import grub2-2.02-162.el8_10

SOURCES/0612-kern-file-Ensure-file-data-is-set.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 03:01:40 +0100
+Subject: [PATCH] kern/file: Ensure file->data is set
+
+This is to avoid a generic issue were some filesystems would not set
+data and also not set a grub_errno. This meant it was possible for many
+filesystems to grub_dl_unref() themselves multiple times resulting in
+it being possible to unload the filesystems while there were still
+references to them, e.g., via a loopback.
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 5e1f29d0d..596f16ced 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -121,6 +121,9 @@ grub_file_open (const char *name, enum grub_file_type type)
+   if ((file->fs->open) (file, file_name) != GRUB_ERR_NONE)
+     goto fail;
+ 
++  if (file->data == NULL)
++    goto fail;
++
+   file->name = grub_strdup (name);
+   grub_errno = GRUB_ERR_NONE;
+ 

SOURCES/0613-kern-file-Implement-filesystem-reference-counting.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 10:15:03 +0100
+Subject: [PATCH] kern/file: Implement filesystem reference counting
+
+The grub_file_open() and grub_file_close() should be the only places
+that allow a reference to a filesystem to stay open. So, add grub_dl_t
+to grub_fs_t and set this in the GRUB_MOD_INIT() for each filesystem to
+avoid issues when filesystems forget to do it themselves or do not track
+their own references, e.g. squash4.
+
+The fs_label(), fs_uuid(), fs_mtime() and fs_read() should all ref and
+unref in the same function but it is essentially redundant in GRUB
+single threaded model.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/affs.c     | 1 +
+ grub-core/fs/bfs.c      | 1 +
+ grub-core/fs/btrfs.c    | 1 +
+ grub-core/fs/cbfs.c     | 1 +
+ grub-core/fs/cpio.c     | 1 +
+ grub-core/fs/cpio_be.c  | 1 +
+ grub-core/fs/ext2.c     | 1 +
+ grub-core/fs/f2fs.c     | 1 +
+ grub-core/fs/fat.c      | 1 +
+ grub-core/fs/hfs.c      | 1 +
+ grub-core/fs/hfsplus.c  | 1 +
+ grub-core/fs/iso9660.c  | 1 +
+ grub-core/fs/jfs.c      | 1 +
+ grub-core/fs/minix.c    | 1 +
+ grub-core/fs/newc.c     | 1 +
+ grub-core/fs/nilfs2.c   | 1 +
+ grub-core/fs/ntfs.c     | 1 +
+ grub-core/fs/odc.c      | 1 +
+ grub-core/fs/proc.c     | 1 +
+ grub-core/fs/reiserfs.c | 1 +
+ grub-core/fs/romfs.c    | 1 +
+ grub-core/fs/sfs.c      | 1 +
+ grub-core/fs/squash4.c  | 1 +
+ grub-core/fs/tar.c      | 1 +
+ grub-core/fs/udf.c      | 1 +
+ grub-core/fs/ufs.c      | 1 +
+ grub-core/fs/xfs.c      | 1 +
+ grub-core/fs/zfs/zfs.c  | 1 +
+ grub-core/kern/file.c   | 4 ++++
+ include/grub/fs.h       | 4 ++++
+ 30 files changed, 36 insertions(+)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index e4615c743..6347ca368 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -699,6 +699,7 @@ static struct grub_fs grub_affs_fs =
+ 
+ GRUB_MOD_INIT(affs)
+ {
++  grub_affs_fs.mod = mod;
+   grub_fs_register (&grub_affs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
+index d2b490bce..6afdfc987 100644
+--- a/grub-core/fs/bfs.c
++++ b/grub-core/fs/bfs.c
+@@ -1104,6 +1104,7 @@ GRUB_MOD_INIT (bfs)
+ {
+   COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
+ 		       sizeof (struct grub_bfs_extent));
++  grub_bfs_fs.mod = mod;
+   grub_fs_register (&grub_bfs_fs);
+ }
+ 
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 9da2952f7..65213549e 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -2802,6 +2802,7 @@ subvol_get_env (struct grub_env_var *var __attribute__ ((unused)),
+ 
+ GRUB_MOD_INIT (btrfs)
+ {
++  grub_btrfs_fs.mod = mod;
+   grub_fs_register (&grub_btrfs_fs);
+   cmd_info = grub_register_command("btrfs-info", grub_cmd_btrfs_info,
+ 				   "DEVICE",
+diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
+index 0842701a6..395edcbbd 100644
+--- a/grub-core/fs/cbfs.c
++++ b/grub-core/fs/cbfs.c
+@@ -390,6 +390,7 @@ GRUB_MOD_INIT (cbfs)
+ #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
+   init_cbfsdisk ();
+ #endif
++  grub_cbfs_fs.mod = mod;
+   grub_fs_register (&grub_cbfs_fs);
+ }
+ 
+diff --git a/grub-core/fs/cpio.c b/grub-core/fs/cpio.c
+index dab5f9898..1799f7ff5 100644
+--- a/grub-core/fs/cpio.c
++++ b/grub-core/fs/cpio.c
+@@ -52,6 +52,7 @@ read_number (const grub_uint16_t *arr, grub_size_t size)
+ 
+ GRUB_MOD_INIT (cpio)
+ {
++  grub_cpio_fs.mod = mod;
+   grub_fs_register (&grub_cpio_fs);
+ }
+ 
+diff --git a/grub-core/fs/cpio_be.c b/grub-core/fs/cpio_be.c
+index 846548892..7bed1b848 100644
+--- a/grub-core/fs/cpio_be.c
++++ b/grub-core/fs/cpio_be.c
+@@ -52,6 +52,7 @@ read_number (const grub_uint16_t *arr, grub_size_t size)
+ 
+ GRUB_MOD_INIT (cpio_be)
+ {
++  grub_cpio_fs.mod = mod;
+   grub_fs_register (&grub_cpio_fs);
+ }
+ 
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index de5c268a9..dc62a6cfe 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -1105,6 +1105,7 @@ static struct grub_fs grub_ext2_fs =
+ 
+ GRUB_MOD_INIT(ext2)
+ {
++  grub_ext2_fs.mod = mod;
+   grub_fs_register (&grub_ext2_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
+index 706e595d3..149f33695 100644
+--- a/grub-core/fs/f2fs.c
++++ b/grub-core/fs/f2fs.c
+@@ -1339,6 +1339,7 @@ static struct grub_fs grub_f2fs_fs = {
+ 
+ GRUB_MOD_INIT (f2fs)
+ {
++  grub_f2fs_fs.mod = mod;
+   grub_fs_register (&grub_f2fs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/fat.c b/grub-core/fs/fat.c
+index 8d8dc35ce..72785a798 100644
+--- a/grub-core/fs/fat.c
++++ b/grub-core/fs/fat.c
+@@ -1254,6 +1254,7 @@ GRUB_MOD_INIT(fat)
+ #endif
+ {
+   COMPILE_TIME_ASSERT (sizeof (struct grub_fat_dir_entry) == 32);
++  grub_fat_fs.mod = mod;
+   grub_fs_register (&grub_fat_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
+index 44859fe43..66b9fca83 100644
+--- a/grub-core/fs/hfs.c
++++ b/grub-core/fs/hfs.c
+@@ -1434,6 +1434,7 @@ static struct grub_fs grub_hfs_fs =
+ 
+ GRUB_MOD_INIT(hfs)
+ {
++  grub_hfs_fs.mod = mod;
+   if (!grub_is_lockdown ())
+     grub_fs_register (&grub_hfs_fs);
+   my_mod = mod;
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 2edb1649d..a1805eed0 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1139,6 +1139,7 @@ static struct grub_fs grub_hfsplus_fs =
+ 
+ GRUB_MOD_INIT(hfsplus)
+ {
++  grub_hfsplus_fs.mod = mod;
+   grub_fs_register (&grub_hfsplus_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index cf17702e2..576505535 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -1165,6 +1165,7 @@ static struct grub_fs grub_iso9660_fs =
+ 
+ GRUB_MOD_INIT(iso9660)
+ {
++  grub_iso9660_fs.mod = mod;
+   grub_fs_register (&grub_iso9660_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
+index 739b3c540..46941248b 100644
+--- a/grub-core/fs/jfs.c
++++ b/grub-core/fs/jfs.c
+@@ -998,6 +998,7 @@ static struct grub_fs grub_jfs_fs =
+ 
+ GRUB_MOD_INIT(jfs)
+ {
++  grub_jfs_fs.mod = mod;
+   grub_fs_register (&grub_jfs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c
+index d451b3426..28571c49e 100644
+--- a/grub-core/fs/minix.c
++++ b/grub-core/fs/minix.c
+@@ -716,6 +716,7 @@ GRUB_MOD_INIT(minix)
+ #endif
+ #endif
+ {
++  grub_minix_fs.mod = mod;
+   grub_fs_register (&grub_minix_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/newc.c b/grub-core/fs/newc.c
+index 4fb8b2e3d..43b7f8b64 100644
+--- a/grub-core/fs/newc.c
++++ b/grub-core/fs/newc.c
+@@ -64,6 +64,7 @@ read_number (const char *str, grub_size_t size)
+ 
+ GRUB_MOD_INIT (newc)
+ {
++  grub_cpio_fs.mod = mod;
+   grub_fs_register (&grub_cpio_fs);
+ }
+ 
+diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
+index c4c4610be..3c1e4d1f6 100644
+--- a/grub-core/fs/nilfs2.c
++++ b/grub-core/fs/nilfs2.c
+@@ -1231,6 +1231,7 @@ GRUB_MOD_INIT (nilfs2)
+ 				  grub_nilfs2_dat_entry));
+   COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE
+ 		       == sizeof (struct grub_nilfs2_inode));
++  grub_nilfs2_fs.mod = mod;
+   grub_fs_register (&grub_nilfs2_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 86222413c..9244e95dd 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -1537,6 +1537,7 @@ static struct grub_fs grub_ntfs_fs =
+ 
+ GRUB_MOD_INIT (ntfs)
+ {
++  grub_ntfs_fs.mod = mod;
+   grub_fs_register (&grub_ntfs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/odc.c b/grub-core/fs/odc.c
+index 790000622..8e4e8aeac 100644
+--- a/grub-core/fs/odc.c
++++ b/grub-core/fs/odc.c
+@@ -52,6 +52,7 @@ read_number (const char *str, grub_size_t size)
+ 
+ GRUB_MOD_INIT (odc)
+ {
++  grub_cpio_fs.mod = mod;
+   grub_fs_register (&grub_cpio_fs);
+ }
+ 
+diff --git a/grub-core/fs/proc.c b/grub-core/fs/proc.c
+index 31f3aa9a4..317118b81 100644
+--- a/grub-core/fs/proc.c
++++ b/grub-core/fs/proc.c
+@@ -192,6 +192,7 @@ static struct grub_fs grub_procfs_fs =
+ 
+ GRUB_MOD_INIT (procfs)
+ {
++  grub_procfs_fs.mod = mod;
+   grub_disk_dev_register (&grub_procfs_dev);
+   grub_fs_register (&grub_procfs_fs);
+ }
+diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c
+index 9556c15ff..e65b81467 100644
+--- a/grub-core/fs/reiserfs.c
++++ b/grub-core/fs/reiserfs.c
+@@ -1407,6 +1407,7 @@ static struct grub_fs grub_reiserfs_fs =
+ 
+ GRUB_MOD_INIT(reiserfs)
+ {
++  grub_reiserfs_fs.mod = mod;
+   grub_fs_register (&grub_reiserfs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c
+index 2e3544408..f282cff86 100644
+--- a/grub-core/fs/romfs.c
++++ b/grub-core/fs/romfs.c
+@@ -475,6 +475,7 @@ static struct grub_fs grub_romfs_fs =
+ 
+ GRUB_MOD_INIT(romfs)
+ {
++  grub_romfs_fs.mod = mod;
+   grub_fs_register (&grub_romfs_fs);
+ }
+ 
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 61d6c303c..c6b9fb49a 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -779,6 +779,7 @@ static struct grub_fs grub_sfs_fs =
+ 
+ GRUB_MOD_INIT(sfs)
+ {
++  grub_sfs_fs.mod = mod;
+   grub_fs_register (&grub_sfs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index f9bef38fc..1505832d5 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -1032,6 +1032,7 @@ static struct grub_fs grub_squash_fs =
+ 
+ GRUB_MOD_INIT(squash4)
+ {
++  grub_squash_fs.mod = mod;
+   grub_fs_register (&grub_squash_fs);
+ }
+ 
+diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
+index 28baa5845..01738ec55 100644
+--- a/grub-core/fs/tar.c
++++ b/grub-core/fs/tar.c
+@@ -354,6 +354,7 @@ static struct grub_fs grub_cpio_fs = {
+ 
+ GRUB_MOD_INIT (tar)
+ {
++  grub_cpio_fs.mod = mod;
+   grub_fs_register (&grub_cpio_fs);
+ }
+ 
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index 6670beb56..8db2b5686 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -1382,6 +1382,7 @@ static struct grub_fs grub_udf_fs = {
+ 
+ GRUB_MOD_INIT (udf)
+ {
++  grub_udf_fs.mod = mod;
+   grub_fs_register (&grub_udf_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
+index 0c2004fd7..a2c63d646 100644
+--- a/grub-core/fs/ufs.c
++++ b/grub-core/fs/ufs.c
+@@ -899,6 +899,7 @@ GRUB_MOD_INIT(ufs1)
+ #endif
+ #endif
+ {
++  grub_ufs_fs.mod = mod;
+   grub_fs_register (&grub_ufs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index c9818a96a..5b7643eb1 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -1167,6 +1167,7 @@ static struct grub_fs grub_xfs_fs =
+ 
+ GRUB_MOD_INIT(xfs)
+ {
++  grub_xfs_fs.mod = mod;
+   grub_fs_register (&grub_xfs_fs);
+   my_mod = mod;
+ }
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0d8c08eec..0c4b15f08 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -4391,6 +4391,7 @@ static struct grub_fs grub_zfs_fs = {
+ GRUB_MOD_INIT (zfs)
+ {
+   COMPILE_TIME_ASSERT (sizeof (zap_leaf_chunk_t) == ZAP_LEAF_CHUNKSIZE);
++  grub_zfs_fs.mod = mod;
+   grub_fs_register (&grub_zfs_fs);
+ #ifndef GRUB_UTIL
+   my_mod = mod;
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 596f16ced..7e64609d4 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -25,6 +25,7 @@
+ #include <grub/fs.h>
+ #include <grub/device.h>
+ #include <grub/i18n.h>
++#include <grub/dl.h>
+ 
+ void (*EXPORT_VAR (grub_grubnet_fini)) (void);
+ 
+@@ -124,6 +125,9 @@ grub_file_open (const char *name, enum grub_file_type type)
+   if (file->data == NULL)
+     goto fail;
+ 
++  if (file->fs->mod)
++    grub_dl_ref (file->fs->mod);
++
+   file->name = grub_strdup (name);
+   grub_errno = GRUB_ERR_NONE;
+ 
+diff --git a/include/grub/fs.h b/include/grub/fs.h
+index 5678c60c2..cb1040b50 100644
+--- a/include/grub/fs.h
++++ b/include/grub/fs.h
+@@ -23,6 +23,7 @@
+ #include <grub/device.h>
+ #include <grub/symbol.h>
+ #include <grub/types.h>
++#include <grub/dl.h>
+ 
+ #include <grub/list.h>
+ /* For embedding types.  */
+@@ -57,6 +58,9 @@ struct grub_fs
+   /* My name.  */
+   const char *name;
+ 
++  /* My module */
++  grub_dl_t mod;
++
+   /* Call HOOK with each file under DIR.  */
+   grub_err_t (*dir) (grub_device_t device, const char *path,
+ 		     grub_fs_dir_hook_t hook, void *hook_data);

SOURCES/0614-disk-loopback-Reference-tracking-for-the-loopback.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 03:26:19 +0100
+Subject: [PATCH] disk/loopback: Reference tracking for the loopback
+
+It was possible to delete a loopback while there were still references
+to it. This led to an exploitable use-after-free.
+
+Fixed by implementing a reference counting in the grub_loopback struct.
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/disk/loopback.c | 18 ++++++++++++++++++
+ include/grub/err.h        |  3 ++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/disk/loopback.c b/grub-core/disk/loopback.c
+index 9406d931c..e7052a9cb 100644
+--- a/grub-core/disk/loopback.c
++++ b/grub-core/disk/loopback.c
+@@ -24,6 +24,7 @@
+ #include <grub/mm.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -33,6 +34,7 @@ struct grub_loopback
+   grub_file_t file;
+   struct grub_loopback *next;
+   unsigned long id;
++  grub_uint64_t refcnt;
+ };
+ 
+ static struct grub_loopback *loopback_list;
+@@ -63,6 +65,8 @@ delete_loopback (const char *name)
+   if (! dev)
+     return grub_error (GRUB_ERR_BAD_DEVICE, "device not found");
+ 
++  if (dev->refcnt > 0)
++    return grub_error (GRUB_ERR_STILL_REFERENCED, "device still referenced");
+   /* Remove the device from the list.  */
+   *prev = dev->next;
+ 
+@@ -124,6 +128,7 @@ grub_cmd_loopback (grub_extcmd_context_t ctxt, int argc, char **args)
+ 
+   newdev->file = file;
+   newdev->id = last_id++;
++  newdev->refcnt = 0;
+ 
+   /* Add the new entry to the list.  */
+   newdev->next = loopback_list;
+@@ -165,6 +170,9 @@ grub_loopback_open (const char *name, grub_disk_t disk)
+   if (! dev)
+     return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "can't open device");
+ 
++  if (grub_add (dev->refcnt, 1, &dev->refcnt))
++    grub_fatal ("Reference count overflow");
++
+   /* Use the filesize for the disk size, round up to a complete sector.  */
+   if (dev->file->size != GRUB_FILE_SIZE_UNKNOWN)
+     disk->total_sectors = ((dev->file->size + GRUB_DISK_SECTOR_SIZE - 1)
+@@ -182,6 +190,15 @@ grub_loopback_open (const char *name, grub_disk_t disk)
+   return 0;
+ }
+ 
++static void
++grub_loopback_close (grub_disk_t disk)
++{
++  struct grub_loopback *dev = disk->data;
++
++  if (grub_sub (dev->refcnt, 1, &dev->refcnt))
++    grub_fatal ("Reference count underflow");
++}
++
+ static grub_err_t
+ grub_loopback_read (grub_disk_t disk, grub_disk_addr_t sector,
+ 		    grub_size_t size, char *buf)
+@@ -224,6 +241,7 @@ static struct grub_disk_dev grub_loopback_dev =
+     .id = GRUB_DISK_DEVICE_LOOPBACK_ID,
+     .iterate = grub_loopback_iterate,
+     .open = grub_loopback_open,
++    .close = grub_loopback_close,
+     .read = grub_loopback_read,
+     .write = grub_loopback_write,
+     .next = 0
+diff --git a/include/grub/err.h b/include/grub/err.h
+index 9b830757d..1b5335610 100644
+--- a/include/grub/err.h
++++ b/include/grub/err.h
+@@ -71,7 +71,8 @@ typedef enum
+     GRUB_ERR_NET_PACKET_TOO_BIG,
+     GRUB_ERR_NET_NO_DOMAIN,
+     GRUB_ERR_EOF,
+-    GRUB_ERR_BAD_SIGNATURE
++    GRUB_ERR_BAD_SIGNATURE,
++    GRUB_ERR_STILL_REFERENCED
+   }
+ grub_err_t;
+ 

SOURCES/0615-kern-disk-Limit-recursion-depth.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 04:09:24 +0100
+Subject: [PATCH] kern/disk: Limit recursion depth
+
+The grub_disk_read() may trigger other disk reads, e.g. via loopbacks.
+This may lead to very deep recursion which can corrupt the heap. So, fix
+the issue by limiting reads depth.
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/disk.c | 27 ++++++++++++++++++++-------
+ include/grub/err.h    |  3 ++-
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/kern/disk.c b/grub-core/kern/disk.c
+index 7f58c5614..62d6a85cc 100644
+--- a/grub-core/kern/disk.c
++++ b/grub-core/kern/disk.c
+@@ -28,6 +28,10 @@
+ 
+ #define	GRUB_CACHE_TIMEOUT	2
+ 
++/* Disk reads may trigger other disk reads. So, limit recursion depth. */
++#define MAX_READ_RECURSION_DEPTH	16
++static unsigned int read_recursion_depth = 0;
++
+ /* The last time the disk was used.  */
+ static grub_uint64_t grub_last_time = 0;
+ 
+@@ -417,6 +421,8 @@ grub_err_t
+ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,
+ 		grub_off_t offset, grub_size_t size, void *buf)
+ {
++  grub_err_t err = GRUB_ERR_NONE;
++
+   /* First of all, check if the region is within the disk.  */
+   if (grub_disk_adjust_range (disk, &sector, &offset, size) != GRUB_ERR_NONE)
+     {
+@@ -427,12 +433,17 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,
+       return grub_errno;
+     }
+ 
++  if (++read_recursion_depth >= MAX_READ_RECURSION_DEPTH)
++    {
++      grub_error (GRUB_ERR_RECURSION_DEPTH, "grub_disk_read(): Maximum recursion depth exceeded");
++      goto error;
++    }
++
+   /* First read until first cache boundary.   */
+   if (offset || (sector & (GRUB_DISK_CACHE_SIZE - 1)))
+     {
+       grub_disk_addr_t start_sector;
+       grub_size_t pos;
+-      grub_err_t err;
+       grub_size_t len;
+ 
+       start_sector = sector & ~((grub_disk_addr_t) GRUB_DISK_CACHE_SIZE - 1);
+@@ -444,7 +455,7 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,
+       err = grub_disk_read_small (disk, start_sector,
+ 				  offset + pos, len, buf);
+       if (err)
+-	return err;
++	goto error;
+       buf = (char *) buf + len;
+       size -= len;
+       offset += len;
+@@ -457,7 +468,6 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,
+     {
+       char *data = NULL;
+       grub_disk_addr_t agglomerate;
+-      grub_err_t err;
+ 
+       /* agglomerate read until we find a first cached entry.  */
+       for (agglomerate = 0; agglomerate
+@@ -493,7 +503,7 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,
+ 						   - disk->log_sector_size),
+ 				   buf);
+ 	  if (err)
+-	    return err;
++	    goto error;
+ 	  
+ 	  for (i = 0; i < agglomerate; i ++)
+ 	    grub_disk_cache_store (disk->dev->id, disk->id,
+@@ -527,13 +537,16 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,
+   /* And now read the last part.  */
+   if (size)
+     {
+-      grub_err_t err;
+       err = grub_disk_read_small (disk, sector, 0, size, buf);
+       if (err)
+-	return err;
++	goto error;
+     }
+ 
+-  return grub_errno;
++  err = grub_errno;
++
++ error:
++  read_recursion_depth--;
++  return err;
+ }
+ 
+ grub_uint64_t
+diff --git a/include/grub/err.h b/include/grub/err.h
+index 1b5335610..670d40967 100644
+--- a/include/grub/err.h
++++ b/include/grub/err.h
+@@ -72,7 +72,8 @@ typedef enum
+     GRUB_ERR_NET_NO_DOMAIN,
+     GRUB_ERR_EOF,
+     GRUB_ERR_BAD_SIGNATURE,
+-    GRUB_ERR_STILL_REFERENCED
++    GRUB_ERR_STILL_REFERENCED,
++    GRUB_ERR_RECURSION_DEPTH
+   }
+ grub_err_t;
+ 

SOURCES/0616-kern-partition-Limit-recursion-in-part_iterate.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sat, 16 Nov 2024 21:24:19 +0000
+Subject: [PATCH] kern/partition: Limit recursion in part_iterate()
+
+The part_iterate() is used by grub_partition_iterate() as a callback in
+the partition iterate functions. However, part_iterate() may also call
+the partition iterate functions which may lead to recursion. Fix potential
+issue by limiting the recursion depth.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/partition.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
+index 3068c4dca..f3f125e75 100644
+--- a/grub-core/kern/partition.c
++++ b/grub-core/kern/partition.c
+@@ -28,6 +28,9 @@
+ 
+ grub_partition_map_t grub_partition_map_list;
+ 
++#define MAX_RECURSION_DEPTH	32
++static unsigned int recursion_depth = 0;
++
+ /*
+  * Checks that disk->partition contains part.  This function assumes that the
+  * start of part is relative to the start of disk->partition.  Returns 1 if
+@@ -208,7 +211,12 @@ part_iterate (grub_disk_t dsk, const grub_partition_t partition, void *data)
+       FOR_PARTITION_MAPS(partmap)
+       {
+ 	grub_err_t err;
+-	err = partmap->iterate (dsk, part_iterate, ctx);
++	recursion_depth++;
++	if (recursion_depth <= MAX_RECURSION_DEPTH)
++	  err = partmap->iterate (dsk, part_iterate, ctx);
++	else
++	  err = grub_error (GRUB_ERR_RECURSION_DEPTH, "maximum recursion depth exceeded");
++	recursion_depth--;
+ 	if (err)
+ 	  grub_errno = GRUB_ERR_NONE;
+ 	if (ctx->ret)

SOURCES/0617-script-execute-Limit-the-recursion-depth.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 18 Apr 2024 19:04:13 +0100
+Subject: [PATCH] script/execute: Limit the recursion depth
+
+If unbounded recursion is allowed it becomes possible to collide the
+stack with the heap. As UEFI firmware often lacks guard pages this
+becomes an exploitable issue as it is possible in some cases to do
+a controlled overwrite of a section of this heap region with
+arbitrary data.
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/script/execute.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 266d99ed3..ef9a01642 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -36,10 +36,18 @@
+    is sizeof (int) * 3, and one extra for a possible -ve sign.  */
+ #define ERRNO_DIGITS_MAX  (sizeof (int) * 3 + 1)
+ 
++/*
++ * A limit on recursion, to avoid colliding with the heap. UEFI defines a baseline
++ * stack size of 128 KiB. So, assuming at most 1-2 KiB per iteration this should
++ * keep us safe.
++ */
++#define MAX_RECURSION_DEPTH 64
++
+ static unsigned long is_continue;
+ static unsigned long active_loops;
+ static unsigned long active_breaks;
+ static unsigned long function_return;
++static unsigned long recursion_depth;
+ 
+ #define GRUB_SCRIPT_SCOPE_MALLOCED      1
+ #define GRUB_SCRIPT_SCOPE_ARGS_MALLOCED 2
+@@ -850,7 +858,13 @@ grub_script_execute_cmd (struct grub_script_cmd *cmd)
+   if (cmd == 0)
+     return 0;
+ 
++  recursion_depth++;
++
++  if (recursion_depth >= MAX_RECURSION_DEPTH)
++    return grub_error (GRUB_ERR_RECURSION_DEPTH, N_("maximum recursion depth exceeded"));
++
+   ret = cmd->exec (cmd);
++  recursion_depth--;
+ 
+   grub_snprintf (errnobuf, sizeof (errnobuf), "%d", ret);
+   grub_env_set ("?", errnobuf);

SOURCES/0618-net-Unregister-net_default_ip-and-net_default_mac-va.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 28 Nov 2024 04:05:04 +0000
+Subject: [PATCH] net: Unregister net_default_ip and net_default_mac variables
+ hooks on unload
+
+The net module is a dependency of normal. So, it shouldn't be possible
+to unload the net. Though unregister variables hooks as a precaution.
+It also gets in line with unregistering the other net module hooks.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index b9e2a4d10..c78c8694b 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -2161,6 +2161,8 @@ GRUB_MOD_FINI(net)
+ 
+   grub_register_variable_hook ("net_default_server", 0, 0);
+   grub_register_variable_hook ("pxe_default_server", 0, 0);
++  grub_register_variable_hook ("net_default_ip", 0, 0);
++  grub_register_variable_hook ("net_default_mac", 0, 0);
+ 
+   grub_bootp_fini ();
+   grub_dns_fini ();

SOURCES/0619-net-Remove-variables-hooks-when-interface-is-unregis.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:49:48 +0000
+Subject: [PATCH] net: Remove variables hooks when interface is unregisted
+
+The grub_net_network_level_interface_unregister(), previously
+implemented in a header, did not remove the variables hooks that
+were registered in grub_net_network_level_interface_register().
+Fix this by implementing the same logic used to register the
+variables and move the function into the grub-core/net/net.c.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c | 34 ++++++++++++++++++++++++++++++++++
+ include/grub/net.h  | 11 +----------
+ 2 files changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index c78c8694b..69223164d 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1051,6 +1051,40 @@ grub_net_add_ipv6_local (struct grub_net_network_level_interface *inter,
+   return 0;
+ }
+ 
++void
++grub_net_network_level_interface_unregister (struct grub_net_network_level_interface *inter)
++{
++  char *name;
++
++  {
++    char buf[GRUB_NET_MAX_STR_HWADDR_LEN];
++
++    grub_net_hwaddr_to_str (&inter->hwaddress, buf);
++    name = grub_xasprintf ("net_%s_mac", inter->name);
++    if (name != NULL)
++      grub_register_variable_hook (name, NULL, NULL);
++    grub_free (name);
++  }
++
++  {
++    char buf[GRUB_NET_MAX_STR_ADDR_LEN];
++
++    grub_net_addr_to_str (&inter->address, buf);
++    name = grub_xasprintf ("net_%s_ip", inter->name);
++    if (name != NULL)
++      grub_register_variable_hook (name, NULL, NULL);
++    grub_free (name);
++  }
++
++  inter->card->num_ifaces--;
++  *inter->prev = inter->next;
++  if (inter->next)
++    inter->next->prev = inter->prev;
++  inter->next = 0;
++  inter->prev = 0;
++}
++
++
+ grub_err_t
+ grub_net_add_ipv4_local (struct grub_net_network_level_interface *inter,
+ 			 int mask)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 0d31f0066..4a815fa91 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -607,16 +607,7 @@ void grub_bootp_fini (void);
+ void grub_dns_init (void);
+ void grub_dns_fini (void);
+ 
+-static inline void
+-grub_net_network_level_interface_unregister (struct grub_net_network_level_interface *inter)
+-{
+-  inter->card->num_ifaces--;
+-  *inter->prev = inter->next;
+-  if (inter->next)
+-    inter->next->prev = inter->prev;
+-  inter->next = 0;
+-  inter->prev = 0;
+-}
++void grub_net_network_level_interface_unregister (struct grub_net_network_level_interface *inter);
+ 
+ void
+ grub_net_tcp_retransmit (void);

SOURCES/0620-net-Fix-OOB-write-in-grub_net_search_config_file.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 15 Nov 2024 13:12:09 +0000
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c     | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h      | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 69223164d..f0896979d 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1940,9 +1940,9 @@ grub_net_restore_hw (void)
+ }
+ 
+ grub_err_t
+-grub_net_search_configfile (char *config)
++grub_net_search_configfile (char *config, grub_size_t config_buf_len)
+ {
+-  grub_size_t config_len;
++  grub_size_t config_len, suffix_len;
+   char *suffix;
+ 
+   auto int search_through (grub_size_t num_tries, grub_size_t slice_size);
+@@ -1979,6 +1979,7 @@ grub_net_search_configfile (char *config)
+   config_len = grub_strlen (config);
+   config[config_len] = '-';
+   suffix = config + config_len + 1;
++  suffix_len = config_buf_len - (config_len + 1);
+ 
+   struct grub_net_network_level_interface *inf;
+   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -2004,7 +2005,7 @@ grub_net_search_configfile (char *config)
+ 
+       if (client_uuid)
+         {
+-          grub_strcpy (suffix, client_uuid);
++          grub_strlcpy (suffix, client_uuid, suffix_len);
+           if (search_through (1, 0) == 0) return GRUB_ERR_NONE;
+         }
+ 
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 93f33c167..f5e9b54f7 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -349,7 +349,7 @@ grub_try_normal_prefix (const char *prefix)
+ 	  return err;
+ 
+ 	grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+-	err = grub_net_search_configfile (config);
++	err = grub_net_search_configfile (config, config_len);
+       }
+ 
+     if (err != GRUB_ERR_NONE)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 4a815fa91..8c8521944 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -646,6 +646,6 @@ extern char *grub_net_default_server;
+ #define VLANTAG_IDENTIFIER 0x8100
+ 
+ grub_err_t
+-grub_net_search_configfile (char *config);
++grub_net_search_configfile (char *config, grub_size_t config_buf_len);
+ 
+ #endif /* ! GRUB_NET_HEADER */

SOURCES/0621-net-tftp-Fix-stack-buffer-overflow-in-tftp_open.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 18 Apr 2024 17:32:34 +0100
+Subject: [PATCH] net/tftp: Fix stack buffer overflow in tftp_open()
+
+An overly long filename can be passed to tftp_open() which would cause
+grub_normalize_filename() to write out of bounds.
+
+Fixed by adding an extra argument to grub_normalize_filename() for the
+space available, making it act closer to a strlcpy(). As several fixed
+strings are strcpy()'d after into the same buffer, their total length is
+checked to see if they exceed the remaining space in the buffer. If so,
+return an error.
+
+On the occasion simplify code a bit by removing unneeded rrqlen zeroing.
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/tftp.c | 40 +++++++++++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 09e1511cc..9bc8a688d 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -267,17 +267,19 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+  * forward slashes to a single forward slash.
+  */
+ static void
+-grub_normalize_filename (char *normalized, const char *filename)
++grub_normalize_filename (char *normalized, const char *filename, int c)
+ {
+   char *dest = normalized;
+   const char *src = filename;
+ 
+-  while (*src != '\0')
++  while (*src != '\0' && c > 0)
+     {
+       if (src[0] == '/' && src[1] == '/')
+ 	src++;
+-      else
+-	*dest++ = *src++;
++      else {
++        c--;
++        *dest++ = *src++;
++      }
+     }
+   *dest = '\0';
+ }
+@@ -288,7 +290,7 @@ tftp_open (struct grub_file *file, const char *filename)
+   struct tftphdr *tftph;
+   char *rrq;
+   int i;
+-  int rrqlen;
++  int rrqlen, rrqsize;
+   int hdrlen;
+   grub_uint8_t open_data[1500];
+   struct grub_net_buff nb;
+@@ -316,35 +318,43 @@ tftp_open (struct grub_file *file, const char *filename)
+ 
+   tftph = (struct tftphdr *) nb.data;
+ 
+-  rrq = (char *) tftph->u.rrq;
+-  rrqlen = 0;
+-
+   tftph->opcode = grub_cpu_to_be16_compile_time (TFTP_RRQ);
+ 
++  rrq = (char *) tftph->u.rrq;
++  rrqsize = sizeof (tftph->u.rrq);
++
+   /* Copy and normalize the filename to work-around issues on some tftp
+      servers when file names are being matched for remapping. */
+-  grub_normalize_filename (rrq, filename);
+-  rrqlen += grub_strlen (rrq) + 1;
++  grub_normalize_filename (rrq, filename, rrqsize);
++
++  rrqlen = grub_strlen (rrq) + 1;
+   rrq += grub_strlen (rrq) + 1;
+ 
+-  grub_strcpy (rrq, "octet");
++  /* Verify there is enough space for the remaining components. */
+   rrqlen += grub_strlen ("octet") + 1;
++  rrqlen += grub_strlen ("blksize") + 1;
++  rrqlen += grub_strlen ("1024") + 1;
++  rrqlen += grub_strlen ("tsize") + 1;
++  rrqlen += grub_strlen ("0") + 1;
++
++  if (rrqlen >= rrqsize) {
++    grub_free (data);
++    return grub_error (GRUB_ERR_BAD_FILENAME, N_("filename too long"));
++  }
++
++  grub_strcpy (rrq, "octet");
+   rrq += grub_strlen ("octet") + 1;
+ 
+   grub_strcpy (rrq, "blksize");
+-  rrqlen += grub_strlen ("blksize") + 1;
+   rrq += grub_strlen ("blksize") + 1;
+ 
+   grub_strcpy (rrq, "1024");
+-  rrqlen += grub_strlen ("1024") + 1;
+   rrq += grub_strlen ("1024") + 1;
+ 
+   grub_strcpy (rrq, "tsize");
+-  rrqlen += grub_strlen ("tsize") + 1;
+   rrq += grub_strlen ("tsize") + 1;
+ 
+   grub_strcpy (rrq, "0");
+-  rrqlen += grub_strlen ("0") + 1;
+   rrq += grub_strlen ("0") + 1;
+   hdrlen = sizeof (tftph->opcode) + rrqlen;
+ 

SOURCES/0622-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 8 Mar 2024 22:47:20 +1100
+Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in
+ JPEG
+
+Otherwise a subsequent header could change the height and width
+allowing future OOB writes.
+
+Fixes: CVE-2024-45774
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 2da04094b..c7aaac362 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -332,6 +332,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+   if (grub_errno != GRUB_ERR_NONE)
+     return grub_errno;
+ 
++  if (data->image_height != 0 || data->image_width != 0)
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		       "jpeg: cannot have duplicate SOF0 markers");
++
+   if (grub_jpeg_get_byte (data) != 8)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: only 8-bit precision is supported");

SOURCES/0623-kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 18 Apr 2024 15:59:26 +0100
+Subject: [PATCH] kern/dl: Fix for an integer overflow in grub_dl_ref()
+
+It was possible to overflow the value of mod->ref_count, a signed
+integer, by repeatedly invoking insmod on an already loaded module.
+This led to a use-after-free. As once ref_count was overflowed it became
+possible to unload the module while there was still references to it.
+
+This resolves the issue by using grub_add() to check if the ref_count
+will overflow and then stops further increments. Further changes were
+also made to grub_dl_unref() to check for the underflow condition and
+the reference count was changed to an unsigned 64-bit integer.
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/minicmd.c |  2 +-
+ grub-core/kern/dl.c          | 17 ++++++++++++-----
+ include/grub/dl.h            |  8 ++++----
+ util/misc.c                  |  4 ++--
+ 4 files changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 2bd3ac76f..2001043cf 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -167,7 +167,7 @@ grub_mini_cmd_lsmod (struct grub_command *cmd __attribute__ ((unused)),
+   {
+     grub_dl_dep_t dep;
+ 
+-    grub_printf ("%s\t%d\t\t", mod->name, mod->ref_count);
++    grub_printf ("%s\t%" PRIuGRUB_UINT64_T "\t\t", mod->name, mod->ref_count);
+     for (dep = mod->dep; dep; dep = dep->next)
+       {
+ 	if (dep != mod->dep)
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 68d3177f5..edbb55d7d 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -34,6 +34,7 @@
+ #include <grub/i18n.h>
+ #include <grub/efi/sb.h>
+ #include <grub/tpm.h>
++#include <grub/safemath.h>
+ 
+ /* Platforms where modules are in a readonly area of memory.  */
+ #if defined(GRUB_MACHINE_QEMU)
+@@ -595,7 +596,7 @@ grub_dl_resolve_dependencies (grub_dl_t mod, Elf_Ehdr *e)
+   return GRUB_ERR_NONE;
+ }
+ 
+-int
++grub_uint64_t
+ grub_dl_ref (grub_dl_t mod)
+ {
+   grub_dl_dep_t dep;
+@@ -606,10 +607,13 @@ grub_dl_ref (grub_dl_t mod)
+   for (dep = mod->dep; dep; dep = dep->next)
+     grub_dl_ref (dep->mod);
+ 
+-  return ++mod->ref_count;
++  if (grub_add (mod->ref_count, 1, &mod->ref_count))
++    grub_fatal ("Module reference count overflow");
++
++  return mod->ref_count;
+ }
+ 
+-int
++grub_uint64_t
+ grub_dl_unref (grub_dl_t mod)
+ {
+   grub_dl_dep_t dep;
+@@ -620,10 +624,13 @@ grub_dl_unref (grub_dl_t mod)
+   for (dep = mod->dep; dep; dep = dep->next)
+     grub_dl_unref (dep->mod);
+ 
+-  return --mod->ref_count;
++  if (grub_sub (mod->ref_count, 1, &mod->ref_count))
++    grub_fatal ("Module reference count underflow");
++
++  return mod->ref_count;
+ }
+ 
+-int
++grub_uint64_t
+ grub_dl_ref_count (grub_dl_t mod)
+ {
+   if (mod == NULL)
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index 6f46b7e86..2e27ef596 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -177,7 +177,7 @@ typedef struct grub_dl_dep *grub_dl_dep_t;
+ struct grub_dl
+ {
+   char *name;
+-  int ref_count;
++  grub_uint64_t ref_count;
+   int persistent;
+   grub_dl_dep_t dep;
+   grub_dl_segment_t segment;
+@@ -207,9 +207,9 @@ grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+ grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+ int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+ extern void grub_dl_unload_unneeded (void);
+-extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
+-extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++extern grub_uint64_t EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern grub_uint64_t EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern grub_uint64_t EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
+ 
+ extern grub_dl_t EXPORT_VAR(grub_dl_head);
+ 
+diff --git a/util/misc.c b/util/misc.c
+index d545212d9..0f928e5b4 100644
+--- a/util/misc.c
++++ b/util/misc.c
+@@ -190,14 +190,14 @@ grub_xputs_real (const char *str)
+ 
+ void (*grub_xputs) (const char *str) = grub_xputs_real;
+ 
+-int
++grub_uint64_t
+ grub_dl_ref (grub_dl_t mod)
+ {
+   (void) mod;
+   return 0;
+ }
+ 
+-int
++grub_uint64_t
+ grub_dl_unref (grub_dl_t mod)
+ {
+   (void) mod;

SOURCES/0624-kern-dl-Check-for-the-SHF_INFO_LINK-flag-in-grub_dl_.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 7 Nov 2024 06:00:36 +0000
+Subject: [PATCH] kern/dl: Check for the SHF_INFO_LINK flag in
+ grub_dl_relocate_symbols()
+
+The grub_dl_relocate_symbols() iterates through the sections in
+an ELF looking for relocation sections. According to the spec [1]
+the SHF_INFO_LINK flag should be set if the sh_info field is meant
+to be a section index.
+
+[1] https://refspecs.linuxbase.org/elf/gabi4+/ch4.sheader.html
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/dl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index edbb55d7d..e93863196 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -663,6 +663,9 @@ grub_dl_relocate_symbols (grub_dl_t mod, void *ehdr)
+ 	grub_dl_segment_t seg;
+ 	grub_err_t err;
+ 
++  if (!(s->sh_flags & SHF_INFO_LINK))
++ 	  continue;
++
+ 	seg = grub_dl_find_segment(mod, s->sh_info);
+         if (!seg)
+ 	  continue;

SOURCES/0625-commands-extcmd-Missing-check-for-failed-allocation.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:55 +0000
+Subject: [PATCH] commands/extcmd: Missing check for failed allocation
+
+The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate
+a grub_arg_list struct but it does not verify the allocation was successful.
+In case of failed allocation the NULL state pointer can be accessed in
+parse_option() through grub_arg_parse() which may lead to a security issue.
+
+Fixes: CVE-2024-45775
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+---
+ grub-core/commands/extcmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 90a5ca24a..c236be13a 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
+     }
+ 
+   state = grub_arg_list_alloc (ext, argc, args);
++  if (state == NULL)
++    return grub_errno;
++
+   if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
+     {
+       context.state = state;

SOURCES/0626-commands-ls-Fix-NULL-dereference.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 11:08:23 +0100
+Subject: [PATCH] commands/ls: Fix NULL dereference
+
+The grub_strrchr() may return NULL when the dirname do not contain "/".
+This can happen on broken filesystems.
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/ls.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
+index d4dcffd31..ac6936bc7 100644
+--- a/grub-core/commands/ls.c
++++ b/grub-core/commands/ls.c
+@@ -241,7 +241,11 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
+ 
+ 	  grub_file_close (file);
+ 
+-	  p = grub_strrchr (dirname, '/') + 1;
++ 	  p = grub_strrchr (dirname, '/');
++ 	  if (p == NULL)
++ 	    goto fail;
++ 	  ++p;
++
+ 	  dirname = grub_strndup (dirname, p - dirname);
+ 	  if (! dirname)
+ 	    goto fail;

SOURCES/0627-commands-pgp-Unregister-the-check_signatures-hooks-o.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 19:24:29 +0000
+Subject: [PATCH] commands/pgp: Unregister the "check_signatures" hooks on
+ module unload
+
+If the hooks are not removed they can be called after the module has
+been unloaded leading to an use-after-free.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/pgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
+index 55d354be0..15e981304 100644
+--- a/grub-core/commands/pgp.c
++++ b/grub-core/commands/pgp.c
+@@ -982,6 +982,8 @@ GRUB_MOD_INIT(pgp)
+ 
+ GRUB_MOD_FINI(pgp)
+ {
++  grub_register_variable_hook ("check_signatures", NULL, NULL);
++  grub_env_unset ("check_signatures");
+   grub_verifier_unregister (&grub_pubkey_verifier);
+   grub_unregister_extcmd (cmd);
+   grub_unregister_extcmd (cmd_trust);

SOURCES/0628-normal-Remove-variables-hooks-on-module-unload.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:46:55 +0000
+Subject: [PATCH] normal: Remove variables hooks on module unload
+
+The normal module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload normal module now but fix the
+issues for completeness.
+
+On the occasion replace 0s with NULLs for "pager" variable
+hooks unregister.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/normal/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index f5e9b54f7..b61f01ae5 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -670,7 +670,9 @@ GRUB_MOD_FINI(normal)
+   grub_xputs = grub_xputs_saved;
+ 
+   grub_set_history (0);
+-  grub_register_variable_hook ("pager", 0, 0);
++  grub_register_variable_hook ("pager", NULL, NULL);
++  grub_register_variable_hook ("color_normal", NULL, NULL);
++  grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
+ }

SOURCES/0629-gettext-Remove-variables-hooks-on-module-unload.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:52:06 +0000
+Subject: [PATCH] gettext: Remove variables hooks on module unload
+
+The gettext module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload gettext module because normal
+module depends on it. Though fix the issues for completeness.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gettext/gettext.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 84d520cd4..1344c7c81 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -520,6 +520,10 @@ GRUB_MOD_INIT (gettext)
+ 
+ GRUB_MOD_FINI (gettext)
+ {
++  grub_register_variable_hook ("locale_dir", NULL, NULL);
++  grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
++  grub_register_variable_hook ("lang", NULL, NULL);
++
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 

SOURCES/0630-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:56 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read
+
+Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
+overflow leading to subsequent OOB write or read. This patch fixes the
+issue by replacing grub_zalloc() and explicit multiplication with
+grub_calloc() which does the same thing in safe manner.
+
+Fixes: CVE-2024-45776
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+---
+ grub-core/gettext/gettext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 1344c7c81..cb304ebeb 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
+   for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
+        ctx->grub_gettext_max_log++);
+ 
+-  ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
+-					    * sizeof (ctx->grub_gettext_msg_list[0]));
++  ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
++					    sizeof (ctx->grub_gettext_msg_list[0]));
+   if (!ctx->grub_gettext_msg_list)
+     {
+       grub_file_close (fd);

SOURCES/0631-gettext-Integer-overflow-leads-to-heap-OOB-write.patch

+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:57 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
+
+The size calculation of the translation buffer in
+grub_gettext_getstr_from_position() may overflow
+to 0 leading to heap OOB write. This patch fixes
+the issue by using grub_add() and checking for
+an overflow.
+
+Fixes: CVE-2024-45777
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+---
+ grub-core/gettext/gettext.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index cb304ebeb..9654bb3fd 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -26,6 +26,7 @@
+ #include <grub/file.h>
+ #include <grub/kernel.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   char *translation;
+   struct string_descriptor desc;
+   grub_err_t err;
++  grub_size_t alloc_sz;
+ 
+   internal_position = (off + position * sizeof (desc));
+ 
+@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   length = grub_cpu_to_le32 (desc.length);
+   offset = grub_cpu_to_le32 (desc.offset);
+ 
+-  translation = grub_malloc (length + 1);
++  if (grub_add (length, 1, &alloc_sz))
++    return NULL;
++
++  translation = grub_malloc (alloc_sz);
+   if (!translation)
+     return NULL;
+