optr; +- lv->fullname = grub_malloc (sizeof ("lvm/") - 1 + 2 * vgname_len +- + 1 + 2 * s + 1); ++ grub_size_t sz0 = vgname_len, sz1 = s; ++ ++ if (grub_mul (sz0, 2, &sz0) || ++ grub_add (sz0, 1, &sz0) || ++ grub_mul (sz1, 2, &sz1) || ++ grub_add (sz1, 1, &sz1) || ++ grub_add (sz0, sz1, &sz0) || ++ grub_add (sz0, sizeof ("lvm/") - 1, &sz0)) ++ goto lvs_fail; ++ ++ lv->fullname = grub_malloc (sz0); + if (!lv->fullname) + goto lvs_fail; +
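Review bot: the rewritten loop `while (*q != ' ' && q < mda_end)` still reads `*q` before testing `q < mda_end`, so when no space is found the byte at mda_end is dereferenced before the loop stops; swap the operands to `q < mda_end && *q != ' '`. The grub_add checks establish only that the additions do not wrap; nothing in the hunk checks that `rlocn->offset` is below `mda_size`, so `p` can start beyond `mda_end`, in which case the loop exits at once and the `q == mda_end` test does not catch it. A `p >= mda_end` check before the loop would close that. The `error_parsing_metadata:` label sits inside the first `if` block and is jumped into from outside it, which is legal but easy to misread.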
  75. Download patch debian/.gitignore

    --- 2.04-1/debian/.gitignore 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000 
@@ -1,110 +0,0 @@ -*.bash-completion -*.config -*.debhelper* -*.postinst -*.postrm -*.preinst -*.templates -files -grub-common -grub-common.maintscript -grub-coreboot -grub-coreboot*.dirs -grub-coreboot*.install -grub-coreboot*.links -grub-coreboot*.maintscript -grub-coreboot-bin -grub-coreboot-dbg -grub-efi -grub-efi-amd64 -grub-efi-amd64*.dirs -grub-efi-amd64*.install -grub-efi-amd64*.links -grub-efi-amd64*.maintscript -grub-efi-amd64-bin -grub-efi-amd64-dbg -grub-efi-amd64-signed-template -grub-efi-arm -grub-efi-arm*.dirs -grub-efi-arm*.install -grub-efi-arm*.links -grub-efi-arm*.maintscript -grub-efi-arm-bin -grub-efi-arm-dbg -grub-efi-arm64 -grub-efi-arm64*.dirs -grub-efi-arm64*.install -grub-efi-arm64*.links -grub-efi-arm64*.maintscript -grub-efi-arm64-bin -grub-efi-arm64-dbg -grub-efi-arm64-signed-template -grub-efi-ia32 -grub-efi-ia32*.dirs -grub-efi-ia32*.install -grub-efi-ia32*.links -grub-efi-ia32*.maintscript -grub-efi-ia32-bin -grub-efi-ia32-dbg -grub-efi-ia32-signed-template -grub-efi-ia64 -grub-efi-ia64*.dirs -grub-efi-ia64*.install -grub-efi-ia64*.links -grub-efi-ia64*.maintscript -grub-efi-ia64-bin -grub-efi-ia64-dbg -grub-emu -grub-emu*.dirs -grub-emu*.install -grub-emu*.links -grub-emu*.maintscript -grub-emu-dbg -grub-extras-enabled -grub-extras/*/conf/*.mk -grub-firmware-qemu -grub-ieee1275 -grub-ieee1275*.dirs -grub-ieee1275*.install -grub-ieee1275*.links -grub-ieee1275*.maintscript -grub-ieee1275-bin -grub-ieee1275-dbg -grub-linuxbios -grub-mount-udeb -grub-pc -grub-pc*.dirs -grub-pc*.install -grub-pc*.links -grub-pc*.maintscript -grub-pc-bin -grub-pc-dbg -grub-rescue-pc -grub-theme-starfield -grub-uboot -grub-uboot*.dirs -grub-uboot*.install -grub-uboot*.links -grub-uboot*.maintscript -grub-uboot-bin -grub-uboot-dbg -grub-xen -grub-xen*.dirs -grub-xen*.install -grub-xen*.links -grub-xen*.maintscript -grub-xen-bin -grub-xen-dbg -grub-xen-host -grub-yeeloong -grub-yeeloong*.dirs -grub-yeeloong*.install -grub-yeeloong*.links 
-grub-yeeloong*.maintscript -grub-yeeloong-bin -grub-yeeloong-dbg -grub2 -grub2-common -prep-bootdev -stamps -tmp-*
  76. Download patch debian/patches/0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch

    --- 2.04-1/debian/patches/0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,90 @@ +From a37688a7dd2a14b66aa88005a9473f017aa84d17 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov <xnox@ubuntu.com> +Date: Wed, 22 Jul 2020 11:31:43 +0100 +Subject: linuxefi: fail kernel validation without shim protocol. + +If certificates that signed grub are installed into db, grub can be +booted directly. It will then boot any kernel without signature +validation. The booted kernel will think it was booted in secureboot +mode and will implement lockdown, yet it could have been tampered. + +CVE-2020-15705 + +Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + grub-core/loader/arm64/linux.c | 13 +++++++++---- + grub-core/loader/efi/chainloader.c | 1 + + grub-core/loader/efi/linux.c | 1 + + grub-core/loader/i386/efi/linux.c | 2 +- + 4 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c +index 1a5296a60c..3f5496fc55 100644 +--- a/grub-core/loader/arm64/linux.c ++++ b/grub-core/loader/arm64/linux.c +@@ -34,6 +34,7 @@ + #include <grub/i18n.h> + #include <grub/lib/cmdline.h> + #include <grub/verify.h> ++#include <grub/efi/sb.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -342,11 +343,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + + grub_dprintf ("linux", "kernel @ %p\n", kernel_addr); + +- rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size); +- if (rc < 0) ++ if (grub_efi_secure_boot ()) + { +- grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]); +- goto fail; ++ rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size); ++ if (rc <= 0) ++ { ++ grub_error (GRUB_ERR_INVALID_COMMAND, ++ N_("%s has invalid signature"), argv[0]); ++ goto fail; ++ } + } + + cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE); +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index f8a34cd491..cf89cedf8d 100644 
+--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -1096,6 +1096,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + + return 0; + } ++ // -1 fall-through to fail + + grub_file_close (file); + grub_device_close (dev); +diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c +index e372b26a1b..f6d30bcf7c 100644 +--- a/grub-core/loader/efi/linux.c ++++ b/grub-core/loader/efi/linux.c +@@ -34,6 +34,7 @@ struct grub_efi_shim_lock + }; + typedef struct grub_efi_shim_lock grub_efi_shim_lock_t; + ++// Returns 1 on success, -1 on error, 0 when not available + int + grub_linuxefi_secure_validate (void *data, grub_uint32_t size) + { +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index 2929da7a29..e357bf67c6 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -199,7 +199,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + if (grub_efi_secure_boot ()) + { + rc = grub_linuxefi_secure_validate (kernel, filelen); +- if (rc < 0) ++ if (rc <= 0) + { + grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"), + argv[0]);
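Review bot: with `rc <= 0` in the arm64 and i386 grub_cmd_linux hunks, a return of 0 (documented in the new comment as "not available") now raises the same "%s has invalid signature" error as a real validation failure; a separate message for the missing shim protocol would make the failure diagnosable. The two loaders also report it with different codes, GRUB_ERR_INVALID_COMMAND on arm64 and GRUB_ERR_ACCESS_DENIED on i386, and should agree on one. The 1 / -1 / 0 contract lives only in a comment on grub_linuxefi_secure_validate; named constants would stop callers comparing against bare integers.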
  77. Download patch debian/.git-dpm

    --- 2.04-1/debian/.git-dpm 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/.git-dpm 2020-08-10 13:07:29.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -3d51b212987d47da2b8c65a911140bbbc2fd3153 -3d51b212987d47da2b8c65a911140bbbc2fd3153 +398371c71cd52b6c48fa1d888903bd8a85682ec0 +398371c71cd52b6c48fa1d888903bd8a85682ec0 578bb115fbd47e1c464696f1f8d6183e5443975d 578bb115fbd47e1c464696f1f8d6183e5443975d grub2_2.04.orig.tar.xz
  78. Download patch debian/gettext-patches/0001-Support-POTFILES-shell.patch

    --- 2.04-1/debian/gettext-patches/0001-Support-POTFILES-shell.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/gettext-patches/0001-Support-POTFILES-shell.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,54 @@ +From d5bbd8f60aacb0f73ea5a0bde999152c467d0e78 Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwatson@debian.org> +Date: Sun, 1 Mar 2020 11:57:58 +0000 +Subject: [PATCH 1/4] Support POTFILES-shell + +--- + gettext-runtime/po/Makefile.in.in | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/gettext-runtime/po/Makefile.in.in b/gettext-runtime/po/Makefile.in.in +index fabdc76c9..32e9323d3 100644 +--- a/gettext-runtime/po/Makefile.in.in ++++ b/gettext-runtime/po/Makefile.in.in +@@ -142,7 +142,7 @@ stamp-po: $(srcdir)/$(DOMAIN).pot + # The determination of whether the package xyz is a GNU one is based on the + # heuristic whether some file in the top level directory mentions "GNU xyz". + # If GNU 'find' is available, we avoid grepping through monster files. +-$(DOMAIN).pot-update: $(POTFILES) $(srcdir)/POTFILES.in remove-potcdate.sed ++$(DOMAIN).pot-update: $(POTFILES) $(srcdir)/POTFILES.in $(srcdir)/POTFILES-shell.in remove-potcdate.sed + if { if (LC_ALL=C find --version) 2>/dev/null | grep GNU >/dev/null; then \ + LC_ALL=C find -L $(top_srcdir) -maxdepth 1 -type f -size -10000000c -exec grep 'GNU @PACKAGE@' /dev/null '{}' ';' 2>/dev/null; \ + else \ +@@ -175,7 +175,27 @@ $(DOMAIN).pot-update: $(POTFILES) $(srcdir)/POTFILES.in remove-potcdate.sed + --package-version='@VERSION@' \ + --msgid-bugs-address="$$msgid_bugs_address" \ + ;; \ +- esac ++ esac; \ ++ case `$(XGETTEXT) --version | sed 1q | sed -e 's,^[^0-9]*,,'` in \ ++ '' | 0.[0-9] | 0.[0-9].* | 0.1[0-5] | 0.1[0-5].* | 0.16 | 0.16.[0-1]*) \ ++ $(XGETTEXT) --default-domain=$(DOMAIN) --directory=$(top_srcdir) \ ++ --add-comments=TRANSLATORS: @XGETTEXT_EXTRA_OPTIONS@ \ ++ --files-from=$(srcdir)/POTFILES-shell.in \ ++ --copyright-holder='$(COPYRIGHT_HOLDER)' \ ++ --msgid-bugs-address="$$msgid_bugs_address" \ ++ --join-existing --language=Shell --keyword=gettext_quoted \ ++ ;; \ ++ *) \ ++ $(XGETTEXT) --default-domain=$(DOMAIN) --directory=$(top_srcdir) \ 
++ --add-comments=TRANSLATORS: @XGETTEXT_EXTRA_OPTIONS@ \ ++ --files-from=$(srcdir)/POTFILES-shell.in \ ++ --copyright-holder='$(COPYRIGHT_HOLDER)' \ ++ --package-name="$${package_gnu}@PACKAGE@" \ ++ --package-version='@VERSION@' \ ++ --msgid-bugs-address="$$msgid_bugs_address" \ ++ --join-existing --language=Shell --keyword=gettext_quoted \ ++ ;; \ ++ esac; \ + test ! -f $(DOMAIN).po || { \ + if test -f $(srcdir)/$(DOMAIN).pot; then \ + sed -f remove-potcdate.sed < $(srcdir)/$(DOMAIN).pot > $(DOMAIN).1po && \ +-- +2.17.1 +
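Review bot: the patch has an empty description, yet the first hunk makes `$(srcdir)/POTFILES-shell.in` a prerequisite of $(DOMAIN).pot-update, so nothing explains what that file is or what creates it; state that in the message. The two added xgettext branches differ only in `--package-name` and `--package-version`; a comment naming the xgettext version the `case` pattern splits on would make the duplication easier to maintain.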
  79. Download patch debian/patches/quick-boot-lvm.patch

    --- 2.04-1/debian/patches/quick-boot-lvm.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/quick-boot-lvm.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 23e25d42b55a01146a4683c4bc30e821f0366101 Mon Sep 17 00:00:00 2001 +From 193f060dd7c98d850e81a0b73383ff19c4374d64 Mon Sep 17 00:00:00 2001 From: Steve Langasek <steve.langasek@ubuntu.com> Date: Tue, 30 Oct 2018 15:04:16 -0700 Subject: If we don't have writable grubenv and we're on EFI, always show the @@ -26,7 +26,7 @@ Patch-Name: quick-boot-lvm.patch 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/util/grub.d/00_header.in b/util/grub.d/00_header.in -index 674a76140..b7135b655 100644 +index 674a761402..b7135b655f 100644 --- a/util/grub.d/00_header.in +++ b/util/grub.d/00_header.in @@ -115,7 +115,7 @@ EOF
  80. Download patch debian/patches/ieee1275-clear-reset.patch

    --- 2.04-1/debian/patches/ieee1275-clear-reset.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/ieee1275-clear-reset.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From e1ceeb130e1dc5b4206107fb41488eff08316820 Mon Sep 17 00:00:00 2001 +From 8bec2a413fc7fe8f2a48d37d8127322ebc96971d Mon Sep 17 00:00:00 2001 From: Paulo Flabiano Smorigo <pfsmorigo@linux.vnet.ibm.com> Date: Thu, 25 Sep 2014 18:41:29 -0300 Subject: Include a text attribute reset in the clear command for ppc @@ -18,7 +18,7 @@ Patch-Name: ieee1275-clear-reset.patch 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/grub-core/term/terminfo.c b/grub-core/term/terminfo.c -index d317efa36..63892ad42 100644 +index d317efa368..63892ad427 100644 --- a/grub-core/term/terminfo.c +++ b/grub-core/term/terminfo.c @@ -151,7 +151,7 @@ grub_terminfo_set_current (struct grub_term_output *term,
  81. Download patch debian/patches/grub-legacy-0-based-partitions.patch

    --- 2.04-1/debian/patches/grub-legacy-0-based-partitions.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/grub-legacy-0-based-partitions.patch 2020-08-10 13:07:29.000000000 +0000 @@ -13,7 +13,7 @@ Patch-Name: grub-legacy-0-based-partitio 1 file changed, 14 insertions(+) diff --git a/util/getroot.c b/util/getroot.c -index 847406fba..cdd41153c 100644 +index 847406fbab..cdd41153c5 100644 --- a/util/getroot.c +++ b/util/getroot.c @@ -245,6 +245,20 @@ find_partition (grub_disk_t dsk __attribute__ ((unused)),
  82. Download patch debian/patches/grub-install-pvxen-paths.patch

    --- 2.04-1/debian/patches/grub-install-pvxen-paths.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/grub-install-pvxen-paths.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 8e6b05dbc0a21e8d2a6e8ef2bb831f0bf8ff3a6d Mon Sep 17 00:00:00 2001 +From 66bbce074947abe680475dacfb1cde35b7c17ef3 Mon Sep 17 00:00:00 2001 From: Ian Campbell <ijc@hellion.org.uk> Date: Sat, 6 Sep 2014 12:20:12 +0100 Subject: grub-install: Install PV Xen binaries into the upstream specified @@ -28,10 +28,10 @@ v2: Respect bootdir, create /boot/xen as 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/util/grub-install.c b/util/grub-install.c -index 73c623107..f511cfc72 100644 +index 70d6700de8..64c292383f 100644 --- a/util/grub-install.c +++ b/util/grub-install.c -@@ -2055,6 +2055,28 @@ main (int argc, char *argv[]) +@@ -2058,6 +2058,28 @@ main (int argc, char *argv[]) } break; @@ -60,7 +60,7 @@ index 73c623107..f511cfc72 100644 case GRUB_INSTALL_PLATFORM_MIPSEL_LOONGSON: case GRUB_INSTALL_PLATFORM_MIPSEL_QEMU_MIPS: case GRUB_INSTALL_PLATFORM_MIPS_QEMU_MIPS: -@@ -2064,8 +2086,6 @@ main (int argc, char *argv[]) +@@ -2067,8 +2089,6 @@ main (int argc, char *argv[]) case GRUB_INSTALL_PLATFORM_MIPSEL_ARC: case GRUB_INSTALL_PLATFORM_ARM_UBOOT: case GRUB_INSTALL_PLATFORM_I386_QEMU:
  83. Download patch debian/patches/no-insmod-on-sb.patch

    --- 2.04-1/debian/patches/no-insmod-on-sb.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/no-insmod-on-sb.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 46b1bebed9ab58e5e769a6239dec7a295d9212aa Mon Sep 17 00:00:00 2001 +From df8702b930179447a7ecaf8bb0f9842522967a41 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg@redhat.com> Date: Mon, 13 Jan 2014 12:13:09 +0000 Subject: Don't permit loading modules on UEFI secure boot @@ -16,7 +16,7 @@ Patch-Name: no-insmod-on-sb.patch 3 files changed, 42 insertions(+) diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c -index 48eb5e7b6..074dfc3c6 100644 +index 48eb5e7b62..074dfc3c6f 100644 --- a/grub-core/kern/dl.c +++ b/grub-core/kern/dl.c @@ -38,6 +38,10 @@ @@ -47,7 +47,7 @@ index 48eb5e7b6..074dfc3c6 100644 file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE); diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c -index 6e1ceb905..96204e39b 100644 +index 6e1ceb9051..96204e39b9 100644 --- a/grub-core/kern/efi/efi.c +++ b/grub-core/kern/efi/efi.c @@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid, @@ -86,7 +86,7 @@ index 6e1ceb905..96204e39b 100644 /* Search the mods section from the PE32/PE32+ image. This code uses diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h -index e90e00dc4..a237952b3 100644 +index e90e00dc43..a237952b37 100644 --- a/include/grub/efi/efi.h +++ b/include/grub/efi/efi.h @@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
  84. Download patch debian/patches/net-read-bracketed-ipv6-addr.patch

    --- 2.04-1/debian/patches/net-read-bracketed-ipv6-addr.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/net-read-bracketed-ipv6-addr.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 9d6491949d9e80faa4ef9f699db08a68b6f0d9ba Mon Sep 17 00:00:00 2001 +From 370386aaaed787b4b9082cd75f155f1b21350878 Mon Sep 17 00:00:00 2001 From: Aaron Miller <aaronmiller@fb.com> Date: Thu, 27 Oct 2016 17:39:49 -0400 Subject: net: read bracketed ipv6 addrs and port numbers @@ -16,7 +16,7 @@ Patch-Name: net-read-bracketed-ipv6-addr 4 files changed, 110 insertions(+), 11 deletions(-) diff --git a/grub-core/net/http.c b/grub-core/net/http.c -index 5aa4ad3be..f182d7b87 100644 +index 5aa4ad3bef..f182d7b871 100644 --- a/grub-core/net/http.c +++ b/grub-core/net/http.c @@ -312,12 +312,14 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial) @@ -74,7 +74,7 @@ index 5aa4ad3be..f182d7b87 100644 file); if (!data->sock) diff --git a/grub-core/net/net.c b/grub-core/net/net.c -index d5d726a31..b917a75d5 100644 +index d5d726a315..b917a75d54 100644 --- a/grub-core/net/net.c +++ b/grub-core/net/net.c @@ -437,6 +437,12 @@ parse_ip6 (const char *val, grub_uint64_t *ip, const char **rest) @@ -211,7 +211,7 @@ index d5d726a31..b917a75d5 100644 } } diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c -index 7d90bf66e..a0817a075 100644 +index 7d90bf66e7..a0817a075d 100644 --- a/grub-core/net/tftp.c +++ b/grub-core/net/tftp.c @@ -314,6 +314,7 @@ tftp_open (struct grub_file *file, const char *filename) @@ -241,7 +241,7 @@ index 7d90bf66e..a0817a075 100644 if (!data->sock) { diff --git a/include/grub/net.h b/include/grub/net.h -index 4a9069a14..cc114286e 100644 +index 4a9069a147..cc114286ea 100644 --- a/include/grub/net.h +++ b/include/grub/net.h @@ -270,6 +270,7 @@ typedef struct grub_net
  85. Download patch debian/patches/linuxefi.patch
  86. Download patch debian/patches/bootp-process-dhcpack-http-boot.patch

    --- 2.04-1/debian/patches/bootp-process-dhcpack-http-boot.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/bootp-process-dhcpack-http-boot.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From cddbc2be5f993322a43b2660da588129c19b510a Mon Sep 17 00:00:00 2001 +From 6e1e440798cf53f89f0e5a177d781f0b3d4bc1ca Mon Sep 17 00:00:00 2001 From: Michael Chang <mchang@suse.com> Date: Thu, 27 Oct 2016 17:42:19 -0400 Subject: bootp: Add processing DHCPACK packet from HTTP Boot @@ -24,7 +24,7 @@ Patch-Name: bootp-process-dhcpack-http-b 2 files changed, 60 insertions(+), 1 deletion(-) diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c -index 21c1824ef..558d97ba1 100644 +index 21c1824efb..558d97ba1e 100644 --- a/grub-core/net/bootp.c +++ b/grub-core/net/bootp.c @@ -154,7 +154,7 @@ struct grub_dhcp_request_options @@ -109,7 +109,7 @@ index 21c1824ef..558d97ba1 100644 }, GRUB_NET_BOOTP_END, diff --git a/include/grub/net.h b/include/grub/net.h -index 58cff96d2..b5f9e617e 100644 +index 58cff96d2a..b5f9e617e5 100644 --- a/include/grub/net.h +++ b/include/grub/net.h @@ -523,6 +523,7 @@ enum
  87. Download patch debian/patches/0104-linux-Fix-integer-overflows-in-initrd-size-handling.patch

    --- 2.04-1/debian/patches/0104-linux-Fix-integer-overflows-in-initrd-size-handling.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0104-linux-Fix-integer-overflows-in-initrd-size-handling.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,165 @@ +From 5ae3595759c09e23b48fa2bb35abbe1f66c529bc Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwatson@debian.org> +Date: Sat, 25 Jul 2020 12:15:37 +0100 +Subject: linux: Fix integer overflows in initrd size handling + +These could be triggered by a crafted filesystem with very large files. + +Fixes: CVE-2020-15707 + +Signed-off-by: Colin Watson <cjwatson@debian.org> +Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> +--- + grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++----------- + 1 file changed, 54 insertions(+), 20 deletions(-) + +diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c +index 25624ebc11..e9f819ee95 100644 +--- a/grub-core/loader/linux.c ++++ b/grub-core/loader/linux.c +@@ -4,6 +4,7 @@ + #include <grub/misc.h> + #include <grub/file.h> + #include <grub/mm.h> ++#include <grub/safemath.h> + + struct newc_head + { +@@ -98,13 +99,13 @@ free_dir (struct dir *root) + grub_free (root); + } + +-static grub_size_t ++static grub_err_t + insert_dir (const char *name, struct dir **root, +- grub_uint8_t *ptr) ++ grub_uint8_t *ptr, grub_size_t *size) + { + struct dir *cur, **head = root; + const char *cb, *ce = name; +- grub_size_t size = 0; ++ *size = 0; + while (1) + { + for (cb = ce; *cb == '/'; cb++); +@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root, + ptr = make_header (ptr, name, ce - name, + 040777, 0); + } +- size += ALIGN_UP ((ce - (char *) name) +- + sizeof (struct newc_head), 4); ++ if (grub_add (*size, ++ ALIGN_UP ((ce - (char *) name) ++ + sizeof (struct newc_head), 4), ++ size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ grub_free (n->name); ++ grub_free (n); ++ return grub_errno; ++ } + *head = n; + cur = n; + } + root = &cur->next; + } +- return size; ++ return GRUB_ERR_NONE; + } + + grub_err_t +@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[], + eptr = grub_strchr (ptr, ':'); + if (eptr) + { ++ grub_size_t dir_size, name_len; ++ 
+ initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr); +- if (!initrd_ctx->components[i].newc_name) ++ if (!initrd_ctx->components[i].newc_name || ++ insert_dir (initrd_ctx->components[i].newc_name, &root, 0, ++ &dir_size)) + { + grub_initrd_close (initrd_ctx); + return grub_errno; + } +- initrd_ctx->size +- += ALIGN_UP (sizeof (struct newc_head) +- + grub_strlen (initrd_ctx->components[i].newc_name), +- 4); +- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name, +- &root, 0); ++ name_len = grub_strlen (initrd_ctx->components[i].newc_name); ++ if (grub_add (initrd_ctx->size, ++ ALIGN_UP (sizeof (struct newc_head) + name_len, 4), ++ &initrd_ctx->size) || ++ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size)) ++ goto overflow; + newc = 1; + fname = eptr + 1; + } + } + else if (newc) + { +- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) +- + sizeof ("TRAILER!!!") - 1, 4); ++ if (grub_add (initrd_ctx->size, ++ ALIGN_UP (sizeof (struct newc_head) ++ + sizeof ("TRAILER!!!") - 1, 4), ++ &initrd_ctx->size)) ++ goto overflow; + free_dir (root); + root = 0; + newc = 0; +@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[], + initrd_ctx->nfiles++; + initrd_ctx->components[i].size + = grub_file_size (initrd_ctx->components[i].file); +- initrd_ctx->size += initrd_ctx->components[i].size; ++ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size, ++ &initrd_ctx->size)) ++ goto overflow; + } + + if (newc) + { + initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); +- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) +- + sizeof ("TRAILER!!!") - 1, 4); ++ if (grub_add (initrd_ctx->size, ++ ALIGN_UP (sizeof (struct newc_head) ++ + sizeof ("TRAILER!!!") - 1, 4), ++ &initrd_ctx->size)) ++ goto overflow; + free_dir (root); + root = 0; + } + + return GRUB_ERR_NONE; ++ ++overflow: ++ free_dir (root); ++ grub_initrd_close (initrd_ctx); ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + } + + 
grub_size_t +@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, + + if (initrd_ctx->components[i].newc_name) + { +- ptr += insert_dir (initrd_ctx->components[i].newc_name, +- &root, ptr); ++ grub_size_t dir_size; ++ ++ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr, ++ &dir_size)) ++ { ++ free_dir (root); ++ grub_initrd_close (initrd_ctx); ++ return grub_errno; ++ } ++ ptr += dir_size; + ptr = make_header (ptr, initrd_ctx->components[i].newc_name, + grub_strlen (initrd_ctx->components[i].newc_name), + 0100777,
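
    Review bot: in the final `if (newc)` block of grub_initrd_init, the unchanged line `initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);` still rounds the running total up without an overflow check, immediately before the newly checked grub_add for the trailer. A total within three bytes of the grub_size_t maximum wraps there, so the rounding should also go through grub_add (for example, add 3 into a temporary, mask it, and `goto overflow` on failure). Separately, the new early return in the `if (eptr)` branch calls grub_initrd_close and returns grub_errno when insert_dir fails, but it does not call `free_dir (root)` the way the `overflow:` label and the grub_initrd_load error path do. Jumping to a shared cleanup label would keep the directory list from leaking.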
  88. Download patch debian/patches/mkrescue-efi-modules.patch

    --- 2.04-1/debian/patches/mkrescue-efi-modules.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkrescue-efi-modules.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From b1e5197cab859b271d539c8e4a9f2928b23b66b2 Mon Sep 17 00:00:00 2001 +From 20edd1abb590756c35b886849a15d17d80f82170 Mon Sep 17 00:00:00 2001 From: Mario Limonciello <Mario_Limonciello@dell.com> Date: Mon, 13 Jan 2014 12:12:59 +0000 Subject: Build vfat into EFI boot images @@ -14,7 +14,7 @@ Patch-Name: mkrescue-efi-modules.patch 1 file changed, 2 insertions(+) diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c -index ce2cbc4f1..45d6140d3 100644 +index ce2cbc4f10..45d6140d3e 100644 --- a/util/grub-mkrescue.c +++ b/util/grub-mkrescue.c @@ -750,6 +750,7 @@ main (int argc, char *argv[])
  89. Download patch debian/patches/mkconfig-recovery-title.patch

    --- 2.04-1/debian/patches/mkconfig-recovery-title.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-recovery-title.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 1ff07175f797154b36c322acaf33ec7e562c7502 Mon Sep 17 00:00:00 2001 +From cc1216264113d2471a5ee5d472358e265fde1ab5 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:33 +0000 Subject: Add GRUB_RECOVERY_TITLE option @@ -16,12 +16,13 @@ Patch-Name: mkconfig-recovery-title.patc util/grub.d/10_hurd.in | 4 ++-- util/grub.d/10_kfreebsd.in | 2 +- util/grub.d/10_linux.in | 2 +- + util/grub.d/10_linux_zfs.in | 8 ++++---- util/grub.d/10_netbsd.in | 2 +- util/grub.d/20_linux_xen.in | 2 +- - 7 files changed, 17 insertions(+), 7 deletions(-) + 8 files changed, 21 insertions(+), 11 deletions(-) diff --git a/docs/grub.texi b/docs/grub.texi -index a835d0ae4..3ec35d315 100644 +index a835d0ae42..3ec35d315a 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -1536,6 +1536,11 @@ a console is restricted or limited. @@ -37,7 +38,7 @@ index a835d0ae4..3ec35d315 100644 The following options are still accepted for compatibility with existing diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in -index 307214310..9c1da6477 100644 +index 3072143105..9c1da64771 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -196,6 +196,10 @@ GRUB_ACTUAL_DEFAULT="$GRUB_DEFAULT" @@ -62,7 +63,7 @@ index 307214310..9c1da6477 100644 if test "x${grub_cfg}" != "x"; then rm -f "${grub_cfg}.new" diff --git a/util/grub.d/10_hurd.in b/util/grub.d/10_hurd.in -index 59a9a48a2..7fa3a3fbd 100644 +index 59a9a48a2f..7fa3a3fbd8 100644 --- a/util/grub.d/10_hurd.in +++ b/util/grub.d/10_hurd.in @@ -88,8 +88,8 @@ hurd_entry () { @@ -77,7 +78,7 @@ index 59a9a48a2..7fa3a3fbd 100644 title="$(gettext_printf "%s, with Hurd %s" "${OS}" "${kernel_base}")" oldtitle="$OS using $kernel_base" 
diff --git a/util/grub.d/10_kfreebsd.in b/util/grub.d/10_kfreebsd.in -index 9d8e8fd85..8301d361a 100644 +index 9d8e8fd852..8301d361a1 100644 --- a/util/grub.d/10_kfreebsd.in +++ b/util/grub.d/10_kfreebsd.in @@ -76,7 +76,7 @@ kfreebsd_entry () @@ -90,10 +91,10 @@ index 9d8e8fd85..8301d361a 100644 title="$(gettext_printf "%s, with kFreeBSD %s" "${os}" "${version}")" fi diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index 174d547bb..ba945582e 100644 +index cc2dd855ab..2c418c5ec8 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in -@@ -126,7 +126,7 @@ linux_entry () +@@ -130,7 +130,7 @@ linux_entry () if [ x$type != xsimple ] ; then case $type in recovery) 
@@ -102,8 +103,42 @@ index 174d547bb..ba945582e 100644 *) title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;; esac +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index 48a4e68976..4477fa6061 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -957,7 +957,7 @@ generate_grub_menu() { + + GRUB_DISABLE_RECOVERY=${GRUB_DISABLE_RECOVERY:-} + if [ "${GRUB_DISABLE_RECOVERY}" != "true" ]; then +- title="$(gettext_printf "%s%s, with Linux %s (recovery mode)" "${last_booted_kernel_marker}" "${name}" "${kernel_version}")" ++ title="$(gettext_printf "%s%s, with Linux %s (%s)" "${last_booted_kernel_marker}" "${name}" "${kernel_version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + zfs_linux_entry 1 "${title}" "recovery" "${dataset}" "${device}" "${initrd}" "${kernel}" + fi + at_least_one_entry=1 +@@ -985,9 +985,9 @@ generate_grub_menu() { + + GRUB_DISABLE_RECOVERY="${GRUB_DISABLE_RECOVERY:-}" + if [ "${GRUB_DISABLE_RECOVERY}" != "true" ]; then +- title="$(gettext_printf "Revert system only (recovery mode)")" ++ title="$(gettext_printf "Revert system only (%s)" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + zfs_linux_entry 2 "${title}" "recovery" "${dataset}" "${device}" "${initrd}" "${kernel}" +- title="$(gettext_printf "Revert system and user data (recovery mode)")" ++ title="$(gettext_printf "Revert system and user data (%s)" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + zfs_linux_entry 2 "${title}" "recovery" "${dataset}" "${device}" "${initrd}" "${kernel}" "zsys-revert=userdata" + fi + # Non-zsys: boot temporarly on snapshots or rollback (destroying intermediate snapshots) +@@ -997,7 +997,7 @@ generate_grub_menu() { + + GRUB_DISABLE_RECOVERY="${GRUB_DISABLE_RECOVERY:-}" + if [ "${GRUB_DISABLE_RECOVERY}" != "true" ]; then +- title="$(gettext_printf "One time boot (recovery mode)")" ++ title="$(gettext_printf "One time boot (%s)" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + zfs_linux_entry 2 "${title}" "recovery" 
"${dataset}" "${device}" "${initrd}" "${kernel}" + fi + diff --git a/util/grub.d/10_netbsd.in b/util/grub.d/10_netbsd.in -index 874f59969..bb29cc046 100644 +index 874f59969e..bb29cc0468 100644 --- a/util/grub.d/10_netbsd.in +++ b/util/grub.d/10_netbsd.in @@ -102,7 +102,7 @@ netbsd_entry () @@ -116,7 +151,7 @@ index 874f59969..bb29cc046 100644 title="$(gettext_printf "%s, with kernel %s (via %s)" "${OS}" "$(echo ${kernel} | sed -e 's,^.*/,,')" "${loader}")" fi diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in -index 9a8d42fb5..f2ee0532b 100644 +index 9a8d42fb57..f2ee0532bd 100644 --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in @@ -105,7 +105,7 @@ linux_entry ()
  90. Download patch debian/patches/mkconfig-ubuntu-distributor.patch

    --- 2.04-1/debian/patches/mkconfig-ubuntu-distributor.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/mkconfig-ubuntu-distributor.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From b81e9404d10f1af1715c0c5f8783d712bf5af660 Mon Sep 17 00:00:00 2001 +From 77ada294ae9feca7e4202f454ddf56245eee16bf Mon Sep 17 00:00:00 2001 From: Mario Limonciello <Mario_Limonciello@dell.com> Date: Mon, 13 Jan 2014 12:13:14 +0000 Subject: Remove GNU/Linux from default distributor string for Ubuntu @@ -12,11 +12,12 @@ Last-Update: 2013-12-25 Patch-Name: mkconfig-ubuntu-distributor.patch --- - util/grub.d/10_linux.in | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) + util/grub.d/10_linux.in | 9 ++++++++- + util/grub.d/10_linux_zfs.in | 9 ++++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index 0509ac680..fd87a124d 100644 +index fcd3033872..19e4df4ad8 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -32,7 +32,14 @@ CLASS="--class gnu-linux --class gnu --class os" @@ -35,3 +36,23 @@ index 0509ac680..fd87a124d 100644 CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}" fi +diff --git a/util/grub.d/10_linux_zfs.in b/util/grub.d/10_linux_zfs.in +index de4d215900..7f88e771e0 100755 +--- a/util/grub.d/10_linux_zfs.in ++++ b/util/grub.d/10_linux_zfs.in +@@ -790,7 +790,14 @@ generate_grub_menu() { + if [ "${GRUB_DISTRIBUTOR}" = "" ] ; then + OS=GNU/Linux + else +- OS="${GRUB_DISTRIBUTOR} GNU/Linux" ++ case ${GRUB_DISTRIBUTOR} in ++ Ubuntu|Kubuntu) ++ OS="${GRUB_DISTRIBUTOR}" ++ ;; ++ *) ++ OS="${GRUB_DISTRIBUTOR} GNU/Linux" ++ ;; ++ esac + CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1 | LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}" + fi +
  91. Download patch debian/patches/0085-malloc-Use-overflow-checking-primitives-where-we-do-.patch
  92. Download patch debian/patches/cherrypick-smbios-module.patch
  93. Download patch debian/grub-extras/915resolution/.bzrignore

    --- 2.04-1/debian/grub-extras/915resolution/.bzrignore 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-extras/915resolution/.bzrignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -**/.deps-core -**/.dirstamp -Makefile.core.am
  94. Download patch debian/patches/0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch

    --- 2.04-1/debian/patches/0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch 2020-08-10 13:07:29.000000000 +0000 @@ -0,0 +1,25 @@ +From f59fbf2d6ae70d8872d8b680cfccb6e139410944 Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Wed, 11 Mar 2020 16:46:41 +0100 +Subject: ubuntu: Update the linux boot protocol version check. + +The EFI implementation of grub_cmd_linux makes use of xloadflags which was +introduced in to version 2.12 of the kernel's boot protocol, so update the +check accordingly. +--- + grub-core/loader/i386/efi/linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index fe3ca2c596..2929da7a29 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -245,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + } + + grub_dprintf ("linuxefi", "checking lh->version\n"); +- if (lh->version < grub_cpu_to_le16 (0x020b)) ++ if (lh->version < grub_cpu_to_le16 (0x020c)) + { + grub_error (GRUB_ERR_BAD_OS, N_("kernel too old")); + goto fail;
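
    Review bot: the changed line `if (lh->version < grub_cpu_to_le16 (0x020c))` does an ordered comparison between a little-endian field and a constant converted to little-endian. This gives the right answer only because the file is under loader/i386/efi and the conversion is a no-op there. Writing it as `grub_le_to_cpu16 (lh->version) < 0x020c` would make the ordering correct regardless of host byte order and states the intent more clearly. The commit message also carries no Signed-off-by line, unlike the other new patches in this upload.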
  95. Download patch debian/grub-check-signatures

    --- 2.04-1/debian/grub-check-signatures 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-check-signatures 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,129 @@ +#!/bin/sh + +set -e + +. /usr/share/debconf/confmodule + +# Check if we are on an EFI system +efivars=/sys/firmware/efi/efivars +secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c +moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 +tmpdir=$(mktemp -d) + +on_secure_boot() { + # Validate any queued actions before we go try to do them. + local moksbstatert=0 + + if ! [ -d $efivars ]; then + return 1 + fi + + if ! [ -f $efivars/$secureboot_var ] \ + || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ] + then + return 1 + fi + + if [ -f /proc/sys/kernel/moksbstate_disabled ]; then + moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0) + elif [ -f $efivars/$moksbstatert_var ]; then + # MokSBStateRT set to 1 means validation is disabled + moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \ + awk '{ print $NF; }') + fi + + if [ $moksbstatert -eq 1 ]; then + return 1 + fi + + return 0 +} + +# Retrieve the keys we do trust from PK, DB, KEK, and MokList. +extract_known_keys() { + # Make the Canonical CA cert available for validation too; in case + # MokListRT is empty due to a bug. + cp /usr/share/grub/canonical-uefi-ca.crt $tmpdir + + # Extract known UEFI certs from firmware variables + ( cd $tmpdir; \ + mokutil --export --db >/dev/null 2>/dev/null; \ + mokutil --export --mok >/dev/null 2>/dev/null; ) + find $tmpdir -name "*.der" -exec openssl x509 -inform der -in {} -outform pem -out {}.crt \; +} + +# Check if a given kernel image is signed +is_signed() { + tmp=$(mktemp) + sbattach --detach $tmp $1 >/dev/null 2>/dev/null # that's ugly... + test "$(wc -c < $tmp)" -ge 16 # Just _some_ minimum size + result=$? 
+ if [ $result -eq 0 ]; then + sig_subject=$(openssl pkcs7 -inform der -in $tmp -print_certs | openssl x509 -noout -text | grep Subject: ) + fi + rm $tmp + if [ $result -eq 0 ]; then + for crtfile in $tmpdir/*.crt; do + sbverify --cert $crtfile $1 >/dev/null 2>/dev/null + result=$? + if [ $result -eq 0 ]; then + return $result; + fi + done + echo "$1 is signed, but using an unknown key:" >&2 + echo "$sig_subject" >&2 + else + echo "$1 is unsigned." >&2 + fi + return $result +} + +# Check that our current kernel and every newer one is signed +find_unsigned() { + uname_r="$(uname -r)" + for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do + # no kernels :( + if [ "$kernel" = "/boot/vmlinuz-*" ]; then + break + fi + this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')" + if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then + continue + fi + if [ -e "$kernel.efi.signed" ]; then + continue + fi + if ! is_signed $kernel; then + echo "$this_uname_r" + fi + done +} + +# Only reached from show_warning +error() { + echo "E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment." >&2 + exit 1 +} + +# Either shows a debconf note or prints an error with error() above if +# that fails +show_warning() { + # kernels should be an indented list of one version per line + escaped="$(printf "%s" "$unsigned" | sed "s#^# #" | debconf-escape -e )" + db_capb escape + db_settitle grub2/unsigned_kernels_title || error + db_fset grub2/unsigned_kernels seen 0 || error + db_subst grub2/unsigned_kernels unsigned_versions "$escaped" || error + db_input critical grub2/unsigned_kernels || error + db_go || error + error +} + +if on_secure_boot; then + extract_known_keys + unsigned="$(find_unsigned)" + if [ -n "$unsigned" ]; then + show_warning "$unsigned" + fi + rm -rf "$tmpdir" +fi
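
    Review bot: `tmpdir=$(mktemp -d)` runs unconditionally at the top of the script, but the only cleanup is the `rm -rf "$tmpdir"` at the end of the `if on_secure_boot` block. The directory is therefore left behind on every run where Secure Boot is off, and also whenever unsigned kernels are found, because show_warning always ends in `error`, which calls `exit 1` before the rm is reached. Either create the directory inside the `on_secure_boot` branch or install `trap 'rm -rf "$tmpdir"' EXIT` right after the mktemp. Smaller points: `$1`, `$tmp`, `$crtfile` and `$kernel` are expanded unquoted in is_signed and find_unsigned, and show_warning is called with `"$unsigned"` as an argument but reads the global `$unsigned` instead of `$1`.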
  96. Download patch debian/patches/no-devicetree-if-secure-boot.patch

    --- 2.04-1/debian/patches/no-devicetree-if-secure-boot.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/no-devicetree-if-secure-boot.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 68414261f692279b987ecccb9cb80e4e84d3c1dc Mon Sep 17 00:00:00 2001 +From 7419d200192a1214872a70852200922529baa7b8 Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Wed, 24 Apr 2019 10:03:04 -0400 Subject: Forbid the "devicetree" command when Secure Boot is enabled. @@ -17,7 +17,7 @@ Patch-Name: no-devicetree-if-secure-boot 2 files changed, 20 insertions(+) diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c -index 51684914c..092e8e307 100644 +index 51684914cf..092e8e3077 100644 --- a/grub-core/loader/arm/linux.c +++ b/grub-core/loader/arm/linux.c @@ -30,6 +30,10 @@ @@ -47,7 +47,7 @@ index 51684914c..092e8e307 100644 if (!dtb) return grub_errno; diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c -index ee9c5592c..f0c2d91be 100644 +index ee9c5592c7..f0c2d91be2 100644 --- a/grub-core/loader/efi/fdt.c +++ b/grub-core/loader/efi/fdt.c @@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
  97. Download patch debian/patches/0092-script-Avoid-a-use-after-free-when-redefining-a-func.patch

    --- 2.04-1/debian/patches/0092-script-Avoid-a-use-after-free-when-redefining-a-func.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0092-script-Avoid-a-use-after-free-when-redefining-a-func.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,104 @@ +From ce9f66f0a86e6cbfd866e431df87f205537380f5 Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Fri, 10 Jul 2020 14:41:45 +0100 +Subject: script: Avoid a use-after-free when redefining a function during + execution + +Defining a new function with the same name as a previously defined +function causes the grub_script and associated resources for the +previous function to be freed. If the previous function is currently +executing when a function with the same name is defined, this results +in use-after-frees when processing subsequent commands in the original +function. + +Instead, reject a new function definition if it has the same name as +a previously defined function, and that function is currently being +executed. Although a behavioural change, this should be backwards +compatible with existing configurations because they can't be +dependent on the current behaviour without being broken. + +Signed-off-by: Chris Coulson <chris.coulson@canonical.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/script/execute.c | 2 ++ + grub-core/script/function.c | 16 +++++++++++++--- + grub-core/script/parser.y | 3 ++- + include/grub/script_sh.h | 2 ++ + 4 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index c8d6806fe0..7e028e1355 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args) + old_scope = scope; + scope = &new_scope; + ++ func->executing++; + ret = grub_script_execute (func->func); ++ func->executing--; + + function_return = 0; + active_loops = loops; +diff --git a/grub-core/script/function.c b/grub-core/script/function.c +index d36655e510..3aad04bf9d 100644 +--- a/grub-core/script/function.c ++++ b/grub-core/script/function.c +@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg 
*functionname_arg, + func = (grub_script_function_t) grub_malloc (sizeof (*func)); + if (! func) + return 0; ++ func->executing = 0; + + func->name = grub_strdup (functionname_arg->str); + if (! func->name) +@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, + grub_script_function_t q; + + q = *p; +- grub_script_free (q->func); +- q->func = cmd; + grub_free (func); +- func = q; ++ if (q->executing > 0) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, ++ N_("attempt to redefine a function being executed")); ++ func = NULL; ++ } ++ else ++ { ++ grub_script_free (q->func); ++ q->func = cmd; ++ func = q; ++ } + } + else + { +diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y +index 4f0ab8319e..f80b86b6f1 100644 +--- a/grub-core/script/parser.y ++++ b/grub-core/script/parser.y +@@ -289,7 +289,8 @@ function: "function" "name" + grub_script_mem_free (state->func_mem); + else { + script->children = state->scripts; +- grub_script_function_create ($2, script); ++ if (!grub_script_function_create ($2, script)) ++ grub_script_free (script); + } + + state->scripts = $<scripts>3; +diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h +index b382bcf09b..6c48e07512 100644 +--- a/include/grub/script_sh.h ++++ b/include/grub/script_sh.h +@@ -361,6 +361,8 @@ struct grub_script_function + + /* The next element. */ + struct grub_script_function *next; ++ ++ unsigned executing; + }; + typedef struct grub_script_function *grub_script_function_t; +
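
    Review bot: in the grub-core/script/function.c hunk, `grub_free (func);` now runs on both the rejected and the accepted redefinition path, but nothing in the visible lines frees `func->name`, which the first hunk's context shows is allocated with `grub_strdup`. Unless that is released in lines outside the hunk, each redefinition leaks the duplicated name, so `grub_free (func->name);` should precede `grub_free (func);`. The new `unsigned executing;` member in include/grub/script_sh.h should also get a comment like the `next` member above it, stating that it counts active invocations of the function.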
  98. Download patch debian/grub-extras/ntldr-img/.bzrignore

    --- 2.04-1/debian/grub-extras/ntldr-img/.bzrignore 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/grub-extras/ntldr-img/.bzrignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -**/.deps-core -**/.dirstamp -Makefile.core.am
  99. Download patch debian/patches/0100-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch

    --- 2.04-1/debian/patches/0100-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/0100-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch 2020-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,146 @@ +From d1e511e940a1f2577f568e11076df02c7a221042 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov <amakhalov@vmware.com> +Date: Wed, 15 Jul 2020 06:42:37 +0000 +Subject: relocator: Protect grub_relocator_alloc_chunk_addr() input args + against integer underflow/overflow + +Use arithmetic macros from safemath.h to accomplish it. In this commit, +I didn't want to be too paranoid to check every possible math equation +for overflow/underflow. Only obvious places (with non zero chance of +overflow/underflow) were refactored. + +Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/loader/i386/linux.c | 9 +++++++-- + grub-core/loader/i386/pc/linux.c | 9 +++++++-- + grub-core/loader/i386/xen.c | 12 ++++++++++-- + grub-core/loader/xnu.c | 11 +++++++---- + 4 files changed, 31 insertions(+), 10 deletions(-) + +diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c +index 991eb29db9..4e14eb1887 100644 +--- a/grub-core/loader/i386/linux.c ++++ b/grub-core/loader/i386/linux.c +@@ -36,6 +36,7 @@ + #include <grub/lib/cmdline.h> + #include <grub/linux.h> + #include <grub/machine/kernel.h> ++#include <grub/safemath.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -550,9 +551,13 @@ grub_linux_boot (void) + + { + grub_relocator_chunk_t ch; ++ grub_size_t sz; ++ ++ if (grub_add (ctx.real_size, efi_mmap_size, &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ + err = grub_relocator_alloc_chunk_addr (relocator, &ch, +- ctx.real_mode_target, +- (ctx.real_size + efi_mmap_size)); ++ ctx.real_mode_target, sz); + if (err) + return err; + real_mode_mem = get_virtual_current_address (ch); +diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c +index 3866f048bb..81ab3c0c15 100644 +--- a/grub-core/loader/i386/pc/linux.c ++++ b/grub-core/loader/i386/pc/linux.c +@@ -36,6 +36,7 @@ + #include <grub/lib/cmdline.h> + #include <grub/linux.h> + #include <grub/efi/sb.h> ++#include 
<grub/safemath.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -231,8 +232,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS; + + real_size = setup_sects << GRUB_DISK_SECTOR_BITS; +- grub_linux16_prot_size = grub_file_size (file) +- - real_size - GRUB_DISK_SECTOR_SIZE; ++ if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) || ++ grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ goto fail; ++ } + + if (! grub_linux_is_bzimage + && GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size +diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c +index 8f662c8ac8..cd24874ca3 100644 +--- a/grub-core/loader/i386/xen.c ++++ b/grub-core/loader/i386/xen.c +@@ -41,6 +41,7 @@ + #include <grub/linux.h> + #include <grub/i386/memory.h> + #include <grub/verify.h> ++#include <grub/safemath.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -636,6 +637,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)), + grub_relocator_chunk_t ch; + grub_addr_t kern_start; + grub_addr_t kern_end; ++ grub_size_t sz; + + if (argc == 0) + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); +@@ -703,8 +705,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)), + + xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE); + +- err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, +- kern_end - kern_start); ++ ++ if (grub_sub (kern_end, kern_start, &sz)) ++ { ++ err = GRUB_ERR_OUT_OF_RANGE; ++ goto fail; ++ } ++ ++ err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz); + if (err) + goto fail; + kern_chunk_src = get_virtual_current_address (ch); +diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c +index 2f0ebd0b8b..3fd653993f 100644 +--- a/grub-core/loader/xnu.c ++++ b/grub-core/loader/xnu.c +@@ -35,6 +35,7 @@ + #include 
<grub/i18n.h> + #include <grub/verify.h> + #include <grub/efi/sb.h> ++#include <grub/safemath.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -60,15 +61,17 @@ grub_xnu_heap_malloc (int size, void **src, grub_addr_t *target) + { + grub_err_t err; + grub_relocator_chunk_t ch; ++ grub_addr_t tgt; ++ ++ if (grub_add (grub_xnu_heap_target_start, grub_xnu_heap_size, &tgt)) ++ return GRUB_ERR_OUT_OF_RANGE; + +- err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, +- grub_xnu_heap_target_start +- + grub_xnu_heap_size, size); ++ err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, tgt, size); + if (err) + return err; + + *src = get_virtual_current_address (ch); +- *target = grub_xnu_heap_target_start + grub_xnu_heap_size; ++ *target = tgt; + grub_xnu_heap_size += size; + grub_dprintf ("xnu", "val=%p\n", *src); + return GRUB_ERR_NONE;
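
    Review bot: the overflow paths added in grub_linux_boot (loader/i386/linux.c) and grub_xnu_heap_malloc (loader/xnu.c) do a bare `return GRUB_ERR_OUT_OF_RANGE;`, and the xen.c hunk sets `err = GRUB_ERR_OUT_OF_RANGE; goto fail;`. Only the i386/pc/linux.c hunk calls `grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"))`. Without grub_error, grub_errno and the error message are not set, so the three sites should report the failure the same way the pc/linux.c hunk does. In grub_xnu_heap_malloc the context line `grub_xnu_heap_size += size;` is still unchecked and `size` is a signed int, so that accumulation deserves a grub_add as well. The xen.c hunk also introduces a second consecutive blank line before the new grub_sub check.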
  100. Download patch debian/patches/blacklist-1440x900x32.patch

    --- 2.04-1/debian/patches/blacklist-1440x900x32.patch 2019-07-09 10:48:01.000000000 +0000 +++ 2.04-1ubuntu28/debian/patches/blacklist-1440x900x32.patch 2020-08-10 13:07:29.000000000 +0000 @@ -1,4 +1,4 @@ -From 49e89abd1779d3b755d3fbc56a7d4859f39f7792 Mon Sep 17 00:00:00 2001 +From a48eec06d4c5c5d1e808b52c1193044c09d638c2 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Mon, 13 Jan 2014 12:13:11 +0000 Subject: Blacklist 1440x900x32 from VBE preferred mode handling @@ -13,7 +13,7 @@ Patch-Name: blacklist-1440x900x32.patch 1 file changed, 9 insertions(+) diff --git a/grub-core/video/i386/pc/vbe.c b/grub-core/video/i386/pc/vbe.c -index b7f911926..4b1bd7d5e 100644 +index b7f911926d..4b1bd7d5ea 100644 --- a/grub-core/video/i386/pc/vbe.c +++ b/grub-core/video/i386/pc/vbe.c @@ -1054,6 +1054,15 @@ grub_video_vbe_setup (unsigned int width, unsigned int height,
  101. ...
  1. grub2