summaryrefslogtreecommitdiffstats
path: root/meta/recipes-bsp/grub
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-bsp/grub')
-rw-r--r--meta/recipes-bsp/grub/files/0001-RISC-V-Restore-the-typcast-to-long.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0001-configure-Remove-obsoleted-malign-jumps-loops-functi.patch48
-rw-r--r--meta/recipes-bsp/grub/files/0001-configure.ac-Use-_zicsr_zifencei-extentions-on-riscv.patch47
-rw-r--r--meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch115
-rw-r--r--meta/recipes-bsp/grub/files/0002-configure-Check-for-falign-jumps-1-beside-falign-loo.patch59
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-10713.patch73
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch1863
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch1330
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch117
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch177
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch179
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch50
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch84
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch49
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-2601.patch85
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch63
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch58
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch56
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch111
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch86
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-3775.patch95
-rw-r--r--meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch15
-rw-r--r--meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch246
-rw-r--r--meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch168
-rw-r--r--meta/recipes-bsp/grub/files/determinism.patch58
-rw-r--r--meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch129
-rw-r--r--meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch287
-rw-r--r--meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch94
-rw-r--r--meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch37
-rw-r--r--meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch693
-rw-r--r--meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch264
-rw-r--r--meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch53
-rw-r--r--meta/recipes-bsp/grub/grub-bootconf_1.00.bb4
-rw-r--r--meta/recipes-bsp/grub/grub-efi_2.06.bb (renamed from meta/recipes-bsp/grub/grub-efi_2.04.bb)38
-rw-r--r--meta/recipes-bsp/grub/grub2.inc63
-rw-r--r--meta/recipes-bsp/grub/grub_2.04.bb38
-rw-r--r--meta/recipes-bsp/grub/grub_2.06.bb41
37 files changed, 2683 insertions, 4329 deletions
diff --git a/meta/recipes-bsp/grub/files/0001-RISC-V-Restore-the-typcast-to-long.patch b/meta/recipes-bsp/grub/files/0001-RISC-V-Restore-the-typcast-to-long.patch
new file mode 100644
index 0000000000..2f15a91f68
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-RISC-V-Restore-the-typcast-to-long.patch
@@ -0,0 +1,39 @@
+From e4c41db74b8972285cbdfe614c95c1ffd97d70e1 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 26 Mar 2021 11:59:43 -0700
+Subject: [PATCH] RISC-V: Restore the typcast to 64bit type
+
+this makes the type promotions clear and explicit
+It was already typecasted to long but was accidentally dropped in [1]
+which stated to cause failures on riscv32 as reported in [2]
+
+[1] https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2bf40e9e5be9808b17852e688eead87acff14420
+[2] https://savannah.gnu.org/bugs/index.php?60283
+
+Upstream-Status: Submitted
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Cc: Andreas Schwab <schwab@suse.de>
+Cc: Daniel Kiper <daniel.kiper@oracle.com>
+Cc: Chester Lin <clin@suse.com>
+Cc: Nikita Ermakov <arei@altlinux.org>
+Cc: Alistair Francis <alistair.francis@wdc.com>
+---
+ util/grub-mkimagexx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index 00f49ccaa..ac677d03d 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -1242,7 +1242,7 @@ SUFFIX (relocate_addrs) (Elf_Ehdr *e, struct section_metadata *smd,
+ */
+
+ sym_addr += addend;
+- off = sym_addr - target_section_addr - offset - image_target->vaddr_offset;
++ off = (grub_int64_t)sym_addr - target_section_addr - offset - image_target->vaddr_offset;
+
+ switch (ELF_R_TYPE (info))
+ {
+--
+2.31.1
+
diff --git a/meta/recipes-bsp/grub/files/0001-configure-Remove-obsoleted-malign-jumps-loops-functi.patch b/meta/recipes-bsp/grub/files/0001-configure-Remove-obsoleted-malign-jumps-loops-functi.patch
new file mode 100644
index 0000000000..98142a7b60
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-configure-Remove-obsoleted-malign-jumps-loops-functi.patch
@@ -0,0 +1,48 @@
+From eb486898dac8cbc29b2cc39f911b657c3417ae34 Mon Sep 17 00:00:00 2001
+From: Fangrui Song via Grub-devel <grub-devel@gnu.org>
+Date: Thu, 26 Aug 2021 09:02:31 -0700
+Subject: [PATCH 1/2] configure: Remove obsoleted -malign-{jumps, loops,
+ functions}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The GCC warns "cc1: warning: ‘-malign-loops’ is obsolete, use ‘-falign-loops’".
+The Clang silently ignores -malign-{jumps,loops,functions}.
+
+The preferred -falign-* forms have been supported since GCC 3.2. So, just
+remove -malign-{jumps,loops,functions}.
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=eb486898dac8cbc29b2cc39f911b657c3417ae34]
+Signed-off-by: Fangrui Song <maskray@google.com>
+Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ configure.ac | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index bee28dbeb..9a12151bd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -805,17 +805,8 @@ if test "x$target_cpu" = xi386; then
+ [grub_cv_cc_falign_loop=no])
+ ])
+
+- AC_CACHE_CHECK([whether -malign-loops works], [grub_cv_cc_malign_loop], [
+- CFLAGS="$TARGET_CFLAGS -malign-loops=1 -Werror"
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+- [grub_cv_cc_malign_loop=yes],
+- [grub_cv_cc_malign_loop=no])
+- ])
+-
+ if test "x$grub_cv_cc_falign_loop" = xyes; then
+ TARGET_CFLAGS="$TARGET_CFLAGS -falign-jumps=1 -falign-loops=1 -falign-functions=1"
+- elif test "x$grub_cv_cc_malign_loop" = xyes; then
+- TARGET_CFLAGS="$TARGET_CFLAGS -malign-jumps=1 -malign-loops=1 -malign-functions=1"
+ fi
+ fi
+
+--
+2.37.3
+
diff --git a/meta/recipes-bsp/grub/files/0001-configure.ac-Use-_zicsr_zifencei-extentions-on-riscv.patch b/meta/recipes-bsp/grub/files/0001-configure.ac-Use-_zicsr_zifencei-extentions-on-riscv.patch
new file mode 100644
index 0000000000..c575a31161
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-configure.ac-Use-_zicsr_zifencei-extentions-on-riscv.patch
@@ -0,0 +1,47 @@
+From f1217c803cec90813eb834dde7829f4961b2a2e4 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 17 Feb 2022 15:07:02 -0800
+Subject: [PATCH] configure.ac: Use _zicsr_zifencei extentions on riscv
+
+From version 2.38, binutils defaults to ISA spec version 20191213. This
+means that the csr read/write (csrr*/csrw*) instructions and fence.i
+instruction has separated from the `I` extension, become two standalone
+extensions: Zicsr and Zifencei.
+
+The fix is to specify those extensions explicitely in -march. Since we
+are now using binutils 2.38+ in OE this is ok, a more upstreamable fix for
+grub will be to detect these extentions, however thats not easy to
+implement
+
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.ac | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index c7fc55a..072f2c9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -849,14 +849,14 @@ if test x"$platform" != xemu ; then
+ [grub_cv_target_cc_soft_float="-mgeneral-regs-only"], [])
+ fi
+ if test "x$target_cpu" = xriscv32; then
+- CFLAGS="$TARGET_CFLAGS -march=rv32imac -mabi=ilp32 -Werror"
++ CFLAGS="$TARGET_CFLAGS -march=rv32imac_zicsr_zifencei -mabi=ilp32 -Werror"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+- [grub_cv_target_cc_soft_float="-march=rv32imac -mabi=ilp32"], [])
++ [grub_cv_target_cc_soft_float="-march=rv32imac_zicsr_zifencei -mabi=ilp32"], [])
+ fi
+ if test "x$target_cpu" = xriscv64; then
+- CFLAGS="$TARGET_CFLAGS -march=rv64imac -mabi=lp64 -Werror"
++ CFLAGS="$TARGET_CFLAGS -march=rv64imac_zicsr_zifencei -mabi=lp64 -Werror"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+- [grub_cv_target_cc_soft_float="-march=rv64imac -mabi=lp64"], [])
++ [grub_cv_target_cc_soft_float="-march=rv64imac_zicsr_zifencei -mabi=lp64"], [])
+ fi
+ if test "x$target_cpu" = xia64; then
+ CFLAGS="$TARGET_CFLAGS -mno-inline-float-divide -mno-inline-sqrt -Werror"
+--
+2.35.1
+
diff --git a/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..efa00a3c6c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,115 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+---
+ grub-core/font/font.c | 17 +++++++++++++----
+ include/grub/bitmap.h | 18 ++++++++++++++++++
+ include/grub/safemath.h | 2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index d09bb38..876b5b6 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ grub_int16_t xoff;
+ grub_int16_t yoff;
+ grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+ if (index_entry->glyph)
+ /* Return cached glyph. */
+@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ return 0;
+ }
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+ {
+ remove_font (font);
+ return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+ return bitmap->mode_info.height;
+ }
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
diff --git a/meta/recipes-bsp/grub/files/0002-configure-Check-for-falign-jumps-1-beside-falign-loo.patch b/meta/recipes-bsp/grub/files/0002-configure-Check-for-falign-jumps-1-beside-falign-loo.patch
new file mode 100644
index 0000000000..437e5b29b2
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0002-configure-Check-for-falign-jumps-1-beside-falign-loo.patch
@@ -0,0 +1,59 @@
+From e372dcb0d4541ee9b9682cde088ec87a7b238ca2 Mon Sep 17 00:00:00 2001
+From: Fangrui Song via Grub-devel <grub-devel@gnu.org>
+Date: Thu, 26 Aug 2021 09:02:32 -0700
+Subject: [PATCH 2/2] configure: Check for -falign-jumps=1 beside
+ -falign-loops=1
+
+The Clang does not support -falign-jumps and only recently gained support
+for -falign-loops. The -falign-jumps=1 should be tested beside
+-fliang-loops=1 to avoid passing unrecognized options to the Clang:
+
+ clang-14: error: optimization flag '-falign-jumps=1' is not supported [-Werror,-Wignored-optimization-argument]
+
+The -falign-functions=1 is supported by GCC 5.1.0/Clang 3.8.0. So, just
+add the option unconditionally.
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e372dcb0d4541ee9b9682cde088ec87a7b238ca2]
+Signed-off-by: Fangrui Song <maskray@google.com>
+Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ configure.ac | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9a12151bd..eeb5d2211 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -798,6 +798,8 @@ fi
+
+ # Force no alignment to save space on i386.
+ if test "x$target_cpu" = xi386; then
++ TARGET_CFLAGS="$TARGET_CFLAGS -falign-functions=1"
++
+ AC_CACHE_CHECK([whether -falign-loops works], [grub_cv_cc_falign_loop], [
+ CFLAGS="$TARGET_CFLAGS -falign-loops=1 -Werror"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+@@ -806,7 +808,18 @@ if test "x$target_cpu" = xi386; then
+ ])
+
+ if test "x$grub_cv_cc_falign_loop" = xyes; then
+- TARGET_CFLAGS="$TARGET_CFLAGS -falign-jumps=1 -falign-loops=1 -falign-functions=1"
++ TARGET_CFLAGS="$TARGET_CFLAGS -falign-loops=1"
++ fi
++
++ AC_CACHE_CHECK([whether -falign-jumps works], [grub_cv_cc_falign_jumps], [
++ CFLAGS="$TARGET_CFLAGS -falign-jumps=1 -Werror"
++ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
++ [grub_cv_cc_falign_jumps=yes],
++ [grub_cv_cc_falign_jumps=no])
++ ])
++
++ if test "x$grub_cv_cc_falign_jumps" = xyes; then
++ TARGET_CFLAGS="$TARGET_CFLAGS -falign-jumps=1"
+ fi
+ fi
+
+--
+2.37.3
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
deleted file mode 100644
index c507ed3ea8..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 15 Apr 2020 15:45:02 -0400
-Subject: yylex: Make lexer fatal errors actually be fatal
-
-When presented with a command that can't be tokenized to anything
-smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
-expecting that will stop further processing, as such:
-
- #define YY_DO_BEFORE_ACTION \
- yyg->yytext_ptr = yy_bp; \
- yyleng = (int) (yy_cp - yy_bp); \
- yyg->yy_hold_char = *yy_cp; \
- *yy_cp = '\0'; \
- if ( yyleng >= YYLMAX ) \
- YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
- yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
- yyg->yy_c_buf_p = yy_cp;
-
-The code flex generates expects that YY_FATAL_ERROR() will either return
-for it or do some form of longjmp(), or handle the error in some way at
-least, and so the strncpy() call isn't in an "else" clause, and thus if
-YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
-questionable limit, and predictable results ensue.
-
-Unfortunately, our implementation of YY_FATAL_ERROR() is:
-
- #define YY_FATAL_ERROR(msg) \
- do { \
- grub_printf (_("fatal error: %s\n"), _(msg)); \
- } while (0)
-
-The same pattern exists in yyless(), and similar problems exist in users
-of YY_INPUT(), several places in the main parsing loop,
-yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
-yy_scan_buffer(), etc.
-
-All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
-the things they do if it returns after calling it are wildly unsafe.
-
-Fixes: CVE-2020-10713
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
-CVE: CVE-2020-10713
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- grub-core/script/yylex.l | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
-index 7b44c37b7..b7203c823 100644
---- a/grub-core/script/yylex.l
-+++ b/grub-core/script/yylex.l
-@@ -37,11 +37,11 @@
-
- /*
- * As we don't have access to yyscanner, we cannot do much except to
-- * print the fatal error.
-+ * print the fatal error and exit.
- */
- #define YY_FATAL_ERROR(msg) \
- do { \
-- grub_printf (_("fatal error: %s\n"), _(msg)); \
-+ grub_fatal (_("fatal error: %s\n"), _(msg));\
- } while (0)
-
- #define COPY(str, hint) \
---
-cgit v1.2.1
-
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch b/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch
deleted file mode 100644
index 637e368cb0..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch
+++ /dev/null
@@ -1,1863 +0,0 @@
-From bcdd6a55952222ec9829a59348240a4f983b0b56 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 15 Jun 2020 12:26:01 -0400
-Subject: [PATCH 4/9] calloc: Use calloc() at most places
-
-This modifies most of the places we do some form of:
-
- X = malloc(Y * Z);
-
-to use calloc(Y, Z) instead.
-
-Among other issues, this fixes:
- - allocation of integer overflow in grub_png_decode_image_header()
- reported by Chris Coulson,
- - allocation of integer overflow in luks_recover_key()
- reported by Chris Coulson,
- - allocation of integer overflow in grub_lvm_detect()
- reported by Chris Coulson.
-
-Fixes: CVE-2020-14308
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport
-CVE: CVE-2020-14308
-
-Reference to upstream patch:
-https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f725fa7cb2ece547c5af01eeeecfe8d95802ed41
-
-[YL: don't patch on grub-core/lib/json/json.c, which is not existing in grub 2.04]
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- grub-core/bus/usb/usbhub.c | 8 ++++----
- grub-core/commands/efi/lsefisystab.c | 3 ++-
- grub-core/commands/legacycfg.c | 6 +++---
- grub-core/commands/menuentry.c | 2 +-
- grub-core/commands/nativedisk.c | 2 +-
- grub-core/commands/parttool.c | 12 +++++++++---
- grub-core/commands/regexp.c | 2 +-
- grub-core/commands/search_wrap.c | 2 +-
- grub-core/disk/diskfilter.c | 4 ++--
- grub-core/disk/ieee1275/ofdisk.c | 2 +-
- grub-core/disk/ldm.c | 14 +++++++-------
- grub-core/disk/luks.c | 2 +-
- grub-core/disk/lvm.c | 12 ++++++------
- grub-core/disk/xen/xendisk.c | 2 +-
- grub-core/efiemu/loadcore.c | 2 +-
- grub-core/efiemu/mm.c | 6 +++---
- grub-core/font/font.c | 3 +--
- grub-core/fs/affs.c | 6 +++---
- grub-core/fs/btrfs.c | 6 +++---
- grub-core/fs/hfs.c | 2 +-
- grub-core/fs/hfsplus.c | 6 +++---
- grub-core/fs/iso9660.c | 2 +-
- grub-core/fs/ntfs.c | 4 ++--
- grub-core/fs/sfs.c | 2 +-
- grub-core/fs/tar.c | 2 +-
- grub-core/fs/udf.c | 4 ++--
- grub-core/fs/zfs/zfs.c | 4 ++--
- grub-core/gfxmenu/gui_string_util.c | 2 +-
- grub-core/gfxmenu/widget-box.c | 4 ++--
- grub-core/io/gzio.c | 2 +-
- grub-core/kern/efi/efi.c | 6 +++---
- grub-core/kern/emu/hostdisk.c | 2 +-
- grub-core/kern/fs.c | 2 +-
- grub-core/kern/misc.c | 2 +-
- grub-core/kern/parser.c | 2 +-
- grub-core/kern/uboot/uboot.c | 2 +-
- grub-core/lib/libgcrypt/cipher/ac.c | 8 ++++----
- grub-core/lib/libgcrypt/cipher/primegen.c | 4 ++--
- grub-core/lib/libgcrypt/cipher/pubkey.c | 4 ++--
- grub-core/lib/priority_queue.c | 2 +-
- grub-core/lib/reed_solomon.c | 7 +++----
- grub-core/lib/relocator.c | 10 +++++-----
- grub-core/lib/zstd/fse_decompress.c | 2 +-
- grub-core/loader/arm/linux.c | 2 +-
- grub-core/loader/efi/chainloader.c | 2 +-
- grub-core/loader/i386/bsdXX.c | 2 +-
- grub-core/loader/i386/xnu.c | 4 ++--
- grub-core/loader/macho.c | 2 +-
- grub-core/loader/multiboot_elfxx.c | 2 +-
- grub-core/loader/xnu.c | 2 +-
- grub-core/mmap/mmap.c | 4 ++--
- grub-core/net/bootp.c | 2 +-
- grub-core/net/dns.c | 10 +++++-----
- grub-core/net/net.c | 4 ++--
- grub-core/normal/charset.c | 10 +++++-----
- grub-core/normal/cmdline.c | 14 +++++++-------
- grub-core/normal/menu_entry.c | 14 +++++++-------
- grub-core/normal/menu_text.c | 4 ++--
- grub-core/normal/term.c | 4 ++--
- grub-core/osdep/linux/getroot.c | 6 +++---
- grub-core/osdep/unix/config.c | 2 +-
- grub-core/osdep/windows/getroot.c | 2 +-
- grub-core/osdep/windows/hostdisk.c | 4 ++--
- grub-core/osdep/windows/init.c | 2 +-
- grub-core/osdep/windows/platform.c | 4 ++--
- grub-core/osdep/windows/relpath.c | 2 +-
- grub-core/partmap/gpt.c | 2 +-
- grub-core/partmap/msdos.c | 2 +-
- grub-core/script/execute.c | 2 +-
- grub-core/tests/fake_input.c | 2 +-
- grub-core/tests/video_checksum.c | 6 +++---
- grub-core/video/capture.c | 2 +-
- grub-core/video/emu/sdl.c | 2 +-
- grub-core/video/i386/pc/vga.c | 2 +-
- grub-core/video/readers/png.c | 2 +-
- include/grub/unicode.h | 4 ++--
- util/getroot.c | 2 +-
- util/grub-file.c | 2 +-
- util/grub-fstest.c | 4 ++--
- util/grub-install-common.c | 2 +-
- util/grub-install.c | 4 ++--
- util/grub-mkimagexx.c | 6 ++----
- util/grub-mkrescue.c | 4 ++--
- util/grub-mkstandalone.c | 2 +-
- util/grub-pe2elf.c | 12 +++++-------
- util/grub-probe.c | 4 ++--
- 86 files changed, 178 insertions(+), 177 deletions(-)
-
-diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
-index 34a7ff1..a06cce3 100644
---- a/grub-core/bus/usb/usbhub.c
-+++ b/grub-core/bus/usb/usbhub.c
-@@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
- grub_usb_set_configuration (dev, 1);
-
- dev->nports = hubdesc.portcnt;
-- dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
-- dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
-+ dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
-+ dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
- if (!dev->children || !dev->ports)
- {
- grub_free (dev->children);
-@@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d
-
- /* Query the number of ports the root Hub has. */
- hub->nports = controller->dev->hubports (controller);
-- hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
-- hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
-+ hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
-+ hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
- if (!hub->devices || !hub->ports)
- {
- grub_free (hub->devices);
-diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c
-index df10302..cd81507 100644
---- a/grub-core/commands/efi/lsefisystab.c
-+++ b/grub-core/commands/efi/lsefisystab.c
-@@ -71,7 +71,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
- grub_printf ("Vendor: ");
-
- for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
-- vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
-+ /* Allocate extra 3 bytes to simplify math. */
-+ vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
- if (!vendor)
- return grub_errno;
- *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,
-diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
-index db7a8f0..5e3ec0d 100644
---- a/grub-core/commands/legacycfg.c
-+++ b/grub-core/commands/legacycfg.c
-@@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
- if (argc < 2)
- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
-
-- cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
-+ cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
- if (!cutargs)
- return grub_errno;
- cutargc = argc - 1;
-@@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
- {
- char rbuf[3] = "-r";
- bsdargc = cutargc + 2;
-- bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
-+ bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
- if (!bsdargs)
- {
- err = grub_errno;
-@@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
- "module");
-
-- newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
-+ newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
- if (!newargs)
- return grub_errno;
- grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));
-diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
-index 2c5363d..9164df7 100644
---- a/grub-core/commands/menuentry.c
-+++ b/grub-core/commands/menuentry.c
-@@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
- goto fail;
-
- /* Save argc, args to pass as parameters to block arg later. */
-- menu_args = grub_malloc (sizeof (char*) * (argc + 1));
-+ menu_args = grub_calloc (argc + 1, sizeof (char *));
- if (! menu_args)
- goto fail;
-
-diff --git a/grub-core/commands/nativedisk.c b/grub-core/commands/nativedisk.c
-index 699447d..7c8f97f 100644
---- a/grub-core/commands/nativedisk.c
-+++ b/grub-core/commands/nativedisk.c
-@@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
- else
- path_prefix = prefix;
-
-- mods = grub_malloc (argc * sizeof (mods[0]));
-+ mods = grub_calloc (argc, sizeof (mods[0]));
- if (!mods)
- return grub_errno;
-
-diff --git a/grub-core/commands/parttool.c b/grub-core/commands/parttool.c
-index 22b46b1..051e313 100644
---- a/grub-core/commands/parttool.c
-+++ b/grub-core/commands/parttool.c
-@@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
- for (nargs = 0; args[nargs].name != 0; nargs++);
- cur->nargs = nargs;
- cur->args = (struct grub_parttool_argdesc *)
-- grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
-+ grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
-+ if (!cur->args)
-+ {
-+ grub_free (cur);
-+ curhandle--;
-+ return -1;
-+ }
- grub_memcpy (cur->args, args,
- (nargs + 1) * sizeof (struct grub_parttool_argdesc));
-
-@@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
- return err;
- }
-
-- parsed = (int *) grub_zalloc (argc * sizeof (int));
-+ parsed = (int *) grub_calloc (argc, sizeof (int));
-
- for (i = 1; i < argc; i++)
- if (! parsed[i])
-@@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
- }
- ptool = cur;
- pargs = (struct grub_parttool_args *)
-- grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
-+ grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
- for (j = i; j < argc; j++)
- if (! parsed[j])
- {
-diff --git a/grub-core/commands/regexp.c b/grub-core/commands/regexp.c
-index f00b184..4019164 100644
---- a/grub-core/commands/regexp.c
-+++ b/grub-core/commands/regexp.c
-@@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args)
- if (ret)
- goto fail;
-
-- matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1));
-+ matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches));
- if (! matches)
- goto fail;
-
-diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
-index d7fd26b..47fc8eb 100644
---- a/grub-core/commands/search_wrap.c
-+++ b/grub-core/commands/search_wrap.c
-@@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
- for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++)
- nhints++;
-
-- hints = grub_malloc (sizeof (hints[0]) * nhints);
-+ hints = grub_calloc (nhints, sizeof (hints[0]));
- if (!hints)
- return grub_errno;
- j = 0;
-diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
-index c3b578a..68ca9e0 100644
---- a/grub-core/disk/diskfilter.c
-+++ b/grub-core/disk/diskfilter.c
-@@ -1134,7 +1134,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
- array->lvs->segments->node_count = nmemb;
- array->lvs->segments->raid_member_size = disk_size;
- array->lvs->segments->nodes
-- = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0]));
-+ = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
- array->lvs->segments->stripe_size = stripe_size;
- for (i = 0; i < nmemb; i++)
- {
-@@ -1226,7 +1226,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
- grub_partition_t p;
- for (p = disk->partition; p; p = p->parent)
- s++;
-- pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0]));
-+ pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0]));
- s = 0;
- for (p = disk->partition; p; p = p->parent)
- pv->partmaps[s++] = xstrdup (p->partmap->name);
-diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
-index f73257e..03674cb 100644
---- a/grub-core/disk/ieee1275/ofdisk.c
-+++ b/grub-core/disk/ieee1275/ofdisk.c
-@@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
- /* Power machines documentation specify 672 as maximum SAS disks in
- one system. Using a slightly larger value to be safe. */
- table_size = 768;
-- table = grub_malloc (table_size * sizeof (grub_uint64_t));
-+ table = grub_calloc (table_size, sizeof (grub_uint64_t));
-
- if (!table)
- {
-diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
-index 2a22d2d..e632370 100644
---- a/grub-core/disk/ldm.c
-+++ b/grub-core/disk/ldm.c
-@@ -323,8 +323,8 @@ make_vg (grub_disk_t disk,
- lv->segments->type = GRUB_DISKFILTER_MIRROR;
- lv->segments->node_count = 0;
- lv->segments->node_alloc = 8;
-- lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes)
-- * lv->segments->node_alloc);
-+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
-+ sizeof (*lv->segments->nodes));
- if (!lv->segments->nodes)
- goto fail2;
- ptr = vblk[i].dynamic;
-@@ -543,8 +543,8 @@ make_vg (grub_disk_t disk,
- {
- comp->segment_alloc = 8;
- comp->segment_count = 0;
-- comp->segments = grub_malloc (sizeof (*comp->segments)
-- * comp->segment_alloc);
-+ comp->segments = grub_calloc (comp->segment_alloc,
-+ sizeof (*comp->segments));
- if (!comp->segments)
- goto fail2;
- }
-@@ -590,8 +590,8 @@ make_vg (grub_disk_t disk,
- }
- comp->segments->node_count = read_int (ptr + 1, *ptr);
- comp->segments->node_alloc = comp->segments->node_count;
-- comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes)
-- * comp->segments->node_alloc);
-+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
-+ sizeof (*comp->segments->nodes));
- if (!lv->segments->nodes)
- goto fail2;
- }
-@@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors,
- *nsectors = lv->size;
- if (*nsectors > max_nsectors)
- *nsectors = max_nsectors;
-- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
-+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
- if (!*sectors)
- return grub_errno;
- for (i = 0; i < *nsectors; i++)
-diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
-index 86c50c6..18b3a8b 100644
---- a/grub-core/disk/luks.c
-+++ b/grub-core/disk/luks.c
-@@ -336,7 +336,7 @@ luks_recover_key (grub_disk_t source,
- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
- max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
-
-- split_key = grub_malloc (keysize * max_stripes);
-+ split_key = grub_calloc (keysize, max_stripes);
- if (!split_key)
- return grub_errno;
-
-diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
-index dc6b83b..7b5fbbc 100644
---- a/grub-core/disk/lvm.c
-+++ b/grub-core/disk/lvm.c
-@@ -209,7 +209,7 @@ grub_lvm_detect (grub_disk_t disk,
- first one. */
-
- /* Allocate buffer space for the circular worst-case scenario. */
-- metadatabuf = grub_malloc (2 * mda_size);
-+ metadatabuf = grub_calloc (2, mda_size);
- if (! metadatabuf)
- goto fail;
-
-@@ -464,7 +464,7 @@ grub_lvm_detect (grub_disk_t disk,
- #endif
- goto lvs_fail;
- }
-- lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count);
-+ lv->segments = grub_calloc (lv->segment_count, sizeof (*seg));
- seg = lv->segments;
-
- for (i = 0; i < lv->segment_count; i++)
-@@ -521,8 +521,8 @@ grub_lvm_detect (grub_disk_t disk,
- if (seg->node_count != 1)
- seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
-
-- seg->nodes = grub_zalloc (sizeof (*stripe)
-- * seg->node_count);
-+ seg->nodes = grub_calloc (seg->node_count,
-+ sizeof (*stripe));
- stripe = seg->nodes;
-
- p = grub_strstr (p, "stripes = [");
-@@ -898,7 +898,7 @@ grub_lvm_detect (grub_disk_t disk,
- break;
- if (lv)
- {
-- cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
-+ cache->lv->segments = grub_calloc (lv->segment_count, sizeof (*lv->segments));
- if (!cache->lv->segments)
- {
- grub_lvm_free_cache_lvs (cache_lvs);
-@@ -911,7 +911,7 @@ grub_lvm_detect (grub_disk_t disk,
- struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
- grub_size_t node_count = lv->segments[i].node_count;
-
-- cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
-+ cache->lv->segments[i].nodes = grub_calloc (node_count, sizeof (*nodes));
- if (!cache->lv->segments[i].nodes)
- {
- for (j = 0; j < i; ++j)
-diff --git a/grub-core/disk/xen/xendisk.c b/grub-core/disk/xen/xendisk.c
-index 48476cb..d6612ee 100644
---- a/grub-core/disk/xen/xendisk.c
-+++ b/grub-core/disk/xen/xendisk.c
-@@ -426,7 +426,7 @@ grub_xendisk_init (void)
- if (!ctr)
- return;
-
-- virtdisks = grub_malloc (ctr * sizeof (virtdisks[0]));
-+ virtdisks = grub_calloc (ctr, sizeof (virtdisks[0]));
- if (!virtdisks)
- return;
- if (grub_xenstore_dir ("device/vbd", fill, &ctr))
-diff --git a/grub-core/efiemu/loadcore.c b/grub-core/efiemu/loadcore.c
-index 44085ef..2b92462 100644
---- a/grub-core/efiemu/loadcore.c
-+++ b/grub-core/efiemu/loadcore.c
-@@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e)
-
- grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize;
- grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *)
-- grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms);
-+ grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym));
-
- /* Relocators */
- for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);
-diff --git a/grub-core/efiemu/mm.c b/grub-core/efiemu/mm.c
-index 52a032f..9b8e0d0 100644
---- a/grub-core/efiemu/mm.c
-+++ b/grub-core/efiemu/mm.c
-@@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void)
- /* Initialize variables*/
- grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE);
- scanline_events = (struct grub_efiemu_mmap_scan *)
-- grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num);
-+ grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2);
-
- /* Number of chunks can't increase more than by factor of 2 */
- result = (grub_efi_memory_descriptor_t *)
-- grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num);
-+ grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2);
- if (!result || !scanline_events)
- {
- grub_free (result);
-@@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void)
-
- /* Preallocate mmap */
- efiemu_mmap = (grub_efi_memory_descriptor_t *)
-- grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t));
-+ grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t));
- if (!efiemu_mmap)
- {
- grub_efiemu_unload ();
-diff --git a/grub-core/font/font.c b/grub-core/font/font.c
-index 85a2925..8e118b3 100644
---- a/grub-core/font/font.c
-+++ b/grub-core/font/font.c
-@@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
- font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE;
-
- /* Allocate the character index array. */
-- font->char_index = grub_malloc (font->num_chars
-- * sizeof (struct char_index_entry));
-+ font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry));
- if (!font->char_index)
- return 1;
- font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
-diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
-index 6b6a2bc..220b371 100644
---- a/grub-core/fs/affs.c
-+++ b/grub-core/fs/affs.c
-@@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node)
- return 0;
- }
- latin1[symlink_size] = 0;
-- utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1);
-+ utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size);
- if (!utf8)
- {
- grub_free (latin1);
-@@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
- return 1;
- }
-
-- hashtable = grub_zalloc (data->htsize * sizeof (*hashtable));
-+ hashtable = grub_calloc (data->htsize, sizeof (*hashtable));
- if (!hashtable)
- return 1;
-
-@@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label)
- len = file.namelen;
- if (len > sizeof (file.name))
- len = sizeof (file.name);
-- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
-+ *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len);
- if (*label)
- *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';
- }
-diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
-index 48bd3d0..11272ef 100644
---- a/grub-core/fs/btrfs.c
-+++ b/grub-core/fs/btrfs.c
-@@ -413,7 +413,7 @@ lower_bound (struct grub_btrfs_data *data,
- {
- desc->allocated = 16;
- desc->depth = 0;
-- desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated);
-+ desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0]));
- if (!desc->data)
- return grub_errno;
- }
-@@ -752,7 +752,7 @@ raid56_read_retry (struct grub_btrfs_data *data,
- grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY;
- grub_uint64_t i, failed_devices;
-
-- buffers = grub_zalloc (sizeof(*buffers) * nstripes);
-+ buffers = grub_calloc (nstripes, sizeof (*buffers));
- if (!buffers)
- goto cleanup;
-
-@@ -2160,7 +2160,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)),
- *nsectors = 64 * 2 - 1;
- if (*nsectors > max_nsectors)
- *nsectors = max_nsectors;
-- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
-+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
- if (!*sectors)
- return grub_errno;
- for (i = 0; i < *nsectors; i++)
-diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
-index ac0a409..3fe842b 100644
---- a/grub-core/fs/hfs.c
-+++ b/grub-core/fs/hfs.c
-@@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label)
- grub_size_t len = data->sblock.volname[0];
- if (len > sizeof (data->sblock.volname) - 1)
- len = sizeof (data->sblock.volname) - 1;
-- *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
-+ *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len);
- if (*label)
- macroman_to_utf8 (*label, data->sblock.volname + 1,
- len + 1, 0);
-diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
-index 54786bb..dae43be 100644
---- a/grub-core/fs/hfsplus.c
-+++ b/grub-core/fs/hfsplus.c
-@@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg)
- if (! filename)
- return 0;
-
-- keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname));
-+ keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname));
- if (!keyname)
- {
- grub_free (filename);
-@@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
- grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
-
- label_len = grub_be_to_cpu16 (catkey->namelen);
-- label_name = grub_malloc (label_len * sizeof (*label_name));
-+ label_name = grub_calloc (label_len, sizeof (*label_name));
- if (!label_name)
- {
- grub_free (node);
-@@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
- }
- }
-
-- *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1);
-+ *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1);
- if (! *label)
- {
- grub_free (label_name);
-diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
-index 49c0c63..4f1b52a 100644
---- a/grub-core/fs/iso9660.c
-+++ b/grub-core/fs/iso9660.c
-@@ -331,7 +331,7 @@ grub_iso9660_convert_string (grub_uint8_t *us, int len)
- int i;
- grub_uint16_t t[MAX_NAMELEN / 2 + 1];
-
-- p = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
-+ p = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
- if (! p)
- return NULL;
-
-diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
-index fc4e1f6..2f34f76 100644
---- a/grub-core/fs/ntfs.c
-+++ b/grub-core/fs/ntfs.c
-@@ -556,8 +556,8 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
- grub_uint16_t *tmp;
- grub_size_t i;
-
-- buf = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
-- tmp = grub_malloc (len * sizeof (tmp[0]));
-+ buf = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
-+ tmp = grub_calloc (len, sizeof (tmp[0]));
- if (!buf || !tmp)
- {
- grub_free (buf);
-diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
-index 50c1fe7..90f7fb3 100644
---- a/grub-core/fs/sfs.c
-+++ b/grub-core/fs/sfs.c
-@@ -266,7 +266,7 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
- node->next_extent = node->block;
- node->cache_size = 0;
-
-- node->cache = grub_malloc (sizeof (node->cache[0]) * cache_size);
-+ node->cache = grub_calloc (cache_size, sizeof (node->cache[0]));
- if (!node->cache)
- {
- grub_errno = 0;
-diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
-index 7d63e0c..c551ed6 100644
---- a/grub-core/fs/tar.c
-+++ b/grub-core/fs/tar.c
-@@ -120,7 +120,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
- if (data->linkname_alloc < linksize + 1)
- {
- char *n;
-- n = grub_malloc (2 * (linksize + 1));
-+ n = grub_calloc (2, linksize + 1);
- if (!n)
- return grub_errno;
- grub_free (data->linkname);
-diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
-index dc8b6e2..a837616 100644
---- a/grub-core/fs/udf.c
-+++ b/grub-core/fs/udf.c
-@@ -873,7 +873,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
- {
- unsigned i;
- utf16len = sz - 1;
-- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
-+ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
- if (!utf16)
- return NULL;
- for (i = 0; i < utf16len; i++)
-@@ -883,7 +883,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
- {
- unsigned i;
- utf16len = (sz - 1) / 2;
-- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
-+ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
- if (!utf16)
- return NULL;
- for (i = 0; i < utf16len; i++)
-diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
-index 2f72e42..381dde5 100644
---- a/grub-core/fs/zfs/zfs.c
-+++ b/grub-core/fs/zfs/zfs.c
-@@ -3325,7 +3325,7 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol,
- }
- subvol->nkeys = 0;
- zap_iterate (&keychain_dn, 8, count_zap_keys, &ctx, data);
-- subvol->keyring = grub_zalloc (subvol->nkeys * sizeof (subvol->keyring[0]));
-+ subvol->keyring = grub_calloc (subvol->nkeys, sizeof (subvol->keyring[0]));
- if (!subvol->keyring)
- {
- grub_free (fsname);
-@@ -4336,7 +4336,7 @@ grub_zfs_embed (grub_device_t device __attribute__ ((unused)),
- *nsectors = (VDEV_BOOT_SIZE >> GRUB_DISK_SECTOR_BITS);
- if (*nsectors > max_nsectors)
- *nsectors = max_nsectors;
-- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
-+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
- if (!*sectors)
- return grub_errno;
- for (i = 0; i < *nsectors; i++)
-diff --git a/grub-core/gfxmenu/gui_string_util.c b/grub-core/gfxmenu/gui_string_util.c
-index a9a415e..ba1e1ea 100644
---- a/grub-core/gfxmenu/gui_string_util.c
-+++ b/grub-core/gfxmenu/gui_string_util.c
-@@ -55,7 +55,7 @@ canonicalize_path (const char *path)
- if (*p == '/')
- components++;
-
-- char **path_array = grub_malloc (components * sizeof (*path_array));
-+ char **path_array = grub_calloc (components, sizeof (*path_array));
- if (! path_array)
- return 0;
-
-diff --git a/grub-core/gfxmenu/widget-box.c b/grub-core/gfxmenu/widget-box.c
-index b606028..470597d 100644
---- a/grub-core/gfxmenu/widget-box.c
-+++ b/grub-core/gfxmenu/widget-box.c
-@@ -303,10 +303,10 @@ grub_gfxmenu_create_box (const char *pixmaps_prefix,
- box->content_height = 0;
- box->raw_pixmaps =
- (struct grub_video_bitmap **)
-- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
-+ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
- box->scaled_pixmaps =
- (struct grub_video_bitmap **)
-- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
-+ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
-
- /* Initialize all pixmap pointers to NULL so that proper destruction can
- be performed if an error is encountered partway through construction. */
-diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
-index 6208a97..43d98a7 100644
---- a/grub-core/io/gzio.c
-+++ b/grub-core/io/gzio.c
-@@ -554,7 +554,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
- z = 1 << j; /* table entries for j-bit table */
-
- /* allocate and link in new table */
-- q = (struct huft *) grub_zalloc ((z + 1) * sizeof (struct huft));
-+ q = (struct huft *) grub_calloc (z + 1, sizeof (struct huft));
- if (! q)
- {
- if (h)
-diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
-index 6e1ceb9..dc31caa 100644
---- a/grub-core/kern/efi/efi.c
-+++ b/grub-core/kern/efi/efi.c
-@@ -202,7 +202,7 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid,
-
- len = grub_strlen (var);
- len16 = len * GRUB_MAX_UTF16_PER_UTF8;
-- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
-+ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
- if (!var16)
- return grub_errno;
- len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
-@@ -237,7 +237,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
-
- len = grub_strlen (var);
- len16 = len * GRUB_MAX_UTF16_PER_UTF8;
-- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
-+ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
- if (!var16)
- return NULL;
- len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
-@@ -383,7 +383,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
- while (len > 0 && fp->path_name[len - 1] == 0)
- len--;
-
-- dup_name = grub_malloc (len * sizeof (*dup_name));
-+ dup_name = grub_calloc (len, sizeof (*dup_name));
- if (!dup_name)
- {
- grub_free (name);
-diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c
-index e9ec680..d975265 100644
---- a/grub-core/kern/emu/hostdisk.c
-+++ b/grub-core/kern/emu/hostdisk.c
-@@ -615,7 +615,7 @@ static char *
- grub_util_path_concat_real (size_t n, int ext, va_list ap)
- {
- size_t totlen = 0;
-- char **l = xmalloc ((n + ext) * sizeof (l[0]));
-+ char **l = xcalloc (n + ext, sizeof (l[0]));
- char *r, *p, *pi;
- size_t i;
- int first = 1;
-diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
-index 2b85f49..f90be65 100644
---- a/grub-core/kern/fs.c
-+++ b/grub-core/kern/fs.c
-@@ -151,7 +151,7 @@ grub_fs_blocklist_open (grub_file_t file, const char *name)
- while (p);
-
- /* Allocate a block list. */
-- blocks = grub_zalloc (sizeof (struct grub_fs_block) * (num + 1));
-+ blocks = grub_calloc (num + 1, sizeof (struct grub_fs_block));
- if (! blocks)
- return 0;
-
-diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
-index 3b633d5..a7abd36 100644
---- a/grub-core/kern/misc.c
-+++ b/grub-core/kern/misc.c
-@@ -690,7 +690,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args,
- args->ptr = args->prealloc;
- else
- {
-- args->ptr = grub_malloc (args->count * sizeof (args->ptr[0]));
-+ args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
- if (!args->ptr)
- {
- grub_errno = GRUB_ERR_NONE;
-diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
-index 78175aa..619db31 100644
---- a/grub-core/kern/parser.c
-+++ b/grub-core/kern/parser.c
-@@ -213,7 +213,7 @@ grub_parser_split_cmdline (const char *cmdline,
- return grub_errno;
- grub_memcpy (args, buffer, bp - buffer);
-
-- *argv = grub_malloc (sizeof (char *) * (*argc + 1));
-+ *argv = grub_calloc (*argc + 1, sizeof (char *));
- if (!*argv)
- {
- grub_free (args);
-diff --git a/grub-core/kern/uboot/uboot.c b/grub-core/kern/uboot/uboot.c
-index be4816f..aac8f9a 100644
---- a/grub-core/kern/uboot/uboot.c
-+++ b/grub-core/kern/uboot/uboot.c
-@@ -133,7 +133,7 @@ grub_uboot_dev_enum (void)
- return num_devices;
-
- max_devices = 2;
-- enum_devices = grub_malloc (sizeof(struct device_info) * max_devices);
-+ enum_devices = grub_calloc (max_devices, sizeof(struct device_info));
- if (!enum_devices)
- return 0;
-
-diff --git a/grub-core/lib/libgcrypt/cipher/ac.c b/grub-core/lib/libgcrypt/cipher/ac.c
-index f5e946a..63f6fcd 100644
---- a/grub-core/lib/libgcrypt/cipher/ac.c
-+++ b/grub-core/lib/libgcrypt/cipher/ac.c
-@@ -185,7 +185,7 @@ ac_data_mpi_copy (gcry_ac_mpi_t *data_mpis, unsigned int data_mpis_n,
- gcry_mpi_t mpi;
- char *label;
-
-- data_mpis_new = gcry_malloc (sizeof (*data_mpis_new) * data_mpis_n);
-+ data_mpis_new = gcry_calloc (data_mpis_n, sizeof (*data_mpis_new));
- if (! data_mpis_new)
- {
- err = gcry_error_from_errno (errno);
-@@ -572,7 +572,7 @@ _gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp,
- }
-
- /* Add MPI list. */
-- arg_list = gcry_malloc (sizeof (*arg_list) * (data_n + 1));
-+ arg_list = gcry_calloc (data_n + 1, sizeof (*arg_list));
- if (! arg_list)
- {
- err = gcry_error_from_errno (errno);
-@@ -1283,7 +1283,7 @@ ac_data_construct (const char *identifier, int include_flags,
- /* We build a list of arguments to pass to
- gcry_sexp_build_array(). */
- data_length = _gcry_ac_data_length (data);
-- arg_list = gcry_malloc (sizeof (*arg_list) * (data_length * 2));
-+ arg_list = gcry_calloc (data_length, sizeof (*arg_list) * 2);
- if (! arg_list)
- {
- err = gcry_error_from_errno (errno);
-@@ -1593,7 +1593,7 @@ _gcry_ac_key_pair_generate (gcry_ac_handle_t handle, unsigned int nbits,
- arg_list_n += 2;
-
- /* Allocate list. */
-- arg_list = gcry_malloc (sizeof (*arg_list) * arg_list_n);
-+ arg_list = gcry_calloc (arg_list_n, sizeof (*arg_list));
- if (! arg_list)
- {
- err = gcry_error_from_errno (errno);
-diff --git a/grub-core/lib/libgcrypt/cipher/primegen.c b/grub-core/lib/libgcrypt/cipher/primegen.c
-index 2788e34..b12e79b 100644
---- a/grub-core/lib/libgcrypt/cipher/primegen.c
-+++ b/grub-core/lib/libgcrypt/cipher/primegen.c
-@@ -383,7 +383,7 @@ prime_generate_internal (int need_q_factor,
- }
-
- /* Allocate an array to track pool usage. */
-- pool_in_use = gcry_malloc (n * sizeof *pool_in_use);
-+ pool_in_use = gcry_calloc (n, sizeof *pool_in_use);
- if (!pool_in_use)
- {
- err = gpg_err_code_from_errno (errno);
-@@ -765,7 +765,7 @@ gen_prime (unsigned int nbits, int secret, int randomlevel,
- if (nbits < 16)
- log_fatal ("can't generate a prime with less than %d bits\n", 16);
-
-- mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods );
-+ mods = gcry_xcalloc( no_of_small_prime_numbers, sizeof *mods);
- /* Make nbits fit into gcry_mpi_t implementation. */
- val_2 = mpi_alloc_set_ui( 2 );
- val_3 = mpi_alloc_set_ui( 3);
-diff --git a/grub-core/lib/libgcrypt/cipher/pubkey.c b/grub-core/lib/libgcrypt/cipher/pubkey.c
-index 9109821..ca087ad 100644
---- a/grub-core/lib/libgcrypt/cipher/pubkey.c
-+++ b/grub-core/lib/libgcrypt/cipher/pubkey.c
-@@ -2941,7 +2941,7 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t s_pkey)
- * array to a format string, so we have to do it this way :-(. */
- /* FIXME: There is now such a format specifier, so we can
- change the code to be more clear. */
-- arg_list = malloc (nelem * sizeof *arg_list);
-+ arg_list = calloc (nelem, sizeof *arg_list);
- if (!arg_list)
- {
- rc = gpg_err_code_from_syserror ();
-@@ -3233,7 +3233,7 @@ gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey)
- }
- strcpy (p, "))");
-
-- arg_list = malloc (nelem * sizeof *arg_list);
-+ arg_list = calloc (nelem, sizeof *arg_list);
- if (!arg_list)
- {
- rc = gpg_err_code_from_syserror ();
-diff --git a/grub-core/lib/priority_queue.c b/grub-core/lib/priority_queue.c
-index 659be0b..7d5e7c0 100644
---- a/grub-core/lib/priority_queue.c
-+++ b/grub-core/lib/priority_queue.c
-@@ -92,7 +92,7 @@ grub_priority_queue_new (grub_size_t elsize,
- {
- struct grub_priority_queue *ret;
- void *els;
-- els = grub_malloc (elsize * 8);
-+ els = grub_calloc (8, elsize);
- if (!els)
- return 0;
- ret = (struct grub_priority_queue *) grub_malloc (sizeof (*ret));
-diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c
-index ee9fa7b..467305b 100644
---- a/grub-core/lib/reed_solomon.c
-+++ b/grub-core/lib/reed_solomon.c
-@@ -20,6 +20,7 @@
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
-+#define xcalloc calloc
- #define xmalloc malloc
- #define grub_memset memset
- #define grub_memcpy memcpy
-@@ -158,11 +159,9 @@ rs_encode (gf_single_t *data, grub_size_t s, grub_size_t rs)
- gf_single_t *rs_polynomial;
- int i, j;
- gf_single_t *m;
-- m = xmalloc ((s + rs) * sizeof (gf_single_t));
-+ m = xcalloc (s + rs, sizeof (gf_single_t));
- grub_memcpy (m, data, s * sizeof (gf_single_t));
-- grub_memset (m + s, 0, rs * sizeof (gf_single_t));
-- rs_polynomial = xmalloc ((rs + 1) * sizeof (gf_single_t));
-- grub_memset (rs_polynomial, 0, (rs + 1) * sizeof (gf_single_t));
-+ rs_polynomial = xcalloc (rs + 1, sizeof (gf_single_t));
- rs_polynomial[rs] = 1;
- /* Multiply with X - a^r */
- for (j = 0; j < rs; j++)
-diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
-index ea3ebc7..5847aac 100644
---- a/grub-core/lib/relocator.c
-+++ b/grub-core/lib/relocator.c
-@@ -495,9 +495,9 @@ malloc_in_range (struct grub_relocator *rel,
- }
- #endif
-
-- eventt = grub_malloc (maxevents * sizeof (events[0]));
-+ eventt = grub_calloc (maxevents, sizeof (events[0]));
- counter = grub_malloc ((DIGITSORT_MASK + 2) * sizeof (counter[0]));
-- events = grub_malloc (maxevents * sizeof (events[0]));
-+ events = grub_calloc (maxevents, sizeof (events[0]));
- if (!events || !eventt || !counter)
- {
- grub_dprintf ("relocator", "events or counter allocation failed %d\n",
-@@ -963,7 +963,7 @@ malloc_in_range (struct grub_relocator *rel,
- #endif
- unsigned cural = 0;
- int oom = 0;
-- res->subchunks = grub_malloc (sizeof (res->subchunks[0]) * nallocs);
-+ res->subchunks = grub_calloc (nallocs, sizeof (res->subchunks[0]));
- if (!res->subchunks)
- oom = 1;
- res->nsubchunks = nallocs;
-@@ -1562,8 +1562,8 @@ grub_relocator_prepare_relocs (struct grub_relocator *rel, grub_addr_t addr,
- count[(chunk->src & 0xff) + 1]++;
- }
- }
-- from = grub_malloc (nchunks * sizeof (sorted[0]));
-- to = grub_malloc (nchunks * sizeof (sorted[0]));
-+ from = grub_calloc (nchunks, sizeof (sorted[0]));
-+ to = grub_calloc (nchunks, sizeof (sorted[0]));
- if (!from || !to)
- {
- grub_free (from);
-diff --git a/grub-core/lib/zstd/fse_decompress.c b/grub-core/lib/zstd/fse_decompress.c
-index 72bbead..2227b84 100644
---- a/grub-core/lib/zstd/fse_decompress.c
-+++ b/grub-core/lib/zstd/fse_decompress.c
-@@ -82,7 +82,7 @@
- FSE_DTable* FSE_createDTable (unsigned tableLog)
- {
- if (tableLog > FSE_TABLELOG_ABSOLUTE_MAX) tableLog = FSE_TABLELOG_ABSOLUTE_MAX;
-- return (FSE_DTable*)malloc( FSE_DTABLE_SIZE_U32(tableLog) * sizeof (U32) );
-+ return (FSE_DTable*)calloc( FSE_DTABLE_SIZE_U32(tableLog), sizeof (U32) );
- }
-
- void FSE_freeDTable (FSE_DTable* dt)
-diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
-index 5168491..d70c174 100644
---- a/grub-core/loader/arm/linux.c
-+++ b/grub-core/loader/arm/linux.c
-@@ -78,7 +78,7 @@ linux_prepare_atag (void *target_atag)
-
- /* some place for cmdline, initrd and terminator. */
- tmp_size = get_atag_size (atag_orig) + 20 + (arg_size) / 4;
-- tmp_atag = grub_malloc (tmp_size * sizeof (grub_uint32_t));
-+ tmp_atag = grub_calloc (tmp_size, sizeof (grub_uint32_t));
- if (!tmp_atag)
- return grub_errno;
-
-diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
-index cd92ea3..daf8c6b 100644
---- a/grub-core/loader/efi/chainloader.c
-+++ b/grub-core/loader/efi/chainloader.c
-@@ -116,7 +116,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
- fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE;
- fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE;
-
-- path_name = grub_malloc (len * GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
-+ path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
- if (!path_name)
- return;
-
-diff --git a/grub-core/loader/i386/bsdXX.c b/grub-core/loader/i386/bsdXX.c
-index af6741d..a8d8bf7 100644
---- a/grub-core/loader/i386/bsdXX.c
-+++ b/grub-core/loader/i386/bsdXX.c
-@@ -48,7 +48,7 @@ read_headers (grub_file_t file, const char *filename, Elf_Ehdr *e, char **shdr)
- if (e->e_ident[EI_CLASS] != SUFFIX (ELFCLASS))
- return grub_error (GRUB_ERR_BAD_OS, N_("invalid arch-dependent ELF magic"));
-
-- *shdr = grub_malloc ((grub_uint32_t) e->e_shnum * e->e_shentsize);
-+ *shdr = grub_calloc (e->e_shnum, e->e_shentsize);
- if (! *shdr)
- return grub_errno;
-
-diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
-index e64ed08..b7d176b 100644
---- a/grub-core/loader/i386/xnu.c
-+++ b/grub-core/loader/i386/xnu.c
-@@ -295,7 +295,7 @@ grub_xnu_devprop_add_property_utf8 (struct grub_xnu_devprop_device_descriptor *d
- return grub_errno;
-
- len = grub_strlen (name);
-- utf16 = grub_malloc (sizeof (grub_uint16_t) * len);
-+ utf16 = grub_calloc (len, sizeof (grub_uint16_t));
- if (!utf16)
- {
- grub_free (utf8);
-@@ -331,7 +331,7 @@ grub_xnu_devprop_add_property_utf16 (struct grub_xnu_devprop_device_descriptor *
- grub_uint16_t *utf16;
- grub_err_t err;
-
-- utf16 = grub_malloc (sizeof (grub_uint16_t) * namelen);
-+ utf16 = grub_calloc (namelen, sizeof (grub_uint16_t));
- if (!utf16)
- return grub_errno;
- grub_memcpy (utf16, name, sizeof (grub_uint16_t) * namelen);
-diff --git a/grub-core/loader/macho.c b/grub-core/loader/macho.c
-index 085f9c6..05710c4 100644
---- a/grub-core/loader/macho.c
-+++ b/grub-core/loader/macho.c
-@@ -97,7 +97,7 @@ grub_macho_file (grub_file_t file, const char *filename, int is_64bit)
- if (grub_file_seek (macho->file, sizeof (struct grub_macho_fat_header))
- == (grub_off_t) -1)
- goto fail;
-- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
-+ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
- if (!archs)
- goto fail;
- if (grub_file_read (macho->file, archs,
-diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
-index 70cd1db..cc68536 100644
---- a/grub-core/loader/multiboot_elfxx.c
-+++ b/grub-core/loader/multiboot_elfxx.c
-@@ -217,7 +217,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
- {
- grub_uint8_t *shdr, *shdrptr;
-
-- shdr = grub_malloc ((grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize);
-+ shdr = grub_calloc (ehdr->e_shnum, ehdr->e_shentsize);
- if (!shdr)
- return grub_errno;
-
-diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
-index 7f74d1d..77d7060 100644
---- a/grub-core/loader/xnu.c
-+++ b/grub-core/loader/xnu.c
-@@ -800,7 +800,7 @@ grub_cmd_xnu_mkext (grub_command_t cmd __attribute__ ((unused)),
- if (grub_be_to_cpu32 (head.magic) == GRUB_MACHO_FAT_MAGIC)
- {
- narchs = grub_be_to_cpu32 (head.nfat_arch);
-- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
-+ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
- if (! archs)
- {
- grub_file_close (file);
-diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
-index 6a31cba..57b4e9a 100644
---- a/grub-core/mmap/mmap.c
-+++ b/grub-core/mmap/mmap.c
-@@ -143,9 +143,9 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
-
- /* Initialize variables. */
- ctx.scanline_events = (struct grub_mmap_scan *)
-- grub_malloc (sizeof (struct grub_mmap_scan) * 2 * mmap_num);
-+ grub_calloc (mmap_num, sizeof (struct grub_mmap_scan) * 2);
-
-- present = grub_zalloc (sizeof (present[0]) * current_priority);
-+ present = grub_calloc (current_priority, sizeof (present[0]));
-
- if (! ctx.scanline_events || !present)
- {
-diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
-index 04cfbb0..6539572 100644
---- a/grub-core/net/bootp.c
-+++ b/grub-core/net/bootp.c
-@@ -766,7 +766,7 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)),
- if (ncards == 0)
- return grub_error (GRUB_ERR_NET_NO_CARD, N_("no network card found"));
-
-- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
-+ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
- if (!ifaces)
- return grub_errno;
-
-diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
-index 5d9afe0..e332d5e 100644
---- a/grub-core/net/dns.c
-+++ b/grub-core/net/dns.c
-@@ -285,8 +285,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
- ptr++;
- ptr += 4;
- }
-- *data->addresses = grub_malloc (sizeof ((*data->addresses)[0])
-- * grub_be_to_cpu16 (head->ancount));
-+ *data->addresses = grub_calloc (grub_be_to_cpu16 (head->ancount),
-+ sizeof ((*data->addresses)[0]));
- if (!*data->addresses)
- {
- grub_errno = GRUB_ERR_NONE;
-@@ -406,8 +406,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
- dns_cache[h].addresses = 0;
- dns_cache[h].name = grub_strdup (data->oname);
- dns_cache[h].naddresses = *data->naddresses;
-- dns_cache[h].addresses = grub_malloc (*data->naddresses
-- * sizeof (dns_cache[h].addresses[0]));
-+ dns_cache[h].addresses = grub_calloc (*data->naddresses,
-+ sizeof (dns_cache[h].addresses[0]));
- dns_cache[h].limit_time = grub_get_time_ms () + 1000 * ttl_all;
- if (!dns_cache[h].addresses || !dns_cache[h].name)
- {
-@@ -479,7 +479,7 @@ grub_net_dns_lookup (const char *name,
- }
- }
-
-- sockets = grub_malloc (sizeof (sockets[0]) * n_servers);
-+ sockets = grub_calloc (n_servers, sizeof (sockets[0]));
- if (!sockets)
- return grub_errno;
-
-diff --git a/grub-core/net/net.c b/grub-core/net/net.c
-index d5d726a..38f19df 100644
---- a/grub-core/net/net.c
-+++ b/grub-core/net/net.c
-@@ -333,8 +333,8 @@ grub_cmd_ipv6_autoconf (struct grub_command *cmd __attribute__ ((unused)),
- ncards++;
- }
-
-- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
-- slaacs = grub_zalloc (ncards * sizeof (slaacs[0]));
-+ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
-+ slaacs = grub_calloc (ncards, sizeof (slaacs[0]));
- if (!ifaces || !slaacs)
- {
- grub_free (ifaces);
-diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
-index b0ab47d..d57fb72 100644
---- a/grub-core/normal/charset.c
-+++ b/grub-core/normal/charset.c
-@@ -203,7 +203,7 @@ grub_utf8_to_ucs4_alloc (const char *msg, grub_uint32_t **unicode_msg,
- {
- grub_size_t msg_len = grub_strlen (msg);
-
-- *unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
-+ *unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
-
- if (!*unicode_msg)
- return -1;
-@@ -488,7 +488,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
- }
- else
- {
-- n = grub_malloc (sizeof (n[0]) * (out->ncomb + 1));
-+ n = grub_calloc (out->ncomb + 1, sizeof (n[0]));
- if (!n)
- {
- grub_errno = GRUB_ERR_NONE;
-@@ -842,7 +842,7 @@ grub_bidi_line_logical_to_visual (const grub_uint32_t *logical,
- } \
- }
-
-- visual = grub_malloc (sizeof (visual[0]) * logical_len);
-+ visual = grub_calloc (logical_len, sizeof (visual[0]));
- if (!visual)
- return -1;
-
-@@ -1165,8 +1165,8 @@ grub_bidi_logical_to_visual (const grub_uint32_t *logical,
- {
- const grub_uint32_t *line_start = logical, *ptr;
- struct grub_unicode_glyph *visual_ptr;
-- *visual_out = visual_ptr = grub_malloc (3 * sizeof (visual_ptr[0])
-- * (logical_len + 2));
-+ *visual_out = visual_ptr = grub_calloc (logical_len + 2,
-+ 3 * sizeof (visual_ptr[0]));
- if (!visual_ptr)
- return -1;
- for (ptr = logical; ptr <= logical + logical_len; ptr++)
-diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
-index c037d50..c57242e 100644
---- a/grub-core/normal/cmdline.c
-+++ b/grub-core/normal/cmdline.c
-@@ -41,7 +41,7 @@ grub_err_t
- grub_set_history (int newsize)
- {
- grub_uint32_t **old_hist_lines = hist_lines;
-- hist_lines = grub_malloc (sizeof (grub_uint32_t *) * newsize);
-+ hist_lines = grub_calloc (newsize, sizeof (grub_uint32_t *));
-
- /* Copy the old lines into the new buffer. */
- if (old_hist_lines)
-@@ -114,7 +114,7 @@ static void
- grub_history_set (int pos, grub_uint32_t *s, grub_size_t len)
- {
- grub_free (hist_lines[pos]);
-- hist_lines[pos] = grub_malloc ((len + 1) * sizeof (grub_uint32_t));
-+ hist_lines[pos] = grub_calloc (len + 1, sizeof (grub_uint32_t));
- if (!hist_lines[pos])
- {
- grub_print_error ();
-@@ -349,7 +349,7 @@ grub_cmdline_get (const char *prompt_translated)
- char *ret;
- unsigned nterms;
-
-- buf = grub_malloc (max_len * sizeof (grub_uint32_t));
-+ buf = grub_calloc (max_len, sizeof (grub_uint32_t));
- if (!buf)
- return 0;
-
-@@ -377,7 +377,7 @@ grub_cmdline_get (const char *prompt_translated)
- FOR_ACTIVE_TERM_OUTPUTS(cur)
- nterms++;
-
-- cl_terms = grub_malloc (sizeof (cl_terms[0]) * nterms);
-+ cl_terms = grub_calloc (nterms, sizeof (cl_terms[0]));
- if (!cl_terms)
- {
- grub_free (buf);
-@@ -385,7 +385,7 @@ grub_cmdline_get (const char *prompt_translated)
- }
- cl_term_cur = cl_terms;
-
-- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
-+ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
- if (!unicode_msg)
- {
- grub_free (buf);
-@@ -495,7 +495,7 @@ grub_cmdline_get (const char *prompt_translated)
- grub_uint32_t *insert;
-
- insertlen = grub_strlen (insertu8);
-- insert = grub_malloc ((insertlen + 1) * sizeof (grub_uint32_t));
-+ insert = grub_calloc (insertlen + 1, sizeof (grub_uint32_t));
- if (!insert)
- {
- grub_free (insertu8);
-@@ -602,7 +602,7 @@ grub_cmdline_get (const char *prompt_translated)
-
- grub_free (kill_buf);
-
-- kill_buf = grub_malloc ((n + 1) * sizeof(grub_uint32_t));
-+ kill_buf = grub_calloc (n + 1, sizeof (grub_uint32_t));
- if (grub_errno)
- {
- grub_print_error ();
-diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
-index cdf3590..1993995 100644
---- a/grub-core/normal/menu_entry.c
-+++ b/grub-core/normal/menu_entry.c
-@@ -95,8 +95,8 @@ init_line (struct screen *screen, struct line *linep)
- {
- linep->len = 0;
- linep->max_len = 80;
-- linep->buf = grub_malloc ((linep->max_len + 1) * sizeof (linep->buf[0]));
-- linep->pos = grub_zalloc (screen->nterms * sizeof (linep->pos[0]));
-+ linep->buf = grub_calloc (linep->max_len + 1, sizeof (linep->buf[0]));
-+ linep->pos = grub_calloc (screen->nterms, sizeof (linep->pos[0]));
- if (! linep->buf || !linep->pos)
- {
- grub_free (linep->buf);
-@@ -287,7 +287,7 @@ update_screen (struct screen *screen, struct per_term_screen *term_screen,
- pos = linep->pos + (term_screen - screen->terms);
-
- if (!*pos)
-- *pos = grub_zalloc ((linep->len + 1) * sizeof (**pos));
-+ *pos = grub_calloc (linep->len + 1, sizeof (**pos));
-
- if (i == region_start || linep == screen->lines + screen->line
- || (i > region_start && mode == ALL_LINES))
-@@ -471,7 +471,7 @@ insert_string (struct screen *screen, const char *s, int update)
-
- /* Insert the string. */
- current_linep = screen->lines + screen->line;
-- unicode_msg = grub_malloc ((p - s) * sizeof (grub_uint32_t));
-+ unicode_msg = grub_calloc (p - s, sizeof (grub_uint32_t));
-
- if (!unicode_msg)
- return 0;
-@@ -1023,7 +1023,7 @@ complete (struct screen *screen, int continuous, int update)
- if (completion_buffer.buf)
- {
- buflen = grub_strlen (completion_buffer.buf);
-- ucs4 = grub_malloc (sizeof (grub_uint32_t) * (buflen + 1));
-+ ucs4 = grub_calloc (buflen + 1, sizeof (grub_uint32_t));
-
- if (!ucs4)
- {
-@@ -1268,7 +1268,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
- for (i = 0; i < (unsigned) screen->num_lines; i++)
- {
- grub_free (screen->lines[i].pos);
-- screen->lines[i].pos = grub_zalloc (screen->nterms * sizeof (screen->lines[i].pos[0]));
-+ screen->lines[i].pos = grub_calloc (screen->nterms, sizeof (screen->lines[i].pos[0]));
- if (! screen->lines[i].pos)
- {
- grub_print_error ();
-@@ -1278,7 +1278,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
- }
- }
-
-- screen->terms = grub_zalloc (screen->nterms * sizeof (screen->terms[0]));
-+ screen->terms = grub_calloc (screen->nterms, sizeof (screen->terms[0]));
- if (!screen->terms)
- {
- grub_print_error ();
-diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
-index e22bb91..18240e7 100644
---- a/grub-core/normal/menu_text.c
-+++ b/grub-core/normal/menu_text.c
-@@ -78,7 +78,7 @@ grub_print_message_indented_real (const char *msg, int margin_left,
- grub_size_t msg_len = grub_strlen (msg) + 2;
- int ret = 0;
-
-- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
-+ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
-
- if (!unicode_msg)
- return 0;
-@@ -211,7 +211,7 @@ print_entry (int y, int highlight, grub_menu_entry_t entry,
-
- title = entry ? entry->title : "";
- title_len = grub_strlen (title);
-- unicode_title = grub_malloc (title_len * sizeof (*unicode_title));
-+ unicode_title = grub_calloc (title_len, sizeof (*unicode_title));
- if (! unicode_title)
- /* XXX How to show this error? */
- return;
-diff --git a/grub-core/normal/term.c b/grub-core/normal/term.c
-index a1e5c5a..cc8c173 100644
---- a/grub-core/normal/term.c
-+++ b/grub-core/normal/term.c
-@@ -264,7 +264,7 @@ grub_term_save_pos (void)
- FOR_ACTIVE_TERM_OUTPUTS(cur)
- cnt++;
-
-- ret = grub_malloc (cnt * sizeof (ret[0]));
-+ ret = grub_calloc (cnt, sizeof (ret[0]));
- if (!ret)
- return NULL;
-
-@@ -1013,7 +1013,7 @@ grub_xnputs (const char *str, grub_size_t msg_len)
-
- grub_error_push ();
-
-- unicode_str = grub_malloc (msg_len * sizeof (grub_uint32_t));
-+ unicode_str = grub_calloc (msg_len, sizeof (grub_uint32_t));
-
- grub_error_pop ();
-
-diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c
-index 90d92d3..5b41ad0 100644
---- a/grub-core/osdep/linux/getroot.c
-+++ b/grub-core/osdep/linux/getroot.c
-@@ -168,7 +168,7 @@ grub_util_raid_getmembers (const char *name, int bootable)
- if (ret != 0)
- grub_util_error (_("ioctl GET_ARRAY_INFO error: %s"), strerror (errno));
-
-- devicelist = xmalloc ((info.nr_disks + 1) * sizeof (char *));
-+ devicelist = xcalloc (info.nr_disks + 1, sizeof (char *));
-
- for (i = 0, j = 0; j < info.nr_disks; i++)
- {
-@@ -241,7 +241,7 @@ grub_find_root_devices_from_btrfs (const char *dir)
- return NULL;
- }
-
-- ret = xmalloc ((fsi.num_devices + 1) * sizeof (ret[0]));
-+ ret = xcalloc (fsi.num_devices + 1, sizeof (ret[0]));
-
- for (i = 1; i <= fsi.max_id && j < fsi.num_devices; i++)
- {
-@@ -396,7 +396,7 @@ grub_find_root_devices_from_mountinfo (const char *dir, char **relroot)
- if (relroot)
- *relroot = NULL;
-
-- entries = xmalloc (entry_max * sizeof (*entries));
-+ entries = xcalloc (entry_max, sizeof (*entries));
-
- again:
- fp = grub_util_fopen ("/proc/self/mountinfo", "r");
-diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c
-index 65effa9..7d63251 100644
---- a/grub-core/osdep/unix/config.c
-+++ b/grub-core/osdep/unix/config.c
-@@ -89,7 +89,7 @@ grub_util_load_config (struct grub_util_config *cfg)
- argv[0] = "sh";
- argv[1] = "-c";
-
-- script = xmalloc (4 * strlen (cfgfile) + 300);
-+ script = xcalloc (4, strlen (cfgfile) + 300);
-
- ptr = script;
- memcpy (ptr, ". '", 3);
-diff --git a/grub-core/osdep/windows/getroot.c b/grub-core/osdep/windows/getroot.c
-index 661d954..eada663 100644
---- a/grub-core/osdep/windows/getroot.c
-+++ b/grub-core/osdep/windows/getroot.c
-@@ -59,7 +59,7 @@ grub_get_mount_point (const TCHAR *path)
-
- for (ptr = path; *ptr; ptr++);
- allocsize = (ptr - path + 10) * 2;
-- out = xmalloc (allocsize * sizeof (out[0]));
-+ out = xcalloc (allocsize, sizeof (out[0]));
-
- /* When pointing to EFI system partition GetVolumePathName fails
- for ESP root and returns abberant information for everything
-diff --git a/grub-core/osdep/windows/hostdisk.c b/grub-core/osdep/windows/hostdisk.c
-index 3551007..0be3273 100644
---- a/grub-core/osdep/windows/hostdisk.c
-+++ b/grub-core/osdep/windows/hostdisk.c
-@@ -111,7 +111,7 @@ grub_util_get_windows_path_real (const char *path)
-
- while (1)
- {
-- fpa = xmalloc (alloc * sizeof (fpa[0]));
-+ fpa = xcalloc (alloc, sizeof (fpa[0]));
-
- len = GetFullPathName (tpath, alloc, fpa, NULL);
- if (len >= alloc)
-@@ -399,7 +399,7 @@ grub_util_fd_opendir (const char *name)
- for (l = 0; name_windows[l]; l++);
- for (l--; l >= 0 && (name_windows[l] == '\\' || name_windows[l] == '/'); l--);
- l++;
-- pattern = xmalloc ((l + 3) * sizeof (pattern[0]));
-+ pattern = xcalloc (l + 3, sizeof (pattern[0]));
- memcpy (pattern, name_windows, l * sizeof (pattern[0]));
- pattern[l] = '\\';
- pattern[l + 1] = '*';
-diff --git a/grub-core/osdep/windows/init.c b/grub-core/osdep/windows/init.c
-index e8ffd62..6297de6 100644
---- a/grub-core/osdep/windows/init.c
-+++ b/grub-core/osdep/windows/init.c
-@@ -161,7 +161,7 @@ grub_util_host_init (int *argc __attribute__ ((unused)),
- LPWSTR *targv;
-
- targv = CommandLineToArgvW (tcmdline, argc);
-- *argv = xmalloc ((*argc + 1) * sizeof (argv[0]));
-+ *argv = xcalloc (*argc + 1, sizeof (argv[0]));
-
- for (i = 0; i < *argc; i++)
- (*argv)[i] = grub_util_tchar_to_utf8 (targv[i]);
-diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c
-index 7eb53fe..1ef86bf 100644
---- a/grub-core/osdep/windows/platform.c
-+++ b/grub-core/osdep/windows/platform.c
-@@ -225,8 +225,8 @@ grub_install_register_efi (grub_device_t efidir_grub_dev,
- grub_util_error ("%s", _("no EFI routines are available when running in BIOS mode"));
-
- distrib8_len = grub_strlen (efi_distributor);
-- distributor16 = xmalloc ((distrib8_len + 1) * GRUB_MAX_UTF16_PER_UTF8
-- * sizeof (grub_uint16_t));
-+ distributor16 = xcalloc (distrib8_len + 1,
-+ GRUB_MAX_UTF16_PER_UTF8 * sizeof (grub_uint16_t));
- distrib16_len = grub_utf8_to_utf16 (distributor16, distrib8_len * GRUB_MAX_UTF16_PER_UTF8,
- (const grub_uint8_t *) efi_distributor,
- distrib8_len, 0);
-diff --git a/grub-core/osdep/windows/relpath.c b/grub-core/osdep/windows/relpath.c
-index cb08617..478e8ef 100644
---- a/grub-core/osdep/windows/relpath.c
-+++ b/grub-core/osdep/windows/relpath.c
-@@ -72,7 +72,7 @@ grub_make_system_path_relative_to_its_root (const char *path)
- if (dirwindows[0] && dirwindows[1] == ':')
- offset = 2;
- }
-- ret = xmalloc (sizeof (ret[0]) * (flen - offset + 2));
-+ ret = xcalloc (flen - offset + 2, sizeof (ret[0]));
- if (dirwindows[offset] != '\\'
- && dirwindows[offset] != '/'
- && dirwindows[offset])
-diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c
-index 103f679..72a2e37 100644
---- a/grub-core/partmap/gpt.c
-+++ b/grub-core/partmap/gpt.c
-@@ -199,7 +199,7 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
- *nsectors = ctx.len;
- if (*nsectors > max_nsectors)
- *nsectors = max_nsectors;
-- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
-+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
- if (!*sectors)
- return grub_errno;
- for (i = 0; i < *nsectors; i++)
-diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c
-index 7b8e450..ee3f249 100644
---- a/grub-core/partmap/msdos.c
-+++ b/grub-core/partmap/msdos.c
-@@ -337,7 +337,7 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
- avail_nsectors = *nsectors;
- if (*nsectors > max_nsectors)
- *nsectors = max_nsectors;
-- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
-+ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
- if (!*sectors)
- return grub_errno;
- for (i = 0; i < *nsectors; i++)
-diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
-index ee299fd..c8d6806 100644
---- a/grub-core/script/execute.c
-+++ b/grub-core/script/execute.c
-@@ -553,7 +553,7 @@ gettext_append (struct grub_script_argv *result, const char *orig_str)
- for (iptr = orig_str; *iptr; iptr++)
- if (*iptr == '$')
- dollar_cnt++;
-- ctx.allowed_strings = grub_malloc (sizeof (ctx.allowed_strings[0]) * dollar_cnt);
-+ ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0]));
-
- if (parse_string (orig_str, gettext_save_allow, &ctx, 0))
- goto fail;
-diff --git a/grub-core/tests/fake_input.c b/grub-core/tests/fake_input.c
-index 2d60852..b5eb516 100644
---- a/grub-core/tests/fake_input.c
-+++ b/grub-core/tests/fake_input.c
-@@ -49,7 +49,7 @@ grub_terminal_input_fake_sequence (int *seq_in, int nseq_in)
- saved = grub_term_inputs;
- if (seq)
- grub_free (seq);
-- seq = grub_malloc (nseq_in * sizeof (seq[0]));
-+ seq = grub_calloc (nseq_in, sizeof (seq[0]));
- if (!seq)
- return;
-
-diff --git a/grub-core/tests/video_checksum.c b/grub-core/tests/video_checksum.c
-index 74d5b65..44d0810 100644
---- a/grub-core/tests/video_checksum.c
-+++ b/grub-core/tests/video_checksum.c
-@@ -336,7 +336,7 @@ grub_video_capture_write_bmp (const char *fname,
- {
- case 4:
- {
-- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
-+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
- grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
- grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
- grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
-@@ -367,7 +367,7 @@ grub_video_capture_write_bmp (const char *fname,
- }
- case 3:
- {
-- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
-+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
- grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
- grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
- grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
-@@ -407,7 +407,7 @@ grub_video_capture_write_bmp (const char *fname,
- }
- case 2:
- {
-- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
-+ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
- grub_uint16_t rmask = ((1 << mode_info->red_mask_size) - 1);
- grub_uint16_t gmask = ((1 << mode_info->green_mask_size) - 1);
- grub_uint16_t bmask = ((1 << mode_info->blue_mask_size) - 1);
-diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c
-index 4f83c74..4d3195e 100644
---- a/grub-core/video/capture.c
-+++ b/grub-core/video/capture.c
-@@ -89,7 +89,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info,
- framebuffer.mode_info = *mode_info;
- framebuffer.mode_info.blit_format = grub_video_get_blit_format (&framebuffer.mode_info);
-
-- framebuffer.ptr = grub_malloc (framebuffer.mode_info.height * framebuffer.mode_info.pitch);
-+ framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch);
- if (!framebuffer.ptr)
- return grub_errno;
-
-diff --git a/grub-core/video/emu/sdl.c b/grub-core/video/emu/sdl.c
-index a2f639f..0ebab6f 100644
---- a/grub-core/video/emu/sdl.c
-+++ b/grub-core/video/emu/sdl.c
-@@ -172,7 +172,7 @@ grub_video_sdl_set_palette (unsigned int start, unsigned int count,
- if (start + count > mode_info.number_of_colors)
- count = mode_info.number_of_colors - start;
-
-- tmp = grub_malloc (count * sizeof (tmp[0]));
-+ tmp = grub_calloc (count, sizeof (tmp[0]));
- for (i = 0; i < count; i++)
- {
- tmp[i].r = palette_data[i].r;
-diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c
-index 01f4711..b2f776c 100644
---- a/grub-core/video/i386/pc/vga.c
-+++ b/grub-core/video/i386/pc/vga.c
-@@ -127,7 +127,7 @@ grub_video_vga_setup (unsigned int width, unsigned int height,
-
- vga_height = height ? : 480;
-
-- framebuffer.temporary_buffer = grub_malloc (vga_height * VGA_WIDTH);
-+ framebuffer.temporary_buffer = grub_calloc (vga_height, VGA_WIDTH);
- framebuffer.front_page = 0;
- framebuffer.back_page = 0;
- if (!framebuffer.temporary_buffer)
-diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
-index 777e713..61bd645 100644
---- a/grub-core/video/readers/png.c
-+++ b/grub-core/video/readers/png.c
-@@ -309,7 +309,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
- if (data->is_16bit || data->is_gray || data->is_palette)
- #endif
- {
-- data->image_data = grub_malloc (data->image_height * data->row_bytes);
-+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
- if (grub_errno)
- return grub_errno;
-
-diff --git a/include/grub/unicode.h b/include/grub/unicode.h
-index a0403e9..4de986a 100644
---- a/include/grub/unicode.h
-+++ b/include/grub/unicode.h
-@@ -293,7 +293,7 @@ grub_unicode_glyph_dup (const struct grub_unicode_glyph *in)
- grub_memcpy (out, in, sizeof (*in));
- if (in->ncomb > ARRAY_SIZE (out->combining_inline))
- {
-- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
-+ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
- if (!out->combining_ptr)
- {
- grub_free (out);
-@@ -315,7 +315,7 @@ grub_unicode_set_glyph (struct grub_unicode_glyph *out,
- grub_memcpy (out, in, sizeof (*in));
- if (in->ncomb > ARRAY_SIZE (out->combining_inline))
- {
-- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
-+ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
- if (!out->combining_ptr)
- return;
- grub_memcpy (out->combining_ptr, in->combining_ptr,
-diff --git a/util/getroot.c b/util/getroot.c
-index 847406f..a5eaa64 100644
---- a/util/getroot.c
-+++ b/util/getroot.c
-@@ -200,7 +200,7 @@ make_device_name (const char *drive)
- char *ret, *ptr;
- const char *iptr;
-
-- ret = xmalloc (strlen (drive) * 2);
-+ ret = xcalloc (2, strlen (drive));
- ptr = ret;
- for (iptr = drive; *iptr; iptr++)
- {
-diff --git a/util/grub-file.c b/util/grub-file.c
-index 50c18b6..b2e7dd6 100644
---- a/util/grub-file.c
-+++ b/util/grub-file.c
-@@ -54,7 +54,7 @@ main (int argc, char *argv[])
-
- grub_util_host_init (&argc, &argv);
-
-- argv2 = xmalloc (argc * sizeof (argv2[0]));
-+ argv2 = xcalloc (argc, sizeof (argv2[0]));
-
- if (argc == 2 && strcmp (argv[1], "--version") == 0)
- {
-diff --git a/util/grub-fstest.c b/util/grub-fstest.c
-index f14e02d..57246af 100644
---- a/util/grub-fstest.c
-+++ b/util/grub-fstest.c
-@@ -650,7 +650,7 @@ argp_parser (int key, char *arg, struct argp_state *state)
- if (args_count < num_disks)
- {
- if (args_count == 0)
-- images = xmalloc (num_disks * sizeof (images[0]));
-+ images = xcalloc (num_disks, sizeof (images[0]));
- images[args_count] = grub_canonicalize_file_name (arg);
- args_count++;
- return 0;
-@@ -734,7 +734,7 @@ main (int argc, char *argv[])
-
- grub_util_host_init (&argc, &argv);
-
-- args = xmalloc (argc * sizeof (args[0]));
-+ args = xcalloc (argc, sizeof (args[0]));
-
- argp_parse (&argp, argc, argv, 0, 0, 0);
-
-diff --git a/util/grub-install-common.c b/util/grub-install-common.c
-index ca0ac61..0295d40 100644
---- a/util/grub-install-common.c
-+++ b/util/grub-install-common.c
-@@ -286,7 +286,7 @@ handle_install_list (struct install_list *il, const char *val,
- il->n_entries++;
- }
- il->n_alloc = il->n_entries + 1;
-- il->entries = xmalloc (il->n_alloc * sizeof (il->entries[0]));
-+ il->entries = xcalloc (il->n_alloc, sizeof (il->entries[0]));
- ptr = val;
- for (ce = il->entries; ; ce++)
- {
-diff --git a/util/grub-install.c b/util/grub-install.c
-index 8a55ad4..a82725f 100644
---- a/util/grub-install.c
-+++ b/util/grub-install.c
-@@ -626,7 +626,7 @@ device_map_check_duplicates (const char *dev_map)
- if (! fp)
- return;
-
-- d = xmalloc (alloced * sizeof (d[0]));
-+ d = xcalloc (alloced, sizeof (d[0]));
-
- while (fgets (buf, sizeof (buf), fp))
- {
-@@ -1260,7 +1260,7 @@ main (int argc, char *argv[])
- ndev++;
- }
-
-- grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1));
-+ grub_drives = xcalloc (ndev + 1, sizeof (grub_drives[0]));
-
- for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++,
- curdrive++)
-diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
-index bc087c2..d97d0e7 100644
---- a/util/grub-mkimagexx.c
-+++ b/util/grub-mkimagexx.c
-@@ -2294,10 +2294,8 @@ SUFFIX (grub_mkimage_load_image) (const char *kernel_path,
- + grub_host_to_target16 (e->e_shstrndx) * smd.section_entsize);
- smd.strtab = (char *) e + grub_host_to_target_addr (s->sh_offset);
-
-- smd.addrs = xmalloc (sizeof (*smd.addrs) * smd.num_sections);
-- memset (smd.addrs, 0, sizeof (*smd.addrs) * smd.num_sections);
-- smd.vaddrs = xmalloc (sizeof (*smd.vaddrs) * smd.num_sections);
-- memset (smd.vaddrs, 0, sizeof (*smd.vaddrs) * smd.num_sections);
-+ smd.addrs = xcalloc (smd.num_sections, sizeof (*smd.addrs));
-+ smd.vaddrs = xcalloc (smd.num_sections, sizeof (*smd.vaddrs));
-
- SUFFIX (locate_sections) (e, kernel_path, &smd, layout, image_target);
-
-diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
-index ce2cbc4..5183102 100644
---- a/util/grub-mkrescue.c
-+++ b/util/grub-mkrescue.c
-@@ -441,8 +441,8 @@ main (int argc, char *argv[])
- xorriso = xstrdup ("xorriso");
- label_font = grub_util_path_concat (2, pkgdatadir, "unicode.pf2");
-
-- argp_argv = xmalloc (sizeof (argp_argv[0]) * argc);
-- xorriso_tail_argv = xmalloc (sizeof (argp_argv[0]) * argc);
-+ argp_argv = xcalloc (argc, sizeof (argp_argv[0]));
-+ xorriso_tail_argv = xcalloc (argc, sizeof (argp_argv[0]));
-
- xorriso_tail_argc = 0;
- /* Program name */
-diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c
-index 4907d44..edf3097 100644
---- a/util/grub-mkstandalone.c
-+++ b/util/grub-mkstandalone.c
-@@ -296,7 +296,7 @@ main (int argc, char *argv[])
- grub_util_host_init (&argc, &argv);
- grub_util_disable_fd_syncs ();
-
-- files = xmalloc ((argc + 1) * sizeof (files[0]));
-+ files = xcalloc (argc + 1, sizeof (files[0]));
-
- argp_parse (&argp, argc, argv, 0, 0, 0);
-
-diff --git a/util/grub-pe2elf.c b/util/grub-pe2elf.c
-index 0d4084a..1133129 100644
---- a/util/grub-pe2elf.c
-+++ b/util/grub-pe2elf.c
-@@ -100,9 +100,9 @@ write_section_data (FILE* fp, const char *name, char *image,
- char *pe_strtab = (image + pe_chdr->symtab_offset
- + pe_chdr->num_symbols * sizeof (struct grub_pe32_symbol));
-
-- section_map = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (int));
-+ section_map = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (int));
- section_map[0] = 0;
-- shdr = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (shdr[0]));
-+ shdr = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (shdr[0]));
- idx = 1;
- idx_reloc = pe_chdr->num_sections + 1;
-
-@@ -233,7 +233,7 @@ write_reloc_section (FILE* fp, const char *name, char *image,
-
- pe_sec = pe_shdr + shdr[i].sh_link;
- pe_rel = (struct grub_pe32_reloc *) (image + pe_sec->relocations_offset);
-- rel = (elf_reloc_t *) xmalloc (pe_sec->num_relocations * sizeof (elf_reloc_t));
-+ rel = (elf_reloc_t *) xcalloc (pe_sec->num_relocations, sizeof (elf_reloc_t));
- num_rels = 0;
- modified = 0;
-
-@@ -365,12 +365,10 @@ write_symbol_table (FILE* fp, const char *name, char *image,
- pe_symtab = (struct grub_pe32_symbol *) (image + pe_chdr->symtab_offset);
- pe_strtab = (char *) (pe_symtab + pe_chdr->num_symbols);
-
-- symtab = (Elf_Sym *) xmalloc ((pe_chdr->num_symbols + 1) *
-- sizeof (Elf_Sym));
-- memset (symtab, 0, (pe_chdr->num_symbols + 1) * sizeof (Elf_Sym));
-+ symtab = (Elf_Sym *) xcalloc (pe_chdr->num_symbols + 1, sizeof (Elf_Sym));
- num_syms = 1;
-
-- symtab_map = (int *) xmalloc (pe_chdr->num_symbols * sizeof (int));
-+ symtab_map = (int *) xcalloc (pe_chdr->num_symbols, sizeof (int));
-
- for (i = 0; i < (int) pe_chdr->num_symbols;
- i += pe_symtab->num_aux + 1, pe_symtab += pe_symtab->num_aux + 1)
-diff --git a/util/grub-probe.c b/util/grub-probe.c
-index 81d27ee..cbe6ed9 100644
---- a/util/grub-probe.c
-+++ b/util/grub-probe.c
-@@ -361,8 +361,8 @@ probe (const char *path, char **device_names, char delim)
- grub_util_pull_device (*curdev);
- ndev++;
- }
--
-- drives_names = xmalloc (sizeof (drives_names[0]) * (ndev + 1));
-+
-+ drives_names = xcalloc (ndev + 1, sizeof (drives_names[0]));
-
- for (curdev = device_names, curdrive = drives_names; *curdev; curdev++,
- curdrive++)
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
deleted file mode 100644
index 7214ead9a7..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
+++ /dev/null
@@ -1,1330 +0,0 @@
-From eb77d1ef65e25746acff43545f62a71360b15eec Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 15 Jun 2020 12:28:27 -0400
-Subject: [PATCH 6/9] malloc: Use overflow checking primitives where we do
- complex allocations
-
-This attempts to fix the places where we do the following where
-arithmetic_expr may include unvalidated data:
-
- X = grub_malloc(arithmetic_expr);
-
-It accomplishes this by doing the arithmetic ahead of time using grub_add(),
-grub_sub(), grub_mul() and testing for overflow before proceeding.
-
-Among other issues, this fixes:
- - allocation of integer overflow in grub_video_bitmap_create()
- reported by Chris Coulson,
- - allocation of integer overflow in grub_png_decode_image_header()
- reported by Chris Coulson,
- - allocation of integer overflow in grub_squash_read_symlink()
- reported by Chris Coulson,
- - allocation of integer overflow in grub_ext2_read_symlink()
- reported by Chris Coulson,
- - allocation of integer overflow in read_section_as_string()
- reported by Chris Coulson.
-
-Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport
-CVE: CVE-2020-14309 CVE-2020-14310 CVE-2020-14311
-
-Reference to upstream patch:
-https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f05d693d1274965ffbe4ba99080dc2c570944c6
-
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
- grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
- grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
- grub-core/font/font.c | 7 +++++-
- grub-core/fs/btrfs.c | 28 +++++++++++++++--------
- grub-core/fs/ext2.c | 10 ++++++++-
- grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
- grub-core/fs/sfs.c | 27 +++++++++++++++++-----
- grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
- grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
- grub-core/fs/xfs.c | 11 +++++----
- grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
- grub-core/fs/zfs/zfscrypt.c | 7 +++++-
- grub-core/lib/arg.c | 20 +++++++++++++++--
- grub-core/loader/i386/bsd.c | 8 ++++++-
- grub-core/net/dns.c | 9 +++++++-
- grub-core/normal/charset.c | 10 +++++++--
- grub-core/normal/cmdline.c | 14 ++++++++++--
- grub-core/normal/menu_entry.c | 13 +++++++++--
- grub-core/script/argv.c | 16 +++++++++++--
- grub-core/script/lexer.c | 21 ++++++++++++++---
- grub-core/video/bitmap.c | 25 +++++++++++++--------
- grub-core/video/readers/png.c | 13 +++++++++--
- 23 files changed, 382 insertions(+), 113 deletions(-)
-
-diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
-index 5e3ec0d..cc5971f 100644
---- a/grub-core/commands/legacycfg.c
-+++ b/grub-core/commands/legacycfg.c
-@@ -32,6 +32,7 @@
- #include <grub/auth.h>
- #include <grub/disk.h>
- #include <grub/partition.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -104,13 +105,22 @@ legacy_file (const char *filename)
- if (newsuffix)
- {
- char *t;
--
-+ grub_size_t sz;
-+
-+ if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
-+ grub_add (sz, 1, &sz))
-+ {
-+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
-+ goto fail_0;
-+ }
-+
- t = suffix;
-- suffix = grub_realloc (suffix, grub_strlen (suffix)
-- + grub_strlen (newsuffix) + 1);
-+ suffix = grub_realloc (suffix, sz);
- if (!suffix)
- {
- grub_free (t);
-+
-+ fail_0:
- grub_free (entrysrc);
- grub_free (parsed);
- grub_free (newsuffix);
-@@ -154,13 +164,22 @@ legacy_file (const char *filename)
- else
- {
- char *t;
-+ grub_size_t sz;
-+
-+ if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
-+ grub_add (sz, 1, &sz))
-+ {
-+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
-+ goto fail_1;
-+ }
-
- t = entrysrc;
-- entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
-- + grub_strlen (parsed) + 1);
-+ entrysrc = grub_realloc (entrysrc, sz);
- if (!entrysrc)
- {
- grub_free (t);
-+
-+ fail_1:
- grub_free (parsed);
- grub_free (suffix);
- return grub_errno;
-diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
-index 4a106ca..cc32903 100644
---- a/grub-core/commands/wildcard.c
-+++ b/grub-core/commands/wildcard.c
-@@ -23,6 +23,7 @@
- #include <grub/file.h>
- #include <grub/device.h>
- #include <grub/script_sh.h>
-+#include <grub/safemath.h>
-
- #include <regex.h>
-
-@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
- int i;
- int j;
- char **p;
-+ grub_size_t sz;
-
- if (! dest)
- return ps;
-@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
- for (j = 0; ps[j]; j++)
- ;
-
-- p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
-+ if (grub_add (i, j, &sz) ||
-+ grub_add (sz, 1, &sz) ||
-+ grub_mul (sz, sizeof (char *), &sz))
-+ return dest;
-+
-+ p = grub_realloc (dest, sz);
- if (! p)
- {
- grub_free (dest);
-@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
- char ch;
- int i = 0;
- unsigned len = end - start;
-- char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
-+ char *buffer;
-+ grub_size_t sz;
-
-+ /* Worst case size is (len * 2 + 2 + 1). */
-+ if (grub_mul (len, 2, &sz) ||
-+ grub_add (sz, 3, &sz))
-+ return 1;
-+
-+ buffer = grub_malloc (sz);
- if (! buffer)
- return 1;
-
-@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
- struct match_devices_ctx *ctx = data;
- char **t;
- char *buffer;
-+ grub_size_t sz;
-
- /* skip partitions if asked to. */
- if (ctx->noparts && grub_strchr (name, ','))
-@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
- if (regexec (ctx->regexp, buffer, 0, 0, 0))
- {
- grub_dprintf ("expand", "not matched\n");
-+ fail:
- grub_free (buffer);
- return 0;
- }
-
-- t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
-+ if (grub_add (ctx->ndev, 2, &sz) ||
-+ grub_mul (sz, sizeof (char *), &sz))
-+ goto fail;
-+
-+ t = grub_realloc (ctx->devs, sz);
- if (! t)
- {
- grub_free (buffer);
-@@ -300,6 +320,7 @@ match_files_iter (const char *name,
- struct match_files_ctx *ctx = data;
- char **t;
- char *buffer;
-+ grub_size_t sz;
-
- /* skip . and .. names */
- if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
-@@ -315,9 +336,14 @@ match_files_iter (const char *name,
- if (! buffer)
- return 1;
-
-- t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
-- if (! t)
-+ if (grub_add (ctx->nfile, 2, &sz) ||
-+ grub_mul (sz, sizeof (char *), &sz))
-+ goto fail;
-+
-+ t = grub_realloc (ctx->files, sz);
-+ if (!t)
- {
-+ fail:
- grub_free (buffer);
- return 1;
- }
-diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
-index e632370..58f8a53 100644
---- a/grub-core/disk/ldm.c
-+++ b/grub-core/disk/ldm.c
-@@ -25,6 +25,7 @@
- #include <grub/msdos_partition.h>
- #include <grub/gpt_partition.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
-
- #ifdef GRUB_UTIL
- #include <grub/emu/misc.h>
-@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
- struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
- / sizeof (struct grub_ldm_vblk)];
- unsigned i;
-+ grub_size_t sz;
- err = grub_disk_read (disk, cursec, 0,
- sizeof(vblk), &vblk);
- if (err)
-@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
- grub_free (lv);
- goto fail2;
- }
-- lv->name = grub_malloc (*ptr + 1);
-+ if (grub_add (*ptr, 1, &sz))
-+ {
-+ grub_free (lv->internal_id);
-+ grub_free (lv);
-+ goto fail2;
-+ }
-+ lv->name = grub_malloc (sz);
- if (!lv->name)
- {
- grub_free (lv->internal_id);
-@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
- if (lv->segments->node_alloc == lv->segments->node_count)
- {
- void *t;
-- lv->segments->node_alloc *= 2;
-- t = grub_realloc (lv->segments->nodes,
-- sizeof (*lv->segments->nodes)
-- * lv->segments->node_alloc);
-+ grub_size_t sz;
-+
-+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
-+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
-+ goto fail2;
-+
-+ t = grub_realloc (lv->segments->nodes, sz);
- if (!t)
- goto fail2;
- lv->segments->nodes = t;
-@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
- if (comp->segment_alloc == comp->segment_count)
- {
- void *t;
-- comp->segment_alloc *= 2;
-- t = grub_realloc (comp->segments,
-- comp->segment_alloc
-- * sizeof (*comp->segments));
-+ grub_size_t sz;
-+
-+ if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
-+ grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
-+ goto fail2;
-+
-+ t = grub_realloc (comp->segments, sz);
- if (!t)
- goto fail2;
- comp->segments = t;
-diff --git a/grub-core/font/font.c b/grub-core/font/font.c
-index 8e118b3..5edb477 100644
---- a/grub-core/font/font.c
-+++ b/grub-core/font/font.c
-@@ -30,6 +30,7 @@
- #include <grub/unicode.h>
- #include <grub/fontformat.h>
- #include <grub/env.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -360,9 +361,13 @@ static char *
- read_section_as_string (struct font_file_section *section)
- {
- char *str;
-+ grub_size_t sz;
- grub_ssize_t ret;
-
-- str = grub_malloc (section->length + 1);
-+ if (grub_add (section->length, 1, &sz))
-+ return NULL;
-+
-+ str = grub_malloc (sz);
- if (!str)
- return 0;
-
-diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
-index 11272ef..2b65bd5 100644
---- a/grub-core/fs/btrfs.c
-+++ b/grub-core/fs/btrfs.c
-@@ -40,6 +40,7 @@
- #include <grub/btrfs.h>
- #include <grub/crypto.h>
- #include <grub/diskfilter.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
- if (desc->allocated < desc->depth)
- {
- void *newdata;
-- desc->allocated *= 2;
-- newdata = grub_realloc (desc->data, sizeof (desc->data[0])
-- * desc->allocated);
-+ grub_size_t sz;
-+
-+ if (grub_mul (desc->allocated, 2, &desc->allocated) ||
-+ grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+
-+ newdata = grub_realloc (desc->data, sz);
- if (!newdata)
- return grub_errno;
- desc->data = newdata;
-@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
- if (data->n_devices_attached > data->n_devices_allocated)
- {
- void *tmp;
-- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
-- data->devices_attached
-- = grub_realloc (tmp = data->devices_attached,
-- data->n_devices_allocated
-- * sizeof (data->devices_attached[0]));
-+ grub_size_t sz;
-+
-+ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
-+ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
-+ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
-+ goto fail;
-+
-+ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
- if (!data->devices_attached)
- {
-+ data->devices_attached = tmp;
-+
-+ fail:
- if (ctx.dev_found)
- grub_device_close (ctx.dev_found);
-- data->devices_attached = tmp;
- return NULL;
- }
- }
-diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
-index 9b38980..ac33bcd 100644
---- a/grub-core/fs/ext2.c
-+++ b/grub-core/fs/ext2.c
-@@ -46,6 +46,7 @@
- #include <grub/dl.h>
- #include <grub/types.h>
- #include <grub/fshelp.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
- {
- char *symlink;
- struct grub_fshelp_node *diro = node;
-+ grub_size_t sz;
-
- if (! diro->inode_read)
- {
-@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
- }
- }
-
-- symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
-+ if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+ return NULL;
-+ }
-+
-+ symlink = grub_malloc (sz);
- if (! symlink)
- return 0;
-
-diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
-index 4f1b52a..7ba5b30 100644
---- a/grub-core/fs/iso9660.c
-+++ b/grub-core/fs/iso9660.c
-@@ -28,6 +28,7 @@
- #include <grub/fshelp.h>
- #include <grub/charset.h>
- #include <grub/datetime.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
- int len2)
- {
- int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
-+ grub_size_t sz;
-
-- ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
-+ if (grub_add (size, len2, &sz) ||
-+ grub_add (sz, 1, &sz))
-+ return;
-+
-+ ctx->symlink = grub_realloc (ctx->symlink, sz);
- if (! ctx->symlink)
- return;
-
-@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
- {
- grub_size_t off = 0, csize = 1;
- char *old;
-+ grub_size_t sz;
-+
- csize = entry->len - 5;
- old = ctx->filename;
- if (ctx->filename_alloc)
- {
- off = grub_strlen (ctx->filename);
-- ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
-+ if (grub_add (csize, off, &sz) ||
-+ grub_add (sz, 1, &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+ ctx->filename = grub_realloc (ctx->filename, sz);
- }
- else
- {
- off = 0;
-- ctx->filename = grub_zalloc (csize + 1);
-+ if (grub_add (csize, 1, &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+ ctx->filename = grub_zalloc (sz);
- }
- if (!ctx->filename)
- {
-@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
- if (node->have_dirents >= node->alloc_dirents)
- {
- struct grub_fshelp_node *new_node;
-- node->alloc_dirents *= 2;
-- new_node = grub_realloc (node,
-- sizeof (struct grub_fshelp_node)
-- + ((node->alloc_dirents
-- - ARRAY_SIZE (node->dirents))
-- * sizeof (node->dirents[0])));
-+ grub_size_t sz;
-+
-+ if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
-+ grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
-+ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
-+ grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
-+ goto fail_0;
-+
-+ new_node = grub_realloc (node, sz);
- if (!new_node)
- {
-+ fail_0:
- if (ctx.filename_alloc)
- grub_free (ctx.filename);
- grub_free (node);
-@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
- * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
- {
- struct grub_fshelp_node *new_node;
-- new_node = grub_realloc (node,
-- sizeof (struct grub_fshelp_node)
-- + ((node->alloc_dirents
-- - ARRAY_SIZE (node->dirents))
-- * sizeof (node->dirents[0]))
-- + grub_strlen (ctx.symlink) + 1);
-+ grub_size_t sz;
-+
-+ if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
-+ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
-+ grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
-+ grub_add (sz, grub_strlen (ctx.symlink), &sz))
-+ goto fail_1;
-+
-+ new_node = grub_realloc (node, sz);
- if (!new_node)
- {
-+ fail_1:
- if (ctx.filename_alloc)
- grub_free (ctx.filename);
- grub_free (node);
-diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
-index 90f7fb3..de2b107 100644
---- a/grub-core/fs/sfs.c
-+++ b/grub-core/fs/sfs.c
-@@ -26,6 +26,7 @@
- #include <grub/types.h>
- #include <grub/fshelp.h>
- #include <grub/charset.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
- if (node->cache && node->cache_size >= node->cache_allocated)
- {
- struct cache_entry *e = node->cache;
-- e = grub_realloc (node->cache,node->cache_allocated * 2
-- * sizeof (e[0]));
-+ grub_size_t sz;
-+
-+ if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
-+ goto fail;
-+
-+ e = grub_realloc (node->cache, sz);
- if (!e)
- {
-+ fail:
- grub_errno = 0;
- grub_free (node->cache);
- node->cache = 0;
-@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
- grub_size_t len = grub_strlen (name);
- grub_uint8_t *name_u8;
- int ret;
-+ grub_size_t sz;
-+
-+ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
-+ grub_add (sz, 1, &sz))
-+ return 1;
-+
- *node = grub_malloc (sizeof (**node));
- if (!*node)
- return 1;
-- name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
-+ name_u8 = grub_malloc (sz);
- if (!name_u8)
- {
- grub_free (*node);
-@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
- data = grub_sfs_mount (disk);
- if (data)
- {
-- grub_size_t len = grub_strlen (data->label);
-- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
-+ grub_size_t sz, len = grub_strlen (data->label);
-+
-+ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
-+ grub_add (sz, 1, &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+
-+ *label = grub_malloc (sz);
- if (*label)
- *grub_latin1_to_utf8 ((grub_uint8_t *) *label,
- (const grub_uint8_t *) data->label,
-diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
-index 95d5c1e..7851238 100644
---- a/grub-core/fs/squash4.c
-+++ b/grub-core/fs/squash4.c
-@@ -26,6 +26,7 @@
- #include <grub/types.h>
- #include <grub/fshelp.h>
- #include <grub/deflate.h>
-+#include <grub/safemath.h>
- #include <minilzo.h>
-
- #include "xz.h"
-@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
- {
- char *ret;
- grub_err_t err;
-- ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
-+ grub_size_t sz;
-+
-+ if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+ return NULL;
-+ }
-+
-+ ret = grub_malloc (sz);
-+ if (!ret)
-+ return NULL;
-
- err = read_chunk (node->data, ret,
- grub_le_to_cpu32 (node->ino.symlink.namelen),
-@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
-
- {
- grub_fshelp_node_t node;
-- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
-+ grub_size_t sz;
-+
-+ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
-+ grub_add (sz, sizeof (*node), &sz))
-+ return 0;
-+
-+ node = grub_malloc (sz);
- if (!node)
- return 0;
-- grub_memcpy (node, dir,
-- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
-+ grub_memcpy (node, dir, sz);
- if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
- return 1;
-
-@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
- {
- grub_err_t err;
-
-- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
-+ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
-+ grub_add (sz, sizeof (*node), &sz))
-+ return 0;
-+
-+ node = grub_malloc (sz);
- if (!node)
- return 0;
-
-- grub_memcpy (node, dir,
-- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
-+ grub_memcpy (node, dir, sz);
-
- node->stsize--;
- err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
-@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
- enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
- struct grub_squash_dirent di;
- struct grub_squash_inode ino;
-+ grub_size_t sz;
-
- err = read_chunk (dir->data, &di, sizeof (di),
- grub_le_to_cpu64 (dir->data->sb.diroffset)
-@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
- if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
- filetype = GRUB_FSHELP_SYMLINK;
-
-- node = grub_malloc (sizeof (*node)
-- + (dir->stsize + 1) * sizeof (dir->stack[0]));
-+ if (grub_add (dir->stsize, 1, &sz) ||
-+ grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
-+ grub_add (sz, sizeof (*node), &sz))
-+ return 0;
-+
-+ node = grub_malloc (sz);
- if (! node)
- return 0;
-
-- grub_memcpy (node, dir,
-- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
-+ grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
-
- node->ino = ino;
- node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
-diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
-index a837616..21ac7f4 100644
---- a/grub-core/fs/udf.c
-+++ b/grub-core/fs/udf.c
-@@ -28,6 +28,7 @@
- #include <grub/charset.h>
- #include <grub/datetime.h>
- #include <grub/udf.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
- utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
- }
- if (!outbuf)
-- outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
-+ {
-+ grub_size_t size;
-+
-+ if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
-+ grub_add (size, 1, &size))
-+ goto fail;
-+
-+ outbuf = grub_malloc (size);
-+ }
- if (outbuf)
- *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
-+
-+ fail:
- grub_free (utf16);
- return outbuf;
- }
-@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
- grub_size_t sz = U64 (node->block.fe.file_size);
- grub_uint8_t *raw;
- const grub_uint8_t *ptr;
-- char *out, *optr;
-+ char *out = NULL, *optr;
-
- if (sz < 4)
- return NULL;
-@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
- if (!raw)
- return NULL;
- if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
-- {
-- grub_free (raw);
-- return NULL;
-- }
-+ goto fail_1;
-
-- out = grub_malloc (sz * 2 + 1);
-+ if (grub_mul (sz, 2, &sz) ||
-+ grub_add (sz, 1, &sz))
-+ goto fail_0;
-+
-+ out = grub_malloc (sz);
- if (!out)
- {
-+ fail_0:
- grub_free (raw);
- return NULL;
- }
-@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
- {
- grub_size_t s;
- if ((grub_size_t) (ptr - raw + 4) > sz)
-- goto fail;
-+ goto fail_1;
- if (!(ptr[2] == 0 && ptr[3] == 0))
-- goto fail;
-+ goto fail_1;
- s = 4 + ptr[1];
- if ((grub_size_t) (ptr - raw + s) > sz)
-- goto fail;
-+ goto fail_1;
- switch (*ptr)
- {
- case 1:
- if (ptr[1])
-- goto fail;
-+ goto fail_1;
- /* Fallthrough. */
- case 2:
- /* in 4 bytes. out: 1 byte. */
-@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
- if (optr != out)
- *optr++ = '/';
- if (!read_string (ptr + 4, s - 4, optr))
-- goto fail;
-+ goto fail_1;
- optr += grub_strlen (optr);
- break;
- default:
-- goto fail;
-+ goto fail_1;
- }
- ptr += s;
- }
-@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
- grub_free (raw);
- return out;
-
-- fail:
-+ fail_1:
- grub_free (raw);
- grub_free (out);
- grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
-index 96ffecb..ea65902 100644
---- a/grub-core/fs/xfs.c
-+++ b/grub-core/fs/xfs.c
-@@ -25,6 +25,7 @@
- #include <grub/dl.h>
- #include <grub/types.h>
- #include <grub/fshelp.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -899,6 +900,7 @@ static struct grub_xfs_data *
- grub_xfs_mount (grub_disk_t disk)
- {
- struct grub_xfs_data *data = 0;
-+ grub_size_t sz;
-
- data = grub_zalloc (sizeof (struct grub_xfs_data));
- if (!data)
-@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
- if (!grub_xfs_sb_valid(data))
- goto fail;
-
-- data = grub_realloc (data,
-- sizeof (struct grub_xfs_data)
-- - sizeof (struct grub_xfs_inode)
-- + grub_xfs_inode_size(data) + 1);
-+ if (grub_add (grub_xfs_inode_size (data),
-+ sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
-+ goto fail;
-+
-+ data = grub_realloc (data, sz);
-
- if (! data)
- goto fail;
-diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
-index 381dde5..36d0373 100644
---- a/grub-core/fs/zfs/zfs.c
-+++ b/grub-core/fs/zfs/zfs.c
-@@ -55,6 +55,7 @@
- #include <grub/deflate.h>
- #include <grub/crypto.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data,
- if (data->n_devices_attached > data->n_devices_allocated)
- {
- void *tmp;
-- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
-- data->devices_attached
-- = grub_realloc (tmp = data->devices_attached,
-- data->n_devices_allocated
-- * sizeof (data->devices_attached[0]));
-+ grub_size_t sz;
-+
-+ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
-+ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
-+ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+
-+ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
- if (!data->devices_attached)
- {
- data->devices_attached = tmp;
-@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
- {
- char *nvpair;
- char *ret;
-- grub_size_t size;
-+ grub_size_t size, sz;
- int found;
-
- found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
- &size, 0);
- if (!found)
- return 0;
-- ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
-+
-+ if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
-+ return 0;
-+
-+ ret = grub_zalloc (sz);
- if (!ret)
- return 0;
- grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
-diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
-index 1402e0b..de3b015 100644
---- a/grub-core/fs/zfs/zfscrypt.c
-+++ b/grub-core/fs/zfs/zfscrypt.c
-@@ -22,6 +22,7 @@
- #include <grub/misc.h>
- #include <grub/disk.h>
- #include <grub/partition.h>
-+#include <grub/safemath.h>
- #include <grub/dl.h>
- #include <grub/types.h>
- #include <grub/zfs/zfs.h>
-@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
- int passphrase)
- {
- struct grub_zfs_wrap_key *key;
-+ grub_size_t sz;
-+
- if (!passphrase && keylen > 32)
- keylen = 32;
-- key = grub_malloc (sizeof (*key) + keylen);
-+ if (grub_add (sizeof (*key), keylen, &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+ key = grub_malloc (sz);
- if (!key)
- return grub_errno;
- key->is_passphrase = passphrase;
-diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
-index fd7744a..3288609 100644
---- a/grub-core/lib/arg.c
-+++ b/grub-core/lib/arg.c
-@@ -23,6 +23,7 @@
- #include <grub/term.h>
- #include <grub/extcmd.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
-
- /* Built-in parser for default options. */
- static const struct grub_arg_option help_options[] =
-@@ -216,7 +217,13 @@ static inline grub_err_t
- add_arg (char ***argl, int *num, char *s)
- {
- char **p = *argl;
-- *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
-+ grub_size_t sz;
-+
-+ if (grub_add (++(*num), 1, &sz) ||
-+ grub_mul (sz, sizeof (char *), &sz))
-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+
-+ *argl = grub_realloc (*argl, sz);
- if (! *argl)
- {
- grub_free (p);
-@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
- grub_size_t argcnt;
- struct grub_arg_list *list;
- const struct grub_arg_option *options;
-+ grub_size_t sz0, sz1;
-
- options = extcmd->options;
- if (! options)
-@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
- argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
- }
-
-- list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
-+ if (grub_mul (sizeof (*list), i, &sz0) ||
-+ grub_mul (sizeof (char *), argcnt, &sz1) ||
-+ grub_add (sz0, sz1, &sz0))
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+ return 0;
-+ }
-+
-+ list = grub_zalloc (sz0);
- if (! list)
- return 0;
-
-diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
-index 3730ed3..b92cbe9 100644
---- a/grub-core/loader/i386/bsd.c
-+++ b/grub-core/loader/i386/bsd.c
-@@ -35,6 +35,7 @@
- #include <grub/ns8250.h>
- #include <grub/bsdlabel.h>
- #include <grub/crypto.h>
-+#include <grub/safemath.h>
- #include <grub/verify.h>
- #ifdef GRUB_MACHINE_PCBIOS
- #include <grub/machine/int.h>
-@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
- struct grub_netbsd_btinfo_modules *mods;
- unsigned i;
- grub_err_t err;
-+ grub_size_t sz;
-
- for (mod = netbsd_mods; mod; mod = mod->next)
- modcnt++;
-
-- mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
-+ if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
-+ grub_add (sz, sizeof (*mods), &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+
-+ mods = grub_malloc (sz);
- if (!mods)
- return grub_errno;
-
-diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
-index e332d5e..906ec7d 100644
---- a/grub-core/net/dns.c
-+++ b/grub-core/net/dns.c
-@@ -22,6 +22,7 @@
- #include <grub/i18n.h>
- #include <grub/err.h>
- #include <grub/time.h>
-+#include <grub/safemath.h>
-
- struct dns_cache_element
- {
-@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
- {
- int na = dns_servers_alloc * 2;
- struct grub_net_network_level_address *ns;
-+ grub_size_t sz;
-+
- if (na < 8)
- na = 8;
-- ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
-+
-+ if (grub_mul (na, sizeof (ns[0]), &sz))
-+ return GRUB_ERR_OUT_OF_RANGE;
-+
-+ ns = grub_realloc (dns_servers, sz);
- if (!ns)
- return grub_errno;
- dns_servers_alloc = na;
-diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
-index d57fb72..4dfcc31 100644
---- a/grub-core/normal/charset.c
-+++ b/grub-core/normal/charset.c
-@@ -48,6 +48,7 @@
- #include <grub/unicode.h>
- #include <grub/term.h>
- #include <grub/normal.h>
-+#include <grub/safemath.h>
-
- #if HAVE_FONT_SOURCE
- #include "widthspec.h"
-@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
- {
- struct grub_unicode_combining *n;
- unsigned j;
-+ grub_size_t sz;
-
- if (!haveout)
- continue;
-@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
- n = out->combining_inline;
- else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
- {
-- n = grub_realloc (out->combining_ptr,
-- sizeof (n[0]) * (out->ncomb + 1));
-+ if (grub_add (out->ncomb, 1, &sz) ||
-+ grub_mul (sz, sizeof (n[0]), &sz))
-+ goto fail;
-+
-+ n = grub_realloc (out->combining_ptr, sz);
- if (!n)
- {
-+ fail:
- grub_errno = GRUB_ERR_NONE;
- continue;
- }
-diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
-index c57242e..de03fe6 100644
---- a/grub-core/normal/cmdline.c
-+++ b/grub-core/normal/cmdline.c
-@@ -28,6 +28,7 @@
- #include <grub/env.h>
- #include <grub/i18n.h>
- #include <grub/charset.h>
-+#include <grub/safemath.h>
-
- static grub_uint32_t *kill_buf;
-
-@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
- if (len + (*llen) >= (*max_len))
- {
- grub_uint32_t *nbuf;
-- (*max_len) *= 2;
-- nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
-+ grub_size_t sz;
-+
-+ if (grub_mul (*max_len, 2, max_len) ||
-+ grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
-+ {
-+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
-+ goto fail;
-+ }
-+
-+ nbuf = grub_realloc ((*buf), sz);
- if (nbuf)
- (*buf) = nbuf;
- else
- {
-+ fail:
- grub_print_error ();
- grub_errno = GRUB_ERR_NONE;
- (*max_len) /= 2;
-diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
-index 1993995..50eef91 100644
---- a/grub-core/normal/menu_entry.c
-+++ b/grub-core/normal/menu_entry.c
-@@ -27,6 +27,7 @@
- #include <grub/auth.h>
- #include <grub/i18n.h>
- #include <grub/charset.h>
-+#include <grub/safemath.h>
-
- enum update_mode
- {
-@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra)
- {
- if (linep->max_len < linep->len + extra)
- {
-- linep->max_len = 2 * (linep->len + extra);
-- linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
-+ grub_size_t sz0, sz1;
-+
-+ if (grub_add (linep->len, extra, &sz0) ||
-+ grub_mul (sz0, 2, &sz0) ||
-+ grub_add (sz0, 1, &sz1) ||
-+ grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
-+ return 0;
-+
-+ linep->buf = grub_realloc (linep->buf, sz1);
- if (! linep->buf)
- return 0;
-+ linep->max_len = sz0;
- }
-
- return 1;
-diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
-index 217ec5d..5751fdd 100644
---- a/grub-core/script/argv.c
-+++ b/grub-core/script/argv.c
-@@ -20,6 +20,7 @@
- #include <grub/mm.h>
- #include <grub/misc.h>
- #include <grub/script_sh.h>
-+#include <grub/safemath.h>
-
- /* Return nearest power of two that is >= v. */
- static unsigned
-@@ -81,11 +82,16 @@ int
- grub_script_argv_next (struct grub_script_argv *argv)
- {
- char **p = argv->args;
-+ grub_size_t sz;
-
- if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
- return 0;
-
-- p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
-+ if (grub_add (argv->argc, 2, &sz) ||
-+ grub_mul (sz, sizeof (char *), &sz))
-+ return 1;
-+
-+ p = grub_realloc (p, round_up_exp (sz));
- if (! p)
- return 1;
-
-@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
- {
- grub_size_t a;
- char *p = argv->args[argv->argc - 1];
-+ grub_size_t sz;
-
- if (! s)
- return 0;
-
- a = p ? grub_strlen (p) : 0;
-
-- p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
-+ if (grub_add (a, slen, &sz) ||
-+ grub_add (sz, 1, &sz) ||
-+ grub_mul (sz, sizeof (char), &sz))
-+ return 1;
-+
-+ p = grub_realloc (p, round_up_exp (sz));
- if (! p)
- return 1;
-
-diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
-index c6bd317..5fb0cbd 100644
---- a/grub-core/script/lexer.c
-+++ b/grub-core/script/lexer.c
-@@ -24,6 +24,7 @@
- #include <grub/mm.h>
- #include <grub/script_sh.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
-
- #define yytext_ptr char *
- #include "grub_script.tab.h"
-@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
- old = lexer->recording;
- if (lexer->recordlen < len)
- lexer->recordlen = len;
-- lexer->recordlen *= 2;
-+
-+ if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
-+ goto fail;
-+
- lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
- if (!lexer->recording)
- {
-+ fail:
- grub_free (old);
- lexer->recordpos = 0;
- lexer->recordlen = 0;
-@@ -130,7 +135,7 @@ int
- grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
- const char *input)
- {
-- grub_size_t len = 0;
-+ grub_size_t len = 0, sz;
- char *p = 0;
- char *line = 0;
- YY_BUFFER_STATE buffer;
-@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
- }
- else if (len && line[len - 1] != '\n')
- {
-- p = grub_realloc (line, len + 2);
-+ if (grub_add (len, 2, &sz))
-+ {
-+ grub_free (line);
-+ grub_script_yyerror (parserstate, N_("overflow is detected"));
-+ return 1;
-+ }
-+
-+ p = grub_realloc (line, sz);
- if (p)
- {
- p[len++] = '\n';
- p[len] = '\0';
- }
-+ else
-+ grub_free (line);
-+
- line = p;
- }
-
-diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
-index b2e0315..6256e20 100644
---- a/grub-core/video/bitmap.c
-+++ b/grub-core/video/bitmap.c
-@@ -23,6 +23,7 @@
- #include <grub/mm.h>
- #include <grub/misc.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
- enum grub_video_blit_format blit_format)
- {
- struct grub_video_mode_info *mode_info;
-- unsigned int size;
-+ grub_size_t size;
-
- if (!bitmap)
- return grub_error (GRUB_ERR_BUG, "invalid argument");
-@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
-
- mode_info->pitch = width * mode_info->bytes_per_pixel;
-
-- /* Calculate size needed for the data. */
-- size = (width * mode_info->bytes_per_pixel) * height;
-+ /* Calculate size needed for the data. */
-+ if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
-+ grub_mul (size, height, &size))
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+ goto fail;
-+ }
-
- (*bitmap)->data = grub_zalloc (size);
- if (! (*bitmap)->data)
-- {
-- grub_free (*bitmap);
-- *bitmap = 0;
--
-- return grub_errno;
-- }
-+ goto fail;
-
- return GRUB_ERR_NONE;
-+
-+ fail:
-+ grub_free (*bitmap);
-+ *bitmap = NULL;
-+
-+ return grub_errno;
- }
-
- /* Frees all resources allocated by bitmap. */
-diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
-index 61bd645..0157ff7 100644
---- a/grub-core/video/readers/png.c
-+++ b/grub-core/video/readers/png.c
-@@ -23,6 +23,7 @@
- #include <grub/mm.h>
- #include <grub/misc.h>
- #include <grub/bufio.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
- data->bpp <<= 1;
-
- data->color_bits = color_bits;
-- data->row_bytes = data->image_width * data->bpp;
-+
-+ if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+
- if (data->color_bits <= 4)
-- data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
-+ {
-+ if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+
-+ data->row_bytes >>= 3;
-+ }
-
- #ifndef GRUB_CPU_WORDS_BIGENDIAN
- if (data->is_16bit || data->is_gray || data->is_palette)
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch
deleted file mode 100644
index 329e554a68..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001
-From: Chris Coulson <chris.coulson@canonical.com>
-Date: Fri, 10 Jul 2020 14:41:45 +0100
-Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function
- during execution
-
-Defining a new function with the same name as a previously defined
-function causes the grub_script and associated resources for the
-previous function to be freed. If the previous function is currently
-executing when a function with the same name is defined, this results
-in use-after-frees when processing subsequent commands in the original
-function.
-
-Instead, reject a new function definition if it has the same name as
-a previously defined function, and that function is currently being
-executed. Although a behavioural change, this should be backwards
-compatible with existing configurations because they can't be
-dependent on the current behaviour without being broken.
-
-Fixes: CVE-2020-15706
-
-Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport
-CVE: CVE-2020-15706
-
-Reference to upstream patch:
-https://git.savannah.gnu.org/cgit/grub.git/commit/?id=426f57383d647406ae9c628c472059c27cd6e040
-
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- grub-core/script/execute.c | 2 ++
- grub-core/script/function.c | 16 +++++++++++++---
- grub-core/script/parser.y | 3 ++-
- include/grub/script_sh.h | 2 ++
- 4 files changed, 19 insertions(+), 4 deletions(-)
-
-diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
-index c8d6806..7e028e1 100644
---- a/grub-core/script/execute.c
-+++ b/grub-core/script/execute.c
-@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
- old_scope = scope;
- scope = &new_scope;
-
-+ func->executing++;
- ret = grub_script_execute (func->func);
-+ func->executing--;
-
- function_return = 0;
- active_loops = loops;
-diff --git a/grub-core/script/function.c b/grub-core/script/function.c
-index d36655e..3aad04b 100644
---- a/grub-core/script/function.c
-+++ b/grub-core/script/function.c
-@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
- func = (grub_script_function_t) grub_malloc (sizeof (*func));
- if (! func)
- return 0;
-+ func->executing = 0;
-
- func->name = grub_strdup (functionname_arg->str);
- if (! func->name)
-@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
- grub_script_function_t q;
-
- q = *p;
-- grub_script_free (q->func);
-- q->func = cmd;
- grub_free (func);
-- func = q;
-+ if (q->executing > 0)
-+ {
-+ grub_error (GRUB_ERR_BAD_ARGUMENT,
-+ N_("attempt to redefine a function being executed"));
-+ func = NULL;
-+ }
-+ else
-+ {
-+ grub_script_free (q->func);
-+ q->func = cmd;
-+ func = q;
-+ }
- }
- else
- {
-diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
-index 4f0ab83..f80b86b 100644
---- a/grub-core/script/parser.y
-+++ b/grub-core/script/parser.y
-@@ -289,7 +289,8 @@ function: "function" "name"
- grub_script_mem_free (state->func_mem);
- else {
- script->children = state->scripts;
-- grub_script_function_create ($2, script);
-+ if (!grub_script_function_create ($2, script))
-+ grub_script_free (script);
- }
-
- state->scripts = $<scripts>3;
-diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
-index b382bcf..6c48e07 100644
---- a/include/grub/script_sh.h
-+++ b/include/grub/script_sh.h
-@@ -361,6 +361,8 @@ struct grub_script_function
-
- /* The next element. */
- struct grub_script_function *next;
-+
-+ unsigned executing;
- };
- typedef struct grub_script_function *grub_script_function_t;
-
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch
deleted file mode 100644
index d4f9300c0a..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-From 68a09a74f6d726d79709847f3671c0a08e4fb5a0 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Sat, 25 Jul 2020 12:15:37 +0100
-Subject: [PATCH 9/9] linux: Fix integer overflows in initrd size handling
-
-These could be triggered by a crafted filesystem with very large files.
-
-Fixes: CVE-2020-15707
-
-Signed-off-by: Colin Watson <cjwatson@debian.org>
-Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport
-CVE: CVE-2020-15707
-
-Reference to upstream patch:
-https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e7b8856f8be3292afdb38d2e8c70ad8d62a61e10
-
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
- 1 file changed, 54 insertions(+), 20 deletions(-)
-
-diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
-index 471b214..8c8565a 100644
---- a/grub-core/loader/linux.c
-+++ b/grub-core/loader/linux.c
-@@ -4,6 +4,7 @@
- #include <grub/misc.h>
- #include <grub/file.h>
- #include <grub/mm.h>
-+#include <grub/safemath.h>
-
- struct newc_head
- {
-@@ -98,13 +99,13 @@ free_dir (struct dir *root)
- grub_free (root);
- }
-
--static grub_size_t
-+static grub_err_t
- insert_dir (const char *name, struct dir **root,
-- grub_uint8_t *ptr)
-+ grub_uint8_t *ptr, grub_size_t *size)
- {
- struct dir *cur, **head = root;
- const char *cb, *ce = name;
-- grub_size_t size = 0;
-+ *size = 0;
- while (1)
- {
- for (cb = ce; *cb == '/'; cb++);
-@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
- ptr = make_header (ptr, name, ce - name,
- 040777, 0);
- }
-- size += ALIGN_UP ((ce - (char *) name)
-- + sizeof (struct newc_head), 4);
-+ if (grub_add (*size,
-+ ALIGN_UP ((ce - (char *) name)
-+ + sizeof (struct newc_head), 4),
-+ size))
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+ grub_free (n->name);
-+ grub_free (n);
-+ return grub_errno;
-+ }
- *head = n;
- cur = n;
- }
- root = &cur->next;
- }
-- return size;
-+ return GRUB_ERR_NONE;
- }
-
- grub_err_t
-@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
- eptr = grub_strchr (ptr, ':');
- if (eptr)
- {
-+ grub_size_t dir_size, name_len;
-+
- initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
-- if (!initrd_ctx->components[i].newc_name)
-+ if (!initrd_ctx->components[i].newc_name ||
-+ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
-+ &dir_size))
- {
- grub_initrd_close (initrd_ctx);
- return grub_errno;
- }
-- initrd_ctx->size
-- += ALIGN_UP (sizeof (struct newc_head)
-- + grub_strlen (initrd_ctx->components[i].newc_name),
-- 4);
-- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
-- &root, 0);
-+ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
-+ if (grub_add (initrd_ctx->size,
-+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
-+ &initrd_ctx->size) ||
-+ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
-+ goto overflow;
- newc = 1;
- fname = eptr + 1;
- }
- }
- else if (newc)
- {
-- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
-- + sizeof ("TRAILER!!!") - 1, 4);
-+ if (grub_add (initrd_ctx->size,
-+ ALIGN_UP (sizeof (struct newc_head)
-+ + sizeof ("TRAILER!!!") - 1, 4),
-+ &initrd_ctx->size))
-+ goto overflow;
- free_dir (root);
- root = 0;
- newc = 0;
-@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
- initrd_ctx->nfiles++;
- initrd_ctx->components[i].size
- = grub_file_size (initrd_ctx->components[i].file);
-- initrd_ctx->size += initrd_ctx->components[i].size;
-+ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
-+ &initrd_ctx->size))
-+ goto overflow;
- }
-
- if (newc)
- {
- initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
-- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
-- + sizeof ("TRAILER!!!") - 1, 4);
-+ if (grub_add (initrd_ctx->size,
-+ ALIGN_UP (sizeof (struct newc_head)
-+ + sizeof ("TRAILER!!!") - 1, 4),
-+ &initrd_ctx->size))
-+ goto overflow;
- free_dir (root);
- root = 0;
- }
-
- return GRUB_ERR_NONE;
-+
-+ overflow:
-+ free_dir (root);
-+ grub_initrd_close (initrd_ctx);
-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
- }
-
- grub_size_t
-@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
-
- if (initrd_ctx->components[i].newc_name)
- {
-- ptr += insert_dir (initrd_ctx->components[i].newc_name,
-- &root, ptr);
-+ grub_size_t dir_size;
-+
-+ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
-+ &dir_size))
-+ {
-+ free_dir (root);
-+ grub_initrd_close (initrd_ctx);
-+ return grub_errno;
-+ }
-+ ptr += dir_size;
- ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
- grub_strlen (initrd_ctx->components[i].newc_name),
- 0100777,
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
new file mode 100644
index 0000000000..7f7bb1acfe
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
@@ -0,0 +1,179 @@
+From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 18:51:35 +1000
+Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap
+ out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+ for (i = 0; i < (data->image_width * data->image_height);
+ i++, d1 += 4, d2 += 2)
+ {
+ d1[R3] = d2[1];
+ d1[G3] = d2[1];
+ d1[B3] = d2[1];
+ }
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3695
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e623866d9286410156e8b9d2c82d6253a1b22d08
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/readers/png.c | 87 +++--------------------------------
+ 1 file changed, 7 insertions(+), 80 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 35ae553c8..a3161e25b 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+
+ unsigned image_width, image_height;
+ int bpp, is_16bit;
+- int raw_bytes, is_gray, is_alpha, is_palette;
++ int raw_bytes, is_alpha, is_palette;
+ int row_bytes, color_bits;
+ grub_uint8_t *image_data;
+
+@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp = 3;
+ else
+ {
+- data->is_gray = 1;
+- data->bpp = 1;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: color type not supported");
+ }
+
+ if ((color_bits != 8) && (color_bits != 16)
+ && (color_bits != 4
+- || !(data->is_gray || data->is_palette)))
++ || !data->is_palette))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: bit depth must be 8 or 16");
+
+@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+- if (data->is_16bit || data->is_gray || data->is_palette)
++ if (data->is_16bit || data->is_palette)
+ #endif
+ {
+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
+ int shift;
+ int mask = (1 << data->color_bits) - 1;
+ unsigned j;
+- if (data->is_gray)
+- {
+- /* Generic formula is
+- (0xff * i) / ((1U << data->color_bits) - 1)
+- but for allowed bit depth of 1, 2 and for it's
+- equivalent to
+- (0xff / ((1U << data->color_bits) - 1)) * i
+- Precompute the multipliers to avoid division.
+- */
+-
+- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = multipliers[data->color_bits] * i;
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
+- }
+- else
+- grub_memcpy (palette, data->palette, 3 << data->color_bits);
++
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+ d1c = d1;
+ d2c = d2;
+ for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -957,60 +938,6 @@ grub_png_convert_image (struct grub_png_data *data)
+ return;
+ }
+
+- if (data->is_gray)
+- {
+- switch (data->bpp)
+- {
+- case 4:
+- /* 16-bit gray with alpha. */
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 4)
+- {
+- d1[R4] = d2[3];
+- d1[G4] = d2[3];
+- d1[B4] = d2[3];
+- d1[A4] = d2[1];
+- }
+- break;
+- case 2:
+- if (data->is_16bit)
+- /* 16-bit gray without alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R3] = d2[1];
+- d1[G3] = d2[1];
+- d1[B3] = d2[1];
+- }
+- }
+- else
+- /* 8-bit gray with alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R4] = d2[1];
+- d1[G4] = d2[1];
+- d1[B4] = d2[1];
+- d1[A4] = d2[0];
+- }
+- }
+- break;
+- /* 8-bit gray without alpha. */
+- case 1:
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 3, d2++)
+- {
+- d1[R3] = d2[0];
+- d1[G3] = d2[0];
+- d1[B3] = d2[0];
+- }
+- break;
+- }
+- return;
+- }
+-
+ {
+ /* Only copy the upper 8 bit. */
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
new file mode 100644
index 0000000000..f06514e665
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
@@ -0,0 +1,50 @@
+From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 23:25:07 +1000
+Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
+ items
+
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+
+Catch the case where we would underflow the array and bail.
+
+Fixes: CVE-2021-3696
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3696
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index a3161e25b..d7ed5aa6c 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+ for (i = len; i < ht->max_length; i++)
+ n += ht->maxval[i];
+
++ if (n > ht->num_values)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: out of range inserting huffman table item");
++ return;
++ }
++
+ for (i = 0; i < n; i++)
+ ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch
new file mode 100644
index 0000000000..e9fc52df86
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch
@@ -0,0 +1,84 @@
+From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 7 Jul 2021 15:38:19 +1000
+Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
+
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+
+for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+
+We did not check if vb * width >= hb * nc1.
+
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+
+0x6180_0000_0480 to
+0x6181_0000_0498
+ ^
+ ~--- carry has occurred and this pointer is now far away from
+ any object.
+
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+
+Catch the underflow and error out.
+
+Fixes: CVE-2021-3697
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3697
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/readers/jpeg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 579bbe8a4..09596fbf5 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -699,6 +700,7 @@ static grub_err_t
+ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+ unsigned c1, vb, hb, nr1, nc1;
++ unsigned stride_a, stride_b, stride;
+ int rst = data->dri;
+ grub_err_t err = GRUB_ERR_NONE;
+
+@@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: attempted to decode data before start of stream");
+
++ if (grub_mul(vb, data->image_width, &stride_a) ||
++ grub_mul(hb, nc1, &stride_b) ||
++ grub_sub(stride_a, stride_b, &stride))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: cannot decode image with these dimensions");
++
+ for (; data->r1 < nr1 && (!data->dri || rst);
+- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
++ data->r1++, data->bitmap_ptr += stride * 3)
+ for (c1 = 0; c1 < nc1 && (!data->dri || rst);
+ c1++, rst--, data->bitmap_ptr += hb * 3)
+ {
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
new file mode 100644
index 0000000000..dae26fd8bb
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
@@ -0,0 +1,49 @@
+From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
+
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+configuration by grub-mkconfig) has inadvertently discarded umask for
+creating grub.cfg in the process of running grub-mkconfig. The resulting
+wrong permission (0644) would allow unprivileged users to read GRUB
+configuration file content. This presents a low confidentiality risk
+as grub.cfg may contain non-secured plain-text passwords.
+
+This patch restores the missing umask and sets the creation file mode
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3981
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ util/grub-mkconfig.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
++ oldumask=$(umask)
++ umask 077
+ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
+ rm -f ${grub_cfg}.new
+ fi
+ fi
+--
+2.31.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
new file mode 100644
index 0000000000..727c509694
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,85 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 876b5b6..0ff5525 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ struct grub_video_signed_rect bounds;
+ static struct grub_font_glyph *glyph = 0;
+ static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ ensure_comb_space (glyph_id);
+
+@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ if (!glyph_id->ncomb && !glyph_id->attributes)
+ return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+ {
+ grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+ }
+ if (!glyph)
+ {
++ max_glyph_size = 0;
+ grub_errno = GRUB_ERR_NONE;
+ return main_glyph;
+ }
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+ glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+ if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+ grub_font_blit_glyph_mirror (glyph, main_glyph,
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
new file mode 100644
index 0000000000..8bf9090f94
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
@@ -0,0 +1,63 @@
+From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Dec 2021 19:41:21 +1100
+Subject: [PATCH] net/ip: Do IP fragment maths safely
+
+We can receive packets with invalid IP fragmentation information. This
+can lead to rsm->total_len underflowing and becoming very large.
+
+Then, in grub_netbuff_alloc(), we add to this very large number, which can
+cause it to overflow and wrap back around to a small positive number.
+The allocation then succeeds, but the resulting buffer is too small and
+subsequent operations can write past the end of the buffer.
+
+Catch the underflow here.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2022-28733
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index e3d62e97f..3c3d0be0e 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
++#include <grub/safemath.h>
+ #include <grub/time.h>
+
+ struct iphdr {
+@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+ {
+ rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ + (nb->tail - nb->data));
+- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++ &rsm->total_len))
++ {
++ grub_dprintf ("net", "IP reassembly size underflow\n");
++ return GRUB_ERR_NONE;
++ }
++
+ rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+ if (!rsm->asm_netbuff)
+ {
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch
new file mode 100644
index 0000000000..f31167d315
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch
@@ -0,0 +1,58 @@
+From b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 19:04:40 +1100
+Subject: [PATCH] net/http: Error out on headers with LF without CR
+
+In a similar vein to the previous patch, parse_line() would write
+a NUL byte past the end of the buffer if there was an HTTP header
+with a LF rather than a CRLF.
+
+RFC-2616 says:
+
+ Many HTTP/1.1 header field values consist of words separated by LWS
+ or special characters. These special characters MUST be in a quoted
+ string to be used within a parameter value (as defined in section 3.6).
+
+We don't support quoted sections or continuation lines, etc.
+
+If we see an LF that's not part of a CRLF, bail out.
+
+Fixes: CVE-2022-28734
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2022-28734
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/net/http.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 33a0a28c4..9291a13e2 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ char *end = ptr + len;
+ while (end > ptr && *(end - 1) == '\r')
+ end--;
++
++ /* LF without CR. */
++ if (end == ptr + len)
++ {
++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++ return GRUB_ERR_NONE;
++ }
+ *end = 0;
++
+ /* Trailing CRLF. */
+ if (data->in_chunk_len == 1)
+ {
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch
new file mode 100644
index 0000000000..e0ca1eec44
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch
@@ -0,0 +1,56 @@
+From ec6bfd3237394c1c7dbf2fd73417173318d22f4b Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 18:17:03 +1100
+Subject: [PATCH] net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2022-28734
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ec6bfd3237394c1c7dbf2fd73417173318d22f4b
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/net/http.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index f8d7bf0cd..33a0a28c4 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+ int have_line = 1;
+ char *t;
+ ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+- if (ptr)
+- ptr++;
+- else
++ if (ptr == NULL)
+ {
+ have_line = 0;
+ ptr = (char *) nb->tail;
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch b/meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
new file mode 100644
index 0000000000..7a59f10bfb
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
@@ -0,0 +1,111 @@
+From 6fe755c5c07bb386fda58306bfd19e4a1c974c53 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Thu, 2 Dec 2021 15:03:53 +0100
+Subject: [PATCH] kern/efi/sb: Reject non-kernel files in the shim_lock
+ verifier
+
+We must not allow other verifiers to pass things like the GRUB modules.
+Instead of maintaining a blocklist, maintain an allowlist of things
+that we do not care about.
+
+This allowlist really should be made reusable, and shared by the
+lockdown verifier, but this is the minimal patch addressing
+security concerns where the TPM verifier was able to mark modules
+as verified (or the OpenPGP verifier for that matter), when it
+should not do so on shim-powered secure boot systems.
+
+Fixes: CVE-2022-28735
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE:CVE-2022-28735
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/kern/efi/sb.c | 39 ++++++++++++++++++++++++++++++++++++---
+ include/grub/verify.h | 1 +
+ 2 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+index c52ec6226..89c4bb3fd 100644
+--- a/grub-core/kern/efi/sb.c
++++ b/grub-core/kern/efi/sb.c
+@@ -119,10 +119,11 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+ void **context __attribute__ ((unused)),
+ enum grub_verify_flags *flags)
+ {
+- *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++ *flags = GRUB_VERIFY_FLAGS_NONE;
+
+ switch (type & GRUB_FILE_TYPE_MASK)
+ {
++ /* Files we check. */
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
+ case GRUB_FILE_TYPE_BSD_KERNEL:
+@@ -130,11 +131,43 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
++ return GRUB_ERR_NONE;
+
+- /* Fall through. */
++ /* Files that do not affect secureboot state. */
++ case GRUB_FILE_TYPE_NONE:
++ case GRUB_FILE_TYPE_LOOPBACK:
++ case GRUB_FILE_TYPE_LINUX_INITRD:
++ case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
++ case GRUB_FILE_TYPE_XNU_RAMDISK:
++ case GRUB_FILE_TYPE_SIGNATURE:
++ case GRUB_FILE_TYPE_PUBLIC_KEY:
++ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
++ case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
++ case GRUB_FILE_TYPE_TESTLOAD:
++ case GRUB_FILE_TYPE_GET_SIZE:
++ case GRUB_FILE_TYPE_FONT:
++ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
++ case GRUB_FILE_TYPE_CAT:
++ case GRUB_FILE_TYPE_HEXCAT:
++ case GRUB_FILE_TYPE_CMP:
++ case GRUB_FILE_TYPE_HASHLIST:
++ case GRUB_FILE_TYPE_TO_HASH:
++ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
++ case GRUB_FILE_TYPE_PIXMAP:
++ case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
++ case GRUB_FILE_TYPE_CONFIG:
++ case GRUB_FILE_TYPE_THEME:
++ case GRUB_FILE_TYPE_GETTEXT_CATALOG:
++ case GRUB_FILE_TYPE_FS_SEARCH:
++ case GRUB_FILE_TYPE_LOADENV:
++ case GRUB_FILE_TYPE_SAVEENV:
++ case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++ return GRUB_ERR_NONE;
+
++ /* Other files. */
+ default:
+- return GRUB_ERR_NONE;
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
+ }
+ }
+
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index cd129c398..672ae1692 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -24,6 +24,7 @@
+
+ enum grub_verify_flags
+ {
++ GRUB_VERIFY_FLAGS_NONE = 0,
+ GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
+ GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
+ /* Defer verification to another authority. */
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch b/meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch
new file mode 100644
index 0000000000..5741e53f42
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch
@@ -0,0 +1,86 @@
+From 04c86e0bb7b58fc2f913f798cdb18934933e532d Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 5 Apr 2022 11:48:58 +0100
+Subject: [PATCH] loader/efi/chainloader: Use grub_loader_set_ex()
+
+This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
+a use-after-free bug that occurs when grub_cmd_chainloader() is executed
+more than once before a boot attempt is performed.
+
+Fixes: CVE-2022-28736
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2022-28736
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=04c86e0bb7b58fc2f913f798cdb18934933e532d
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ grub-core/loader/efi/chainloader.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index d1602c89b..7557eb269 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,11 +44,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ static grub_dl_t my_mod;
+
+-static grub_efi_handle_t image_handle;
+-
+ static grub_err_t
+-grub_chainloader_unload (void)
++grub_chainloader_unload (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+ grub_efi_loaded_image_t *loaded_image;
+ grub_efi_boot_services_t *b;
+
+@@ -64,8 +63,9 @@ grub_chainloader_unload (void)
+ }
+
+ static grub_err_t
+-grub_chainloader_boot (void)
++grub_chainloader_boot (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+ grub_efi_boot_services_t *b;
+ grub_efi_status_t status;
+ grub_efi_uintn_t exit_data_size;
+@@ -225,6 +225,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_physical_address_t address = 0;
+ grub_efi_uintn_t pages = 0;
+ grub_efi_char16_t *cmdline = NULL;
++ grub_efi_handle_t image_handle = NULL;
+
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -405,7 +406,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ efi_call_2 (b->free_pages, address, pages);
+ grub_free (file_path);
+
+- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
++ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
+ return 0;
+
+ fail:
+@@ -423,10 +424,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ efi_call_2 (b->free_pages, address, pages);
+
+ if (image_handle != NULL)
+- {
+- efi_call_1 (b->unload_image, image_handle);
+- image_handle = NULL;
+- }
++ efi_call_1 (b->unload_image, image_handle);
+
+ grub_dl_unref (my_mod);
+
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
new file mode 100644
index 0000000000..853efd0486
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,95 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 0ff5525..7b1cbde 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1206,12 +1206,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ ctx.bounds.height = main_glyph->height;
+
+ above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+ above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+ below_righty = ctx.bounds.y;
+
+ comb = grub_unicode_get_comb (glyph_id);
+@@ -1224,7 +1224,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ if (!combining_glyphs[i])
+ continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ /* CGJ is to avoid diacritics reordering. */
+ if (comb[i].code
+ == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1234,8 +1234,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ case GRUB_UNICODE_COMB_OVERLAY:
+ do_blit (combining_glyphs[i],
+ targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+ break;
+@@ -1308,7 +1308,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ /* Fallthrough. */
+ case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
+ + combining_glyphs[i]->height), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+@@ -1316,7 +1316,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ + combining_glyphs[i]->height / 2), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
diff --git a/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch b/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
index faa7fde232..1323a54a59 100644
--- a/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
+++ b/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
@@ -1,6 +1,6 @@
-From 72c30928d3d461e0e2d20c5ff33bd96b6991d585 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Sat, 25 Jan 2014 23:49:44 -0500
+From 8790aa8bea736f52341a0430ff3e317d3be0f99b Mon Sep 17 00:00:00 2001
+From: Naveen Saini <naveen.kumar.saini@intel.com>
+Date: Mon, 15 Mar 2021 14:44:15 +0800
Subject: [PATCH] autogen.sh: exclude .pc from po/POTFILES.in
Exclude the .pc from po/POTFILES.in since quilt uses "patch --backup",
@@ -13,23 +13,24 @@ Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
---
autogen.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/autogen.sh b/autogen.sh
-index ef43270..a7067a7 100755
+index 31b0ced7e..c63ae766c 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -13,7 +13,7 @@ fi
export LC_COLLATE=C
unset LC_ALL
--find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -iname './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
-+find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -iname './grub-core/lib/gnulib/*' ! -path './.pc/*' |sort > po/POTFILES.in
+-find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
++find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' ! -path './.pc/*' |sort > po/POTFILES.in
find util -iname '*.in' ! -name Makefile.in |sort > po/POTFILES-shell.in
echo "Importing unicode..."
--
-2.7.4
+2.17.1
diff --git a/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch b/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch
deleted file mode 100644
index c9536e68ef..0000000000
--- a/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch
+++ /dev/null
@@ -1,246 +0,0 @@
-From c005f62f5c4b26a77b916c8f76a852324439ecb3 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 15 Jun 2020 12:15:29 -0400
-Subject: [PATCH 2/9] calloc: Make sure we always have an overflow-checking
- calloc() available
-
-This tries to make sure that everywhere in this source tree, we always have
-an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
-available, and that they all safely check for overflow and return NULL when
-it would occur.
-
-Upstream-Status: Backport [commit 64e26162ebfe68317c143ca5ec996c892019f8f8
-from https://git.savannah.gnu.org/git/grub.git]
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- grub-core/kern/emu/misc.c | 12 ++++++++++++
- grub-core/kern/emu/mm.c | 10 ++++++++++
- grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++
- grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
- grub-core/lib/posix_wrap/stdlib.h | 8 +++++++-
- include/grub/emu/misc.h | 1 +
- include/grub/mm.h | 6 ++++++
- 7 files changed, 85 insertions(+), 3 deletions(-)
-
-diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
-index 65db79b..dfd8a8e 100644
---- a/grub-core/kern/emu/misc.c
-+++ b/grub-core/kern/emu/misc.c
-@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...)
- exit (1);
- }
-
-+void *
-+xcalloc (grub_size_t nmemb, grub_size_t size)
-+{
-+ void *p;
-+
-+ p = calloc (nmemb, size);
-+ if (!p)
-+ grub_util_error ("%s", _("out of memory"));
-+
-+ return p;
-+}
-+
- void *
- xmalloc (grub_size_t size)
- {
-diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
-index f262e95..145b01d 100644
---- a/grub-core/kern/emu/mm.c
-+++ b/grub-core/kern/emu/mm.c
-@@ -25,6 +25,16 @@
- #include <string.h>
- #include <grub/i18n.h>
-
-+void *
-+grub_calloc (grub_size_t nmemb, grub_size_t size)
-+{
-+ void *ret;
-+ ret = calloc (nmemb, size);
-+ if (!ret)
-+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
-+ return ret;
-+}
-+
- void *
- grub_malloc (grub_size_t size)
- {
-diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
-index ee88ff6..f2822a8 100644
---- a/grub-core/kern/mm.c
-+++ b/grub-core/kern/mm.c
-@@ -67,8 +67,10 @@
- #include <grub/dl.h>
- #include <grub/i18n.h>
- #include <grub/mm_private.h>
-+#include <grub/safemath.h>
-
- #ifdef MM_DEBUG
-+# undef grub_calloc
- # undef grub_malloc
- # undef grub_zalloc
- # undef grub_realloc
-@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
- return 0;
- }
-
-+/*
-+ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
-+ * integer overflow.
-+ */
-+void *
-+grub_calloc (grub_size_t nmemb, grub_size_t size)
-+{
-+ void *ret;
-+ grub_size_t sz = 0;
-+
-+ if (grub_mul (nmemb, size, &sz))
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+ return NULL;
-+ }
-+
-+ ret = grub_memalign (0, sz);
-+ if (!ret)
-+ return NULL;
-+
-+ grub_memset (ret, 0, sz);
-+ return ret;
-+}
-+
- /* Allocate SIZE bytes and return the pointer. */
- void *
- grub_malloc (grub_size_t size)
-@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno)
- grub_printf ("\n");
- }
-
-+void *
-+grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
-+{
-+ void *ptr;
-+
-+ if (grub_mm_debug)
-+ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
-+ file, line, size);
-+ ptr = grub_calloc (nmemb, size);
-+ if (grub_mm_debug)
-+ grub_printf ("%p\n", ptr);
-+ return ptr;
-+}
-+
- void *
- grub_debug_malloc (const char *file, int line, grub_size_t size)
- {
-diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
-index beeb661..74c6eaf 100644
---- a/grub-core/lib/libgcrypt_wrap/mem.c
-+++ b/grub-core/lib/libgcrypt_wrap/mem.c
-@@ -4,6 +4,7 @@
- #include <grub/crypto.h>
- #include <grub/dl.h>
- #include <grub/env.h>
-+#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -36,7 +37,10 @@ void *
- gcry_xcalloc (size_t n, size_t m)
- {
- void *ret;
-- ret = grub_zalloc (n * m);
-+ size_t sz;
-+ if (grub_mul (n, m, &sz))
-+ grub_fatal ("gcry_xcalloc would overflow");
-+ ret = grub_zalloc (sz);
- if (!ret)
- grub_fatal ("gcry_xcalloc failed");
- return ret;
-@@ -56,7 +60,10 @@ void *
- gcry_xcalloc_secure (size_t n, size_t m)
- {
- void *ret;
-- ret = grub_zalloc (n * m);
-+ size_t sz;
-+ if (grub_mul (n, m, &sz))
-+ grub_fatal ("gcry_xcalloc would overflow");
-+ ret = grub_zalloc (sz);
- if (!ret)
- grub_fatal ("gcry_xcalloc failed");
- return ret;
-diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
-index 3b46f47..7a8d385 100644
---- a/grub-core/lib/posix_wrap/stdlib.h
-+++ b/grub-core/lib/posix_wrap/stdlib.h
-@@ -21,6 +21,7 @@
-
- #include <grub/mm.h>
- #include <grub/misc.h>
-+#include <grub/safemath.h>
-
- static inline void
- free (void *ptr)
-@@ -37,7 +38,12 @@ malloc (grub_size_t size)
- static inline void *
- calloc (grub_size_t size, grub_size_t nelem)
- {
-- return grub_zalloc (size * nelem);
-+ grub_size_t sz;
-+
-+ if (grub_mul (size, nelem, &sz))
-+ return NULL;
-+
-+ return grub_zalloc (sz);
- }
-
- static inline void *
-diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
-index ce464cf..ff9c48a 100644
---- a/include/grub/emu/misc.h
-+++ b/include/grub/emu/misc.h
-@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
- #define GRUB_HOST_PRIuLONG_LONG "llu"
- #define GRUB_HOST_PRIxLONG_LONG "llx"
-
-+void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
- void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
- void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
- char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
-diff --git a/include/grub/mm.h b/include/grub/mm.h
-index 28e2e53..9c38dd3 100644
---- a/include/grub/mm.h
-+++ b/include/grub/mm.h
-@@ -29,6 +29,7 @@
- #endif
-
- void grub_mm_init_region (void *addr, grub_size_t size);
-+void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
- void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
- void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
- void EXPORT_FUNC(grub_free) (void *ptr);
-@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
- void grub_mm_dump_free (void);
- void grub_mm_dump (unsigned lineno);
-
-+#define grub_calloc(nmemb, size) \
-+ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
-+
- #define grub_malloc(size) \
- grub_debug_malloc (GRUB_FILE, __LINE__, size)
-
-@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
- #define grub_free(ptr) \
- grub_debug_free (GRUB_FILE, __LINE__, ptr)
-
-+void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
-+ grub_size_t nmemb, grub_size_t size);
- void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
- grub_size_t size);
- void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch b/meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch
new file mode 100644
index 0000000000..a2c0530f04
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch
@@ -0,0 +1,168 @@
+From 14ceb3b3ff6db664649138442b6562c114dcf56e Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 5 Apr 2022 10:58:28 +0100
+Subject: [PATCH] commands/boot: Add API to pass context to loader
+
+Loaders rely on global variables for saving context which is consumed
+in the boot hook and freed in the unload hook. In the case where a loader
+command is executed twice, calling grub_loader_set() a second time executes
+the unload hook, but in some cases this runs when the loader's global
+context has already been updated, resulting in the updated context being
+freed and potential use-after-free bugs when the boot hook is subsequently
+called.
+
+This adds a new API, grub_loader_set_ex(), which allows a loader to specify
+context that is passed to its boot and unload hooks. This is an alternative
+to requiring that loaders call grub_loader_unset() before mutating their
+global context.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=14ceb3b3ff6db664649138442b6562c114dcf56e
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++++++++++-----
+ include/grub/loader.h | 5 +++
+ 2 files changed, 63 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
+index bbca81e94..61514788e 100644
+--- a/grub-core/commands/boot.c
++++ b/grub-core/commands/boot.c
+@@ -27,10 +27,20 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+-static grub_err_t (*grub_loader_boot_func) (void);
+-static grub_err_t (*grub_loader_unload_func) (void);
++static grub_err_t (*grub_loader_boot_func) (void *context);
++static grub_err_t (*grub_loader_unload_func) (void *context);
++static void *grub_loader_context;
+ static int grub_loader_flags;
+
++struct grub_simple_loader_hooks
++{
++ grub_err_t (*boot) (void);
++ grub_err_t (*unload) (void);
++};
++
++/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
++static struct grub_simple_loader_hooks simple_loader_hooks;
++
+ struct grub_preboot
+ {
+ grub_err_t (*preboot_func) (int);
+@@ -44,6 +54,29 @@ static int grub_loader_loaded;
+ static struct grub_preboot *preboots_head = 0,
+ *preboots_tail = 0;
+
++static grub_err_t
++grub_simple_boot_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++ return hooks->boot ();
++}
++
++static grub_err_t
++grub_simple_unload_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++ grub_err_t ret;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++
++ ret = hooks->unload ();
++ grub_memset (hooks, 0, sizeof (*hooks));
++
++ return ret;
++}
++
+ int
+ grub_loader_is_loaded (void)
+ {
+@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
+ }
+
+ void
+-grub_loader_set (grub_err_t (*boot) (void),
+- grub_err_t (*unload) (void),
+- int flags)
++grub_loader_set_ex (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = boot;
+ grub_loader_unload_func = unload;
++ grub_loader_context = context;
+ grub_loader_flags = flags;
+
+ grub_loader_loaded = 1;
+ }
+
++void
++grub_loader_set (grub_err_t (*boot) (void),
++ grub_err_t (*unload) (void),
++ int flags)
++{
++ grub_loader_set_ex (grub_simple_boot_hook,
++ grub_simple_unload_hook,
++ &simple_loader_hooks,
++ flags);
++
++ simple_loader_hooks.boot = boot;
++ simple_loader_hooks.unload = unload;
++}
++
+ void
+ grub_loader_unset(void)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = 0;
+ grub_loader_unload_func = 0;
++ grub_loader_context = 0;
+
+ grub_loader_loaded = 0;
+ }
+@@ -158,7 +208,7 @@ grub_loader_boot (void)
+ return err;
+ }
+ }
+- err = (grub_loader_boot_func) ();
++ err = (grub_loader_boot_func) (grub_loader_context);
+
+ for (cur = preboots_tail; cur; cur = cur->prev)
+ if (! err)
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index b20864282..97f231054 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -40,6 +40,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+ grub_err_t (*unload) (void),
+ int flags);
+
++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags);
++
+ /* Unset current loader, if any. */
+ void EXPORT_FUNC (grub_loader_unset) (void);
+
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/determinism.patch b/meta/recipes-bsp/grub/files/determinism.patch
index 3c1f562c71..2828e80975 100644
--- a/meta/recipes-bsp/grub/files/determinism.patch
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -1,6 +1,9 @@
-The output in moddep.lst generated from syminfo.lst using genmoddep.awk is
-not deterministic since the order of the dependencies on each line can vary
-depending on how awk sorts the values in the array.
+From b6f9b3f6fa782807c4a7ec16ee8ef868cdfbf468 Mon Sep 17 00:00:00 2001
+From: Naveen Saini <naveen.kumar.saini@intel.com>
+Date: Mon, 15 Mar 2021 14:56:18 +0800
+Subject: [PATCH] The output in moddep.lst generated from syminfo.lst using
+ genmoddep.awk is not deterministic since the order of the dependencies on
+ each line can vary depending on how awk sorts the values in the array.
Be deterministic in the output by sorting the dependencies on each line.
@@ -13,11 +16,29 @@ keys of the dict.
Upstream-Status: Pending
Richard Purdie <richard.purdie@linuxfoundation.org>
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
+---
+ gentpl.py | 1 +
+ grub-core/genmoddep.awk | 4 +++-
+ util/import_unicode.py | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
-Index: grub-2.04/grub-core/genmoddep.awk
-===================================================================
---- grub-2.04.orig/grub-core/genmoddep.awk
-+++ grub-2.04/grub-core/genmoddep.awk
+diff --git a/gentpl.py b/gentpl.py
+index c86550d4f..589285192 100644
+--- a/gentpl.py
++++ b/gentpl.py
+@@ -568,6 +568,7 @@ def foreach_platform_value(defn, platform, suffix, closure):
+ for group in RMAP[platform]:
+ for value in defn.find_all(group + suffix):
+ r.append(closure(value))
++ r.sort()
+ return ''.join(r)
+
+ def platform_conditional(platform, closure):
+diff --git a/grub-core/genmoddep.awk b/grub-core/genmoddep.awk
+index 04c2863e5..247436392 100644
+--- a/grub-core/genmoddep.awk
++++ b/grub-core/genmoddep.awk
@@ -59,7 +59,9 @@ END {
}
modlist = ""
@@ -29,22 +50,10 @@ Index: grub-2.04/grub-core/genmoddep.awk
modlist = modlist " " depmod;
inverse_dependencies[depmod] = inverse_dependencies[depmod] " " mod
depcount[mod]++
-Index: grub-2.04/gentpl.py
-===================================================================
---- grub-2.04.orig/gentpl.py
-+++ grub-2.04/gentpl.py
-@@ -568,6 +568,7 @@ def foreach_platform_value(defn, platfor
- for group in RMAP[platform]:
- for value in defn.find_all(group + suffix):
- r.append(closure(value))
-+ r.sort()
- return ''.join(r)
-
- def platform_conditional(platform, closure):
-Index: grub-2.04/util/import_unicode.py
-===================================================================
---- grub-2.04.orig/util/import_unicode.py
-+++ grub-2.04/util/import_unicode.py
+diff --git a/util/import_unicode.py b/util/import_unicode.py
+index 08f80591e..1f434a069 100644
+--- a/util/import_unicode.py
++++ b/util/import_unicode.py
@@ -174,7 +174,7 @@ infile.close ()
outfile.write ("struct grub_unicode_arabic_shape grub_unicode_arabic_shapes[] = {\n ")
@@ -54,3 +63,6 @@ Index: grub-2.04/util/import_unicode.py
try:
if arabicsubst[x]['join'] == "DUAL":
outfile.write ("{0x%x, 0x%x, 0x%x, 0x%x, 0x%x},\n " % (arabicsubst[x][0], arabicsubst[x][1], arabicsubst[x][2], arabicsubst[x][3], arabicsubst[x][4]))
+--
+2.17.1
+
diff --git a/meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch b/meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch
new file mode 100644
index 0000000000..a43025d425
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch
@@ -0,0 +1,129 @@
+From 1469983ebb9674753ad333d37087fb8cb20e1dce Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 5 Apr 2022 10:02:04 +0100
+Subject: [PATCH] loader/efi/chainloader: Simplify the loader state
+
+The chainloader command retains the source buffer and device path passed
+to LoadImage(), requiring the unload hook passed to grub_loader_set() to
+free them. It isn't required to retain this state though - they aren't
+required by StartImage() or anything else in the boot hook, so clean them
+up before grub_cmd_chainloader() finishes.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1469983ebb9674753ad333d37087fb8cb20e1dce
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ grub-core/loader/efi/chainloader.c | 38 +++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index 2bd80f4db..d1602c89b 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,25 +44,20 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ static grub_dl_t my_mod;
+
+-static grub_efi_physical_address_t address;
+-static grub_efi_uintn_t pages;
+-static grub_efi_device_path_t *file_path;
+ static grub_efi_handle_t image_handle;
+-static grub_efi_char16_t *cmdline;
+
+ static grub_err_t
+ grub_chainloader_unload (void)
+ {
++ grub_efi_loaded_image_t *loaded_image;
+ grub_efi_boot_services_t *b;
+
++ loaded_image = grub_efi_get_loaded_image (image_handle);
++ if (loaded_image != NULL)
++ grub_free (loaded_image->load_options);
++
+ b = grub_efi_system_table->boot_services;
+ efi_call_1 (b->unload_image, image_handle);
+- efi_call_2 (b->free_pages, address, pages);
+-
+- grub_free (file_path);
+- grub_free (cmdline);
+- cmdline = 0;
+- file_path = 0;
+
+ grub_dl_unref (my_mod);
+ return GRUB_ERR_NONE;
+@@ -140,7 +135,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+ char *dir_start;
+ char *dir_end;
+ grub_size_t size;
+- grub_efi_device_path_t *d;
++ grub_efi_device_path_t *d, *file_path;
+
+ dir_start = grub_strchr (filename, ')');
+ if (! dir_start)
+@@ -222,11 +217,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_status_t status;
+ grub_efi_boot_services_t *b;
+ grub_device_t dev = 0;
+- grub_efi_device_path_t *dp = 0;
++ grub_efi_device_path_t *dp = NULL, *file_path = NULL;
+ grub_efi_loaded_image_t *loaded_image;
+ char *filename;
+ void *boot_image = 0;
+ grub_efi_handle_t dev_handle = 0;
++ grub_efi_physical_address_t address = 0;
++ grub_efi_uintn_t pages = 0;
++ grub_efi_char16_t *cmdline = NULL;
+
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -234,11 +232,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+
+ grub_dl_ref (my_mod);
+
+- /* Initialize some global variables. */
+- address = 0;
+- image_handle = 0;
+- file_path = 0;
+-
+ b = grub_efi_system_table->boot_services;
+
+ file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
+@@ -408,6 +401,10 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_file_close (file);
+ grub_device_close (dev);
+
++ /* We're finished with the source image buffer and file path now. */
++ efi_call_2 (b->free_pages, address, pages);
++ grub_free (file_path);
++
+ grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
+ return 0;
+
+@@ -419,11 +416,18 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ if (file)
+ grub_file_close (file);
+
++ grub_free (cmdline);
+ grub_free (file_path);
+
+ if (address)
+ efi_call_2 (b->free_pages, address, pages);
+
++ if (image_handle != NULL)
++ {
++ efi_call_1 (b->unload_image, image_handle);
++ image_handle = NULL;
++ }
++
+ grub_dl_unref (my_mod);
+
+ return grub_errno;
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch b/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch
deleted file mode 100644
index 2b8157f592..0000000000
--- a/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch
+++ /dev/null
@@ -1,287 +0,0 @@
-From 8eb02bcb5897b238b29ff762402bb0c3028f0eab Mon Sep 17 00:00:00 2001
-From: Michael Chang <mchang@suse.com>
-Date: Thu, 19 Mar 2020 13:56:13 +0800
-Subject: [PATCH 3/9] lvm: Add LVM cache logical volume handling
-
-The LVM cache logical volume is the logical volume consisting of the original
-and the cache pool logical volume. The original is usually on a larger and
-slower storage device while the cache pool is on a smaller and faster one. The
-performance of the original volume can be improved by storing the frequently
-used data on the cache pool to utilize the greater performance of faster
-device.
-
-The default cache mode "writethrough" ensures that any data written will be
-stored both in the cache and on the origin LV, therefore grub can be straight
-to read the original lv as no data loss is guarenteed.
-
-The second cache mode is "writeback", which delays writing from the cache pool
-back to the origin LV to have increased performance. The drawback is potential
-data loss if losing the associated cache device.
-
-During the boot time grub reads the LVM offline i.e. LVM volumes are not
-activated and mounted, hence it should be fine to read directly from original
-lv since all cached data should have been flushed back in the process of taking
-it offline.
-
-It is also not much helpful to the situation by adding fsync calls to the
-install code. The fsync did not force to write back dirty cache to the original
-device and rather it would update associated cache metadata to complete the
-write transaction with the cache device. IOW the writes to cached blocks still
-go only to the cache device.
-
-To write back dirty cache, as LVM cache did not support dirty cache flush per
-block range, there'no way to do it for file. On the other hand the "cleaner"
-policy is implemented and can be used to write back "all" dirty blocks in a
-cache, which effectively drain all dirty cache gradually to attain and last in
-the "clean" state, which can be useful for shrinking or decommissioning a
-cache. The result and effect is not what we are looking for here.
-
-In conclusion, as it seems no way to enforce file writes to the original
-device, grub may suffer from power failure as it cannot assemble the cache
-device and read the dirty data from it. However since the case is only
-applicable to writeback mode which is sensitive to data lost in nature, I'd
-still like to propose my (relatively simple) patch and treat reading dirty
-cache as improvement.
-
-Upstream-Status: Backport [commit 0454b0445393aafc5600e92ef0c39494e333b135
-from https://git.savannah.gnu.org/git/grub.git]
-
-Signed-off-by: Michael Chang <mchang@suse.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- grub-core/disk/lvm.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 190 insertions(+)
-
-diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
-index 7b265c7..dc6b83b 100644
---- a/grub-core/disk/lvm.c
-+++ b/grub-core/disk/lvm.c
-@@ -33,6 +33,14 @@
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-+struct cache_lv
-+{
-+ struct grub_diskfilter_lv *lv;
-+ char *cache_pool;
-+ char *origin;
-+ struct cache_lv *next;
-+};
-+
-
- /* Go the string STR and return the number after STR. *P will point
- at the number. In case STR is not found, *P will be NULL and the
-@@ -95,6 +103,34 @@ grub_lvm_check_flag (char *p, const char *str, const char *flag)
- }
- }
-
-+static void
-+grub_lvm_free_cache_lvs (struct cache_lv *cache_lvs)
-+{
-+ struct cache_lv *cache;
-+
-+ while ((cache = cache_lvs))
-+ {
-+ cache_lvs = cache_lvs->next;
-+
-+ if (cache->lv)
-+ {
-+ unsigned int i;
-+
-+ for (i = 0; i < cache->lv->segment_count; ++i)
-+ if (cache->lv->segments)
-+ grub_free (cache->lv->segments[i].nodes);
-+ grub_free (cache->lv->segments);
-+ grub_free (cache->lv->fullname);
-+ grub_free (cache->lv->idname);
-+ grub_free (cache->lv->name);
-+ }
-+ grub_free (cache->lv);
-+ grub_free (cache->origin);
-+ grub_free (cache->cache_pool);
-+ grub_free (cache);
-+ }
-+}
-+
- static struct grub_diskfilter_vg *
- grub_lvm_detect (grub_disk_t disk,
- struct grub_diskfilter_pv_id *id,
-@@ -242,6 +278,8 @@ grub_lvm_detect (grub_disk_t disk,
-
- if (! vg)
- {
-+ struct cache_lv *cache_lvs = NULL;
-+
- /* First time we see this volume group. We've to create the
- whole volume group structure. */
- vg = grub_malloc (sizeof (*vg));
-@@ -671,6 +709,106 @@ grub_lvm_detect (grub_disk_t disk,
- seg->nodes[seg->node_count - 1].name = tmp;
- }
- }
-+ else if (grub_memcmp (p, "cache\"",
-+ sizeof ("cache\"") - 1) == 0)
-+ {
-+ struct cache_lv *cache = NULL;
-+
-+ char *p2, *p3;
-+ grub_size_t sz;
-+
-+ cache = grub_zalloc (sizeof (*cache));
-+ if (!cache)
-+ goto cache_lv_fail;
-+ cache->lv = grub_zalloc (sizeof (*cache->lv));
-+ if (!cache->lv)
-+ goto cache_lv_fail;
-+ grub_memcpy (cache->lv, lv, sizeof (*cache->lv));
-+
-+ if (lv->fullname)
-+ {
-+ cache->lv->fullname = grub_strdup (lv->fullname);
-+ if (!cache->lv->fullname)
-+ goto cache_lv_fail;
-+ }
-+ if (lv->idname)
-+ {
-+ cache->lv->idname = grub_strdup (lv->idname);
-+ if (!cache->lv->idname)
-+ goto cache_lv_fail;
-+ }
-+ if (lv->name)
-+ {
-+ cache->lv->name = grub_strdup (lv->name);
-+ if (!cache->lv->name)
-+ goto cache_lv_fail;
-+ }
-+
-+ skip_lv = 1;
-+
-+ p2 = grub_strstr (p, "cache_pool = \"");
-+ if (!p2)
-+ goto cache_lv_fail;
-+
-+ p2 = grub_strchr (p2, '"');
-+ if (!p2)
-+ goto cache_lv_fail;
-+
-+ p3 = ++p2;
-+ p3 = grub_strchr (p3, '"');
-+ if (!p3)
-+ goto cache_lv_fail;
-+
-+ sz = p3 - p2;
-+
-+ cache->cache_pool = grub_malloc (sz + 1);
-+ if (!cache->cache_pool)
-+ goto cache_lv_fail;
-+ grub_memcpy (cache->cache_pool, p2, sz);
-+ cache->cache_pool[sz] = '\0';
-+
-+ p2 = grub_strstr (p, "origin = \"");
-+ if (!p2)
-+ goto cache_lv_fail;
-+
-+ p2 = grub_strchr (p2, '"');
-+ if (!p2)
-+ goto cache_lv_fail;
-+
-+ p3 = ++p2;
-+ p3 = grub_strchr (p3, '"');
-+ if (!p3)
-+ goto cache_lv_fail;
-+
-+ sz = p3 - p2;
-+
-+ cache->origin = grub_malloc (sz + 1);
-+ if (!cache->origin)
-+ goto cache_lv_fail;
-+ grub_memcpy (cache->origin, p2, sz);
-+ cache->origin[sz] = '\0';
-+
-+ cache->next = cache_lvs;
-+ cache_lvs = cache;
-+ break;
-+
-+ cache_lv_fail:
-+ if (cache)
-+ {
-+ grub_free (cache->origin);
-+ grub_free (cache->cache_pool);
-+ if (cache->lv)
-+ {
-+ grub_free (cache->lv->fullname);
-+ grub_free (cache->lv->idname);
-+ grub_free (cache->lv->name);
-+ }
-+ grub_free (cache->lv);
-+ grub_free (cache);
-+ }
-+ grub_lvm_free_cache_lvs (cache_lvs);
-+ goto fail4;
-+ }
- else
- {
- #ifdef GRUB_UTIL
-@@ -747,6 +885,58 @@ grub_lvm_detect (grub_disk_t disk,
- }
-
- }
-+
-+ {
-+ struct cache_lv *cache;
-+
-+ for (cache = cache_lvs; cache; cache = cache->next)
-+ {
-+ struct grub_diskfilter_lv *lv;
-+
-+ for (lv = vg->lvs; lv; lv = lv->next)
-+ if (grub_strcmp (lv->name, cache->origin) == 0)
-+ break;
-+ if (lv)
-+ {
-+ cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
-+ if (!cache->lv->segments)
-+ {
-+ grub_lvm_free_cache_lvs (cache_lvs);
-+ goto fail4;
-+ }
-+ grub_memcpy (cache->lv->segments, lv->segments, lv->segment_count * sizeof (*lv->segments));
-+
-+ for (i = 0; i < lv->segment_count; ++i)
-+ {
-+ struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
-+ grub_size_t node_count = lv->segments[i].node_count;
-+
-+ cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
-+ if (!cache->lv->segments[i].nodes)
-+ {
-+ for (j = 0; j < i; ++j)
-+ grub_free (cache->lv->segments[j].nodes);
-+ grub_free (cache->lv->segments);
-+ cache->lv->segments = NULL;
-+ grub_lvm_free_cache_lvs (cache_lvs);
-+ goto fail4;
-+ }
-+ grub_memcpy (cache->lv->segments[i].nodes, nodes, node_count * sizeof (*nodes));
-+ }
-+
-+ if (cache->lv->segments)
-+ {
-+ cache->lv->segment_count = lv->segment_count;
-+ cache->lv->vg = vg;
-+ cache->lv->next = vg->lvs;
-+ vg->lvs = cache->lv;
-+ cache->lv = NULL;
-+ }
-+ }
-+ }
-+ }
-+
-+ grub_lvm_free_cache_lvs (cache_lvs);
- if (grub_diskfilter_vg_register (vg))
- goto fail4;
- }
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch b/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch
deleted file mode 100644
index 29021e8d8f..0000000000
--- a/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 06c361a71c4998635493610e5d76d0d223925251 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 15 Jun 2020 10:58:42 -0400
-Subject: [PATCH 5/9] safemath: Add some arithmetic primitives that check for
- overflow
-
-This adds a new header, include/grub/safemath.h, that includes easy to
-use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
-
- bool OP(a, b, res)
-
-where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
-case where the operation would overflow and res is not modified.
-Otherwise, false is returned and the operation is executed.
-
-These arithmetic primitives require newer compiler versions. So, bump
-these requirements in the INSTALL file too.
-
-Upstream-Status: Backport [commit 68708c4503018d61dbcce7ac11cbb511d6425f4d
-from https://git.savannah.gnu.org/git/grub.git]
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-[YL: omit the change to INSTALL from original patch]
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- include/grub/compiler.h | 8 ++++++++
- include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
- 2 files changed, 45 insertions(+)
- create mode 100644 include/grub/safemath.h
-
-diff --git a/include/grub/compiler.h b/include/grub/compiler.h
-index c9e1d7a..8f3be3a 100644
---- a/include/grub/compiler.h
-+++ b/include/grub/compiler.h
-@@ -48,4 +48,12 @@
- # define WARN_UNUSED_RESULT
- #endif
-
-+#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
-+# define CLANG_PREREQ(maj,min) \
-+ ((__clang_major__ > (maj)) || \
-+ (__clang_major__ == (maj) && __clang_minor__ >= (min)))
-+#else
-+# define CLANG_PREREQ(maj,min) 0
-+#endif
-+
- #endif /* ! GRUB_COMPILER_HEADER */
-diff --git a/include/grub/safemath.h b/include/grub/safemath.h
-new file mode 100644
-index 0000000..c17b89b
---- /dev/null
-+++ b/include/grub/safemath.h
-@@ -0,0 +1,37 @@
-+/*
-+ * GRUB -- GRand Unified Bootloader
-+ * Copyright (C) 2020 Free Software Foundation, Inc.
-+ *
-+ * GRUB is free software: you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation, either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GRUB is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
-+ *
-+ * Arithmetic operations that protect against overflow.
-+ */
-+
-+#ifndef GRUB_SAFEMATH_H
-+#define GRUB_SAFEMATH_H 1
-+
-+#include <grub/compiler.h>
-+
-+/* These appear in gcc 5.1 and clang 3.8. */
-+#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
-+
-+#define grub_add(a, b, res) __builtin_add_overflow(a, b, res)
-+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
-+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
-+
-+#else
-+#error gcc 5.1 or newer or clang 3.8 or newer is required
-+#endif
-+
-+#endif /* GRUB_SAFEMATH_H */
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch b/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch
deleted file mode 100644
index 84a80d5ffd..0000000000
--- a/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From e219bad8cee67b2bb21712df8f055706f8da25d2 Mon Sep 17 00:00:00 2001
-From: Chris Coulson <chris.coulson@canonical.com>
-Date: Fri, 10 Jul 2020 11:21:14 +0100
-Subject: [PATCH 7/9] script: Remove unused fields from grub_script_function
- struct
-
-Upstream-Status: Backport [commit 1a8d9c9b4ab6df7669b5aa36a56477f297825b96
-from https://git.savannah.gnu.org/git/grub.git]
-
-Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- include/grub/script_sh.h | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
-index 360c2be..b382bcf 100644
---- a/include/grub/script_sh.h
-+++ b/include/grub/script_sh.h
-@@ -359,13 +359,8 @@ struct grub_script_function
- /* The script function. */
- struct grub_script *func;
-
-- /* The flags. */
-- unsigned flags;
--
- /* The next element. */
- struct grub_script_function *next;
--
-- int references;
- };
- typedef struct grub_script_function *grub_script_function_t;
-
---
-2.14.4
-
diff --git a/meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch b/meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch
new file mode 100644
index 0000000000..2db9bcbbc5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch
@@ -0,0 +1,693 @@
+From 1f48917d8ddb490dcdc70176e0f58136b7f7811a Mon Sep 17 00:00:00 2001
+From: Elyes Haouas <ehaouas@noos.fr>
+Date: Fri, 4 Mar 2022 07:42:13 +0100
+Subject: [PATCH] video: Remove trailing whitespaces
+
+Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1f48917d8ddb490dcdc70176e0f58136b7f7811a
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/bochs.c | 2 +-
+ grub-core/video/capture.c | 2 +-
+ grub-core/video/cirrus.c | 4 ++--
+ grub-core/video/coreboot/cbfb.c | 2 +-
+ grub-core/video/efi_gop.c | 22 +++++++++----------
+ grub-core/video/fb/fbblit.c | 8 +++----
+ grub-core/video/fb/video_fb.c | 10 ++++-----
+ grub-core/video/i386/pc/vbe.c | 34 ++++++++++++++---------------
+ grub-core/video/i386/pc/vga.c | 6 ++---
+ grub-core/video/ieee1275.c | 4 ++--
+ grub-core/video/radeon_fuloong2e.c | 6 ++---
+ grub-core/video/radeon_yeeloong3a.c | 6 ++---
+ grub-core/video/readers/png.c | 2 +-
+ grub-core/video/readers/tga.c | 2 +-
+ grub-core/video/sis315_init.c | 2 +-
+ grub-core/video/sis315pro.c | 8 +++----
+ grub-core/video/sm712.c | 10 ++++-----
+ grub-core/video/video.c | 8 +++----
+ 18 files changed, 69 insertions(+), 69 deletions(-)
+
+diff --git a/grub-core/video/bochs.c b/grub-core/video/bochs.c
+index 30ea1bd82..edc651697 100644
+--- a/grub-core/video/bochs.c
++++ b/grub-core/video/bochs.c
+@@ -212,7 +212,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
+
+ if (((class >> 16) & 0xffff) != 0x0300 || pciid != 0x11111234)
+ return 0;
+-
++
+ addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
+ framebuffer.base = grub_pci_read (addr) & GRUB_PCI_ADDR_MEM_MASK;
+ if (!framebuffer.base)
+diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c
+index 4d3195e01..c653d89f9 100644
+--- a/grub-core/video/capture.c
++++ b/grub-core/video/capture.c
+@@ -92,7 +92,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info,
+ framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch);
+ if (!framebuffer.ptr)
+ return grub_errno;
+-
++
+ err = grub_video_fb_create_render_target_from_pointer (&framebuffer.render_target,
+ &framebuffer.mode_info,
+ framebuffer.ptr);
+diff --git a/grub-core/video/cirrus.c b/grub-core/video/cirrus.c
+index e2149e8ce..f5542ccdc 100644
+--- a/grub-core/video/cirrus.c
++++ b/grub-core/video/cirrus.c
+@@ -354,11 +354,11 @@ grub_video_cirrus_setup (unsigned int width, unsigned int height,
+ grub_uint8_t sr_ext = 0, hidden_dac = 0;
+
+ grub_vga_set_geometry (&config, grub_vga_cr_write);
+-
++
+ grub_vga_gr_write (GRUB_VGA_GR_MODE_256_COLOR | GRUB_VGA_GR_MODE_READ_MODE1,
+ GRUB_VGA_GR_MODE);
+ grub_vga_gr_write (GRUB_VGA_GR_GR6_GRAPHICS_MODE, GRUB_VGA_GR_GR6);
+-
++
+ grub_vga_sr_write (GRUB_VGA_SR_MEMORY_MODE_NORMAL, GRUB_VGA_SR_MEMORY_MODE);
+
+ grub_vga_cr_write ((config.pitch >> CIRRUS_CR_EXTENDED_DISPLAY_PITCH_SHIFT)
+diff --git a/grub-core/video/coreboot/cbfb.c b/grub-core/video/coreboot/cbfb.c
+index 9af81fa5b..986003c51 100644
+--- a/grub-core/video/coreboot/cbfb.c
++++ b/grub-core/video/coreboot/cbfb.c
+@@ -106,7 +106,7 @@ grub_video_cbfb_setup (unsigned int width, unsigned int height,
+
+ grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS,
+ grub_video_fbstd_colors);
+-
++
+ return err;
+ }
+
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index b7590dc6c..7a5054631 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -273,7 +273,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ grub_efi_status_t status;
+ struct grub_efi_gop_mode_info *info = NULL;
+ struct grub_video_mode_info mode_info;
+-
++
+ status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+
+ if (status)
+@@ -390,7 +390,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ found = 1;
+ }
+ }
+-
++
+ if (!found)
+ {
+ unsigned mode;
+@@ -399,7 +399,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ {
+ grub_efi_uintn_t size;
+ grub_efi_status_t status;
+-
++
+ status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+ if (status)
+ {
+@@ -472,11 +472,11 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
+ framebuffer.offscreen
+ = grub_malloc (framebuffer.mode_info.height
+- * framebuffer.mode_info.width
++ * framebuffer.mode_info.width
+ * sizeof (struct grub_efi_gop_blt_pixel));
+
+ buffer = framebuffer.offscreen;
+-
++
+ if (!buffer)
+ {
+ grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
+@@ -485,11 +485,11 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ &framebuffer.mode_info);
+ buffer = framebuffer.ptr;
+ }
+-
++
+ grub_dprintf ("video", "GOP: initialising FB @ %p %dx%dx%d\n",
+ framebuffer.ptr, framebuffer.mode_info.width,
+ framebuffer.mode_info.height, framebuffer.mode_info.bpp);
+-
++
+ err = grub_video_fb_create_render_target_from_pointer
+ (&framebuffer.render_target, &framebuffer.mode_info, buffer);
+
+@@ -498,15 +498,15 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ grub_dprintf ("video", "GOP: Couldn't create FB target\n");
+ return err;
+ }
+-
++
+ err = grub_video_fb_set_active_render_target (framebuffer.render_target);
+-
++
+ if (err)
+ {
+ grub_dprintf ("video", "GOP: Couldn't set FB target\n");
+ return err;
+ }
+-
++
+ err = grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS,
+ grub_video_fbstd_colors);
+
+@@ -514,7 +514,7 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ grub_dprintf ("video", "GOP: Couldn't set palette\n");
+ else
+ grub_dprintf ("video", "GOP: Success\n");
+-
++
+ return err;
+ }
+
+diff --git a/grub-core/video/fb/fbblit.c b/grub-core/video/fb/fbblit.c
+index d55924837..1010ef393 100644
+--- a/grub-core/video/fb/fbblit.c
++++ b/grub-core/video/fb/fbblit.c
+@@ -466,7 +466,7 @@ grub_video_fbblit_replace_24bit_indexa (struct grub_video_fbblit_info *dst,
+ for (i = 0; i < width; i++)
+ {
+ register grub_uint32_t col;
+- if (*srcptr == 0xf0)
++ if (*srcptr == 0xf0)
+ col = palette[16];
+ else
+ col = palette[*srcptr & 0xf];
+@@ -478,7 +478,7 @@ grub_video_fbblit_replace_24bit_indexa (struct grub_video_fbblit_info *dst,
+ *dstptr++ = col >> 0;
+ *dstptr++ = col >> 8;
+ *dstptr++ = col >> 16;
+-#endif
++#endif
+ srcptr++;
+ }
+
+@@ -651,7 +651,7 @@ grub_video_fbblit_blend_24bit_indexa (struct grub_video_fbblit_info *dst,
+ for (i = 0; i < width; i++)
+ {
+ register grub_uint32_t col;
+- if (*srcptr != 0xf0)
++ if (*srcptr != 0xf0)
+ {
+ col = palette[*srcptr & 0xf];
+ #ifdef GRUB_CPU_WORDS_BIGENDIAN
+@@ -662,7 +662,7 @@ grub_video_fbblit_blend_24bit_indexa (struct grub_video_fbblit_info *dst,
+ *dstptr++ = col >> 0;
+ *dstptr++ = col >> 8;
+ *dstptr++ = col >> 16;
+-#endif
++#endif
+ }
+ else
+ dstptr += 3;
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index ae6b89f9a..fa4ebde26 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -754,7 +754,7 @@ grub_video_fb_unmap_color_int (struct grub_video_fbblit_info * source,
+ *alpha = 0;
+ return;
+ }
+-
++
+ /* If we have an out-of-bounds color, return transparent black. */
+ if (color > 255)
+ {
+@@ -1141,7 +1141,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy)
+ /* If everything is aligned on 32-bit use 32-bit copy. */
+ if ((grub_addr_t) grub_video_fb_get_video_ptr (&target, src_x, src_y)
+ % sizeof (grub_uint32_t) == 0
+- && (grub_addr_t) grub_video_fb_get_video_ptr (&target, dst_x, dst_y)
++ && (grub_addr_t) grub_video_fb_get_video_ptr (&target, dst_x, dst_y)
+ % sizeof (grub_uint32_t) == 0
+ && linelen % sizeof (grub_uint32_t) == 0
+ && linedelta % sizeof (grub_uint32_t) == 0)
+@@ -1155,7 +1155,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy)
+ else if ((grub_addr_t) grub_video_fb_get_video_ptr (&target, src_x, src_y)
+ % sizeof (grub_uint16_t) == 0
+ && (grub_addr_t) grub_video_fb_get_video_ptr (&target,
+- dst_x, dst_y)
++ dst_x, dst_y)
+ % sizeof (grub_uint16_t) == 0
+ && linelen % sizeof (grub_uint16_t) == 0
+ && linedelta % sizeof (grub_uint16_t) == 0)
+@@ -1170,7 +1170,7 @@ grub_video_fb_scroll (grub_video_color_t color, int dx, int dy)
+ {
+ grub_uint8_t *src, *dst;
+ DO_SCROLL
+- }
++ }
+ }
+
+ /* 4. Fill empty space with specified color. In this implementation
+@@ -1615,7 +1615,7 @@ grub_video_fb_setup (unsigned int mode_type, unsigned int mode_mask,
+ framebuffer.render_target = framebuffer.back_target;
+ return GRUB_ERR_NONE;
+ }
+-
++
+ mode_info->mode_type &= ~(GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
+ | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
+
+diff --git a/grub-core/video/i386/pc/vbe.c b/grub-core/video/i386/pc/vbe.c
+index b7f911926..0e65b5206 100644
+--- a/grub-core/video/i386/pc/vbe.c
++++ b/grub-core/video/i386/pc/vbe.c
+@@ -219,7 +219,7 @@ grub_vbe_disable_mtrr (int mtrr)
+ }
+
+ /* Call VESA BIOS 0x4f09 to set palette data, return status. */
+-static grub_vbe_status_t
++static grub_vbe_status_t
+ grub_vbe_bios_set_palette_data (grub_uint32_t color_count,
+ grub_uint32_t start_index,
+ struct grub_vbe_palette_data *palette_data)
+@@ -237,7 +237,7 @@ grub_vbe_bios_set_palette_data (grub_uint32_t color_count,
+ }
+
+ /* Call VESA BIOS 0x4f00 to get VBE Controller Information, return status. */
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_get_controller_info (struct grub_vbe_info_block *ci)
+ {
+ struct grub_bios_int_registers regs;
+@@ -251,7 +251,7 @@ grub_vbe_bios_get_controller_info (struct grub_vbe_info_block *ci)
+ }
+
+ /* Call VESA BIOS 0x4f01 to get VBE Mode Information, return status. */
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_get_mode_info (grub_uint32_t mode,
+ struct grub_vbe_mode_info_block *mode_info)
+ {
+@@ -285,7 +285,7 @@ grub_vbe_bios_set_mode (grub_uint32_t mode,
+ }
+
+ /* Call VESA BIOS 0x4f03 to return current VBE Mode, return status. */
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_get_mode (grub_uint32_t *mode)
+ {
+ struct grub_bios_int_registers regs;
+@@ -298,7 +298,7 @@ grub_vbe_bios_get_mode (grub_uint32_t *mode)
+ return regs.eax & 0xffff;
+ }
+
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_getset_dac_palette_width (int set, int *dac_mask_size)
+ {
+ struct grub_bios_int_registers regs;
+@@ -346,7 +346,7 @@ grub_vbe_bios_get_memory_window (grub_uint32_t window,
+ }
+
+ /* Call VESA BIOS 0x4f06 to set scanline length (in bytes), return status. */
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_set_scanline_length (grub_uint32_t length)
+ {
+ struct grub_bios_int_registers regs;
+@@ -354,14 +354,14 @@ grub_vbe_bios_set_scanline_length (grub_uint32_t length)
+ regs.ecx = length;
+ regs.eax = 0x4f06;
+ /* BL = 2, Set Scan Line in Bytes. */
+- regs.ebx = 0x0002;
++ regs.ebx = 0x0002;
+ regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
+ grub_bios_interrupt (0x10, &regs);
+ return regs.eax & 0xffff;
+ }
+
+ /* Call VESA BIOS 0x4f06 to return scanline length (in bytes), return status. */
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_get_scanline_length (grub_uint32_t *length)
+ {
+ struct grub_bios_int_registers regs;
+@@ -377,7 +377,7 @@ grub_vbe_bios_get_scanline_length (grub_uint32_t *length)
+ }
+
+ /* Call VESA BIOS 0x4f07 to set display start, return status. */
+-static grub_vbe_status_t
++static grub_vbe_status_t
+ grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y)
+ {
+ struct grub_bios_int_registers regs;
+@@ -390,7 +390,7 @@ grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y)
+ regs.edx = y;
+ regs.eax = 0x4f07;
+ /* BL = 80h, Set Display Start during Vertical Retrace. */
+- regs.ebx = 0x0080;
++ regs.ebx = 0x0080;
+ regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
+ grub_bios_interrupt (0x10, &regs);
+
+@@ -401,7 +401,7 @@ grub_vbe_bios_set_display_start (grub_uint32_t x, grub_uint32_t y)
+ }
+
+ /* Call VESA BIOS 0x4f07 to get display start, return status. */
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_get_display_start (grub_uint32_t *x,
+ grub_uint32_t *y)
+ {
+@@ -419,7 +419,7 @@ grub_vbe_bios_get_display_start (grub_uint32_t *x,
+ }
+
+ /* Call VESA BIOS 0x4f0a. */
+-grub_vbe_status_t
++grub_vbe_status_t
+ grub_vbe_bios_get_pm_interface (grub_uint16_t *segment, grub_uint16_t *offset,
+ grub_uint16_t *length)
+ {
+@@ -896,7 +896,7 @@ vbe2videoinfo (grub_uint32_t mode,
+ case GRUB_VBE_MEMORY_MODEL_YUV:
+ mode_info->mode_type |= GRUB_VIDEO_MODE_TYPE_YUV;
+ break;
+-
++
+ case GRUB_VBE_MEMORY_MODEL_DIRECT_COLOR:
+ mode_info->mode_type |= GRUB_VIDEO_MODE_TYPE_RGB;
+ break;
+@@ -923,10 +923,10 @@ vbe2videoinfo (grub_uint32_t mode,
+ break;
+ case 8:
+ mode_info->bytes_per_pixel = 1;
+- break;
++ break;
+ case 4:
+ mode_info->bytes_per_pixel = 0;
+- break;
++ break;
+ }
+
+ if (controller_info.version >= 0x300)
+@@ -976,7 +976,7 @@ grub_video_vbe_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+
+ static grub_err_t
+ grub_video_vbe_setup (unsigned int width, unsigned int height,
+- grub_video_mode_type_t mode_type,
++ grub_video_mode_type_t mode_type,
+ grub_video_mode_type_t mode_mask)
+ {
+ grub_uint16_t *p;
+@@ -1193,7 +1193,7 @@ grub_video_vbe_print_adapter_specific_info (void)
+ controller_info.version & 0xFF,
+ controller_info.oem_software_rev >> 8,
+ controller_info.oem_software_rev & 0xFF);
+-
++
+ /* The total_memory field is in 64 KiB units. */
+ grub_printf_ (N_(" total memory: %d KiB\n"),
+ (controller_info.total_memory << 6));
+diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c
+index b2f776c99..50d0b5e02 100644
+--- a/grub-core/video/i386/pc/vga.c
++++ b/grub-core/video/i386/pc/vga.c
+@@ -48,7 +48,7 @@ static struct
+ int back_page;
+ } framebuffer;
+
+-static unsigned char
++static unsigned char
+ grub_vga_set_mode (unsigned char mode)
+ {
+ struct grub_bios_int_registers regs;
+@@ -182,10 +182,10 @@ grub_video_vga_setup (unsigned int width, unsigned int height,
+
+ is_target = 1;
+ err = grub_video_fb_set_active_render_target (framebuffer.render_target);
+-
++
+ if (err)
+ return err;
+-
++
+ err = grub_video_fb_set_palette (0, GRUB_VIDEO_FBSTD_NUMCOLORS,
+ grub_video_fbstd_colors);
+
+diff --git a/grub-core/video/ieee1275.c b/grub-core/video/ieee1275.c
+index f437fb0df..ca3d3c3b2 100644
+--- a/grub-core/video/ieee1275.c
++++ b/grub-core/video/ieee1275.c
+@@ -233,7 +233,7 @@ grub_video_ieee1275_setup (unsigned int width, unsigned int height,
+ /* TODO. */
+ return grub_error (GRUB_ERR_IO, "can't set mode %dx%d", width, height);
+ }
+-
++
+ err = grub_video_ieee1275_fill_mode_info (dev, &framebuffer.mode_info);
+ if (err)
+ {
+@@ -260,7 +260,7 @@ grub_video_ieee1275_setup (unsigned int width, unsigned int height,
+
+ grub_video_ieee1275_set_palette (0, framebuffer.mode_info.number_of_colors,
+ grub_video_fbstd_colors);
+-
++
+ return err;
+ }
+
+diff --git a/grub-core/video/radeon_fuloong2e.c b/grub-core/video/radeon_fuloong2e.c
+index b4da34b5e..40917acb7 100644
+--- a/grub-core/video/radeon_fuloong2e.c
++++ b/grub-core/video/radeon_fuloong2e.c
+@@ -75,7 +75,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
+ if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
+ || pciid != 0x515a1002)
+ return 0;
+-
++
+ *found = 1;
+
+ addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
+@@ -139,7 +139,7 @@ grub_video_radeon_fuloong2e_setup (unsigned int width, unsigned int height,
+ framebuffer.mapped = 1;
+
+ /* Prevent garbage from appearing on the screen. */
+- grub_memset (framebuffer.ptr, 0x55,
++ grub_memset (framebuffer.ptr, 0x55,
+ framebuffer.mode_info.height * framebuffer.mode_info.pitch);
+
+ #ifndef TEST
+@@ -152,7 +152,7 @@ grub_video_radeon_fuloong2e_setup (unsigned int width, unsigned int height,
+ return err;
+
+ err = grub_video_fb_set_active_render_target (framebuffer.render_target);
+-
++
+ if (err)
+ return err;
+
+diff --git a/grub-core/video/radeon_yeeloong3a.c b/grub-core/video/radeon_yeeloong3a.c
+index 52614feb6..48631c181 100644
+--- a/grub-core/video/radeon_yeeloong3a.c
++++ b/grub-core/video/radeon_yeeloong3a.c
+@@ -74,7 +74,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
+ if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
+ || pciid != 0x96151002)
+ return 0;
+-
++
+ *found = 1;
+
+ addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
+@@ -137,7 +137,7 @@ grub_video_radeon_yeeloong3a_setup (unsigned int width, unsigned int height,
+ #endif
+
+ /* Prevent garbage from appearing on the screen. */
+- grub_memset (framebuffer.ptr, 0,
++ grub_memset (framebuffer.ptr, 0,
+ framebuffer.mode_info.height * framebuffer.mode_info.pitch);
+
+ #ifndef TEST
+@@ -150,7 +150,7 @@ grub_video_radeon_yeeloong3a_setup (unsigned int width, unsigned int height,
+ return err;
+
+ err = grub_video_fb_set_active_render_target (framebuffer.render_target);
+-
++
+ if (err)
+ return err;
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff742..54dfedf43 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -916,7 +916,7 @@ grub_png_convert_image (struct grub_png_data *data)
+ }
+ return;
+ }
+-
++
+ if (data->is_gray)
+ {
+ switch (data->bpp)
+diff --git a/grub-core/video/readers/tga.c b/grub-core/video/readers/tga.c
+index 7cb9d1d2a..a9ec3a1b6 100644
+--- a/grub-core/video/readers/tga.c
++++ b/grub-core/video/readers/tga.c
+@@ -127,7 +127,7 @@ tga_load_palette (struct tga_data *data)
+
+ if (len > sizeof (data->palette))
+ len = sizeof (data->palette);
+-
++
+ if (grub_file_read (data->file, &data->palette, len)
+ != (grub_ssize_t) len)
+ return grub_errno;
+diff --git a/grub-core/video/sis315_init.c b/grub-core/video/sis315_init.c
+index ae5c1419c..09c3c7bbe 100644
+--- a/grub-core/video/sis315_init.c
++++ b/grub-core/video/sis315_init.c
+@@ -1,4 +1,4 @@
+-static const struct { grub_uint8_t reg; grub_uint8_t val; } sr_dump [] =
++static const struct { grub_uint8_t reg; grub_uint8_t val; } sr_dump [] =
+ {
+ { 0x28, 0x81 },
+ { 0x2a, 0x00 },
+diff --git a/grub-core/video/sis315pro.c b/grub-core/video/sis315pro.c
+index 22a0c85a6..4d2f9999a 100644
+--- a/grub-core/video/sis315pro.c
++++ b/grub-core/video/sis315pro.c
+@@ -103,7 +103,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
+ if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
+ || pciid != GRUB_SIS315PRO_PCIID)
+ return 0;
+-
++
+ *found = 1;
+
+ addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
+@@ -218,7 +218,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height,
+
+ #ifndef TEST
+ /* Prevent garbage from appearing on the screen. */
+- grub_memset (framebuffer.ptr, 0,
++ grub_memset (framebuffer.ptr, 0,
+ framebuffer.mode_info.height * framebuffer.mode_info.pitch);
+ grub_arch_sync_dma_caches (framebuffer.ptr,
+ framebuffer.mode_info.height
+@@ -231,7 +231,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height,
+ | GRUB_VGA_IO_MISC_EXTERNAL_CLOCK_0
+ | GRUB_VGA_IO_MISC_28MHZ
+ | GRUB_VGA_IO_MISC_ENABLE_VRAM_ACCESS
+- | GRUB_VGA_IO_MISC_COLOR,
++ | GRUB_VGA_IO_MISC_COLOR,
+ GRUB_VGA_IO_MISC_WRITE + GRUB_MACHINE_PCI_IO_BASE);
+
+ grub_vga_sr_write (0x86, 5);
+@@ -335,7 +335,7 @@ grub_video_sis315pro_setup (unsigned int width, unsigned int height,
+ {
+ if (read_sis_cmd (0x5) != 0xa1)
+ write_sis_cmd (0x86, 0x5);
+-
++
+ write_sis_cmd (read_sis_cmd (0x20) | 0xa1, 0x20);
+ write_sis_cmd (read_sis_cmd (0x1e) | 0xda, 0x1e);
+
+diff --git a/grub-core/video/sm712.c b/grub-core/video/sm712.c
+index 10c46eb65..65f59f84b 100644
+--- a/grub-core/video/sm712.c
++++ b/grub-core/video/sm712.c
+@@ -167,7 +167,7 @@ enum
+ GRUB_SM712_CR_SHADOW_VGA_VBLANK_START = 0x46,
+ GRUB_SM712_CR_SHADOW_VGA_VBLANK_END = 0x47,
+ GRUB_SM712_CR_SHADOW_VGA_VRETRACE_START = 0x48,
+- GRUB_SM712_CR_SHADOW_VGA_VRETRACE_END = 0x49,
++ GRUB_SM712_CR_SHADOW_VGA_VRETRACE_END = 0x49,
+ GRUB_SM712_CR_SHADOW_VGA_OVERFLOW = 0x4a,
+ GRUB_SM712_CR_SHADOW_VGA_CELL_HEIGHT = 0x4b,
+ GRUB_SM712_CR_SHADOW_VGA_HDISPLAY_END = 0x4c,
+@@ -375,7 +375,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)
+ if (((class >> 16) & 0xffff) != GRUB_PCI_CLASS_SUBCLASS_VGA
+ || pciid != GRUB_SM712_PCIID)
+ return 0;
+-
++
+ *found = 1;
+
+ addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
+@@ -471,7 +471,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height,
+
+ #if !defined (TEST) && !defined(GENINIT)
+ /* Prevent garbage from appearing on the screen. */
+- grub_memset ((void *) framebuffer.cached_ptr, 0,
++ grub_memset ((void *) framebuffer.cached_ptr, 0,
+ framebuffer.mode_info.height * framebuffer.mode_info.pitch);
+ #endif
+
+@@ -482,7 +482,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height,
+ grub_sm712_sr_write (0x2, 0x6b);
+ grub_sm712_write_reg (0, GRUB_VGA_IO_PIXEL_MASK);
+ grub_sm712_sr_write (GRUB_VGA_SR_RESET_ASYNC, GRUB_VGA_SR_RESET);
+- grub_sm712_write_reg (GRUB_VGA_IO_MISC_NEGATIVE_VERT_POLARITY
++ grub_sm712_write_reg (GRUB_VGA_IO_MISC_NEGATIVE_VERT_POLARITY
+ | GRUB_VGA_IO_MISC_NEGATIVE_HORIZ_POLARITY
+ | GRUB_VGA_IO_MISC_UPPER_64K
+ | GRUB_VGA_IO_MISC_EXTERNAL_CLOCK_0
+@@ -694,7 +694,7 @@ grub_video_sm712_setup (unsigned int width, unsigned int height,
+ for (i = 0; i < ARRAY_SIZE (dda_lookups); i++)
+ grub_sm712_write_dda_lookup (i, dda_lookups[i].compare, dda_lookups[i].dda,
+ dda_lookups[i].vcentering);
+-
++
+ /* Undocumented */
+ grub_sm712_cr_write (0, 0x9c);
+ grub_sm712_cr_write (0, 0x9d);
+diff --git a/grub-core/video/video.c b/grub-core/video/video.c
+index 983424107..8937da745 100644
+--- a/grub-core/video/video.c
++++ b/grub-core/video/video.c
+@@ -491,13 +491,13 @@ parse_modespec (const char *current_mode, int *width, int *height, int *depth)
+ current_mode);
+
+ param++;
+-
++
+ *width = grub_strtoul (value, 0, 0);
+ if (grub_errno != GRUB_ERR_NONE)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("invalid video mode specification `%s'"),
+ current_mode);
+-
++
+ /* Find height value. */
+ value = param;
+ param = grub_strchr(param, 'x');
+@@ -513,13 +513,13 @@ parse_modespec (const char *current_mode, int *width, int *height, int *depth)
+ {
+ /* We have optional color depth value. */
+ param++;
+-
++
+ *height = grub_strtoul (value, 0, 0);
+ if (grub_errno != GRUB_ERR_NONE)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("invalid video mode specification `%s'"),
+ current_mode);
+-
++
+ /* Convert color depth value. */
+ value = param;
+ *depth = grub_strtoul (value, 0, 0);
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch b/meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
new file mode 100644
index 0000000000..0c7deae858
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
@@ -0,0 +1,264 @@
+From d5caac8ab79d068ad9a41030c772d03a4d4fbd7b Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:16:14 +1000
+Subject: [PATCH] video/readers/jpeg: Abort sooner if a read operation fails
+
+Fuzzing revealed some inputs that were taking a long time, potentially
+forever, because they did not bail quickly upon encountering an I/O error.
+
+Try to catch I/O errors sooner and bail out.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d5caac8ab79d068ad9a41030c772d03a4d4fbd7b
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/readers/jpeg.c | 86 +++++++++++++++++++++++++++-------
+ 1 file changed, 70 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index c47ffd651..806c56c78 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -109,9 +109,17 @@ static grub_uint8_t
+ grub_jpeg_get_byte (struct grub_jpeg_data *data)
+ {
+ grub_uint8_t r;
++ grub_ssize_t bytes_read;
+
+ r = 0;
+- grub_file_read (data->file, &r, 1);
++ bytes_read = grub_file_read (data->file, &r, 1);
++
++ if (bytes_read != 1)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: unexpected end of data");
++ return 0;
++ }
+
+ return r;
+ }
+@@ -120,9 +128,17 @@ static grub_uint16_t
+ grub_jpeg_get_word (struct grub_jpeg_data *data)
+ {
+ grub_uint16_t r;
++ grub_ssize_t bytes_read;
+
+ r = 0;
+- grub_file_read (data->file, &r, sizeof (grub_uint16_t));
++ bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
++
++ if (bytes_read != sizeof (grub_uint16_t))
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: unexpected end of data");
++ return 0;
++ }
+
+ return grub_be_to_cpu16 (r);
+ }
+@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
+ if (data->bit_mask == 0)
+ {
+ data->bit_save = grub_jpeg_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE) {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: file read error");
++ return 0;
++ }
+ if (data->bit_save == JPEG_ESC_CHAR)
+ {
+ if (grub_jpeg_get_byte (data) != 0)
+@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
+ "jpeg: invalid 0xFF in data stream");
+ return 0;
+ }
++ if (grub_errno != GRUB_ERR_NONE)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
++ return 0;
++ }
+ }
+ data->bit_mask = 0x80;
+ }
+@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
+ return 0;
+
+ msb = value = grub_jpeg_get_bit (data);
+- for (i = 1; i < num; i++)
++ for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
+ value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
+ if (!msb)
+ value += 1 - (1 << num);
+@@ -208,6 +234,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
+ while (data->file->offset + sizeof (count) + 1 <= next_marker)
+ {
+ id = grub_jpeg_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ ac = (id >> 4) & 1;
+ id &= 0xF;
+ if (id > 1)
+@@ -258,6 +286,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+
+ if (next_marker > data->file->size)
+ {
+@@ -269,6 +299,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ <= next_marker)
+ {
+ id = grub_jpeg_get_byte (data);
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (id >= 0x10) /* Upper 4-bit is precision. */
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: only 8-bit precision is supported");
+@@ -300,6 +332,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
+
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
+ if (grub_jpeg_get_byte (data) != 8)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: only 8-bit precision is supported");
+@@ -325,6 +360,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
+
+ ss = grub_jpeg_get_byte (data); /* Sampling factor. */
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (!id)
+ {
+ grub_uint8_t vs, hs;
+@@ -504,7 +541,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
+ }
+ }
+
+-static void
++static grub_err_t
+ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ {
+ int h1, h2, qt;
+@@ -519,6 +556,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ data->dc_value[id] +=
+ grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));
+
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
+ du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
+ pos = 1;
+ while (pos < ARRAY_SIZE (data->quan_table[qt]))
+@@ -533,11 +573,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ num >>= 4;
+ pos += num;
+
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
+ if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
+ {
+- grub_error (GRUB_ERR_BAD_FILE_TYPE,
+- "jpeg: invalid position in zigzag order!?");
+- return;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: invalid position in zigzag order!?");
+ }
+
+ du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
+@@ -545,6 +587,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
+ }
+
+ grub_jpeg_idct_transform (du);
++ return GRUB_ERR_NONE;
+ }
+
+ static void
+@@ -603,7 +646,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ data_offset += grub_jpeg_get_word (data);
+
+ cc = grub_jpeg_get_byte (data);
+-
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (cc != 3 && cc != 1)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: component count must be 1 or 3");
+@@ -616,7 +660,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ id = grub_jpeg_get_byte (data) - 1;
+ if ((id < 0) || (id >= 3))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
+-
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ ht = grub_jpeg_get_byte (data);
+ data->comp_index[id][1] = (ht >> 4);
+ data->comp_index[id][2] = (ht & 0xF) + 2;
+@@ -624,11 +669,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ }
+
+ grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
+ grub_jpeg_get_word (data);
+-
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
+ if (data->file->offset != data_offset)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
+
+@@ -646,6 +694,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+ unsigned c1, vb, hb, nr1, nc1;
+ int rst = data->dri;
++ grub_err_t err = GRUB_ERR_NONE;
+
+ vb = 8 << data->log_vs;
+ hb = 8 << data->log_hs;
+@@ -666,17 +715,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+
+ for (r2 = 0; r2 < (1U << data->log_vs); r2++)
+ for (c2 = 0; c2 < (1U << data->log_hs); c2++)
+- grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
++ {
++ err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
++ if (err != GRUB_ERR_NONE)
++ return err;
++ }
+
+ if (data->color_components >= 3)
+ {
+- grub_jpeg_decode_du (data, 1, data->cbdu);
+- grub_jpeg_decode_du (data, 2, data->crdu);
++ err = grub_jpeg_decode_du (data, 1, data->cbdu);
++ if (err != GRUB_ERR_NONE)
++ return err;
++ err = grub_jpeg_decode_du (data, 2, data->crdu);
++ if (err != GRUB_ERR_NONE)
++ return err;
+ }
+
+- if (grub_errno)
+- return grub_errno;
+-
+ nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
+ nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;
+
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch b/meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
new file mode 100644
index 0000000000..91ecaad98a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
@@ -0,0 +1,53 @@
+From 166a4d61448f74745afe1dac2f2cfb85d04909bf Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 28 Jun 2021 14:25:17 +1000
+Subject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of
+ streams
+
+An invalid file could contain multiple start of stream blocks, which
+would cause us to reallocate and leak our bitmap. Refuse to handle
+multiple start of streams.
+
+Additionally, fix a grub_error() call formatting.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=166a4d61448f74745afe1dac2f2cfb85d04909bf
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/readers/jpeg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 2284a6c06..579bbe8a4 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -683,6 +683,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
+ if (data->file->offset != data_offset)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
+
++ if (*data->bitmap)
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
++
+ if (grub_video_bitmap_create (data->bitmap, data->image_width,
+ data->image_height,
+ GRUB_VIDEO_BLIT_FORMAT_RGB_888))
+@@ -705,8 +708,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
+ if (data->bitmap_ptr == NULL)
+- return grub_error(GRUB_ERR_BAD_FILE_TYPE,
+- "jpeg: attempted to decode data before start of stream");
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: attempted to decode data before start of stream");
+
+ for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+--
+2.34.1
+
diff --git a/meta/recipes-bsp/grub/grub-bootconf_1.00.bb b/meta/recipes-bsp/grub/grub-bootconf_1.00.bb
index 572580313b..783e30bf38 100644
--- a/meta/recipes-bsp/grub/grub-bootconf_1.00.bb
+++ b/meta/recipes-bsp/grub/grub-bootconf_1.00.bb
@@ -5,7 +5,7 @@ DESCRIPTION = "Grub might require different configuration file for \
different machines."
HOMEPAGE = "https://www.gnu.org/software/grub/manual/grub/grub.html#Configuration"
-RPROVIDES_${PN} += "virtual/grub-bootconf"
+RPROVIDES:${PN} += "virtual-grub-bootconf"
inherit grub-efi-cfg
@@ -29,4 +29,4 @@ do_install() {
install grub-bootconf ${D}${EFI_FILES_PATH}/grub.cfg
}
-FILES_${PN} = "${EFI_FILES_PATH}/grub.cfg"
+FILES:${PN} = "${EFI_FILES_PATH}/grub.cfg"
diff --git a/meta/recipes-bsp/grub/grub-efi_2.04.bb b/meta/recipes-bsp/grub/grub-efi_2.06.bb
index f80afd95cb..9857e8e036 100644
--- a/meta/recipes-bsp/grub/grub-efi_2.04.bb
+++ b/meta/recipes-bsp/grub/grub-efi_2.06.bb
@@ -4,8 +4,8 @@ require conf/image-uefi.conf
GRUBPLATFORM = "efi"
-DEPENDS_append = " grub-native"
-RDEPENDS_${PN} = "grub-common virtual/grub-bootconf"
+DEPENDS:append = " grub-native"
+RDEPENDS:${PN} = "grub-common virtual-grub-bootconf"
SRC_URI += " \
file://cfg \
@@ -46,11 +46,21 @@ EXTRA_OECONF += "--enable-efiemu=no"
do_mkimage() {
cd ${B}
+
+ GRUB_MKIMAGE_MODULES="${GRUB_BUILDIN}"
+
+ # If 'all' is included in GRUB_BUILDIN we will include all available grub2 modules
+ if [ "${@ bb.utils.contains('GRUB_BUILDIN', 'all', 'True', 'False', d)}" = "True" ]; then
+ bbdebug 1 "Including all available modules"
+ # Get the list of all .mod files in grub-core build directory
+ GRUB_MKIMAGE_MODULES=$(find ${B}/grub-core/ -type f -name "*.mod" -exec basename {} .mod \;)
+ fi
+
# Search for the grub.cfg on the local boot media by using the
# built in cfg file provided via this recipe
- grub-mkimage -c ../cfg -p ${EFIDIR} -d ./grub-core/ \
+ grub-mkimage -v -c ../cfg -p ${EFIDIR} -d ./grub-core/ \
-O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
- ${GRUB_BUILDIN}
+ ${GRUB_MKIMAGE_MODULES}
}
addtask mkimage before do_install after do_compile
@@ -70,28 +80,26 @@ do_install() {
install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${D}${EFI_FILES_PATH}/${GRUB_IMAGE}
}
-do_install_append_aarch64() {
- rm -rf ${D}/${prefix}/
-}
-
+# To include all available modules, add 'all' to GRUB_BUILDIN
GRUB_BUILDIN ?= "boot linux ext2 fat serial part_msdos part_gpt normal \
efi_gop iso9660 configfile search loadenv test"
+# 'xen_boot' is a module valid only for aarch64
+GRUB_BUILDIN:append:aarch64 = "${@bb.utils.contains('DISTRO_FEATURES', 'xen', ' xen_boot', '', d)}"
+
do_deploy() {
install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${DEPLOYDIR}
}
addtask deploy after do_install before do_build
-FILES_${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
+FILES:${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
${datadir}/grub \
${EFI_FILES_PATH}/${GRUB_IMAGE} \
"
-FILES_${PN}_remove_aarch64 = "${libdir}/grub/${GRUB_TARGET}-efi"
-
# 64-bit binaries are expected for the bootloader with an x32 userland
-INSANE_SKIP_${PN}_append_linux-gnux32 = " arch"
-INSANE_SKIP_${PN}-dbg_append_linux-gnux32 = " arch"
-INSANE_SKIP_${PN}_append_linux-muslx32 = " arch"
-INSANE_SKIP_${PN}-dbg_append_linux-muslx32 = " arch"
+INSANE_SKIP:${PN}:append:linux-gnux32 = " arch"
+INSANE_SKIP:${PN}-dbg:append:linux-gnux32 = " arch"
+INSANE_SKIP:${PN}:append:linux-muslx32 = " arch"
+INSANE_SKIP:${PN}-dbg:append:linux-muslx32 = " arch"
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 49c869b5dc..bf7aba6b1c 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -8,7 +8,7 @@ standard, which allows for flexible loading of multiple boot images."
HOMEPAGE = "http://www.gnu.org/software/grub/"
SECTION = "bootloaders"
-LICENSE = "GPLv3"
+LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
CVE_PRODUCT = "grub2"
@@ -18,37 +18,60 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://autogen.sh-exclude-pc.patch \
file://grub-module-explicitly-keeps-symbole-.module_license.patch \
file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
- file://CVE-2020-10713.patch \
- file://calloc-Make-sure-we-always-have-an-overflow-checking.patch \
- file://lvm-Add-LVM-cache-logical-volume-handling.patch \
- file://CVE-2020-14308-calloc-Use-calloc-at-most-places.patch \
- file://safemath-Add-some-arithmetic-primitives-that-check-f.patch \
- file://CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch \
- file://script-Remove-unused-fields-from-grub_script_functio.patch \
- file://CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
- file://CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
file://determinism.patch \
+ file://0001-RISC-V-Restore-the-typcast-to-long.patch \
+ file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \
+ file://0001-configure.ac-Use-_zicsr_zifencei-extentions-on-riscv.patch \
+ file://video-Remove-trailing-whitespaces.patch \
+ file://CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch \
+ file://CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch \
+ file://video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch \
+ file://video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch \
+ file://CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch \
+ file://CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch \
+ file://CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch \
+ file://CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch \
+ file://CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch \
+ file://0001-configure-Remove-obsoleted-malign-jumps-loops-functi.patch \
+ file://0002-configure-Check-for-falign-jumps-1-beside-falign-loo.patch \
+ file://loader-efi-chainloader-Simplify-the-loader-state.patch \
+ file://commands-boot-Add-API-to-pass-context-to-loader.patch \
+ file://CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch\
+ file://0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
+ file://CVE-2022-2601.patch \
+ file://CVE-2022-3775.patch \
"
-SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
-SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
+
+SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
+
+# Applies only to RHEL
+CVE_CHECK_IGNORE += "CVE-2019-14865"
+# Applies only to SUSE
+CVE_CHECK_IGNORE += "CVE-2021-46705"
DEPENDS = "flex-native bison-native gettext-native"
-COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*|riscv.*)-(linux.*|freebsd.*)'
-COMPATIBLE_HOST_armv7a = 'null'
-COMPATIBLE_HOST_armv7ve = 'null'
+GRUB_COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*|riscv.*)-(linux.*|freebsd.*)'
+COMPATIBLE_HOST = "${GRUB_COMPATIBLE_HOST}"
+# Grub doesn't support hard float toolchain and won't be able to forcefully
+# disable it on some of the target CPUs. See 'configure.ac' for
+# supported/unsupported CPUs in hardfp.
+COMPATIBLE_HOST:armv7a = "${@'null' if bb.utils.contains('TUNE_CCARGS_MFLOAT', 'hard', True, False, d) else d.getVar('GRUB_COMPATIBLE_HOST')}"
+COMPATIBLE_HOST:armv7ve = "${@'null' if bb.utils.contains('TUNE_CCARGS_MFLOAT', 'hard', True, False, d) else d.getVar('GRUB_COMPATIBLE_HOST')}"
# configure.ac has code to set this automagically from the target tuple
# but the OE freeform one (core2-foo-bar-linux) don't work with that.
-GRUBPLATFORM_arm = "efi"
-GRUBPLATFORM_aarch64 = "efi"
-GRUBPLATFORM_riscv32 = "efi"
-GRUBPLATFORM_riscv64 = "efi"
+GRUBPLATFORM:arm = "efi"
+GRUBPLATFORM:aarch64 = "efi"
+GRUBPLATFORM:riscv32 = "efi"
+GRUBPLATFORM:riscv64 = "efi"
GRUBPLATFORM ??= "pc"
inherit autotools gettext texinfo pkgconfig
+CFLAGS:remove = "-O2"
+
EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
--disable-grub-mkfont \
--program-prefix="" \
@@ -73,7 +96,7 @@ BUILD_LDFLAGS = ""
export PYTHON = "python3"
-do_configure_prepend() {
+do_configure:prepend() {
cd ${S}
FROM_BOOTSTRAP=1 ${S}/autogen.sh
cd ${B}
diff --git a/meta/recipes-bsp/grub/grub_2.04.bb b/meta/recipes-bsp/grub/grub_2.04.bb
deleted file mode 100644
index f2942b9e37..0000000000
--- a/meta/recipes-bsp/grub/grub_2.04.bb
+++ /dev/null
@@ -1,38 +0,0 @@
-require grub2.inc
-
-RDEPENDS_${PN}-common += "${PN}-editenv"
-RDEPENDS_${PN} += "${PN}-common"
-RDEPENDS_${PN}_class-native = ""
-
-RPROVIDES_${PN}-editenv += "${PN}-efi-editenv"
-
-PROVIDES_append_class-native = " grub-efi-native"
-
-PACKAGES =+ "${PN}-editenv ${PN}-common"
-FILES_${PN}-editenv = "${bindir}/grub-editenv"
-FILES_${PN}-common = " \
- ${bindir} \
- ${sysconfdir} \
- ${sbindir} \
- ${datadir}/grub \
-"
-
-FILES_${PN}-common_append_aarch64 = " \
- ${libdir}/${BPN} \
-"
-
-do_install_append () {
- install -d ${D}${sysconfdir}/grub.d
- # Remove build host references...
- find "${D}" -name modinfo.sh -type f -exec \
- sed -i \
- -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
- -e 's|${DEBUG_PREFIX_MAP}||g' \
- -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
- {} +
-}
-
-INSANE_SKIP_${PN} = "arch"
-INSANE_SKIP_${PN}-dbg = "arch"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-bsp/grub/grub_2.06.bb b/meta/recipes-bsp/grub/grub_2.06.bb
new file mode 100644
index 0000000000..05d462785c
--- /dev/null
+++ b/meta/recipes-bsp/grub/grub_2.06.bb
@@ -0,0 +1,41 @@
+require grub2.inc
+
+RDEPENDS:${PN}-common += "${PN}-editenv"
+RDEPENDS:${PN} += "${PN}-common"
+RDEPENDS:${PN}:class-native = ""
+
+RPROVIDES:${PN}-editenv += "${PN}-efi-editenv"
+
+PROVIDES:append:class-native = " grub-efi-native"
+
+PACKAGES =+ "${PN}-editenv ${PN}-common"
+FILES:${PN}-editenv = "${bindir}/grub-editenv"
+FILES:${PN}-common = " \
+ ${bindir} \
+ ${sysconfdir} \
+ ${sbindir} \
+ ${datadir}/grub \
+"
+ALLOW_EMPTY:${PN} = "1"
+
+do_install:append () {
+ # Avoid conflicts with the EFI package for systems such as arm64 where we
+ # need to build grub and grub-efi but only EFI is supported by removing EFI
+ # from this package.
+ rm -rf ${D}${libdir}/grub/*-efi/
+ rmdir --ignore-fail-on-non-empty ${D}${libdir}/grub ${D}${libdir}
+
+ install -d ${D}${sysconfdir}/grub.d
+ # Remove build host references...
+ find "${D}" -name modinfo.sh -type f -exec \
+ sed -i \
+ -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's|${DEBUG_PREFIX_MAP}||g' \
+ -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
+ {} +
+}
+
+INSANE_SKIP:${PN} = "arch"
+INSANE_SKIP:${PN}-dbg = "arch"
+
+BBCLASSEXTEND = "native nativesdk"
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-19 06:34:52 +0000